authorMike Galbraith <efault@gmx.de>2009-02-11 04:53:37 -0500
committerIngo Molnar <mingo@elte.hu>2009-02-11 05:30:10 -0500
commit5af759176cc767e7426f89764bde4996ebaaf419 (patch)
tree0dcd0dafb569755f96fc6ee99db83259ecf5442c /kernel
parentffc046729381ec039a87dc2c00d2899fcc8785e3 (diff)
perfcounters: fix use after free in perf_release()
running... while true; do foo -d 1 -f 1 -c 100000 & sleep 1 kerneltop -d 1 -f 1 -e 1 -c 25000 -p `pidof foo` done while true; do killall foo; killall kerneltop; sleep 2 done ...in two shells with SLUB_DEBUG enabled produces flood of: BUG task_struct: Poison overwritten. Fix the use-after-free bug in perf_release(). Signed-off-by: Mike Galbraith <efault@gmx.de> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/perf_counter.c2
1 files changed, 1 insertions, 1 deletions
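diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index 89d5e3fe9700..e0576c3fdb50 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -1145,12 +1145,12 @@ static int perf_release(struct inode *inode, struct file *file)
 	mutex_lock(&counter->mutex);
 
 	perf_counter_remove_from_context(counter);
-	put_context(ctx);
 
 	mutex_unlock(&counter->mutex);
 	mutex_unlock(&ctx->mutex);
 
 	kfree(counter);
+	put_context(ctx);
 
 	return 0;
 }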
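Review bot: The ordering this fix depends on, `put_context(ctx)` only after `mutex_unlock(&ctx->mutex)`, is not recorded in the new code, so a later cleanup could move the call back into the locked region and reintroduce the use-after-free. A one-line comment above the call would pin it, for example `/* drop the ctx reference last: ctx must not be dereferenced after this */`. Going by the SLUB report in the commit message (poisoned task_struct), the context presumably lives in memory that put_context() can release, but that is not visible in this hunk. perf_release() begins above the hunk, so the ctx lookup and the matching `mutex_lock(&ctx->mutex)` could not be checked here.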