diff options
author | Mike Galbraith <efault@gmx.de> | 2009-02-11 04:53:37 -0500 |
---|---|---|
committer | Ingo Molnar <mingo@elte.hu> | 2009-02-11 05:30:10 -0500 |
commit | 5af759176cc767e7426f89764bde4996ebaaf419 (patch) | |
tree | 0dcd0dafb569755f96fc6ee99db83259ecf5442c /kernel | |
parent | ffc046729381ec039a87dc2c00d2899fcc8785e3 (diff) |
perfcounters: fix use after free in perf_release()
running...
while true; do
foo -d 1 -f 1 -c 100000 & sleep 1
kerneltop -d 1 -f 1 -e 1 -c 25000 -p `pidof foo`
done
while true; do
killall foo; killall kerneltop; sleep 2
done
...in two shells with SLUB_DEBUG enabled produces flood of:
BUG task_struct: Poison overwritten.
Fix the use-after-free bug in perf_release().
Signed-off-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/perf_counter.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c index 89d5e3fe9700..e0576c3fdb50 100644 --- a/kernel/perf_counter.c +++ b/kernel/perf_counter.c | |||
@@ -1145,12 +1145,12 @@ static int perf_release(struct inode *inode, struct file *file) | |||
1145 | mutex_lock(&counter->mutex); | 1145 | mutex_lock(&counter->mutex); |
1146 | 1146 | ||
1147 | perf_counter_remove_from_context(counter); | 1147 | perf_counter_remove_from_context(counter); |
1148 | put_context(ctx); | ||
1149 | 1148 | ||
1150 | mutex_unlock(&counter->mutex); | 1149 | mutex_unlock(&counter->mutex); |
1151 | mutex_unlock(&ctx->mutex); | 1150 | mutex_unlock(&ctx->mutex); |
1152 | 1151 | ||
1153 | kfree(counter); | 1152 | kfree(counter); |
1153 | put_context(ctx); | ||
1154 | 1154 | ||
1155 | return 0; | 1155 | return 0; |
1156 | } | 1156 | } |