From 51ec83132ab250883b0a1393dd73cbfdb92226cb Mon Sep 17 00:00:00 2001
From: Hong-Mei Li <a21834@motorola.com>
Date: Wed, 3 Jun 2015 14:28:48 -0700
Subject: kernel: avoid adding non-thread-group task to LMK rbtree

To maintain the task adj RB tree, we add a task to the RB tree when fork,
and delete it when exit. The place is exactly the same as the linear
p->tasks list, only when the task is thread_group_leader.

But to handle the oom_score_adj change case, which did not check the
thread_group_leader, we may del/add a non-leader task to the RB tree.
Finally leave the task in the RB tree, since we would not really delete
a non-leader task from the tree. The orphan task would finally be freed,
and cause later use-after-free panic when accessing RB tree.

Solution:
Move the rbtree adj_node to signal_struct, which is shared between
task and all threads. This can make sure we only add one node for
a thread group.

Change-Id: I1e8dfe490656408863b3726c7bc9e4ee6dc5abc1
Signed-off-by: Hong-Mei Li <a21834@motorola.com>
Reviewed-on: http://gerrit.mot.com/754224
SLTApproved: Slta Waiver <sltawvr@motorola.com>
SME-Granted: SME Approvals Granted
Tested-by: Jira Key <jirakey@motorola.com>
Reviewed-by: Zhi-Ming Yuan <a14194@motorola.com>
Reviewed-by: Yi-Wei Zhao <gbjc64@motorola.com>
Submit-Approved: Jira Key <jirakey@motorola.com>
(cherry picked from commit b3f12a2465542888ec5c868c38022e0e5f7631ca)
Signed-off-by: Abdul Salam <salamab@motorola.com>
Reviewed-on: http://gerrit.mot.com/766108
Reviewed-by: Sudharsan Yettapu <sudharsan.yettapu@motorola.com>
Reviewed-by: Ravikumar Vembu <raviv@motorola.com>
(cherry picked from commit 558ef1fceae5d4c8509cb2a40d98c841525f7ea3)
Reviewed-on: http://gerrit.mot.com/768300

Conflicts:
	kernel/fork.c
---
 kernel/fork.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'kernel')

diff --git a/kernel/fork.c b/kernel/fork.c
index 158ca4f..0400fdf 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1009,6 +1009,10 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
 	sig->oom_score_adj = current->signal->oom_score_adj;
 	sig->oom_score_adj_min = current->signal->oom_score_adj_min;
 
+#ifdef CONFIG_ANDROID_LMK_ADJ_RBTREE
+	RB_CLEAR_NODE(&sig->adj_node);
+#endif
+
 	mutex_init(&sig->cred_guard_mutex);
 
 	return 0;
-- 
cgit v1.1