ANDROID: mm/oom_kill: fix task_struct refcount_t: underflow;
use-after-free.
__wake_oom_reaper() is supposed to be called after get_task_struct()
and oom_reap_task() will later drop that reference. Therefore
add_to_oom_reaper() should not drop the reference count itself,
unless someone else already queued the same task for reaping.
Bug: 265591293
Fixes: 561fe20b66 ("ANDROID: signal: Add vendor hook for memory reaping")
Change-Id: I4ed7f4bbac46552671de76aa1a212bec8b35144c
Signed-off-by: Hailong.Liu <liuhailong@oppo.com>
committed by
Suren Baghdasaryan
parent
2f40ae382f
commit
016d61094b
@@ -1277,12 +1277,13 @@ void add_to_oom_reaper(struct task_struct *p)
|
||||
p = find_lock_task_mm(p);
|
||||
if (!p)
|
||||
return;
|
||||
|
||||
get_task_struct(p);
|
||||
if (task_will_free_mem(p)) {
|
||||
__mark_oom_victim(p);
|
||||
__wake_oom_reaper(p);
|
||||
if (!test_and_set_bit(MMF_OOM_REAP_QUEUED,
|
||||
&p->signal->oom_mm->flags)) {
|
||||
get_task_struct(p);
|
||||
__wake_oom_reaper(p);
|
||||
}
|
||||
}
|
||||
task_unlock(p);
|
||||
put_task_struct(p);
|
||||
}
|
||||
|
||||
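Review bot: The inner `get_task_struct(p)` placed just before `__wake_oom_reaper(p)` on the new side is the reference that, per the commit message, oom_reap_task() later drops, while the outer get/put pair around the body only covers this function; nothing in the code records that ownership transfer, and two adjacent get_task_struct() calls on the same task read like a copy-paste slip without it. I would add `/* Reference for the reaper; dropped by oom_reap_task() once it is done. */` above the inner call. The new test_and_set_bit() dereferences `p->signal->oom_mm` immediately after `__mark_oom_victim(p)`, which appears to rely on __mark_oom_victim() having published oom_mm (not visible in the hunk), so a line such as `/* oom_mm is set by __mark_oom_victim() above */` would document that ordering dependency. The function's signature and opening brace lie before the hunk.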