Some updates on this: rcu: inside rcu_barrier begin loop first pass cpu index=0 CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75 fffffc000a217c88 fffffc0000e62440 fffffc00003a8be8 0000000000000000 fffffc0000e627b0 fffffc0000e42240 fffffc0000b67c98 fffffc0004a18000 here return address to scsi_host_dev_release is still intact on stack rcu: inside rcu_barrier end loop first pass CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75 fffffc000a217c88 fffffc0000e62440 fffffc00003a8f64 0000000000000000 fffffc0000e627b0 fffffc0000e42240 0000000000000000 fffffc0004a18000 at the end of first pass in loop, return address in replaced by 0 rcu: inside rcu_barrier begin loop second pass cpu index=1 CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75 fffffc000a217c88 fffffc0000e62440 fffffc00003a8be8 0000000000000001 fffffc0000e627b0 fffffc0000e42240 0000000000000000 fffffc0004a18000 rcu: inside rcu_barrier end loop (second pass) CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75 fffffc000a217c88 fffffc0000e62440 fffffc00003a8f64 0000000000000001 fffffc0000e627b0 fffffc0000e42240 0000000000000001 fffffc0004a18000 ant the end of second pass return address is replaced by 1. It looks like the variable used as loop counter is the value put on the stack overwriting the return value for scsi_host_dev_release. When adding a reference to the address of this variable or when it is declared volatile, stack corruption does NOT occur. When examining the disassembly of the code generated from kernel/rcu/tree.o the most significant difference I can see is that in the case of a corrupted stack the frame pointer register $fp is used to hold a reference to the loop count variable but in the case with no stack corruption a regular "saved register" is used for the reference. Is it possible that the frame pointer is somehow altered during the execution of the code? not really sure how linux/alpha/gcc treats the frame pointer. I've tried altering -fomit-frame-pointer/-f-no-omit-frame-pointer but so far not getting anywhere with that... /Magnus Return address to scsi_host_dev_release: [<fffffc0000b67c98>] scsi_host_dev_release+0xac/0x1cc