From: Jane Chu <jane.chu@oracle.com>
To: Zhiqiang Liu <liuzhiqiang26@huawei.com>,
	"Verma, Vishal L" <vishal.l.verma@intel.com>
Cc: "linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
	linfeilong <linfeilong@huawei.com>
Subject: Re: [ndctl PATCH V2 0/8] fix serverl issues reported by Coverity
Date: Tue, 8 Dec 2020 16:20:06 -0800	[thread overview]
Message-ID: <c8a8a260-34c6-dbfc-1f19-25c23d01cb45@oracle.com> (raw)
In-Reply-To: <3211fe8a-33fb-37ca-e192-ad1f116f4acd@huawei.com>

Hi,

I actually just ran into the NULL deref issue that is fixed here.

But I have a question for the experts:
what might cause libndctl to run into the NULL deref like below?

Program terminated with signal 11, Segmentation fault.
#0  ndctl_pfn_get_bus (pfn=pfn@entry=0x0) at libndctl.c:5540
5540            return pfn->region->bus;

(gdb) print pfn
$1 = (struct ndctl_pfn *) 0x0
(gdb) frame 4
#4  0x000000000040ca70 in setup_namespace (region=region@entry=0x109d910,
     ndns=ndns@entry=0x10a7d40, p=p@entry=0x7ffd8ff73b90) at namespace.c:570
570                     try(ndctl_dax, set_uuid, dax, uuid);
(gdb) info locals
__rc = <optimized out>
dax = 0x0

What I did was to let 2 threads run "create-namespace all" in a tight
loop, and 2 other threads run "destroy-namespace all" in a tight loop,
while chasing a year old issue that randomly resurfaces -
"nd_region region1: allocation underrun: 0x0 of 0x40000000 bytes"

In addition, there are kmemleaks,
# cat /sys/kernel/debug/kmemleak
[..]
unreferenced object 0xffff976bd46f6240 (size 64):
   comm "ndctl", pid 23556, jiffies 4299514316 (age 5406.733s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 00 00 00 00 20 c3 37 00 00 00  .......... .7...
     ff ff ff 7f 38 00 00 00 00 00 00 00 00 00 00 00  ....8...........
   backtrace:
     [<00000000064003cf>] __kmalloc_track_caller+0x136/0x379
     [<00000000d85e3c52>] krealloc+0x67/0x92
     [<00000000d7d3ba8a>] __alloc_dev_dax_range+0x73/0x25c
     [<0000000027d58626>] devm_create_dev_dax+0x27d/0x416
     [<00000000434abd43>] __dax_pmem_probe+0x1c9/0x1000 [dax_pmem_core]
     [<0000000083726c1c>] dax_pmem_probe+0x10/0x1f [dax_pmem]
     [<00000000b5f2319c>] nvdimm_bus_probe+0x9d/0x340 [libnvdimm]
     [<00000000c055e544>] really_probe+0x230/0x48d
     [<000000006cabd38e>] driver_probe_device+0x122/0x13b
     [<0000000029c7b95a>] device_driver_attach+0x5b/0x60
     [<0000000053e5659b>] bind_store+0xb7/0xc3
     [<00000000d3bdaadc>] drv_attr_store+0x27/0x31
     [<00000000949069c5>] sysfs_kf_write+0x4a/0x57
     [<000000004a8b5adf>] kernfs_fop_write+0x150/0x1e5
     [<00000000bded60f0>] __vfs_write+0x1b/0x34
     [<00000000b92900f0>] vfs_write+0xd8/0x1d1


thanks,
-jane


On 11/24/2020 5:00 PM, Zhiqiang Liu wrote:
> Changes: V1->V2
> - add one empty line in 1/8 patch as suggested by Jeff Moyer <jmoyer@redhat.com>.
> 
> 
> Recently, we used Coverity to analyze the ndctl package.
> Several issues should be resolved to make Coverity happy.
> 
> Zhiqiang Liu (8):
>    namespace: check whether pfn|dax|btt is NULL in setup_namespace
>    lib/libndctl: fix memory leakage problem in add_bus
>    libdaxctl: fix memory leakage in add_dax_region()
>    dimm: fix potential fd leakage in dimm_action()
>    util/help: check whether strdup returns NULL in exec_man_konqueror
>    lib/inject: check whether cmd is created successfully
>    libndctl: check whether ndctl_btt_get_namespace returns NULL in
>      callers
>    namespace: check whether seed is NULL in validate_namespace_options
> 
>   daxctl/lib/libdaxctl.c |  3 +++
>   ndctl/dimm.c           | 12 +++++++-----
>   ndctl/lib/inject.c     |  8 ++++++++
>   ndctl/lib/libndctl.c   |  1 +
>   ndctl/namespace.c      | 23 ++++++++++++++++++-----
>   test/libndctl.c        | 16 +++++++++++-----
>   test/parent-uuid.c     |  2 +-
>   util/help.c            |  8 +++++++-
>   util/json.c            |  3 +++
>   9 files changed, 59 insertions(+), 17 deletions(-)
> 
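The crash above bottoms out in `ndctl_pfn_get_bus()` dereferencing a NULL `pfn` that `setup_namespace()` passed down through `try(ndctl_dax, set_uuid, dax, uuid)` with `dax == 0x0`. The following is an added, stand-alone C example (not code from ndctl or from either poster) that models the two call shapes side by side: a `try()`-style macro that trusts the device pointer, and the variant patch 1/8's title describes, which checks the pointer before the accessor chain runs. The struct layouts, the `try` macro, the `-ENXIO` return and the uuid string are all constructed stand-ins, not libndctl's real definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in types: libndctl's structures are opaque and far
 * larger. Only the fields on the crashing path are modelled. */
struct ndctl_bus    { const char *name; };
struct ndctl_region { struct ndctl_bus *bus; };
struct ndctl_pfn    { struct ndctl_region *region; char uuid[37]; };
struct ndctl_dax    { struct ndctl_pfn pfn; };   /* a dax is a pfn underneath */

/* Mirrors the shape of libndctl.c:5540 in the backtrace: an unconditional
 * two-level dereference, so pfn == NULL faults here. */
static struct ndctl_bus *ndctl_pfn_get_bus(struct ndctl_pfn *pfn)
{
    return pfn->region->bus;
}

static struct ndctl_bus *ndctl_dax_get_bus(struct ndctl_dax *dax)
{
    return ndctl_pfn_get_bus(&dax->pfn);
}

/* Hypothetical setter. The real ndctl_dax_set_uuid writes via sysfs; this
 * one only records the uuid, but like the real one it reaches the bus
 * first, which is where a NULL dax is dereferenced. */
static int ndctl_dax_set_uuid(struct ndctl_dax *dax, const char *uuid)
{
    if (!ndctl_dax_get_bus(dax))
        return -ENXIO;
    snprintf(dax->pfn.uuid, sizeof(dax->pfn.uuid), "%s", uuid);
    return 0;
}

/* A try() in the spirit of namespace.c:570 (assumed shape): call the
 * setter, and on error log and return from the caller. The __rc local
 * matches the one gdb showed as <optimized out>. */
#define try(prefix, op, dev, arg)                                           \
    do {                                                                    \
        int __rc = prefix##_##op(dev, arg);                                 \
        if (__rc) {                                                         \
            fprintf(stderr, "%s: %s failed: %d\n", __func__, #op, __rc);    \
            return __rc;                                                    \
        }                                                                   \
    } while (0)

/* Before: dax is taken on trust. If a concurrent destroy-namespace has
 * already torn the device down and dax is NULL, the setter faults. */
static int setup_namespace_unchecked(struct ndctl_dax *dax, const char *uuid)
{
    try(ndctl_dax, set_uuid, dax, uuid);
    return 0;
}

/* After: the pattern of "check whether pfn|dax|btt is NULL in
 * setup_namespace". Returning -ENXIO here is an assumption. */
static int setup_namespace_checked(struct ndctl_dax *dax, const char *uuid)
{
    if (!dax) {
        fprintf(stderr, "%s: dax device gone before setup\n", __func__);
        return -ENXIO;
    }
    try(ndctl_dax, set_uuid, dax, uuid);
    return 0;
}

/* Constructed fixture: one bus, one region, one dax on that region.
 * Both variants succeed when the device really exists. Returns 0 on
 * success, a negative errno otherwise. */
static int demo_happy_path(void)
{
    static const char *uuid = "e1d0b7c6-0000-4000-8000-000000000001"; /* constructed */
    struct ndctl_bus bus = { .name = "ndbus0" };
    struct ndctl_region region = { .bus = &bus };
    struct ndctl_dax dax = { .pfn = { .region = &region, .uuid = "" } };
    int rc;

    if ((rc = setup_namespace_unchecked(&dax, uuid)) != 0)
        return rc;
    if ((rc = setup_namespace_checked(&dax, uuid)) != 0)
        return rc;
    return strcmp(dax.pfn.uuid, uuid) == 0 ? 0 : -EINVAL;
}

/* The race outcome from the report: the device pointer is NULL. Only the
 * checked variant is safe to call here; it reports -ENXIO instead of
 * dying with SIGSEGV. */
static int demo_null_dax(void)
{
    return setup_namespace_checked(NULL, "e1d0b7c6-0000-4000-8000-000000000001");
}

int main(void)
{
    printf("valid dax : rc=%d\n", demo_happy_path());
    printf("NULL dax  : rc=%d (-ENXIO=%d)\n", demo_null_dax(), -ENXIO);
    return 0;
}
```

The check in `setup_namespace_checked()` turns a crash into a reportable error, which is what a race between `create-namespace all` and `destroy-namespace all` needs at the tool layer; the underlying `allocation underrun` and kmemleak reports live in the kernel and are not addressed by this example.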