Linux Perf Users
 help / color / mirror / Atom feed
* [PATCH] perf/core: Fix group leader use-after-free after sibling detach
@ 2026-06-26  9:54 Aditya Chillara
  2026-06-29  2:58 ` Mi, Dapeng
  0 siblings, 1 reply; 5+ messages in thread
From: Aditya Chillara @ 2026-06-26  9:54 UTC (permalink / raw)
  To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
	Ian Rogers, Adrian Hunter, James Clark
  Cc: Peter Zijlstra, Ingo Molnar, linux-perf-users, linux-kernel,
	stable, Aditya Chillara

perf_group_detach() handles leader and sibling detach differently. When the
group leader is detached, all siblings are promoted to singleton events and
their group_leader pointer is reset to themselves. When a sibling is
detached, it is removed from the leader's sibling_list, but its
group_leader pointer is left pointing at the old leader.

That is harmless when the sibling is being closed and freed immediately, as
in the DETACH_DEAD path. It is not safe when the sibling is detached but
kept alive, such as during CPU hotplug with DETACH_GROUP. In that case the
sibling is removed from the context, while its file descriptor can still
keep it alive.

A typical failing sequence is:

  - A group contains leader L and sibling S.
  - CPU hot-unplug detaches S with DETACH_GROUP, removing it from
    L->sibling_list but leaving S->group_leader == L.
  - L is later closed and freed.
  - A PERF_IOC_FLAG_GROUP ioctl on S follows S->group_leader and
    dereferences the freed leader.

This was reproduced by running the perf event fuzzer, CPU hotplug, and a
stress workload concurrently:

Unable to handle kernel paging request at virtual address 006b6b6b6b6b6cdb
CPU: 2 PID: 12489 Comm: perf_fuzzer 6.18.7 PREEMPT
pc : perf_ioctl+0x34c/0xc68
x20: ffffff89a3fa2c70 x8 : 6b6b6b6b6b6b6b6b
Code: 943c4a0e 340047a0 f9404a94 f9411e88 (f940b908)
Call trace:
perf_ioctl+0x34c/0xc68 (P)
__arm64_sys_ioctl+0xa0/0xf4
invoke_syscall+0x58/0xe4
el0_svc_common+0xa8/0xdc
do_el0_svc+0x1c/0x28
el0_svc+0x40/0xc0
el0t_64_sync_handler+0x68/0xdc
el0t_64_sync+0x1c4/0x1c8

The fault happened in perf_ioctl(), where perf_event_for_each() follows
the stale group_leader pointer and perf_event_for_each_child() then
dereferences the freed leader's context.

Fix the use-after-free by promoting the detached sibling to a singleton.

Fixes: 8a49542c0554 ("perf_events: Fix races in group composition")
Assisted-by: PatchWise:gpt-5.5
Signed-off-by: Aditya Chillara <aditya.chillara@oss.qualcomm.com>
---
 kernel/events/core.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 954c36e28101..dd9892040ab2 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2605,6 +2605,26 @@ __perf_remove_from_context(struct perf_event *event,
 		perf_child_detach(event);
 	list_del_event(event, ctx);
 
+	if ((flags & DETACH_GROUP) && event->group_leader != event) {
+		/*
+		 * list_del_event() needed the old group_leader to tell a real
+		 * leader from a sibling. That's done now, so make the detached
+		 * sibling self-contained.
+		 */
+		event->group_leader = event;
+		event->group_caps = event->event_caps;
+
+		/*
+		 * PERF_EV_CAP_SIBLING event requires being part of a group, so move
+		 * the event to ERROR state if it is still alive.
+		 */
+		if ((event->event_caps & PERF_EV_CAP_SIBLING) &&
+		    event->state > PERF_EVENT_STATE_ERROR)
+			perf_event_set_state(event, PERF_EVENT_STATE_ERROR);
+
+		perf_event__header_size(event);
+	}
+
 	if (!pmu_ctx->nr_events) {
 		pmu_ctx->rotate_necessary = 0;
 

---
base-commit: ab9de95c9cf952332ab79453b4b5d1bfca8e514f
change-id: 20260626-fix-group-leader-uaf-c46960e525e0

Best regards,
--  
Aditya Chillara <aditya.chillara@oss.qualcomm.com>


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-06-29 19:15 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-26  9:54 [PATCH] perf/core: Fix group leader use-after-free after sibling detach Aditya Chillara
2026-06-29  2:58 ` Mi, Dapeng
2026-06-29  4:00   ` Aditya Chillara
2026-06-29  7:06     ` Mi, Dapeng
2026-06-29 19:15       ` Aditya Chillara

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox