@@ -903,6 +903,15 @@ NORET_TYPE void do_exit(long code)
panic("Attempted to kill the idle task!");
+ * If do_exit is called because this processes oopsed, it's possible
+ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
+ * continuing. Amongst other possible reasons, this is to prevent
+ * mm_release()->clear_child_tid() from writing to a user-controlled
+ * kernel address.