Re: Oops on ibmasm

From: Dave Jones
Date: Wed Mar 08 2006 - 17:56:57 EST

Next message: Con Kolivas: "Re: [PATCH] mm: yield during swap prefetching"
Previous message: Tilman Schmidt: "[PATCH] reduce syslog clutter (take 2)"
In reply to: Srihari Vijayaraghavan: "Oops on ibmasm"
Next in thread: Greg KH: "Re: Oops on ibmasm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 09, 2006 at 09:41:45AM +1100, Srihari Vijayaraghavan wrote:
> command count: 1
> input: ibmasm RSA I remote mouse as
> /class/input/input2
> input: ibmasm RSA I remote keyboard as
> /class/input/input3
> ibmasm remote responding to events on RSA card 0
> command count: 2
> ibmasm_exec_command:130 at 1141819512.780778
> do_exec_command:107 at 1141819512.780787
> respond to interrupt at 1141819512.782055
> exec_next_command:150 at 1141819512.782094
> finished interrupt at 1141819512.782103
> command count: 1
> Unable to handle kernel paging request at virtual
> address 6b6b6b6b

the problem is we do this..

command_put(sp->current_command);
exec_next_command(sp);

command_put drops the refcount of the kobject in sp,
which then gets freed in the .release (free_command)
which ends up kfree'ing 'sp'.

unsurprisingly, it goes bang the next time something
tries to access it. (Ie the 2nd line above)

It's totally busted.

Dave

--
http://www.codemonkey.org.uk
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Con Kolivas: "Re: [PATCH] mm: yield during swap prefetching"
Previous message: Tilman Schmidt: "[PATCH] reduce syslog clutter (take 2)"
In reply to: Srihari Vijayaraghavan: "Oops on ibmasm"
Next in thread: Greg KH: "Re: Oops on ibmasm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]