Re: [inotify] fee1df54b6: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
From: Nikolay Borisov
Date: Tue Dec 13 2016 - 14:35:25 EST
On 13.12.2016 20:51, Eric W. Biederman wrote:
> Nikolay Borisov <n.borisov.lkml@xxxxxxxxx> writes:
>
>> So this thing resurfaced again and I took a hard look into the code but
>> couldn't find anything suspicious. So the allocating and freeing
>> contexts leads me to believe it's the 'tbl' pointer that is being
>> corrupted. The only thing which I do with it is to increase it by two.
>>
>> Perhaps some liveness issues.
>
> To me it feels like a double free somewhere. Like we call dec_ucount
> and thus put_ucount multiple times in a way that goes to 0.
>
> Perhaps there is a peculiarity in the existing code which allows the
> count to go to zero which we don't notice because we don't free anything
> when the count goes to zero today.
>
> Perhaps there is some subtle semantic mismatch between your conversion
> and the inotify code.
>
> I don't know if you made a subtle misreading of the code, or if
> there is an existing bug that your changes took from harmless to
> problematic, but the evidence is overwhelming that something
> is going wrong and it is your patch that brings it out.
>
> If it helps the openvz folks apparently reproduced this with the criu
> regression tests and the appropriate kernel debug options, and confirmed
> the failure was your patch.
Great but I think I missed this conversation, care to send relevant
threads? I'd like to get to the bottom of this and have it merged?
@openvz guys - if you care to shout with more details I'd love to work
on getting this fixed!
>
> The current state of play is that I would love to merge this if we can
> track down this issue. I dropped this from my tree before I sent my pull
> request to Linus so there is no emergency to get this fixed.
>
> Eric
>
>