release_mem() is altering the file->f_list lists without taking the appropriate spinlock.
drivers/char/tty_io.c | 4 ++++
1 files changed, 4 insertions(+)
diff -puN drivers/char/tty_io.c~tty_files-fixes drivers/char/tty_io.c
--- 25/drivers/char/tty_io.c~tty_files-fixes 2003-03-17 21:32:06.000000000 -0800
+++ 25-akpm/drivers/char/tty_io.c 2003-03-17 21:32:06.000000000 -0800
@@ -1034,7 +1034,9 @@ static void release_mem(struct tty_struc
 }
 o_tty->magic = 0;
 (*o_tty->driver.refcount)--;
+ file_list_lock();
 list_del(&o_tty->tty_files);
+ file_list_unlock();
 free_tty_struct(o_tty);
 }
@@ -1046,7 +1048,9 @@ static void release_mem(struct tty_struc
 }
 tty->magic = 0;
 (*tty->driver.refcount)--;
+ file_list_lock();
 list_del(&tty->tty_files);
+ file_list_unlock();
 module_put(tty->driver.owner);
 free_tty_struct(tty);
 }
_
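Review bot: The new `file_list_lock()`/`file_list_unlock()` pair around `list_del(&o_tty->tty_files)` has no comment saying why a file-list lock is needed to unlink a tty field; the reason exists only in the commit message. I would add `/* tty_files chains struct file f_list entries; change it only under file_list_lock() */` above the lock call here and above the identical pair for `tty` in the second hunk. Note that the lock covers the list links only: `free_tty_struct(o_tty)` runs after the unlock, so whether another path that walks this list can still hold the tty pointer at that moment depends on callers not visible in the hunk. release_mem starts before this hunk and continues past it.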
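Review bot: The decrement `(*tty->driver.refcount)--` just above the new locked region is a plain read-modify-write through a shared pointer and stays outside `file_list_lock()`; the same holds for `(*o_tty->driver.refcount)--` in the first hunk. What serializes it is not visible here, so in a commit whose purpose is to close a locking gap it is worth confirming that it is covered. If it is, a comment such as `/* driver.refcount is serialized by <lock name - placeholder> */` would record that; if it is not, the counter can be miscounted by concurrent releases, and `module_put(tty->driver.owner)` two lines later suggests the driver's lifetime is tied to this path. The function body begins outside the hunk.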