[linux] 03/18: perf: Fix race in swevent hash (CVE-2015-8963)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 29 03:44:11 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 155aee446c7c2831cf6aa5d0d8e537b6da6dc87a
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 22:42:41 2016 +0000

    perf: Fix race in swevent hash (CVE-2015-8963)
---
 debian/changelog                                   |  1 +
 .../bugfix/all/perf-fix-race-in-swevent-hash.patch | 92 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 94 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 0c297d2..56a6550 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -490,6 +490,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
   * Fix backport of "fs: Give dentry to inode_change_ok() instead of inode"
     in fuse, xfs
   * sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
+  * perf: Fix race in swevent hash (CVE-2015-8963)
 
   [ Julien Cristau ]
   * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
new file mode 100644
index 0000000..7df1e1e
--- /dev/null
+++ b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
@@ -0,0 +1,92 @@
+From: Peter Zijlstra <peterz at infradead.org>
+Date: Tue, 15 Dec 2015 13:49:05 +0100
+Subject: perf: Fix race in swevent hash
+Origin: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8963
+
+There's a race on CPU unplug where we free the swevent hash array
+while it can still have events on. This will result in a
+use-after-free which is BAD.
+
+Simply do not free the hash array on unplug. This leaves the thing
+around and no use-after-free takes place.
+
+When the last swevent dies, we do a for_each_possible_cpu() iteration
+anyway to clean these up, at which time we'll free it, so no leakage
+will occur.
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Tested-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: Jiri Olsa <jolsa at redhat.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Stephane Eranian <eranian at google.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Vince Weaver <vincent.weaver at maine.edu>
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ kernel/events/core.c | 20 +-------------------
+ 1 file changed, 1 insertion(+), 19 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5595,9 +5595,6 @@ struct swevent_htable {
+ 
+ 	/* Recursion avoidance in each contexts */
+ 	int				recursion[PERF_NR_CONTEXTS];
+-
+-	/* Keeps track of cpu being initialized/exited */
+-	bool				online;
+ };
+ 
+ static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
+@@ -5844,14 +5841,8 @@ static int perf_swevent_add(struct perf_
+ 	hwc->state = !(flags & PERF_EF_START);
+ 
+ 	head = find_swevent_head(swhash, event);
+-	if (!head) {
+-		/*
+-		 * We can race with cpu hotplug code. Do not
+-		 * WARN if the cpu just got unplugged.
+-		 */
+-		WARN_ON_ONCE(swhash->online);
++	if (WARN_ON_ONCE(!head))
+ 		return -EINVAL;
+-	}
+ 
+ 	hlist_add_head_rcu(&event->hlist_entry, head);
+ 
+@@ -5918,7 +5909,6 @@ static int swevent_hlist_get_cpu(struct
+ 	int err = 0;
+ 
+ 	mutex_lock(&swhash->hlist_mutex);
+-
+ 	if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
+ 		struct swevent_hlist *hlist;
+ 
+@@ -8050,7 +8040,6 @@ static void perf_event_init_cpu(int cpu)
+ 	struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
+ 
+ 	mutex_lock(&swhash->hlist_mutex);
+-	swhash->online = true;
+ 	if (swhash->hlist_refcount > 0) {
+ 		struct swevent_hlist *hlist;
+ 
+@@ -8103,14 +8092,7 @@ static void perf_event_exit_cpu_context(
+ 
+ static void perf_event_exit_cpu(int cpu)
+ {
+-	struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
+-
+ 	perf_event_exit_cpu_context(cpu);
+-
+-	mutex_lock(&swhash->hlist_mutex);
+-	swhash->online = false;
+-	swevent_hlist_release(swhash);
+-	mutex_unlock(&swhash->hlist_mutex);
+ }
+ #else
+ static inline void perf_event_exit_cpu(int cpu) { }
diff --git a/debian/patches/series b/debian/patches/series
index 550ca0d..5ba605f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -658,6 +658,7 @@ features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
 
 # Security fixes
 bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
+bugfix/all/perf-fix-race-in-swevent-hash.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list