There seems to be a bug in the wait_queue handling. Imagine the following
situation:
struct {
ulong test_value;
struct wait_queue *my_wait_queue;
} my_struct;
A "sleep_on(&my_struct.my_wait_queue);" then overwrites the value
of test_value, causing all kinds of havoc.
It seems that the bug has been introduced in 2.0.16. Have a look at the
following piece of code from include/linux/sched.h:
extern inline void __add_wait_queue(struct wait_queue ** p, struct wait_queue *wait)
{
struct wait_queue *head = *p;
struct wait_queue *next = WAIT_QUEUE_HEAD(p);
if (head)
next = head;
*p = wait;
wait->next = next;
}
and from include/linux/wait.h:
#define WAIT_QUEUE_HEAD(x) ((struct wait_queue *)((x)-1))
The assignment of WAIT_QUEUE_HEAD to *next goes to an illegal address!!
Andreas
-- aschultz@cs.uni-magdeburg.de
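As an added example (not part of Andreas's mail and not kernel source), the following C program rebuilds the quoted macro and __add_wait_queue around the my_struct from the mail and checks with plain pointer arithmetic where the WAIT_QUEUE_HEAD sentinel lands relative to that struct, and whether queueing and walking waiters touches test_value. It assumes the 2.0-era layout of struct wait_queue as a task pointer followed by the next pointer (the mail does not show that definition); the walk loop, the marker value and the pids are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed 2.0-era layout: the mail quotes only the macro and
 * __add_wait_queue, not this struct.  Two pointer-sized fields with
 * `next` second is what the (x)-1 arithmetic in the macro relies on. */
struct task_struct { int pid; };

struct wait_queue {
    struct task_struct *task;
    struct wait_queue *next;
};

/* Macro exactly as quoted from include/linux/wait.h. */
#define WAIT_QUEUE_HEAD(x) ((struct wait_queue *)((x)-1))

/* Copy of the quoted __add_wait_queue, renamed so it cannot clash
 * with a real kernel header. */
static void add_wait_queue_copy(struct wait_queue **p, struct wait_queue *wait)
{
    struct wait_queue *head = *p;
    struct wait_queue *next = WAIT_QUEUE_HEAD(p);
    if (head)
        next = head;
    *p = wait;
    wait->next = next;
}

/* The struct from the mail. */
struct my_struct {
    unsigned long test_value;
    struct wait_queue *my_wait_queue;
};

/* Where does the sentinel's `next` field live?  Computed with offsetof
 * so the sentinel is never dereferenced.  Returns 1 when
 * &WAIT_QUEUE_HEAD(p)->next is exactly p, the head pointer itself. */
int sentinel_next_is_head_pointer(void)
{
    struct my_struct s = { 0, NULL };
    struct wait_queue **p = &s.my_wait_queue;
    char *sentinel = (char *)WAIT_QUEUE_HEAD(p);
    return sentinel + offsetof(struct wait_queue, next) == (char *)p;
}

/* Does the sentinel's `task` field overlay test_value?  On ABIs where
 * unsigned long and a pointer have the same size (32-bit and LP64 Linux)
 * this returns 1; nothing in add_wait_queue_copy writes that field. */
int sentinel_task_overlays_test_value(void)
{
    struct my_struct s = { 0, NULL };
    char *sentinel = (char *)WAIT_QUEUE_HEAD(&s.my_wait_queue);
    return sentinel + offsetof(struct wait_queue, task) == (char *)&s.test_value;
}

/* Queue n waiters (capped at 8) on my_struct's wait queue, then walk the
 * ring the way a wake-up loop would: follow `next` until it points at
 * the sentinel, comparing pointers only.  Returns the number of entries
 * visited, or -1 if test_value no longer holds its constructed marker. */
int queue_and_walk(int n)
{
    const unsigned long marker = 0x5A5A5A5AUL;   /* constructed canary */
    struct task_struct tasks[8];
    struct wait_queue waiters[8];
    struct my_struct s;
    struct wait_queue *head, *tmp;
    int i, count = 0;

    if (n > 8)
        n = 8;
    s.test_value = marker;
    s.my_wait_queue = NULL;

    for (i = 0; i < n; i++) {
        tasks[i].pid = 100 + i;                  /* constructed pids */
        waiters[i].task = &tasks[i];
        waiters[i].next = NULL;
        add_wait_queue_copy(&s.my_wait_queue, &waiters[i]);
    }

    head = WAIT_QUEUE_HEAD(&s.my_wait_queue);    /* compared, never read */
    tmp = s.my_wait_queue;                       /* NULL when queue is empty */
    while (tmp && tmp != head) {
        count++;
        tmp = tmp->next;
    }

    return s.test_value == marker ? count : -1;
}

int main(void)
{
    printf("sentinel->next aliases head pointer: %d\n", sentinel_next_is_head_pointer());
    printf("sentinel->task overlays test_value:  %d\n", sentinel_task_overlays_test_value());
    printf("3 waiters queued, walked: %d\n", queue_and_walk(3));
    return 0;
}
```

The two address checks show what the `(x)-1` arithmetic buys: the sentinel is placed so that its `next` member sits exactly at the head pointer `*p`, which means the only store made through it (`*p = wait`) is the ordinary head-pointer update; its `task` member would indeed overlay test_value on common ABIs, but no path in the quoted code reads or writes it, and the walk stops on pointer equality with the sentinel rather than following it.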