authorMarkus Metzger <>2009-02-11 15:10:27 +0100
committerIngo Molnar <>2009-02-11 15:44:20 +0100
commit9f339e7028e2855717af3193c938f9960ad13b38 (patch)
tree76e0e9181f4ee2b324742d517518e837d5c250bf /mm/mlock.c
parent06eb23b1ba39c61ee5d5faeb42a097635693e370 (diff)
x86, ptrace, mm: fix double-free on race
Ptrace_detach() races with __ptrace_unlink() if the traced task is reaped while detaching. This might cause a double-free of the BTS buffer. Change the ptrace_detach() path to only do the memory accounting in ptrace_bts_detach() and leave freeing the buffer to ptrace_bts_untrace(), which will be called from __ptrace_unlink(). The fix follows a proposal from Oleg Nesterov. Reported-by: Oleg Nesterov <> Signed-off-by: Markus Metzger <> Signed-off-by: Ingo Molnar <>
Diffstat (limited to 'mm/mlock.c')
1 files changed, 6 insertions, 1 deletions
diff --git a/mm/mlock.c b/mm/mlock.c
index 028ec482fdd4..2b57f7e60390 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -657,7 +657,7 @@ void *alloc_locked_buffer(size_t size)
return buffer;
-void free_locked_buffer(void *buffer, size_t size)
+void release_locked_buffer(void *buffer, size_t size)
unsigned long pgsz = PAGE_ALIGN(size) >> PAGE_SHIFT;
@@ -667,6 +667,11 @@ void free_locked_buffer(void *buffer, size_t size)
current->mm->locked_vm -= pgsz;
+void free_locked_buffer(void *buffer, size_t size)
+ release_locked_buffer(buffer, size);
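Review bot: The new ownership split is undocumented at both definitions: `release_locked_buffer()` now only undoes the locked_vm accounting (the `current->mm->locked_vm -= pgsz` line in the second hunk) while the re-added `free_locked_buffer()` wraps it and, presumably, still frees the memory, yet nothing in mlock.c says which caller owns the buffer afterwards, even though a double-free on exactly that boundary is what the commit fixes. I would add above the renamed function `/* Undo the locked_vm accounting for a buffer from alloc_locked_buffer(); the caller keeps ownership and must still free it. */` and above the wrapper `/* Undo the accounting and free the buffer; the caller must not free it again. */`. The rest of `free_locked_buffer()`'s body after the `release_locked_buffer(buffer, size);` call is outside the hunk, as is the tail of `release_locked_buffer()` after the accounting line, so I cannot confirm from this page that the free itself happens only once. The header that declares `free_locked_buffer()` is not in this diff either; if `release_locked_buffer()` is meant to be called from the ptrace code it likely needs a prototype there as well.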