CVE-2026-23248

Severity: High (CVSS 3.1 base score 7.8)
EPSS: 2.1%
Published: Mar 18, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix refcount bug and potential UAF in perf_mmap

Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap.

The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range(). If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.

CVSS Details

Base Score 7.8
Exploitability 1.8
Impact 5.9
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 3

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥6.14 – <6.18.17
linux   linux_kernel  *        ≥6.19 – <6.19.7
linux   linux_kernel  7.0      any
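
A quick triage check against the ranges listed above, added here as an example (it is not part of the advisory or of the kernel patches). The function names are hypothetical, and reading the "7.0 any" row as 7.0 and its pre-releases without a stable patch number is an assumption.

```shell
#!/bin/sh
# Added example: classify a kernel release string (as printed by `uname -r`)
# against the "Affected Products" ranges for CVE-2026-23248 on this page.

# ver_num RELEASE -> prints MAJOR*1000000 + MINOR*1000 + PATCH
ver_num() {
    # Keep only the leading digits and dots:
    # "6.18.5-200.fc43.x86_64" -> "6.18.5", "7.0-rc2" -> "7.0"
    v=${1%%[!0-9.]*}
    old_ifs=$IFS
    IFS=.
    set -- $v            # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# cve_2026_23248_status RELEASE -> prints "affected" or "not-listed"
cve_2026_23248_status() {
    n=$(ver_num "$1")
    if [ "$n" -ge 6014000 ] && [ "$n" -lt 6018017 ]; then
        echo affected        # >= 6.14 and < 6.18.17
    elif [ "$n" -ge 6019000 ] && [ "$n" -lt 6019007 ]; then
        echo affected        # >= 6.19 and < 6.19.7
    elif [ "$n" -eq 7000000 ]; then
        # Assumption: the "7.0 any" row covers 7.0 and 7.0-rcN only;
        # 7.0.N stable updates are not listed on the page.
        echo affected
    else
        echo not-listed
    fi
}

# Classify the argument if given, otherwise the running kernel.
cve_2026_23248_status "${1:-$(uname -r)}"
```

Distribution kernels often backport fixes without changing the upstream version number, so treat an "affected" result as a prompt to check the vendor's advisory or changelog for the referenced commits.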

References 3

  • git.kernel.org https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07
    Patch