On 21.02.2014 16:48, Jan Kara wrote:
> On Fri 21-02-14 14:08:03, Richard Weinberger wrote:
>> On Fri, Feb 21, 2014 at 12:40 PM, poma <pomidorabelisima(a)gmail.com>
>>> Affected kernels - 3.14.0-0.rc3*:
>>> - 3.14.0-0.rc3.git0.1
>>> - 3.14.0-0.rc3.git0.7 based on 3.14.0-0.rc3.git0.1
>>> - 3.14.0-0.rc3.git2.1
>>> - 3.14.0-0.rc3.git5.1
>>> Memtest86+ 4.20 - OK
>> Maybe commits 7053aee26a3548ebaba046ae2e52396ccf56ac6c (fsnotify: do
>> not share events between notification groups)
>> and 85816794240b9659e66e4d9b0df7c6e814e5f603 (fanotify: Fix use after
>> free for permission events) introduced this regression.
> So the immediate problem seems to be that event->tgid is 0xffffffff
> instead of a pointer. I don't see how this could be use after free and we
> unconditionally initialize event->tgid to something sensible. Hum, but if
> it is an overflow event, we are in trouble since that doesn't have ->tgid
> field at all so we read random crap that happens to be beyond the event
> structure. Actually there seem to be more problems in the handling of
> overflow event so I better add that to my testing (both for fanotify and
> inotify). I'll work on the fix. Thanks for the report!
The test completed successfully with '3.14-rc5'.
Thanks guys, Jan for the patchwork!
Thanks for testing and letting me know!
Jan Kara <jack(a)suse.cz>
SUSE Labs, CR
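The failure Jan describes above (an overflow event is only the base fsnotify event, so reading `->tgid` from it reads past the end of the allocation) is shown below in a small user-space model. This is an added example written for this thread, not kernel code and not Jan's fix: the struct layouts are stripped down to the base-plus-extension shape that matters, `tgid` is modelled as a plain integer rather than a `struct pid *`, the union and the 0xff fill are constructed so the out-of-bounds read stays inside a known buffer, and `FS_Q_OVERFLOW` is used only as the mask bit that marks an overflow event. The "unchecked" accessor is the buggy pattern; the "checked" one looks at the mask before touching fields that only the larger struct has.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the two event layouts discussed in the
 * thread. Assumption: the real kernel structs carry more fields; only the
 * "base event" vs "base event plus extra fields" shape matters here. */
#define FS_Q_OVERFLOW 0x00004000u      /* fsnotify "event queue overflowed" bit */

struct fsnotify_event {                /* base event: all an overflow event has */
    uint32_t mask;
};

struct fanotify_event_info {           /* normal fanotify event: base + extras */
    struct fsnotify_event fse;
    unsigned long tgid;                /* modelled as an integer, not a struct pid * */
};

/* Buggy pattern: treat every queued event as the larger struct. For an
 * overflow event the tgid field lies past the end of the allocation. */
static unsigned long tgid_unchecked(const struct fsnotify_event *ev)
{
    const struct fanotify_event_info *info = (const struct fanotify_event_info *)ev;
    return info->tgid;
}

/* Hardened pattern: consult the mask before touching fields that only
 * exist in the larger struct. Returns -1 (and leaves *tgid alone) for an
 * overflow event, 0 otherwise. */
static int tgid_checked(const struct fsnotify_event *ev, unsigned long *tgid)
{
    if (ev->mask & FS_Q_OVERFLOW)
        return -1;
    *tgid = ((const struct fanotify_event_info *)ev)->tgid;
    return 0;
}

/* Storage for an overflow event followed by 0xff bytes, standing in for
 * whatever memory happens to follow the short kernel allocation. The union
 * keeps the bytes aligned for the larger struct. */
static union {
    unsigned char bytes[sizeof(struct fanotify_event_info)];
    struct fanotify_event_info info;
} poisoned;

static const struct fsnotify_event *make_overflow_event(void)
{
    memset(&poisoned, 0xff, sizeof poisoned);
    poisoned.info.fse.mask = FS_Q_OVERFLOW;   /* only the base fields are valid */
    return &poisoned.info.fse;
}

/* 1 if the unchecked read returns the all-ones garbage while the checked
 * accessor refuses the overflow event; 0 otherwise. */
static int overflow_event_demo(void)
{
    const struct fsnotify_event *ev = make_overflow_event();
    unsigned long t = 0;
    unsigned long garbage = tgid_unchecked(ev);
    int rc = tgid_checked(ev, &t);
    return garbage == ~0UL && rc == -1 && t == 0;
}

/* A normal event passes the check and yields its real tgid (constructed value). */
static unsigned long normal_event_demo(void)
{
    struct fanotify_event_info normal = { .fse = { .mask = 0 }, .tgid = 4242UL };
    unsigned long t = 0;
    if (tgid_checked(&normal.fse, &t) != 0)
        return 0;
    return t;
}

int main(void)
{
    printf("overflow event: unchecked read is garbage, checked read refused -> %s\n",
           overflow_event_demo() ? "yes" : "no");
    printf("normal event tgid via checked accessor: %lu\n", normal_event_demo());
    return 0;
}
```

The all-ones value the unchecked accessor returns is the model's counterpart of the `0xffffffff` Jan saw in `event->tgid`: the bytes past the base struct are simply whatever the neighbouring memory holds. The general point carries over to any code that queues a short "base" record alongside longer extended records on one list: the consumer has to dispatch on the record's type or mask before reading extension fields, and the test for the short record must be the first thing the accessor does.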