Fix race between proc_get_inode() and remove_proc_entry() proc_lookup remove_proc_entry =========== ================= lock_kernel(); spin_lock(&proc_subdir_lock); [find PDE with refcount 0] spin_unlock(&proc_subdir_lock); spin_lock(&proc_subdir_lock); [find PDE with refcount 0] [check refcount and free PDE] spin_unlock(&proc_subdir_lock); proc_get_inode: de_get(de); /* boom */ Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 7695650a924a6859910c8c19dfa43b4d08224d66 [log] [tgz]
author: Alexey Dobriyan <adobriyan@openvz.org> Tue May 08 00:25:45 2007 -0700
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> Tue May 08 11:15:01 2007 -0700
tree: 5947c3e1b24600b6440468c11b30feeef31eee2c
parent: 79c0b2df79eb56fc71e54c75cd7fb3acf84370f9 [diff] [blame]
diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index 775fb21..22a08ff 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c

@@ -398,6 +398,7 @@
 			if (!memcmp(dentry->d_name.name, de->name, de->namelen)) {
 				unsigned int ino = de->low_ino;
 
+				de_get(de);
 				spin_unlock(&proc_subdir_lock);
 				error = -EINVAL;
 				inode = proc_get_inode(dir->i_sb, ino, de);
@@ -414,6 +415,7 @@
 		d_add(dentry, inode);
 		return NULL;
 	}
+	de_put(de);
 	return ERR_PTR(error);
 }
commit	7695650a924a6859910c8c19dfa43b4d08224d66	[log] [tgz]
author	Alexey Dobriyan <adobriyan@openvz.org>	Tue May 08 00:25:45 2007 -0700
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	Tue May 08 11:15:01 2007 -0700
tree	5947c3e1b24600b6440468c11b30feeef31eee2c
parent	79c0b2df79eb56fc71e54c75cd7fb3acf84370f9 [diff] [blame]