On Tue, Oct 15, 2013 at 10:41 AM, Janne Karhunen <janne.karhu...@gmail.com> wrote:
>> call_timer_fn 0x73/0x160 <--- EIP hits 0
>
> Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
> CONFIG_DEBUG_OBJECTS_TIMERS we get :
>
> call_timer_fn 0x73/0x160
> destroy_timer_on_stack 0x20/0x20
> ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
> run_timer_softirq 0x1f2/0x230

Sadly no time to hunt the free at the moment, so working around temporarily by

diff --git a/kernel/timer.c b/kernel/timer.c index 4296d13..fc7ef44 100644 --- a/kernel/timer.c +++ b/kernel/timer.c @@ -1094,6 +1094,9 @@ static void call_timer_fn(struct timer_list *timer, void (*fn)(unsigned long), { int preempt_count = preempt_count(); + if (fn == NULL) + return; +

Hoping someone wiser catches the real fix at some point.

--
Janne
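Review bot: the added `if (fn == NULL) return;` at the top of call_timer_fn() returns silently, so the use-after-free that the CONFIG_DEBUG_PAGEALLOC / CONFIG_DEBUG_OBJECTS_TIMERS trace points to is hidden rather than reported. A timer_list whose memory has been freed and reused can hold any stale value in its function pointer, so a NULL test covers only the one manifestation seen here (EIP hits 0) and leaves the other cases calling through a dangling pointer. If the check stays as a temporary workaround, make it loud, for example `if (WARN_ON_ONCE(!fn)) return;`, so the softirq backtrace is still logged, and add a comment marking it as a workaround pending the fix to the code that frees the timer while it is still pending.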