CVE-2022-48950

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix perfpendingtask() UaF

Per syzbot it is possible for perfpendingtask() to run after the event is free()'d. There are two related but distinct cases:

• the task_work was already queued before destroying the event;
• destroying the event itself queues the task_work.

The first cannot be solved using taskworkcancel() since perfrelease() itself might be called from a taskwork (_fput), which means the current->taskworks list is already empty and taskworkcancel() won't be able to find the perfpendingtask() entry.

The simplest alternative is extending the perfevent lifetime to cover the taskwork.

The second is just silly, queueing a taskwork while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATEDEAD and ensuring it goes through STATE_OFF on the way down.