@@ -809,6 +809,15 @@ fastcall NORET_TYPE void do_exit(long code)
+ * If do_exit is called because this processes oopsed, it's possible
+ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
+ * continuing. Amongst other possible reasons, this is to prevent
+ * mm_release()->clear_child_tid() from writing to a user-controlled
+ * kernel address.
* We're taking recursive faults here in do_exit. Safest is to just
* leave this task alone and wait for reboot.