On Thu, Apr 18 2013, Linus Torvalds wrote:
> On Thu, Apr 18, 2013 at 11:13 AM, Jens Axboe <axboe@xxxxxxxxx> wrote:
> > On Thu, Apr 18 2013, Tejun Heo wrote:
> >> On Thu, Apr 18, 2013 at 10:39:00AM -0700, Jens Axboe wrote:
> >> >
> >> > Yep, thanks Linus for that hint... Must be someone abusing it for a
> >> > flag field post submission? Crazy.
> >>
> >> Let's hope that's not the case because there'll be blood if it is. :)
> >
> > Yeah, it's beyond the amount of crazy I've come to expect from various
> > random users of IO interfaces :-)
>
> I think it's more likely to be some use-after-free after a long timeout.
>
> Wanlong says it happens a few minutes after boot, so maybe something
> times out a command, does the blk_complete_request(), and frees the
> bio, which gets re-used before the softirq actually ends up running.
>
> I note that Wanlong uses the SLAB allocator, not the SLUB one. I
> wonder if the thing goes away with SLUB, and if not, if
> CONFIG_SLUB_DEBUG_ON=y might help debug it?

Hmm dunno. It happens right after we've completed the bio, which touches
a lot of fields too. bi_bdev sits between bi_next (which we definitely
used) and bi_flags. But adding slab use-after-free debugging would show
for sure.

-- 
Jens Axboe

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel