[linux] 03/10: perf: Fix race in swevent hash (CVE-2015-8963)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Dec 28 20:44:02 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 31069ba3b42613ea9df3d07c62eab4603f2b5a1d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 28 16:21:16 2016 +0000
perf: Fix race in swevent hash (CVE-2015-8963)
---
debian/changelog | 1 +
.../bugfix/all/perf-fix-race-in-swevent-hash.patch | 92 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 94 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1fde1c3..8e37247 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -103,6 +103,7 @@ linux (3.2.84-1) UNRELEASED; urgency=medium
* net: cleanups in sock_setsockopt() (CVE-2012-6704)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
* sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
+ * perf: Fix race in swevent hash (CVE-2015-8963)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 28 Nov 2016 18:43:52 +0000
diff --git a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
new file mode 100644
index 0000000..a48ac54
--- /dev/null
+++ b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
@@ -0,0 +1,92 @@
+From: Peter Zijlstra <peterz at infradead.org>
+Date: Tue, 15 Dec 2015 13:49:05 +0100
+Subject: perf: Fix race in swevent hash
+Origin: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8963
+
+There's a race on CPU unplug where we free the swevent hash array
+while it can still have events on. This will result in a
+use-after-free which is BAD.
+
+Simply do not free the hash array on unplug. This leaves the thing
+around and no use-after-free takes place.
+
+When the last swevent dies, we do a for_each_possible_cpu() iteration
+anyway to clean these up, at which time we'll free it, so no leakage
+will occur.
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Tested-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: Jiri Olsa <jolsa at redhat.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Stephane Eranian <eranian at google.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Vince Weaver <vincent.weaver at maine.edu>
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ kernel/events/core.c | 20 +-------------------
+ 1 file changed, 1 insertion(+), 19 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4958,9 +4958,6 @@ struct swevent_htable {
+
+ /* Recursion avoidance in each contexts */
+ int recursion[PERF_NR_CONTEXTS];
+-
+- /* Keeps track of cpu being initialized/exited */
+- bool online;
+ };
+
+ static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
+@@ -5203,14 +5200,8 @@ static int perf_swevent_add(struct perf_
+ hwc->state = !(flags & PERF_EF_START);
+
+ head = find_swevent_head(swhash, event);
+- if (!head) {
+- /*
+- * We can race with cpu hotplug code. Do not
+- * WARN if the cpu just got unplugged.
+- */
+- WARN_ON_ONCE(swhash->online);
++ if (WARN_ON_ONCE(!head))
+ return -EINVAL;
+- }
+
+ hlist_add_head_rcu(&event->hlist_entry, head);
+
+@@ -5282,7 +5273,6 @@ static int swevent_hlist_get_cpu(struct
+ int err = 0;
+
+ mutex_lock(&swhash->hlist_mutex);
+-
+ if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
+ struct swevent_hlist *hlist;
+
+@@ -7149,7 +7139,6 @@ static void __cpuinit perf_event_init_cp
+ struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
+
+ mutex_lock(&swhash->hlist_mutex);
+- swhash->online = true;
+ if (swhash->hlist_refcount > 0) {
+ struct swevent_hlist *hlist;
+
+@@ -7202,14 +7191,7 @@ static void perf_event_exit_cpu_context(
+
+ static void perf_event_exit_cpu(int cpu)
+ {
+- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
+-
+ perf_event_exit_cpu_context(cpu);
+-
+- mutex_lock(&swhash->hlist_mutex);
+- swhash->online = false;
+- swevent_hlist_release(swhash);
+- mutex_unlock(&swhash->hlist_mutex);
+ }
+ #else
+ static inline void perf_event_exit_cpu(int cpu) { }
diff --git a/debian/patches/series b/debian/patches/series
index ba81022..464db1b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1108,6 +1108,7 @@ bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
bugfix/all/net-cleanups-in-sock_setsockopt.patch
bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
+bugfix/all/perf-fix-race-in-swevent-hash.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list