From: Ivan Kokshaysky <ink@jurassic.park.msu.ru>

I believe many of those weird crash reports with recent 2.5
kernels can be explained by wrong pointer arithmetic in
ICMP_INC_STATS_xx_FIELD macros.

(*((long *)((void *)ptr) + offt))++

This actually adds "offt" _longs_, not _bytes_ to "ptr",
which causes increment of entirely unrelated kernel data.
Nasty thing is that a result of this corruption usually
shows up much later and depends on kernel layout.
I was "lucky" enough - on one of my boxes ICMP redirect
packets reproducibly caused increment of thread_info->task
pointer of kswapd, so finally I traced this back to icmp.h.




 25-akpm/include/net/icmp.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff -puN include/net/icmp.h~icmp_stats-indexing-fix include/net/icmp.h
--- 25/include/net/icmp.h~icmp_stats-indexing-fix	Tue Apr  1 14:42:48 2003
+++ 25-akpm/include/net/icmp.h	Tue Apr  1 14:42:48 2003
@@ -39,15 +39,15 @@ DECLARE_SNMP_STAT(struct icmp_mib, icmp_
 #define ICMP_INC_STATS_FIELD(offt)					\
 	(*((unsigned long *) ((void *)					\
 			     per_cpu_ptr(icmp_statistics[!in_softirq()],\
-					 smp_processor_id())) + offt))++;
+					 smp_processor_id()) + offt)))++
 #define ICMP_INC_STATS_BH_FIELD(offt)					\
 	(*((unsigned long *) ((void *)					\
 			     per_cpu_ptr(icmp_statistics[0],		\
-					 smp_processor_id())) + offt))++;
+					 smp_processor_id()) + offt)))++
 #define ICMP_INC_STATS_USER_FIELD(offt)					\
 	(*((unsigned long *) ((void *)					\
 			     per_cpu_ptr(icmp_statistics[1],		\
-					 smp_processor_id())) + offt))++;
+					 smp_processor_id()) + offt)))++
 
 extern void	icmp_send(struct sk_buff *skb_in,  int type, int code, u32 info);
 extern int	icmp_rcv(struct sk_buff *skb);

_