X-Mailer: exmh version 2.6.3_20040314 03/14/2004 with nmh-1.1
From: Keith Owens
To: Andrew Morton
Cc: Sonny Rao, rdunlap@xenotime.net, miles.lane@gmail.com, airlied@gmail.com, linux-kernel@vger.kernel.org, Greg KH
Subject: Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
In-reply-to: Your message of "Mon, 08 Aug 2005 10:44:04 MST." <20050808104404.11846951.akpm@osdl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 09 Aug 2005 09:09:57 +1000
Message-ID: <19267.1123542597@ocs3.ocs.com.au>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 8 Aug 2005 10:44:04 -0700,
Andrew Morton wrote:
>Sonny Rao wrote:
>> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
>> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
>> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
>> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
>> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
>> CPU: 0
>> EIP: 0060:[] Not tainted VLI
>> EFLAGS: 00010246 (2.6.13-rc4-mm1)
>> EIP is at sysfs_release+0x4c/0xb0
>> eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
>> esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
>> ds: 007b es: 007b ss: 0068
>> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
>> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
>> 00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
>> c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
>> Call Trace:
>> [] show_stack+0x7f/0xa0
>> [] show_registers+0x164/0x1d0
>> [] die+0x122/0x1c0
>> [] do_page_fault+0x2ce/0x600
>> [] error_code+0x4f/0x54
>> [] __fput+0x1da/0x1f0
>> [] fput+0x2b/0x50
>> [] filp_close+0x4b/0x80
>> [] sys_close+0x6e/0x90
>> [] sysenter_past_esp+0x54/0x75
>> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
>> 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 88 00 01 00 00 83 3b
>> 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
>> <6>note: udev[11843] exited with preempt_count 1
>> Using generic hotkey driver
>> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
>> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
>> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
>> apm: BIOS not found.
>>
>> Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6
>>
>> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
>> stuff.
>>
>
>Keith, does this look like the use-after-free which you've been hitting?

It is certainly in the same place, freeing the data that is chained off
sd->s_element. This oops does not show any memory poisoning, but I am
guessing that the kernel was not compiled with slab debugging. On
balance, it looks like the same problem.