Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap

Next message: Philipp Zabel: "Re: [PATCH v4 2/3] reset: tenstorrent: Add reset controller for Atlantis"
Previous message: Alain Volmat: "[PATCH 11/13] media: stm32: dcmipp: add pixel-pipe support in bytecap"
In reply to: Haocheng Yu: "[PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Next in thread: Peter Zijlstra: "Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Mon Feb 02 2026 - 09:04:49 EST

On Mon, Feb 02, 2026 at 03:44:35PM +0800, Haocheng Yu wrote:
> Syzkaller reported a refcount_t: addition on 0; use-after-free warning
> in perf_mmap.
>
> The issue is caused by a race condition between mmap() and event
> teardown. In perf_mmap(), the ring_buffer (rb) is accessed via
> map_range() after the mmap_mutex is released. If another thread
> closes the event or detaches the buffer during this window, the
> reference count of rb can drop to zero, leading to a UAF or
> refcount saturation when map_range() or subsequent logic attempts
> to use it.

So you're saying this is something like:

Thread-1 Thread-2

mmap(fd)
close(fd) / ioctl(fd, IOC_SET_OUTPUT)

I don't think close() is possible, because mmap() should have a
reference on the struct file from fget(), no?

That leaves the ioctl(), let me go have a peek.