mm/sharepool: Fix double delete list in sp_group_exit
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6 -------------------------------- There is a double delete list problem in sp_group_exit Unable to handle kernel paging request at virtual address dead000000000108 Call trace: sp_group_exit+0x104/0x238 do_exit+0x188/0xb88 __arm64_sys_exit+0x24/0x28 Calls to sp_group_exit depends on the value of group_dead, which is controlled by CLONE_THREAD. If process A clone B with CLONE_VM and *NO* CLONE_THREAD. A and B will have group_dead = 1 and have the same mm_struct on exit. So sp_group_exit processes an mm_struct more than once. To sovle the problem, we check the tgid in sp_group_exit and allow only the parent process to continue. Similar check should be added in mg_sp_group_add/del_task. Signed-off-by:Wang Wensheng <wangwensheng4@huawei.com>
Loading
Please sign in to comment