LKML Archive on
 help / color / Atom feed
From: Jiri Olsa <>
To: Peter Zijlstra <>,
	Arnaldo Carvalho de Melo <>
Cc: lkml <>,
	Ingo Molnar <>,
	Namhyung Kim <>,
	Alexander Shishkin <>,
	Michael Petlan <>,
	Wade Mealing <>
Subject: [PATCH] perf: Fix race in perf_mmap_close function
Date: Thu, 10 Sep 2020 12:41:53 +0200
Message-ID: <> (raw)

There's a possible race in perf_mmap_close when checking ring buffer's
mmap_count refcount value. The problem is that the mmap_count check is
not atomic because we call atomic_dec and atomic_read separately.

   if (atomic_read(&rb->mmap_count))
      goto out_put;

   <ring buffer detach>

  ring_buffer_put(rb); /* could be last */

The race can happen when we have two (or more) events sharing same ring
buffer and they go through atomic_dec and then they both see 0 as refcount
value later in atomic_read. Then both will go on and execute code which
is meant to be run just once.

The code that detaches ring buffer is probably fine to be executed more
than once, but the problem is in calling free_uid, which will later on
demonstrate in related crashes and refcount warnings, like:

  refcount_t: addition on 0; use-after-free.
  RIP: 0010:refcount_warn_saturate+0x6d/0xf
  Call Trace:

Using atomic decrease and check instead of separated calls.
This fixes CVE-2020-14351.

Signed-off-by: Jiri Olsa <>
 kernel/events/core.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 7ed5248f0445..29313cc54d9e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5903,8 +5903,6 @@ static void perf_mmap_close(struct vm_area_struct *vma)
-	atomic_dec(&rb->mmap_count);
 	if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex))
 		goto out_put;
@@ -5912,7 +5910,7 @@ static void perf_mmap_close(struct vm_area_struct *vma)
 	/* If there's still other mmap()s of this buffer, we're done. */
-	if (atomic_read(&rb->mmap_count))
+	if (!atomic_dec_and_test(&rb->mmap_count))
 		goto out_put;

             reply index

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-10 10:41 Jiri Olsa [this message]
2020-09-10 13:48 ` Namhyung Kim
2020-09-10 14:47   ` Jiri Olsa
2020-09-11  3:05     ` Namhyung Kim
2020-09-11  7:49       ` Jiri Olsa
2020-09-14 12:48         ` Namhyung Kim
2020-09-14 20:59           ` Jiri Olsa
2020-09-15 15:35             ` Michael Petlan
2020-09-16 11:53               ` [PATCHv2] " Jiri Olsa
2020-09-16 13:54                 ` peterz
2020-09-16 14:38                   ` Jiri Olsa
2020-09-16 14:05                 ` peterz
2020-10-12 11:45                 ` [tip: perf/core] perf/core: Fix race in the perf_mmap_close() function tip-bot2 for Jiri Olsa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on

Archives are clonable:
	git clone --mirror lkml/git/0.git
	git clone --mirror lkml/git/1.git
	git clone --mirror lkml/git/2.git
	git clone --mirror lkml/git/3.git
	git clone --mirror lkml/git/4.git
	git clone --mirror lkml/git/5.git
	git clone --mirror lkml/git/6.git
	git clone --mirror lkml/git/7.git
	git clone --mirror lkml/git/8.git
	git clone --mirror lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ \
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone