* [PATCH] perf: Avoid double-free of AUX buffer
@ 2015-07-26 23:31 Ben Hutchings
2015-08-12 12:31 ` [tip:perf/core] perf: Fix double-free of the " tip-bot for Ben Hutchings
0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2015-07-26 23:31 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo; +Cc: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1276 bytes --]
If rb->aux_refcount is decremented to zero before rb->refcount,
__rb_free_aux() may be called twice resulting in a double free of
rb->aux_pages. Fix this by adding a check to __rb_free_aux().
Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Found by inspection, and the fix is compile-tested only.
I think both commit 57ffc5ca679f and this should go to stable, but
that's up to you.
Ben.
kernel/events/ring_buffer.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index b2be01b..c8aa3f7 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -559,11 +559,13 @@ static void __rb_free_aux(struct ring_buffer *rb)
rb->aux_priv = NULL;
}
- for (pg = 0; pg < rb->aux_nr_pages; pg++)
- rb_free_aux_page(rb, pg);
+ if (rb->aux_nr_pages) {
+ for (pg = 0; pg < rb->aux_nr_pages; pg++)
+ rb_free_aux_page(rb, pg);
- kfree(rb->aux_pages);
- rb->aux_nr_pages = 0;
+ kfree(rb->aux_pages);
+ rb->aux_nr_pages = 0;
+ }
}
void rb_free_aux(struct ring_buffer *rb)
--
Ben Hutchings
Any sufficiently advanced bug is indistinguishable from a feature.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
^ permalink raw reply related [flat|nested] 2+ messages in thread* [tip:perf/core] perf: Fix double-free of the AUX buffer
2015-07-26 23:31 [PATCH] perf: Avoid double-free of AUX buffer Ben Hutchings
@ 2015-08-12 12:31 ` tip-bot for Ben Hutchings
0 siblings, 0 replies; 2+ messages in thread
From: tip-bot for Ben Hutchings @ 2015-08-12 12:31 UTC (permalink / raw)
To: linux-tip-commits
Cc: hpa, mingo, ben, linux-kernel, acme, peterz, torvalds,
alexander.shishkin, tglx
Commit-ID: ee9397a6fb9bc4e52677f5e33eed4abee0f515e6
Gitweb: http://git.kernel.org/tip/ee9397a6fb9bc4e52677f5e33eed4abee0f515e6
Author: Ben Hutchings <ben@decadent.org.uk>
AuthorDate: Mon, 27 Jul 2015 00:31:08 +0100
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 12 Aug 2015 11:37:21 +0200
perf: Fix double-free of the AUX buffer
If rb->aux_refcount is decremented to zero before rb->refcount,
__rb_free_aux() may be called twice resulting in a double free of
rb->aux_pages. Fix this by adding a check to __rb_free_aux().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
kernel/events/ring_buffer.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index b2be01b..c8aa3f7 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -559,11 +559,13 @@ static void __rb_free_aux(struct ring_buffer *rb)
rb->aux_priv = NULL;
}
- for (pg = 0; pg < rb->aux_nr_pages; pg++)
- rb_free_aux_page(rb, pg);
+ if (rb->aux_nr_pages) {
+ for (pg = 0; pg < rb->aux_nr_pages; pg++)
+ rb_free_aux_page(rb, pg);
- kfree(rb->aux_pages);
- rb->aux_nr_pages = 0;
+ kfree(rb->aux_pages);
+ rb->aux_nr_pages = 0;
+ }
}
void rb_free_aux(struct ring_buffer *rb)
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-08-12 12:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-07-26 23:31 [PATCH] perf: Avoid double-free of AUX buffer Ben Hutchings
2015-08-12 12:31 ` [tip:perf/core] perf: Fix double-free of the " tip-bot for Ben Hutchings
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox