{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-43870",
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n \n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n \n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n \n perf_pending_irq()\n // early return: event->oncpu = -1\n \n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8bffa95ac19f",
"version_value": "67fad724f1b5"
},
{
"version_affected": "<",
"version_name": "517e6a301f34",
"version_value": "70882d7fa74f"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.1",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.165",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.103",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.44",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.10.3",
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7"
},
{
"url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831"
},
{
"url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51"
},
{
"url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a"
},
{
"url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b"
}
]
},
"generator": {
"engine": "bippy-9e1c9544281a"
}
}