Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap

Next message: Lance Yang: "Re: [PATCH v4 0/3] targeted TLB sync IPIs for lockless page table"
Previous message: Ian Abbott: "Re: [PATCH] comedi: fix device lifecycle handling in comedi_dev_kref_release()"
In reply to: Peter Zijlstra: "Re: [PATCH] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Next in thread: yuhaocheng035: "[PATCH v2] perf/core: Fix refcount bug and potential UAF in perf_mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: 余昊铖

Date: Mon Feb 02 2026 - 10:53:36 EST

Hi Peter,

Thanks for the review. You are right, my previous explanation was
inaccurate. The actual race condition occurs between a failing
mmap() on one event and a concurrent mmap() on a second event
that shares the ring buffer (e.g., via output redirection).

Detailed scenario is as follows, for example:
1. Thread A calls mmap(event_A). It allocates the ring buffer, sets
event_A->rb, and initializes refcount to 1. It then drops mmap_mutex.
2. Thread A calls map_range(). Suppose this fails. Thread A then
proceeds to the error path and calls perf_mmap_close().
3. Thread B concurrently calls mmap(event_B), where event_B is
configured to share event_A's buffer. Thread B acquires
event_A->mmap_mutex and sees the valid event_A->rb pointer.
4. The race triggers here: If Thread A's perf_mmap_close() logic
decrements the ring buffer's refcount to 0 (releasing it) but the pointer
event_A->rb is still visible to Thread B (or was read by Thread B before
it was cleared), Thread B triggers the "refcount_t: addition on 0" warning
when it attempts to increment the refcount in perf_mmap_rb().

The fix extends the scope of mmap_mutex to cover map_range() and the
potential error handling path. This ensures that event->rb is only exposed
to other threads after it is fully successfully mapped, or it is cleaned up
atomically inside the lock if mapping fails.

I have updated the commit message accordingly.

Thanks,
Haocheng