On 04/19/2013 03:10 AM, Linus Torvalds wrote:
> On Thu, Apr 18, 2013 at 11:13 AM, Jens Axboe wrote:
>> On Thu, Apr 18 2013, Tejun Heo wrote:
>>> On Thu, Apr 18, 2013 at 10:39:00AM -0700, Jens Axboe wrote:
>>>>
>>>> Yep, thanks Linus for that hint... Must be someone abusing it for a
>>>> flag field post submission? Crazy.
>>>
>>> Let's hope that's not the case because there'll be blood if it is. :)
>>
>> Yeah, it's beyond the amount of crazy I've come to expect from various
>> random users of IO interfaces :-)
>
> I think it's more likely to be some use-after-free after a long timeout.
>
> Wanlong says it happens a few minutes after boot, so maybe something
> times out a command, does the blk_complete_request(), and frees the
> bio, which gets re-used before the softirq actually ends up running.
>
> I note that Wanlong uses the SLAB allocator, not the SLUB one. I
> wonder if the thing goes away with SLUB, and if not, if
> CONFIG_SLUB_DEBUG_ON=y might help debug it?

Done as you mentioned, attached the config and dmesg before panic.
And the panic message is almost the same as before here:
https://lkml.org/lkml/2013/4/18/633

Thanks,
Wanlong Gao

>
> Linus
>