Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932188AbVLLT4T (ORCPT ); Mon, 12 Dec 2005 14:56:19 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932186AbVLLT4T (ORCPT ); Mon, 12 Dec 2005 14:56:19 -0500 Received: from smtp.osdl.org ([65.172.181.4]:51600 "EHLO smtp.osdl.org") by vger.kernel.org with ESMTP id S932183AbVLLT4S (ORCPT ); Mon, 12 Dec 2005 14:56:18 -0500 Date: Mon, 12 Dec 2005 11:55:40 -0800 (PST) From: Linus Torvalds To: Brian King cc: Benjamin Herrenschmidt , Andrew Morton , Linux Kernel list , Paul Mackerras , Jens Axboe , SCSI Mailing List Subject: Re: Memory corruption & SCSI in 2.6.15 In-Reply-To: <439DC9E4.6030508@us.ibm.com> Message-ID: References: <1134371606.6989.95.camel@gaston> <439DC9E4.6030508@us.ibm.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 916 Lines: 25 On Mon, 12 Dec 2005, Brian King wrote: > > Please try the attached patch. There appears to be a double free going on > in the scsi scan code. There is a direct call to scsi_free_queue and then > the following put_device calls the release function, which also frees > the queue. Indeed, that looks pretty subtle. James: Brian's patch looks obviously correct to me (scsi_alloc_sdev() will have called scsi_sysfs_device_initialize() which will set up the release function to free the queue). This code has been like that forever, though, which makes me wonder. Can anybody see what has changed to make the bug trigger? Or is there something I'm missing? Linus - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/