On Mon, 23 Jun 2003, Jens Axboe wrote:

quoted

Note 6b6b6b6b in the eax and esi registers and on the stack.  That must be
freed memory. __end_that_request_first() is a static function in
drivers/block/ll_rw_blk.c

That doesn't look good. I'll try and reproduce + fix here, thanks for
the report.

What happens is cdrom_newpc_intr() calls cdrom_decode_status() which frees 
rq, and then is calls end_that_request_chunk() that tries to use rq->bio.

I tried the patch below, and it seems to delay the panic, but it happens
seconds later anyways in a different place but still on 6b6b6b6b address.
The new stack trace is attached.

Patch (possibly wrong or incomplete):
===================================

--- linux.orig/drivers/ide/ide-cd.c
+++ linux/drivers/ide/ide-cd.c

@@ -1664,7 +1664,7 @@ static ide_startstop_t cdrom_newpc_intr(
 	}
 
 	if (cdrom_decode_status(drive, 0, &stat)) {
-		end_that_request_chunk(rq, 1, rq->data_len);
+		printk("ide-cd: newpc_intr decode_status bad\n");
 		return ide_stopped;
 	}
 

===================================

-- 
Regards,
Pavel Roskin