On 05/20, Minchan Kim wrote:
>
> + rcu_read_lock();
> + tsk = pid_task(pid, PIDTYPE_PID);
> + if (!tsk) {
> + rcu_read_unlock();
> + goto err;
> + }
> + get_task_struct(tsk);
> + rcu_read_unlock();
> + mm = mm_access(tsk, PTRACE_MODE_ATTACH_REALCREDS);
> + if (!mm || IS_ERR(mm)) {
> + ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> + if (ret == -EACCES)
> + ret = -EPERM;
> + goto err;
> + }
> + ret = madvise_core(tsk, start, len_in, behavior);

IIUC, madvise_core(tsk) plays with tsk->mm->mmap_sem. But this tsk can exit
and nullify its ->mm right after mm_access() succeeds.

Another problem is that pid_task(pid) can return a zombie leader; in this case
mm_access() will fail while it shouldn't.

Oleg.
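Review bot: the mm that mm_access() returns with a reference held is only used as an access check; madvise_core(tsk, start, len_in, behavior) is then called with the task, and nothing on the visible path drops the mm reference again. Pass `mm` into madvise_core() instead of `tsk` so the work is done on the mm the caller actually holds, and mmput() it once madvise_core() returns (also on the failure path). The err label is not in this hunk; it needs a put_task_struct() for the get_task_struct(tsk) taken after pid_task(), but only on the paths that reach it after that call, not on the `!tsk` path.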
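The lifetime problem in the reply above, modelled in user space as an added example (this is not kernel code and not part of the patch or the thread): the struct task, struct mm, mm_access(), mmput() and task_exit() below are simplified stand-ins that keep the kernel's reference-counting contract, with mm_users counted by hand and "mmap_sem" reduced to a counter. madvise_via_task() has the shape of the patch, using the mm from mm_access() only as a check and then going through tsk->mm; madvise_via_mm() keeps working on the reference mm_access() handed back. The `race` callback is a constructed hook that lets the caller make the target exit in the window between the two steps.

```c
/* User-space model of the task/mm lifetime contract. Added illustration only:
 * struct task, struct mm, mm_access(), mmput() and task_exit() are simplified
 * stand-ins with the same reference rules as the kernel, not its definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct mm {
    int users;        /* like mm_users: mm_access() takes a ref, mmput() drops it */
    int freed;        /* set once the last reference is gone */
    int locks_taken;  /* stands in for mmap_sem acquisitions, proves work happened */
};

struct task {
    struct mm *mm;    /* the kernel clears this in exit_mm(); tsk->mm is then NULL */
};

/* Stand-in for mm_access(): succeeds only while the task still owns an mm and
 * returns that mm with an extra reference held for the caller. */
static struct mm *mm_access(struct task *tsk)
{
    if (!tsk->mm)
        return NULL;
    tsk->mm->users++;
    return tsk->mm;
}

static void mmput(struct mm *mm)
{
    if (--mm->users == 0)
        mm->freed = 1;
}

/* The target exiting: exit_mm() drops the task's own reference and clears ->mm. */
static void task_exit(struct task *tsk)
{
    struct mm *mm = tsk->mm;
    tsk->mm = NULL;
    mmput(mm);
}

/* Stand-in for down_write(&mm->mmap_sem) ... up_write(&mm->mmap_sem). */
static void do_madvise_on(struct mm *mm)
{
    mm->locks_taken++;
}

/* Shape of the patch: mm_access() is only an access check, the work then goes
 * through tsk->mm. 'race' injects the target exiting in between. */
static int madvise_via_task(struct task *tsk, void (*race)(struct task *))
{
    struct mm *mm = mm_access(tsk);
    if (!mm)
        return -ESRCH;
    if (race)
        race(tsk);
    if (!tsk->mm) {
        /* in the kernel this point is a NULL ->mm dereference; report it instead */
        mmput(mm);
        return -EFAULT;
    }
    do_madvise_on(tsk->mm);
    mmput(mm);
    return 0;
}

/* The safe form: keep using the mm that mm_access() returned and release it
 * afterwards; the target exiting in the window no longer matters. */
static int madvise_via_mm(struct task *tsk, void (*race)(struct task *))
{
    struct mm *mm = mm_access(tsk);
    if (!mm)
        return -ESRCH;
    if (race)
        race(tsk);
    do_madvise_on(mm);
    mmput(mm);
    return 0;
}

/* Constructed scenario: one task owning one mm (users == 1 is the task's own ref).
 * The final state of the mm is copied into last_mm so callers can inspect it. */
static struct mm last_mm;

static int run_scenario(int (*op)(struct task *, void (*)(struct task *)),
                        int target_exits)
{
    struct mm mm = { .users = 1, .freed = 0, .locks_taken = 0 };
    struct task tsk = { .mm = &mm };
    int ret = op(&tsk, target_exits ? task_exit : NULL);
    last_mm = mm;
    return ret;
}

int main(void)
{
    printf("via tsk->mm, target exits: ret=%d locks=%d freed=%d\n",
           run_scenario(madvise_via_task, 1), last_mm.locks_taken, last_mm.freed);
    printf("via mm ref,  target exits: ret=%d locks=%d freed=%d\n",
           run_scenario(madvise_via_mm, 1), last_mm.locks_taken, last_mm.freed);
    return 0;
}
```

In the exiting case the tsk->mm path never gets to take the lock and would have dereferenced NULL in the kernel, while the mm-reference path does its work and the mm is freed only when the last holder calls mmput(). The zombie-leader point in the reply is a separate issue (a leader whose ->mm is already gone while other threads still hold the mm) and is not modelled here.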