From: "Martin J. Bligh" <mbligh@aracnet.com> and me

proc_pid_lookup() does a put_task_struct() and then continues to play with
the task.



 fs/proc/base.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff -puN fs/proc/base.c~task_struct-use-after-free-fix fs/proc/base.c
--- 25/fs/proc/base.c~task_struct-use-after-free-fix	2003-06-14 18:15:07.000000000 -0700
+++ 25-akpm/fs/proc/base.c	2003-06-14 18:15:07.000000000 -0700
@@ -1362,10 +1362,11 @@ struct dentry *proc_pid_lookup(struct in
 
 	inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
-	put_task_struct(task);
 
-	if (!inode)
+	if (!inode) {
+		put_task_struct(task);
 		goto out;
+	}
 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
 	inode->i_op = &proc_base_inode_operations;
 	inode->i_fop = &proc_base_operations;
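Review bot: The `if (!inode)` branch now carries its own `put_task_struct(task)`, while `out:` (second hunk) releases nothing, so every error exit taken after the reference is obtained must remember to drop it by hand. A dedicated unwind label would keep the pairing in one place: reduce this branch to `if (!inode) goto out_put;` and add `out_put: put_task_struct(task);` directly above `out:`. The function begins before this hunk and the lines between the two hunks are not visible, so any other `goto out` in that stretch should be checked for the same missing release.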
@@ -1379,6 +1380,7 @@ struct dentry *proc_pid_lookup(struct in
 	d_add(dentry, inode);
 	spin_unlock(&task->proc_lock);
 
+	put_task_struct(task);
 	return NULL;
 out:
 	return ERR_PTR(-ENOENT);
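Review bot: Nothing at the relocated `put_task_struct(task)` records why it must follow `spin_unlock(&task->proc_lock)`, which is the ordering this fix restores. The lock is a member of the task, so the reference taken earlier in the function is what keeps it valid through the unlock. A one-line comment above the put would keep a later cleanup from hoisting it again, e.g. `/* proc_lock lives inside *task: keep our reference until after the unlock */`. The point where the reference is acquired lies outside this hunk.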

_