From: Keenan Dong
To: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, namhyung@kernel.org, mhiramat@kernel.org, oleg@redhat.com
Cc: mark.rutland@arm.com, alexander.shishkin@linux.intel.com, jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com, james.clark@linaro.org, andrii@kernel.org, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Keenan Dong
Subject: [PATCH] uprobes: clear extra_consumers before pooling return instances
Date: Wed, 8 Apr 2026 18:02:47 +0800
Message-ID: <20260408100247.2065245-1-keenanat2000@gmail.com>

ri_pool_push() returns a return_instance to the per-task pool for later
reuse. The pool reset clears cons_cnt, but it leaves extra_consumers
behind. A reused return_instance can later grow a fresh extra_consumers
array and then reach the cleanup path with a stale pointer from its
previous lifetime, leading to a double free of the recycled object.

Free and clear extra_consumers before putting the instance back into the
pool so every reused entry starts from a clean state.

Fixes: 8622e45b5da1 ("uprobes: Reuse return_instances between multiple uretprobes within task")
Reported-by: Keenan Dong
Signed-off-by: Keenan Dong
---
 kernel/events/uprobes.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 923b24b321cc..24b9884a2667 100644
--- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1945,6 +1945,8 @@ unsigned long uprobe_get_trap_addr(struct pt_regs *re= gs) =20 static void ri_pool_push(struct uprobe_task *utask, struct return_instance= *ri) { + kfree(ri->extra_consumers); + ri->extra_consumers =3D NULL; ri->cons_cnt =3D 0; ri->next =3D utask->ri_pool; utask->ri_pool =3D ri; --=20 2.43.0
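Review bot: the two added lines in ri_pool_push() are fine as written (kfree() of a NULL pointer is a no-op, so no guard is needed before `kfree(ri->extra_consumers);`), but the commit message should name the cleanup path that frees extra_consumers a second time and say whether the stale pointer is also handed to the reallocation when the reused instance grows a fresh array, since neither is visible in this hunk and a reviewer cannot verify the double-free claim from the change alone. It is also worth stating the trade-off explicitly: after this change the pool reuses only the return_instance itself, and every reused entry that needs more than one consumer has to allocate a new extra_consumers array, a small allocation cost accepted in exchange for a clean state.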