Re: use after free in sysfs_find_dirent

2013-03-20 Thread Greg Kroah-Hartman
On Wed, Mar 20, 2013 at 10:34:40AM -0400, Sasha Levin wrote: > On 03/19/2013 09:02 PM, Ming Lei wrote: > > Hi Sasha, > > > > On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin > > wrote: > >> On 03/19/2013 07:54 AM, Ming Lei wrote: > >> > >> With v3 of the patch: > >> > >> [ 1275.665758]

Re: use after free in sysfs_find_dirent

2013-03-20 Thread Sasha Levin
On 03/19/2013 09:02 PM, Ming Lei wrote: > Hi Sasha, > > On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin wrote: >> On 03/19/2013 07:54 AM, Ming Lei wrote: >> >> With v3 of the patch: >> >> [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: >> tun(tun)-uevent, 2-1472641949 > > Thanks

Re: use after free in sysfs_find_dirent

2013-03-20 Thread Sasha Levin
On 03/19/2013 09:02 PM, Ming Lei wrote: Hi Sasha, On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin levinsasha...@gmail.com wrote: On 03/19/2013 07:54 AM, Ming Lei wrote: With v3 of the patch: [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: tun(tun)-uevent, 2-1472641949

Re: use after free in sysfs_find_dirent

2013-03-20 Thread Greg Kroah-Hartman
On Wed, Mar 20, 2013 at 10:34:40AM -0400, Sasha Levin wrote: On 03/19/2013 09:02 PM, Ming Lei wrote: Hi Sasha, On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin levinsasha...@gmail.com wrote: On 03/19/2013 07:54 AM, Ming Lei wrote: With v3 of the patch: [ 1275.665758]

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Ming Lei
Hi Sasha, On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin wrote: > On 03/19/2013 07:54 AM, Ming Lei wrote: > > With v3 of the patch: > > [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: > tun(tun)-uevent, 2-1472641949 Thanks again for your test. Looks it is caused by another bug in

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Sasha Levin
On 03/19/2013 07:54 AM, Ming Lei wrote: > Hi Sasha, > > On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei wrote: >> Hi Sasha, >> >> On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin >> wrote: >>> [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: >>> vx855(vx855)-bind, 0-25520352 >> >> Looks

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Ming Lei
Hi Sasha, On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei wrote: > Hi Sasha, > > On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin wrote: >> [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: >> vx855(vx855)-bind, 0-25520352 > > Looks filp->f_pos is changed as zero by llseek(), so may leave

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Ming Lei
Hi Sasha, On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei tom.leim...@gmail.com wrote: Hi Sasha, On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin levinsasha...@gmail.com wrote: [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: vx855(vx855)-bind, 0-25520352 Looks filp->f_pos is changed

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Sasha Levin
On 03/19/2013 07:54 AM, Ming Lei wrote: Hi Sasha, On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei tom.leim...@gmail.com wrote: Hi Sasha, On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin levinsasha...@gmail.com wrote: [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free:

Re: use after free in sysfs_find_dirent

2013-03-19 Thread Ming Lei
Hi Sasha, On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin levinsasha...@gmail.com wrote: On 03/19/2013 07:54 AM, Ming Lei wrote: With v3 of the patch: [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: tun(tun)-uevent, 2-1472641949 Thanks again for your test. Looks it is caused

Re: use after free in sysfs_find_dirent

2013-03-18 Thread Ming Lei
Hi Sasha, On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin wrote: > [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: > vx855(vx855)-bind, 0-25520352 Looks filp->f_pos is changed as zero by llseek(), so may leave filp->private_data point to one refcount-balanced sysfs_dirent object,

Re: use after free in sysfs_find_dirent

2013-03-18 Thread Sasha Levin
On 03/17/2013 12:23 PM, Ming Lei wrote: > On Sun, Mar 17, 2013 at 10:24 PM, Sasha Levin wrote: >> >> I still see it going on with the patch applied: > > Looks the previous patch still has the race problem, so could you just > apply the attachment patch and cancel all previous patches for the >

Re: use after free in sysfs_find_dirent

2013-03-18 Thread Sasha Levin
On 03/17/2013 12:23 PM, Ming Lei wrote: On Sun, Mar 17, 2013 at 10:24 PM, Sasha Levin levinsasha...@gmail.com wrote: I still see it going on with the patch applied: Looks the previous patch still has the race problem, so could you just apply the attachment patch and cancel all previous

Re: use after free in sysfs_find_dirent

2013-03-18 Thread Ming Lei
Hi Sasha, On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin levinsasha...@gmail.com wrote: [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: vx855(vx855)-bind, 0-25520352 Looks filp->f_pos is changed as zero by llseek(), so may leave filp->private_data point to one refcount-balanced

Re: use after free in sysfs_find_dirent

2013-03-17 Thread Ming Lei
On Sun, Mar 17, 2013 at 10:24 PM, Sasha Levin wrote: > > I still see it going on with the patch applied: Looks the previous patch still has the race problem, so could you just apply the attachment patch and cancel all previous patches for the test? If there is still the problem, please post out

Re: use after free in sysfs_find_dirent

2013-03-17 Thread Sasha Levin
On 03/16/2013 09:02 PM, Ming Lei wrote: > On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin wrote: >> >> I don't think it shows what we want it to show though: >> >> [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: GW >> 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301 >>

Re: use after free in sysfs_find_dirent

2013-03-17 Thread Sasha Levin
On 03/16/2013 09:02 PM, Ming Lei wrote: On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin levinsasha...@gmail.com wrote: I don't think it shows what we want it to show though: [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: GW

Re: use after free in sysfs_find_dirent

2013-03-17 Thread Ming Lei
On Sun, Mar 17, 2013 at 10:24 PM, Sasha Levin levinsasha...@gmail.com wrote: I still see it going on with the patch applied: Looks the previous patch still has the race problem, so could you just apply the attachment patch and cancel all previous patches for the test? If there is still the

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin wrote: > > I don't think it shows what we want it to show though: > > [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: GW > 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301 > [ 327.418815] Call Trace: > [ 327.419255] []

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 11:58 AM, Ming Lei wrote: > On Sat, Mar 16, 2013 at 11:22 PM, Ming Lei wrote: >> On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin >> wrote: >>> >>> Hi Ming, >>> >>> With your patch: >>> >>> >>> [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: >>> ptysb-uevent >> >>

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 11:22 AM, Ming Lei wrote: > On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin wrote: >> >> Hi Ming, >> >> With your patch: >> >> >> [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent > > Sasha, thanks for your test. > > So is the oops always triggered on

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 11:22 PM, Ming Lei wrote: > On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin wrote: >> >> Hi Ming, >> >> With your patch: >> >> >> [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent > > Sasha, thanks for your test. > > So is the oops always

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin wrote: > > Hi Ming, > > With your patch: > > > [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent Sasha, thanks for your test. So is the oops always triggered on this node of 'ptysb-uevent' or the node name is changed

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 09:30 AM, Ming Lei wrote: > On Sat, Mar 16, 2013 at 8:39 PM, Hillf Danton wrote: >> init rb node before use due to empty node checked by rb_next(). >> >> --- a/fs/sysfs/dir.cSat Mar 16 20:12:16 2013 >> +++ b/fs/sysfs/dir.cSat Mar 16 20:37:10 2013 >> @@ -396,6 +396,7 @@

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 8:39 PM, Hillf Danton wrote: > init rb node before use due to empty node checked by rb_next(). > > --- a/fs/sysfs/dir.cSat Mar 16 20:12:16 2013 > +++ b/fs/sysfs/dir.cSat Mar 16 20:37:10 2013 > @@ -396,6 +396,7 @@ struct sysfs_dirent *sysfs_new_dirent(co > >

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Hillf Danton
On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin wrote: > On 03/15/2013 12:03 AM, Sasha Levin wrote: >> On 03/07/2013 01:26 AM, Dave Jones wrote: >>> On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: >>> > On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: >>> > > general

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Hillf Danton
On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin levinsasha...@gmail.com wrote: On 03/15/2013 12:03 AM, Sasha Levin wrote: On 03/07/2013 01:26 AM, Dave Jones wrote: On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote:

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 8:39 PM, Hillf Danton dhi...@gmail.com wrote: init rb node before use due to empty node checked by rb_next(). --- a/fs/sysfs/dir.cSat Mar 16 20:12:16 2013 +++ b/fs/sysfs/dir.cSat Mar 16 20:37:10 2013 @@ -396,6 +396,7 @@ struct sysfs_dirent *sysfs_new_dirent(co

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 09:30 AM, Ming Lei wrote: On Sat, Mar 16, 2013 at 8:39 PM, Hillf Danton dhi...@gmail.com wrote: init rb node before use due to empty node checked by rb_next(). --- a/fs/sysfs/dir.cSat Mar 16 20:12:16 2013 +++ b/fs/sysfs/dir.cSat Mar 16 20:37:10 2013 @@ -396,6 +396,7 @@

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin levinsasha...@gmail.com wrote: Hi Ming, With your patch: [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent Sasha, thanks for your test. So is the oops always triggered on this node of 'ptysb-uevent' or the node name

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sat, Mar 16, 2013 at 11:22 PM, Ming Lei tom.leim...@gmail.com wrote: On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin levinsasha...@gmail.com wrote: Hi Ming, With your patch: [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent Sasha, thanks for your test. So

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 11:22 AM, Ming Lei wrote: On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin levinsasha...@gmail.com wrote: Hi Ming, With your patch: [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free: ptysb-uevent Sasha, thanks for your test. So is the oops always triggered on

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Sasha Levin
On 03/16/2013 11:58 AM, Ming Lei wrote: On Sat, Mar 16, 2013 at 11:22 PM, Ming Lei tom.leim...@gmail.com wrote: On Sat, Mar 16, 2013 at 11:07 PM, Sasha Levin levinsasha...@gmail.com wrote: Hi Ming, With your patch: [ 1525.874312] release_sysfs_dirent sysfs_dirent use after free:

Re: use after free in sysfs_find_dirent

2013-03-16 Thread Ming Lei
On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin levinsasha...@gmail.com wrote: I don't think it shows what we want it to show though: [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: GW 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301 [ 327.418815] Call Trace: [

Re: use after free in sysfs_find_dirent

2013-03-15 Thread Sasha Levin
On 03/15/2013 03:38 AM, Ming Lei wrote: > Hi, > > On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin wrote: >> On 03/15/2013 12:03 AM, Sasha Levin wrote: >>> >>> [ 350.140100] general protection fault: [#1] PREEMPT SMP >>> DEBUG_PAGEALLOC >>> [ 350.141468] Dumping ftrace buffer: >>> [

Re: use after free in sysfs_find_dirent

2013-03-15 Thread Ming Lei
Hi, On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin wrote: > On 03/15/2013 12:03 AM, Sasha Levin wrote: >> >> [ 350.140100] general protection fault: [#1] PREEMPT SMP >> DEBUG_PAGEALLOC >> [ 350.141468] Dumping ftrace buffer: >> [ 350.142048](ftrace buffer empty) >> [ 350.142619]

Re: use after free in sysfs_find_dirent

2013-03-15 Thread Ming Lei
Hi, On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin levinsasha...@gmail.com wrote: On 03/15/2013 12:03 AM, Sasha Levin wrote: [ 350.140100] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 350.141468] Dumping ftrace buffer: [ 350.142048](ftrace buffer empty) [

Re: use after free in sysfs_find_dirent

2013-03-15 Thread Sasha Levin
On 03/15/2013 03:38 AM, Ming Lei wrote: Hi, On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin levinsasha...@gmail.com wrote: On 03/15/2013 12:03 AM, Sasha Levin wrote: [ 350.140100] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 350.141468] Dumping ftrace buffer: [

Re: use after free in sysfs_find_dirent

2013-03-14 Thread Sasha Levin
On 03/15/2013 12:03 AM, Sasha Levin wrote: > On 03/07/2013 01:26 AM, Dave Jones wrote: >> On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: >> > On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: >> > > general protection fault: [#1] PREEMPT SMP >> > > Modules

Re: use after free in sysfs_find_dirent

2013-03-14 Thread Sasha Levin
On 03/07/2013 01:26 AM, Dave Jones wrote: > On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: > > On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: > > > general protection fault: [#1] PREEMPT SMP > > > Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock

Re: use after free in sysfs_find_dirent

2013-03-14 Thread Sasha Levin
On 03/07/2013 01:26 AM, Dave Jones wrote: On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: general protection fault: [#1] PREEMPT SMP Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep

Re: use after free in sysfs_find_dirent

2013-03-14 Thread Sasha Levin
On 03/15/2013 12:03 AM, Sasha Levin wrote: On 03/07/2013 01:26 AM, Dave Jones wrote: On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: general protection fault: [#1] PREEMPT SMP Modules linked in:

Re: use after free in sysfs_find_dirent

2013-03-13 Thread Ming Lei
On Thu, Mar 7, 2013 at 2:26 PM, Dave Jones wrote: > Could be some of those that caused these bugs. > > I just retried rerunning the test a few times. Every time I run for a while > I end up with different crashes. It's raining bugs over here. > (Here's another sysfs one below) > > Running

Re: use after free in sysfs_find_dirent

2013-03-13 Thread Ming Lei
On Thu, Mar 7, 2013 at 2:26 PM, Dave Jones da...@redhat.com wrote: Could be some of those that caused these bugs. I just retried rerunning the test a few times. Every time I run for a while I end up with different crashes. It's raining bugs over here. (Here's another sysfs one below)

Re: use after free in sysfs_find_dirent

2013-03-06 Thread Dave Jones
On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: > On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: > > general protection fault: [#1] PREEMPT SMP > > Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep fuse > > rfcomm hidp l2tp_ppp l2tp_core

Re: use after free in sysfs_find_dirent

2013-03-06 Thread Greg Kroah-Hartman
On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: > general protection fault: [#1] PREEMPT SMP > Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep fuse rfcomm > hidp l2tp_ppp l2tp_core 8021q garp mrp dlci pppoe pppox ppp_generic slhc > scsi_transport_iscsi rose

use after free in sysfs_find_dirent

2013-03-06 Thread Dave Jones
general protection fault: [#1] PREEMPT SMP Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep fuse rfcomm hidp l2tp_ppp l2tp_core 8021q garp mrp dlci pppoe pppox ppp_generic slhc scsi_transport_iscsi rose caif_socket caif can_raw bridge af_key can_bcm llc2 stp can netrom

Re: use after free in sysfs_find_dirent

2013-03-06 Thread Greg Kroah-Hartman
On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: general protection fault: [#1] PREEMPT SMP Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep fuse rfcomm hidp l2tp_ppp l2tp_core 8021q garp mrp dlci pppoe pppox ppp_generic slhc scsi_transport_iscsi rose

Re: use after free in sysfs_find_dirent

2013-03-06 Thread Dave Jones
On Thu, Mar 07, 2013 at 02:02:30PM +0800, Greg Kroah-Hartman wrote: On Thu, Mar 07, 2013 at 12:28:54AM -0500, Dave Jones wrote: general protection fault: [#1] PREEMPT SMP Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock bnep fuse rfcomm hidp l2tp_ppp l2tp_core 8021q