Re: kernel BUG at mm/slab.c:601
From: Vegard Nossum
Date: Fri Nov 21 2008 - 20:51:20 EST
On Sat, Nov 22, 2008 at 2:26 AM, Vegard Nossum <vegard.nossum@xxxxxxxxx> wrote:
> [Resend with (I hope) working e-mail address for Mauro]
>
> On Sat, Nov 22, 2008 at 2:25 AM, Vegard Nossum <vegard.nossum@xxxxxxxxx> wrote:
>> On Sat, Nov 22, 2008 at 2:10 AM, Vegard Nossum <vegard.nossum@xxxxxxxxx> wrote:
>>>> [ 527.562373] ffffffff8043b157 0000000000200200 ffffffffa02810d4
>>>> ffff88001e13c600
>>>
>>> LIST_POISON2 on the stack:
>>>
>>> include/linux/poison.h:#define LIST_POISON2 ((void *) 0x00200200)
>>
>> So looking at bttv source code, I wonder what the codes like these are
>> trying to do:
>>
>> if (set->top->vb.queue.next)
>> list_del(&set->top->vb.queue);
>>
>> Code is ancient, I'll ask Mauro.
A semantic patch that finds such invalid list constructs (it is
invalid, isn't it?) would look like this:
@@
expression E;
statement S;
@@
(
* if (E.next) S
|
* if (!E.next) S
|
* if (E.prev) S
|
* if (!E.prev) S
)
I am guessing that the original code wanted to check whether the
object was the last in a list? (The invalid assumption is that NULL
ends the list. Or NULL means that the node is not on a list? But if
so, why take it off the list? In either case, the NULL test looks
wrong because of the poison pointers which prevent intent of the code
-- to check if there is a valid next entry.)
But for this test we actually need to know the list head too. And I
don't know where to find it.
Vegard
--
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
-- E. W. Dijkstra, EWD1036
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/