Re: Fw: Slab coruption and oops with 2.6.1-mm4

Re: Fw: Slab coruption and oops with 2.6.1-mm4

[Gerd Knorr]

> heh, this is the same bug.  Last time we were unlocking an unlocked page. 
> Now we're freeing a free page.

Yes.  Still no idea why that happens through ...

> CONFIG_PREEMPT=y

Bug reproducable with this one turned off?

> Slab corruption: start=c57c2000, len=4096
> 000: 6e 72 6d 71 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> bttv0: skipped frame. no signal? high irq latency? [main=b030000,o_vbi=b030018,o_field=5378000,rc=537801c]
> ------------[ cut here ]------------
> kernel BUG at include/linux/mm.h:275!

page_cache_release()

> EIP is at videobuf_dma_free+0xa9/0xc0 [video_buf]

The code calling page_cache_release looks like this ...

	if (dma->pages) {
		int i;
		for (i=0; i < dma->nr_pages; i++)
			page_cache_release(dma->pages[i]);
		kfree(dma->pages);
		dma->pages = NULL;
	}

... even with videobuf_dma_free() called twice by mistake that shouldn't
double-free the pages.  Maybe videobuf_dma_free() is called from two
places at the same time because one of the call paths misses a lock, but
I can't find any on a quick review.  Hmm.

Does transcode use threads?  If so, does it call into bttv from
different threads?

> Call Trace:
>  [<d08f3a70>] bttv_dma_free+0x60/0xa0 [bttv]
>  [<d08ede63>] bttv_do_ioctl+0x403/0x16a0 [bttv]

must be VIDIOCSYNC ioctl.

>  [<c0335498>] video_usercopy+0xe8/0x1e0
>  [<d08ef13e>] bttv_ioctl+0x3e/0x70 [bttv]
>  [<c0168ef3>] sys_ioctl+0xf3/0x280
>  [<c042e9b7>] syscall_call+0x7/0xb

  Gerd

-- 
"... und auch das ganze Wochenende oll" -- Wetterbericht auf RadioEins

Re: Fw: Slab coruption and oops with 2.6.1-mm4

[Gerd Knorr]

> > CONFIG_PREEMPT=y
> 
> Bug reproducable with this one turned off?

Hmm, running -mm4 with CONFIG_PREEMPT now, box loaded with bttv capture
+ parallel kernel builds, no problems so far ...

> > Slab corruption: start=c57c2000, len=4096
                           ^^^^^^^^
> > 000: 6e 72 6d 71 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> > bttv0: skipped frame. no signal? high irq latency? [main=b030000,o_vbi=b030018,o_field=5378000,rc=537801c]

Who is this?  Is this allocated by bttv?  Or someone else corrupts
memory here?

btcx-risc and video-buf have a "debug=1" insmod option, bttv has
"bttv_debug=1".  Those make bttv verbose (*plenty* of log, so better
don't try all three at the same time ...) and also log addresses of
(some) allocated memory blocks.

btcx-risc calls pci_alloc_consistent() and thus does PAGE_SIZE
allocations, that one likely is a good candidate to start with.

  Gerd

Re: Fw: Slab coruption and oops with 2.6.1-mm4

[caszonyi]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1729 bytes --]

On Mon, 19 Jan 2004, Gerd Knorr wrote:

> > > CONFIG_PREEMPT=y
> >
> > Bug reproducable with this one turned off?
>
> Hmm, running -mm4 with CONFIG_PREEMPT now, box loaded with bttv capture
> + parallel kernel builds, no problems so far ...
>

yes
bug is reproduceable with preempt turned off

Transcode uses threads to capture and encode the movie. However i don't
know how many threads are allocated for capturing.

I tried to run transcode with only one thread for encoding and one buffer
for capturing (option -u 1,1 )

When  writing this email (after the oops) i also got this:

MCE: The hardware reports a non fatal, correctable incident occurred on
CPU 0.
Bank 1: 9400000000000151

> > > Slab corruption: start=c57c2000, len=4096
>                            ^^^^^^^^
> > > 000: 6e 72 6d 71 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> > > bttv0: skipped frame. no signal? high irq latency? [main=b030000,o_vbi=b030018,o_field=5378000,rc=537801c]
>
> Who is this?  Is this allocated by bttv?  Or someone else corrupts
> memory here?
>
> btcx-risc and video-buf have a "debug=1" insmod option, bttv has
> "bttv_debug=1".  Those make bttv verbose (*plenty* of log, so better
> don't try all three at the same time ...) and also log addresses of
> (some) allocated memory blocks.
>
> btcx-risc calls pci_alloc_consistent() and thus does PAGE_SIZE
> allocations, that one likely is a good candidate to start with.
>

see atachment
this is with btcx-risc and video-buf with debug=1

i tried also with bttv_debug=1 when loadijng bttv module but haven't
noticed anything strange.
I can send the debug messages from bttv if you want.

>   Gerd
>

--
"A mouse is a device used to point at
the xterm you want to type in".
Kim Alm on a.s.r.

[-- Attachment #2: Type: TEXT/PLAIN, Size: 15556 bytes --]

g 1-0052
registering 1-0053
registering 1-0054
registering 1-0055
registering 1-0056
registering 1-0057
tuner: chip found @ 0xc2
registering 1-0061
bttv0: Avermedia eeprom[0x4011]: tuner=5 radio:no remote control:yes
bttv0: using tuner=5
tuner: type set to 5 (Philips PAL_BG (FI1216 and compatibles))
bttv0: i2c: checking for MSP34xx @ 0x80... not found
bttv0: i2c: checking for MSP34xx (alternate address) @ 0x88... not found
bttv0: i2c: checking for TDA9875 @ 0xb0... not found
bttv0: i2c: checking for TDA7432 @ 0x8a... not found
request_module: failed /sbin/modprobe -- tvaudio. error = 256
bttv0: registered device video0
bttv0: registered device vbi0
bttv0: PLL: 28636363 => 35468950 .. ok
bttv0: add subdevice "remote0"
agpgart: Found an AGP 2.0 compliant device at 0000:00:00.0.
agpgart: Putting AGP V2 device at 0000:00:00.0 into 4x mode
agpgart: Putting AGP V2 device at 0000:01:00.0 into 4x mode
atkbd.c: Unknown key released (translated set 2, code 0x7a on isa0060/serio0).
atkbd.c: Unknown key released (translated set 2, code 0x7a on isa0060/serio0).
btcx: riscmem alloc size=2320 [2]
btcx: skips line 0-9999:
btcx: riscmem free [1]
vbuf: init user [0x43267008+0x6c000 => 109 pages]
btcx: riscmem alloc size=3184 [2]
btcx: riscmem free [1]
btcx: riscmem alloc size=2320 [2]
btcx: skips line 0-9999:
btcx: riscmem free [1]
vbuf: init user [0x43267008+0x6c000 => 109 pages]
btcx: riscmem alloc size=3184 [2]
btcx: riscmem free [1]
vbuf: mmap setup: 32 buffers, 2129920 bytes each
vbuf: mmap c9cfc96c: 422fd000-463fd000 pgoff 00000000 bufs 0-31
vbuf: init user [0x42505000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [2]
btcx: riscmem alloc size=7820 [3]
vbuf: init user [0x4270d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [4]
btcx: riscmem alloc size=7820 [5]
vbuf: init user [0x42915000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [6]
btcx: riscmem alloc size=7820 [7]
vbuf: init user [0x42b1d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [8]
btcx: riscmem alloc size=7820 [9]
vbuf: init user [0x42d25000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [10]
btcx: riscmem alloc size=7820 [11]
vbuf: init user [0x42f2d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [12]
btcx: riscmem alloc size=7820 [13]
vbuf: init user [0x43135000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [14]
btcx: riscmem alloc size=7820 [15]
vbuf: init user [0x4333d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [16]
btcx: riscmem alloc size=7820 [17]
vbuf: init user [0x43545000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [18]
btcx: riscmem alloc size=7820 [19]
vbuf: init user [0x4374d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [20]
btcx: riscmem alloc size=7820 [21]
vbuf: init user [0x43955000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [22]
btcx: riscmem alloc size=7820 [23]
vbuf: init user [0x43b5d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [24]
btcx: riscmem alloc size=7820 [25]
vbuf: init user [0x43d65000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [26]
btcx: riscmem alloc size=7820 [27]
vbuf: init user [0x43f6d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [28]
btcx: riscmem alloc size=7820 [29]
vbuf: init user [0x44175000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [30]
btcx: riscmem alloc size=7820 [31]
vbuf: init user [0x4437d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [32]
btcx: riscmem alloc size=7820 [33]
vbuf: init user [0x44585000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [34]
btcx: riscmem alloc size=7820 [35]
vbuf: init user [0x4478d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [36]
btcx: riscmem alloc size=7820 [37]
vbuf: init user [0x44995000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [38]
btcx: riscmem alloc size=7820 [39]
vbuf: init user [0x44b9d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [40]
btcx: riscmem alloc size=7820 [41]
vbuf: init user [0x44da5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [42]
btcx: riscmem alloc size=7820 [43]
vbuf: init user [0x44fad000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [44]
btcx: riscmem alloc size=7820 [45]
vbuf: init user [0x451b5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [46]
btcx: riscmem alloc size=7820 [47]
vbuf: init user [0x453bd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [48]
btcx: riscmem alloc size=7820 [49]
vbuf: init user [0x455c5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [50]
btcx: riscmem alloc size=7820 [51]
vbuf: init user [0x457cd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [52]
btcx: riscmem alloc size=7820 [53]
vbuf: init user [0x459d5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [54]
btcx: riscmem alloc size=7820 [55]
vbuf: init user [0x45bdd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [56]
btcx: riscmem alloc size=7820 [57]
vbuf: init user [0x45de5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [58]
btcx: riscmem alloc size=7820 [59]
vbuf: init user [0x45fed000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [60]
btcx: riscmem alloc size=7820 [61]
vbuf: init user [0x461f5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [62]
btcx: riscmem alloc size=7820 [63]
vbuf: init user [0x422fd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x42505000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x4270d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x42915000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x42b1d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x42d25000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x42f2d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43135000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x4333d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43545000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x4374d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43955000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43b5d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43d65000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x43f6d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44175000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x4437d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44585000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x4478d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44995000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44b9d000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44da5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x44fad000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x451b5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x453bd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x455c5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x457cd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x459d5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x45bdd000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x45de5000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
btcx: riscmem free [64]
btcx: riscmem free [63]
vbuf: init user [0x45fed000+0x208000 => 520 pages]
btcx: riscmem alloc size=7820 [64]
btcx: riscmem alloc size=7820 [65]
Unable to handle kernel paging request at virtual address 25262e29
 printing eip:
d08e5613
*pde = 00000000
Oops: 0000 [#1]
DEBUG_PAGEALLOC
CPU:    0
EIP:    0060:[<d08e5613>]    Not tainted VLI
EFLAGS: 00210293
EIP is at videobuf_dma_free+0x33/0xc0 [video_buf]
eax: 00000000   ebx: c45a7000   ecx: 00000208   edx: 25262e29
esi: 00000000   edi: c817cf54   ebp: d0a35720   esp: c4135c18
ds: 007b   es: 007b   ss: 0068
Process transcode (pid: 241, threadinfo=c4134000 task=c41739d0)
Stack: d0a35720 c817cf54 c817cf38 d0a35720 d0a24930 c817cf54 c817cf54 00000000 
       c817cf38 00000000 c4135eec d0a1edf3 d0a35720 c817cf38 00000001 000002d0 
       00000240 00000004 5a5a5a5a c8f0cdf8 c8f0ce08 5a5a5a5a 5a5a5a5a c8f0ce08 
Call Trace:
 [<d0a24930>] bttv_dma_free+0x60/0xa0 [bttv]
 [<d0a1edf3>] bttv_do_ioctl+0x403/0x1690 [bttv]
 [<c011a120>] recalc_task_prio+0x90/0x1a0
 [<c0119fd8>] kernel_map_pages+0x28/0x90
 [<c011a6dd>] scheduler_tick+0x1d/0x560
 [<c0125b96>] update_process_times+0x46/0x60
 [<c011a6dd>] scheduler_tick+0x1d/0x560
 [<c040d50a>] apic_timer_interrupt+0x1a/0x20
 [<c02ac1e0>] __copy_to_user_ll+0x50/0x80
 [<c010a71c>] setup_sigcontext+0x10c/0x120
 [<c010a83a>] setup_frame+0x10a/0x1e0
 [<c031f538>] video_usercopy+0xe8/0x1e0
 [<c010a2fc>] restore_sigcontext+0x5c/0x180
 [<d0a200be>] bttv_ioctl+0x3e/0x70 [bttv]
 [<d0a1e9f0>] bttv_do_ioctl+0x0/0x1690 [bttv]
 [<c0161e85>] sys_ioctl+0xb5/0x230
 [<c040d37b>] syscall_call+0x7/0xb

Code: 24 14 8b 5f 14 85 db 74 08 0f 0b f3 00 80 70 8e d0 8b 5f 04 85 db 74 47 8b 4f 18 31 f6 39 ce 7d 2f 8d b4 26 00 00 00 00 8b 14 b3 <8b> 02 a9 00 08 00 00 75 17 8b 42 04 85 c0 74 66 ff 4a 04 0f 94 
 <7>vbuf: munmap c9cfc96c
btcx: riscmem free [64]
btcx: riscmem free [63]
btcx: riscmem free [62]
btcx: riscmem free [61]
btcx: riscmem free [60]
btcx: riscmem free [59]
btcx: riscmem free [58]
btcx: riscmem free [57]
btcx: riscmem free [56]
btcx: riscmem free [55]
btcx: riscmem free [54]
btcx: riscmem free [53]
btcx: riscmem free [52]
btcx: riscmem free [51]
btcx: riscmem free [50]
btcx: riscmem free [49]
btcx: riscmem free [48]
btcx: riscmem free [47]
btcx: riscmem free [46]
btcx: riscmem free [45]
btcx: riscmem free [44]
btcx: riscmem free [43]
btcx: riscmem free [42]
btcx: riscmem free [41]
btcx: riscmem free [40]
btcx: riscmem free [39]
btcx: riscmem free [38]
btcx: riscmem free [37]
btcx: riscmem free [36]
btcx: riscmem free [35]
btcx: riscmem free [34]
btcx: riscmem free [33]
btcx: riscmem free [32]
btcx: riscmem free [31]
btcx: riscmem free [30]
btcx: riscmem free [29]
btcx: riscmem free [28]
btcx: riscmem free [27]
btcx: riscmem free [26]
btcx: riscmem free [25]
btcx: riscmem free [24]
btcx: riscmem free [23]
btcx: riscmem free [22]
btcx: riscmem free [21]
btcx: riscmem free [20]
btcx: riscmem free [19]
btcx: riscmem free [18]
btcx: riscmem free [17]
btcx: riscmem free [16]
btcx: riscmem free [15]
btcx: riscmem free [14]
btcx: riscmem free [13]
btcx: riscmem free [12]
btcx: riscmem free [11]
btcx: riscmem free [10]
btcx: riscmem free [9]
btcx: riscmem free [8]
btcx: riscmem free [7]
btcx: riscmem free [6]
btcx: riscmem free [5]
btcx: riscmem free [4]
btcx: riscmem free [3]
Unable to handle kernel paging request at virtual address 25262e29
 printing eip:
d08e5613
*pde = 00000000
Oops: 0000 [#2]
DEBUG_PAGEALLOC
CPU:    0
EIP:    0060:[<d08e5613>]    Not tainted VLI
EFLAGS: 00010293
EIP is at videobuf_dma_free+0x33/0xc0 [video_buf]
eax: 00000000   ebx: c45a7000   ecx: 00000208   edx: 25262e29
esi: 00000000   edi: c817cf54   ebp: c8837df4   esp: c8b33e2c
ds: 007b   es: 007b   ss: 0068
Process transcode (pid: 225, threadinfo=c8b32000 task=c9a839d0)
Stack: c817cf54 c817cf54 c817cf38 d0a35720 d0a24930 c817cf54 c817cf54 00000000 
       0000001f c9cfc96c c8dbc954 d08e6ac4 d0a35720 c817cf38 cffd0f38 00000282 
       c8dbc954 c8dbc954 c9234eac c9a839d0 c0146c0d c8dbc954 c89e5bb4 00000300 
Call Trace:
 [<d0a24930>] bttv_dma_free+0x60/0xa0 [bttv]
 [<d08e6ac4>] videobuf_vm_close+0x94/0xc0 [video_buf]
 [<c0146c0d>] exit_mmap+0x15d/0x180
 [<c011c8cf>] mmput+0x4f/0x90
 [<c0120238>] do_exit+0x128/0x310
 [<c01204e4>] do_group_exit+0x54/0x80
 [<c0128c80>] get_signal_to_deliver+0x1c0/0x300
 [<c010adad>] do_signal+0xdd/0x110
 [<c01278d0>] kill_proc_info+0x30/0x40
 [<c011a120>] recalc_task_prio+0x90/0x1a0
 [<c011a120>] recalc_task_prio+0x90/0x1a0
 [<c011af6c>] schedule+0x33c/0x540
 [<c010ae36>] do_notify_resume+0x56/0x60
 [<c040d3c6>] work_notifysig+0x13/0x15

Code: 24 14 8b 5f 14 85 db 74 08 0f 0b f3 00 80 70 8e d0 8b 5f 04 85 db 74 47 8b 4f 18 31 f6 39 ce 7d 2f 8d b4 26 00 00 00 00 8b 14 b3 <8b> 02 a9 00 08 00 00 75 17 8b 42 04 85 c0 74 66 ff 4a 04 0f 94 
 

Re: Slab coruption and oops with 2.6.1-mm4

[Mike Fedyk]

On Tue, Jan 20, 2004 at 02:27:35AM +0200, caszonyi@rdslink.ro wrote:
> When  writing this email (after the oops) i also got this:
> 
> MCE: The hardware reports a non fatal, correctable incident occurred on
> CPU 0.
> Bank 1: 9400000000000151

Ok, run memtest86 on the machine with at least one pass through "all tests"
(that should take several hours depending on memory size, and bandwidth).

Check your power supply, and power source (power from the wall, etc.).

Mike

Re: Fw: Slab coruption and oops with 2.6.1-mm4

[Gerd Knorr]

caszonyi@rdslink.ro writes:

> yes
> bug is reproduceable with preempt turned off

Ok.  Makes a locking flaw less likely as those tend to trigger with
preemp or smp only.

> MCE: The hardware reports a non fatal, correctable incident occurred on
> CPU 0.
> Bank 1: 9400000000000151

That pretty much looks like it is really a hardware issue.

> > > > Slab corruption: start=c57c2000, len=4096
> >                            ^^^^^^^^

> > Who is this?  Is this allocated by bttv?  Or someone else corrupts
> > memory here?

> [ bttv load messages ]
> btcx: riscmem alloc size=2320 [2]

That isn't a fresh booted box, is it?  Please reboot the machine after
every oops and before continuing testing.  With known-corrupted memory
it can oops basically everythere and those oops reports don't help
much.

> btcx: skips line 0-9999:
> btcx: riscmem free [1]
> vbuf: init user [0x43267008+0x6c000 => 109 pages]
> btcx: riscmem alloc size=3184 [2]
> btcx: riscmem free [1]
> btcx: riscmem alloc size=2320 [2]
> btcx: skips line 0-9999:
> btcx: riscmem free [1]
> vbuf: init user [0x43267008+0x6c000 => 109 pages]
> btcx: riscmem alloc size=3184 [2]
> btcx: riscmem free [1]

That was xawtv I guess?  Now transcode starting?

> vbuf: mmap setup: 32 buffers, 2129920 bytes each
> vbuf: mmap c9cfc96c: 422fd000-463fd000 pgoff 00000000 bufs 0-31
> vbuf: init user [0x42505000+0x208000 => 520 pages]
> btcx: riscmem alloc size=7820 [2]
> btcx: riscmem alloc size=7820 [3]

Oh, doesn't print the riscmem addresses.  The blocks are two-page
sized through, so the one-page allocation slab complains about above
likely doesn't come from this.

> Unable to handle kernel paging request at virtual address 25262e29
                                                            ^^^^^^^^
strange value for a kernel address, probably some corrupted pointer.

> EIP is at videobuf_dma_free+0x33/0xc0 [video_buf]
> eax: 00000000   ebx: c45a7000   ecx: 00000208   edx: 25262e29
> esi: 00000000   edi: c817cf54   ebp: d0a35720   esp: c4135c18

in edx.  "objdump -Sd video-buf.o" should help finding the instruction
and corrospending source line, but I fear that wouldn't help much as
that isn't the source of the problem but the place where it shows up.

> btcx: riscmem free [64]
> [ ... ]
> btcx: riscmem free [3]

cleanups due to transcode being killed ...

> Unable to handle kernel paging request at virtual address 25262e29

... and here it hits the very same corrupted pointer again.

  Gerd

-- 
"... und auch das ganze Wochenende oll" -- Wetterbericht auf RadioEins