The oops points to the following assertion in iput:

    BUG_ON(inode->i_state == I_CLEAR);

which indicates a double-free. That was probably introduced by:

commit 430e285e0817e3e18aadd814bc078d50d8af0cbf
Author: Dave Hansen <haveblue@us.ibm.com>
Date:   Fri Feb 15 14:37:26 2008 -0800

    [PATCH] fix up new filp allocators

    Some new uses of get_empty_filp() have crept in; switched to alloc_file()
    to make sure that pieces of initialization won't be missing.

    We really need to kill get_empty_filp().

    [AV] fixed dentry leak on failure exit in anon_inode_getfd()

and fixed by:

commit ed1524371716466e9c762808b02601d0d0276a92
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue Apr 22 19:51:27 2008 -0400

    [PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()

    Duh... Fortunately, the bug is quite recent (post-2.6.25) and,
    embarrassingly, mine ;-/

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

between 2.6.25 and 2.6.26. So I think this can be closed with version 2.6.26-1 (if not earlier).

Ben.