perf: Fix sys_perf_event_open() race against self
commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream.
Norbert reported that it's possible to race sys_perf_event_open() such
that the loser ends up in another context from the group leader,
triggering many WARNs.
The move_group case checks for races against itself, but the
!move_group case doesn't, seemingly relying on the previous
group_leader->ctx == ctx check. However, that check is racy due to not
holding any locks at that time.
Therefore, re-check the result after acquiring locks and bail
if they no longer match.
Additionally, clarify the not_move_group case from the
RELEASE_NOTE=Fixed CVE-2022-1729 in the Linux Kernel.
Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
Reported-by: Norbert Slusarek <firstname.lastname@example.org>
Signed-off-by: Peter Zijlstra (Intel) <email@example.com>
Signed-off-by: Linus Torvalds <firstname.lastname@example.org>
Signed-off-by: Greg Kroah-Hartman <email@example.com>
Reviewed-by: Meena Shanmugam <firstname.lastname@example.org>
Reviewed-by: Oleksandr Tymoshenko <email@example.com>
Tested-by: Cusky Presubmit Bot <firstname.lastname@example.org>
Main-Branch-Verified: Cusky Presubmit Bot <email@example.com>
1 file changed
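The check-then-lock race and the re-check under the lock that the commit message describes, as an added user-space model; this is not the kernel patch or any code from the commit. The types, `attach_sibling()`, the `recheck` switch and the `race_hook` callback (which stands in for a concurrent syscall changing the leader's context inside the unlocked window) are all hypothetical, and how the leader's context changes is an assumption of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Simplified user-space model; these types are not the kernel's. */
struct ctx   { pthread_mutex_t mutex; int nr_events; };
struct event { struct ctx *ctx; };

/* Hypothetical hook: runs in the window between the unlocked check and
 * the lock acquisition, standing in for a concurrent syscall. */
typedef void (*race_hook)(struct event *leader, struct ctx *other);

/* Join `ev` to `leader`'s group in `ctx`. Returns 0 or -EINVAL. */
int attach_sibling(struct event *ev, struct event *leader, struct ctx *ctx,
                   int recheck, race_hook hook, struct ctx *other)
{
    /* Early check, made without holding any lock: advisory only. */
    if (leader->ctx != ctx)
        return -EINVAL;

    if (hook)
        hook(leader, other);        /* leader's context may change here */

    pthread_mutex_lock(&ctx->mutex);
    /* The fix pattern: re-verify under the lock, bail on mismatch. */
    if (recheck && leader->ctx != ctx) {
        pthread_mutex_unlock(&ctx->mutex);
        return -EINVAL;
    }
    ev->ctx = ctx;                  /* install the new event into ctx */
    ctx->nr_events++;
    pthread_mutex_unlock(&ctx->mutex);
    return 0;
}

/* Constructed interference: move the leader to another context. */
void move_leader(struct event *leader, struct ctx *other) { leader->ctx = other; }

/* Returns 1 if the new event ended up in a different context from its
 * group leader (the inconsistent state), 0 otherwise. */
int split_group(int recheck)
{
    struct ctx a = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct ctx b = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct event leader = { &a }, ev = { NULL };
    int err = attach_sibling(&ev, &leader, &a, recheck, move_leader, &b);
    return err == 0 && ev.ctx != leader.ctx;
}
```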