From: Manfred Spraul proc_pid_status dereferences pointers in the task structure even if the task is already dead. This is probably the reason for the oops described in http://bugme.osdl.org/show_bug.cgi?id=3812 The attached patch removes the pointer dereferences by using pid_alive() for testing that the task structure contents is still valid before dereferencing them. The task structure itself is guaranteed to be valid - we hold a reference count. What do you think? Are you aware of further instances where p->pid is still used to check if a thread is alive? Signed-Off-By: Manfred Spraul Signed-off-by: Andrew Morton --- 25-akpm/fs/proc/array.c | 4 ++-- 25-akpm/fs/proc/base.c | 5 ----- 25-akpm/include/linux/pid.h | 2 ++ 25-akpm/kernel/pid.c | 13 +++++++++++++ 4 files changed, 17 insertions(+), 7 deletions(-) diff -puN fs/proc/array.c~use-pid_alive-in-proc_pid_status fs/proc/array.c --- 25/fs/proc/array.c~use-pid_alive-in-proc_pid_status 2004-11-28 10:19:41.738951664 -0800 +++ 25-akpm/fs/proc/array.c 2004-11-28 10:19:41.748950144 -0800 @@ -172,8 +172,8 @@ static inline char * task_state(struct t get_task_state(p), (p->sleep_avg/1024)*100/(1020000000/1024), p->tgid, - p->pid, p->pid ? p->group_leader->real_parent->tgid : 0, - p->pid && p->ptrace ? p->parent->pid : 0, + p->pid, pid_alive(p) ? p->group_leader->real_parent->tgid : 0, + pid_alive(p) && p->ptrace ? p->parent->pid : 0, p->uid, p->euid, p->suid, p->fsuid, p->gid, p->egid, p->sgid, p->fsgid); read_unlock(&tasklist_lock); diff -puN fs/proc/base.c~use-pid_alive-in-proc_pid_status fs/proc/base.c --- 25/fs/proc/base.c~use-pid_alive-in-proc_pid_status 2004-11-28 10:19:41.740951360 -0800 +++ 25-akpm/fs/proc/base.c 2004-11-28 10:19:41.748950144 -0800 @@ -739,11 +739,6 @@ static struct inode_operations proc_pid_ .follow_link = proc_pid_follow_link }; -static inline int pid_alive(struct task_struct *p) -{ - return p->pids[PIDTYPE_PID].nr != 0; -} - #define NUMBUF 10 static int proc_readfd(struct file * filp, void * dirent, filldir_t filldir) diff -puN include/linux/pid.h~use-pid_alive-in-proc_pid_status include/linux/pid.h --- 25/include/linux/pid.h~use-pid_alive-in-proc_pid_status 2004-11-28 10:19:41.741951208 -0800 +++ 25-akpm/include/linux/pid.h 2004-11-28 10:19:41.746950448 -0800 @@ -52,4 +52,6 @@ extern void switch_exec_pids(struct task hlist_unhashed(&(task)->pids[type].pid_chain)); \ } \ +extern int pid_alive(struct task_struct *p); + #endif /* _LINUX_PID_H */ diff -puN kernel/pid.c~use-pid_alive-in-proc_pid_status kernel/pid.c --- 25/kernel/pid.c~use-pid_alive-in-proc_pid_status 2004-11-28 10:19:41.743950904 -0800 +++ 25-akpm/kernel/pid.c 2004-11-28 10:19:41.747950296 -0800 @@ -247,6 +247,19 @@ void switch_exec_pids(task_t *leader, ta attach_pid(leader, PIDTYPE_SID, leader->signal->session); } +/** + * pid_alive - check that a task structure is not stale + * @p: Task structure to be checked. + * + * Test if a process is not yet dead (at most zombie state) + * If pid_alive fails, then pointers within the task structure + * can be stale and must not be dereferenced. + */ +int pid_alive(struct task_struct *p) +{ + return p->pids[PIDTYPE_PID].nr != 0; +} + /* * The pid hash table is scaled according to the amount of memory in the * machine. From a minimum of 16 slots up to 4096 slots at one gigabyte or _