From: Qiliang Yuan
To: dianders@chromium.org
Cc: akpm@linux-foundation.org, lihuafei1@huawei.com, linux-kernel@vger.kernel.org, mingo@kernel.org, mm-commits@vger.kernel.org, realwujing@gmail.com, song@kernel.org, stable@vger.kernel.org, sunshx@chinatelecom.cn, thorsten.blum@linux.dev, wangjinchao600@gmail.com, yangyicong@hisilicon.com, yuanql9@chinatelecom.cn, zhangjn11@chinatelecom.cn, linux-watchdog@vger.kernel.org
Subject: [PATCH v4] watchdog/hardlockup: Fix UAF in perf event cleanup due to migration race
Date: Sat, 24 Jan 2026 02:08:14 -0500
Message-ID: <20260124070814.806828-1-realwujing@gmail.com>
X-Mailer: git-send-email 2.51.0

Original analysis on Linux 4.19 showed a race condition in the hardlockup detector's initialization phase. Specifically, during the early probe phase, hardlockup_detector_perf_init() (renamed to watchdog_hardlockup_probe() in newer kernels via commit d9b3629ade8e) interacted with the per-cpu 'watchdog_ev' variable.

If the initializing task migrates to another CPU during this probe phase, two issues arise:

1. The 'watchdog_ev' pointer on the original CPU is set but not cleared, leaving a stale pointer to a freed perf event.
2. The 'watchdog_ev' pointer on the new CPU might be incorrectly cleared.

Note: Although the logs below reference hardlockup_detector_perf_init(), the same logic persists in the current watchdog_hardlockup_probe() implementation.

This race condition was observed in console logs:

[23.038376] hardlockup_detector_perf_init 313 cur_cpu=2
...
[23.076385] hardlockup_detector_event_create 203 cpu(cur)=2 set watchdog_ev
...
[23.095788] perf_event_release_kernel 4623 cur_cpu=2
...
[23.116963] lockup_detector_reconfigure 577 cur_cpu=3

The log shows the task started on CPU 2, set watchdog_ev on CPU 2, released the event on CPU 2, but then migrated to CPU 3 before the cleanup logic could run. This left watchdog_ev on CPU 2 pointing to a freed event, resulting in a UAF when later accessed:

[26.540732] BUG: KASAN: use-after-free in perf_event_ctx_lock_nested.isra.72+0x6b/0x140
[26.542442] Read of size 8 at addr ff110006b360d718 by task kworker/2:1/94

Fix this by refactoring hardlockup_detector_event_create() to return the created perf event instead of directly assigning it to the per-cpu variable. In the probe function, use an arbitrary CPU but ensure it remains online via cpu_hotplug_disable() during the check.

Fixes: 930d8f8dbab9 ("watchdog/perf: adapt the watchdog_perf interface for async model")
Signed-off-by: Shouxin Sun
Signed-off-by: Junnan Zhang
Signed-off-by: Qiliang Yuan
Signed-off-by: Qiliang Yuan
Cc: Song Liu
Cc: Douglas Anderson
Cc: Jinchao Wang
Cc: Wang Jinchao
Cc:
---
v4:
- Add cpu_hotplug_disable() in watchdog_hardlockup_probe() to ensure the sampled CPU remains online during probing.
- Update commit message to explain the relevance of 4.19 logs even though functions were renamed in modern kernels.
v3:
- Refactor hardlockup_detector_event_create() to return the event pointer instead of directly assigning to per-cpu variables to fix the UAF.
- Restore PMU cycle fallback and unify the enable/probe paths.
v2:
- Add Cc: .
v1:
- Avoid 'watchdog_ev' in probe path by manually creating and releasing a local perf event.

 kernel/watchdog_perf.c | 56 +++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 22 deletions(-)

diff --git a/kernel/watchdog_perf.c b/kernel/watchdog_perf.c index d3ca70e3c256..887b61c65c1b 100644 --- a/kernel/watchdog_perf.c +++ b/kernel/watchdog_perf.c @@ -17,6 +17,7 @@ #include #include #include +#include =20 #include #include 
@@ -118,18 +119,11 @@ static void watchdog_overflow_callback(struct perf_ev= ent *event, watchdog_hardlockup_check(smp_processor_id(), regs); } =20 -static int hardlockup_detector_event_create(void) +static struct perf_event *hardlockup_detector_event_create(unsigned int cp= u) { - unsigned int cpu; struct perf_event_attr *wd_attr; struct perf_event *evt; =20 - /* - * Preemption is not disabled because memory will be allocated. - * Ensure CPU-locality by calling this in per-CPU kthread. - */ - WARN_ON(!is_percpu_thread()); - cpu =3D raw_smp_processor_id(); wd_attr =3D &wd_hw_attr; wd_attr->sample_period =3D hw_nmi_get_sample_period(watchdog_thresh); =20 @@ -143,14 +137,7 @@ static int hardlockup_detector_event_create(void) watchdog_overflow_callback, NULL); } =20 - if (IS_ERR(evt)) { - pr_debug("Perf event create on CPU %d failed with %ld\n", cpu, - PTR_ERR(evt)); - return PTR_ERR(evt); - } - WARN_ONCE(this_cpu_read(watchdog_ev), "unexpected watchdog_ev leak"); - this_cpu_write(watchdog_ev, evt); - return 0; + return evt; } =20 /** @@ -159,17 +146,26 @@ static int hardlockup_detector_event_create(void) */ void watchdog_hardlockup_enable(unsigned int cpu) { + struct perf_event *evt; + WARN_ON_ONCE(cpu !=3D smp_processor_id()); =20 - if (hardlockup_detector_event_create()) + evt =3D hardlockup_detector_event_create(cpu); + if (IS_ERR(evt)) { + pr_debug("Perf event create on CPU %d failed with %ld\n", cpu, + PTR_ERR(evt)); return; + } =20 /* use original value for check */ if (!atomic_fetch_inc(&watchdog_cpus)) pr_info("Enabled. Permanently consumes one hw-PMU counter.\n"); =20 + WARN_ONCE(this_cpu_read(watchdog_ev), "unexpected watchdog_ev leak"); + this_cpu_write(watchdog_ev, evt); + watchdog_init_timestamp(); - perf_event_enable(this_cpu_read(watchdog_ev)); + perf_event_enable(evt); } =20 /** 
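Review bot: in the watchdog_hardlockup_enable() hunk, the WARN_ONCE(this_cpu_read(watchdog_ev), "unexpected watchdog_ev leak") check now runs only after the new event has been created and after watchdog_cpus has already been incremented (so the "Enabled." message may already have been printed), and the this_cpu_write(watchdog_ev, evt) that follows still overwrites whatever was leaked without releasing it. Consider doing the leak check before atomic_fetch_inc(&watchdog_cpus) and, when watchdog_ev is already set, releasing evt and returning instead of overwriting the old pointer.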
@@ -263,19 +259,35 @@ bool __weak __init arch_perf_nmi_is_available(void) */ int __init watchdog_hardlockup_probe(void) { + struct perf_event *evt; + unsigned int cpu; int ret; =20 if (!arch_perf_nmi_is_available()) return -ENODEV; =20 - ret =3D hardlockup_detector_event_create(); + if (!hw_nmi_get_sample_period(watchdog_thresh)) + return -EINVAL; =20 - if (ret) { + /* + * Test hardware PMU availability by creating a temporary perf event. + * The requested CPU is arbitrary; preemption is not disabled, so + * raw_smp_processor_id() is used. Surround with cpu_hotplug_disable() + * to ensure the arbitrarily chosen CPU remains online during the check. + * The event is released immediately. + */ + cpu_hotplug_disable(); + cpu =3D raw_smp_processor_id(); + evt =3D hardlockup_detector_event_create(cpu); + if (IS_ERR(evt)) { pr_info("Perf NMI watchdog permanently disabled\n"); + ret =3D PTR_ERR(evt); } else { - perf_event_release_kernel(this_cpu_read(watchdog_ev)); - this_cpu_write(watchdog_ev, NULL); + perf_event_release_kernel(evt); + ret =3D 0; } + cpu_hotplug_enable(); + return ret; } =20 --=20 2.51.0
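Review bot: in the watchdog_hardlockup_probe() hunk, the new early "return -EINVAL" when hw_nmi_get_sample_period(watchdog_thresh) is zero is mentioned in neither the commit message nor the v4 changelog; either document why probing should fail in that case or drop it, since hardlockup_detector_event_create() computes the sample period again anyway. Also, cpu_hotplug_disable()/cpu_hotplug_enable() is a global switch used by paths such as suspend; cpus_read_lock()/cpus_read_unlock() is the usual way to keep CPUs online across a short section and would be enough here, because the event is bound to "cpu" by argument and released by pointer, so the task itself is free to migrate in between.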
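The migration race the commit message describes, as an added stand-alone C model (not kernel code and not part of this patch): the per-cpu watchdog_ev, the current CPU and the perf_event are simulated, and the pre-patch and patched probe sequences are run with a forced migration between the release and the per-cpu cleanup; every name other than watchdog_ev is assumed for the model.

```c
#include <stddef.h>
#define NR_CPUS 4
/* Simulated perf_event: a freed flag instead of free(), so stale pointers stay inspectable. */
struct perf_event { int freed; };
static struct perf_event event_pool[8];
static int next_event;
static struct perf_event *watchdog_ev[NR_CPUS]; /* stands in for the per-cpu variable */
static int cur_cpu;                              /* stands in for raw_smp_processor_id() */

static void fresh_boot(void) { for (int c = 0; c < NR_CPUS; c++) watchdog_ev[c] = NULL; }
static void event_release(struct perf_event *evt) { evt->freed = 1; } /* perf_event_release_kernel() */

static struct perf_event *event_create(void)
{
	struct perf_event *evt = &event_pool[next_event++ % 8];
	evt->freed = 0;
	return evt;
}

/* Number of CPUs whose watchdog_ev still points at a released event (the UAF source). */
static int stale_cpus(void)
{
	int n = 0;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		n += watchdog_ev[cpu] && watchdog_ev[cpu]->freed;
	return n;
}

/* Pre-patch probe: event_create() writes this_cpu watchdog_ev, cleanup releases this_cpu's event, the task migrates, and this_cpu_write(NULL) hits the wrong CPU. */
static int probe_before_fix(int start_cpu, int migrate_to)
{
	fresh_boot();
	cur_cpu = start_cpu;
	watchdog_ev[cur_cpu] = event_create();
	event_release(watchdog_ev[cur_cpu]);
	cur_cpu = migrate_to; /* migration between release and clear */
	watchdog_ev[cur_cpu] = NULL;
	return stale_cpus();
}

/* Patched probe: the event is returned and released by pointer; per-CPU state is never written, so a migration in the middle has nothing to corrupt. */
static int probe_after_fix(int start_cpu, int migrate_to)
{
	fresh_boot();
	cur_cpu = start_cpu;
	struct perf_event *evt = event_create();
	cur_cpu = migrate_to;
	event_release(evt);
	return stale_cpus();
}
```

Without a migration (start and destination CPU equal) the old sequence is also clean, which is why the bug only shows up as an intermittent boot-time KASAN report.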