From: 신 shin hong
Subject: data race in remove_proc_entry()
Date: Wed, 4 Feb 2009 00:40:59 +0900
Message-ID: <2014bcab0902030740y115b6179gb5c6ad5f1f2d994@mail.gmail.com>
To: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org

Hi.

I found a suspected bug in the proc file system.

At proc/generic.c line 806, de->subdir is not protected by spin_lock(&proc_subdir_lock), so data races might occur. Line 806 must be protected by spin_lock(&proc_subdir_lock) to avoid the data race.

WARN(condition, stmt) is translated into if (condition) { stmt }. At line 806, a context switch can happen right after the condition check, and another thread may set 'de->subdir' to null. In this case, the execution of 'stmt' would cause a null pointer dereference error since it has 'de->subdir->name'.

Sincerely,

Shin Hong
M.S. Candidate
Computer Science Div., EECS Dept.,
Korea Advanced Institute of Sci. & Tech., Republic of Korea
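The pattern the mail describes, check a shared pointer in a WARN() condition and then dereference it again in the WARN() body with no lock held, is a classic check-then-use race. The following is an added user-space model written for this page; it is not kernel code and not from the reporter. It replaces struct proc_dir_entry with a two-field struct, stands in for spin_lock(&proc_subdir_lock) with a single-threaded lock counter, and models the other CPU clearing de->subdir with a hook function called in the race window. The racy version reports (instead of crashing) when its second read sees NULL; the locked version reads the pointer once under the lock and copies the name before unlocking, so the later clear cannot affect it.

```c
/* Added example, not kernel code: models the check-then-use race described
 * in the mail. A WARN()-style 'if (cond) { stmt }' reads the shared pointer
 * once in cond and again in stmt; if another thread clears it in between,
 * stmt dereferences NULL. The fix: lock, read the pointer once into a local,
 * copy what the message needs, then unlock. */
#include <stdio.h>
#include <string.h>

struct pde {                       /* stand-in for struct proc_dir_entry */
    struct pde *subdir;            /* shared: may be cleared by another thread */
    const char *name;
};

/* Single-threaded stand-in for spin_lock(&proc_subdir_lock). */
static int subdir_lock_held;
static void subdir_lock(void)   { subdir_lock_held++; }
static void subdir_unlock(void) { subdir_lock_held--; }

/* Models the concurrent remover: another CPU clearing de->subdir under the
 * lock. In this single-threaded model it runs wherever the caller invokes it. */
static void concurrent_clear_subdir(struct pde *de)
{
    subdir_lock();
    de->subdir = NULL;
    subdir_unlock();
}

static void no_interleave(struct pde *de) { (void)de; }

typedef void (*interleave_fn)(struct pde *);

/* Racy pattern: condition and body both read de->subdir without the lock.
 * 'other' runs in the window between the two reads.
 * Returns 1 if the warning fired, 0 if there was no subdir,
 * -1 if the body would have dereferenced a NULL de->subdir. */
static int warn_racy(struct pde *de, interleave_fn other, char *out, size_t n)
{
    if (de->subdir) {                       /* first read, unlocked */
        other(de);                          /* race window */
        if (de->subdir == NULL)             /* second read sees the clear */
            return -1;                      /* real code would crash here */
        snprintf(out, n, "removing non-empty dir %s", de->subdir->name);
        return 1;
    }
    return 0;
}

/* Safe pattern: take the lock, read the pointer once into a local, copy the
 * name while it is valid, then drop the lock. 'other' cannot run inside the
 * locked region; the snapshot stays valid afterwards. */
static int warn_locked(struct pde *de, interleave_fn other, char *out, size_t n)
{
    struct pde *child;
    char name[32] = "";

    subdir_lock();
    child = de->subdir;                     /* single read under the lock */
    if (child)
        snprintf(name, sizeof name, "%s", child->name);
    subdir_unlock();

    other(de);                              /* remover runs only after unlock */
    if (!child)
        return 0;
    snprintf(out, n, "removing non-empty dir %s", name);
    return 1;
}

/* Constructed fixture: a parent directory entry with one child. */
static int run_racy(int with_race, char *out, size_t n)
{
    struct pde child = { NULL, "leaf" };
    struct pde parent = { &child, "dir" };
    return warn_racy(&parent, with_race ? concurrent_clear_subdir : no_interleave, out, n);
}

static int run_locked(int with_race, char *out, size_t n)
{
    struct pde child = { NULL, "leaf" };
    struct pde parent = { &child, "dir" };
    return warn_locked(&parent, with_race ? concurrent_clear_subdir : no_interleave, out, n);
}

int main(void)
{
    char msg[64] = "";
    printf("racy, no race:     %d\n", run_racy(0, msg, sizeof msg));
    printf("racy, with race:   %d\n", run_racy(1, msg, sizeof msg));
    printf("locked, with race: %d (%s)\n", run_locked(1, msg, sizeof msg), msg);
    return 0;
}
```

The interesting case is run_racy(1, ...): the first read passes the check, the hook clears the pointer, and the second read returns -1 where the kernel would fault. run_locked(1, ...) still returns 1 with the child's name because the name was copied while the lock was held; whether the remover clears the pointer afterwards no longer matters.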