In some cases it may happen that pmd_none_or_clear_bad() is called with the mmap_sem held in read mode. In those cases the huge page faults can allocate hugepmds under pmd_none_or_clear_bad(), and that can trigger a false positive from pmd_bad(), which will not like to see a pmd materializing as trans huge. A privileged user in the KVM guest can use this flaw to crash the host. An unprivileged local user could use this flaw to crash the system.

Proposed upstream patch: http://comments.gmane.org/gmane.linux.kernel.mm/75413
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 803809]
kernel-3.2.10-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.42.12-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1a5a9906d4e8d1976b701f889d8f35d54b928f25
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1042 https://rhn.redhat.com/errata/RHSA-2012-1042.html