Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap

Next message: Li Chen: "[PATCH v1 1/2] io-wq: add exit-on-idle mode"
Previous message: Christoph Hellwig: "Re: [PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next"
In reply to: Peter Zijlstra: "Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Next in thread: &#x4F59;&#x660A;&#x94D6;: "Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Mon Feb 02 2026 - 09:38:25 EST

On Mon, Feb 02, 2026 at 02:58:59PM +0100, Peter Zijlstra wrote:
> On Mon, Feb 02, 2026 at 03:44:35PM +0800, Haocheng Yu wrote:
> > Syzkaller reported a refcount_t: addition on 0; use-after-free warning
> > in perf_mmap.
> >
> > The issue is caused by a race condition between mmap() and event
> > teardown. In perf_mmap(), the ring_buffer (rb) is accessed via
> > map_range() after the mmap_mutex is released. If another thread
> > closes the event or detaches the buffer during this window, the
> > reference count of rb can drop to zero, leading to a UAF or
> > refcount saturation when map_range() or subsequent logic attempts
> > to use it.
>
> So you're saying this is something like:
>
> Thread-1 Thread-2
>
> mmap(fd)
> close(fd) / ioctl(fd, IOC_SET_OUTPUT)
>
>
> I don't think close() is possible, because mmap() should have a
> reference on the struct file from fget(), no?
>
> That leaves the ioctl(), let me go have a peek.

I'm not seeing it; once perf_mmap_rb() completes, we should have
event->mmap_count != 0, and this the IOC_SET_OUTPUT will fail.

Please provide a better explanation.