After we've done complete(&req->done), there's nothing to prevent the scope containing *req from going away and *req being overwritten by any kind of junk. So we must read req->next before that... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
@@ -406,9 +406,10 @@ static int devtmpfsd(void *p)
requests = NULL;
spin_unlock(&req_lock);
while (req) {
+ struct req *next = req->next;
req->err = handle(req->name, req->mode, req->dev);
complete(&req->done);
- req = req->next;
+ req = next;
}
spin_lock(&req_lock);
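Review bot: The added `struct req *next = req->next;` at the top of the `while (req)` loop has no comment saying why the load must come before `complete(&req->done)`. Without one, a later tidy-up could fold it back into `req = req->next` and reintroduce the read of memory the waiter may already have released. I would put a comment above the declaration, e.g. `/* *req may be gone or overwritten once complete() runs; read ->next first */`. The same constraint applies to any future statement placed after `complete()` in this loop: it must not touch `req`. The body of devtmpfsd starts and ends outside this hunk, so how the requester allocates `*req` is inferred from the commit message only.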