From: ebiederm@xmission.com (Eric W. Biederman)
To: Nikolay Borisov
Cc: Jan Kara, containers@lists.linux-foundation.org, LKML, Serge Hallyn
Date: Wed, 14 Dec 2016 07:51:39 +1300
In-Reply-To: (Nikolay Borisov's message of "Tue, 13 Dec 2016 18:56:25 +0200")
References: <87inqo4ip1.fsf@yhuang-dev.intel.com>
Message-ID: <87oa0fpsqs.fsf@xmission.com>
Subject: Re: [inotify] fee1df54b6: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Nikolay Borisov writes:

> So this thing resurfaced again and I took a hard look into the code but
> couldn't find anything suspicious. So the allocating and freeing
> contexts lead me to believe it's the 'tbl' pointer that is being
> corrupted. The only thing which I do with it is to increase it by two.
>
> Perhaps some liveness issues.

To me it feels like a double free somewhere. Like we call dec_ucount and
thus put_ucount multiple times in a way that goes to 0.

Perhaps there is a peculiarity in the existing code which allows the
count to go to zero which we don't notice because we don't free anything
when the count goes to zero today.
Perhaps there is some subtle semantic mismatch between your conversion
and the inotify code.

I don't know if you made a subtle misreading of the code, or if there is
an existing bug that your changes took from harmless to problematic, but
the evidence is overwhelming that something is going wrong and it is
your patch that brings it out.

If it helps, the openvz folks apparently reproduced this with the criu
regression tests and the appropriate kernel debug options, and confirmed
the failure was your patch.

The current state of play is that I would love to merge this if we can
track down this issue. I dropped this from my tree before I sent my pull
request to Linus so there is no emergency to get this fixed.

Eric
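The failure mode Eric describes above (a refcount driven to zero by one put too many, so the object is freed while a caller still holds it) is exactly the kind of bug that shows up as the "Freepointer corrupt" BUG in the subject line: SLUB stores the next-free pointer inside the freed object, so a stale decrement of the refcount lands on that pointer and the slab debug check rejects it. The following is an added, self-contained illustration written for this page, not kernel code and not the ucount/inotify patch under discussion. The slab is a toy (toy_slab, toy_obj, unchecked_put and the two scenario functions are invented names), but it keeps the inline-freelist layout and the validity rule (pointer inside the slab, on an object boundary) that make the symptom observable.

```c
/*
 * Added example (not kernel code): a toy slab with inline free-list pointers
 * and a refcounted object whose count is the first word of the slot.  One put
 * too many frees the slot; the next decrement corrupts the free pointer that
 * now lives where the refcount used to be.  All names here are invented.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 4

struct toy_obj {
    intptr_t count;     /* refcount; reused as next-free pointer once freed */
    intptr_t payload;
};

struct toy_slab {
    struct toy_obj slots[NSLOTS];   /* backing storage for the objects */
    void *freelist;                 /* head of the free list */
};

static void slab_init(struct toy_slab *s)
{
    s->freelist = NULL;
    for (int i = NSLOTS - 1; i >= 0; i--) {
        void *slot = &s->slots[i];
        memcpy(slot, &s->freelist, sizeof(void *));  /* inline next pointer */
        s->freelist = slot;
    }
}

/* Validity rule for a stored free pointer: inside the slab and on an object
 * boundary.  NULL simply terminates the list. */
static int valid_free_ptr(const struct toy_slab *s, const void *p)
{
    const unsigned char *base = (const unsigned char *)s->slots;
    const unsigned char *q = p;
    if (q < base || q >= base + sizeof(s->slots))
        return 0;
    return (size_t)(q - base) % sizeof(struct toy_obj) == 0;
}

static struct toy_obj *slab_alloc(struct toy_slab *s)
{
    void *slot = s->freelist;
    if (slot)
        memcpy(&s->freelist, slot, sizeof(void *));  /* pop the head */
    return slot;
}

static void slab_free(struct toy_slab *s, struct toy_obj *o)
{
    memcpy(o, &s->freelist, sizeof(void *));  /* overwrites the old refcount */
    s->freelist = o;
}

/* Walk the free list the way a slab debug check does.  Returns the number
 * of free slots, or -1 as soon as a stored pointer is invalid. */
static int slab_check_freelist(const struct toy_slab *s)
{
    int n = 0;
    const void *p = s->freelist;
    while (p) {
        if (!valid_free_ptr(s, p))
            return -1;                      /* "Freepointer corrupt" */
        memcpy(&p, p, sizeof(void *));
        n++;
    }
    return n;
}

/* Plain put: frees at zero and cannot tell that the object is already gone. */
static void unchecked_put(struct toy_slab *s, struct toy_obj *o)
{
    if (--o->count == 0)
        slab_free(s, o);
}

/* Balanced get/put: the slot comes back cleanly, the list is intact. */
int scenario_balanced(void)
{
    struct toy_slab s;
    slab_init(&s);
    struct toy_obj *o = slab_alloc(&s);
    o->count = 1;
    o->count++;                        /* get */
    unchecked_put(&s, o);              /* put -> 1 */
    unchecked_put(&s, o);              /* put -> 0, slot freed */
    return slab_check_freelist(&s);    /* NSLOTS */
}

/* One put too many: the extra decrement hits the inline free pointer stored
 * over the refcount, leaving a misaligned link in the list. */
int scenario_double_put(void)
{
    struct toy_slab s;
    slab_init(&s);
    struct toy_obj *o = slab_alloc(&s);
    o->count = 1;
    unchecked_put(&s, o);              /* -> 0, slot freed */
    unchecked_put(&s, o);              /* stale put corrupts the free pointer */
    return slab_check_freelist(&s);    /* -1 */
}

int main(void)
{
    printf("balanced:   %d free slots\n", scenario_balanced());
    printf("double put: %d (free pointer corrupt)\n", scenario_double_put());
    return 0;
}
```

The point of the two scenarios is Eric's second remark: with the old code nothing was freed when the count reached zero, so an over-decrement was invisible; once a put at zero actually releases the object, the same imbalance becomes a write into freed slab memory, and the debug free-pointer check is what turns it into a report. Building with the kernel's slab debugging enabled (as the openvz reproduction did) is therefore the right way to make an extra dec_ucount/put_ucount visible rather than latent.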