[Crash-utility] [PATCH] Report error for NULL list_head pointers

Dave Anderson anderson at redhat.com
Fri Mar 31 17:42:16 UTC 2017 


----- Original Message -----
> On Thu, Mar 30, 2017 at 03:13:27PM -0400, Dave Anderson wrote:
> > > If we hit a NULL next pointer on a struct list_head list it means the
> > > list is corrupted.

Thanks Rabin, queued for crash-7.1.9:

  https://github.com/crash-utility/crash/commit/a5ebe53b6b2a55ed64bf6f580e24edb76018ee48

Dave

  
> > 
> > Yeah, that is true -- although it's always been this way and there's never
> > been a bug report.  I'm curious as to what happened in your case where
> > you discovered this?
> 
> I received a dump where the kernel had crashed while iterating through a
> linked list.  We read out the list in crash and it was certainly
> corrupted:
> 
>  crash-arm> list -xH 0x7f047394
>  be44f544
>  8ff69004
>  8ff69f04
>  8ff693c4
>  8ffe0e44
>  8ffe0244
>  ...
>  8ffb53c4
>  be448b44
>  8fc2c3c4
>  8fc2c0c4
>  8fc2c604
>  8fc2cf04
>  ffff
>  list: invalid kernel virtual address: ffff  type: "list entry"
>  crash-arm>
> 
> Further investigation led us to suspect that this was not a simple case
> of a freed element still being on the list, but some other larger memory
> corruption.  We wanted to find out if there were more corrupted entries
> on this list, so we dumped the list in reverse using the .prev pointers:
> 
>  crash-arm> list -rxH 0x7f047394
>  b957fcc4
>  b957f0c4
>  b4d863c4
>  bad41904
>  bad416c4
>  bad41c04
>  bad41784
>  bad41544
>  be5f4b44
>  ...
>  8ff7de44
>  8f7a4c04
>  8f7a4f04
>  8fc2c9c4
>  8fc2c904
>  8fc2c784
>  8fc2ce44
>  crash-arm>
> 
> This, suprisingly, terminated succesfully.
> 
> However, a closer look at the addresses showed that the last elements of
> the reverse iteration are not the first elements of the forward
> iteration.  So crash had silently stopped iteration halfway into the
> list.  This was because the 8fc2ce44 element had a NULL prev pointer.
> 
>  crash-arm> struct list_head 8fc2ce44
>  struct list_head {
>    next = 0xffffffff,
>    prev = 0x0
>  }
> 
> Since crash knows that the list is corrupted, it would seem appropriate
> for it to alert the user to this fact instead of silently and
> succesfully terminating the iteration.
>

More information about the Crash-utility mailing list