On 13.12.2016 20:51, Eric W. Biederman wrote: > Nikolay Borisov <n.borisov.lkml@xxxxxxxxx> writes: > >> So this thing resurfaced again and I took a hard look into the code but >> couldn't find anything suspicious. So the allocating and freeing >> contexts leads me to believe it's the 'tbl' pointer that is being >> corrupted. The only thing which I do with it is to increase it by two. >> >> Perhaps some liveness issues. > > To me it feels like a double free somewhere. Like we call dec_ucount > and thus put_ucount multiple times in a way that goes to 0. > > Perhaps there is a peculiarity in the existing code which allows the > count to go to zero which we don't notice because we don't free anything > when the count goes to zero today. > > Perhaps there is some subtle semantic mismatch between your conversion > and the inotify code. > > I don't know if you made a subtle misreading of the code, or if > there is an existing bug that your changes took from harmless to > problematic, but the evidence is overwhelming that something > is going wrong and it is your patch that brings it out. > > If it helps the openvz folks apparently reproduced this with the criu > regression tests and the appropriate kernel debug options, and confirmed > the failure was your patch. Great but I think I missed this conversation, care to send relevant threads? I'd like to get to the bottom of this and have it merged? @openvz guys - if you care to shout with more details I'd love to work on getting this fixed! > > The current state of play is that I would love to merge this if we can > track down this issue. I dropped this from my tree before I sent my pull > request to Linus so there is no emergency to get this fixed. > > Eric > > _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
