by xja 3447 days ago
As far as I can tell it appears to be a classic use of an uninitialized pointer.

Are there not static analysis tools routinely used against Linux that should have caught this?

Or runtime memory access detection, like valgrind.

I know both might be slow on a project the size the Linux kernel, but it seems worth it.


You can't run valgrind on the kernel (not because of the speed, but because of the way valgrind works, it's not technically feasible), but even if you could, the bad access only occurred when the particular type of packet was received. The kernel panic essentially was the kernel's run-time bad access detection triggering.

You can run the kernel in userspace so that valgrind can attach to it.
It was done for UML kernel 2.6 with patches: http://web.archive.org/web/20100126181646/http://uml.jfdi.or... .

But today, it's impossible:

http://marc.info/?l=user-mode-linux-user&m=140187124116532&w...

> > So, is it possible to run linux (>3.12) with valgrind? If yes, how to do it?

> No.

> A long time ago it was possible after applying a patch to both UML and valgrind.

But why would you want to? There's kasan, which is faster and catches more bug classes.
It was caught with syzkaller and KASAN. syzkaller is a kernel fuzzing tool, KASAN is "like valgrind, but for the kernel" (the kernel version of address sanitizer. In general I like to describe address sanitizer as "like valgrind, just better".)

Neat! I wonder why they're not part of kernel release tests.

100% code coverage for symbolic execution of the kernel seems a bit optimistic, no?