Description of problem:

This command sequence:

    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

will cause the keyrings garbage collector to crash because the keyring_destroy() function sees the cached error code in the key as a pointer to its name, resulting in an oops that looks like the following. Note the value in RAX that is -ENOKEY as a 32-bit value.

    BUG: unable to handle kernel paging request at 00000000ffffff8a
    IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    PGD 0
    Oops: 0002 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 1201 Comm: kworker/0:2 Tainted: G W 4.3.0-rc2-fsdevel #456
    Hardware name: /DG965RY, BIOS MQ96510J.86A.0816.2006.0716.2308 07/16/2006
    Workqueue: events key_garbage_collector
    task: ffff88003bfc6200 ti: ffff88003e2f0000 task.ti: ffff88003e2f0000
    RIP: 0010:[<ffffffff8126e051>] [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
    RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
    RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
    R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
    R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
    FS: 0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
    Stack:
     ffff88003bf1a908 ffff88003e2f3d58 ffffffff8126c756 00000000561fc960
     7fffffffffffffff ffff88003e2f3da0 ffffffff8126ca71 ffff88003bf1a400
     ffff88003e1fd4c0 ffff88003e2f3cd0 ffffffff81a73720 ffff88003da14f80
    Call Trace:
     [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
     [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
     [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
     [<ffffffff8105fd17>] worker_thread+0x26e/0x361
     [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
     [<ffffffff810648ad>] kthread+0xf3/0xfb
     [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
     [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
     [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2

Version-Release number of selected component (if applicable):

Anything since v2.6.39-rc1.
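Added example, not part of the original report or of the kernel project's code: a small triage helper that scans an x86-64 oops for registers holding a zero-extended 32-bit negative errno (the signature the report points out in RAX) and gives the distance from that value to the faulting address in CR2. The function names and the errno table are this example's own assumptions; the sample lines are copied from the oops above.

```python
import re

# Linux (asm-generic) errno values used by the key-management code.
KEY_ERRNOS = {126: "ENOKEY", 127: "EKEYEXPIRED", 128: "EKEYREVOKED", 129: "EKEYREJECTED"}
MAX_ERRNO = 4095  # largest errno the kernel encodes in an error pointer

# General-purpose registers and CR2, printed as 16 hex digits in an x86-64 oops.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2):\s*([0-9a-f]{16})\b")

# Register lines copied from the oops in the report above.
SAMPLE_OOPS = """\
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
"""


def as_errno32(value):
    """Return the positive errno if value is a zero-extended 32-bit -errno, else None."""
    if value >> 32:                 # upper half set: a real kernel address or a 64-bit value
        return None
    errno_val = (1 << 32) - value   # undo 32-bit two's complement
    return errno_val if 1 <= errno_val <= MAX_ERRNO else None


def triage(oops_text):
    """List (register, errno, name, CR2 - register) for each errno-like register."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops_text)}
    fault = regs.pop("CR2", None)   # faulting address, if the oops printed it
    findings = []
    for name, val in regs.items():
        errno_val = as_errno32(val)
        if errno_val is None:
            continue
        offset = fault - val if fault is not None else None
        findings.append((name, errno_val, KEY_ERRNOS.get(errno_val, "errno"), offset))
    return findings


if __name__ == "__main__":
    for reg, errno_val, label, offset in triage(SAMPLE_OOPS):
        print(f"{reg} holds -{label} ({errno_val}) as a 32-bit value; CR2 is {offset} bytes past it")
```

A small positive offset between the flagged register and CR2, as here, indicates the error value was used as a base pointer for a field access.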
I've added the two patches David has authored to fix this issue to all branches in Fedora git.
These are now upstream: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce1fad2740c648a4340f6f6c391a8a83769d2e8c
Yep, the ones that David pointed to in comment #3.
kernel-4.1.12-100.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-fe9a93653f
kernel-4.1.12-101.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kernel'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.