linux-kernel.vger.kernel.org archive mirror
From: ebiederm@xmission.com (Eric W. Biederman)
To: Nikolay Borisov <n.borisov.lkml@gmail.com>
Cc: Jan Kara <jack@suse.cz>,
	containers@lists.linux-foundation.org,
	LKML <linux-kernel@vger.kernel.org>,
	Serge Hallyn <serge@hallyn.com>
Subject: Re: [inotify] fee1df54b6: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
Date: Wed, 14 Dec 2016 07:51:39 +1300
Message-ID: <87oa0fpsqs.fsf@xmission.com>
In-Reply-To: <db529280-24ec-9957-93bc-b42998e1d692@gmail.com> (Nikolay Borisov's message of "Tue, 13 Dec 2016 18:56:25 +0200")

Nikolay Borisov <n.borisov.lkml@gmail.com> writes:

> So this thing resurfaced again and I took a hard look into the code but
> couldn't find anything suspicious. So the allocating and freeing
> contexts lead me to believe it's the 'tbl' pointer that is being
> corrupted. The only thing which I do with it is to increase it by two.
>
> Perhaps some liveness issues.

To me it feels like a double free somewhere.  Like we call dec_ucount
and thus put_ucount multiple times in a way that goes to 0.

Perhaps there is a peculiarity in the existing code which allows the
count to go to zero which we don't notice because we don't free anything
when the count goes to zero today.

Perhaps there is some subtle semantic mismatch between your conversion
and the inotify code.

I don't know if you made a subtle misreading of the code, or if
there is an existing bug that your changes took from harmless to
problematic, but the evidence is overwhelming that something
is going wrong and it is your patch that brings it out.

If it helps, the openvz folks apparently reproduced this with the criu
regression tests and the appropriate kernel debug options, and confirmed
the failure was your patch.

The current state of play is that I would love to merge this if we can
track down this issue.  I dropped this from my tree before I sent my pull
request to Linus so there is no emergency to get this fixed.

Eric
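The failure mode Eric speculates about above, as an added illustration that is not part of the thread and not the kernel's ucount code: a per-user count that is decremented once too often is harmless while nothing happens at zero (the count just goes negative and nobody looks), becomes a premature release once a conversion starts freeing the owner when the count hits zero, and is caught outright by a debug-style underflow check on the original scheme. All names (`ucount_model`, `put_model`, `run_sequence`, the three variants) are hypothetical; the counts are constructed.

```c
/* Added example, not from the thread and not kernel code.  Models three
 * variants of "put" on a hypothetical per-user counter so that one extra put
 * can be compared across them.  All identifiers are invented for this model. */
#include <stdbool.h>
#include <stdio.h>

enum put_variant {
    PUT_UNCHECKED,   /* original scheme: decrement, nothing happens at zero   */
    PUT_FREEING,     /* converted scheme: owner is released when it hits zero */
    PUT_CHECKED      /* original scheme plus an underflow check (debug aid)   */
};

struct ucount_model {
    int count;       /* live instances charged to this user (constructed)     */
    bool freed;      /* owner object has been released                        */
    int uaf_touches; /* puts that arrived after the release (would be a UAF)  */
    bool underflow;  /* a put was attempted while the count was already zero  */
};

static void put_model(struct ucount_model *u, enum put_variant v)
{
    switch (v) {
    case PUT_UNCHECKED:
        u->count--;                 /* silently goes negative; nobody checks  */
        break;
    case PUT_FREEING:
        if (u->freed) {             /* real code would write into freed memory */
            u->uaf_touches++;
            break;
        }
        if (--u->count == 0)
            u->freed = true;        /* last reference gone: release the owner  */
        break;
    case PUT_CHECKED:
        if (u->count <= 0) {        /* a kernel debug build would WARN here    */
            u->underflow = true;
            break;
        }
        u->count--;
        break;
    }
}

/* Charge `gets` instances, then apply `puts` puts; returns the final state. */
static struct ucount_model run_sequence(enum put_variant v, int gets, int puts)
{
    struct ucount_model u = { .count = gets };
    for (int i = 0; i < puts; i++)
        put_model(&u, v);
    return u;
}

int main(void)
{
    static const char *names[] = { "unchecked", "freeing", "checked" };
    /* Two live instances, three puts: one put too many. */
    for (int v = PUT_UNCHECKED; v <= PUT_CHECKED; v++) {
        struct ucount_model u = run_sequence((enum put_variant)v, 2, 3);
        printf("%-9s count=%d freed=%d uaf_touches=%d underflow=%d\n",
               names[v], u.count, u.freed, u.uaf_touches, u.underflow);
    }
    return 0;
}
```

With two charged instances and three puts, the unchecked variant ends at a count of -1 with no visible symptom, the freeing variant releases the owner on the second put and the third put lands on a released object (the use-after-free that shows up as a corrupted freelist pointer in a slab debug build), and the checked variant refuses the third put and flags the underflow. Adding such a check to the pre-conversion code is one way to find out whether the extra put already existed before the patch.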


Thread overview: 4+ messages
     [not found] <87inqo4ip1.fsf@yhuang-dev.intel.com>
2016-12-13 16:56 ` [inotify] fee1df54b6: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt Nikolay Borisov
2016-12-13 18:51   ` Eric W. Biederman [this message]
2016-12-13 19:34     ` Nikolay Borisov
2016-12-13 22:18       ` Andrey Vagin
