[PATCH] do_fork() error path memory leak

From: <john.l.byrne@hp.com> In do_fork(), if an error occurs after the mm_struct for the child has been allocated, it is never freed. The exit_mm() meant to free it increments the mm_count and this count is never decremented. (For a running process that is exitting, schedule() takes care this; however, the child process being cleaned up is not running.) In the CLONE_VM case, the parent's mm_struct will get an extra mm_count and so it will never be freed. This patch should fix both the CLONE_VM and the not CLONE_VM case; the test of p->active_mm prevents a panic in the case that a kernel-thread is being cloned.

[PATCH] do_fork() error path memory leak
From: <john.l.byrne@hp.com> In do_fork(), if an error occurs after the mm_struct for the child has been allocated, it is never freed. The exit_mm() meant to free it increments the mm_count and this count is never decremented. (For a running process that is exitting, schedule() takes care this; however, the child process being cleaned up is not running.) In the CLONE_VM case, the parent's mm_struct will get an extra mm_count and so it will never be freed. This patch should fix both the CLONE_VM and the not CLONE_VM case; the test of p->active_mm prevents a panic in the case that a kernel-thread is being cloned.
23868940 · Andrew Morton · Linus Torvalds · 94ce3185 · 23868940
Commit 23868940 authored Apr 12, 2004 by Andrew Morton Committed by Linus Torvalds Apr 12, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

kernel/fork.c kernel/fork.c +2 -0

No files found.
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1086,6 +1086,8 @@ struct task_struct *copy_process(unsigned long clone_flags,
 	exit_namespace(p);
 bad_fork_cleanup_mm:
 	exit_mm(p);
+	if (p->active_mm)
+		mmdrop(p->active_mm);
 bad_fork_cleanup_signal:
 	exit_signal(p);
 bad_fork_cleanup_sighand: