lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20260127083719.1347209-1-wangqing7171@gmail.com>
Date: Tue, 27 Jan 2026 16:37:19 +0800
From: Qing Wang <wangqing7171@...il.com>
To: henryzhangjcle@...il.com
Cc: acme@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-perf-users@...r.kernel.org,
	mingo@...hat.com,
	peterz@...radead.org,
	syzbot+2a077cb788749964cf68@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com,
	zeri@...ch.edu
Subject: Re: [PATCH] perf: Fix data race in perf_event_set_bpf_handler()

On Tue, 27 Jan 2026 at 10:36, Henry Zhang <henryzhangjcle@...il.com> wrote:
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index a0fa488bce84..1f3ed9e87507 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -10349,7 +10349,7 @@ static inline int perf_event_set_bpf_handler(struct perf_event *event,
>  		return -EPROTO;
>  	}
>  
> -	event->prog = prog;
> +	WRITE_ONCE(event->prog, prog);
>  	event->bpf_cookie = bpf_cookie;
>  	return 0;
>  }
> @@ -10407,7 +10407,9 @@ static int __perf_event_overflow(struct perf_event *event,
>  	if (event->attr.aux_pause)
>  		perf_event_aux_pause(event->aux_event, true);
>  
> -	if (event->prog && event->prog->type == BPF_PROG_TYPE_PERF_EVENT &&
> +	struct bpf_prog *prog = READ_ONCE(event->prog);
> +
> +	if (prog && prog->type == BPF_PROG_TYPE_PERF_EVENT &&
>  	    !bpf_overflow_handler(event, data, regs))
>  		goto out;

Looking at this code, I guess there may be an serious issue: a potential
use-after-free (UAF) risk when accessing event->prog in __perf_event_overflow.

CPU 0 (interrupt context)               CPU 1 (process context)
read event->prog
                                        perf_event_free_bpf_handler()
                                            put(prog)
                                                free(prog)
access memory pointed to by prog

This scenario need to be more analysis.

--
Qing

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ