fix devtmpfs race

After we's done complete(&req->done), there's nothing to prevent the
scope containing *req from being gone and *req overwritten by any
kind of junk.  So we must read req->next before that...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index 6d678c9..b89fffc 100644 (file)
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -406,9 +406,10 @@ static int devtmpfsd(void *p)
                        requests = NULL;
                        spin_unlock(&req_lock);
                        while (req) {
+                               struct req *next = req->next;
                                req->err = handle(req->name, req->mode, req->dev);
                                complete(&req->done);
-                               req = req->next;
+                               req = next;
                        }
                        spin_lock(&req_lock);
                }