Re: BUG: unable to handle kernel paging request at 0000000100000003 - Oops: 0000 [#1] SMP
From: Jan Kara
Date: Fri Feb 21 2014 - 10:48:35 EST
On Fri 21-02-14 14:08:03, Richard Weinberger wrote:
> On Fri, Feb 21, 2014 at 12:40 PM, poma <pomidorabelisima@xxxxxxxxx> wrote:
> >
> > Affected kernels - 3.14.0-0.rc3*:
> >
> > - 3.14.0-0.rc3.git0.1
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
> >
> > - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
> >
> > - 3.14.0-0.rc3.git2.1
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
> >
> > - 3.14.0-0.rc3.git5.1
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
> >
> > Memtest86+ 4.20 - OK
> > http://goo.gl/1nm1nV
> >
> > RHBZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1067919
> >
> > messages-Oops-es-3.14.0-0.rc3
> > https://bugzilla.redhat.com/attachment.cgi?id=865926
>
> Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do
> not share events between notification groups)
> and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after
> free for permission events) introduced this regression.
So the immediate problem seems to be that event->tgid is 0xffffffff
instead of a pointer. I don't see how this could be use after free and we
unconditionally initialize event->tgid to something sensible. Hum, but if
it is an overflow event, we are in a trouble since that doesn't have ->tgid
field at all so we read random crap that happens to be beyond the event
structure. Actually there seem to be more problems in the handling of
overflow event so I better add that to my testing (both for fanotify and
inotify). I'll work on the fix. Thanks for report!
Honza
--
Jan Kara <jack@xxxxxxx>
SUSE Labs, CR
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/