    perf_counter: Close race in perf_lock_task_context() · b49a9e7e
    Peter Zijlstra authored
    perf_lock_task_context() is buggy because it can return a dead
    context.
    
    The RCU read lock in perf_lock_task_context() only guarantees
    the memory won't get freed, it doesn't guarantee the object is
    valid (in our case refcount > 0).
    
    Therefore we can return a locked object that can get freed the
    moment we release the rcu read lock.
    
    perf_pin_task_context() then increases the refcount and does an
    unlock on freed memory.
    
    That increased refcount will cause a double free, in case it
    started out with 0.
    
    Amend this by including the get_ctx() functionality in
    perf_lock_task_context() (all users already did this later
    anyway), and return a NULL context when the found one is
    already dead.
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    LKML-Reference: <new-submission>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
perf_counter.c 102 KB
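The race the commit message describes (an RCU read lock keeps the memory mapped but says nothing about whether the object's refcount is still above zero, so a blind increment can resurrect a dead object and end in a double free) is easier to see in a small user-space model. The following is an added example written for this page, not kernel code and not the commit's diff: `struct ctx`, `ctx_get_unless_zero()`, `lookup_and_pin()` and `buggy_get()` are hypothetical names, and the "RCU" section is just a comment marking where the read-side critical section would sit. It contrasts the unconditional increment with a get-unless-zero that refuses dead objects and makes the lookup return NULL, which is the shape of the fix described above.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-task context object.  Only the refcount
 * matters for this example; a real context would also carry a lock and
 * the lists of counters it owns. */
struct ctx {
    atomic_int refcount;   /* 0 means "dead": the last reference is gone */
    int id;
};

/* Increment the refcount only if it is currently non-zero.  This is the
 * contract of the kernel's atomic_inc_not_zero(): an increment on a 0
 * count would hand out a "reference" to an object whose teardown has
 * already begun, and dropping that reference later frees it a second time. */
static bool ctx_get_unless_zero(struct ctx *c)
{
    int old = atomic_load(&c->refcount);
    while (old != 0) {
        /* On failure 'old' is refreshed with the current value; retry. */
        if (atomic_compare_exchange_weak(&c->refcount, &old, old + 1))
            return true;
    }
    return false;          /* object is dead; caller must not touch it */
}

/* Drop a reference; returns true if this was the last one (owner frees). */
static bool ctx_put(struct ctx *c)
{
    return atomic_fetch_sub(&c->refcount, 1) == 1;
}

/* Model of the fixed lookup.  Under an RCU-style read lock the memory
 * behind 'found' cannot be freed while we look, but the object itself may
 * already be dead, so we pin it before returning and report NULL when the
 * refcount was already 0. */
static struct ctx *lookup_and_pin(struct ctx *found)
{
    if (found == NULL)
        return NULL;
    /* rcu_read_lock() would go here */
    if (!ctx_get_unless_zero(found))
        found = NULL;      /* found a dead context: treat as "none" */
    /* rcu_read_unlock() would go here; a non-NULL result is now pinned */
    return found;
}

/* The buggy pattern from the description: increment unconditionally after
 * the lookup.  Kept only for comparison; returns the new count. */
static int buggy_get(struct ctx *c)
{
    return atomic_fetch_add(&c->refcount, 1) + 1;
}

/* Helpers that build a context with a constructed starting refcount and
 * report what each pattern does to it, so the outcome can be checked. */
static int pin_result(int initial)
{
    struct ctx c = { .refcount = initial, .id = 0 };
    struct ctx *p = lookup_and_pin(&c);
    return p ? atomic_load(&c.refcount) : -1;   /* -1: lookup refused */
}

static int buggy_get_result(int initial)
{
    struct ctx c = { .refcount = initial, .id = 0 };
    return buggy_get(&c);
}

int main(void)
{
    struct ctx live = { .refcount = 1, .id = 1 };   /* constructed: one owner */
    struct ctx dead = { .refcount = 0, .id = 2 };   /* constructed: released */

    struct ctx *p = lookup_and_pin(&live);
    printf("live ctx: pinned=%s refcount=%d\n", p ? "yes" : "no",
           atomic_load(&live.refcount));
    if (p && ctx_put(p))
        printf("live ctx: last reference dropped\n");

    p = lookup_and_pin(&dead);
    printf("dead ctx: pinned=%s refcount=%d\n", p ? "yes" : "no",
           atomic_load(&dead.refcount));

    printf("buggy_get on dead ctx resurrects it to refcount=%d\n",
           buggy_get(&dead));
    return 0;
}
```

The safe lookup returns a refcount of 2 for a live object it pinned and NULL for the dead one, while the buggy pattern happily turns the dead object's count from 0 into 1; the matching put on that bogus reference is the second free the commit message warns about.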