Re: [BUG] 2.6.8-rc3 slab corruption (jffs2?)

From: Wu Jian Feng
Date: Sun Aug 08 2004 - 01:09:56 EST

Next message: Maurice: "Re: 2.6.xSMP and IPv4 issues (ifconfig(s))"
Previous message: Zwane Mwaikambo: "Re: [PATCH][2.6] Completely out of line spinlocks / x86_64"
Next in thread: David Woodhouse: "Re: [BUG] 2.6.8-rc3 slab corruption (jffs2?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Can't figure out why but have a quick workaround for this:

--- a/fs/jffs2/erase.c 2004-08-08 14:03:06.000000000 +0800
+++ b/fs/jffs2/erase.c 2004-08-08 14:05:41.000000000 +0800
@@ -72,8 +72,10 @@
((struct erase_priv_struct *)instr->priv)->c = c;

ret = c->mtd->erase(c->mtd, instr);
- if (!ret)
+ if (!ret) {
+ kfree(instr);
return;
+ }

bad_offset = instr->fail_addr;
kfree(instr);
@@ -206,7 +208,6 @@
} else {
jffs2_erase_succeeded(priv->c, priv->jeb);
}
- kfree(instr);
}
#endif /* !__ECOS */

On Sat, Aug 07, 2004 at 03:04:58PM +0100, Russell King wrote:
> Not sure exactly what caused this, but it happened while logging in
> (after fixing the previous two reported problems - the first by backing
> out the last change to redboot.c and the second by commenting out
> ri->usercompr in fs/jffs2/read.c.)
>
> Slab corruption: start=c1e39474, len=64
> Redzone: 0x5a2cf071/0x5a2cf071.
> Last user: [<c032ca10>](cfi_intelext_erase_varsize+0x58/0x64)
> 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 4f 6b
> Prev obj: start=c1e39428, len=64
> Redzone: 0x5a2cf071/0x5a2cf071.
> Last user: [<c02c767c>](jffs2_garbage_collect_deletion_dirent+0x80/0x8c)
> 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> Next obj: start=c1e394c0, len=64
> Redzone: 0x170fc2a5/0x170fc2a5.
> Last user: [<c03514f8>](neigh_hh_init+0x64/0x11c)
> 000: 00 00 00 00 03 00 00 00 08 00 00 00 0e 00 00 00
> 010: 00 b0 34 c0 00 00 08 00 2b 95 1d 7b 00 c0 1b 00
>
> Due to tail call optimisation, its difficult to work out exactly what's
> going on, but the first seems to be a kfree call from the erase callback
> (possibly jffs2_erase_callback). The second function is the call to
> jffs2_free_full_dirent() in jffs2_garbage_collect_deletion_dirent().
>
> Any ideas? I haven't been able to reproduce (presumably because the
> erase succeeded, and we didn't need to re-erase again.)
>
> --
> Russell King
> Linux kernel 2.6 ARM Linux - http://www.arm.linux.org.uk/
> maintainer of: 2.6 PCMCIA - http://pcmcia.arm.linux.org.uk/
> 2.6 Serial core
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Maurice: "Re: 2.6.xSMP and IPv4 issues (ifconfig(s))"
Previous message: Zwane Mwaikambo: "Re: [PATCH][2.6] Completely out of line spinlocks / x86_64"
Next in thread: David Woodhouse: "Re: [BUG] 2.6.8-rc3 slab corruption (jffs2?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]