Date: Thu, 19 Nov 2015 23:18:36 -0500
From: Dave Jones
To: Linux Kernel
Cc: Tejun Heo
Subject: pids_free double free.
Message-ID: <20151120041836.GA18390@codemonkey.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

One of my Debian boxes got a systemd update. After rebooting, I started
seeing a use-after-free trace, followed by a lockup.

I have two slightly different traces from separate boots, which may give
some clue as to how it's getting free'd in two ways..

http://codemonkey.org.uk/junk/IMG_0474.jpg
http://codemonkey.org.uk/junk/IMG_0476.jpg

This isn't new, I booted back to 4.3, and hit slab debugging warnings from
the same code. (At the least it was broken differently)

The WARN_ON referenced in the 2nd trace is this..

static void pids_cancel(struct pids_cgroup *pids, int num)
{
	/*
	 * A negative count (or overflow for that matter) is invalid,
	 * and indicates a bug in the `pids` controller proper.
	 */
	WARN_ON_ONCE(atomic64_add_negative(-num, &pids->counter));
}

	Dave
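
Added example, not part of the original mail or the kernel source: a userspace C model of the counter check in pids_cancel() above, assuming each task is charged once and that a double free runs the cancel twice for one task. The names pids_model, add_negative, model_charge, model_cancel and run_scenario are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-in for the controller state; only the counter is modelled. */
struct pids_model {
	atomic_llong counter;
	int warned;	/* how often the negative-count check fired */
};

/* Same contract as atomic64_add_negative(): add, report if result < 0. */
static bool add_negative(long long delta, atomic_llong *v)
{
	return atomic_fetch_add(v, delta) + delta < 0;
}

static void model_charge(struct pids_model *p, int num)
{
	atomic_fetch_add(&p->counter, num);
}

/* Mirrors pids_cancel() from the mail: subtract, flag a negative count. */
static void model_cancel(struct pids_model *p, int num)
{
	if (add_negative(-num, &p->counter))
		p->warned++;
}

/* Constructed scenario: `tasks` tasks are charged once each, then the free
 * path of ONE of them runs `frees` times. Returns the final counter. */
static long long run_scenario(struct pids_model *p, int tasks, int frees)
{
	atomic_init(&p->counter, 0);
	p->warned = 0;
	for (int i = 0; i < tasks; i++)
		model_charge(p, 1);
	for (int i = 0; i < frees; i++)
		model_cancel(p, 1);
	return atomic_load(&p->counter);
}

int main(void)
{
	struct pids_model p;
	int cases[3][2] = { {1, 1}, {1, 2}, {3, 2} };	/* {tasks, frees} */
	for (int i = 0; i < 3; i++) {
		long long v = run_scenario(&p, cases[i][0], cases[i][1]);
		printf("tasks=%d frees=%d counter=%lld warned=%d\n",
		       cases[i][0], cases[i][1], v, p.warned);
	}
	return 0;
}
```

In the third case the counter ends at 1 while two tasks are still charged, and the check stays silent: it only fires once the imbalance pushes the count below zero.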