aboutsummaryrefslogtreecommitdiffstats
path: root/fs
Commit message (Collapse)AuthorAge
* [XFS] Shutdown the filesystem if all device paths have gone. MadeNathan Scott2006-06-09
| | | | | | | | | shutdown vop flags consistent with sync vop flags declarations too. SGI-PV: 939911 SGI-Modid: xfs-linux-melb:xfs-kern:26096a Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] getattr can return an error code, so propogate any from lowerNathan Scott2006-06-09
| | | | | | | | | layers. SGI-PV: 904196 SGI-Modid: xfs-linux-melb:xfs-kern:26095a Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Drop use of m_writeio_blocks when zeroing, its not meaningfulNathan Scott2006-06-09
| | | | | | | | | anymore here. SGI-PV: 904196 SGI-Modid: xfs-linux-melb:xfs-kern:26094a Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] lock validator: lockdep: small xfs init_rwsem() cleanup Ingo Molnar2006-06-09
| | | | | | | | | | | | | | init_rwsem() has no return value. This is not a problem if init_rwsem() is a function, but it's a problem if it's a do { ... } while (0) macro. (which lockdep introduces) SGI-PV: 904196 SGI-Modid: xfs-linux-melb:xfs-kern:26082a Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Over zealous with doing endian conversions. We endian converted theTim Shimmin2006-06-09
| | | | | | | | | | | | logged version of di_next_unlinked which is actually always stored in the correct ondisk format. This was pointed out to us by Shailendra Tripathi. And is evident in the xfs qa test of 121. SGI-PV: 953263 SGI-Modid: xfs-linux-melb:xfs-kern:26044a Signed-off-by: Tim Shimmin <tes@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Stop a BUG from occurring in generic_delete_inode by preventingDavid Chinner2006-06-09
| | | | | | | | | | | transaction completion from marking the inode dirty while it is being cleaned up on it's way out of the system. SGI-PV: 952967 SGI-Modid: xfs-linux-melb:xfs-kern:26040a Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] inode items and EFI/EFDs have different ondisk format for 32bit andTim Shimmin2006-06-09
| | | | | | | | | | | 64bit kernels allow recovery to handle both versions and do the necessary decoding SGI-PV: 952214 SGI-Modid: xfs-linux-melb:xfs-kern:26011a Signed-off-by: Tim Shimmin <tes@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] In actual allocation of file system blocks and freeing extents, theYingping Lu2006-06-09
| | | | | | | | | | | | | | | | | transaction within each such operation may involve multiple locking of AGF buffer. While the freeing extent function has sorted the extents based on AGF number before entering into transaction, however, when the file system space is very limited, the allocation of space would try every AGF to get space allocated, this could potentially cause out-of-order locking, thus deadlock could happen. This fix mitigates the scarce space for allocation by setting aside a few blocks without reservation, and avoid deadlock by maintaining ascending order of AGF locking. SGI-PV: 947395 SGI-Modid: xfs-linux-melb:xfs-kern:210801a Signed-off-by: Yingping Lu <yingping@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Add degframentation exclusion supportBarry Naujok2006-06-09
| | | | | | | | SGI-PV: 953061 SGI-Modid: xfs-linux-melb:xfs-kern:25986a Signed-off-by: Barry Naujok <bnaujok@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Fix a noatime regression related to updating inode atime field onNathan Scott2006-06-09
| | | | | | | | | mmap only. SGI-PV: 952736 SGI-Modid: xfs-linux-melb:xfs-kern:25922a Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Fix a comment typo, originally noticed by Ming Zhang.Nathan Scott2006-06-09
| | | | | | | SGI-PV: 907752 SGI-Modid: xfs-linux-melb:xfs-kern:25921a Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Fix size argument in kmem_free().Mandy Kirkconnell2006-06-09
| | | | | | | | SGI-PV: 952291 SGI-Modid: xfs-linux-melb:xfs-kern:209807a Signed-off-by: Mandy Kirkconnell <alkirkco@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Originally the ATTR_DMI flag also had the functionality of theOlaf Weber2006-06-09
| | | | | | | | | | | | ATTR_NOLOCK flag, but this was split off some time ago, as ATTR_DMI needed to be used separately. Two asserts were added to guard correctness of the code during the transition. These are no longer required. SGI-PV: 952145 SGI-Modid: xfs-linux-melb:xfs-kern:209633a Signed-off-by: Olaf Weber <olaf@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] endianess annotations for xfs_dir_leaf_entry_t Christoph Hellwig2006-06-09
| | | | | | | | | SGI-PV: 943272 SGI-Modid: xfs-linux-melb:xfs-kern:25808a Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] endianess annotations for xfs_dir_leaf_hdr_t Christoph Hellwig2006-06-09
| | | | | | | | | SGI-PV: 943272 SGI-Modid: xfs-linux-melb:xfs-kern:25807a Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] endianess annotations for xfs_dir2_data_entry_t Christoph Hellwig2006-06-09
| | | | | | | | | SGI-PV: 943272 SGI-Modid: xfs-linux-melb:xfs-kern:25806a Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [XFS] Add parameters to xfs_bmapi() and xfs_bunmapi() to have them reportOlaf Weber2006-06-09
| | | | | | | | | | | | | | the range spanned by modifications to the in-core extent map. Add XFS_BUNMAPI() and XFS_SWAP_EXTENTS() macros that call xfs_bunmapi() and xfs_swap_extents() via the ioops vector. Change all calls that may modify the in-core extent map for the data fork to go through the ioops vector. This allows a cache of extent map data to be kept in sync. SGI-PV: 947615 SGI-Modid: xfs-linux-melb:xfs-kern:209226a Signed-off-by: Olaf Weber <olaf@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
* [PATCH] debugfs inode leakJens Axboe2006-06-08
| | | | | | | | | | | | Looking at the reiser4 crash, I found a leak in debugfs. In debugfs_mknod(), we create the inode before checking if the dentry already has one attached. We don't free it if that is the case. These bugs happen quite often, I'm starting to think we should disallow such coding in CodingStyle. Signed-off-by: Jens Axboe <axboe@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] fs/namei.c: Call to file_permission() under a spinlock in ↵Trond Myklebust2006-06-05
| | | | | | | | | | | | | | | | | | | | do_lookup_path() From: Trond Myklebust <Trond.Myklebust@netapp.com> We're presently running lock_kernel() under fs_lock via nfs's ->permission handler. That's a ranking bug and sometimes a sleep-in-spinlock bug. This problem was introduced in the openat() patchset. We should not need to hold the current->fs->lock for a codepath that doesn't use current->fs. [vsu@altlinux.ru: fix error path] Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: Al Viro <viro@ftp.linux.org.uk> Signed-off-by: Sergey Vlasov <vsu@altlinux.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] ext3 resize: fix double unlock_super()Andrew Morton2006-05-31
| | | | | | | | | | | | From: Andrew Morton <akpm@osdl.org> Spotted by Jan Capek <jca@sysgo.com> Cc: "Stephen C. Tweedie" <sct@redhat.com> Cc: Andreas Dilger <adilger@clusterfs.com> Cc: Jan Capek <jca@sysgo.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [[CIFS] Pass truncate open flag through on file open in case setattr failsSteve French2006-05-30
| | | | | | | on set size to zero. Signed-off-by: Sebastian Voitzsch <sebastoam/vpotzscj@web.de> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix typos in previous fixSteve French2006-05-30
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] endian fix for new POSIX byte range lock supportSteve French2006-05-30
| | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] fix memory leak in cifs session info struct on reconnectSteve French2006-05-30
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] ACPI suspend oopsSteve French2006-05-30
| | | | | | | | | | | | | Wasn't able to reproduce a hard hang, but was able to get an oops if suspended the machine during a copy to the cifs mount. This led to some things hanging, including a "sync". Also got I/O errors when trying to access the mount afterwards (even when didn't see the oops), and had to unmount and remount in order to access the filesystem. This patch fixed the oops. Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Do not limit the length of share names (was 100 for whole UNC name)Steve French2006-05-30
| | | | | | during mount. Especially important for some non-Western languages. Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Fix new POSIX Locking for setting lock_type correctly on unlockSteve French2006-05-30
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* [PATCH] affs: possible null pointer dereference in affs_rename()Florin Malita2006-05-26
| | | | | | | | | | | If affs_bread() fails, the exit path calls mark_buffer_dirty_inode() with a NULL argument. Coverity CID: 312. Signed-off-by: Florin Malita <fmalita@gmail.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* JFS: Fix multiple errors in metapage_releasepageDave Kleikamp2006-05-24
| | | | | | | | | | | | | | | | It looks like metapage_releasepage was making in invalid assumption that the releasepage method would not be called on a dirty page. Instead of issuing a warning and releasing the metapage, it should return 0, indicating that the private data for the page cannot be released. I also realized that metapage_releasepage had the return code all wrong. If it is successful in releasing the private data, it should return 1, otherwise it needs to return 0. Lastly, there is no need to call wait_on_page_writeback, since try_to_release_page will not call us with a page in writback state. Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
* [PATCH] md: Make sure bi_max_vecs is set properly in bio_splitNeilBrown2006-05-23
| | | | | | | | | | Else a subsequent bio_clone might make a mess. Signed-off-by: Neil Brown <neilb@suse.de> Cc: "Don Dupuis" <dondster@gmail.com> Acked-by: Jens Axboe <axboe@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] knfsd: Fix two problems that can cause rmmod nfsd to dieNeilBrown2006-05-23
| | | | | | | | | | | | | | | | | | Both cause the 'entries' count in the export cache to be non-zero at module removal time, so unregistering that cache fails and results in an oops. 1/ exp_pseudoroot (used for NFSv4 only) leaks a reference to an export entry. 2/ sunrpc_cache_update doesn't increment the entries count when it adds an entry. Thanks to "david m. richter" <richterd@citi.umich.edu> for triggering the problem and finding one of the bugs. Cc: "david m. richter" <richterd@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] fix NULL dereference in inotify_ignoreAmy Griffis2006-05-21
| | | | | | | | | | | Don't reassign to watch. If idr_find() returns NULL, then put_inotify_watch() will choke. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Cc: John McCutchan <john@johnmccutchan.com> Cc: Robert Love <rlove@rlove.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] fix race in inotify_releaseAmy Griffis2006-05-21
| | | | | | | | | | | | | | | | | While doing some inotify stress testing, I hit the following race. In inotify_release(), it's possible for a watch to be removed from the lists in between dropping dev->mutex and taking inode->inotify_mutex. The reference we hold prevents the watch from being freed, but not from being removed. Checking the dev's idr mapping will prevent a double list_del of the same watch. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: John McCutchan <john@johnmccutchan.com> Cc: Robert Love <rml@novell.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] binfmt_flat: don't check for EMFILEAndrew Morton2006-05-21
| | | | | | | | | | | | | | | | | Bernd Schmidt points out that binfmt_flat is now leaving the exec file open while the application runs. This offsets all the application's fd numbers. We should have closed the file within exec(), not at exit()-time. But there doesn't seem to be a lot of point in doing all this just to avoid going over RLIMIT_NOFILE by one fd for a few microseconds. So take the EMFILE checking out again. This will cause binfmt_flat to again fail LTP's exec-should-return-EMFILE-when-fdtable-is-full test. That test appears to be wrong anyway - Open Group specs say nothing about exec() returning EMFILE. Cc: Bernd Schmidt <bernd.schmidt@analog.com> Cc: Greg Ungerer <gerg@uclinux.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] nfsd: sign conversion obscuring errors in nfsd_set_posix_acl()Florin Malita2006-05-21
| | | | | | | | | | | | Assigning the result of posix_acl_to_xattr() to an unsigned data type (size/size_t) obscures possible errors. Coverity CID: 1206. Signed-off-by: Florin Malita <fmalita@gmail.com> Acked-by: NeilBrown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] NFS server subtree_check returns dubious valuePeter Staubach2006-05-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | Address a problem found when a Linux NFS server uses the "subtree_check" export option. The "subtree_check" NFS export option was designed to prohibit a client from using a file handle for which it should not have permission. The algorithm used is to ensure that the entire path to the file being referenced is accessible to the user attempting to use the file handle. If some part of the path is not accessible, then the operation is aborted and the appropriate version of ESTALE is returned to the NFS client. The error, ESTALE, is unfortunate in that it causes NFS clients to make certain assumptions about the continued existence of the file. They assume that the file no longer exists and refuse to attempt to access it again. In this case, the file really does exist, but access was denied by the server for a particular user. A better error to return would be an EACCES sort of error. This would inform the client that the particular operation that it was attempting was not allowed, without the nasty side effects of the ESTALE error. Signed-off-by: Peter Staubach <staubach@redhat.com> Acked-By: NeilBrown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] NFS: fix error handling on access_ok in compat_sys_nfsservctlLin Feng Shen2006-05-21
| | | | | | | | | | | | | | | | | | | | | | | Functions compat_nfs_svc_trans, compat_nfs_clnt_trans, compat_nfs_exp_trans, compat_nfs_getfd_trans and compat_nfs_getfs_trans, which are called by compat_sys_nfsservctl(fs/compat.c), don't handle the return value of access_ok properly. access_ok return 1 when the addr is valid, and 0 when it's not, but these functions have the reversed understanding. When the address is valid, they always return -EFAULT to compat_sys_nfsservctl. An example is to run /usr/sbin/rpc.nfsd(32bit program on Power5). It doesn't function as expected. strace showes that nfsservctl returns -EFAULT. The patch fixes this by correcting the error handling on the return value of access_ok in the five functions. Signed-off-by: Lin Feng Shen <shenlinf@cn.ibm.com> Cc: Trond Myklebust <trond.myklebust@fys.uio.no> Acked-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* configfs: Make sure configfs_init() is called before consumers.Joel Becker2006-05-17
| | | | | | | | configfs_init() needs to be called first to register configfs before anyconsumers try to access it. Move up configfs in fs/Makefile to make sure it is initialized early. Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* configfs: configfs_mkdir() failed to cleanup linkage.Joel Becker2006-05-17
| | | | | | | | | If configfs_mkdir() errored in certain ways after the parent<->child linkage was already created, it would not undo the linkage. Also, comment the reference counting for clarity. Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* configfs: Fix a reference leak in configfs_mkdir().Joel Becker2006-05-17
| | | | | | | | configfs_mkdir() failed to release the working parent reference in most exit paths. Also changed the exit path for readability. Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* ocfs2: fix gfp mask in some file system pathsSunil Mushran2006-05-17
| | | | | | | | We were using GFP_KERNEL in a handful of places which really wanted GFP_NOFS. Fix this. Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* ocfs2: Don't populate uptodate cache in ocfs2_force_read_journal()Mark Fasheh2006-05-17
| | | | | | This greatly reduces the amount of memory useded during recovery. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* ocfs2: take meta data lock in ocfs2_file_aio_read()Mark Fasheh2006-05-17
| | | | | | | Temporarily take the meta data lock in ocfs2_file_aio_read() to allow us to update our inode fields. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* ocfs2: take data locks around extendMark Fasheh2006-05-17
| | | | | | | | | We need to take a data lock around extends to protect the pages that ocfs2_zero_extend is going to be pulling into the page cache. Otherwise an extend on one node might populate the page cache with data pages that have no lock coverage. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* [PATCH] jffs2 warning fixesAndrew Morton2006-05-15
| | | | | | | | | fs/jffs2/nodelist.c: In function `check_node_data': fs/jffs2/nodelist.c:441: warning: unsigned int format, different type arg (arg 4) fs/jffs2/nodelist.c:464: warning: int format, different type arg (arg 5) Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] revert "vfs: propagate mnt_flags into do_loopback/vfsmount"Andrew Morton2006-05-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Revert commit f6422f17d3a480f21917a3895e2a46b968f56a08, due to Valdis.Kletnieks@vt.edu wrote: > > There seems to have been a bug introduced in this changeset: > > Am running 2.6.17-rc3-mm1. When this changeset is applied, 'mount --bind' > misbehaves: > > > # mkdir /foo > > # mount -t tmpfs -o rw,nosuid,nodev,noexec,noatime,nodiratime none /foo > > # mkdir /foo/bar > > # mount --bind /foo/bar /foo > > # tail -2 /proc/mounts > > none /foo tmpfs rw,nosuid,nodev,noexec,noatime,nodiratime 0 0 > > none /foo tmpfs rw 0 0 > > Reverting this changeset causes both mounts to have the same options. > > (Thanks to Stephen Smalley for tracking down the changeset...) > Cc: Herbert Poetzl <herbert@13thfloor.at> Cc: Christoph Hellwig <hch@infradead.org> Cc: <Valdis.Kletnieks@vt.edu> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] fs/compat.c: fix 'if (a |= b )' typoAlexey Dobriyan2006-05-15
| | | | | | | | | | | Mentioned by Mark Armbrust somewhere on Usenet. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Ulrich Drepper <drepper@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] v9fs: signal handling fixesLatchesar Ionkov2006-05-15
| | | | | | | | | | | | | | | Multiple races can happen when v9fs is interrupted by a signal and Tflush message is sent to the server. After v9fs sends Tflush it doesn't wait until it receives Rflush, and possibly the response of the original message. This behavior may confuse v9fs what fids are allocated by the file server. This patch fixes the races and the fid allocation. Signed-off-by: Latchesar Ionkov <lucho@ionkov.net> Cc: Eric Van Hensbergen <ericvh@hera.kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] v9fs: Twalk memory leakLatchesar Ionkov2006-05-15
| | | | | | | | | | v9fs leaks memory if the file server responds with Rerror to a Twalk message. The patch fixes the leak. Signed-off-by: Latchesar Ionkov <lucho@ionkov.net> Cc: Eric Van Hensbergen <ericvh@hera.kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] smbfs: Fix slab corruption in samba error pathJan Niehusmann2006-05-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Yesterday, I got the following error with 2.6.16.13 during a file copy from a smb filesystem over a wireless link. I guess there was some error on the wireless link, which in turn caused an error condition for the smb filesystem. In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also shows up in the slab dumps, and also is -ERESTARTSYS. Error code 27499 corresponds to 0x6b6b, so the rq_errno field seems to be the only one being set after freeing the slab. In smb_add_request (which is the only place in smbfs where I found ERESTARTSYS), I found the following: if (!timeleft || signal_pending(current)) { /* * On timeout or on interrupt we want to try and remove the * request from the recvq/xmitq. */ smb_lock_server(server); if (!(req->rq_flags & SMB_REQ_RECEIVED)) { list_del_init(&req->rq_queue); smb_rput(req); } smb_unlock_server(server); } [...] if (signal_pending(current)) req->rq_errno = -ERESTARTSYS; I guess that some codepath like smbiod_flush() caused the request to be removed from the queue, and smb_rput(req) be called, without SMB_REQ_RECEIVED being set. This violates an asumption made by the quoted code. Then, the above code calls smb_rput(req) again, the req gets freed, and req->rq_errno = -ERESTARTSYS writes into the already freed slab. As list_del_init doesn't cause an error if called multiple times, that does cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS). If this observation is correct, the following patch should fix it. I wonder why the smb code uses list_del_init everywhere - using list_del instead would catch such situations by poisoning the next and prev pointers. May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected. Restarting. May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured. May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected. Restarting. May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists. May 4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5) May 4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b May 4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244 May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs]) May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b May 4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff May 4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244 May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30) May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5) May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected. Restarting. May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists. May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected. Restarting. May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists. May 4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b May 4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244 May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs]) May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b May 4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff May 4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244 May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30) May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5) May 4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b May 4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244 May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs]) May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b May 4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff May 4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244 May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071. May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30) May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b May 4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5) May 4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784 May 4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784 Signed-off-by: Jan Niehusmann <jan@gondor.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>