Could someone please double-check this? From: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Subject: fs/exec.c: fix minor memory leak When the to-be-removed argument's trailing '\0' is the final byte in the page, remove_arg_zero()'s logic will avoid freeing the page, will break from the loop and will then advance bprm->p to point at the first byte in the next page. Net result: the final page for the zeroeth argument is unfreed. It isn't a very important leak - that page will be freed later by the bprm-wide sweep in free_arg_pages(). Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116841 Reported by: hujunjie <jj.net@xxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/exec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff -puN fs/exec.c~fs-execc-fix-minor-memory-leak fs/exec.c --- a/fs/exec.c~fs-execc-fix-minor-memory-leak +++ a/fs/exec.c @@ -1482,8 +1482,15 @@ int remove_arg_zero(struct linux_binprm kunmap_atomic(kaddr); put_arg_page(page); - if (offset == PAGE_SIZE) + if (offset == PAGE_SIZE) { free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1); + } else if (offset == PAGE_SIZE - 1) { + /* + * The trailing '\0' is the last byte in a page - we're + * about to advance past that byte so free its page now + */ + free_arg_page(bprm, (bprm->p >> PAGE_SHIFT)); + } } while (offset == PAGE_SIZE); bprm->p++; _ -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>