Date: Fri, 2 May 2014 12:43:17 -0400 (EDT)
From: Vince Weaver
To: Peter Zijlstra
cc: Vince Weaver, Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, Steven Rostedt
Subject: Re: [perf] more perf_fuzzer memory corruption
In-Reply-To: <20140502162234.GX11096@twins.programming.kicks-ass.net>
References: <20140430184437.GH17778@laptop.programming.kicks-ass.net>
 <20140501150948.GR11096@twins.programming.kicks-ass.net>
 <20140502154217.GW11096@twins.programming.kicks-ass.net>
 <20140502162234.GX11096@twins.programming.kicks-ass.net>

On Fri, 2 May 2014, Peter Zijlstra wrote:

> In principle the vfs file refcounting should be responsible for that.
> But I'll go over it in a bit. The poll code is ancient and the C-parser
> in my head really can't handle it very well.

Anyway for completeness this is the kind of thing I'm seeing.

The poll() manpage isn't very clear about what is supposed to happen if
you poll() on a closed file descriptor.
FD#3 closed:

  perf_fuzzer-2293 [003] 286.500137: sys_enter: NR 3 (3, 7fff841b9eac, 0, 22, 7ff17078110c, 7ff170781120)

Child killed:

  perf_fuzzer-2293 [003] 286.505587: sys_exit: NR 62 = 0

Poll started, seems to have freed fd #3 as an argument:

  perf_fuzzer-2293 [003] 286.505703: sys_enter: NR 7 (7fff841b9b00, 55, 3, 40e3e3, 7ff1707810dc, 7ff170781120)

(child is still closing out at this point)

Event freed:

  <...>-2701 [004] 286.505904: bprint: _free_event: freeing with 0 refs; ptr=0x0xffff8800ce88e000

fd#3 is still being polled despite the event being completely gone now:

  perf_fuzzer-2293 [003] 286.508846: bprint: do_sys_poll: VMW: poll 3
  perf_fuzzer-2293 [003] 286.508847: function: perf_poll
  perf_fuzzer-2293 [003] 286.508848: bprint: do_sys_poll: VMW: poll 3
  perf_fuzzer-2293 [003] 286.508849: function: perf_poll
  perf_fuzzer-2293 [003] 286.508850: bprint: do_sys_poll: VMW: poll 3
  perf_fuzzer-2293 [003] 286.508850: function: perf_poll
  perf_fuzzer-2293 [003] 286.508851: bprint: do_sys_poll: VMW: poll 12

Finally done polling:

  perf_fuzzer-2293 [003] 286.509002: sys_exit: NR 7 = 0
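As an added illustration of the poll() semantics the message asks about (example code, not part of the original mail or of the perf code): on Linux, poll() on a descriptor that was already closed before the call does not fail with EBADF; it returns 1 and flags that entry with POLLNVAL in revents, whereas an open but idle descriptor makes poll() wait out its timeout and return 0. It covers only the single-threaded case, not a close() racing with a poll() that is already in progress as in the trace above.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Close a pipe's read end, then poll() it for POLLIN.
 * Returns the revents poll() reported for that entry (expected POLLNVAL),
 * or -1 if pipe() failed or poll() did not report exactly one entry. */
int revents_for_closed_fd(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    close(pfd[1]);
    close(pfd[0]);                      /* pfd[0] is now a dead descriptor */

    struct pollfd p = { .fd = pfd[0], .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, 100);          /* 100 ms budget, returns immediately */
    if (rc != 1)
        return -1;                      /* Linux counts the POLLNVAL entry */
    return p.revents;
}

/* Same call on a still-open, idle read end: nothing is readable and the
 * write end is still open, so poll() waits the whole timeout and returns 0. */
int poll_rc_for_open_idle_fd(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    struct pollfd p = { .fd = pfd[0], .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, 50);           /* 50 ms timeout expires */
    close(pfd[0]);
    close(pfd[1]);
    return rc;
}

int main(void)
{
    printf("closed fd: revents=0x%x (POLLNVAL=0x%x)\n",
           revents_for_closed_fd(), POLLNVAL);
    printf("open idle fd: poll() returned %d\n", poll_rc_for_open_idle_fd());
    return 0;
}
```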