From: Russell King <rmk+lkml@arm.linux.org.uk>
To: Manfred Spraul <manfred@colorfullife.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [BUG] 2.6.8-rc3 slab corruption (jffs2?)
Date: Sun, 8 Aug 2004 10:36:19 +0100 [thread overview]
Message-ID: <20040808103619.A7589@flint.arm.linux.org.uk> (raw)
In-Reply-To: <4115F0FA.30503@colorfullife.com>; from manfred@colorfullife.com on Sun, Aug 08, 2004 at 11:23:06AM +0200
On Sun, Aug 08, 2004 at 11:23:06AM +0200, Manfred Spraul wrote:
> rmk wrote:
> >Due to tail call optimisation, its difficult to work out exactly what's
> >going on, but the first seems to be a kfree call from the erase callback
> >(possibly jffs2_erase_callback). The second function is the call to
> >jffs2_free_full_dirent() in jffs2_garbage_collect_deletion_dirent().
>
> I'd concentrate on cfi_intelext_erase_varsize+0x58/0x64:
> When slab encounters a corruption, it dumps three objects: the corrupted
> one, the previous one and the next one. Theoretically, a write
> before/after the end of the object could corrupt the neighboring object,
> but probably the first function is the relevant one.
Remember - we report the _return_ address of a function when we use
__builtin_return_address(0) in that function.
This means that if kfree() is called from a tail-call optimised
position, the reported address will be the parent function of the
one which actually called it.
Therefore, cfi_intelext_erase_varsize() called some other function
(in this case, via a function pointer) which then called kfree() in
a tail-call optimised position. jffs2_erase_callback() would be
called from this function pointer and does have kfree() in a tail-call
optimised position.
However, reading the code around jffs2_erase_callback() and
jffs2_erase_block(), I can find nothing obviously wrong.
The main problem is that I don't actually know what triggered it in the
first place - I'd just booted the machine and was just logging in when
it poped up, but repeating this does not cause the problem.
--
Russell King
Linux kernel 2.6 ARM Linux - http://www.arm.linux.org.uk/
maintainer of: 2.6 PCMCIA - http://pcmcia.arm.linux.org.uk/
2.6 Serial core
next prev parent reply other threads:[~2004-08-08 9:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-08 9:23 [BUG] 2.6.8-rc3 slab corruption (jffs2?) Manfred Spraul
2004-08-08 9:36 ` Russell King [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-08-07 14:04 Russell King
2004-08-07 14:04 ` Russell King
2004-08-07 21:59 ` David Woodhouse
2004-08-07 21:59 ` David Woodhouse
2004-08-08 6:12 ` Wu Jian Feng
2004-08-08 10:53 ` David Woodhouse
2004-08-08 10:53 ` David Woodhouse
2004-08-09 1:59 ` Wu Jian Feng
2004-08-09 1:59 ` Wu Jian Feng
2004-08-09 6:41 ` David Woodhouse
2004-08-09 11:07 ` David Woodhouse
2004-08-09 13:11 ` Jarkko Lavinen
2004-08-09 13:17 ` David Woodhouse
2004-08-10 0:52 ` Wu Jian Feng
2004-08-10 0:52 ` Wu Jian Feng
2004-08-10 13:16 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040808103619.A7589@flint.arm.linux.org.uk \
--to=rmk+lkml@arm.linux.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.