perf: Fix use-after-free in error path

The syscall error path has a use-after-free; put_pmu_ctx() will reference ctx, therefore we must ensure ctx is destroyed after pmu_ctx is. Fixes: bd27568 ("perf: Rewrite core context handling") Reported-by: [email protected] Signed-off-by: Peter Zijlstra (Intel) <[email protected]> Tested-by: Chengming Zhou <[email protected]> Link: https://lkml.kernel.org/r/[email protected]
noroot · Dec 27, 2022 · a551844 · a551844
1 parent 0824567
commit a551844
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/kernel/events/core.c b/kernel/events/core.c
@@ -12671,7 +12671,8 @@ SYSCALL_DEFINE5(perf_event_open,
 	return event_fd;
 
 err_context:
-	/* event->pmu_ctx freed by free_event() */
+	put_pmu_ctx(event->pmu_ctx);
+	event->pmu_ctx = NULL; /* _free_event() */
 err_locked:
 	mutex_unlock(&ctx->mutex);
 	perf_unpin_context(ctx);
@@ -12784,6 +12785,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
 
 err_pmu_ctx:
 	put_pmu_ctx(pmu_ctx);
+	event->pmu_ctx = NULL; /* _free_event() */
 err_unlock:
 	mutex_unlock(&ctx->mutex);
 	perf_unpin_context(ctx);