On Mon, Oct 31, 2011 at 08:46:06PM +0900, Jun'ichi Nomura wrote: > Hm, dm_softirq_done is generic completion code of original > request in dm-multipath. > So oops here might be another manifestation of use-after-free. > > Do you always hit the oops at the same address? I think we saw this bug the first time. But before that the scsi logging level was higher. Gonzalo is trying to recreate it with the same (old) scsi logging level. Afterwards we will try with barrier=0. Both on v3.0.7 btw. > Could you find corresponding source code line for > the crashed address, dm_softirq_done+0x72/0x140, > and which pointer was invalid? It crashes in the inlined function dm_done() when trying to dereference tio (aka clone->end_io_data): static void dm_done(struct request *clone, int error, bool mapped) { int r = error; struct dm_rq_target_io *tio = clone->end_io_data; dm_request_endio_fn rq_end_io = tio->ti->type->rq_end_io; -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html