Re: Slab corruption in 2.6.16-rc5-mm2
From: Linus Torvalds
Date: Mon Mar 06 2006 - 17:15:49 EST
On Mon, 6 Mar 2006, Jesper Juhl wrote:
>
> Ok, booting a plain 2.6.16-rc5-mm2 kernel with the above being the
> only change made results in this :
Yeah. I'm not surprised. A real mode-sense shouldn't be even 64 bytes,
much less 96, so it shouldn't have overflowed, and we had no indication of
the corruption spreading past the one allocation anyway.
It did/does seem a bug, though, so worth checking.
So onward in our tireless battle. Does this patch make any difference for
you? It does two things:
- it clears the "->sense" buffer in blk_end_sync_rq() (since it won't be
valid any more: the request is gone)
- it adds a BUG_ON() if we appear to have already done the sense fill on
SCSI IO completion, and do it again.
Now, I've not tried either of these, and the BUG_ON() in particular might
be a false positive itself, but it might be worth testing.
Linus
---
diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
index 03d9c82..4351d34 100644
--- a/block/ll_rw_blk.c
+++ b/block/ll_rw_blk.c
@@ -2637,6 +2637,7 @@ void blk_end_sync_rq(struct request *rq,
struct completion *waiting = rq->waiting;
rq->waiting = NULL;
+ rq->sense = NULL;
__blk_put_request(rq->q, rq);
/*
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 701a328..2b60769 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -961,6 +961,10 @@ void scsi_io_completion(struct scsi_cmnd
if (result) {
clear_errors = 0;
if (sense_valid && req->sense) {
+
+ /* Have we already filled the sense buffer? */
+ BUG_ON(req->sense_len);
+
/*
* SG_IO wants current and deferred errors
*/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/