bpf: Add LINK_DETACH for perf links by kernel-patches-daemon-bpf[bot] · Pull Request #11291 · kernel-patches/bpf

kernel-patches-daemon-bpf · 2026-03-04T21:34:39Z

Pull request for series with
subject: bpf: Add LINK_DETACH for perf links
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570

kernel-patches-daemon-bpf · 2026-03-04T21:34:41Z

Upstream branch: 05c9b2e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-review-bot · 2026-03-04T21:53:07Z

commit b516258b868c21c868025562bd2d812f909cfe80
Author: Florian Lehner <dev@der-flo.net>

bpf: Add LINK_DETACH support for perf link

This patch adds a detach callback for bpf_perf_link so that
BPF_LINK_DETACH can be used to detach a BPF program from its perf
event while keeping the link fd alive.  The release path is made
idempotent with xchg(), and fill_link_info/show_fdinfo gain NULL
guards for the detached case.

> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -3863,10 +3863,23 @@ struct bpf_perf_link {
>  static void bpf_perf_link_release(struct bpf_link *link)
>  {
>  	struct bpf_perf_link *perf_link = container_of(link, struct bpf_perf_link, link);
> -	struct perf_event *event = perf_link->perf_file->private_data;
> +	struct perf_event *event;
> +	struct file *perf_file;
> +
> +	/* bpf_perf_link_detach() may have already released perf_file */
> +	perf_file = xchg(&perf_link->perf_file, NULL);
> +	if (!perf_file)
> +		return;
> +
> +	event = perf_file->private_data;
>  	perf_event_free_bpf_prog(event);
> -	fput(perf_link->perf_file);
> +	fput(perf_file);
> +}

[ ... ]

> @@ -4075,9 +4088,13 @@ static int bpf_perf_link_fill_link_info(const struct bpf_link *link,
>  {
>  	struct bpf_perf_link *perf_link;
>  	const struct perf_event *event;
> +	struct file *perf_file;
> +
>  	perf_link = container_of(link, struct bpf_perf_link, link);
> -	event = perf_get_event(perf_link->perf_file);
> +	perf_file = READ_ONCE(perf_link->perf_file);
> +	if (!perf_file)
> +		return 0;
> +	event = perf_get_event(perf_file);

Could bpf_perf_link_fill_link_info() race with bpf_perf_link_release()
here?

After READ_ONCE reads a non-NULL perf_file, no reference is taken on
the file.  A concurrent BPF_LINK_DETACH on another CPU can call
bpf_perf_link_release(), which does xchg() followed by fput().  If
the perf event fd has already been closed by userspace, fput() drops
the last reference.  Once the detaching thread returns to userspace,
task_work runs __fput and frees the file struct.

At that point perf_get_event() dereferences file->f_op on freed
memory:

  Thread A (BPF_OBJ_GET_INFO_BY_FD)      Thread B (BPF_LINK_DETACH)
  --------------------------------       --------------------------
  perf_file = READ_ONCE(...)  [non-NULL]
                                         xchg(&..., NULL)
                                         fput(perf_file)
                                         return to userspace
                                         task_work -> __fput -> free
  perf_get_event(perf_file) -> UAF

The xdp and cgroup link types handle this by serializing
fill_link_info and release under a shared lock (rtnl_lock and
cgroup_lock respectively):

kernel/bpf/cgroup.c:bpf_cgroup_link_fill_link_info() {
    cgroup_lock();
    if (cg_link->cgroup)
        cg_id = cgroup_id(cg_link->cgroup);
    cgroup_unlock();
}

net/core/dev.c:bpf_xdp_link_fill_link_info() {
    rtnl_lock();
    if (xdp_link->dev)
        ifindex = xdp_link->dev->ifindex;
    rtnl_unlock();
}

The same issue applies to bpf_perf_link_show_fdinfo() below.

> @@ -4143,9 +4160,13 @@ static void bpf_perf_link_show_fdinfo(const struct bpf_link *link,
>  {
>  	struct bpf_perf_link *perf_link;
>  	const struct perf_event *event;
> +	struct file *perf_file;
> +
>  	perf_link = container_of(link, struct bpf_perf_link, link);
> -	event = perf_get_event(perf_link->perf_file);
> +	perf_file = READ_ONCE(perf_link->perf_file);
> +	if (!perf_file)
> +		return;
> +	event = perf_get_event(perf_file);

Same race as bpf_perf_link_fill_link_info() above -- a concurrent
BPF_LINK_DETACH can free perf_file between the READ_ONCE and the
perf_get_event() call.

AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

In-Reply-To-Subject: bpf: Add LINK_DETACH support for perf link
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22690413273

kernel-patches-daemon-bpf · 2026-03-04T22:01:20Z

Forwarding comment 4000532898 via email
In-Reply-To: 20260304210212.235096-2-dev@der-flo.net
Patch: https://patchwork.kernel.org/project/netdevbpf/patch/20260304210212.235096-2-dev@der-flo.net/

kernel-patches-daemon-bpf · 2026-03-05T01:19:10Z

Upstream branch: 4faa189
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-05T23:23:37Z

Upstream branch: 748f9c6
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-05T23:38:47Z

Upstream branch: 6dd780f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-09T01:06:59Z

Upstream branch: 099bded
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-09T16:47:35Z

Upstream branch: bd2e02e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-10T01:22:42Z

Upstream branch: bd2e02e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-10T19:00:43Z

Upstream branch: 0c55d48
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

kernel-patches-daemon-bpf · 2026-03-11T01:12:26Z

Upstream branch: e95e85b
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570
version: 2

Add bpf_perf_link_detach() to allow detaching a BPF program from its perf event via BPF_LINK_DETACH while keeping the link file descriptor alive. This mirrors the existing behavior for xdp and cgroup links and enables temporarily disabling uprobes or other perf event-based programs that are attached via bpf_perf_links without closing the link. bpf_perf_link_release() is made idempotent using xchg() so that closing the link fd after an explicit LINK_DETACH does not call perf_event_free_bpf_prog() a second time. bpf_perf_link_fill_link_info() and bpf_perf_link_show_fdinfo() gain NULL guards so that querying an already-detached link returns an empty result rather than dereferencing a stale pointer. Signed-off-by: Florian Lehner <dev@der-flo.net>

Add serial_test_perf_link_detach() to verify that the new LINK_DETACH support for BPF perf links works correctly. The test creates a link to a BPF program for a software perf event, confirms the program is executed, calls bpf_link__detach() to exercise the BPF_LINK_DETACH syscall path, and then verifies the program is no longer invoked after detach. Signed-off-by: Florian Lehner <dev@der-flo.net>

kernel-patches-daemon-bpf · 2026-03-11T16:42:42Z

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1061570 expired. Closing PR.

kernel-patches-daemon-bpf Bot added new bpf-next V2 labels Mar 4, 2026

kernel-patches-review-bot Bot added the ai-review label Mar 4, 2026

kernel-patches-daemon-bpf Bot added V2-ci-fail and removed ai-review labels Mar 4, 2026

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from c7dcbca to 69a44ca Compare March 5, 2026 01:15

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 4466bbb to 665984b Compare March 5, 2026 01:19

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from 69a44ca to f264dc7 Compare March 5, 2026 23:19

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 665984b to df33f14 Compare March 5, 2026 23:23

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from f264dc7 to 59120bd Compare March 5, 2026 23:35

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from df33f14 to 25875e9 Compare March 5, 2026 23:38

kernel-patches-daemon-bpf Bot added V2-ci-pass and removed V2-ci-fail labels Mar 6, 2026

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from 59120bd to 94aca0b Compare March 9, 2026 01:04

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 25875e9 to 96ba546 Compare March 9, 2026 01:07

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from 94aca0b to 980a66f Compare March 9, 2026 16:44

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 96ba546 to 19a12c9 Compare March 9, 2026 16:47

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from 980a66f to 026b5c1 Compare March 10, 2026 01:20

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 19a12c9 to 5b595c9 Compare March 10, 2026 01:22

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from 026b5c1 to b72a510 Compare March 10, 2026 18:57

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 5b595c9 to 3e44c7d Compare March 10, 2026 19:00

adding ci files

ebefa82

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from b72a510 to ebefa82 Compare March 11, 2026 01:10

florianl added 2 commits March 10, 2026 18:12

kernel-patches-daemon-bpf Bot force-pushed the series/1061570=>bpf-next branch from 3e44c7d to 9541385 Compare March 11, 2026 01:12

kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch from ebefa82 to 4b0d910 Compare March 11, 2026 16:38

kernel-patches-daemon-bpf Bot added changes-requested and removed new labels Mar 11, 2026

kernel-patches-daemon-bpf Bot closed this Mar 11, 2026

kernel-patches-daemon-bpf Bot deleted the series/1061570=>bpf-next branch March 13, 2026 16:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bpf: Add LINK_DETACH for perf links#11291

bpf: Add LINK_DETACH for perf links#11291
kernel-patches-daemon-bpf[bot] wants to merge 3 commits intobpf-next_basefrom
series/1061570=>bpf-next

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-review-bot Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 9, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 9, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 10, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 10, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 11, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-review-bot Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 4, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 5, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 9, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 9, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 10, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 10, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 11, 2026

Uh oh!

kernel-patches-daemon-bpf Bot commented Mar 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant