Problems with string (charp) module parameters

From: Takashi Iwai
Date: Tue Oct 13 2009 - 06:38:33 EST

Next message: Ingo Molnar: "Re: [PATCH] softlockup: keep current softlockup period beforetouching timestamp"
Previous message: Jani Nikula: "Re: [PATCH 1/6] Haptic: add haptic class"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Rusty,

While I tried to add some debug option to a driver, I found that a module
parameter taking a string (charp) gives Oops when set via sysfs:

BUG: unable to handle kernel paging request at ffffffff814c8d8a
IP: [<ffffffff8107b1ec>] param_set_charp+0x89/0xd0
PGD 1003067 PUD 1007063 PMD 11c10d063 PTE 80000000014c8161
Oops: 0003 [#1] SMP
...
Call Trace:
[<ffffffff8107a711>] param_attr_store+0x31/0x56
[<ffffffff8107a7b5>] module_attr_store+0x34/0x4c
[<ffffffff8117e300>] sysfs_write_file+0x101/0x151
[<ffffffff8111bf0c>] vfs_write+0xbc/0x195
[<ffffffff8134fb23>] ? do_page_fault+0x2e5/0x345
[<ffffffff8111c0d0>] sys_write+0x54/0x8f
[<ffffffff81011e82>] system_call_fastpath+0x16/0x1b

This seems happening only with a built-in driver, not with a module.
The Oops appears at line 227 in kernel/params.c (as of 2.6.32-rc4),

if (slab_is_available()) {
==> kp->flags |= KPARAM_KMALLOCED;
*(char **)kp->arg = kstrdup(val, GFP_KERNEL);
if (!kp->arg)
return -ENOMEM;

Puzzling. So I looked into the relevant code, and found some deeper
problems.

* Each struct kernel_param instance is defined as const, and is put
into __param section, which is read-only.
I guess this causes the page fault above. And...

* The above NULL check is invalid. It should be
if (!*(char **)kp->arg)
return -ENOMEM
This is easy, however...

* The handling of parameter array is pretty buggy now.
kp->perm and kp->flags aren't properly initialized in
param_array(). Thus, you might call kfree() with invalid pointers,
or pass a wrong type for bool.

The first item was overlooked because there was no writable field
before the kmalloc'ed string was introduced. And, the current code
still works somehow for charp with param_array() just because a struct
kernel_param on stack is used there. But, this is also a buggy
implementation due to the third point. We didn't hint a bug because
the charp array contain usually NULL.

So, the situation looks messy right now, not only about the section
issue. If we allow kmalloc of each parameter array element, the flag
must be associated to each element, not a global one to the array.

Thoughts?

thanks,

Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH] softlockup: keep current softlockup period beforetouching timestamp"
Previous message: Jani Nikula: "Re: [PATCH 1/6] Haptic: add haptic class"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]