Andrew Morton authored
From: Andrey Borzenkov <arvidjaar@mail.ru>

Doing concurrent lookups for the same name in devfs with devfsd and modules enabled may result in stack corruption. When devfs_lookup needs to call devfsd it arranges for other lookups for the same name to wait. It is using a local variable as wait queue head. After devfsd returns, devfs_lookup wakes up all waiters and returns. Unfortunately there is no guarantee all waiters will actually get a chance to run and clean up before devfs_lookup returns, so some of them attempt to access already freed storage on the stack.

It is trivial to trigger with an SMP kernel (I have a single-CPU system if it matters) doing

    while true do ls /dev/foo & done

Without spinlock debug the system usually hung dead with the reset button as the only possibility.

I was not able to reproduce it on 2.4 on a single-CPU system - in 2.4 devfs_d_revalidate_wait does not attempt to remove itself from the wait queue so it appears to be safe.

The patch makes the lookup struct be allocated from the heap and adds a reference counter to free it when no longer needed.
934acf6c
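The lifetime problem the commit message describes (a wait-queue head on the creator's stack outlived by the waiters that still reference it) and the shape of the fix (heap allocation plus a reference count) can be shown in user space. The block below is an added example written for this page, not the devfs patch or kernel code: it uses pthreads as a stand-in for the kernel wait queue, and the names `struct lookup`, `lookup_get`, `lookup_put` and `run_lookup` are hypothetical. Every waiter holds its own reference, the creator drops its reference as soon as it is done, and whichever side finishes last frees the record, so a late waiter never touches a dead stack frame.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_WAITERS 64

/* Hypothetical user-space stand-in for the devfs lookup record: heap
 * allocated and reference counted, so it outlives whichever side
 * (creator or waiter) finishes first. */
struct lookup {
    pthread_mutex_t lock;
    pthread_cond_t  done_cv;
    bool            done;     /* set once the "devfsd" side has answered */
    int             refcount; /* creator's reference plus one per waiter */
};

/* Instrumentation only: counts frees and wake-ups during one run. */
static atomic_int frees;
static atomic_int waiters_woken;

static struct lookup *lookup_new(void)
{
    struct lookup *l = calloc(1, sizeof *l);
    if (!l)
        return NULL;
    pthread_mutex_init(&l->lock, NULL);
    pthread_cond_init(&l->done_cv, NULL);
    l->refcount = 1;          /* the creator's reference */
    return l;
}

static void lookup_get(struct lookup *l)
{
    pthread_mutex_lock(&l->lock);
    l->refcount++;
    pthread_mutex_unlock(&l->lock);
}

/* Drops one reference; the holder of the last one frees the record. */
static void lookup_put(struct lookup *l)
{
    pthread_mutex_lock(&l->lock);
    int left = --l->refcount;
    pthread_mutex_unlock(&l->lock);
    if (left == 0) {
        pthread_cond_destroy(&l->done_cv);
        pthread_mutex_destroy(&l->lock);
        free(l);
        atomic_fetch_add(&frees, 1);
    }
}

/* A concurrent lookup for the same name: blocks until the record is done,
 * then releases the reference the creator took on its behalf. */
static void *waiter(void *arg)
{
    struct lookup *l = arg;
    pthread_mutex_lock(&l->lock);
    while (!l->done)
        pthread_cond_wait(&l->done_cv, &l->lock);
    pthread_mutex_unlock(&l->lock);
    atomic_fetch_add(&waiters_woken, 1);
    lookup_put(l);            /* may be the last reference: frees the heap record */
    return NULL;
}

/* Runs one lookup with nwaiters lookups blocked on it; returns how many
 * times the record was freed (exactly 1 when the refcount is correct). */
int run_lookup(int nwaiters)
{
    pthread_t th[MAX_WAITERS];
    int started = 0;

    if (nwaiters > MAX_WAITERS)
        nwaiters = MAX_WAITERS;
    atomic_store(&frees, 0);
    atomic_store(&waiters_woken, 0);

    struct lookup *l = lookup_new();
    if (!l)
        return -1;

    for (int i = 0; i < nwaiters; i++) {
        lookup_get(l);                      /* reference handed to the waiter */
        if (pthread_create(&th[started], NULL, waiter, l) != 0) {
            lookup_put(l);                  /* thread never ran: give it back */
            continue;
        }
        started++;
    }

    /* Stand-in for the devfsd round trip: record the answer, wake everyone. */
    pthread_mutex_lock(&l->lock);
    l->done = true;
    pthread_cond_broadcast(&l->done_cv);
    pthread_mutex_unlock(&l->lock);

    lookup_put(l);   /* creator is finished; it must not touch l after this */

    for (int i = 0; i < started; i++)
        pthread_join(th[i], NULL);
    return atomic_load(&frees);
}

int waiters_woken_count(void)
{
    return atomic_load(&waiters_woken);
}

int main(void)
{
    int freed = run_lookup(8);
    printf("record freed %d time(s), %d waiters woken\n", freed, waiters_woken_count());
    return freed == 1 ? 0 : 1;
}
```

The creator's `lookup_put` after the broadcast is the point that matters: with a stack-allocated head the creator would simply return there, and any waiter still inside its wake-up path would dereference freed stack memory. With the refcount, the creator returning early is harmless because the record stays allocated until the last waiter has finished with it. On a pre-2.34 glibc the block needs `-pthread` at compile time.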