[CVE-2015-8963] [Trusty/Vivid] [PATCH 0/1] perf: Fix race in swevent hash

Brad Figg brad.figg at canonical.com
Fri Jun 9 11:27:36 UTC 2017


There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Peter Zijlstra (1):
  perf: Fix race in swevent hash

 kernel/events/core.c | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
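
The lifetime rule described above, as an added single-threaded user-space model in C. It is not the kernel patch or code from this message; NCPU, the struct and all function names are hypothetical, and a released array is represented as NULL so nothing ever touches freed memory.

```c
/* Added user-space model, not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
#define NCPU 4 /* constructed number of possible CPUs */
static struct swhash { int *hlist; int refcount; } percpu[NCPU];

/* Free one CPU's array; NULL stands in for "released". */
static void release(int cpu) {
    free(percpu[cpu].hlist);
    percpu[cpu].hlist = NULL;
}

/* A new software event takes a reference on every possible CPU. */
static void hlist_get(void) {
    for (int c = 0; c < NCPU; c++)
        if (percpu[c].refcount++ == 0 && !percpu[c].hlist)
            percpu[c].hlist = calloc(8, sizeof(int));
}

/* The last event to die walks every possible CPU and frees its array. */
static void hlist_put(void) {
    for (int c = 0; c < NCPU; c++)
        if (--percpu[c].refcount == 0)
            release(c);
}

/* CPU unplug: true frees the array at unplug, false leaves it in place. */
static void cpu_unplug(int cpu, bool free_on_unplug) {
    if (free_on_unplug)
        release(cpu);
}

/* Arrays still allocated, to check that nothing leaks. */
static int live_arrays(void) {
    int n = 0;
    for (int c = 0; c < NCPU; c++) n += percpu[c].hlist != NULL;
    return n;
}

/* Returns true if a live event is left pointing at a released array. */
static bool scenario(bool free_on_unplug) {
    hlist_get();
    cpu_unplug(1, free_on_unplug);
    bool dangling = percpu[1].refcount > 0 && percpu[1].hlist == NULL;
    hlist_put();
    return dangling;
}

int main(void) { return (scenario(true) && !scenario(false) && !live_arrays()) ? 0 : 1; }
```

Freeing at unplug leaves the still-referenced CPU with a released array, while deferring the free to the last put leaves no dangling reference and no allocated arrays behind.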

