ri_pool_push() returns a return_instance to the per-task pool for
later reuse. The pool reset clears cons_cnt, but it leaves
extra_consumers behind.
A reused return_instance can later grow a fresh extra_consumers
array and then reach the cleanup path with a stale pointer from its
previous lifetime, leading to a double free of the recycled object.
Free and clear extra_consumers before putting the instance back into
the pool so every reused entry starts from a clean state.
Fixes: 8622e45b5da1 ("uprobes: Reuse return_instances between multiple
uretprobes within task")
Reported-by: Keenan Dong <[email protected]>
Signed-off-by: Keenan Dong <[email protected]>
---
kernel/events/uprobes.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 923b24b321cc..24b9884a2667 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1945,6 +1945,8 @@ unsigned long uprobe_get_trap_addr(struct pt_regs *regs)
static void ri_pool_push(struct uprobe_task *utask, struct return_instance *ri)
{
+ kfree(ri->extra_consumers);
+ ri->extra_consumers = NULL;
ri->cons_cnt = 0;
ri->next = utask->ri_pool;
utask->ri_pool = ri;
--
2.43.0
