x86, ptrace, mm: fix double-free on race Ptrace_detach() races with __ptrace_unlink() if the traced task is reaped while detaching. This might cause a double-free of the BTS buffer. Change the ptrace_detach() path to only do the memory accounting in ptrace_bts_detach() and leave the buffer free to ptrace_bts_untrace() which will be called from __ptrace_unlink(). The fix follows a proposal from Oleg Nesterov. Reported-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Markus Metzger <markus.t.metzger@intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>

commit: 9f339e7028e2855717af3193c938f9960ad13b38 [log] [tgz]
author: Markus Metzger <markus.t.metzger@intel.com> Wed Feb 11 15:10:27 2009 +0100
committer: Ingo Molnar <mingo@elte.hu> Wed Feb 11 15:44:20 2009 +0100
tree: 76e0e9181f4ee2b324742d517518e837d5c250bf
parent: 06eb23b1ba39c61ee5d5faeb42a097635693e370 [diff] [blame]
diff --git a/mm/mlock.c b/mm/mlock.c
index 028ec48..2b57f7e 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c

@@ -657,7 +657,7 @@
 	return buffer;
 }
 
-void free_locked_buffer(void *buffer, size_t size)
+void release_locked_buffer(void *buffer, size_t size)
 {
 	unsigned long pgsz = PAGE_ALIGN(size) >> PAGE_SHIFT;
 
@@ -667,6 +667,11 @@
 	current->mm->locked_vm -= pgsz;
 
 	up_write(&current->mm->mmap_sem);
+}
+
+void free_locked_buffer(void *buffer, size_t size)
+{
+	release_locked_buffer(buffer, size);
 
 	kfree(buffer);
 }
commit	9f339e7028e2855717af3193c938f9960ad13b38	[log] [tgz]
author	Markus Metzger <markus.t.metzger@intel.com>	Wed Feb 11 15:10:27 2009 +0100
committer	Ingo Molnar <mingo@elte.hu>	Wed Feb 11 15:44:20 2009 +0100
tree	76e0e9181f4ee2b324742d517518e837d5c250bf
parent	06eb23b1ba39c61ee5d5faeb42a097635693e370 [diff] [blame]