CVE-2022-49607

Summary

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close():

CPU1					CPU2

perf_mmap_close(e2)
  if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
    detach_rest = true

					ioctl(e1, IOC_SET_OUTPUT, e2)
					  perf_event_set_output(e1, e2)

  ...
  list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
    ring_buffer_attach(e, NULL);
    // e1 isn't yet added and
    // therefore not detached

					    ring_buffer_attach(e1, e2->rb)
					      list_add_rcu(&e1->rb_entry,
							   &e2->rb->event_list)

After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more:

again:
	mutex_lock(&e->mmap_mutex);
	if (event->rb) {
		...
		if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
			...
			mutex_unlock(&e->mmap_mutex);
			goto again;
		}
	}

The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race.

Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < 3bbd868099287ff9027db59029b502fcfa2202a0affected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < f836f9ac95df15f1e0af4beb0ec20021e8c91998affected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < 17f5417194136517ee9bbd6511249e5310e5617caffected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < 98c3c8fd0d4c560e0f8335b79c407bbf7fc9462caffected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < 43128b3eee337824158f34da6648163d2f2fb937affected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < da3c256e2d0ebc87c7db0c605c9692b6f1722074affected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < a9391ff7a7c5f113d6f2bf6621d49110950de49caffected
LinuxLinux9bb5d40cd93c9dd4be74834b1dcb1ba03629716b < 68e3c69803dada336893640110cb87221bb01dcfaffected
LinuxLinux2487f0db30527032c4d56fc2d0b1a240fe89fef8affected
LinuxLinux703197b61d05f5edae54bad3256901c5a5c8794caffected
LinuxLinuxc52217e88ae0f3a4ae00562d86e338f8f85969b4affected
LinuxLinux3.2.49 < 3.3affected
LinuxLinux3.4.52 < 3.5affected
LinuxLinux3.9.8 < 3.10affected
LinuxLinux3.10affected
LinuxLinux0 < 3.10unaffected
LinuxLinux4.9.325 <= 4.9.*unaffected
LinuxLinux4.14.290 <= 4.14.*unaffected
LinuxLinux4.19.254 <= 4.19.*unaffected
LinuxLinux5.4.208 <= 5.4.*unaffected
LinuxLinux5.10.134 <= 5.10.*unaffected
LinuxLinux5.15.58 <= 5.15.*unaffected
LinuxLinux5.18.15 <= 5.18.*unaffected
LinuxLinux5.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References