git.ipfire.org Git - thirdparty/linux.git/commit

author	Peter Zijlstra <peterz@infradead.org>
	Thu, 26 Mar 2026 11:28:21 +0000 (12:28 +0100)
committer	Peter Zijlstra <peterz@infradead.org>
	Tue, 5 May 2026 10:47:20 +0000 (12:47 +0200)
commit	c69df06e4e26e50611190ce04eab92c5cc261b61
tree	675f2393ab9178acc4ec6365c00c9aa9a042c3b2	tree \| snapshot
parent	7fd2df204f342fc17d1a0bfcd474b24232fb0f32	commit \| diff

perf/core: Fix deadlock in perf_mmap() failure path

Ian noted that commit 77de62ad3de3 ("perf/core: Fix refcount bug and
potential UAF in perf_mmap") would cause a deadlock due to
event->mmap_mutex recursion.

This happens because we're now calling perf_mmap_close() under
mmap_mutex, while that function itself can also take mmap_mutex.

Solve this by noting that perf_mmap_close() is far more complicated
than we need at this particular point, since it deals with scenarios
that cannot happen in this particular case.

Replace the call to perf_mmap_close() with a very narrow undo for the
case of first-exposure. If this is not the first mmap(), there is no
race and it is fine to drop the lock and call perf_mmap_close() to
handle to more complicated scenarios.

Note: move the rb->mmap_user (namespace) handling into the rb
init/free code such that it does not complicate the mmap handling.

Fixes: 77de62ad3de3 ("perf/core: Fix refcount bug and potential UAF in perf_mmap")
Reported-by: Ian Rogers <irogers@google.com>
Closes: https://patch.msgid.link/CAP-5%3DfVJyVMZw%3DDqP53Kxg58nUmJ_0bxoaeOKAbC03BVc11HaA%40mail.gmail.com
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260326112821.GK3738786@noisy.programming.kicks-ass.net

kernel/events/core.c		diff \| blob \| blame \| history
kernel/events/internal.h		diff \| blob \| blame \| history
kernel/events/ring_buffer.c		diff \| blob \| blame \| history