diff options
| author | Peter Zijlstra <[email protected]> | 2017-01-26 16:39:55 +0100 |
|---|---|---|
| committer | Ingo Molnar <[email protected]> | 2017-01-30 11:41:25 +0100 |
| commit | a76a82a3e38c8d3fb6499e3dfaeb0949241ab588 (patch) | |
| tree | b5bc906278fe1ac66d75de984d26bf59b43b3ed8 /lib/test-string_helpers.c | |
| parent | 566cf877a1fcb6d6dc0126b076aad062054c2637 (diff) | |
perf/core: Fix use-after-free bug
Dmitry reported a KASAN use-after-free on event->group_leader.
It turns out there's a hole in perf_remove_from_context() due to
event_function_call() not calling its function when the task
associated with the event is already dead.
In this case the event will have been detached from the task, but the
grouping will have been retained, such that group operations might
still work properly while there are live child events etc.
This does however mean that we can miss a perf_group_detach() call
when the group decomposes, this in turn can then lead to
use-after-free.
Fix it by explicitly doing the group detach if its still required.
Reported-by: Dmitry Vyukov <[email protected]>
Tested-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected] # v4.5+
Cc: syzkaller <[email protected]>
Fixes: 63b6da39bb38 ("perf: Fix perf_event_exit_task() race")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Diffstat (limited to 'lib/test-string_helpers.c')
0 files changed, 0 insertions, 0 deletions