* [PATCH] uprobes: clear extra_consumers before pooling return instances
@ 2026-04-08 10:02 Keenan Dong
0 siblings, 0 replies; only message in thread
From: Keenan Dong @ 2026-04-08 10:02 UTC (permalink / raw)
To: peterz, mingo, acme, namhyung, mhiramat, oleg
Cc: mark.rutland, alexander.shishkin, jolsa, irogers, adrian.hunter,
james.clark, andrii, linux-perf-users, linux-kernel,
linux-trace-kernel, Keenan Dong
ri_pool_push() returns a return_instance to the per-task pool for
later reuse. The pool reset clears cons_cnt, but it leaves
extra_consumers behind.
A reused return_instance can later grow a fresh extra_consumers
array and then reach the cleanup path with a stale pointer from its
previous lifetime, leading to a double free of the recycled object.
Free and clear extra_consumers before putting the instance back into
the pool so every reused entry starts from a clean state.
Fixes: 8622e45b5da1 ("uprobes: Reuse return_instances between multiple uretprobes within task")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
---
kernel/events/uprobes.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 923b24b321cc..24b9884a2667 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1945,6 +1945,8 @@ unsigned long uprobe_get_trap_addr(struct pt_regs *regs)
static void ri_pool_push(struct uprobe_task *utask, struct return_instance *ri)
{
+ kfree(ri->extra_consumers);
+ ri->extra_consumers = NULL;
ri->cons_cnt = 0;
ri->next = utask->ri_pool;
utask->ri_pool = ri;
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-04-08 10:03 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-08 10:02 [PATCH] uprobes: clear extra_consumers before pooling return instances Keenan Dong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox