Description of Problem: If multiple mounts/unmounts are occurring, and a process is accessing/reading from /proc/mounts, it is possible for an oops to occur on an SMP machine. This is because the vfsmntlist can change while we're navigating it, but the code doesn't grab any locks to prevent this. If a vfsmount "p" is removed from the list while we're in d_path(), then we'll follow an invalid "next" pointer on return from d_path(). Version-Release number of selected component (if applicable): Any of 2.4.9-e.3, e.5 and e.8 are susceptible. How Reproducible: 100%. Steps to Reproduce: 1. Start some processes mounting and unmounting filesystems in a loop. 2. Repeatedly 'cat /proc/mounts' or otherwise read it. 3. Wait for the oops. Actual Results: An oops happens. Expected Results: No oops :-) Additional Information: A suggested fix is to grab the dcache_lock which apparently protects vfsmntlist. This seems reasonable since we only process one page worth of information.
Created attachment 68624 [details] Suggested patch (wrong line numbers but it applies).
patch applied to the U4 update stream. changing state to modified. kernel is available at: http://people.redhat.com/~jbaron/.private/u4/2.4.9-e.37.3.test/
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-105.html