https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c17

--- Comment #17 from Takashi Iwai <tiwai@suse.com> 2014-07-25 13:13:18 UTC ---

OK, I finally understood what went wrong. Indeed, this happens only on 32bit.

The function ulist_add_merge() takes a u64 pointer as old_aux. This replaces the content of the old_aux pointer with the old aux data. Meanwhile, the caller of this function passes a pointer to a pointer. Since the pointer is 32bit, writing a 64bit value corrupts the neighborhood. This leads to NULL in the adjacent list member, and hits the NULL dereference Oops in the end.

Why there are two hits: the first commit introduced a new call of ulist_add_merge(). With the second commit, it extends the search area and it casually triggers another call of ulist_add_merge() in find_parent_nodes().

A test fix patch is attached below. In this patch, I introduced a new function, ulist_add_merge_ptr(), for keeping the compatibility of ulist_add_merge(). But, since backref.c is the only user of ulist_add_merge(), we may change ulist_add_merge() itself to take the pointer for aux, instead, too.
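The width mismatch comment #17 describes, modelled as an added example that is not part of the bug report, the attached patch, or the btrfs code: a callee that believes its out-parameter is a u64 writes 8 bytes, while the caller handed it the address of a pointer that is only 4 bytes wide on a 32-bit build, so the high half of the u64 (zero, because the stored value is a zero-extended 32-bit pointer) lands on whatever sits next in memory. The model uses a uint32_t (ptr32_t) to stand in for the 32-bit pointer so it runs on any host; struct and function names are hypothetical, the sentinel and aux values are constructed, and the "neighbour becomes 0" result assumes a little-endian host (on big-endian the two halves swap, but the neighbour is still clobbered). The fixed variant takes the pointer-sized slot and converts, which is the shape of the ulist_add_merge_ptr() wrapper the comment mentions, not its code.

```c
/* Added example modelling the 32-bit width mismatch from comment #17.
 * Not btrfs code: ptr32_t stands in for a pointer on a 32-bit build,
 * names are hypothetical, values are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t u64;
typedef uint32_t ptr32_t;            /* a pointer as the 32-bit build sees it */

#define LIST_SENTINEL 0xCAFEBABEu    /* constructed: the neighbour's original value */
#define STORED_AUX    0x0BADC0DEull  /* constructed: a 32-bit pointer zero-extended to u64 */

/* Caller-side layout: the variable whose address gets passed, and the
 * member that happens to sit right after it in memory. */
struct caller_vars {
    ptr32_t old_parent;   /* caller passes (u64 *)&old_parent */
    ptr32_t list_next;    /* the neighbour that ends up NULL */
};

/* Buggy contract: callee believes old_aux points at 8 writable bytes.
 * memcpy keeps the model well-defined; a plain *old_aux = aux store
 * produces the same bytes. */
static void merge_u64(u64 *old_aux, u64 aux)
{
    memcpy(old_aux, &aux, sizeof aux);
}

/* Fixed contract: callee is told the real width of the destination and
 * writes only sizeof(ptr32_t) bytes. */
static void merge_ptr(ptr32_t *old_aux, u64 aux)
{
    ptr32_t narrow = (ptr32_t)aux;   /* low 32 bits: the pointer value on this build */
    memcpy(old_aux, &narrow, sizeof narrow);
}

/* Returns 1 if the buggy call changed list_next, i.e. corrupted the neighbour. */
int buggy_call_clobbers_neighbour(void)
{
    struct caller_vars v = { .old_parent = 0, .list_next = LIST_SENTINEL };
    merge_u64((u64 *)&v.old_parent, STORED_AUX);   /* the 32-bit-only bug */
    return v.list_next != LIST_SENTINEL;
}

/* Value of list_next after the buggy call. On a little-endian host this is
 * the zero high half of the u64: the "NULL in the adjacent list member". */
ptr32_t neighbour_after_buggy_call(void)
{
    struct caller_vars v = { .old_parent = 0, .list_next = LIST_SENTINEL };
    merge_u64((u64 *)&v.old_parent, STORED_AUX);
    return v.list_next;
}

/* Returns 1 if the fixed call stored the aux value and left list_next intact. */
int fixed_call_preserves_neighbour(void)
{
    struct caller_vars v = { .old_parent = 0, .list_next = LIST_SENTINEL };
    merge_ptr(&v.old_parent, STORED_AUX);
    return v.list_next == LIST_SENTINEL && v.old_parent == (ptr32_t)STORED_AUX;
}

int main(void)
{
    printf("buggy call clobbers neighbour: %d (list_next now 0x%08x)\n",
           buggy_call_clobbers_neighbour(), (unsigned)neighbour_after_buggy_call());
    printf("fixed call preserves neighbour: %d\n", fixed_call_preserves_neighbour());
    return 0;
}
```

On a 64-bit build the cast in the caller is harmless because sizeof(void *) == sizeof(u64), which is why the comment reports the Oops only on 32bit; a compile-time size check at the call site, or an out-parameter typed to the pointer the caller actually owns as in the fixed variant, catches the mismatch on every architecture rather than only where it happens to corrupt a list pointer.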