Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull kthread fix from Thomas Gleixner:
"A single fix which prevents a use after free when kthread fork fails"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
kthread: Fix use-after-free if kthread fork fails

+12 -5
+12 -5
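--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1577,6 +1577,18 @@
 if (!p)
 goto fork_out;
 
+/*
+ * This _must_ happen before we call free_task(), i.e. before we jump
+ * to any of the bad_fork_* labels. This is to avoid freeing
+ * p->set_child_tid which is (ab)used as a kthread's data pointer for
+ * kernel threads (PF_KTHREAD).
+ */
+p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
+/*
+ * Clear TID on mm_release()?
+ */
+p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
+
 ftrace_graph_init_task(p);
 
 rt_mutex_init_task(p);
@@ -1755,11 +1743,6 @@
 }
 }
 
-p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
-/*
- * Clear TID on mm_release()?
- */
-p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
 #ifdef CONFIG_BLOCK
 p->plug = NULL;
 #endif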
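Review bot: The correctness of the moved assignment in the first hunk depends on an ordering invariant between copy_process() and free_task() that is recorded only in this comment on the producer side; the consumer that reads p->set_child_tid as a kthread data pointer during free_task() (presumably the kthread teardown helper) should carry the matching note, otherwise a later reorder of the early-failure labels can silently reintroduce the use-after-free without any warning at the read site. I would add there something like `/* Valid even when copy_process() bails out early: set_child_tid is assigned before any bad_fork_* label is reachable, see copy_process(). */`. The carried-over comment `Clear TID on mm_release()?` is a question rather than a statement; since the move makes it appear next to the new invariant comment, it should either state the behaviour or be dropped. copy_process() starts and ends outside both hunks, so whether any earlier failure path between the dup_task_struct() check and this point frees p is not visible here; that is worth confirming.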