On 09/04/2012 10:32 PM, Eric W. Biederman wrote:
>>> FYI, another kconfig triggering a slightly different oops on tree
>>>
>>> git://gitorious.org/linux-can/linux-can-next led-trigger
>>
>> This in turn means the problem doesn't come from the CAN patches, as
>> both trees have different CAN patches. I'm adding Eric W. Biederman on
>> Cc as he contributed some sctp patches between v3.6 and net-next/master.
>
> Anything is possible, but this seems unlikely as I don't think I touched
> anything close to that part of the code.
>
> This most definitely looks like a memory stomp somewhere.
>
> sk->inet_sk->inet_opt has a bad value.
>
> I am puzzled though what are we doing with both ipv4 and ipv6 release
> state doing on the same socket path? Is this some crazy ipv6 socket
> doing sctp with only ipv4 addresses?

It's Wu's testcase, can you show us the code?

Eric, in case you haven't seen, this is another oops, from a slightly
different tree (a handful of different CAN patches).

> [ 233.046014] kfree_debugcheck: out of range ptr ea6000000bb8h.
> [ 233.047399] ------------[ cut here ]------------
> [ 233.048393] kernel BUG at /c/kernel-tests/src/stable/mm/slab.c:3074!
> [ 233.048393] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
> [ 233.048393] Modules linked in:
> [ 233.048393] CPU 0
> [ 233.048393] Pid: 3929, comm: trinity-watchdo Not tainted 3.6.0-rc3+ #4192 Bochs Bochs
> [ 233.048393] RIP: 0010:[] [] kfree_debugcheck+0x27/0x2d
> [ 233.048393] RSP: 0018:ffff88000facbca8 EFLAGS: 00010092
> [ 233.048393] RAX: 0000000000000031 RBX: 0000ea6000000bb8 RCX: 00000000a189a188
> [ 233.048393] RDX: 000000000000a189 RSI: ffffffff8108ad32 RDI: ffffffff810d30f9
> [ 233.048393] RBP: ffff88000facbcb8 R08: 0000000000000002 R09: ffffffff843846f0
> [ 233.048393] R10: ffffffff810ae37c R11: 0000000000000908 R12: 0000000000000202
> [ 233.048393] R13: ffffffff823dbd5a R14: ffff88000ec5bea8 R15: ffffffff8363c780
> [ 233.048393] FS: 00007faa6899c700(0000) GS:ffff88001f200000(0000) knlGS:0000000000000000
> [ 233.048393] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [ 233.048393] CR2: 00007faa6841019c CR3: 0000000012c82000 CR4: 00000000000006f0
> [ 233.048393] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 233.048393] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 233.048393] Process trinity-watchdo (pid: 3929, threadinfo ffff88000faca000, task ffff88000faec600)
> [ 233.048393] Stack:
> [ 233.048393] 0000000000000000 0000ea6000000bb8 ffff88000facbce8 ffffffff8116ad81
> [ 233.048393] ffff88000ff588a0 ffff88000ff58850 ffff88000ff588a0 0000000000000000
> [ 233.048393] ffff88000facbd08 ffffffff823dbd5a ffffffff823dbcb0 ffff88000ff58850
> [ 233.048393] Call Trace:
> [ 233.048393] [] kfree+0x5f/0xca
> [ 233.048393] [] inet_sock_destruct+0xaa/0x13c
> [ 233.048393] [] ? inet_sk_rebuild_header+0x319/0x319
> [ 233.048393] [] __sk_free+0x21/0x14b
> [ 233.048393] [] sk_free+0x26/0x2a
> [ 233.048393] [] sctp_close+0x215/0x224
> [ 233.048393] [] ? lock_release+0x16f/0x1b9
> [ 233.048393] [] inet_release+0x7e/0x85
> [ 233.048393] [] sock_release+0x1f/0x77
> [ 233.048393] [] sock_close+0x27/0x2b
> [ 233.048393] [] __fput+0x101/0x20a
> [ 233.048393] [] ____fput+0xe/0x10
> [ 233.048393] [] task_work_run+0x5d/0x75
> [ 233.048393] [] do_exit+0x290/0x7f5
> [ 233.048393] [] ? retint_swapgs+0x13/0x1b
> [ 233.048393] [] do_group_exit+0x7b/0xba
> [ 233.048393] [] sys_exit_group+0x17/0x17
> [ 233.048393] [] tracesys+0xdd/0xe2
> [ 233.048393] Code: 59 01 5d c3 55 48 89 e5 53 41 50 0f 1f 44 00 00 48 89 fb e8 d4 b0 f0 ff 84 c0 75 11 48 89 de 48 c7 c7 fc fa f7 82 e8 0d 0f 57 01 <0f> 0b 5f 5b 5d c3 55 48 89 e5 0f 1f 44 00 00 48 63 87 d8 00 00
> [ 233.048393] RIP [] kfree_debugcheck+0x27/0x2d
> [ 233.048393] RSP

Wu is running a bisect, let's hope that gives us a result.

Marc

--
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |