[PATCH] Still a mm bug in the fork error path

From: John Byrne
Date: Tue Oct 12 2004 - 18:31:43 EST



About a month ago, the thread "[no patch] broken use of mm_release / activate_mm" ("http://marc.theaimsgroup.com/?t=109510277700003&r=1&w=2";) ended up with the following patch being applied to fork.c:

@@ -1104,9 +1146,7 @@
bad_fork_cleanup_namespace:
exit_namespace(p);
bad_fork_cleanup_mm:
- exit_mm(p);
- if (p->active_mm)
- mmdrop(p->active_mm);
+ mmput(p->mm);
bad_fork_cleanup_signal:
exit_signal(p);
bad_fork_cleanup_sighand:

However, the new code will panic if the thread being forked is a process with a NULL mm. It looks very unlikely to be hit in the real world, but it is possible. (My modified kernel makes it much more likely which is how I found it.) The attached patch is against 2.6.9-rc4. This time for sure!

John Byrne






diff -Nar -U4 linux-2.6.9-rc4/kernel/fork.c new/kernel/fork.c
--- linux-2.6.9-rc4/kernel/fork.c 2004-10-12 16:18:03.661895647 -0700
+++ new/kernel/fork.c 2004-10-12 15:59:14.287779998 -0700
@@ -1145,9 +1145,10 @@

bad_fork_cleanup_namespace:
exit_namespace(p);
bad_fork_cleanup_mm:
- mmput(p->mm);
+ if (p->mm)
+ mmput(p->mm);
bad_fork_cleanup_signal:
exit_signal(p);
bad_fork_cleanup_sighand:
exit_sighand(p);