On Fri, May 12, 2000 at 05:01:50AM +0200, Jan Niehusmann wrote:
> The oops goes away if I remove the "flags |= SLAB_POISON;"-Line introduced
> in slap.c in pre7-9. So the bug is probably not new, but didn't get caught
> up to now.
The oops seems to be caused by the following code in uhci.c:

static void uhci_free_td(struct uhci_td *td)
{
	if (!list_empty(&td->list))
		dbg("td is still in URB list!");
	kmem_cache_free(uhci_td_cachep, td);
	if (td->dev)
		usb_dec_dev_use(td->dev);
}

If I don't misunderstand this, kmem_cache_free frees td. With slab
poisoning, td->dev then points to 5a5a5a5a, leading to the oops.
Without slab poisoning, td->dev probably pointed to zero, so
usb_dec_dev_use didn't get executed, preventing the oops.

I just moved kmem_cache_free below usb_dec_dev_use, and will try if
it works now.

The same sequence is in uhci_free_qh.
--- linux-2.3.99-pre7/drivers/usb/uhci.c.orig Fri May 12 03:30:14 2000
+++ linux-2.3.99-pre7/drivers/usb/uhci.c Fri May 12 15:46:29 2000
@@ -289,10 +289,10 @@
if (!list_empty(&td->list))
dbg("td is still in URB list!");
- kmem_cache_free(uhci_td_cachep, td);
-
if (td->dev)
usb_dec_dev_use(td->dev);
+
+ kmem_cache_free(uhci_td_cachep, td);
}
static struct uhci_qh *uhci_alloc_qh(struct usb_device *dev)
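Review bot: The list_empty() check at the top of uhci_free_td still only logs through dbg() and then falls through to the free, so a td that is still linked on a URB list is handed back to uhci_td_cachep while the list continues to reference it; consider unlinking it or returning before kmem_cache_free(uhci_td_cachep, td) in that case. Moving the free below the td->dev test is the right order, since td must not be read once it has been returned to the cache.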
@@ -318,10 +318,10 @@
static void uhci_free_qh(struct uhci_qh *qh)
{
- kmem_cache_free(uhci_qh_cachep, qh);
-
if (qh->dev)
usb_dec_dev_use(qh->dev);
+
+ kmem_cache_free(uhci_qh_cachep, qh);
}
static void uhci_insert_qh(struct uhci *uhci, struct uhci_qh *skelqh, struct uhci_qh *qh)
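Review bot: In uhci_free_qh the free is now the last statement, but nothing in the function says why, and the same ordering mistake was present in both free routines; a one-line comment above kmem_cache_free(uhci_qh_cachep, qh) stating that qh must not be touched after it would help keep later edits from reintroducing a read of qh->dev after the free. Copying qh->dev into a local before freeing is an alternative that makes the order harder to break.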
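The ordering bug described in this message, as an added userspace illustration (not part of the original post and not code from uhci.c): a one-object toy cache that fills freed objects with 0x5a shows what the free-then-read order hands to the caller and how the patched order avoids it. All `toy_*` names, `slot`, and the two `free_td_*` functions are hypothetical stand-ins, and the cache uses static storage so the stale read is well-defined here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0x5a /* freed-object fill; the message saw td->dev == 5a5a5a5a */
struct toy_dev { int refcnt; };          /* hypothetical stand-in for struct usb_device */
struct toy_td  { struct toy_dev *dev; }; /* hypothetical stand-in for struct uhci_td */

/* One-object toy cache in static storage: reads after free are defined here. */
static struct toy_td slot;

static struct toy_td *toy_alloc(struct toy_dev *dev)
{
	dev->refcnt++;
	slot.dev = dev;
	return &slot;
}

static void toy_cache_free(struct toy_td *td)
{
	memset(td, POISON_BYTE, sizeof(*td)); /* mimics poisoning a freed object */
}

/* Original order: free, then read td->dev. Returns the raw bits that would
 * have been passed to usb_dec_dev_use(); they are never dereferenced. */
static uintptr_t free_td_buggy(struct toy_td *td)
{
	uintptr_t stale;
	toy_cache_free(td);
	memcpy(&stale, &td->dev, sizeof(stale));
	return stale;
}

/* Patched order: drop the device reference first, free last. */
static void free_td_fixed(struct toy_td *td)
{
	if (td->dev)
		td->dev->refcnt--;
	toy_cache_free(td);
}

int main(void)
{
	struct toy_dev a = { 0 }, b = { 0 };
	printf("buggy order reads dev = %#lx\n", (unsigned long)free_td_buggy(toy_alloc(&a)));
	free_td_fixed(toy_alloc(&b));
	printf("refcnt: buggy %d, fixed %d\n", a.refcnt, b.refcnt);
	return 0;
}
```

In the buggy order the device reference is also never dropped, so `a.refcnt` stays at 1 while `b.refcnt` returns to 0.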