Hi Ingo,

I've discovered a problem with basically all "yields" in the kernel. But
that's not why I'm writing you this. To see if your kernel has the same
problems as mine, I wrote a modified test that caused me the problems,
and ran it on your kernel. But too my surprise, this test caused other
problems. This modified test causes my kernel the same types of problems
too.

Attached is the test I ran. The list.h is just my version of the kernels
list functions for userspace. It's used in the test program. 

What the test program does, is spawn 5 processes, each with a different
priority. Starting with 10 and going to 14. All are SCHED_FIFO.  Each of
these processes just do a scan of all directories starting with the root
directory '/' and going down. I usually run this with a directory NFS
mounted too, but I don't think this was a problem.

Here's the bug I get:

Slab corruption: start=cfc45938, len=276
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c0142b1d>](mempool_free+0x9d/0xb0)
050: 68 9a 3e c0 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Prev obj: start=cfc45818, len=276
Redzone: 0x170fc2a5/0x170fc2a5.
Last user: [<c01426a8>](mempool_create+0xe8/0x120)
000: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
010: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Next obj: start=cfc45a58, len=276
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<00000000>](0x0)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
BUG at kernel/timer.c:419!
------------[ cut here ]------------
kernel BUG at kernel/timer.c:419!
invalid operand: 0000 [#1]
PREEMPT 
Modules linked in:
CPU:    0
EIP:    0060:[<c012142d>]    Not tainted VLI
EFLAGS: 00010282   (2.6.12-rc1-RT-V0.7.43-06) 
EIP is at cascade+0x6d/0x80
eax: 0000001e   ebx: c03e9a90   ecx: 00000000   edx: c0118720
esi: c03e9a68   edi: c03e9a90   ebp: c1273f44   esp: c1273f2c
ds: 007b   es: 007b   ss: 0068   preempt: 00000001
Process ksoftirqd/0 (pid: 2, threadinfo=c1272000 task=cffed260)
Stack: c0387e66 c0389ef9 000001a3 00000000 c03e9878 c1273f60 c1273f78 c0121bae 
       c03e9080 c03e98f0 0000002f 00000000 c1272000 c1273f60 c1273f60 c0112643 
       00000005 c1272000 00000000 c1273fa0 c011d45a c04f3e28 c1272000 cffeff00 
Call Trace:
 [<c0103bef>] show_stack+0x8f/0xb0 (28)
 [<c0103daa>] show_registers+0x16a/0x1d0 (56)
 [<c0103fc6>] die+0xf6/0x190 (64)
 [<c01044e1>] do_invalid_op+0xc1/0xd0 (204)
 [<c010381b>] error_code+0x2b/0x30 (84)
 [<c0121bae>] run_timer_softirq+0x2ae/0x420 (52)
 [<c011d45a>] ___do_softirq+0x9a/0x100 (40)
 [<c011d579>] _do_softirq+0x29/0x30 (8)
 [<c011da41>] ksoftirqd+0xb1/0x130 (20)
 [<c012de1a>] kthread+0xaa/0xb0 (48)
 [<c0100e35>] kernel_thread_helper+0x5/0x10 (1054392340)
---------------------------
| preempt count: 00000002 ]
| 2-level deep critical section nesting:
----------------------------------------
.. [<c0103f13>] .... die+0x43/0x190
.....[<c01044e1>] ..   ( <= do_invalid_op+0xc1/0xd0)
.. [<c0137b8d>] .... print_traces+0x1d/0x60
.....[<c0103bef>] ..   ( <= show_stack+0x8f/0xb0)

Code: 76 04 8b 45 10 83 c4 0c 5b 5e 5f 5d c3 c7 04 24 66 7e 38 c0 b8 a3 01 00 00 89 44 24 08 b8 f9 9e 38 c0 89 44 24 04 e8 d3 6e ff ff <0f> 0b a3 01 f9 9e 38 c0 eb b3 89 f6 8d bc 27 00 00 00 00 55 89 
 BUG: ksoftirqd/0/2, lock held at task exit time!
 [c03e9080] {&base->lock}
.. held by:       ksoftirqd/0:    2 [cffed260, 106]
... acquired at:  run_timer_softirq+0x243/0x420


-- Steve