On 03/14, Peter Zijlstra wrote:
>
> Yes, this looks buggy. But I cannot explain how that would result in the
> observed use-after-free.

Yes... Suppose that copy_process() fails after perf_event_init_task(). In this case perf_event_free_task() does put_ctx(), but if this ctx has another reference (ctx->refcount > 1) then ctx->task will point to the already freed task; copy_process() does free_task() at the end of the error path. And we can't replace it with put_task_struct().

I am looking at TASK_TOMBSTONE, perhaps perf_event_free_task() should use it too?

Oleg.

