On Thu, Sep 10, 2020 at 10:48:02PM +0900, Namhyung Kim wrote: SNIP
> > _do_fork+0x83/0x3a0 > > __do_sys_wait4+0x83/0x90 > > __do_sys_clone+0x85/0xa0 > > do_syscall_64+0x5b/0x1e0 > > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > > > Using atomic decrease and check instead of separated calls. > > This fixes CVE-2020-14351. > > > > Signed-off-by: Jiri Olsa <[email protected]> > > --- > > kernel/events/core.c | 4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > diff --git a/kernel/events/core.c b/kernel/events/core.c > > index 7ed5248f0445..29313cc54d9e 100644 > > --- a/kernel/events/core.c > > +++ b/kernel/events/core.c > > @@ -5903,8 +5903,6 @@ static void perf_mmap_close(struct vm_area_struct > > *vma) > > mutex_unlock(&event->mmap_mutex); > > } > > > > - atomic_dec(&rb->mmap_count); > > - > > if (!atomic_dec_and_mutex_lock(&event->mmap_count, > > &event->mmap_mutex)) > > goto out_put; > > But when it takes the goto, rb->mmap_count won't decrement anymore.. event->mmap_count is per event, so if we have have race in here, 2 threads can go through with each event->mmap_count reaching zero jirka
