Kernel oops with an unclean unmounted filesystem

David Woodhouse dwmw2 at
Thu Feb 20 08:34:50 EST 2003

On Wed, 2003-02-19 at 20:22, Thomas Gleixner wrote:
> What exactly did you do there ? I mean creating and/or modifying.
> The problem is the node is written with valid CRC, so it seems to be
> correct, but the node content is totally crap. Compressed data size = 
> 0x6b6b6b6b.

That's slab poisoning. Looking at the actual node, the 'offset',
'csize', 'dsize', 'usercompr' and 'flags' fields all seem to be filled
with 0x6B, but other fields are OK.

I suspect that we're allocating a jffs2_raw_inode structure, and we're
being given a slab address that someone else has already allocated and
freed. We're filling in some of the fields (offset, csize, etc), and
then said 'someone else' is freeing it _again_. At which point the slab
debugging code memsets it to all 0x6B. 

Then we fill in the rest of the fields, calculate the crcs and write it
to the flash, blissfully unaware that someone stomped on the offset,
csize, etc fields after we'd set them up.

What other drivers are present in your system? Can you reproduce this?
We can stick debugging checks in the write path to check for 0x6B in
bogus places, and try to debug further.
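The failure mode described above, as an added, self-contained C illustration (not code from the original post, and not JFFS2's own code): a node whose layout fields are set first, then stomped by a slab-debug poison from a stray second free, then sealed with a CRC computed over the poisoned contents. The struct is a simplified, hypothetical stand-in for jffs2_raw_inode, the CRC is a textbook bitwise CRC-32 rather than the kernel's crc32(), and the poison is modelled as memset(..., 0x6B, ...), the slab allocator's free-object poison. The final function is the kind of write-path check proposed in the post: look for 0x6B in fields that should never legitimately hold it.

```c
/*
 * Added illustration, not from the original post or from JFFS2:
 * a node can carry a valid CRC and still be full of slab poison,
 * because the CRC is computed after the damage has been done.
 *
 * Assumptions (all hypothetical): a simplified node layout standing in
 * for jffs2_raw_inode, a textbook CRC-32 instead of the kernel crc32(),
 * and the slab-debug free poison modelled as a memset() of 0x6B.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLAB_POISON_FREE 0x6B   /* byte slab debugging writes over freed objects */

struct raw_inode {              /* simplified, hypothetical layout */
    uint16_t magic;
    uint16_t nodetype;
    uint32_t ino;
    uint32_t version;
    uint32_t offset;
    uint32_t csize;
    uint32_t dsize;
    uint8_t  compr;
    uint8_t  usercompr;
    uint16_t flags;
    uint32_t node_crc;          /* covers every byte before it */
};

/* Bitwise reflected CRC-32 (IEEE 802.3 polynomial); no lookup table needed. */
static uint32_t crc32_simple(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t node_crc_of(const struct raw_inode *ri)
{
    return crc32_simple(ri, offsetof(struct raw_inode, node_crc));
}

/* Step 1: the fields the write path sets early (the ones the post found poisoned). */
static void fill_layout(struct raw_inode *ri, uint32_t off, uint32_t csize, uint32_t dsize)
{
    ri->offset = off; ri->csize = csize; ri->dsize = dsize;
    ri->usercompr = 0; ri->flags = 0;
}

/* Step 2: the "someone else" frees the same slab object again; slab debug poisons it. */
static void stray_second_free(struct raw_inode *ri)
{
    memset(ri, SLAB_POISON_FREE, sizeof(*ri));
}

/* Step 3: fill the remaining fields and seal with a CRC over whatever is there now. */
static void finish_and_seal(struct raw_inode *ri, uint32_t ino, uint32_t version)
{
    ri->magic = 0x1985; ri->nodetype = 0xE002;   /* illustrative constants */
    ri->ino = ino; ri->version = version; ri->compr = 0;
    ri->node_crc = node_crc_of(ri);
}

static int crc_ok(const struct raw_inode *ri)
{
    return ri->node_crc == node_crc_of(ri);
}

/* The proposed write-path check: bitmask of fields holding the free poison. */
static unsigned poisoned_fields(const struct raw_inode *ri)
{
    const uint32_t p32 = 0x6b6b6b6bu;
    unsigned mask = 0;
    if (ri->offset == p32)                 mask |= 1u << 0;
    if (ri->csize == p32)                  mask |= 1u << 1;
    if (ri->dsize == p32)                  mask |= 1u << 2;
    if (ri->usercompr == SLAB_POISON_FREE) mask |= 1u << 3;
    if (ri->flags == 0x6b6b)               mask |= 1u << 4;
    return mask;
}

/* Build a node with or without the stray free. Returns the poisoned-field mask,
 * or -1 if the CRC failed (it never does here: that is exactly the problem). */
static int build_and_check(int with_stray_free)
{
    struct raw_inode ri;
    memset(&ri, 0, sizeof(ri));
    fill_layout(&ri, 4096, 1234, 4000);
    if (with_stray_free)
        stray_second_free(&ri);
    finish_and_seal(&ri, 42, 7);
    if (!crc_ok(&ri))
        return -1;
    return (int)poisoned_fields(&ri);
}

int main(void)
{
    printf("clean node: crc ok, poison mask 0x%x\n", build_and_check(0));
    printf("stomped node: crc ok, poison mask 0x%x\n", build_and_check(1));
    return 0;
}
```

The point the example makes concrete: the CRC only proves the node was written as its contents stood at CRC time, so a valid CRC with 0x6b6b6b6b in csize is evidence that the stomp happened between setting the fields and sealing the node, not on the flash. A check like poisoned_fields() in the write path turns that silent corruption into a loud failure at the point where the culprit is still on the stack.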

