authorMike Galbraith <efault@gmx.de>2009-02-11 10:53:37 +0100
committerIngo Molnar <mingo@elte.hu>2009-02-11 11:30:10 +0100
commit5af759176cc767e7426f89764bde4996ebaaf419 (patch)
tree0dcd0dafb569755f96fc6ee99db83259ecf5442c /kernel/perf_counter.c
parentffc046729381ec039a87dc2c00d2899fcc8785e3 (diff)
perfcounters: fix use after free in perf_release()
running...

while true; do
  foo -d 1 -f 1 -c 100000 & sleep 1
  kerneltop -d 1 -f 1 -e 1 -c 25000 -p `pidof foo`
done

while true; do
  killall foo; killall kerneltop; sleep 2
done

...in two shells with SLUB_DEBUG enabled produces flood of:

BUG task_struct: Poison overwritten.

Fix the use-after-free bug in perf_release().

Signed-off-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Diffstat (limited to 'kernel/perf_counter.c')
-rw-r--r--kernel/perf_counter.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index 89d5e3fe9700..e0576c3fdb50 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -1145,12 +1145,12 @@ static int perf_release(struct inode *inode, struct file *file)
mutex_lock(&counter->mutex);
perf_counter_remove_from_context(counter);
- put_context(ctx);
mutex_unlock(&counter->mutex);
mutex_unlock(&ctx->mutex);
kfree(counter);
+ put_context(ctx);
return 0;
}
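Review bot: The relocated `put_context(ctx)` at the end of the hunk now carries an ordering requirement that nothing in the code records: it has to stay after `mutex_unlock(&ctx->mutex)`. Judging by the "BUG task_struct: Poison overwritten" report in the description, dropping the context reference can release the memory that holds ctx, so any later access to ctx would be a use-after-free; that lifetime is inferred, not visible in these lines. I would add a comment directly above the call, e.g. `/* put_context() may drop the last reference keeping ctx alive; do not touch ctx or ctx->mutex after this */`, so a later cleanup does not move it back next to perf_counter_remove_from_context(). The body of perf_release() starts outside the hunk, so how ctx is obtained cannot be checked here.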