On Thu, Dec 19, 2013 at 01:29:21PM -0500, Benjamin LaHaise wrote:
> > > and some kind of double free in an error path would certainly explain
> > > this (with io_setup() . And the first oops reported obviously had that
> > > migration thing. So maybe those "fixes" weren't fixing things at all
> > > (or just moved the error case around).
> > >
> > > Btw, that "rework aio migrate pages to use aio fs" looks odd. It has
> > > Ben LaHaise marked as author, but no sign-off, instead "Tested-by" and
> > > "Acked-by".
> >
> > I could certainly believe a double free, but rereading the current code
> > I can't find anything, and I just manually tested all the relevant error
> > paths in ioctx_alloc() and aio_setup_ring() without finding anything.
>
> The same here. It would be very helpful to know what syscalls trinity is
> issuing in the lead up to the bug.

Working on narrowing it down. The io_setup fuzzer is actually incredibly dumb,
and 99.9% of the time will just EFAULT or EINVAL. I'll see if I can smarten it
up to succeed more often, in the hope that it can reproduce this faster, because
right now it looks like it needs the planets to line up just right to hit the
bug (even though I've hit it twice in the last 24 hrs).

	Dave