In case proc_pid_make_inode() steps on an exiting task, we do
iput() and return NULL. Unfortunately, in that case inode->i_ino
doesn't look like the inumber of a per-process inode and we take the
wrong path in proc_delete_inode(), i.e. we do dput(PDE(inode)), which
is left uninitialized...
We used to get out with that almost by accident - that code
worked only because we had zeroed out one field of union and that
guaranteed that another field would be NULL. It worked, but broke
at the first occasion.
Fix:
--- linux/fs/proc/base.c Tue Feb 19 22:33:04 2002
+++ linux/fs/proc/base.c.fix Fri Mar 15 08:42:19 2002
@@ -730,6 +730,7 @@
return inode;
out_unlock:
+ ei->pde = NULL;
iput(inode);
return NULL;
}
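Review bot: the fix at out_unlock only holds if proc_delete_inode() (or dput()) tolerates a NULL PDE(inode); since the description says the old code survived only because a zeroed union member happened to make another field NULL, please confirm the NULL is actually checked on that path rather than relied on implicitly, and add a one-line comment above `ei->pde = NULL;` stating that iput() will route this inode through the PDE path of proc_delete_inode(). Also consider zeroing ei->pde where the inode is set up rather than only on this error exit, so any future early-return before the field is assigned does not reintroduce the same uninitialized dput().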