From 7dcc341e1a59f07dcd6ac591ecd90b41dcd28611 Mon Sep 17 00:00:00 2001
From: Budimir Markovic
Date: Tue, 8 Aug 2023 12:48:54 +0000
Subject: [PATCH 7/7] perf: Fix check before add_event_to_groups() in perf_group_detach()
commit fd0815f632c24878e325821943edccc7fde947a2 upstream
Author: Budimir Markovic
Date: Wed Mar 15 00:29:01 2023 -0700
Events should only be added to a groups rb tree if they have not been removed from their context by list_del_event(). Since remove_on_exec made it possible to call list_del_event() on individual events before they are detached from their group, perf_group_detach() should check each sibling's attach_state before calling add_event_to_groups() on it.
Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec")
Signed-off-by: Budimir Markovic
Signed-off-by: Peter Zijlstra (Intel)
Link: https://lkml.kernel.org/r/ZBFzvQV9tEqoHEtH@gentoo
CVE: CVE-2023-2235
Signed-off-by: Nagappan Ramasamy Palaniappan
Reviewed-by: Laurence Rochfort
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index d2adc3cbf..182494495 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2210,7 +2210,7 @@ static void perf_group_detach(struct perf_event *event)
 /* Inherit group flags from the previous leader */
 sibling->group_caps = event->group_caps;
- if (!RB_EMPTY_NODE(&event->group_node)) {
+ if (sibling->attach_state & PERF_ATTACH_CONTEXT) {
 add_event_to_groups(sibling, event->ctx);
 if (sibling->state == PERF_EVENT_STATE_ACTIVE)
--
2.31.1
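Review bot: The new condition `sibling->attach_state & PERF_ATTACH_CONTEXT` encodes a lifetime invariant that is only explained in the commit message, so it deserves a comment directly above the `if`, for example `/* Re-add only siblings still attached to the context; list_del_event() may already have removed this one (remove_on_exec). */`. Without it the per-sibling test reads as interchangeable with the old leader-based `RB_EMPTY_NODE(&event->group_node)` test, and a later cleanup could restore the form that puts an already-removed event back into the groups tree, the condition this patch tracks as CVE-2023-2235. perf_group_detach() begins and ends outside the hunk, so the locking under which `attach_state` is read here, and the body of the nested `PERF_EVENT_STATE_ACTIVE` branch, cannot be confirmed from the visible lines.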