Affected kernels - 3.14.0-0.rc3*:
- 3.14.0-0.rc3.git0.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
- 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
- 3.14.0-0.rc3.git2.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
- 3.14.0-0.rc3.git5.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
Memtest86+ 4.20 - OK http://goo.gl/1nm1nV
RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1067919
messages-Oops-es-3.14.0-0.rc3 https://bugzilla.redhat.com/attachment.cgi?id=865926
poma
On Fri, Feb 21, 2014 at 12:40 PM, poma pomidorabelisima@gmail.com wrote:
> Affected kernels - 3.14.0-0.rc3*:
> - 3.14.0-0.rc3.git0.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
> - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
> - 3.14.0-0.rc3.git2.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
> - 3.14.0-0.rc3.git5.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
> Memtest86+ 4.20 - OK http://goo.gl/1nm1nV
> RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1067919
> messages-Oops-es-3.14.0-0.rc3 https://bugzilla.redhat.com/attachment.cgi?id=865926
Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do not share events between notification groups) and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after free for permission events) introduced this regression.
CC'ing more guys.
On Fri 21-02-14 14:08:03, Richard Weinberger wrote:
> On Fri, Feb 21, 2014 at 12:40 PM, poma pomidorabelisima@gmail.com wrote:
> > Affected kernels - 3.14.0-0.rc3*:
> > - 3.14.0-0.rc3.git0.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
> > - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
> > - 3.14.0-0.rc3.git2.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
> > - 3.14.0-0.rc3.git5.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
> > Memtest86+ 4.20 - OK http://goo.gl/1nm1nV
> > RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1067919
> > messages-Oops-es-3.14.0-0.rc3 https://bugzilla.redhat.com/attachment.cgi?id=865926
> Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do not share events between notification groups) and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after free for permission events) introduced this regression.
So the immediate problem seems to be that event->tgid is 0xffffffff instead of a pointer. I don't see how this could be a use after free, and we unconditionally initialize event->tgid to something sensible. Hum, but if it is an overflow event, we are in trouble, since that doesn't have a ->tgid field at all, so we read random crap that happens to be beyond the event structure. Actually there seem to be more problems in the handling of the overflow event, so I'd better add that to my testing (both for fanotify and inotify). I'll work on the fix. Thanks for the report!
Honza
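The failure mode Jan describes above (a queue-overflow event allocated as the small base struct, then read through the larger fanotify view so that ->tgid lands beyond the allocation) is easy to model in user space. The following is an added example, not kernel code and not Jan's fix: the struct names and the FS_Q_OVERFLOW bit mirror the kernel, but the layouts are simplified (tgid is a plain int here, the kernel stores a struct pid pointer), and the accessors, allocators and demo functions are assumptions made for illustration. Filling the memory behind the base struct with 0xff reproduces the 0xffffffff value seen in the Oops, and the checked accessor shows the guard a reader of the event must apply before touching type-specific fields.

```c
/* Constructed model of the fsnotify/fanotify event layout discussed in the
 * thread (illustration only; not the kernel's own structs or fix). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FS_Q_OVERFLOW 0x00004000u   /* same bit the kernel uses for "queue overflowed" */
#define FAN_ACCESS    0x00000001u   /* a normal fanotify event mask, for the demo */

struct fsnotify_event {             /* base event: this is all the queue holds */
    unsigned int mask;
};

struct fanotify_event_info {        /* fanotify-specific event, base struct first */
    struct fsnotify_event fse;
    int tgid;                       /* simplified: kernel uses struct pid * */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Unsafe accessor: assumes every queued event is a fanotify_event_info.
 * For an overflow event this reads past the base struct. */
int tgid_unchecked(const struct fsnotify_event *fse)
{
    return container_of(fse, struct fanotify_event_info, fse)->tgid;
}

/* Checked accessor: an overflow event carries no tgid, so never dereference
 * beyond the base struct for it; 0 means "no originating task". */
int tgid_checked(const struct fsnotify_event *fse)
{
    if (fse->mask & FS_Q_OVERFLOW)
        return 0;
    return container_of(fse, struct fanotify_event_info, fse)->tgid;
}

/* Demo 1: place a base-only overflow event at the start of a buffer whose
 * remaining bytes are 0xff (standing in for whatever happens to follow the
 * real allocation). The unchecked read returns 0xffffffff, i.e. -1 as int,
 * matching the garbage tgid value reported in the thread. Reading stays
 * inside our own buffer, so the demo itself is well-defined. */
int demo_unchecked_overflow_read(void)
{
    unsigned char *buf = malloc(sizeof(struct fanotify_event_info));
    if (!buf)
        return 1;                   /* allocation failure: not the value under test */
    memset(buf, 0xff, sizeof(struct fanotify_event_info));
    struct fsnotify_event *overflow = (struct fsnotify_event *)buf;
    overflow->mask = FS_Q_OVERFLOW; /* only the base struct is "really" there */
    int seen = tgid_unchecked(overflow);
    free(buf);
    return seen;
}

/* Demo 2: the same overflow event through the checked accessor. */
int demo_checked_overflow_read(void)
{
    struct fsnotify_event overflow = { .mask = FS_Q_OVERFLOW };
    return tgid_checked(&overflow);
}

/* Demo 3: a normal fanotify event, where the tgid field genuinely exists. */
int demo_checked_normal_read(void)
{
    struct fanotify_event_info ev = { .fse.mask = FAN_ACCESS, .tgid = 4242 };
    return tgid_checked(&ev.fse);
}

int main(void)
{
    printf("unchecked read of overflow event: 0x%08x\n",
           (unsigned int)demo_unchecked_overflow_read());
    printf("checked read of overflow event  : %d\n", demo_checked_overflow_read());
    printf("checked read of normal event    : %d\n", demo_checked_normal_read());
    return 0;
}
```

Under KASAN, or ASan for a user-space port of the same pattern, the unchecked read of a heap-allocated base-only event is reported as a heap out-of-bounds access, which is the detection a tester would want in a regression suite that covers overflow events for both fanotify and inotify.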
On 21.02.2014 16:48, Jan Kara wrote:
> On Fri 21-02-14 14:08:03, Richard Weinberger wrote:
> > On Fri, Feb 21, 2014 at 12:40 PM, poma pomidorabelisima@gmail.com wrote:
> > > Affected kernels - 3.14.0-0.rc3*:
> > > - 3.14.0-0.rc3.git0.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
> > > - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
> > > - 3.14.0-0.rc3.git2.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
> > > - 3.14.0-0.rc3.git5.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
> > > Memtest86+ 4.20 - OK http://goo.gl/1nm1nV
> > > RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1067919
> > > messages-Oops-es-3.14.0-0.rc3 https://bugzilla.redhat.com/attachment.cgi?id=865926
> > Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do not share events between notification groups) and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after free for permission events) introduced this regression.
> So the immediate problem seems to be that event->tgid is 0xffffffff instead of a pointer. I don't see how this could be a use after free, and we unconditionally initialize event->tgid to something sensible. Hum, but if it is an overflow event, we are in trouble, since that doesn't have a ->tgid field at all, so we read random crap that happens to be beyond the event structure. Actually there seem to be more problems in the handling of the overflow event, so I'd better add that to my testing (both for fanotify and inotify). I'll work on the fix. Thanks for the report!
> Honza
The test completed successfully with '3.14-rc5'. Thanks, guys, and Jan for the patchwork!
poma
On Mon 03-03-14 20:13:00, poma wrote:
> On 21.02.2014 16:48, Jan Kara wrote:
> > On Fri 21-02-14 14:08:03, Richard Weinberger wrote:
> > > On Fri, Feb 21, 2014 at 12:40 PM, poma pomidorabelisima@gmail.com wrote:
> > > > Affected kernels - 3.14.0-0.rc3*:
> > > > - 3.14.0-0.rc3.git0.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=498711
> > > > - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
> > > > - 3.14.0-0.rc3.git2.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499061
> > > > - 3.14.0-0.rc3.git5.1 http://koji.fedoraproject.org/koji/buildinfo?buildID=499636
> > > > Memtest86+ 4.20 - OK http://goo.gl/1nm1nV
> > > > RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1067919
> > > > messages-Oops-es-3.14.0-0.rc3 https://bugzilla.redhat.com/attachment.cgi?id=865926
> > > Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do not share events between notification groups) and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after free for permission events) introduced this regression.
> > So the immediate problem seems to be that event->tgid is 0xffffffff instead of a pointer. I don't see how this could be a use after free, and we unconditionally initialize event->tgid to something sensible. Hum, but if it is an overflow event, we are in trouble, since that doesn't have a ->tgid field at all, so we read random crap that happens to be beyond the event structure. Actually there seem to be more problems in the handling of the overflow event, so I'd better add that to my testing (both for fanotify and inotify). I'll work on the fix. Thanks for the report!
> > Honza
> The test completed successfully with '3.14-rc5'. Thanks, guys, and Jan for the patchwork!
Thanks for testing and letting me know!
Honza
kernel@lists.fedoraproject.org