In the latest CVS there is a regression in switch_exec_pids() that would eventually cause an oops when decrementing the reference count on an already released vproc at vpop_wait() while running glibc tst-exec4 from ssic-linux-bugs-2000692.  I checked in the fix.

On Wed, Nov 4, 2009 at 6:18 AM, Roger Tsang <> wrote:

This bug is either staring right at me or I am just having a bad hair day.  In vpop_wait() we see VPROC LOCK is used to protect its parent-child-sibling list.  However, the ND LIST lock doesn't protect PVP(vo)->pvp_childl from other threads.  Also, if I am not wrong, the for-loop in vpop_wait() is not SMP-safe since PVP(vc)->pvp_childl is neither protected by VPROC LOCK nor ND LIST lock.


        VPROC_LOCK_EXCL(vp, "vpop_wait");
        for (vo = NULL, vc = pvp->pvp_head_childl;
             vc != NULL;
             vo = vc, vc = PVP(vc)->pvp_childl) {
                VPROC_LOCK_ND_LIST_EXCL(vp, "vpop_wait");
                if (vo == NULL)
                        pvp->pvp_head_childl = pvc->pvp_childl;
                else
                        PVP(vo)->pvp_childl = pvc->pvp_childl;
                pvc->pvp_childl = NULL;
                VPROC_UNLOCK_ND_LIST_EXCL(vp, "vpop_wait");
        }
        VPROC_UNLOCK_EXCL(vp, "vpop_wait");
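As an added illustration (not OpenSSI code and not from either poster), the unlink below models the sibling-list walk above with the list lock held across the whole loop, so the advance through pvp_childl is never done on an unprotected pointer; the struct and function names are hypothetical, only pvp_head_childl / pvp_childl come from the thread.

```c
#include <pthread.h>
#include <stddef.h>
/* Constructed model of the sibling list above: a parent reaches its children
 * via pvp_head_childl / pvp_childl. Names are hypothetical, not OpenSSI's. */
struct pvp {
    int id;
    struct pvp *pvp_childl;          /* next sibling */
};
struct parent {
    pthread_mutex_t nd_list_lock;    /* stands in for the ND LIST lock */
    struct pvp *pvp_head_childl;
};

/* Unlink pvc from p's child list. The list lock is taken once around the
 * whole loop, so the advance vc = vc->pvp_childl never reads a next pointer
 * another thread could be rewriting. Returns 1 if pvc was unlinked. */
int unlink_child(struct parent *p, struct pvp *pvc)
{
    struct pvp *vo, *vc;
    int found = 0;
    pthread_mutex_lock(&p->nd_list_lock);
    for (vo = NULL, vc = p->pvp_head_childl; vc != NULL;
         vo = vc, vc = vc->pvp_childl) {
        if (vc != pvc)
            continue;
        if (vo == NULL)                  /* pvc is the head child */
            p->pvp_head_childl = pvc->pvp_childl;
        else
            vo->pvp_childl = pvc->pvp_childl;
        pvc->pvp_childl = NULL;
        found = 1;
        break;
    }
    pthread_mutex_unlock(&p->nd_list_lock);
    return found;
}

/* Build a constructed list 1 -> 2 -> 3, unlink the child with the given id
 * and return the sum of the ids still linked, or -1 if nothing was found. */
int demo_unlink(int id)
{
    struct pvp c3 = { 3, NULL }, c2 = { 2, &c3 }, c1 = { 1, &c2 };
    struct parent p = { PTHREAD_MUTEX_INITIALIZER, &c1 };
    struct pvp *target = id == 1 ? &c1 : id == 2 ? &c2 : id == 3 ? &c3 : NULL;
    int sum = 0;
    if (target == NULL || !unlink_child(&p, target))
        return -1;
    for (struct pvp *vc = p.pvp_head_childl; vc != NULL; vc = vc->pvp_childl)
        sum += vc->id;                   /* single-threaded here, no lock needed */
    return sum;
}
```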