From 06ae01888eec7d95d65fc0e55daeea972d292977 Mon Sep 17 00:00:00 2001
From: Srinivasarao P
Date: Tue, 1 Mar 2016 12:16:03 +0530
Subject: perf: duplicate deletion of perf event

a malicious app can open a perf event with constraint_duplicate bit set, disable the event, and close the fd. On closing the fd, the perf_release() modification causes the kernel to clean up the event as if it still were enabled, leading to the event being removed from a list twice.

CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P
---
 kernel/events/core.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'kernel')

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 01686c17b480..1cb22d44ccbb 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8322,6 +8322,9 @@ SYSCALL_DEFINE5(perf_event_open,
 if (err)
 return err;
 
+ if (attr.constraint_duplicate || attr.__reserved_1)
+ return -EINVAL;
+
 if (!attr.exclude_kernel) {
 if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
 return -EACCES;
-- 
cgit v1.2.3
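Review bot: The added check in perf_event_open only refuses the constraint_duplicate bit coming from userspace; the double list removal in the release path that the description blames is not touched, so any in-kernel path that sets the bit, or any other way of reaching perf_release() with it set, would still remove the event twice — the input rejection should be paired with a fix on the release side, or the bit made unreachable there. The check also sits after perf_copy_attr() rather than inside it, where the other attr sanity checks live and where __reserved_1 is presumably already rejected (not visible in this hunk — verify); if it is, the `|| attr.__reserved_1` clause here is redundant. Because the test otherwise reads as an arbitrary rejection that a later maintainer might drop, add a why-comment above it: `/* constraint_duplicate events are torn down twice on close (see perf_release); refuse them from userspace until that path is fixed. */`. perf_event_open begins and ends outside this hunk.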