From: Steven Rostedt

Looking at proc_match

int proc_match(int len, const char *name, struct proc_dir_entry *de)
{
	if (de->namelen != len)
		return 0;
	return !memcmp(name, de->name, len);
}

The bug would happen either at de->namelen in proc_match or in the loop of
p=&(*p)->next.

The race is if two threads remove two entries that are siblings.  Since
p = &(*p)->next, and this is then dereferenced, the race is with *p
becoming NULL.

Add the required locking to fix this.

Signed-off-by: Andrew Morton
---

 fs/proc/generic.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN fs/proc/generic.c~protect-remove_proc_entry fs/proc/generic.c
--- devel/fs/proc/generic.c~protect-remove_proc_entry	2006-01-04 01:21:55.000000000 -0800
+++ devel-akpm/fs/proc/generic.c	2006-01-04 01:21:55.000000000 -0800
@@ -694,6 +694,8 @@ void remove_proc_entry(const char *name,
 	if (!parent && xlate_proc_name(name, &parent, &fn) != 0)
 		goto out;
 	len = strlen(fn);
+
+	lock_kernel();
 	for (p = &parent->subdir; *p; p=&(*p)->next ) {
 		if (!proc_match(len, fn, *p))
 			continue;
@@ -714,6 +716,7 @@ void remove_proc_entry(const char *name,
 		}
 		break;
 	}
+	unlock_kernel();
 out:
 	return;
 }
_
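Review bot: lock_kernel() in the first hunk is the BKL, which only excludes other BKL holders, so the walk of parent->subdir is protected against the remove/remove race the description names only if every other writer of that list also holds the BKL; the insertion side (the create path, which is not in this diff) should be checked for the same lock, otherwise a concurrent insert into parent->subdir still races with this loop. Placing the lock after the xlate_proc_name() failure path is correct, since the `goto out` there bypasses both the lock and the unlock.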
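Review bot: unlock_kernel() in the second hunk is reached only when the loop exits normally via `break` or the `*p` condition; the loop body between the two hunks is not visible here, so any `goto out` or `return` inside it would leave the BKL held. Worth confirming that the `break` shown is the only exit from the loop, or moving the unlock under the `out:` label (with the early `goto out` before the lock adjusted accordingly) so every path releases it.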