Re: [inotify] fee1df54b6: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt

From: Eric W. Biederman
Date: Tue Dec 13 2016 - 13:54:48 EST


Nikolay Borisov <n.borisov.lkml@xxxxxxxxx> writes:

> So this thing resurfaced again and I took a hard look into the code but
> couldn't find anything suspicious. So the allocating and freeing
> contexts leads me to believe it's the 'tbl' pointer that is being
> corrupted. The only thing which I do with it is to increase it by two.
>
> Perhaps some liveness issues.

To me it feels like a double free somewhere. Like we call dec_ucount
and thus put_ucount multiple times in a way that goes to 0.

Perhaps there is a peculiarity in the existing code which allows the
count to go to zero which we don't notice because we don't free anything
when the count goes to zero today.

Perhaps there is some subtle semantic mismatch between your conversion
and the inotify code.

I don't know if you made a subtle misreading of the code, or if
there is an existing bug that your changes took from harmless to
problematic, but the evidence is overwhelming that something
is going wrong and it is your patch that brings it out.

If it helps the openvz folks apparently reproduced this with the criu
regression tests and the appropriate kernel debug options, and confirmed
the failure was your patch.

The current state of play is that I would love to merge this if we can
track down this issue. I dropped this from my tree before I sent my pull
request to Linus so there is no emergency to get this fixed.

Eric