Re: [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns

Next message: Kevin Brodsky: "Re: [PATCH] arm64: fix cleared E0POE bit after cpu_suspend()/resume()"
Previous message: Taniya Das: "[PATCH v3 00/11] Add support for Multimedia Clock controllers for Kaanapali"
In reply to: Oleg Nesterov: "Re: [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns"
Next in thread: Kees Cook: "Re: [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Oleg Nesterov

Date: Wed Jan 07 2026 - 04:43:30 EST

On 01/06, Oleg Nesterov wrote:
>
> On a second thought...
>
> sched_fork() is called before perf_event_init_task(). So perhaps
> sync_child_event() could also check task->__state != TASK_NEW before
> perf_event_read_event() ?
>
> Not sure, I know nothing about perf. Would be nice if perf experts can
> take a look.

Or something else, but we can't rely on pid_alive() or ->signal != NULL
checks.

perf_event_init_task() is called soon after dup_task_struct(), so
pid_alive() is true and child->signal == current->signal.

Lets forget about use-after-free. What if perf_child_detach() paths
call __task_pid_nr_ns() before copy_signal/etc ? In this case
perf_event_pid/perf_event_tid will return the pids of the forking
process, not the child's pids.

Oleg.