diff --git a/mm/oom_kill.c b/mm/oom_kill.c
index 4b689dcf65a0482eba21dd8efb88a74826278322..e66ac8a47dd6c3c1cfdeccfc2e710e68902445d8 100644
--- a/mm/oom_kill.c
+++ b/mm/oom_kill.c
@@ -962,6 +962,13 @@ static void oom_kill_process(struct oom_control *oc, const char *message)
 * still freeing memory.
 */
 read_lock(&tasklist_lock);
+
+ /*
+ * The task 'p' might have already exited before reaching here. The
+ * put_task_struct() will free task_struct 'p' while the loop still try
+ * to access the field of 'p', so, get an extra reference.
+ */
+ get_task_struct(p);
 for_each_thread(p, t) {
 list_for_each_entry(child, &t->children, sibling) {
 unsigned int child_points;
@@ -981,6 +988,7 @@ static void oom_kill_process(struct oom_control *oc, const char *message)
 }
 }
 }
+ put_task_struct(p);
 read_unlock(&tasklist_lock);
 /*
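Review bot: The comment added above `get_task_struct(p)` in the first hunk does not say which `put_task_struct()` it means, and no such call is visible in either hunk; presumably it is one in the loop body elided between the two hunks. Naming the location makes the use-after-free being prevented easier to audit, for example `/* A put_task_struct() inside the loop below may drop the last reference to 'p' while for_each_thread(p, t) is still walking it; hold an extra reference until the loop ends. */`. The body of oom_kill_process starts and ends outside the hunk, so the exact call site should be confirmed against the full function.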
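Review bot: In the second hunk `put_task_struct(p)` runs before `read_unlock(&tasklist_lock)`, so if it happens to drop the last reference, the task_struct release path executes with tasklist_lock read-held. The extra reference only has to outlive the `for_each_thread()` loop, so the order could be `read_unlock(&tasklist_lock);` followed by `put_task_struct(p);`, which keeps the critical section minimal. It is also worth confirming that nothing after this point dereferences `p` unless another reference is still held; the remainder of oom_kill_process is outside the hunk.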