[Devel] [PATCH] kmapset: Fix NULL pointer derefference in kmapset_set_value()

Kirill Tkhai ktkhai at odin.com
Tue Jun 23 07:01:41 PDT 2015 

map->links hlist is ordered ascending (from less to bigger).
If we're adding a new_link, whose key is the bigger than
everything, we traverse all the hlist and exit with
old_link = NULL. This lead to kernel panic:

[71531.680537] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[71531.680553] IP: [<ffffffff812b9540>] kmapset_set_value+0x100/0x170
[71531.680566] PGD aad36067 PUD 9ee7d067 PMD 0
[71531.680576] Oops: 0000 [#1] SMP
[71531.680586] Modules linked in: veth tun ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_raw iptable_filter ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd lpc_ich mfd_core virtio_balloon shpchp mperf serio_raw pcspkr ext4 mbcache jbd2 sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ahci ata_piix libahci libata e1000 virtio_pci virtio virtio_ring dm_mirror dm_region_hash dm_log dm_mod ip6_vzprivnet ip6_vznetstat pio_kaio pio_nfs pio_direct
[71531.680743]  pfmt_raw pfmt_ploop1 ploop ip_vznetstat ip_vzprivnet vziolimit vzcon vzlinkdev vzevent vzlist vzstat vznetstat vznetdev vzcompat vzmon vzdev bridge stp llc
[71531.680784] CPU: 1 PID: 46241 Comm: vzctl ve: 0 Not tainted 3.10.0-123.1.2.vz7.5.16 #1 5.16
[71531.680802] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 6.10.24057.1139071 04/30/2015
[71531.680809] task: ffff8800a7834bc0 ti: ffff8800a7a28000 task.ti: ffff8800a7a28000
[71531.680815] RIP: 0010:[<ffffffff812b9540>]  [<ffffffff812b9540>] kmapset_set_value+0x100/0x170
[71531.680824] RSP: 0018:ffff8800a7a29dd0  EFLAGS: 00010246
[71531.680829] RAX: 0000000000000000 RBX: ffff8800368ae440 RCX: ffff8800a7a29fd8
[71531.680833] RDX: ffff8800368ae2d8 RSI: 00000000000000d0 RDI: ffffffff81ce6240
[71531.680837] RBP: ffff8800a7a29df8 R08: 00000000000208e0 R09: ffff880303803b00
[71531.680841] R10: ffffffff812b9470 R11: 0000000000000246 R12: ffff8800368ae7c0
[71531.680845] R13: ffff8802fc370918 R14: ffffffff81ce6240 R15: 0000000000000005
[71531.680850] FS:  00007fb7078dfbc0(0000) GS:ffff880303e40000(0000) knlGS:0000000000000000
[71531.680857] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[71531.680862] CR2: 0000000000000018 CR3: 00000000aadde000 CR4: 00000000000406e0
[71531.680867] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[71531.680871] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[71531.680876] Stack:
[71531.680880]  0000000000000000 ffff8800a78c72d0 0000000000000005 0000000000000000
[71531.680893]  ffff88003648f021 ffff8800a7a29e60 ffffffff81237486 ffff8802fc370918
[71531.680906]  ffff8800368ae7c0 ffff88003648f000 0000000000000024 ffff8802fc370620
[71531.680921] Call Trace:
[71531.680932]  [<ffffffff81237486>] sysfs_perms_write+0x196/0x360
[71531.680942]  [<ffffffff810e26dd>] cgroup_file_write+0x9d/0x310
[71531.680950]  [<ffffffff811be4f8>] ? __sb_start_write+0x58/0x110
[71531.680956]  [<ffffffff811bbcad>] vfs_write+0xbd/0x1e0
[71531.680961]  [<ffffffff811bc6f8>] SyS_write+0x58/0xb0
[71531.680967]  [<ffffffff815da959>] system_call_fastpath+0x16/0x1b
[71531.680972] Code: 41 5d 41 5e 41 5f 5d c3 0f 1f 00 49 8d 44 24 20 48 c7 43 18 00 00 00 00 48 89 43 20 48 8d 43 18 49 89 44 24 20 eb a7 0f 1f 40 00 <48> 8b 04 25 18 00 00 00 48 8d 53 18 48 c7 43 20 18 00 00 00 48
[71531.681092] RIP  [<ffffffff812b9540>] kmapset_set_value+0x100/0x170
[71531.681099]  RSP <ffff8800a7a29dd0>
[71531.681103] CR2: 0000000000000018

This patch adds the biggest key link on the right place (after the last existing link).

https://jira.sw.ru/browse/PSBM-34437

Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 lib/kmapset.c        |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/kmapset.c b/lib/kmapset.c
index b809e69..a8b79ae 100644
--- a/lib/kmapset.c
+++ b/lib/kmapset.c
@@ -245,7 +245,7 @@ int kmapset_set_value(struct kmapset_map *map,
 		struct kmapset_key *key, unsigned long value)
 {
 	struct kmapset_set *set = map->set;
-	struct kmapset_link *new_link, *old_link;
+	struct kmapset_link *new_link, *old_link, *last_link = NULL;
 
 	new_link = kmalloc(sizeof(struct kmapset_link), GFP_KERNEL);
 	if (!new_link)
@@ -260,6 +260,7 @@ int kmapset_set_value(struct kmapset_map *map,
 		hlist_add_head_rcu(&new_link->map_link, &map->links);
 	} else {
 		hlist_for_each_entry(old_link, &map->links, map_link) {
+			last_link = old_link;
 			if (old_link->key < key)
 				continue;
 			if (old_link->key == key) {
@@ -271,7 +272,7 @@ int kmapset_set_value(struct kmapset_map *map,
 					     &old_link->map_link);
 			goto add;
 		}
-		hlist_add_after_rcu(&old_link->map_link, &new_link->map_link);
+		hlist_add_after_rcu(&last_link->map_link, &new_link->map_link);
 	}
 add:
 	hlist_add_head(&new_link->key_link, &new_link->key->links);

More information about the Devel mailing list