CVE-2024-43870

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exit

When a task is scheduled out, pending sigtrap deliveries are deferred
to the target task upon resume to userspace via task_work.

However failures while adding an event's callback to the task_work
engine are ignored. And since the last call for events exit happens
after task work is eventually closed, there is a small window during
which pending sigtrap can be queued though ignored, leaking the event
refcount addition such as in the following scenario:

    TASK A
    -----

    do_exit()
       exit_task_work(tsk);

       perf_event_overflow()
          event->pending_sigtrap = pending_id;
          irq_work_queue(&event->pending_irq);

    =========> PREEMPTION: TASK A -> TASK B
       event_sched_out()
          event->pending_sigtrap = 0;
          atomic_long_inc_not_zero(&event->refcount)
          // FAILS: task work has exited
          task_work_add(&event->pending_task)
       [...]

       perf_pending_irq()
          // early return: event->oncpu = -1

       [...]
    =========> TASK B -> TASK A
       perf_event_exit_task(tsk)
          perf_event_exit_event()
             free_event()
                WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
                // leak event due to unexpected refcount == 2

As a result the event is never released while the task exits.

Fix this with appropriate task_work_add()'s error handling.
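The scenario above as a user-space model, added here as an illustration; it is not kernel code and not the upstream patch. Every `model_*` name is hypothetical, and the `-1` return is a constructed stand-in for the failure that task_work_add() reports once task work has exited.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every model_* name is hypothetical, not a kernel symbol. */
struct model_event {
    long refcount;        /* 1 = the owner's reference */
    int  pending_sigtrap; /* non-zero while a sigtrap awaits delivery */
};

struct model_task { bool work_closed; }; /* true after exit_task_work() */

/* Stand-in for task_work_add(): fails once the task's work list is closed.
 * The -1 is a constructed error value. */
static int model_work_add(const struct model_task *t)
{
    return t->work_closed ? -1 : 0;
}

/* Sched-out path. checked=false ignores the queueing result (the leak);
 * checked=true keeps the extra reference only if queueing succeeded. */
static void model_sched_out(struct model_event *e, const struct model_task *t,
                            bool checked)
{
    if (!e->pending_sigtrap)
        return;
    e->pending_sigtrap = 0;
    e->refcount++;                    /* reference for the deferred callback */
    if (model_work_add(t) != 0 && checked)
        e->refcount--;                /* nothing will run: give it back */
}

/* Replays the scenario from the description and returns the refcount that
 * free_event() would see: 1 = event can be freed, 2 = event is leaked. */
long model_exit_scenario(bool checked)
{
    struct model_task  task  = { .work_closed = true }; /* exit_task_work() */
    struct model_event event = { .refcount = 1 };

    event.pending_sigtrap = 1;                /* perf_event_overflow() */
    model_sched_out(&event, &task, checked);  /* preemption: A -> B */
    return event.refcount;                    /* value tested in free_event() */
}

int main(void)
{
    printf("unchecked: %ld, checked: %ld\n",
           model_exit_scenario(false), model_exit_scenario(true));
    return 0;
}
```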

Vulnerable products and versions

CPE                                              From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.15.84 (including)  5.15.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.0.14 (including)   6.1 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.1.1 (including)    6.1.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)      6.6.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)      6.10.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*