[patch V2 RESEND 0/6] perf: Convert mmap() related reference counts to refcount_t

[Thomas Gleixner <tglx@linutronix.de>]

[ Resend because I fat-fingered the template. Sorry for the noise ]

This is an update to V1 of this conversion series, which can be found here:

  https://lore.kernel.org/all/20250806195624.880096284@linutronix.de

The recently fixed reference count leaks could have been detected by using
refcount_t and refcount_t would have mitigated the potential overflow at
least.

It turned out that converting the code as is does not work as the
allocation code ends up doing a refcount_inc() for the first allocation,
which causes refcount_t sanity checks to emit a UAF warning.

The reason is that the code is sharing functionality at the wrong level and
ends up being overly complicated for no reason. That's what inevitable led
to the refcount leak problems.

Address this by splitting the ringbuffer and the AUX buffer mapping and
allocation parts out into seperate functions, which handle the reference
counts in a sane way.

That not only simplifies the code and makes it halfways comprehensible, but
also allows to convert the mmap() related reference counts to refcount_t.

It survives lightweight testing with perf and passes the perf/mmap
selftest.

Changes vs. V1:

  - Fix the invers condition in the temporary workaround for the AUX buffer
    split out - Lorenzo

  - Apply writable flags in the AUX buffer allocation - Lorenzo

  - Fix the bogus subject line of the AUX buffer allocation splitout

  - Add a comment about size matching

  - Rebased on v16.17-rc1

  - Picked up Reviewed tags as far as applicable

Delta patch below

The series applies on top of Linus tree and is also available from git:

    git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git perf/refcounts

Thanks,

	tglx
---
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 2f061d392cd9..d2de721a7614 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6987,6 +6987,7 @@ static int perf_mmap_rb(struct vm_area_struct *vma, struct perf_event *event,
        WARN_ON_ONCE(event->ctx->parent_ctx);
 
        if (rb) {
+               /* Must have the same size */
                if (data_page_nr(rb) != nr_pages)
                        return -EINVAL;
 
@@ -7084,6 +7085,9 @@ static int perf_mmap_aux(struct vm_area_struct *vma, struct perf_event *event,
                return -EPERM;
        }
 
+       if (vma->vm_flags & VM_WRITE)
+               rb_flags |= RING_BUFFER_WRITABLE;
+
        ret = rb_alloc_aux(rb, event, vma->vm_pgoff, nr_pages,
                           event->attr.aux_watermark, rb_flags);
        if (ret) {

---
 include/linux/perf_event.h  |    2 
 kernel/events/core.c        |  365 ++++++++++++++++++++++----------------------
 kernel/events/internal.h    |    4 
 kernel/events/ring_buffer.c |    2 
 4 files changed, 189 insertions(+), 184 deletions(-)