Re: Dcache oops

From: Al Viro
Date: Fri Jun 03 2016 - 17:27:02 EST


On Fri, Jun 03, 2016 at 02:18:15PM -0700, Linus Torvalds wrote:

> So something must have corrupted the qstr.
>
> The remaining length *should* be in %edi, judging by the
>
> 0xffffffff81243b82 <+306>: cmp $0x7,%edi
>
> in the __d_lookup() disassembly. And %rdi contains 2, so there were
> supposed to be two more characters at 'ct' (which is %rdx).

... and since r8 and rsi are 0, we couldn't have consumed anything.
>
> Why would nd->last.name be bogus? I don't see anything.

An interesting part is that it's page-aligned. Which is impossible for
a short name obtained by getname(), but is quite likely for a symlink body.
So at a guess, we have a page containing a symlink body freed under us.