Re: [Oops] i386 mm/slab.c (cache_flusharray)

From: Manfred Spraul
Date: Fri Nov 21 2003 - 14:15:45 EST


pinotj@xxxxxxxxxxxxxxxx wrote:

0. Increase verbosity of the printk (thanks to Manfred):
(compilation of kernel)
slab: double free detected in cache 'buffer_head', objp c4c8e3d8, objnr 10,
slabp c4c8e000, s_mem c4c8e180, bufctl ffffffff.
(compilation of firebird)
slab: double free detected in cache 'pte_chain', objp c18a6600, objnr 10,
slabp c18a6000, s_mem c18a6100, bufctl ffffffff.


The correct value for the bufctl would be 0xfffffffe - a single bit is wrong, but OTHO 0xffffffff is also a valid value.
Two different caches are affected.
The addresses of the corrupted variable differ, the offset into the page is identical. I think that rules out bad memory. That leaves a bug in slab.c, a bad bit in the L1/L2 cache, or random pointer scribbling.
Jerome, could you try the attached patch? It changes the magic constants that are used by slab.c. And please pay attention to the objnr: Is it always objnr 10, slabp xxxxx000, or do you see other values as well?

--
Manfred

--
Manfred
--- 2.6/mm/slab.c 2003-11-18 18:18:20.000000000 +0100
+++ build-2.6/mm/slab.c 2003-11-21 19:50:02.000000000 +0100
@@ -153,9 +153,9 @@
* is less than 512 (PAGE_SIZE<<3), but greater than 256.
*/

-#define BUFCTL_END 0xffffFFFF
-#define BUFCTL_FREE 0xffffFFFE
-#define SLAB_LIMIT 0xffffFFFD
+#define BUFCTL_END 0xfeffFFFF
+#define BUFCTL_FREE 0xf7ffFFFE
+#define SLAB_LIMIT 0xf0ffFFFD
typedef unsigned int kmem_bufctl_t;

/* Max number of objs-per-slab for caches which use off-slab slabs.