On 08/23, Eric Biggers wrote:
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> write killable") made it possible to kill a forking task while it is
> waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> was overlooked that this introduced a new error path before a reference
> is taken on the mm_struct's ->exe_file.

Hmm. Unless I am totally confused, the same problem with mm->exol_area?

I'll recheck....

> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> mm_init_cpumask(mm);
> mm_init_aio(mm);
> mm_init_owner(mm, p);
> + RCU_INIT_POINTER(mm->exe_file, NULL);

Can't we simply move

	RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));

from dup_mmap() here? Afaics this doesn't need mmap_sem.

Good catch!

Oleg.
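Review bot: the added `+ RCU_INIT_POINTER(mm->exe_file, NULL);` in mm_init() leaves ->exe_file initialised in two places, since dup_mmap() still performs `RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));` after the killable mmap_sem wait. Either move that reference-taking assignment into mm_init() as well (it does not depend on mmap_sem), so there is one initialisation and no window between them, or add a comment on the NULL initialisation stating that it must run before any error path that can reach mmput(), so a later cleanup does not undo the fix.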
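The bug class discussed in this thread, as an added toy model in C; this is not kernel code and not part of the patch. It assumes the shape of the real path (the child mm_struct starts as a wholesale copy of the parent, so ->exe_file already holds the parent's pointer without a reference, and mmput() on the error path calls fput() on it) and uses simplified stand-ins: `struct file`, `struct mm`, `dup_mm_model()` and `refcount_after_killed_fork()` are invented names for illustration.

```c
/*
 * Added example (not kernel code): a toy model of an error path that runs
 * before a refcounted pointer has been re-taken for the copy.
 */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

struct file {
    int refcount;            /* number of holders of this file */
};

struct mm {
    struct file *exe_file;   /* copied from the parent by memcpy() below */
    int other_state;
};

static void get_file(struct file *f) { f->refcount++; }
static void fput(struct file *f) { f->refcount--; }

/* Drop the mm's reference on exe_file, if it holds one (stand-in for mmput()). */
static void mmput_model(struct mm *mm)
{
    if (mm->exe_file)
        fput(mm->exe_file);
}

/*
 * Stand-in for dup_mm(): copy the parent, then run the fork path. 'killed'
 * models a fatal signal arriving while waiting for mmap_sem, i.e. the error
 * path that exists before the child has taken its own exe_file reference.
 * 'init_null' models the patch: clear the copied pointer during init.
 */
static int dup_mm_model(struct mm *newmm, struct mm *oldmm,
                        bool init_null, bool killed)
{
    memcpy(newmm, oldmm, sizeof(*newmm));      /* exe_file now aliases the parent's */
    if (init_null)
        newmm->exe_file = NULL;                /* the fix: no reference, so nothing to put */
    if (killed) {
        mmput_model(newmm);                    /* without the fix: puts a reference never taken */
        return -1;
    }
    /* Normal path: take the child's own reference before any later cleanup. */
    newmm->exe_file = oldmm->exe_file;
    if (newmm->exe_file)
        get_file(newmm->exe_file);
    return 0;
}

/* Run the killed error path and return the parent's file refcount afterwards. */
static int refcount_after_killed_fork(bool with_fix)
{
    struct file exe = { .refcount = 1 };                   /* parent's single reference */
    struct mm parent = { .exe_file = &exe, .other_state = 42 };
    struct mm child;
    dup_mm_model(&child, &parent, with_fix, true);
    return exe.refcount;                                   /* 1 = balanced, 0 = over-release */
}

/* Run the normal path, then tear the child down; the count must return to 1. */
static int refcount_after_normal_fork(bool with_fix)
{
    struct file exe = { .refcount = 1 };
    struct mm parent = { .exe_file = &exe, .other_state = 42 };
    struct mm child;
    dup_mm_model(&child, &parent, with_fix, false);
    mmput_model(&child);
    return exe.refcount;
}
```

The unfixed killed path returns 0: the child's cleanup drops the parent's only reference, which is the use-after-free setup the commit message describes. With the pointer cleared during init, the same path leaves the count at 1, and the normal path is unaffected either way.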