Re: [PATCH] perf: Fix data race in perf_event_set_bpf_handler()

Next message: Jingyi Wang: "[PATCH v4 10/10] arm64: defconfig: Enable Kaanapali clock controllers"
Previous message: Jingyi Wang: "[PATCH v4 09/10] arm64: dts: qcom: kaanapali: Add support for MM clock controllers for Kaanapali"
In reply to: Henry Zhang: "[PATCH] perf: Fix data race in perf_event_set_bpf_handler()"
Next in thread: Peter Zijlstra: "Re: [PATCH] perf: Fix data race in perf_event_set_bpf_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Qing Wang

Date: Tue Jan 27 2026 - 03:37:38 EST

On Tue, 27 Jan 2026 at 10:36, Henry Zhang <henryzhangjcle@xxxxxxxxx> wrote:
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index a0fa488bce84..1f3ed9e87507 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -10349,7 +10349,7 @@ static inline int perf_event_set_bpf_handler(struct perf_event *event,
> return -EPROTO;
> }
>
> - event->prog = prog;
> + WRITE_ONCE(event->prog, prog);
> event->bpf_cookie = bpf_cookie;
> return 0;
> }
> @@ -10407,7 +10407,9 @@ static int __perf_event_overflow(struct perf_event *event,
> if (event->attr.aux_pause)
> perf_event_aux_pause(event->aux_event, true);
>
> - if (event->prog && event->prog->type == BPF_PROG_TYPE_PERF_EVENT &&
> + struct bpf_prog *prog = READ_ONCE(event->prog);
> +
> + if (prog && prog->type == BPF_PROG_TYPE_PERF_EVENT &&
> !bpf_overflow_handler(event, data, regs))
> goto out;

Looking at this code, I guess there may be an serious issue: a potential
use-after-free (UAF) risk when accessing event->prog in __perf_event_overflow.

CPU 0 (interrupt context) CPU 1 (process context)
read event->prog
perf_event_free_bpf_handler()
put(prog)
free(prog)
access memory pointed to by prog

This scenario need to be more analysis.

--
Qing