Description Sune Kloppenborg Jeppesen (RETIRED) 2006-12-22 01:06:05 UTC

the function isdn_ppp_ccp_reset_alloc_state() in 
drivers/isdn/i4l/isdn_ppp.c (after kmalloc() + memset to 0) sets 
->timer.function and ->timer.data later on calls add_timer() with no 
init_timer() ever done and that's an instant death.

The first thing add_timer() does is

         for (;;) {
                 base = timer->base;
                 if (likely(base != NULL)) {
                         spin_lock_irqsave(&base->lock, *flags);
                         if (likely(base == timer->base))
                                 return base;
                         /* The timer has migrated to another CPU */
                         spin_unlock_irqrestore(&base->lock, *flags);
                 }
                 cpu_relax();
         }

and timer->base is what init_timer() sets if it's left NULL, well...

The add_timer() in this case is called on decompression errors.