!2641 Fix CVE-2023-5717 (cfc785ec) · Commits · EulixOS / Software / Kernel

include/linux/perf_event.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -787,6 +787,8 @@ struct perf_event {
		void *security;
		#endif
		struct list_head sb_list;

		KABI_EXTEND(unsigned int group_generation)
		#endif /* CONFIG_PERF_EVENTS */
		};

kernel/events/core.c

+34 −6

Original line number	Diff line number	Diff line
		@@ -1967,6 +1967,7 @@ static void perf_group_attach(struct perf_event *event)

		list_add_tail(&event->sibling_list, &group_leader->sibling_list);
		group_leader->nr_siblings++;
		group_leader->group_generation++;

		perf_event__header_size(group_leader);

		@@ -2159,6 +2160,7 @@ static void perf_group_detach(struct perf_event *event)
		if (leader != event) {
		list_del_init(&event->sibling_list);
		event->group_leader->nr_siblings--;
		event->group_leader->group_generation++;
		goto out;
		}

		@@ -5144,7 +5146,7 @@ static int __perf_read_group_add(struct perf_event *leader,
		u64 read_format, u64 *values)
		{
		struct perf_event_context *ctx = leader->ctx;
		struct perf_event *sub;
		struct perf_event sub, parent;
		unsigned long flags;
		int n = 1; /* skip @nr */
		int ret;
		@@ -5154,6 +5156,33 @@ static int __perf_read_group_add(struct perf_event *leader,
		return ret;

		raw_spin_lock_irqsave(&ctx->lock, flags);
		/*
		* Verify the grouping between the parent and child (inherited)
		* events is still in tact.
		*
		* Specifically:
		* - leader->ctx->lock pins leader->sibling_list
		* - parent->child_mutex pins parent->child_list
		* - parent->ctx->mutex pins parent->sibling_list
		*
		* Because parent->ctx != leader->ctx (and child_list nests inside
		* ctx->mutex), group destruction is not atomic between children, also
		* see perf_event_release_kernel(). Additionally, parent can grow the
		* group.
		*
		* Therefore it is possible to have parent and child groups in a
		* different configuration and summing over such a beast makes no sense
		* what so ever.
		*
		* Reject this.
		*/
		parent = leader->parent;
		if (parent &&
		(parent->group_generation != leader->group_generation \|\|
		parent->nr_siblings != leader->nr_siblings)) {
		ret = -ECHILD;
		goto unlock;
		}

		/*
		* Since we co-schedule groups, {enabled,running} times of siblings
		@@ -5183,8 +5212,9 @@ static int __perf_read_group_add(struct perf_event *leader,
		values[n++] = primary_event_id(sub);
		}

		unlock:
		raw_spin_unlock_irqrestore(&ctx->lock, flags);
		return 0;
		return ret;
		}

		static int perf_read_group(struct perf_event *event,
		@@ -5203,10 +5233,6 @@ static int perf_read_group(struct perf_event *event,

		values[0] = 1 + leader->nr_siblings;

		/*
		* By locking the child_mutex of the leader we effectively
		* lock the child list of all siblings.. XXX explain how.
		*/
		mutex_lock(&leader->child_mutex);

		ret = __perf_read_group_add(leader, read_format, values);
		@@ -12778,6 +12804,8 @@ static int inherit_group(struct perf_event *parent_event,
		!perf_get_aux_event(child_ctr, leader))
		return -EINVAL;
		}
		if (leader)
		leader->group_generation = parent_event->group_generation;
		return 0;
		}