CVE-2022-48950

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 25/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix perf_pending_task() UaF

Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases:

- the task_work was already queued before destroying the event;
- destroying the event itself queues the task_work.

The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works list is already empty and task_work_cancel() won't be able to find the perf_pending_task() entry.

The simplest alternative is extending the perf_event lifetime to cover the task_work.

The second is just silly, queueing a task_work while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATE_DEAD and ensuring it goes through STATE_OFF on the way down.
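As an added illustration of the first case (constructed for this page, not the kernel's code), the model below queues a task_work against an event, drops the event's last reference, and then runs the task_work: with the vulnerable pattern the callback runs on an already-freed event, with the fixed pattern the queued work owns a reference so the event is freed only after the callback has finished. The struct layout, the one-slot task_work list and the `freed`/`uaf_observed` markers are simplifications made for the model; only the names perf_pending_task, put_event and pending_task come from the description.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the first case above (not kernel code): a task_work is
 * queued, the event's last reference is dropped, then the task_work runs. */
struct callback_head { void (*func)(struct callback_head *); };
struct event {
    int refcount;                  /* owners of the event */
    int pending_work;              /* 1 while a task_work is queued */
    int freed;                     /* free path sets this instead of calling free() */
    int uaf_observed;              /* callback ran against an already-freed event */
    struct callback_head pending_task;
};
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static struct callback_head *task_works; /* current task's task_work list, one slot */
static int hold_ref;                     /* 0: vulnerable pattern, 1: fixed pattern */
static void put_event(struct event *e) { if (--e->refcount == 0) e->freed = 1; }

static void perf_pending_task(struct callback_head *head)
{
    struct event *e = container_of(head, struct event, pending_task);
    if (e->freed) { e->uaf_observed = 1; return; }  /* real kernel: memory reused */
    e->pending_work = 0;
    if (hold_ref) put_event(e);    /* fix: drop the reference taken when queued */
}
static void queue_pending_task(struct event *e)
{
    if (e->pending_work) return;
    e->pending_work = 1;
    if (hold_ref) e->refcount++;   /* fix: the queued task_work owns a reference */
    e->pending_task.func = perf_pending_task;
    task_works = &e->pending_task;
}

/* Return to user space: run whatever is on the task_work list. */
static void run_task_works(void) { struct callback_head *w = task_works; task_works = NULL; if (w) w->func(w); }

/* Returns 1 if the callback touched a freed event; *leaked is 1 if it was never freed. */
int simulate(int fixed, int *leaked)
{
    struct event *e = calloc(1, sizeof(*e));
    int observed;
    hold_ref = fixed;
    e->refcount = 1;
    queue_pending_task(e);         /* overflow path queues the task_work */
    put_event(e);                  /* perf_release(): last user reference goes away */
    run_task_works();
    observed = e->uaf_observed;
    *leaked = !e->freed;
    free(e);
    return observed;
}
```

Because the task_work may run after perf_release() has already emptied the current task's list, a cancel at release time cannot be relied on; the extra reference is what makes the callback safe.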

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                          5.15.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.0.14 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*