Commit c36d6048 authored May 31, 2022 by Peter Zijlstra Committed by Zheng Zengkai May 31, 2022

perf: Fix sys_perf_event_open() race against self

stable inclusion
from stable-v5.10.118
commit 3ee8e109c3c316073a3e0f83ec0769c7ee8a7375
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I593PQ
CVE: CVE-2022-1729

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3ee8e109c3c316073a3e0f83ec0769c7ee8a7375



--------------------------------

commit 3ac6487e upstream.

Norbert reported that it's possible to race sys_perf_event_open() such
that the looser ends up in another context from the group leader,
triggering many WARNs.

The move_group case checks for races against itself, but the
!move_group case doesn't, seemingly relying on the previous
group_leader->ctx == ctx check. However, that check is racy due to not
holding any locks at that time.

Therefore, re-check the result after acquiring locks and bailing
if they no longer match.

Additionally, clarify the not_move_group case from the
move_group-vs-move_group race.

Fixes: f63a8daa ("perf: Fix event->ctx locking")
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 26eda960

kernel/events/core.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -11897,6 +11897,9 @@ SYSCALL_DEFINE5(perf_event_open,
		* Do not allow to attach to a group in a different task
		* or CPU context. If we're moving SW events, we'll fix
		* this up later, so allow that.
		*
		* Racy, not holding group_leader->ctx->mutex, see comment with
		* perf_event_ctx_lock().
		*/
		if (!move_group && group_leader->ctx != ctx)
		goto err_context;
		@@ -11964,6 +11967,7 @@ SYSCALL_DEFINE5(perf_event_open,
		} else {
		perf_event_ctx_unlock(group_leader, gctx);
		move_group = 0;
		goto not_move_group;
		}
		}

		@@ -11980,7 +11984,17 @@ SYSCALL_DEFINE5(perf_event_open,
		}
		} else {
		mutex_lock(&ctx->mutex);

		/*
		* Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx,
		* see the group_leader && !move_group test earlier.
		*/
		if (group_leader && group_leader->ctx != ctx) {
		err = -EINVAL;
		goto err_locked;
		}
		}
		not_move_group:

		if (ctx->task == TASK_TOMBSTONE) {
		err = -ESRCH;