From: Seth Jennings <sjenning@linux.vnet.ibm.com>
To: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Dan Magenheimer <dan.magenheimer@oracle.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org
Subject: Re: [PATCH 10/10] cleanup the code between tmem_obj_init and tmem_obj_find
Date: Tue, 19 Jun 2012 11:49:13 -0500 [thread overview]
Message-ID: <4FE0AD89.6000001@linux.vnet.ibm.com> (raw)
In-Reply-To: <4FE03A55.7070503@linux.vnet.ibm.com>
This patch causes a crash, details below.
On 06/19/2012 03:37 AM, Xiao Guangrong wrote:
> tmem_obj_find and insertion tmem-obj have the some logic, we can integrate
> the code
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
> ---
> drivers/staging/zcache/tmem.c | 58 +++++++++++++++++++++-------------------
> 1 files changed, 30 insertions(+), 28 deletions(-)
>
> diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c
> index 1ca66ea..cdf2d3c 100644
> --- a/drivers/staging/zcache/tmem.c
> +++ b/drivers/staging/zcache/tmem.c
> @@ -72,33 +72,48 @@ void tmem_register_pamops(struct tmem_pamops *m)
> * the hashbucket lock must be held.
> */
>
> -/* searches for object==oid in pool, returns locked object if found */
> -static struct tmem_obj *tmem_obj_find(struct tmem_hashbucket *hb,
> - struct tmem_oid *oidp)
> +static struct tmem_obj
> +*__tmem_obj_find(struct tmem_hashbucket*hb, struct tmem_oid *oidp,
> + struct rb_node *parent, struct rb_node **link)
> {
> - struct rb_node *rbnode;
> + struct rb_node **rbnode;
> struct tmem_obj *obj;
>
> - rbnode = hb->obj_rb_root.rb_node;
> - while (rbnode) {
> - BUG_ON(RB_EMPTY_NODE(rbnode));
> - obj = rb_entry(rbnode, struct tmem_obj, rb_tree_node);
> + rbnode = &hb->obj_rb_root.rb_node;
> + while (*rbnode) {
> + BUG_ON(RB_EMPTY_NODE(*rbnode));
> + obj = rb_entry(*rbnode, struct tmem_obj,
> + rb_tree_node);
> switch (tmem_oid_compare(oidp, &obj->oid)) {
> case 0: /* equal */
> goto out;
> case -1:
> - rbnode = rbnode->rb_left;
> + rbnode = &(*rbnode)->rb_left;
> break;
> case 1:
> - rbnode = rbnode->rb_right;
> + rbnode = &(*rbnode)->rb_right;
> break;
> }
> }
> +
> + if (parent)
> + parent = &obj->rb_tree_node;
> + if (link)
> + link = rbnode;
> +
> obj = NULL;
> out:
> return obj;
> }
>
> +
> +/* searches for object==oid in pool, returns locked object if found */
> +static struct tmem_obj *tmem_obj_find(struct tmem_hashbucket *hb,
> + struct tmem_oid *oidp)
> +{
> + return __tmem_obj_find(hb, oidp, NULL, NULL);
> +}
> +
> static void tmem_pampd_destroy_all_in_obj(struct tmem_obj *);
>
> /* free an object that has no more pampds in it */
> @@ -131,8 +146,7 @@ static void tmem_obj_init(struct tmem_obj *obj, struct tmem_hashbucket *hb,
> struct tmem_oid *oidp)
> {
> struct rb_root *root = &hb->obj_rb_root;
> - struct rb_node **new = &(root->rb_node), *parent = NULL;
> - struct tmem_obj *this;
> + struct rb_node **new = NULL, *parent = NULL;
>
> BUG_ON(pool == NULL);
> atomic_inc(&pool->obj_count);
> @@ -144,22 +158,10 @@ static void tmem_obj_init(struct tmem_obj *obj, struct tmem_hashbucket *hb,
> obj->pampd_count = 0;
> (*tmem_pamops.new_obj)(obj);
> SET_SENTINEL(obj, OBJ);
> - while (*new) {
> - BUG_ON(RB_EMPTY_NODE(*new));
> - this = rb_entry(*new, struct tmem_obj, rb_tree_node);
> - parent = *new;
> - switch (tmem_oid_compare(oidp, &this->oid)) {
> - case 0:
> - BUG(); /* already present; should never happen! */
> - break;
> - case -1:
> - new = &(*new)->rb_left;
> - break;
> - case 1:
> - new = &(*new)->rb_right;
> - break;
> - }
> - }
> +
> + if (__tmem_obj_find(hb, oidp, parent, new))
> + BUG();
> +
> rb_link_node(&obj->rb_tree_node, parent, new);
Getting a NULL deref crash here because new is NULL
[ 56.422031] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 56.423008] IP: [<ffffffff812b8ba4>] tmem_put+0x3a4/0x3d0
static inline void rb_link_node(struct rb_node * node, struct rb_node * parent,
struct rb_node ** rb_link)
{
...
*rb_link = node;
ffffffff812b8ba4: 48 89 38 mov %rdi,(%rax) <--- here
ffffffff812b8ba7: e8 00 00 00 00 callq ffffffff812b8bac <tmem_put+0x3ac>
--
Seth
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Seth Jennings <sjenning@linux.vnet.ibm.com>
To: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Dan Magenheimer <dan.magenheimer@oracle.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org
Subject: Re: [PATCH 10/10] cleanup the code between tmem_obj_init and tmem_obj_find
Date: Tue, 19 Jun 2012 11:49:13 -0500 [thread overview]
Message-ID: <4FE0AD89.6000001@linux.vnet.ibm.com> (raw)
In-Reply-To: <4FE03A55.7070503@linux.vnet.ibm.com>
This patch causes a crash, details below.
On 06/19/2012 03:37 AM, Xiao Guangrong wrote:
> tmem_obj_find and insertion tmem-obj have the some logic, we can integrate
> the code
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
> ---
> drivers/staging/zcache/tmem.c | 58 +++++++++++++++++++++-------------------
> 1 files changed, 30 insertions(+), 28 deletions(-)
>
> diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c
> index 1ca66ea..cdf2d3c 100644
> --- a/drivers/staging/zcache/tmem.c
> +++ b/drivers/staging/zcache/tmem.c
> @@ -72,33 +72,48 @@ void tmem_register_pamops(struct tmem_pamops *m)
> * the hashbucket lock must be held.
> */
>
> -/* searches for object==oid in pool, returns locked object if found */
> -static struct tmem_obj *tmem_obj_find(struct tmem_hashbucket *hb,
> - struct tmem_oid *oidp)
> +static struct tmem_obj
> +*__tmem_obj_find(struct tmem_hashbucket*hb, struct tmem_oid *oidp,
> + struct rb_node *parent, struct rb_node **link)
> {
> - struct rb_node *rbnode;
> + struct rb_node **rbnode;
> struct tmem_obj *obj;
>
> - rbnode = hb->obj_rb_root.rb_node;
> - while (rbnode) {
> - BUG_ON(RB_EMPTY_NODE(rbnode));
> - obj = rb_entry(rbnode, struct tmem_obj, rb_tree_node);
> + rbnode = &hb->obj_rb_root.rb_node;
> + while (*rbnode) {
> + BUG_ON(RB_EMPTY_NODE(*rbnode));
> + obj = rb_entry(*rbnode, struct tmem_obj,
> + rb_tree_node);
> switch (tmem_oid_compare(oidp, &obj->oid)) {
> case 0: /* equal */
> goto out;
> case -1:
> - rbnode = rbnode->rb_left;
> + rbnode = &(*rbnode)->rb_left;
> break;
> case 1:
> - rbnode = rbnode->rb_right;
> + rbnode = &(*rbnode)->rb_right;
> break;
> }
> }
> +
> + if (parent)
> + parent = &obj->rb_tree_node;
> + if (link)
> + link = rbnode;
> +
> obj = NULL;
> out:
> return obj;
> }
>
> +
> +/* searches for object==oid in pool, returns locked object if found */
> +static struct tmem_obj *tmem_obj_find(struct tmem_hashbucket *hb,
> + struct tmem_oid *oidp)
> +{
> + return __tmem_obj_find(hb, oidp, NULL, NULL);
> +}
> +
> static void tmem_pampd_destroy_all_in_obj(struct tmem_obj *);
>
> /* free an object that has no more pampds in it */
> @@ -131,8 +146,7 @@ static void tmem_obj_init(struct tmem_obj *obj, struct tmem_hashbucket *hb,
> struct tmem_oid *oidp)
> {
> struct rb_root *root = &hb->obj_rb_root;
> - struct rb_node **new = &(root->rb_node), *parent = NULL;
> - struct tmem_obj *this;
> + struct rb_node **new = NULL, *parent = NULL;
>
> BUG_ON(pool == NULL);
> atomic_inc(&pool->obj_count);
> @@ -144,22 +158,10 @@ static void tmem_obj_init(struct tmem_obj *obj, struct tmem_hashbucket *hb,
> obj->pampd_count = 0;
> (*tmem_pamops.new_obj)(obj);
> SET_SENTINEL(obj, OBJ);
> - while (*new) {
> - BUG_ON(RB_EMPTY_NODE(*new));
> - this = rb_entry(*new, struct tmem_obj, rb_tree_node);
> - parent = *new;
> - switch (tmem_oid_compare(oidp, &this->oid)) {
> - case 0:
> - BUG(); /* already present; should never happen! */
> - break;
> - case -1:
> - new = &(*new)->rb_left;
> - break;
> - case 1:
> - new = &(*new)->rb_right;
> - break;
> - }
> - }
> +
> + if (__tmem_obj_find(hb, oidp, parent, new))
> + BUG();
> +
> rb_link_node(&obj->rb_tree_node, parent, new);
Getting a NULL deref crash here because new is NULL
[ 56.422031] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 56.423008] IP: [<ffffffff812b8ba4>] tmem_put+0x3a4/0x3d0
static inline void rb_link_node(struct rb_node * node, struct rb_node * parent,
struct rb_node ** rb_link)
{
...
*rb_link = node;
ffffffff812b8ba4: 48 89 38 mov %rdi,(%rax) <--- here
ffffffff812b8ba7: e8 00 00 00 00 callq ffffffff812b8bac <tmem_put+0x3ac>
--
Seth
next prev parent reply other threads:[~2012-06-19 16:50 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-19 8:32 [PATCH 01/10] zcache: fix preemptable memory allocation in atomic context Xiao Guangrong
2012-06-19 8:32 ` Xiao Guangrong
2012-06-19 8:33 ` [PATCH 02/10] zcache: fix refcount leak Xiao Guangrong
2012-06-19 8:33 ` Xiao Guangrong
2012-06-19 14:28 ` Seth Jennings
2012-06-19 14:28 ` Seth Jennings
2012-06-19 19:49 ` Dan Magenheimer
2012-06-19 19:49 ` Dan Magenheimer
2012-06-19 20:06 ` Seth Jennings
2012-06-19 20:06 ` Seth Jennings
2012-06-20 2:54 ` Xiao Guangrong
2012-06-20 2:54 ` Xiao Guangrong
2012-06-20 3:19 ` Xiao Guangrong
2012-06-20 3:19 ` Xiao Guangrong
2012-06-20 22:25 ` Dan Magenheimer
2012-06-20 22:25 ` Dan Magenheimer
2012-06-21 1:44 ` Xiao Guangrong
2012-06-21 1:44 ` Xiao Guangrong
2012-06-19 8:33 ` [PATCH 03/10] zcache: fix a compile warning Xiao Guangrong
2012-06-19 8:33 ` Xiao Guangrong
2012-06-19 14:30 ` Seth Jennings
2012-06-19 14:30 ` Seth Jennings
2012-06-20 2:55 ` Xiao Guangrong
2012-06-20 2:55 ` Xiao Guangrong
2012-06-19 8:34 ` [PATCH 04/10] zcache: remove unnecessary check of config option dependence Xiao Guangrong
2012-06-19 8:34 ` Xiao Guangrong
2012-06-19 14:36 ` Seth Jennings
2012-06-19 14:36 ` Seth Jennings
2012-06-19 8:35 ` [PATCH 05/10] zcache: mark zbud_init/zcache_comp_init as __init Xiao Guangrong
2012-06-19 8:35 ` Xiao Guangrong
2012-06-19 16:35 ` Seth Jennings
2012-06-19 16:35 ` Seth Jennings
2012-06-19 8:35 ` [PATCH 06/10] zcache: cleanup zbud_init Xiao Guangrong
2012-06-19 8:35 ` Xiao Guangrong
2012-06-19 8:35 ` [PATCH 07/10] zcache: optimize zcache_do_preload Xiao Guangrong
2012-06-19 8:35 ` Xiao Guangrong
2012-06-19 8:36 ` [PATCH 08/10] zcache: cleanup zcache_do_preload and zcache_put_page Xiao Guangrong
2012-06-19 8:36 ` Xiao Guangrong
2012-06-19 8:37 ` [PATCH 09/10] zcache: introduce get_zcache_client Xiao Guangrong
2012-06-19 8:37 ` Xiao Guangrong
2012-06-19 8:37 ` [PATCH 10/10] cleanup the code between tmem_obj_init and tmem_obj_find Xiao Guangrong
2012-06-19 8:37 ` Xiao Guangrong
2012-06-19 16:49 ` Seth Jennings [this message]
2012-06-19 16:49 ` Seth Jennings
2012-06-20 2:53 ` Xiao Guangrong
2012-06-20 2:53 ` Xiao Guangrong
2012-06-19 14:26 ` [PATCH 01/10] zcache: fix preemptable memory allocation in atomic context Seth Jennings
2012-06-19 14:26 ` Seth Jennings
2012-06-20 2:51 ` Xiao Guangrong
2012-06-20 2:51 ` Xiao Guangrong
2012-06-21 18:51 ` Seth Jennings
2012-06-21 18:51 ` Seth Jennings
2012-06-23 3:00 ` Greg Kroah-Hartman
2012-06-23 3:00 ` Greg Kroah-Hartman
2012-06-25 13:48 ` Seth Jennings
2012-06-25 13:48 ` Seth Jennings
2012-06-25 14:11 ` Greg Kroah-Hartman
2012-06-25 14:11 ` Greg Kroah-Hartman
2012-06-26 7:08 ` Xiao Guangrong
2012-06-26 7:08 ` Xiao Guangrong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FE0AD89.6000001@linux.vnet.ibm.com \
--to=sjenning@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=dan.magenheimer@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=xiaoguangrong@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.