https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c17
--- Comment #17 from Takashi Iwai 2014-07-25 13:13:18 UTC ---
OK, I finally understood what went wrong. Indeed, this happens only on 32bit.
The function ulist_add_merge() takes a u64 pointer as old_aux and replaces the
content of the old_aux pointer with the old aux data. Meanwhile, the caller of
this function passes a pointer to a pointer. Since the pointer is 32bit,
writing a 64bit value corrupts the neighborhood. This leads to a NULL in the
adjacent list member, and hits the NULL dereference Oops in the end.
Why there are two hits: the first commit introduced a new call of
ulist_add_merge(). The second commit extends the search area and
casually triggers another call of ulist_add_merge() in find_parent_nodes().
A test fix patch is attached below. In this patch, I introduced a new
function, ulist_add_merge_ptr(), to keep compatibility of
ulist_add_merge(). But since backref.c is the only user of ulist_add_merge(),
we may instead change ulist_add_merge() itself to take a pointer for aux,
too.
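The mechanism described in the comment, as an added, constructed model that is not btrfs code and not Takashi Iwai's attached patch: a 32-bit pointer is represented as a uint32_t so the 8-byte write can be reproduced on a 64-bit host. The struct frame32 layout, the OLD_AUX value, and the model_add_merge()/model_add_merge_ptr() functions are all assumptions standing in for the caller's pointer variable, its neighbouring list member, and the two ulist functions named above; a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 32-bit layout (not btrfs code): on a 32-bit
 * build a pointer is 4 bytes, so the caller's "pointer to aux" variable
 * is modelled as a uint32_t with another 4-byte member right behind it,
 * standing in for the list member that ended up NULL in the report.
 * Assumes a little-endian host, so the low half of a u64 lands first. */
struct frame32 {
    uint32_t aux_ptr;   /* the pointer variable the caller passes by address */
    uint32_t neighbor;  /* the adjacent member; must survive the call */
};

/* Model of ulist_add_merge(): reports the old aux through a u64 pointer,
 * so it stores 8 bytes whatever the caller's variable really is.
 * memcpy is used for the store so the model itself stays free of
 * aliasing undefined behaviour while reproducing the 8-byte write. */
static void model_add_merge(uint64_t old_aux_val, uint64_t *old_aux)
{
    if (old_aux)
        memcpy(old_aux, &old_aux_val, sizeof *old_aux);
}

/* Model of the ulist_add_merge_ptr() idea from the comment: the
 * out-parameter is pointer-sized, so only 4 bytes are written on 32-bit. */
static void model_add_merge_ptr(uint64_t old_aux_val, uint32_t *old_aux)
{
    if (old_aux)
        *old_aux = (uint32_t)old_aux_val;
}

/* Constructed aux value: a 32-bit pointer zero-extended into a u64, which
 * is how a pointer stored as aux looks on a 32-bit kernel. The zero upper
 * half is exactly what lands on the neighbour and becomes the NULL. */
#define OLD_AUX 0x00000000DEADBEEFull

/* The buggy pattern: the caller's 4-byte pointer variable is handed over
 * as "u64 *", so the callee's 8-byte store spills into the neighbour. */
struct frame32 buggy_call(void)
{
    _Alignas(8) struct frame32 f = { .aux_ptr = 0x11111111u, .neighbor = 0xCAFEBABEu };
    model_add_merge(OLD_AUX, (uint64_t *)&f.aux_ptr);
    return f;                       /* f.neighbor is now 0: the "NULL" */
}

/* The fixed pattern: a pointer-sized out-parameter, so neighbor is untouched. */
struct frame32 fixed_call(void)
{
    struct frame32 f = { .aux_ptr = 0x11111111u, .neighbor = 0xCAFEBABEu };
    model_add_merge_ptr(OLD_AUX, &f.aux_ptr);
    return f;
}

int main(void)
{
    struct frame32 b = buggy_call(), g = fixed_call();
    printf("buggy: aux_ptr=%08x neighbor=%08x\n", b.aux_ptr, b.neighbor);
    printf("fixed: aux_ptr=%08x neighbor=%08x\n", g.aux_ptr, g.neighbor);
    return 0;
}
```

The buggy variant leaves aux_ptr holding the expected old value, which is why the corruption is silent at the call site; only the neighbouring member, now zero, betrays it later as a NULL dereference. The same code compiled for a real 64-bit target would not show the problem, since there the pointer variable really is 8 bytes, matching the comment's observation that the Oops is 32bit-only.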