CVE-2022-49607

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
26/02/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

Yang Jihing reported a race between perf_event_set_output() and
perf_mmap_close():

    CPU1                                            CPU2

    perf_mmap_close(e2)
      if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
        detach_rest = true

                                                    ioctl(e1, IOC_SET_OUTPUT, e2)
                                                      perf_event_set_output(e1, e2)

      ...
      list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
        ring_buffer_attach(e, NULL);
        // e1 isn't yet added and
        // therefore not detached

                                                        ring_buffer_attach(e1, e2->rb)
                                                          list_add_rcu(&e1->rb_entry,
                                                                       &e2->rb->event_list)

After this; e1 is attached to an unmapped rb and a subsequent
perf_mmap() will loop forever more:

    again:
        mutex_lock(&e->mmap_mutex);
        if (event->rb) {
            ...
            if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
                ...
                mutex_unlock(&e->mmap_mutex);
                goto again;
            }
        }

The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
in perf_event_set_output() holds e1->mmap_mutex. As such there is no
serialization to avoid this race.

Change perf_event_set_output() to take both e1->mmap_mutex and
e2->mmap_mutex to alleviate that problem. Additionally, have the loop
in perf_mmap() detach the rb directly, this avoids having to wait for
the concurrent perf_mmap_close() to get around to doing it to make
progress.
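The interleaving in the description can be replayed in user space. The C program below is an added example, not code from the kernel or from the fix: it models the objects the commit message names (e1, e2, rb, mmap_count, mmap_mutex, event_list) with ordinary pthread mutexes and replays CPU1 and CPU2 from a single thread. Its assumptions are that perf_mmap_close() is split into two halves with e2->mmap_mutex held across both, that a failed pthread_mutex_trylock() stands in for a mutex_lock() that would block until the close finishes, and that the unbounded retry loop in perf_mmap() is cut off after MMAP_RETRY_LIMIT iterations and reported as -EDEADLK. replay_race(lock_both, detach_on_race) switches the two halves of the fix on independently.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

#define MMAP_RETRY_LIMIT 8   /* stands in for "loop forever more" (model assumption) */

struct ring_buffer {                 /* struct perf_buffer in the kernel */
	int mmap_count;                  /* rb->mmap_count */
	struct perf_event *event_list[4];/* rb->event_list */
	int nr_events;
};
struct perf_event {
	pthread_mutex_t mmap_mutex;
	struct ring_buffer *rb;
};

/* ring_buffer_attach(e, rb): unlink e from its old rb, link it into rb. */
static void ring_buffer_attach(struct perf_event *e, struct ring_buffer *rb)
{
	struct ring_buffer *o = e->rb;
	for (int i = 0; o && i < o->nr_events; i++)
		if (o->event_list[i] == e)
			o->event_list[i] = o->event_list[--o->nr_events];
	e->rb = rb;
	if (rb)
		rb->event_list[rb->nr_events++] = e;
}

/* perf_mmap(e): the retry loop quoted above. With detach_on_race (the fix) a dead
 * rb is dropped before retrying; without it the loop cannot progress (-EDEADLK). */
static int perf_mmap(struct perf_event *e, int detach_on_race)
{
	int tries = 0;
again:
	if (++tries > MMAP_RETRY_LIMIT)
		return -EDEADLK;
	pthread_mutex_lock(&e->mmap_mutex);
	if (e->rb && e->rb->mmap_count == 0) {   /* atomic_inc_not_zero() fails */
		if (detach_on_race)
			ring_buffer_attach(e, NULL);
		pthread_mutex_unlock(&e->mmap_mutex);
		goto again;
	}
	if (!e->rb)                              /* no buffer yet: allocate one */
		ring_buffer_attach(e, calloc(1, sizeof(struct ring_buffer)));
	e->rb->mmap_count++;
	pthread_mutex_unlock(&e->mmap_mutex);
	return 0;
}

/* perf_mmap_close(e2), split where CPU2 runs in the description. e2->mmap_mutex
 * is held across both halves, as the text says of the detach loop. */
static int perf_mmap_close_begin(struct perf_event *e2)
{
	pthread_mutex_lock(&e2->mmap_mutex);
	return --e2->rb->mmap_count == 0;        /* atomic_dec_and_test: detach_rest */
}
static void perf_mmap_close_finish(struct perf_event *e2, int detach_rest)
{
	struct ring_buffer *rb = e2->rb;
	ring_buffer_attach(e2, NULL);
	while (detach_rest && rb->nr_events)     /* list_for_each_entry_rcu(...) */
		ring_buffer_attach(rb->event_list[0], NULL);
	pthread_mutex_unlock(&e2->mmap_mutex);
}

/* Fixed perf_event_set_output(): e2->mmap_mutex is taken as well. One thread cannot
 * block on a contended mutex, so trylock stands in for mutex_lock(): -EBUSY means
 * "waits for perf_mmap_close() to finish", and the caller retries afterwards. */
static int set_output_fixed(struct perf_event *e1, struct perf_event *e2)
{
	int ret = -EINVAL;
	if (pthread_mutex_trylock(&e2->mmap_mutex) != 0)
		return -EBUSY;
	pthread_mutex_lock(&e1->mmap_mutex);
	if (e2->rb) {                            /* NULL once e2 has been closed */
		ring_buffer_attach(e1, e2->rb);
		ret = 0;
	}
	pthread_mutex_unlock(&e1->mmap_mutex);
	pthread_mutex_unlock(&e2->mmap_mutex);
	return ret;
}

/* Replays the CPU1/CPU2 interleaving; returns the final perf_mmap(e1) result:
 * -EDEADLK for the unfixed code, 0 once either half of the fix is applied. */
static int replay_race(int lock_both, int detach_on_race)
{
	struct perf_event e1 = { PTHREAD_MUTEX_INITIALIZER }, e2 = { PTHREAD_MUTEX_INITIALIZER };
	struct ring_buffer *stale = NULL, *old;

	perf_mmap(&e2, 0);                       /* e2 owns the only mapping of its rb */
	old = e2.rb;
	int detach_rest = perf_mmap_close_begin(&e2);        /* CPU1: 1 -> 0 */
	if (lock_both)
		set_output_fixed(&e1, &e2);                      /* CPU2: -EBUSY, must wait */
	else
		stale = e2.rb;                                   /* CPU2: ring_buffer_get(e2), unserialised */
	perf_mmap_close_finish(&e2, detach_rest);            /* CPU1: detach loop; e1 not on it */
	if (lock_both) {
		set_output_fixed(&e1, &e2);                      /* CPU2 resumes: e2->rb gone, -EINVAL */
	} else {                                             /* unfixed: only e1->mmap_mutex held */
		pthread_mutex_lock(&e1.mmap_mutex);
		ring_buffer_attach(&e1, stale);                  /* list_add_rcu() onto an unmapped rb */
		pthread_mutex_unlock(&e1.mmap_mutex);
	}
	int ret = perf_mmap(&e1, detach_on_race);
	if (e1.rb != old)
		free(e1.rb);
	free(old);
	return ret;
}
```

replay_race(0, 0) reproduces the livelock: e1 ends up on an rb whose mmap_count is already 0 and perf_mmap() never gets past atomic_inc_not_zero(). replay_race(1, 0) shows the first half of the fix: with e2->mmap_mutex held in the redirect path, CPU2 cannot look up e2->rb until the close has finished, by which time it is gone and the redirect is refused. replay_race(0, 1) shows the second half on its own: even with a stale rb attached, perf_mmap() now detaches it and allocates a fresh one. The model does not show the ordering discipline the real kernel needs when one path takes two mmap_mutex locks; taking them in inconsistent orders across callers would trade the race for a deadlock.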

Vulnerable products and versions

CPE                                                  From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         3.2.49 (including)    3.3 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         3.4.52 (including)    3.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         3.9.8 (including)     4.9.325 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.10 (including)      4.14.290 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.15 (including)      4.19.254 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.20 (including)      5.4.208 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.5 (including)       5.10.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.11 (including)      5.15.58 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.16 (including)      5.18.15 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*