From 6c0985b1f0bc8d07162fa8904c9cf63eaf60210a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 Aug 2025 12:20:21 +0200 Subject: [PATCH] 5.4-stable patches added patches: perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch perf-core-exit-early-on-perf_mmap-fail.patch perf-core-prevent-vma-split-of-buffer-mappings.patch --- ...uffer-refcount-on-allocation-failure.patch | 54 +++++++++++++++ ...rf-core-exit-early-on-perf_mmap-fail.patch | 37 ++++++++++ ...prevent-vma-split-of-buffer-mappings.patch | 69 +++++++++++++++++++ queue-5.4/series | 3 + 4 files changed, 163 insertions(+) create mode 100644 queue-5.4/perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch create mode 100644 queue-5.4/perf-core-exit-early-on-perf_mmap-fail.patch create mode 100644 queue-5.4/perf-core-prevent-vma-split-of-buffer-mappings.patch diff --git a/queue-5.4/perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch b/queue-5.4/perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch new file mode 100644 index 0000000000..4586874f28 --- /dev/null +++ b/queue-5.4/perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch @@ -0,0 +1,54 @@ +From 1a76209abd468a04ff183c4ba9282a7c37650544 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sat, 2 Aug 2025 12:39:39 +0200 +Subject: perf/core: Don't leak AUX buffer refcount on allocation failure + +From: Thomas Gleixner + +commit 5468c0fbccbb9d156522c50832244a8b722374fb upstream. + +Failure of the AUX buffer allocation leaks the reference count. + +Set the reference count to 1 only when the allocation succeeds. + +Fixes: 45bfb2e50471 ("perf/core: Add AUX area to ring buffer for raw data streams") +Signed-off-by: Thomas Gleixner +Reviewed-by: Lorenzo Stoakes +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5877,9 +5877,7 @@ static int perf_mmap(struct file *file, + goto unlock; + } + +- atomic_set(&rb->aux_mmap_count, 1); + user_extra = nr_pages; +- + goto accounting; + } + +@@ -5986,8 +5984,10 @@ accounting: + } else { + ret = rb_alloc_aux(rb, event, vma->vm_pgoff, nr_pages, + event->attr.aux_watermark, flags); +- if (!ret) ++ if (!ret) { ++ atomic_set(&rb->aux_mmap_count, 1); + rb->aux_mmap_locked = extra; ++ } + } + + unlock: +@@ -5997,6 +5997,7 @@ unlock: + + atomic_inc(&event->mmap_count); + } else if (rb) { ++ /* AUX allocation failed */ + atomic_dec(&rb->mmap_count); + } + aux_unlock: diff --git a/queue-5.4/perf-core-exit-early-on-perf_mmap-fail.patch b/queue-5.4/perf-core-exit-early-on-perf_mmap-fail.patch new file mode 100644 index 0000000000..fb872c7856 --- /dev/null +++ b/queue-5.4/perf-core-exit-early-on-perf_mmap-fail.patch @@ -0,0 +1,37 @@ +From 8dfa884e9021cb0a9c85c2ed7b712432f1a10ec3 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sat, 2 Aug 2025 12:49:48 +0200 +Subject: perf/core: Exit early on perf_mmap() fail + +From: Thomas Gleixner + +commit 07091aade394f690e7b655578140ef84d0e8d7b0 upstream. + +When perf_mmap() fails to allocate a buffer, it still invokes the +event_mapped() callback of the related event. On X86 this might increase +the perf_rdpmc_allowed reference counter. But nothing undoes this as +perf_mmap_close() is never called in this case, which causes another +reference count leak. + +Return early on failure to prevent that. + +Fixes: 1e0fb9ec679c ("perf/core: Add pmu callbacks to track event mapping and unmapping") +Signed-off-by: Thomas Gleixner +Reviewed-by: Lorenzo Stoakes Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -6003,6 +6003,9 @@ unlock: + aux_unlock: + mutex_unlock(&event->mmap_mutex); + ++ if (ret) ++ return ret; ++ + /* + * Since pinned accounting is per vm we cannot allow fork() to copy our + * vma. diff --git a/queue-5.4/perf-core-prevent-vma-split-of-buffer-mappings.patch b/queue-5.4/perf-core-prevent-vma-split-of-buffer-mappings.patch new file mode 100644 index 0000000000..439a2b8392 --- /dev/null +++ b/queue-5.4/perf-core-prevent-vma-split-of-buffer-mappings.patch @@ -0,0 +1,69 @@ +From a7254c9bf0bf1210bbe7923f64dd314db1e9476f Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 30 Jul 2025 23:01:21 +0200 +Subject: perf/core: Prevent VMA split of buffer mappings + +From: Thomas Gleixner + +commit b024d7b56c77191cde544f838debb7f8451cd0d6 upstream. + +The perf mmap code is careful about mmap()'ing the user page with the +ringbuffer and additionally the auxiliary buffer, when the event supports +it. Once the first mapping is established, subsequent mapping have to use +the same offset and the same size in both cases. The reference counting for +the ringbuffer and the auxiliary buffer depends on this being correct. + +Though perf does not prevent that a related mapping is split via mmap(2), +munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, +which take reference counts, but then the subsequent perf_mmap_close() +calls are not longer fulfilling the offset and size checks. This leads to +reference count leaks. + +As perf already has the requirement for subsequent mappings to match the +initial mapping, the obvious consequence is that VMA splits, caused by +resizing of a mapping or partial unmapping, have to be prevented. + +Implement the vm_operations_struct::may_split() callback and return +unconditionally -EINVAL. + +That ensures that the mapping offsets and sizes cannot be changed after the +fact. Remapping to a different fixed address with the same size is still +possible as it takes the references for the new mapping and drops those of +the old mapping. + +Fixes: 45bfb2e50471 ("perf/core: Add AUX area to ring buffer for raw data streams") +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27504 +Signed-off-by: Thomas Gleixner +Reviewed-by: Lorenzo Stoakes +Acked-by: Arnaldo Carvalho de Melo +Acked-by: Vlastimil Babka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5789,11 +5789,21 @@ out_put: + ring_buffer_put(rb); /* could be last */ + } + ++static int perf_mmap_may_split(struct vm_area_struct *vma, unsigned long addr) ++{ ++ /* ++ * Forbid splitting perf mappings to prevent refcount leaks due to ++ * the resulting non-matching offsets and sizes. See open()/close(). ++ */ ++ return -EINVAL; ++} ++ + static const struct vm_operations_struct perf_mmap_vmops = { + .open = perf_mmap_open, + .close = perf_mmap_close, /* non mergeable */ + .fault = perf_mmap_fault, + .page_mkwrite = perf_mmap_fault, ++ .split = perf_mmap_may_split, + }; + + static int perf_mmap(struct file *file, struct vm_area_struct *vma) diff --git a/queue-5.4/series b/queue-5.4/series index 6f09203052..db20e0330a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -144,3 +144,6 @@ net-drop-ufo-packets-in-udp_rcv_segment.patch benet-fix-bug-when-creating-vfs.patch smb-client-let-recv_done-cleanup-before-notifying-th.patch pptp-fix-pptp_xmit-error-path.patch +perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch +perf-core-exit-early-on-perf_mmap-fail.patch +perf-core-prevent-vma-split-of-buffer-mappings.patch -- 2.47.3