Hello,
fs/inode.c:prune_icache() does list_del(&inode->i_hash), and then calls
destroy_inode(). Inode is returned to the slab with ->i_hash still
containing dangling pointers. Probably this wasn't observed so far,
because prune_icache() is called during memory pressure and slab page
where inode is returned back into, is almost immediately released.
2.4 explicitly calls INIT_LIST_HEAD(&inode->i_hash) in prune_icache().
Following patch re-initializes ->i_hash.
Nikita.
===== fs/inode.c 1.84 vs edited =====
--- 1.84/fs/inode.c Mon Dec 16 09:38:48 2002
+++ edited/fs/inode.c Wed Dec 25 16:19:10 2002
@@ -248,7 +248,7 @@
struct inode *inode;
inode = list_entry(head->next, struct inode, i_list);
- list_del(&inode->i_list);
+ list_del_init(&inode->i_list);
if (inode->i_data.nrpages)
truncate_inode_pages(&inode->i_data, 0);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Dec 31 2002 - 22:00:10 EST