Andrew Morton wrote:
Dave Jones <[EMAIL PROTECTED]> wrote:

(This has actually been there for a while, but I only
noticed it in dmesg this morning).
During boot on a dual em64t I see ..

scsi2 : ata_piix
isa bounce pool size: 16 pages
slab error in cache_free_debugcheck(): cache `size-2048': double free, or 
memory outside object was overwritten

Call Trace:<ffffffff80163448>{cache_free_debugcheck+392} 
<ffffffff801646aa>{kfree+234}
      <ffffffff88065189>{:libata:ata_pci_init_one+937} 
<ffffffff801fe9ea>{pci_bus_read_config_word+122}
      <ffffffff880707f2>{:ata_piix:piix_init_one+498} 
<ffffffff80202926>{pci_device_probe+134}
      <ffffffff802691ad>{driver_probe_device+77} 
<ffffffff802692cb>{driver_attach+75}
      <ffffffff802696c9>{bus_add_driver+169} 
<ffffffff802025e3>{pci_register_driver+131}
      <ffffffff88074010>{:ata_piix:piix_init+16} 
<ffffffff80152c58>{sys_init_module+344}
      <ffffffff8010e52a>{system_call+126}
ffff81011e49f4a0: redzone 1: 0x5a2cf071, redzone 2: 0x5a2cf071.



It's plain to see how ata_pci_init_one() will free `probe_ent' twice.  Jeff
wanna fix that up please?  A naive fix would be

Here's the initial fix... about to test with some other fixes here. Anybody who is seeing this wanna give it a try?


        Jeff


===== drivers/scsi/libata-core.c 1.116 vs edited =====
--- 1.116/drivers/scsi/libata-core.c	2005-02-01 20:23:51 -05:00
+++ edited/drivers/scsi/libata-core.c	2005-02-20 23:25:52 -05:00
@@ -3751,8 +3751,8 @@
 			kfree(probe_ent2);
 	} else {
 		ata_device_add(probe_ent);
+		kfree(probe_ent);
 	}
-	kfree(probe_ent);
 
 	return 0;
 
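Review bot: With the unconditional kfree(probe_ent) after the if/else removed, the branch that ends in kfree(probe_ent2) now has to release probe_ent itself. Only the last line of that branch is visible in this hunk, so please confirm it frees probe_ent exactly once on every path; otherwise the double free turns into a leak. In the else branch the result of ata_device_add(probe_ent) is still discarded and the function returns 0 regardless. If that call can fail, check it and propagate the error after the kfree. A one-line comment stating that each branch frees its own probe_ent would help keep the two paths from diverging again.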
