[Netnice-kernels] socket->so_vifnet invalid pointers
From: Scott B. <sco...@ve...> - 2004-10-21 20:39:39
Hi, I am running into a problem implementing the nnfs_socketfd_readdir operation in the /nnfs/procs/<pid>/sockets/<fd>/ directories. This operation corresponds to the FreeBSD function nnfs_readdir with node id type Pso_dir. It seems that some of the struct socket objects have so_vifnet pointers that are not valid. Dereferencing these pointers leads to kernel faults. I am guessing that this is a problem with the incomplete netnice internals. In the dump appended below, notice that the crash occurs when the address 676f6c2e is dereferenced; this address is almost certainly garbage: read as little-endian ASCII its bytes are ".log", which looks like stale or never-initialized memory rather than a pointer to a freed pvifnet, and the faulting address 676f6c32 is pvif+4, i.e. the read of pvif->dev. Note also that the socket that crashes differs from the ones that succeed (state 3 / sk_state 1 versus state 1 / sk_state 10), so whatever code path creates that kind of socket may simply never set so_vifnet. Here is a code snapshot from nnfs_socketfd_readdir: static int nnfs_socketfd_readdir(struct file * filep, void * dirent, filldir_t filldir) { unsigned int pos = filep->f_pos; struct dentry * dentry = filep->f_dentry; char *endp; int fd = simple_strtol(dentry->d_name.name,&endp,10); int pid = (int) dentry->d_inode->u.generic_ip; struct task_struct * task; struct inode * inode; struct socket * socket; struct files_struct * files; struct file * file; struct pvifnet * pvif = 0; ino_t ino; switch(pos) { case 0: ino = dentry->d_inode->i_ino; if (filldir(dirent,".",1,0,ino,DT_DIR) < 0) { printk("filldir error\n"); } filep->f_pos++; return 0; case 1: ino = parent_ino(dentry); if (filldir(dirent,"..",2,1,ino,DT_DIR) < 0) { printk("filldir error\n"); } filep->f_pos++; return 0; } task = find_task_by_pid(pid); if (!task) { printk("no task for pid %d\n",pid); return 0; } files = get_files_struct(task); if (!files) { printk("no files for task %d\n",pid); return 0; } spin_lock(&files->file_lock); file = fcheck_files(files,fd); if (!file) { goto out; } inode = file->f_dentry->d_inode; if (!inode || !inode->i_sock || !(socket = SOCKET_I(inode))) { goto out; } pvif = (struct pvifnet *) socket->so_vifnet; if (pvif) { printk("readdir pid %d fd %d pvif %p state %d sk_state %d\n", pid,fd,pvif,socket->state,socket->sk->sk_state); /* crash here due to memory fault */ printk("found pvifnet %s\n",pvif->dev->name); } 
out: spin_unlock(&files->file_lock); put_files_struct(files); return 0; } This crash occurs consistently when doing an ls -R /nnfs. Two things are worth noting about the snippet. First, nothing in the readdir path can validate a raw pointer pulled out of so_vifnet (the NULL check only catches a field that was explicitly cleared), so the fix has to be at the source: so_vifnet must be zeroed wherever a struct socket is allocated and cleared again when the pvifnet is detached; until that is done, anyone permitted to list /nnfs can oops the kernel, i.e. this is a local denial of service and not just a debugging nuisance. Second, find_task_by_pid() is called here without read_lock(&tasklist_lock) or a get_task_struct() reference, so a process exiting in the middle of the readdir could hand the function a freed task_struct as well, which would produce the same kind of fault on a different line. This is a dump of the kernel log messages: Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1955 fd 3 pvif f1c846c8 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1955 fd 4 pvif f1c84688 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1956 fd 3 pvif f1c846c8 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1956 fd 4 pvif f1c84688 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1957 fd 3 pvif f1c846c8 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1957 fd 4 pvif f1c84688 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1958 fd 3 pvif f1c846c8 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1958 fd 4 pvif f1c84688 state 1 sk_state 10 Oct 21 13:25:43 tamarack kernel: found pvifnet eth0 Oct 21 13:25:43 tamarack kernel: readdir pid 1959 fd 4 pvif 676f6c2e state 3 sk_state 1 Oct 21 13:25:43 tamarack kernel: Unable to handle kernel paging request at virtual address 676f6c32 Oct 21 13:25:43 tamarack kernel: printing eip: Oct 21 13:25:43 tamarack kernel: f8977b67 Oct 21 13:25:43 tamarack kernel: *pde = 00000000 Oct 21 13:25:43 tamarack kernel: Oops: 0000 [#1] Oct 21 13:25:43 tamarack kernel: PREEMPT SMP Oct 21 13:25:43 tamarack kernel: Modules linked in: nnfs Oct 21 13:25:43 tamarack kernel: CPU: 0 Oct 21 13:25:43 tamarack kernel: EIP: 0060:[<f8977b67>] Not tainted Oct 21 13:25:43 tamarack kernel: EFLAGS: 00010286 
(2.6.7-nnice) Oct 21 13:25:43 tamarack kernel: EIP is at nnfs_socketfd_readdir+0xfa/0x23d [nnfs] Oct 21 13:25:43 tamarack kernel: eax: 00000037 ebx: f7bc7b80 ecx: c04320b4 edx: 00000286 Oct 21 13:25:43 tamarack kernel: esi: 00000002 edi: 676f6c2e ebp: eb7b3080 esp: e9c39f38 Oct 21 13:25:43 tamarack kernel: ds: 007b es: 007b ss: 0068 Oct 21 13:25:43 tamarack kernel: Process ls (pid: 3768, threadinfo=e9c39000 task=ef247290)