    [PATCH] devfs oops fix · 934acf6c
    Andrew Morton authored
    From: Andrey Borzenkov <arvidjaar@mail.ru>
    
    Doing concurrent lookups for the same name in devfs with devfsd and modules
    enabled may result in stack corruption.
    
    When devfs_lookup needs to call devfsd it arranges for other lookups for the
    same name to wait. It is using a local variable as the wait queue head. After
    devfsd returns, devfs_lookup wakes up all waiters and returns. Unfortunately
    there is no guarantee all waiters will actually get a chance to run and clean up
    before devfs_lookup returns, so some of them attempt to access already freed
    storage on the stack.
    
    It is trivial to trigger with an SMP kernel (I have a single-CPU system if it
    matters) doing
    
    while true
    do
      ls /dev/foo &
    done
    
    Without spinlock debugging the system usually hung dead, with the reset button
    as the only possibility.
    
    I was not able to reproduce it on 2.4 on a single-CPU system - in 2.4
    devfs_d_revalidate_wait does not attempt to remove itself from the wait queue,
    so it appears to be safe.
    
    The patch makes the lookup struct be allocated from the heap and adds a
    reference counter to free it when it is no longer needed.
base.c 92 KB
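The pattern the commit message describes, as an added illustration that is not the kernel's code: a userspace pthread model in which the per-name lookup record is allocated on the heap with a reference count, so the thread that created it can return as soon as its own work is done while whichever thread drops the last reference frees the record. The names (struct lookup, lookup_get, lookup_put, waiter, run_lookup) are hypothetical, and a mutex plus condition variable stands in for the kernel wait queue head that the original code kept on the stack.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace model of the fix: the per-name lookup record
 * lives on the heap and carries a reference count.  Whichever thread
 * drops the last reference frees it, so the creator may return before
 * the waiters have finished using it (the situation that corrupted the
 * stack when the wait queue head was a local variable). */
struct lookup {
    pthread_mutex_t lock;
    pthread_cond_t done;   /* stands in for the kernel wait queue head */
    int refcount;
    int finished;          /* set once the "devfsd" work has completed */
};

static int frees;          /* written only by the thread dropping the last ref */

static struct lookup *lookup_alloc(void)
{
    struct lookup *l = calloc(1, sizeof *l);
    if (!l)
        return NULL;
    pthread_mutex_init(&l->lock, NULL);
    pthread_cond_init(&l->done, NULL);
    l->refcount = 1;       /* the creator's own reference */
    return l;
}

static void lookup_get(struct lookup *l)
{
    pthread_mutex_lock(&l->lock);
    l->refcount++;
    pthread_mutex_unlock(&l->lock);
}

static void lookup_put(struct lookup *l)
{
    pthread_mutex_lock(&l->lock);
    int last = (--l->refcount == 0);
    pthread_mutex_unlock(&l->lock);
    if (last) {            /* no other holder can still be touching it */
        pthread_cond_destroy(&l->done);
        pthread_mutex_destroy(&l->lock);
        free(l);
        frees++;
    }
}

/* A concurrent lookup for the same name: sleep until the first lookup
 * reports completion, then drop the reference taken on our behalf. */
static void *waiter(void *arg)
{
    struct lookup *l = arg;
    pthread_mutex_lock(&l->lock);
    while (!l->finished)
        pthread_cond_wait(&l->done, &l->lock);
    pthread_mutex_unlock(&l->lock);
    lookup_put(l);         /* may be the last reference: frees the record */
    return NULL;
}

/* Models the first lookup: create the record, let nwaiters other lookups
 * queue on it, "call devfsd", wake everyone, drop our own reference and
 * return without waiting for the waiters to run.  Returns how many times
 * the record was freed: 1 means no leak and no double free. */
int run_lookup(int nwaiters)
{
    pthread_t *tids = calloc(nwaiters > 0 ? nwaiters : 1, sizeof *tids);
    struct lookup *l = lookup_alloc();
    if (!tids || !l)
        return -1;
    frees = 0;
    int started = 0;
    for (int i = 0; i < nwaiters; i++) {
        lookup_get(l);     /* reference handed to the waiter thread */
        if (pthread_create(&tids[i], NULL, waiter, l) != 0) {
            lookup_put(l); /* thread never started: give the ref back */
            break;
        }
        started++;
    }
    /* ... the devfsd round trip would happen here ... */
    pthread_mutex_lock(&l->lock);
    l->finished = 1;
    pthread_cond_broadcast(&l->done);
    pthread_mutex_unlock(&l->lock);
    lookup_put(l);         /* creator is done; waiters hold their own refs */
    /* The real function would return here.  Joining only lets this demo
     * read the counter safely; the record's lifetime does not depend on it. */
    for (int i = 0; i < started; i++)
        pthread_join(tids[i], NULL);
    free(tids);
    return frees;
}

int main(void)
{
    printf("record freed %d time(s) with 8 concurrent waiters\n", run_lookup(8));
    return 0;
}
```

The creator's `lookup_put` after the broadcast is the point that matters: with a stack-resident wait queue head, returning there would leave the still-running waiters dereferencing a dead frame, whereas here the record survives until the last waiter has left it.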