From: yuhaocheng035@gmail.com
To: peterz@infradead.org
Cc: acme@kernel.org, security@kernel.org, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, gregkh@linuxfoundation.org
Subject: [PATCH v2] perf/core: Fix refcount bug and potential UAF in perf_mmap
Date: Tue, 3 Feb 2026 00:20:56 +0800
Message-ID: <20260202162057.7237-1-yuhaocheng035@gmail.com>
X-Mailer: git-send-email 2.51.0
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
From: Haocheng Yu

Syzkaller reported a refcount_t: addition on 0; use-after-free warning in
perf_mmap.

The issue is caused by a race condition between a failing mmap() setup and
a concurrent mmap() on a dependent event (e.g., using output redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb
with the mmap_mutex held. The mutex is then released to perform map_range().
If map_range() fails, perf_mmap_close() is called to clean up.

However, since the mutex was dropped, another thread attaching to this event
(via inherited events or output redirection) can acquire the mutex, observe
the valid event->rb pointer, and attempt to increment its reference count.
If the cleanup path has already dropped the reference count to zero, this
results in a use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the map_range() call.
This ensures that the ring buffer initialization and mapping (or cleanup on
failure) happens atomically effectively, preventing other threads from
accessing a half-initialized or dying ring buffer.

Reported-by: kernel test robot
Closes: https://lore.kernel.org/oe-kbuild-all/202602020208.m7KIjdzW-lkp@intel.com/
Signed-off-by: Haocheng Yu
---
 kernel/events/core.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 2c35acc2722b..abefd1213582 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7167,28 +7167,28 @@ static int perf_mmap(struct file *file, struct vm_a= rea_struct *vma) ret =3D perf_mmap_aux(vma, event, nr_pages); if (ret) return ret; - } =20 - /* - * Since pinned accounting is per vm we cannot allow fork() to copy our - * vma. - */ - vm_flags_set(vma, VM_DONTCOPY | VM_DONTEXPAND | VM_DONTDUMP); - vma->vm_ops =3D &perf_mmap_vmops; + /* + * Since pinned accounting is per vm we cannot allow fork() to copy our + * vma. + */ + vm_flags_set(vma, VM_DONTCOPY | VM_DONTEXPAND | VM_DONTDUMP); + vma->vm_ops =3D &perf_mmap_vmops; =20 - mapped =3D get_mapped(event, event_mapped); - if (mapped) - mapped(event, vma->vm_mm); + mapped =3D get_mapped(event, event_mapped); + if (mapped) + mapped(event, vma->vm_mm); =20 - /* - * Try to map it into the page table. On fail, invoke - * perf_mmap_close() to undo the above, as the callsite expects - * full cleanup in this case and therefore does not invoke - * vmops::close(). - */ - ret =3D map_range(event->rb, vma); - if (ret) - perf_mmap_close(vma); + /* + * Try to map it into the page table. On fail, invoke + * perf_mmap_close() to undo the above, as the callsite expects + * full cleanup in this case and therefore does not invoke + * vmops::close(). + */ + ret =3D map_range(event->rb, vma); + if (ret) + perf_mmap_close(vma); + } =20 return ret; } base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 --=20 2.51.0
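Review bot: in the re-indented block, perf_mmap_close(vma) is now called while event->mmap_mutex is still held (the closing `}` that the hunk moves below it is, per the commit message, the end of the mmap_mutex scope), so please confirm that perf_mmap_close() does not itself acquire event->mmap_mutex on its way to dropping the rb reference; the comment kept in the hunk notes it is the vmops::close handler, which is normally invoked without this lock, and if it does take the mutex on the last-unmap path the change self-deadlocks in exactly the failure case it is meant to fix. If it does, either show in the changelog why that path is not reached here, or restructure so that the part of the cleanup which needs the mutex runs inside the scope and perf_mmap_close() is called after the guarded block ends. The hunk also does not show the line that opens the block whose `}` is moved; the visible context `ret = perf_mmap_aux(...); if (ret) return ret; }` reads like the end of a branch, so one more context line above (or a sentence below `---`) would let reviewers verify it is the mutex scope and not an `if`/`else` body. Since vm_flags_set(), the vma->vm_ops assignment and the pmu event_mapped callback now also run under the mutex, a lockdep run through the failing map_range() path is worth mentioning, together with the v1 -> v2 summary that is missing below `---`.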