Re: Fw: Slab coruption and oops with 2.6.1-mm4
From: Gerd Knorr
Date: Mon Jan 19 2004 - 07:21:15 EST
> heh, this is the same bug. Last time we were unlocking an unlocked page.
> Now we're freeing a free page.
Yes. Still no idea why that happens through ...
> CONFIG_PREEMPT=y
Bug reproducable with this one turned off?
> Slab corruption: start=c57c2000, len=4096
> 000: 6e 72 6d 71 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> bttv0: skipped frame. no signal? high irq latency? [main=b030000,o_vbi=b030018,o_field=5378000,rc=537801c]
> ------------[ cut here ]------------
> kernel BUG at include/linux/mm.h:275!
page_cache_release()
> EIP is at videobuf_dma_free+0xa9/0xc0 [video_buf]
The code calling page_cache_release looks like this ...
if (dma->pages) {
int i;
for (i=0; i < dma->nr_pages; i++)
page_cache_release(dma->pages[i]);
kfree(dma->pages);
dma->pages = NULL;
}
... even with videobuf_dma_free() called twice by mistake that shouldn't
double-free the pages. Maybe videobuf_dma_free() is called from two
places at the same time because one of the call paths misses a lock, but
I can't find any on a quick review. Hmm.
Does transcode use threads? If so, does it call into bttv from
different threads?
> Call Trace:
> [<d08f3a70>] bttv_dma_free+0x60/0xa0 [bttv]
> [<d08ede63>] bttv_do_ioctl+0x403/0x16a0 [bttv]
must be VIDIOCSYNC ioctl.
> [<c0335498>] video_usercopy+0xe8/0x1e0
> [<d08ef13e>] bttv_ioctl+0x3e/0x70 [bttv]
> [<c0168ef3>] sys_ioctl+0xf3/0x280
> [<c042e9b7>] syscall_call+0x7/0xb
Gerd
--
"... und auch das ganze Wochenende oll" -- Wetterbericht auf RadioEins
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/