From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752238AbdCNPVP (ORCPT <rfc822;w@1wt.eu>);
        Tue, 14 Mar 2017 11:21:15 -0400
Received: from mx1.redhat.com ([209.132.183.28]:27808 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752034AbdCNPVM (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Mar 2017 11:21:12 -0400
Date: Tue, 14 Mar 2017 16:19:10 +0100
From: Oleg Nesterov <oleg@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Dmitry Vyukov <dvyukov@google.com>, Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
        syzkaller <syzkaller@googlegroups.com>
Subject: Re: perf: use-after-free in perf_release
Message-ID: <20170314151910.GA31766@redhat.com>
References: <CACT4Y+bgMfF=jUjNcVSSrBZy0xbyCPeNiDsW-c-S9sHe-Vxc=g@mail.gmail.com> <20170306131459.GC6515@twins.programming.kicks-ass.net> <20170307140414.GA31678@redhat.com> <CACT4Y+bzNOrMHmfP_cv3Jzaqs0zB3qHY9eu0y4JdKvVw0mgveA@mail.gmail.com> <20170307165131.GA6097@redhat.com> <20170314125508.GK3343@twins.programming.kicks-ass.net> <20170314140302.GA28146@redhat.com> <20170314140754.GG3328@twins.programming.kicks-ass.net> <20170314143010.GA30351@redhat.com> <20170314150241.GO5680@worktop>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170314150241.GO5680@worktop>
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Tue, 14 Mar 2017 15:21:07 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/14, Peter Zijlstra wrote:
>
> 	    mutex_unlock(ctx->lock);
> 	    put_ctx() /* >0 */
> 	  free_task();
> 					    mutex_lock(ctx->lock);
> 					    mutex_lock(A->child_mutex);
> 					    /* ... */
> 					    mutex_unlock(A->child_mutex);
> 					    mutex_unlock(ctx->lock)
> 					    put_ctx() /* 0 */
> 					      ctx->task && !TOMBSTONE
> 					        put_task_struct() /* UAF */
>
>
> Something like that, right?

Yes, exactly.

> Let me see if it makes sense to retain perf_event_free_task() at all;
> maybe we should always do perf_event_exit_task().

Yes, perhaps... but this needs changes too. Say, WARN_ON_ONCE(child != current)
in perf_event_exit_task_context(). And even perf_event_task(new => F) does not
look right in this case. In fact it would be simply buggy to do this, this task
was not fully constructed yet, so even perf_event_pid(task) is not safe.

Oleg.