[PATCH] Re: slab corruption on 2.6.10-rc4-bk7

[Jeff Garzik]

Andrew Morton wrote:
> Dave Jones <davej@xxxxxxxxxx> wrote:
>
> > (This has actually been there for a while, but I only
> > noticed it in dmesg this morning).
> > During boot on a dual em64t I see ..
> >
> > scsi2 : ata_piix
> > isa bounce pool size: 16 pages
> > slab error in cache_free_debugcheck(): cache `size-2048': double free, or memory outside object was overwritten
> >
> > Call Trace:<ffffffff80163448>{cache_free_debugcheck+392} <ffffffff801646aa>{kfree+234}
> >       <ffffffff88065189>{:libata:ata_pci_init_one+937} <ffffffff801fe9ea>{pci_bus_read_config_word+122}
> >       <ffffffff880707f2>{:ata_piix:piix_init_one+498} <ffffffff80202926>{pci_device_probe+134}
> >       <ffffffff802691ad>{driver_probe_device+77} <ffffffff802692cb>{driver_attach+75}
> >       <ffffffff802696c9>{bus_add_driver+169} <ffffffff802025e3>{pci_register_driver+131}
> >       <ffffffff88074010>{:ata_piix:piix_init+16} <ffffffff80152c58>{sys_init_module+344}
> >       <ffffffff8010e52a>{system_call+126}
> > ffff81011e49f4a0: redzone 1: 0x5a2cf071, redzone 2: 0x5a2cf071.
>
>
> It's plain to see how ata_pci_init_one() will free `probe_ent' twice.  Jeff
> wanna fix that up please?  A naive fix would be

Here's the initial fix...  about to test with some other fixes here. 
Anybody who is seeing this wanna give it a try?

	Jeff


===== drivers/scsi/libata-core.c 1.116 vs edited =====
--- 1.116/drivers/scsi/libata-core.c	2005-02-01 20:23:51 -05:00
+++ edited/drivers/scsi/libata-core.c	2005-02-20 23:25:52 -05:00
@@ -3751,8 +3751,8 @@
 			kfree(probe_ent2);
 	} else {
 		ata_device_add(probe_ent);
+		kfree(probe_ent);
 	}
-	kfree(probe_ent);
 
 	return 0;