The oops points to the following assertion in iput:

    BUG_ON(inode->i_state == I_CLEAR);

which indicates a double-free. That was probably introduced by:
    commit 430e285e0817e3e18aadd814bc078d50d8af0cbf
    Author: Dave Hansen <haveblue@us.ibm.com>
    Date:   Fri Feb 15 14:37:26 2008 -0800

        [PATCH] fix up new filp allocators

        Some new uses of get_empty_filp() have crept in; switched
        to alloc_file() to make sure that pieces of initialization
        won't be missing.

        We really need to kill get_empty_filp().

        [AV] fixed dentry leak on failure exit in anon_inode_getfd()

and fixed by:
    commit ed1524371716466e9c762808b02601d0d0276a92
    Author: Al Viro <viro@zeniv.linux.org.uk>
    Date:   Tue Apr 22 19:51:27 2008 -0400

        [PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()

        Duh...  Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
        mine ;-/

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

between 2.6.25 and 2.6.26. So I think this can be closed with version
2.6.26-1 (if not earlier).
Ben.
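A toy C model of the ownership mistake the message above describes, added here as an illustration; it is not the kernel's create_write_pipe() or alloc_file() code and is not taken from either commit. It assumes a simplified rule, constructed for the example, that the callee drops the reference it was handed when it fails, so a caller that drops the same reference again performs a second put on an already-cleared inode, which is what the kernel's BUG_ON(inode->i_state == I_CLEAR) in iput catches. The names toy_inode, toy_iput, toy_alloc_file, buggy_create, fixed_create and run_scenario are all invented for this example.

```c
#include <stdio.h>

/* Constructed stand-ins for the inode state flags; only I_CLEAR matters here. */
enum { I_NEW = 0, I_CLEAR = 1 };

/* Minimal refcounted inode model (constructed, not the kernel struct). */
struct toy_inode {
    int refcount;
    int i_state;
};

/* Number of puts seen on an already-cleared inode. The kernel's iput()
 * would BUG_ON here; counting instead keeps the demo runnable. */
static int double_put_detected;

/* Drop one reference; the last reference clears the inode. A put on an
 * inode that is already I_CLEAR is the double-free the assertion reports. */
static void toy_iput(struct toy_inode *inode)
{
    if (inode->i_state == I_CLEAR) {
        double_put_detected++;          /* kernel: BUG_ON(inode->i_state == I_CLEAR) */
        return;
    }
    if (--inode->refcount == 0)
        inode->i_state = I_CLEAR;       /* kernel would free the inode here */
}

/* Hypothetical callee that takes ownership of the reference it is given:
 * on failure it drops that reference itself and returns -1. */
static int toy_alloc_file(struct toy_inode *inode, int fail)
{
    if (fail) {
        toy_iput(inode);                /* callee cleans up its own failure exit */
        return -1;
    }
    return 0;                           /* on success the "file" now holds the ref */
}

/* Buggy caller shape: drops the reference a second time on the error path. */
static int buggy_create(struct toy_inode *inode, int fail)
{
    if (toy_alloc_file(inode, fail) < 0) {
        toy_iput(inode);                /* second put: inode is already I_CLEAR */
        return -1;
    }
    return 0;
}

/* Fixed caller shape: ownership moved to the callee, nothing left to drop here. */
static int fixed_create(struct toy_inode *inode, int fail)
{
    if (toy_alloc_file(inode, fail) < 0)
        return -1;
    return 0;
}

/* Run one caller through the failure exit and report how many double puts
 * it produced (0 for a correct caller, 1 for the buggy one). */
static int run_scenario(int (*create)(struct toy_inode *, int))
{
    struct toy_inode inode = { .refcount = 1, .i_state = I_NEW };
    int before = double_put_detected;

    create(&inode, 1);                  /* force the failure path */
    return double_put_detected - before;
}

int main(void)
{
    printf("buggy caller: %d double put(s)\n", run_scenario(buggy_create));
    printf("fixed caller: %d double put(s)\n", run_scenario(fixed_create));
    return 0;
}
```

The point the model makes is the one the second commit title states: once a callee owns the reference on its failure exit, the caller's error path must not release it again, and the I_CLEAR check in iput is what turns that silent double-free into a visible oops.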