[LKP] [inotify] 464e1236c3: BUG kmalloc-512 (Not tainted): Freepointer corrupt

Greetings, 0day kernel testing robot got the below dmesg and the first bad commit is https://github.com/0day-ci/linux Nikolay-Borisov/inotify-Convert-to-using-per-namespace-limits/20161011-153830 commit 464e1236c367919e405c8d248d6a4118fdc4a2c1 Author: Nikolay Borisov <kernel(a)kyup.com&gt; AuthorDate: Tue Oct 11 10:36:22 2016 +0300 Commit: 0day robot <fengguang.wu(a)intel.com&gt; CommitDate: Tue Oct 11 15:38:34 2016 +0800 inotify: Convert to using per-namespace limits This patchset converts inotify to using the newly introduced per-userns sysctl infrastructure. Currently the inotify instances/watches are being accounted in the user_struct structure. This means that in setups where multiple users in unprivileged containers map to the same underlying real user (i.e. pointing to the same user_struct) the inotify limits are going to be shared as well, allowing one user(or application) to exhaust all others limits. Fix this by switching the inotify sysctls to using the per-namespace/per-user limits. This will allow the server admin to set sensible global limits, which can further be tuned inside every individual user namespace. Additionally, in order to preserve the sysctl ABI make the existing inotify instances/watches sysctls modify the values of the initial user namespace. Signed-off-by: Nikolay Borisov <kernel(a)kyup.com&gt; +-------------------------------------------------------+------------+------------+-----------------+ | | 101105b171 | 464e1236c3 | v4.9-rc1_101908 | +-------------------------------------------------------+------------+------------+-----------------+ | boot_successes | 902 | 278 | 10 | | boot_failures | 12 | 36 | 3 | | BUG:kernel_hang_in_early-boot_stage | 8 | | | | BUG:kernel_hang_in_boot_stage | 1 | | | | invoked_oom-killer:gfp_mask=0x | 3 | 1 | | | Mem-Info | 3 | 1 | | | BUG_kmalloc-#(Not_tainted):Freepointer_corrupt | 0 | 35 | 3 | | INFO:Allocated_in_setup_userns_sysctls_age=#cpu=#pid= | 0 | 35 | 3 | | INFO:Freed_in_skb_free_head_age=#cpu=#pid= | 0 | 27 | 1 | | INFO:Slab#objects=#used=#fp=#flags= | 0 | 35 | 3 | | INFO:Object#@offset=#fp= | 0 | 35 | 3 | | calltrace:free_user_ns | 0 | 35 | 3 | | INFO:Freed_in_load_elf_binary_age=#cpu=#pid= | 0 | 5 | 2 | | INFO:Freed_in_tty_port_destructor_age=#cpu=#pid= | 0 | 2 | | | BUG_kmalloc-#(Tainted:G_B):Freepointer_corrupt | 0 | 1 | | | INFO:Freed_in_free_uts_ns_age=#cpu=#pid= | 0 | 1 | | | INFO:Freed_in__d_free_external_age=#cpu=#pid= | 0 | 1 | | +-------------------------------------------------------+------------+------------+-----------------+ [ 17.656806] [ 17.661542] random: trinity-main: uninitialized urandom read (4 bytes read) [ 17.665272] ============================================================================= [ 17.665275] BUG kmalloc-512 (Not tainted): Freepointer corrupt [ 17.665276] ----------------------------------------------------------------------------- [ 17.665276] [ 17.665277] Disabling lock debugging due to kernel taint [ 17.665283] INFO: Allocated in setup_userns_sysctls+0x44/0xab age=6 cpu=0 pid=2335 [ 17.665309] INFO: Freed in skb_free_head+0x25/0x27 age=2295 cpu=0 pid=174 [ 17.665337] INFO: Slab 0xffffea0000572000 objects=19 used=2 fp=0xffff880015c831b8 flags=0x4000000000004080 [ 17.665338] INFO: Object 0xffff880015c83858 @offset=14424 fp=0xffff880016b3c1d0 [ 17.665338] [ 17.665340] Redzone ffff880015c83850: cc cc cc cc cc cc cc cc ........ [ 17.665342] Object ffff880015c83858: e6 e8 8a a3 ff ff ff ff b0 c1 b3 16 00 88 ff ff ................ [ 17.665343] Object ffff880015c83868: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665344] Object ffff880015c83878: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665345] Object ffff880015c83888: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665347] Object ffff880015c83898: fa e8 8a a3 ff ff ff ff b4 c1 b3 16 00 88 ff ff ................ [ 17.665348] Object ffff880015c838a8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665349] Object ffff880015c838b8: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665350] Object ffff880015c838c8: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665351] Object ffff880015c838d8: 0d e9 8a a3 ff ff ff ff b8 c1 b3 16 00 88 ff ff ................ [ 17.665352] Object ffff880015c838e8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665354] Object ffff880015c838f8: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665355] Object ffff880015c83908: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665356] Object ffff880015c83918: 20 e9 8a a3 ff ff ff ff bc c1 b3 16 00 88 ff ff ............... [ 17.665357] Object ffff880015c83928: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665358] Object ffff880015c83938: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665359] Object ffff880015c83948: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665360] Object ffff880015c83958: 33 e9 8a a3 ff ff ff ff c0 c1 b3 16 00 88 ff ff 3............... [ 17.665361] Object ffff880015c83968: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665363] Object ffff880015c83978: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665364] Object ffff880015c83988: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665365] Object ffff880015c83998: 46 e9 8a a3 ff ff ff ff c4 c1 b3 16 00 88 ff ff F............... [ 17.665366] Object ffff880015c839a8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665367] Object ffff880015c839b8: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665368] Object ffff880015c839c8: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665369] Object ffff880015c839d8: 59 e9 8a a3 ff ff ff ff c8 c1 b3 16 00 88 ff ff Y............... [ 17.665371] Object ffff880015c839e8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665372] Object ffff880015c839f8: 70 95 c6 a2 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 17.665373] Object ffff880015c83a08: 20 e5 ce a3 ff ff ff ff 20 6c a4 a3 ff ff ff ff ....... l...... [ 17.665374] Object ffff880015c83a18: 00 00 00 00 00 00 00 00 cc c1 b3 16 00 88 ff ff ................ [ 17.665376] Object ffff880015c83a28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665377] Object ffff880015c83a38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665378] Object ffff880015c83a48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 17.665379] Redzone ffff880015c83a58: cc cc cc cc cc cc cc cc ........ [ 17.665380] Padding ffff880015c83b98: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ [ 17.665383] CPU: 0 PID: 16 Comm: kworker/0:1 Tainted: G B 4.8.0-11826-g464e123 #1 [ 17.665384] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 [ 17.665388] Workqueue: events free_user_ns [ 17.665392] ffff88001cf13bf8 ffffffffa2f568f0 ffff88001cf13c28 ffffffffa2d47c13 [ 17.665394] ffff88001d402cc0 ffffea0000572000 ffff880015c83858 00000000000000cc [ 17.665397] ffff88001cf13c50 ffffffffa2d485fb ffff88001d402cc0 ffff880015c83858 [ 17.665397] Call Trace: [ 17.665402] [<ffffffffa2f568f0>] dump_stack+0x19/0x1b [ 17.665404] [<ffffffffa2d47c13>] print_trailer+0x155/0x15e [ 17.665406] [<ffffffffa2d485fb>] object_err+0x34/0x3b [ 17.665408] [<ffffffffa2d487db>] check_object+0x1d9/0x1fe [ 17.665410] [<ffffffffa2d49c3e>] free_debug_processing+0x81/0x26e [ 17.665413] [<ffffffffa2c80f8e>] ? retire_userns_sysctls+0x33/0x38 [ 17.665415] [<ffffffffa2d49eae>] __slab_free+0x83/0x3d1 [ 17.665419] [<ffffffffa2c9d3f6>] ? __call_rcu+0x83/0x95 [ 17.665421] [<ffffffffa2c80f8e>] ? retire_userns_sysctls+0x33/0x38 [ 17.665423] [<ffffffffa2d4a7f4>] kfree+0x198/0x1d7 [ 17.665425] [<ffffffffa2d4a7f4>] ? kfree+0x198/0x1d7 [ 17.665427] [<ffffffffa2c80f8e>] ? retire_userns_sysctls+0x33/0x38 [ 17.665430] [<ffffffffa2c80f8e>] retire_userns_sysctls+0x33/0x38 [ 17.665432] [<ffffffffa2cc4097>] free_user_ns+0x2b/0x6f [ 17.665435] [<ffffffffa2c78e8e>] process_one_work+0x1e7/0x357 [ 17.665437] [<ffffffffa2c79340>] worker_thread+0x30f/0x400 [ 17.665440] [<ffffffffa2c79031>] ? process_scheduled_works+0x33/0x33 [ 17.665441] [<ffffffffa2c7dd7b>] kthread+0xb0/0xb8 [ 17.665443] [<ffffffffa2c7dccb>] ? init_completion+0x24/0x24 [ 17.665446] [<ffffffffa34ecb6a>] ret_from_fork+0x2a/0x40 [ 17.665448] FIX kmalloc-512: Object at 0xffff880015c83858 not freed [ 18.070125] random: trinity-main: uninitialized urandom read (4 bytes read) [ 18.075211] VFS: Warning: trinity-c0 using old stat() call. Recompile your binary. git bisect start 13d297eb4a24c0a80ad3f4ede0e5009f2abb5508 1001354ca34179f3db924eb66672442a173147dc -- git bisect good 22d177833d42752cfe77cfcb7a04f22edbbf7108 # 17:18 310+ 2 Merge 'linux-review/Ralf-Ramsauer/spi-mark-device-nodes-only-in-case-of-successful-instantiation/20161017-220426' into devel-hourly-2016101908 git bisect good 40d24903b8b5e5d8ad5ce6f3fc7a377fa7dce7bf # 17:31 306+ 1 Merge 'rui/master' into devel-hourly-2016101908 git bisect bad caf7a2c976e467e855328d306d03247ba9325fda # 17:32 0- 2 Merge 'linux-review/Wanpeng-Li/sched-core-Fix-kick-offline-cpu-to-do-nohz-idle-load-balance/20161010-121307' into devel-hourly-2016101908 git bisect good 856a57487e0acfa98ea801b78f5bee433944149f # 18:42 302+ 12 Merge 'linux-review/Krister-Johansen/perf-script-fix-a-use-after-free-crash/20161011-173355' into devel-hourly-2016101908 git bisect bad 237485aa62396fcf3dfbf8102c83282295058a30 # 18:52 4- 1 Merge 'linux-review/Hoan-Tran/i2c-xgene-Avoid-dma_buffer-overrun/20161011-011627' into devel-hourly-2016101908 git bisect bad a59ebce20a1cfc53863c4ed4b78a394d51008f37 # 19:17 7- 1 Merge 'ecryptfs/next' into devel-hourly-2016101908 git bisect bad 158a8e091b5b83c53807d1b4196be6aa923bc54f # 19:42 33- 1 Merge 'linux-review/Nikolay-Borisov/inotify-Convert-to-using-per-namespace-limits/20161011-153830' into devel-hourly-2016101908 git bisect good 8dc833a8359d67c1f0f92039814ae77d1b645891 # 20:30 302+ 10 Merge 'linux-review/Arnd-Bergmann/scsi-NCR5380-no-longer-mark-irq-probing-as-__init/20161011-172833' into devel-hourly-2016101908 git bisect good 2313cb5f95606cb8a60a0ebd48113d583457e370 # 21:05 307+ 0 Merge 'linux-review/Pavel-Machek/ktest-pl-fix-english/20161011-153324' into devel-hourly-2016101908 git bisect bad 464e1236c367919e405c8d248d6a4118fdc4a2c1 # 21:29 4- 2 inotify: Convert to using per-namespace limits # first bad commit: [464e1236c367919e405c8d248d6a4118fdc4a2c1] inotify: Convert to using per-namespace limits git bisect good 101105b1717f536ca741f940033996302d4ef191 # 23:12 900+ 12 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs # extra tests with CONFIG_DEBUG_INFO_REDUCED git bisect bad 464e1236c367919e405c8d248d6a4118fdc4a2c1 # 23:21 11- 2 inotify: Convert to using per-namespace limits # extra tests on HEAD of linux-devel/devel-hourly-2016101908 git bisect bad 13d297eb4a24c0a80ad3f4ede0e5009f2abb5508 # 23:22 0- 3 0day head guard for 'devel-hourly-2016101908' # extra tests on tree/branch linux-review/Nikolay-Borisov/inotify-Convert-to-using-per-namespace-limits/20161011-153830 git bisect bad 464e1236c367919e405c8d248d6a4118fdc4a2c1 # 23:23 0- 36 inotify: Convert to using per-namespace limits # extra tests with first bad commit reverted git bisect good 5d3659a1575acd29d4ef590579a4468bb92ca6d1 # 07:21 900+ 11 Revert "inotify: Convert to using per-namespace limits" # extra tests on tree/branch linus/master git bisect good c3f8f7fa8b19e274e7eb99dee428ad3a9b2ad8eb # 09:11 902+ 7 Merge tag 'platform-drivers-x86-v4.9-2' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86 # extra tests on tree/branch linux-next/master git bisect good ff9a1f89bf4512a0b628792c096aea0eced8b83c # 10:43 903+ 1 Add linux-next specific files for 20161019 --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/lkp Intel Corporation