[linux] 02/02: perf: Do not double free

debian-kernel at lists.debian.org
Tue Feb 21 00:58:42 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 4013919d6715dee30f6042cd87c01801d3d1931d
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Feb 21 00:55:23 2017 +0000

    perf: Do not double free
    
    This avoids the possibility of a double free which would otherwise be
    introduced by the fix for CVE-2017-6001.  In mainline the potential
    double free was introduced by an earlier change.
---
 debian/changelog                                   |  4 ++
 .../bugfix/all/perf-do-not-double-free.patch       | 47 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 52 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1c28db7..a3bf0f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,15 @@
 linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
 
+  [ Salvatore Bonaccorso ]
   * perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787)
   * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
     (CVE-2017-6001)
   * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
   * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
 
+  [ Ben Hutchings ]
+  * perf: Do not double free (dependency of fix for CVE-2017-6001)
+
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 18 Feb 2017 18:26:58 +0100
 
 linux (3.16.39-1) jessie; urgency=medium
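Review bot: the new changelog entry says "dependency of fix for CVE-2017-6001", which a reader can take to mean the patch is only needed once the CVE fix is in; the commit message on this push says the opposite ordering constraint, namely that the CVE-2017-6001 fix would introduce the double free unless this patch is applied first. Consider wording the entry to make that explicit, e.g. "(prerequisite for the fix for CVE-2017-6001)", so the constraint survives the next rebase of the series.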
diff --git a/debian/patches/bugfix/all/perf-do-not-double-free.patch b/debian/patches/bugfix/all/perf-do-not-double-free.patch
new file mode 100644
index 0000000..9bde436
--- /dev/null
+++ b/debian/patches/bugfix/all/perf-do-not-double-free.patch
@@ -0,0 +1,47 @@
+From: Peter Zijlstra <peterz at infradead.org>
+Date: Wed, 24 Feb 2016 18:45:41 +0100
+Subject: perf: Do not double free
+Origin: https://git.kernel.org/linus/130056275ade730e7a79c110212c8815202773ee
+
+In case of: err_file: fput(event_file), we'll end up calling
+perf_release() which in turn will free the event.
+
+Do not then free the event _again_.
+
+Tested-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
+Reviewed-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
+Cc: Jiri Olsa <jolsa at redhat.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: dvyukov at google.com
+Cc: eranian at google.com
+Cc: oleg at redhat.com
+Cc: panand at redhat.com
+Cc: sasha.levin at oracle.com
+Cc: vince at deater.net
+Link: http://lkml.kernel.org/r/20160224174947.697350349@infradead.org
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/events/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7611,7 +7611,12 @@ err_context:
+ 	perf_unpin_context(ctx);
+ 	put_ctx(ctx);
+ err_alloc:
+-	free_event(event);
++	/*
++	 * If event_file is set, the fput() above will have called ->release()
++	 * and that will take care of freeing the event.
++	 */
++	if (!event_file)
++		free_event(event);
+ err_cpus:
+ 	put_online_cpus();
+ err_task:
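Review bot: the guard `if (!event_file)` before `free_event(event)` only prevents the double free if `event_file` is NULL on every path that reaches `err_alloc:` without passing through the `err_file: fput(event_file)` path named in the description; the hunk does not show the declaration of `event_file` in sys_perf_event_open(), so the backport should be checked to confirm the 3.16 tree initialises it to NULL at declaration rather than leaving it uninitialised until the fd is created, otherwise the early error paths would skip `free_event()` and leak the event instead. Separately, the description carries a `Signed-off-by: Ben Hutchings` line but no bracketed backport note; if the context in this hunk (the `@@ -7611,7 +7611,12 @@` header and the surrounding labels) had to be adjusted for 3.16, add the usual `[bwh: Backported to 3.16: ...]` note above the sign-off so the deviation from the upstream commit at the `Origin:` URL is recorded.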
diff --git a/debian/patches/series b/debian/patches/series
index 0342263..1ce4877 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -680,6 +680,7 @@ bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
 bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
 bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
 bugfix/all/perf-Fix-event-ctx-locking.patch
+bugfix/all/perf-do-not-double-free.patch
 bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
 bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
 bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
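Review bot: the position of the new entry is the part of this hunk that carries the correctness argument, so it should not move in later merges: quilt applies the series in order, and this patch is inserted immediately before bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch (the CVE-2017-6001 fix), which the commit message says would otherwise introduce the double free. If the two lines were ever swapped, the CVE fix would apply on top of the unconditional `free_event(event)` and the guard added in perf-do-not-double-free.patch would be applied afterwards, with the intermediate state (and any refreshed context) hard to reason about. A one-line comment in the series file is not conventional here, so the ordering constraint is best kept in the changelog entry.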

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git