From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Adrian Bunk <bunk@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Natalie Protasevich <protasnb@gmail.com>,
Shirish Pargaonkar <shirishp@us.ibm.com>,
Steve French <sfrench@us.ibm.com>
Subject: Re: 2.6.30-rc6: Reported regressions from 2.6.29
Date: Sat, 16 May 2009 16:44:28 -0700 (PDT)
Message-ID: <alpine.LFD.2.01.0905161632160.3301@localhost.localdomain>
In-Reply-To: <_AjETDMbIoL.A.DcH.RYzDKB@chimera>
On Sat, 16 May 2009, Rafael J. Wysocki wrote:
>
> Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=13329
> Subject : cifs_close: NULL pointer dereference
> Submitter : Luca Tettamanti <kronos.it@gmail.com>
> Date : 2009-05-16 16:28 (1 days old)
> References : http://marc.info/?l=linux-kernel&m=124249133701702&w=4
The code in this one decodes to
0: 89 ef mov %ebp,%edi
2: 45 31 e4 xor %r12d,%r12d
5: e8 f3 63 e7 df callq 0xffffffffdfe763fd
a: 41 bd 0a 00 00 00 mov $0xa,%r13d
10: 48 c7 c7 c4 6b 61 a0 mov $0xffffffffa0616bc4,%rdi
17: e8 b3 7f e7 df callq 0xffffffffdfe77fcf
1c: 48 8b 53 10 mov 0x10(%rbx),%rdx
20: 48 8b 43 18 mov 0x18(%rbx),%rax
24: 48 c7 c7 c4 6b 61 a0 mov $0xffffffffa0616bc4,%rdi
2b:* 48 89 42 08 mov %rax,0x8(%rdx) <-- trapping instruction
2f: 48 89 10 mov %rdx,(%rax)
32: 48 c7 43 18 00 02 20 movq $0x200200,0x18(%rbx)
39: 00
3a: 48 8b 13 mov (%rbx),%rdx
which seems to match (modulo normal compiler issues):
movq -56(%rbp), %rdi # %sfp,
call mutex_unlock #
movq $GlobalSMBSeslock, %rdi #,
call _write_lock #
movq 16(%rbx), %rdx # <variable>.flist.next, D.47095
movq 24(%rbx), %rax # <variable>.flist.prev, D.47094
movq %rax, 8(%rdx) # D.47094, <variable>.prev
movq %rdx, (%rax) # D.47095, <variable>.next
movq $2097664, 24(%rbx) #, <variable>.flist.prev
movq (%rbx), %rdx # <variable>.tlist.next, D.47099
which I think ends up being this code:
mutex_unlock(&pSMBFile->lock_mutex);
write_lock(&GlobalSMBSeslock);
list_del(&pSMBFile->flist);
i.e. 'pSMBFile->flist.next' looks to be zero. Either uninitialized or
perhaps a use-after-free thing..
We have commit 90e4ee5d31 "[CIFS] Fix double list addition in cifs posix
open code" that touches exactly that 'flist' thing, and removes the thing
that adds it to the list because it's _claimed_ to be a "double add". It
probably wasn't.
The bug reporter says:
> The machine is running kernel from git (1d80cac - almost rc6)
and that 1d80cac is _after_ 90e4ee5d31. So I do think 90e4ee5d31 is buggy.
Linus
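The following is an added example and is not part of Linus's mail or of the kernel tree: a small user-space re-implementation of the kernel's list_head primitives that reproduces the failure mode diagnosed above (a zeroed, never-added 'flist' handed to list_del()) and shows what a checked variant in the spirit of CONFIG_DEBUG_LIST would have reported instead of trapping. The struct name 'smb_file' and its two-hook layout (tlist at offset 0, flist at offset 16) are assumptions inferred from the (%rbx), 16(%rbx) and 24(%rbx) accesses in the disassembly; the poison values are the x86-64 constants, the second of which (0x200200) is visible in the trapping sequence.

```c
/*
 * Added example, not from the original mail or the kernel tree: a minimal
 * user-space model of the kernel's doubly linked list_head and list_del(),
 * used to show why a zeroed (never list_add()ed) flist traps at
 * 'next->prev = prev' and how a validity check would have reported it.
 * Poison constants are the x86-64 values (0x200200 is visible in the oops);
 * struct smb_file and its field layout are illustrative assumptions only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIST_POISON1 ((struct list_head *)0x00100100UL)
#define LIST_POISON2 ((struct list_head *)0x00200200UL)

struct list_head {
    struct list_head *next, *prev;
};

/* Assumed layout: tlist at (%rbx), flist at 16(%rbx)/24(%rbx) as in the oops. */
struct smb_file {
    struct list_head tlist;   /* offset 0  */
    struct list_head flist;   /* offset 16 */
};

enum list_del_result {
    LIST_DEL_OK = 0,
    LIST_DEL_NEVER_ADDED,     /* next/prev are NULL: zeroed, never list_add()ed */
    LIST_DEL_ALREADY_DELETED, /* next/prev carry the poison values: double del */
    LIST_DEL_CORRUPT,         /* neighbours do not point back at this entry */
};

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
    struct list_head *next = head->next;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
}

/* Unchecked kernel-style primitive: with entry->next == NULL the first store
 * goes to address offsetof(struct list_head, prev) == 8, the NULL deref seen
 * at 'mov %rax,0x8(%rdx)' in the oops. */
static void list_del_unchecked(struct list_head *entry)
{
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    entry->next = LIST_POISON1;
    entry->prev = LIST_POISON2;
}

/* Checked variant: classify the bad states suspected in the mail
 * (uninitialised or already removed) instead of faulting. */
static enum list_del_result list_del_checked(struct list_head *entry)
{
    if (entry->next == NULL || entry->prev == NULL)
        return LIST_DEL_NEVER_ADDED;
    if (entry->next == LIST_POISON1 || entry->prev == LIST_POISON2)
        return LIST_DEL_ALREADY_DELETED;
    if (entry->next->prev != entry || entry->prev->next != entry)
        return LIST_DEL_CORRUPT;
    list_del_unchecked(entry);
    return LIST_DEL_OK;
}

/* Address the store 'next->prev = prev' touches for a given flist.next value. */
static uintptr_t faulting_address(const struct list_head *next)
{
    return (uintptr_t)next + offsetof(struct list_head, prev);
}

/* Run the three scenarios; returns how many behaved as expected (5 checks). */
static int demo(void)
{
    struct list_head open_files;  /* stands in for the per-session file list */
    struct smb_file f;
    int ok = 0;

    init_list_head(&open_files);
    memset(&f, 0, sizeof f);      /* kzalloc()-like: flist.next == NULL */

    /* 1. Never added (the state a dropped list_add leaves), then list_del(). */
    ok += list_del_checked(&f.flist) == LIST_DEL_NEVER_ADDED;
    ok += faulting_address(f.flist.next) == 8;

    /* 2. Proper pairing: add once, delete once, list ends up empty. */
    list_add(&f.flist, &open_files);
    ok += list_del_checked(&f.flist) == LIST_DEL_OK;
    ok += open_files.next == &open_files && open_files.prev == &open_files;

    /* 3. Deleting the same entry twice is caught by the poison values. */
    ok += list_del_checked(&f.flist) == LIST_DEL_ALREADY_DELETED;
    return ok;
}

int main(void)
{
    printf("%d/5 scenarios behaved as expected\n", demo());
    return 0;
}
```

The point of the checked variant is diagnostic, not a fix: a removed list_add() still has to be put back where it belongs, but a NEVER_ADDED report names the defect directly, whereas the unchecked list_del() only leaves the oops above to be decoded by hand.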