
Commit 90f23506 authored by John Dias's avatar John Dias Committed by Gerrit - the friendly Code Review server

perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).

Bug: 32402548
Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
Git-repo: https://android.googlesource.com/kernel/msm

Git-commit: 6b6cfb2362f09553b46b3b7e5684b16b6e53e373
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
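The mechanism described in the commit message, as an added userland model (not kernel code and not part of this commit): a minimal intrusive circular list with `list_del`, `list_del_init` and `list_move_tail`, a cut-down `perf_event` with `group_entry` and `sibling_list`, and a `group_detach` that reproduces the leader-not-on-a-list path before and after the fix. `sibling_still_points_into_leader()` reports whether, after detach, the sibling's `group_entry` still references the leader's `sibling_list`, which is exactly the state that turns a later `list_del` on the sibling into a write through freed memory. Names other than those in the commit (`group_detach`, `event_init`, `sibling_still_points_into_leader`) are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the kernel's intrusive circular list; not the kernel's
 * own implementation. Node layout and semantics mirror <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    prev->next = n; n->prev = prev; n->next = head; head->prev = n;
}

/* Unlink by writing through the neighbours: this is the write that becomes a
 * use-after-free when a neighbour is the freed leader's sibling_list head. */
static void __list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* list_del leaves next/prev pointing at the old neighbours. */
static void list_del(struct list_head *n) { __list_del(n); }

/* list_del_init makes the entry self-linked, so a later list_del only
 * touches the entry itself. */
static void list_del_init(struct list_head *n) { __list_del(n); INIT_LIST_HEAD(n); }

static void list_move_tail(struct list_head *n, struct list_head *head)
{
    __list_del(n);
    list_add_tail(n, head);
}

/* Cut-down perf_event with only the fields the bug involves (assumed layout). */
struct perf_event {
    struct list_head group_entry;   /* link into the leader's sibling_list */
    struct list_head sibling_list;  /* head of this event's own siblings */
    struct perf_event *group_leader;
};

static void event_init(struct perf_event *e)
{
    INIT_LIST_HEAD(&e->group_entry);
    INIT_LIST_HEAD(&e->sibling_list);
    e->group_leader = e;
}

/* Model of perf_group_detach's sibling loop. 'list' is the context list the
 * leader is on, or NULL; 'fixed' selects the patched else-branch. */
static void group_detach(struct perf_event *leader, struct list_head *list, bool fixed)
{
    struct list_head *pos = leader->sibling_list.next;
    while (pos != &leader->sibling_list) {
        struct list_head *next = pos->next;
        struct perf_event *sibling = container_of(pos, struct perf_event, group_entry);
        if (list)
            list_move_tail(&sibling->group_entry, list);
        else if (fixed)
            list_del_init(&sibling->group_entry);
        /* unfixed && list == NULL: group_entry keeps pointing into the leader */
        sibling->group_leader = sibling;
        pos = next;
    }
}

/* Returns true if, after detaching a leader that is on no list, the sibling's
 * group_entry still references the leader's memory. true == the pre-fix state. */
static bool sibling_still_points_into_leader(bool fixed)
{
    struct perf_event *leader = malloc(sizeof *leader);
    struct perf_event *sibling = malloc(sizeof *sibling);
    event_init(leader);
    event_init(sibling);
    list_add_tail(&sibling->group_entry, &leader->sibling_list);
    sibling->group_leader = leader;

    group_detach(leader, NULL, fixed);

    bool dangling = sibling->group_entry.next == &leader->sibling_list ||
                    sibling->group_entry.prev == &leader->sibling_list;

    free(leader);  /* the leader is deallocated first, as in the bug report */
    /* Only a self-linked entry can be unlinked safely after the leader is gone;
     * in the dangling case the same list_del would write into freed memory,
     * so the model skips it. */
    if (!dangling)
        list_del(&sibling->group_entry);
    free(sibling);
    return dangling;
}
```

Run under a sanitizer (for example `-fsanitize=address`) the fixed path stays clean; the point of the model is that the only difference between the two paths is `list_del_init` versus leaving the entry untouched, which is precisely the one-line change the hunk makes.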
parent 8f2d81a9
+7 −0
@@ -1807,10 +1807,17 @@ static void perf_group_detach(struct perf_event *event)
	 * If this was a group event with sibling events then
	 * upgrade the siblings to singleton events by adding them
	 * to whatever list we are on.
	 * If this isn't on a list, make sure we still remove the sibling's
	 * group_entry from this sibling_list; otherwise, when that sibling
	 * is later deallocated, it will try to remove itself from this
	 * sibling_list, which may well have been deallocated already,
	 * resulting in a use-after-free.
	 */
	list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) {
		if (list)
			list_move_tail(&sibling->group_entry, list);
		else
			list_del_init(&sibling->group_entry);
		sibling->group_leader = sibling;

		/* Inherit group flags from the previous leader */
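Review bot: the new else branch is right to call list_del_init() rather than list_del(), and the comment block above the loop could say so explicitly: the later list_del_event() on the sibling unlinks group_entry by writing through its neighbours, so only a self-linked entry makes that write land on the sibling's own node, while list_del() would leave next/prev pointing into the freed leader's sibling_list and reintroduce the use-after-free. A single sentence such as "list_del_init() leaves group_entry self-linked so the later removal is a no-op on the leader" would tie the comment to the specific call chosen.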