The oops points to the following assertion in iput:

BUG_ON(inode->i_state == I_CLEAR);

which indicates a double-free. That was probably introduced by:

commit 430e285e0817e3e18aadd814bc078d50d8af0cbf
Author: Dave Hansen
Date: Fri Feb 15 14:37:26 2008 -0800

[PATCH] fix up new filp allocators

Some new uses of get_empty_filp() have crept in; switched
to alloc_file() to make sure that pieces of initialization
won't be missing.

We really need to kill get_empty_filp().

[AV] fixed dentry leak on failure exit in anon_inode_getfd()

and fixed by:

commit ed1524371716466e9c762808b02601d0d0276a92
Author: Al Viro
Date: Tue Apr 22 19:51:27 2008 -0400

[PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()

Duh... Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
mine ;-/

Signed-off-by: Al Viro

between 2.6.25 and 2.6.26. So I think this can be closed with version
2.6.26-1 (if not earlier).

Ben.
