Hi James,

FYI, I got the attached oops in linux-next and it's bisected down to:

commit 88265322c14cce39f7afbc416726ef4fac413298
Merge: 65b99c7 bf53083
Author:     Linus Torvalds
AuthorDate: Tue Oct 2 21:38:48 2012 -0700
Commit:     Linus Torvalds
CommitDate: Tue Oct 2 21:38:48 2012 -0700

    Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

    Pull security subsystem updates from James Morris:
     "Highlights:

      - Integrity: add local fs integrity verification to detect offline attacks
      - Integrity: add digital signature verification
      - Simple stacking of Yama with other LSMs (per LSS discussions)
      - IBM vTPM support on ppc64
      - Add new driver for Infineon I2C TIS TPM
      - Smack: add rule revocation for subject labels"

    Fixed conflicts with the user namespace support in kernel/auditsc.c and
    security/integrity/ima/ima_policy.c.

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)

[ 8.887933] Write protecting the kernel read-only data: 3212k
[ 8.924449] =============================================================================
[ 8.925786] BUG dentry (Not tainted): Invalid object pointer 0xcd48f9a8
[ 8.926749] -----------------------------------------------------------------------------
[ 8.926749]
[ 8.928011] Disabling lock debugging due to kernel taint
[ 8.928011] INFO: Slab 0xcdee81e0 objects=23 used=23 fp=0x (null) flags=0x40000081
[ 8.928011] Pid: 1, comm: init Tainted: G B 3.7.0-rc1-bisect-00005-gdd8e8c4 #2
[ 8.928011] Call Trace:
[ 8.928011] [] slab_err+0x38/0x40
[ 8.928011] [] ? slab_pad_check.part.50+0x5e/0xd2
[ 8.928011] [] free_debug_processing+0x19b/0x1a0
[ 8.928011] [] __slab_free+0x3b/0x26a
[ 8.928011] [] ? __simple_xattr_set+0xe8/0xf8
[ 8.928011] [] kfree+0xaa/0xb3
[ 8.928011] [] ? kfree+0xaa/0xb3
[ 8.928011] [] ? __simple_xattr_set+0xe8/0xf8
[ 8.928011] [] ? unmap_mapping_range+0x11f/0x127
[ 8.928011] [] ? mutex_lock+0x18/0x31
[ 8.928011] [] ? __simple_xattr_set+0xe8/0xf8
[ 8.928011] [] __simple_xattr_set+0xe8/0xf8
[ 8.928011] [] simple_xattr_remove+0xe/0x10
[ 8.928011] [] shmem_removexattr+0x42/0x47
[ 8.928011] [] ima_inode_post_setattr+0x76/0x7b
[ 8.928011] [] notify_change+0x268/0x284
[ 8.928011] [] do_truncate+0x60/0x77
[ 8.928011] [] ? ima_get_action+0x1f/0x24
[ 8.928011] [] handle_truncate+0x73/0x84
[ 8.928011] [] do_last.isra.27+0x445/0x502
[ 8.928011] [] path_openat.isra.28+0x93/0x340
[ 8.928011] [] ? __slab_alloc.constprop.66+0x258/0x27d
[ 8.928011] [] do_filp_open+0x21/0x5d
[ 8.928011] [] ? __alloc_fd+0x36/0xdc
[ 8.928011] [] do_sys_open+0xfa/0x173
[ 8.928011] [] sys_open+0x21/0x29
[ 8.928011] [] sysenter_do_call+0x12/0x2c
[ 8.961197] FIX dentry: Object at 0xcd48f9a8 not freed
[ 8.962022] BUG: unable to handle kernel paging request at 6b6b6be3
[ 8.963103] IP: [] mutex_unlock+0x3/0x16
[ 8.963939] *pde = 00000000
[ 8.964551] Oops: 0002 [#1] SMP
[ 8.965122] Pid: 1, comm: init Tainted: G B 3.7.0-rc1-bisect-00005-gdd8e8c4 #2 Bochs Bochs
[ 8.965122] EIP: 0060:[] EFLAGS: 00010212 CPU: 0
[ 8.965122] EIP is at mutex_unlock+0x3/0x16
[ 8.965122] EAX: 6b6b6bd3 EBX: cd765790 ECX: cd89b998 EDX: 0000a068
[ 8.965122] ESI: 00000000 EDI: cf925c00 EBP: cd84fe04 ESP: cd84fe04
[ 8.965122] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 8.965122] CR0: 80050033 CR2: 6b6b6be3 CR3: 0f8a9000 CR4: 00000690
[ 8.965122] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 8.965122] DR6: ffff0ff0 DR7: 00000400
[ 8.965122] Process init (pid: 1, ti=cd84e000 task=cd850000 task.ti=cd84e000)
[ 8.965122] Stack:
[ 8.965122] cd84fe4c c10c2c5f 0000a068 cd84fecc cd84fe24 c11c3583 00000000 00000000
[ 8.965122] 507d1295 37049458 507d1295 37049458 507d1295 37049458 cf925c00 cd89b9a4
[ 8.965122] cd765790 cf925c00 cd84fe68 c10cac23 00008060 cf925c00 cd84ff00 00000000
[ 8.965122] Call Trace:
[ 8.965122] [] do_truncate+0x6d/0x77
[ 8.965122] [] ? ima_get_action+0x1f/0x24
[ 8.965122] [] handle_truncate+0x73/0x84
[ 8.965122] [] do_last.isra.27+0x445/0x502
[ 8.965122] [] path_openat.isra.28+0x93/0x340
[ 8.965122] [] ? __slab_alloc.constprop.66+0x258/0x27d
[ 8.965122] [] do_filp_open+0x21/0x5d
[ 8.965122] [] ? __alloc_fd+0x36/0xdc
[ 8.965122] [] do_sys_open+0xfa/0x173
[ 8.965122] [] sys_open+0x21/0x29
[ 8.965122] [] sysenter_do_call+0x12/0x2c
[ 8.965122] Code: b8 c0 91 8c c1 ba 55 00 00 00 e8 d5 9f 9c ff 89 d8 f0 ff 08 79 05 e8 ce 00 00 00 64 a1 88 17 af c1 89 43 10 59 5b 5d c 3 55 89 e5 40 10 00 00 00 00 f0 ff 00 7f 05 e8 02 00 00 00 5d c3 55 89
[ 8.965122] EIP: [] mutex_unlock+0x3/0x16 SS:ESP 0068:cd84fe04
[ 8.965122] CR2: 000000006b6b6be3
[ 8.998377] ---[ end trace c748b36104e4e97e ]---

Thanks,
Fengguang