From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from e5.ny.us.ibm.com (e5.ny.us.ibm.com [32.97.182.145]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "e5.ny.us.ibm.com", Issuer "Equifax" (verified OK)) by ozlabs.org (Postfix) with ESMTP id 0095CDDE3E for ; Sat, 14 Jul 2007 06:05:34 +1000 (EST) Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e5.ny.us.ibm.com (8.13.8/8.13.8) with ESMTP id l6DK5Gfh009999 for ; Fri, 13 Jul 2007 16:05:16 -0400 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v8.4) with ESMTP id l6DK5GRs474432 for ; Fri, 13 Jul 2007 16:05:16 -0400 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id l6DK5GYi009061 for ; Fri, 13 Jul 2007 16:05:16 -0400 Date: Fri, 13 Jul 2007 15:05:15 -0500 To: "Eric W. Biederman" , linux-kernel@vger.kernel.org Subject: [PATCH] crash in 2.6.22-git2 sysctl_set_parent() Message-ID: <20070713200515.GS5549@austin.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: linas@austin.ibm.com (Linas Vepstas) Cc: linuxppc-dev@ozlabs.org, netdev@vger.kernel.org List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , This is a patch (& bug report) for a crash in sysctl_set_parent() in 2.6.22-git2. Problem: 2.6.22-git2 crashes with a stack trace [c000000001d0fb00] c000000000067b4c .sysctl_set_parent+0x48/0x7c [c000000001d0fb90] c000000000069b40 .register_sysctl_table+0x7c/0xf4 [c000000001d0fc30] c00000000065e710 .devinet_init+0x88/0xb0 [c000000001d0fcc0] c00000000065db74 .ip_rt_init+0x17c/0x32c [c000000001d0fd70] c00000000065deec .ip_init+0x10/0x34 [c000000001d0fdf0] c00000000065e898 .inet_init+0x160/0x3dc [c000000001d0fea0] c000000000630bc4 .kernel_init+0x204/0x3c8 A bit of poking around makes it clear what the problem is: In sysctl_set_parent(), the for loop for (; table->ctl_name || table->procname; table++) { walks off the end of the table, and into garbage. Basically, this for-loop iterator expects all table arrays to be "null terminated". However, net/ipv4/devinet.c statically declares an array that is not null-terminated. The patch below fixes that; it works for me. Its somewhat conservative; if one wishes to assume that the compiler will always zero out the empty parts of the structure, then this pach can be shrunk to one line: + ctl_table devinet_root_dir[3]; Signed-off-by: Linas Vepstas ---- I tried to audit some of the code to see where else there might be similar badly-formed static declarations. This is hard, as there's a lot of code. Most seems fine. net/core/neighbour.c | 4 ++++ net/ipv4/devinet.c | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) Index: linux-2.6.22-git2/net/ipv4/devinet.c =================================================================== --- linux-2.6.22-git2.orig/net/ipv4/devinet.c 2007-07-13 14:23:21.000000000 -0500 +++ linux-2.6.22-git2/net/ipv4/devinet.c 2007-07-13 14:24:15.000000000 -0500 @@ -1424,7 +1424,7 @@ static struct devinet_sysctl_table { ctl_table devinet_dev[2]; ctl_table devinet_conf_dir[2]; ctl_table devinet_proto_dir[2]; - ctl_table devinet_root_dir[2]; + ctl_table devinet_root_dir[3]; } devinet_sysctl = { .devinet_vars = { DEVINET_SYSCTL_COMPLEX_ENTRY(FORWARDING, "forwarding", @@ -1493,8 +1493,13 @@ static struct devinet_sysctl_table { .data = &ipv4_devconf.loop, .maxlen = sizeof(int), .mode = 0644, + .child = 0x0, .proc_handler = &proc_dointvec, }, + { + .ctl_name = 0, + .procname = 0, + }, }, };