2003-05-29 00:55:51

by NeilBrown

Subject: Re: 2.5.70-mm1 bootcrash, possibly RAID-1


Greetings all.

I think this might fix the bug, but I haven't looked very closely
yet. I will explore it more deeply when I get time.

NeilBrown



----------- Diffstat output ------------
./drivers/md/raid1.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)

diff ./drivers/md/raid1.c~current~ ./drivers/md/raid1.c
--- ./drivers/md/raid1.c~current~ 2003-05-29 11:05:03.000000000 +1000
+++ ./drivers/md/raid1.c 2003-05-29 11:05:08.000000000 +1000
@@ -137,7 +137,7 @@ static void put_all_bios(conf_t *conf, r
BUG();
bio_put(r1_bio->read_bio);
r1_bio->read_bio = NULL;
- }
+ } else
for (i = 0; i < conf->raid_disks; i++) {
struct bio **bio = r1_bio->write_bios + i;
if (*bio) {
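
Review bot: the `} else` at the end of this hunk hangs an unbraced, multi-line `for` loop off a braced `if` block; write it as `} else {` with a closing brace after the loop so the scope of the else branch is explicit and a statement added after the loop later is not mistaken for part of it. Since this makes putting `r1_bio->write_bios` conditional on `read_bio` not having been handled, a one-line comment or changelog sentence should say why the write bios must be skipped in that case.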


2003-05-29 07:12:10

by Zwane Mwaikambo

Subject: Re: 2.5.70-mm1 bootcrash, possibly RAID-1

On Thu, 29 May 2003, Neil Brown wrote:

> I think this might fix the bug, but I haven't looked very closely
> yet. I will explore it more deeply when I get time.
>
> NeilBrown

No go;

raid0: comparing sdd1(4193152) with sdd1(4193152)
raid0: END
raid0: ==> UNIQUE
raid0: 1 zones
raid0: looking at sdc1
raid0: comparing sdc1(4193152) with sdd1(4193152)
raid0: EQUAL
raid0: FINAL 1 zones
raid0: multiple devices for 1 - aborting!
slab error in cache_free_debugcheck(): cache `size-32': double free, or memory before object was overwritten
Call Trace:
[<c0148da3>] kfree+0xf3/0x2e0
[<c0366a64>] raid0_run+0x234/0x250
[<c0366a64>] raid0_run+0x234/0x250
[<c012529a>] printk+0x1ca/0x280
[<c0371fa4>] do_md_run+0x2f4/0x560
[<c0371fbb>] do_md_run+0x30b/0x560
[<c012529a>] printk+0x1ca/0x280
[<c03724f2>] autorun_array+0x82/0xa0
[<c012529a>] printk+0x1ca/0x280
[<c03726ff>] autorun_devices+0x1ef/0x230
[<c0375569>] autostart_arrays+0x29/0xba
[<c036f8f6>] mddev_put+0x16/0xb0
[<c0250728>] capable+0x18/0x40
[<c03737de>] md_ioctl+0x56e/0x5a0
[<c0169759>] blkdev_open+0x29/0x30
[<c015f0dc>] dentry_open+0x14c/0x230
[<c0148c2a>] kmem_cache_free+0x1ca/0x250
[<c02a2f0b>] blkdev_ioctl+0x8b/0x3b1
[<c01747d6>] sys_ioctl+0x156/0x310
[<c056f6b7>] md_run_setup+0x57/0x80
[<c056ef28>] prepare_namespace+0x8/0xa0
[<c01050fb>] init+0x5b/0x210
[<c01050a0>] init+0x0/0x210
[<c01070e5>] kernel_thread_helper+0x5/0x10


--
function.linuxpower.ca

2003-05-29 07:31:32

by Zwane Mwaikambo

Subject: Re: 2.5.70-mm1 bootcrash, possibly RAID-1

How does the following patch look for the double free?

On Thu, 29 May 2003, Zwane Mwaikambo wrote:

> slab error in cache_free_debugcheck(): cache `size-32': double free, or memory before object was overwritten
> Call Trace:
> [<c0148da3>] kfree+0xf3/0x2e0
> [<c0366a64>] raid0_run+0x234/0x250
> [<c0366a64>] raid0_run+0x234/0x250
> [<c012529a>] printk+0x1ca/0x280
> [<c0371fa4>] do_md_run+0x2f4/0x560
> [<c0371fbb>] do_md_run+0x30b/0x560
> [<c012529a>] printk+0x1ca/0x280
> [<c03724f2>] autorun_array+0x82/0xa0
> [<c012529a>] printk+0x1ca/0x280
> [<c03726ff>] autorun_devices+0x1ef/0x230
> [<c0375569>] autostart_arrays+0x29/0xba
> [<c036f8f6>] mddev_put+0x16/0xb0
> [<c0250728>] capable+0x18/0x40
> [<c03737de>] md_ioctl+0x56e/0x5a0
> [<c0169759>] blkdev_open+0x29/0x30
> [<c015f0dc>] dentry_open+0x14c/0x230
> [<c0148c2a>] kmem_cache_free+0x1ca/0x250
> [<c02a2f0b>] blkdev_ioctl+0x8b/0x3b1
> [<c01747d6>] sys_ioctl+0x156/0x310
> [<c056f6b7>] md_run_setup+0x57/0x80
> [<c056ef28>] prepare_namespace+0x8/0xa0
> [<c01050fb>] init+0x5b/0x210
> [<c01050a0>] init+0x0/0x210
> [<c01070e5>] kernel_thread_helper+0x5/0x10

Index: linux-2.5/drivers/md/raid0.c
===================================================================
RCS file: /home/cvs/linux-2.5/drivers/md/raid0.c,v
retrieving revision 1.31
diff -u -p -B -r1.31 raid0.c
--- linux-2.5/drivers/md/raid0.c 27 May 2003 04:06:15 -0000 1.31
+++ linux-2.5/drivers/md/raid0.c 29 May 2003 06:35:17 -0000
@@ -85,10 +85,8 @@ static int create_strip_zones (mddev_t *
conf->devlist = kmalloc(sizeof(mdk_rdev_t*)*
conf->nr_strip_zones*mddev->raid_disks,
GFP_KERNEL);
- if (!conf->devlist) {
- kfree(conf);
+ if (!conf->devlist)
return 1;
- }

memset(conf->strip_zone, 0,sizeof(struct strip_zone)*
conf->nr_strip_zones);
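
Review bot: in the `if (!conf->devlist)` branch, `return 1` now leaves both `conf` and `conf->strip_zone` (already allocated, since the `memset` just below writes to it) unfreed on this path, so the change is only correct if the caller releases them on a non-zero return. State that ownership rule in the changelog or in a comment at the return, so the next reader does not put the `kfree(conf)` back.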
@@ -194,7 +192,6 @@ static int create_strip_zones (mddev_t *
return 0;
abort:
kfree(conf->devlist);
- kfree(conf->strip_zone);
return 1;
}
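
Review bot: the `abort:` path still calls `kfree(conf->devlist)` while `kfree(conf->strip_zone)` is dropped, so the two buffers are now cleaned up under different ownership rules. If the caller frees both on failure, as removing the `strip_zone` free implies, the remaining `kfree(conf->devlist)` is the same kind of double free unless the pointer is cleared afterwards; either drop it as well and leave all cleanup to the caller, or add `conf->devlist = NULL;` after it.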

--
function.linuxpower.ca