CVE-2025-37878

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/05/2025
Last modified: 09/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init

Move the get_ctx(child_ctx) call and the child_event->ctx assignment to occur immediately after the child event is allocated. Ensure that child_event->ctx is non-NULL before any subsequent error path within inherit_event calls free_event(), satisfying the assumptions of the cleanup code.

Details:

There's no clear Fixes tag, because this bug is a side-effect of multiple interacting commits over time (up to 15 years old), not a single regression.

The code initially incremented refcount then assigned context immediately after the child_event was created. Later, an early validity check for child_event was added before the refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was added, assuming event->ctx is valid if the pmu_ctx is valid. The problem is that the WARN_ON_ONCE() could trigger after the initial check passed but before child_event->ctx was assigned, violating its precondition. The solution is to assign child_event->ctx right after its initial validation. This ensures the context exists for any subsequent checks or cleanup routines, resolving the WARN_ON_ONCE().

To resolve it, defer the refcount update and child_event->ctx assignment directly after child_event->pmu_ctx is set but before checking if the parent event is orphaned. The cleanup routine depends on event->pmu_ctx being non-NULL before it verifies event->ctx is non-NULL. This also maintains the author's original intent of passing in child_ctx to find_get_pmu_context before its refcount/assignment.

[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]
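As an added illustration, not part of the advisory or of the kernel patch: a constructed C model of the ordering problem described above, in which the cleanup routine assumes ctx is valid whenever pmu_ctx is set. The names (event, ctx, pmu_ctx, inherit_event, free_event) are borrowed from the commit message for readability; the structures and the `fixed` switch are hypothetical and stand in for the real kernel code.

```c
/* Constructed, simplified model of the init-ordering bug in the commit message above.
 * Names echo the kernel's (event, ctx, pmu_ctx, inherit_event, free_event); NOT kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
struct ctx     { int refcount; };
struct pmu_ctx { int id; };
struct event   { struct ctx *ctx; struct pmu_ctx *pmu_ctx; };
static struct pmu_ctx model_pmu_ctx = { 1 }; /* stands in for find_get_pmu_context() */
static int warn_hits;                         /* counts WARN_ON_ONCE(!ctx) firings */

/* Cleanup: once pmu_ctx is set it assumes ctx is valid (the advisory's precondition). */
static void free_event(struct event *ev)
{
    if (ev->pmu_ctx && !ev->ctx) warn_hits++; /* WARN_ON_ONCE(!ctx) would fire here */
    if (ev->ctx) ev->ctx->refcount--;         /* put_ctx(): balances the earlier get_ctx() */
    free(ev);
}

/* Model of inherit_event(). fixed=true: get_ctx()/ctx assignment right after pmu_ctx
 * is set; fixed=false: only after the orphan check (buggy). NULL = error path taken. */
static struct event *inherit_event(struct ctx *child_ctx, bool orphaned, bool fixed)
{
    struct event *child_event = calloc(1, sizeof *child_event);
    if (!child_event) return NULL;
    child_event->pmu_ctx = &model_pmu_ctx;
    if (fixed) { child_ctx->refcount++; child_event->ctx = child_ctx; }
    if (orphaned) {                  /* early error path: cleanup on a partial object */
        free_event(child_event);
        return NULL;
    }
    if (!fixed) { child_ctx->refcount++; child_event->ctx = child_ctx; }
    return child_event;
}

/* Drives the orphaned-parent error path; returns warning count, stores final refcount. */
int warnings_on_error_path(bool fixed, int *refcount_after)
{
    struct ctx child_ctx = { .refcount = 1 };
    warn_hits = 0;
    struct event *ev = inherit_event(&child_ctx, true, fixed);
    if (ev) free_event(ev);          /* not reached with orphaned=true; kept for balance */
    *refcount_after = child_ctx.refcount;
    return warn_hits;
}

int main(void)
{
    int rc, w = warnings_on_error_path(false, &rc);
    printf("buggy ordering: %d warning(s), refcount %d\n", w, rc); /* 1 warning, refcount 1 */
    w = warnings_on_error_path(true, &rc);
    printf("fixed ordering: %d warning(s), refcount %d\n", w, rc); /* 0 warnings, refcount 1 */
    return 0;
}
```

The buggy ordering reaches the cleanup with pmu_ctx set and ctx still NULL, so the precondition check fires; the fixed ordering keeps ctx valid on every error path and leaves the refcount balanced.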

Impact