Comment 34 for bug 683938

Stefan Bader (smb) wrote :

So thanks to upstream, we got a patch (I am duplicating this here). It was in a completely different corner. Instead of a race condition, the incorrect number of commands provided seems to have a hidden bad effect within the rpc code (I have not looked, but from the patch description, some memory allocations are done for each command). The code put 2 as the number of commands, but the array had four entries, with command indices 0 and 2 not being used. The UMNT command has the index number 3, so when accessing internal arrays with that index the code accesses memory outside of the allocated range.

I am currently compiling stock Lucid kernels with just this patch applied. I will upload them to the same location where I put the other debug kernels as soon as they are ready.
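The mismatch described in the comment (a procedure table with four slots, a hard-coded count of 2, and UMNT at index 3) can be reproduced in miniature. The C below is an added illustration written for this page; it is not the kernel's rpc code and not the upstream patch. The names `procinfo`, `version_desc`, `mnt_procs`, `lookup_proc`, `version_count_consistent` and the per-slot sizes are all constructed for the example. It contrasts a version descriptor whose count is hard-coded to 2 with one whose count is derived from the array itself, and shows a lookup that rejects any index at or beyond the declared count instead of reading past whatever was allocated for that many entries.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-procedure descriptor (constructed for this example). */
typedef struct {
    const char *name;      /* NULL marks an unused slot */
    size_t arg_bufsize;    /* constructed: bytes a caller would allocate per call */
} procinfo;

/* Four slots, of which only 1 and 3 are populated, mirroring the comment:
 * indices 0 and 2 unused, UMNT at index 3. */
static const procinfo mnt_procs[] = {
    [0] = { NULL,   0  },
    [1] = { "MNT",  64 },
    [2] = { NULL,   0  },
    [3] = { "UMNT", 32 },
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* A version descriptor: the table plus the number of slots the rpc layer
 * is told to allocate for. */
typedef struct {
    const procinfo *procs;
    unsigned int nrprocs;
} version_desc;

/* The buggy shape: count hard-coded to 2 although the table has 4 slots,
 * so anything sized from nrprocs has room for indices 0 and 1 only. */
static const version_desc buggy_version = { mnt_procs, 2 };

/* The corrected shape: count derived from the array, so it cannot drift
 * from the table as entries are added. */
static const version_desc fixed_version = { mnt_procs, ARRAY_SIZE(mnt_procs) };

/* Bounds-checked lookup. Without the first check, index 3 against
 * buggy_version would address slot 3 of a 2-slot allocation. */
const procinfo *lookup_proc(const version_desc *v, unsigned int idx) {
    if (idx >= v->nrprocs)
        return NULL;                 /* outside what was allocated for */
    if (v->procs[idx].name == NULL)
        return NULL;                 /* declared but unused slot */
    return &v->procs[idx];
}

/* Returns 1 when the declared count matches the real table length,
 * the property the fix restores. */
int version_count_consistent(const version_desc *v, size_t real_len) {
    return v->nrprocs == real_len;
}

#define UMNT_PROC 3

int main(void) {
    const procinfo *p = lookup_proc(&buggy_version, UMNT_PROC);
    printf("buggy descriptor (nrprocs=%u): UMNT -> %s\n",
           buggy_version.nrprocs, p ? p->name : "rejected, index >= nrprocs");
    p = lookup_proc(&fixed_version, UMNT_PROC);
    printf("fixed descriptor (nrprocs=%u): UMNT -> %s\n",
           fixed_version.nrprocs, p ? p->name : "rejected");
    return 0;
}
```

The point of `ARRAY_SIZE` in the corrected descriptor is that the count and the table are one declaration, so a later entry appended at index 3 is automatically covered; the `idx >= nrprocs` check in the lookup is the defensive complement, turning a silent out-of-range access into a visible failure.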