Nikolay Borisov <n.borisov.lkml@xxxxxxxxx> writes: > So this thing resurfaced again and I took a hard look into the code but > couldn't find anything suspicious. So the allocating and freeing > contexts leads me to believe it's the 'tbl' pointer that is being > corrupted. The only thing which I do with it is to increase it by two. > > Perhaps some liveness issues. To me it feels like a double free somewhere. Like we call dec_ucount and thus put_ucount multiple times in a way that goes to 0. Perhaps there is a peculiarity in the existing code which allows the count to go to zero which we don't notice because we don't free anything when the count goes to zero today. Perhaps there is some subtle semantic mismatch between your conversion and the inotify code. I don't know if you made a subtle misreading of the code, or if there is an existing bug that your changes took from harmless to problematic, but the evidence is overwhelming that something is going wrong and it is your patch that brings it out. If it helps the openvz folks apparently reproduced this with the criu regression tests and the appropriate kernel debug options, and confirmed the failure was your patch. The current state of play is that I would love to merge this if we can track down this issue. I dropped this from my tree before I sent my pull request to Linus so there is no emergency to get this fixed. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
