Backport this fix from 2.4




 ipc/msg.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletion(-)

diff -puN ipc/msg.c~ipc-msg-race-fix ipc/msg.c
--- 25/ipc/msg.c~ipc-msg-race-fix	2003-10-19 03:07:08.000000000 -0700
+++ 25-akpm/ipc/msg.c	2003-10-19 03:09:14.000000000 -0700
@@ -837,11 +837,20 @@ out_success:
 		msg_unlock(msq);
 
 		schedule();
-		current->state = TASK_RUNNING;
 
+		/*
+		 * The below optimisation is buggy.  A sleeping thread that is
+		 * woken up checks if it got a message and if so, copies it to
+		 * userspace and just returns without taking any locks.
+		 * But this return to user space can be faster than the message
+		 * send, and if the receiver immediately exits the
+		 * wake_up_process performed by the sender will oops.
+		 */
+#if 0
 		msg = (struct msg_msg*) msr_d.r_msg;
 		if(!IS_ERR(msg)) 
 			goto out_success;
+#endif
 
 		msq = msg_lock(msqid);
 		msg = (struct msg_msg*)msr_d.r_msg;
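Review bot: Disabling the lock-free fast path with `#if 0` keeps dead code in the tree that reads as if it were meant to come back, while the new comment above it already records why returning without the lock is unsafe; deleting the three lines `msg = (struct msg_msg*) msr_d.r_msg; if(!IS_ERR(msg)) goto out_success;` outright would be clearer and leaves `msr_d.r_msg` read only after `msg_lock(msqid)`. The dropped `current->state = TASK_RUNNING;` is not explained in the description; it looks safe because `schedule()` only returns once a wakeup has set the state, but a sentence stating that would help whoever reviews the backport. The description could also say what the race is from a risk standpoint: the sender's `wake_up_process` touching a receiver task that has already exited is a use-after-free reachable by an unprivileged local receiver. The enclosing function starts and ends outside the hunk.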

_