[PATCH] perf: Fix deadlock in perf_mmap()

Next message: Johan Hovold: "[PATCH v2] net: mdio: mvusb: drop redundant device reference"
Previous message: Shi Hao: "[PATCH] dt-bindings: gpio: convert Cavium ThunderX GPIO binding to YAML"
Next in thread: Ian Rogers: "Re: [PATCH] perf: Fix deadlock in perf_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Qing Wang

Date: Mon Mar 09 2026 - 04:27:03 EST

There is a possible deadlock in perf_mmap() if mmap_range() fails then
perf_mmap_close() is called while holding event->mmap_mutex. Since
perf_mmap_close() also acquire the same mutex, this result in self-deadlock.

Fix this by moving the cleanup(perf_mmap_close()) outside the scope of
scoped_guard(mutex, &event->mmap_mutex).

Fixes: 77de62ad3de3 ("perf/core: Fix refcount bug and potential UAF in perf_mmap")
Reported-by: syzbot+196a82fd904572696b3c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=196a82fd904572696b3c
Signed-off-by: Qing Wang <wangqing7171@xxxxxxxxx>
---
kernel/events/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 1f5699b339ec..e5ce03ce926d 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7485,9 +7485,12 @@ static int perf_mmap(struct file *file, struct vm_area_struct *vma)
*/
ret = map_range(event->rb, vma);
if (ret)
- perf_mmap_close(vma);
+ goto out_close;
}
+ return 0;

+out_close:
+ perf_mmap_close(vma);
return ret;
}

--
2.34.1