Peter Zijlstra writes:
> static struct perf_counter_context *perf_pin_task_context(struct task_struct *task)
> {
> struct perf_counter_context *ctx;
> unsigned long flags;
>
> ctx = perf_lock_task_context(task, &flags);
> if (ctx) {
> ++ctx->pin_count;
> get_ctx(ctx);
> spin_unlock_irqrestore(&ctx->lock, flags);
> }
> return ctx;
> }
>
> Is buggy because perf_lock_task_context() can return a dead context.
>
> the RCU read lock in perf_lock_task_context() only guarantees the memory
> won't get freed, it doesn't guarantee the object is valid (in our case
> refcount > 0).
>
> Therefore we can return a locked object that can get freed the moment we
> release the rcu read lock.
>
> perf_pin_task_context() then increases the refcount and does an unlock
> on freed memory.
>
> That increased refcount will cause a double free, in case it started out
> with 0.
Wow, good catch! Thanks for finding that.
Paul.
--
To unsubscribe from this list: send the line "unsubscribe linux-tip-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
|