Message ID | 1298918455-17633-4-git-send-email-brad.figg@canonical.com |
---|---|
State | Accepted |
Headers | show |
diff --git a/kernel/exit.c b/kernel/exit.c index b64937a..69f4445 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -907,6 +907,15 @@ NORET_TYPE void do_exit(long code) if (unlikely(!tsk->pid)) panic("Attempted to kill the idle task!"); + /* + * If do_exit is called because this processes oopsed, it's possible + * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before + * continuing. Amongst other possible reasons, this is to prevent + * mm_release()->clear_child_tid() from writing to a user-controlled + * kernel address. + */ + set_fs(USER_DS); + tracehook_report_exit(&code); /*