On 15.04.2011 18:18, Simon Arlott wrote:
> On 15/04/11 14:24, Eric Dumazet wrote:
>> Hmm.. a more complete patch :
>>
>> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
>> index 0857272..6f0bed0 100644
>
> I applied the patch by recompiling and then reloading the nf_conntrack_ipv6
> module (temporarily flushing and then restoring all ip6tables rules).
> Then this happened 10 minutes later:
>
> [33876.950100] BUG: unable to handle kernel NULL pointer dereference at 00000014
> [33876.951060] IP: [<f9b012bb>] nf_ct_frag6_gather+0x864/0x881 [nf_conntrack_ipv6]

nf_ct_frag6_reasm() can return NULL, so we need to check for a non-NULL ret_skb
before trying to set the device. Does this patch (based on Eric's second version) help?

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 0857272..b7ecfce 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -576,7 +576,9 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && fq->q.meat == fq->q.len) { ret_skb = nf_ct_frag6_reasm(fq, dev); - if (ret_skb == NULL) + if (ret_skb != NULL) + ret_skb->dev = dev; + else pr_debug("Can't reassemble fragmented packets\n"); } spin_unlock_bh(&fq->q.lock); @@ -602,7 +604,7 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, s2 = s->next; s->next = NULL; - + s->dev = in; NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); s = s2;
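
Review bot: In the nf_ct_frag6_gather() hunk (@@ -576,7 +576,9), the device assignment lives in the caller even though `nf_ct_frag6_reasm(fq, dev)` already receives `dev`, so any other caller has to repeat the NULL test to avoid the dereference shown in the quoted oops. Consider setting the device on the success path inside nf_ct_frag6_reasm(), or, if the assignment stays here, add a one-line comment that nf_ct_frag6_reasm() can return NULL. The failure branch still reports only through pr_debug(), so a failed reassembly stays silent on kernels built without debug output.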
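
Review bot: In the nf_ct_frag6_output() hunk (@@ -602,7 +604,7), `s->dev = in;` is assigned unconditionally, and nothing in the visible lines guarantees that `in` is non-NULL for every hooknum this function is called with. If it can be reached from a hook that has no input device, the assignment replaces whatever s->dev held with NULL just before NF_HOOK_THRESH() runs; guard it (for example `if (in) s->dev = in;`) or state in a comment why `in` is always valid here. The hunk also drops the blank line that separated the list unlinking from the hook call, which is worth keeping for readability.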