Re: [BUG] 2.6.8-rc3 slab corruption (jffs2?)

From: Manfred Spraul
Date: Sun Aug 08 2004 - 04:21:52 EST


rmk wrote:

Due to tail call optimisation, it's difficult to work out exactly what's
going on, but the first seems to be a kfree call from the erase callback
(possibly jffs2_erase_callback). The second function is the call to
jffs2_free_full_dirent() in jffs2_garbage_collect_deletion_dirent().
I'd concentrate on cfi_intelext_erase_varsize+0x58/0x64:
When slab encounters a corruption, it dumps three objects: the corrupted one, the previous one and the next one. Theoretically, a write before/after the end of the object could corrupt the neighboring object, but probably the first function is the relevant one.

Could you double check that gcc did a tail optimization in cfi_intelext_erase_varsize?
I don't understand how this is possible: cfi_intelext_erase_varsize returns (int)0, instr->callback is a void function.
And even if there is a tail optimization: how would that affect the call address of the kfree() call? Perhaps gcc automatically inlined something?

--
Manfred
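The three-object dump Manfred describes, as an added example that is not part of this thread or of the kernel's mm/slab.c: a constructed model of red-zoned slab slots (all names, sizes and the marker value are assumptions) in which an underrun from one object lands in its neighbour's trailing red zone, so the checker flags the neighbour first and the dump of the adjacent objects is what points back at the real writer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the kernel's slab code: each slot in a cache is
 * laid out as [red zone][OBJ_SIZE payload][red zone]. A store that runs past
 * the payload in either direction hits a red zone, which the checker notices. */
#define OBJ_SIZE  16
#define NUM_OBJS  4
#define RZ_BYTES  sizeof(uint32_t)
#define SLOT_SIZE (2 * RZ_BYTES + OBJ_SIZE)
#define REDZONE   0x5A2CF071u          /* arbitrary marker pattern */

static unsigned char arena[NUM_OBJS * SLOT_SIZE];

static unsigned char *obj(int i) { return arena + i * SLOT_SIZE + RZ_BYTES; }
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

static void slab_init(void) {
    uint32_t rz = REDZONE;
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < NUM_OBJS; i++) {
        memcpy(obj(i) - RZ_BYTES, &rz, 4);   /* leading red zone */
        memcpy(obj(i) + OBJ_SIZE, &rz, 4);   /* trailing red zone */
    }
}

/* Bit 1: leading red zone clobbered, bit 2: trailing red zone clobbered. */
static int zone_hit(int i) {
    return (rd32(obj(i) - RZ_BYTES) != REDZONE ? 1 : 0) |
           (rd32(obj(i) + OBJ_SIZE) != REDZONE ? 2 : 0);
}

/* Index of the first object whose red zone is damaged, or -1 if all clean. */
static int slab_check(void) {
    for (int i = 0; i < NUM_OBJS; i++)
        if (zone_hit(i)) return i;
    return -1;
}

/* Kernel-style report: the flagged object plus its neighbours, because the
 * writer may have been the object before or after the one that was flagged. */
static void slab_dump_around(int idx) {
    for (int i = idx - 1; i <= idx + 1; i++)
        if (i >= 0 && i < NUM_OBJS)
            printf("obj %d%s: zones hit=%d\n", i, i == idx ? " (flagged)" : "", zone_hit(i));
}

/* Simulated bugs: write n bytes past the end, or n bytes before the start, of obj idx. */
static void overrun(int idx, size_t n)  { memset(obj(idx), 0xAA, OBJ_SIZE + n); }
static void underrun(int idx, size_t n) { memset(obj(idx) - n, 0xAA, n); }
```

Running `slab_init(); underrun(2, 8); slab_dump_around(slab_check());` flags object 1, while the dump shows object 2's leading zone is also dead, which is the clue that object 2 did the writing.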