CVE-2025-37878

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix WARN_ON(!ctx) in _freeevent() for partial init

Move the getctx(childctx) call and the childevent->ctx assignment to occur immediately after the child event is allocated. Ensure that childevent->ctx is non-NULL before any subsequent error path within inheritevent calls freeevent(), satisfying the assumptions of the cleanup code.

Details:

There's no clear Fixes tag, because this bug is a side-effect of multiple interacting commits over time (up to 15 years old), not a single regression.

The code initially incremented refcount then assigned context immediately after the childevent was created. Later, an early validity check for childevent was added before the refcount/assignment. Even later, a WARNONONCE() cleanup check was added, assuming event->ctx is valid if the pmuctx is valid. The problem is that the WARNONONCE() could trigger after the initial check passed but before childevent->ctx was assigned, violating its precondition. The solution is to assign childevent->ctx right after its initial validation. This ensures the context exists for any subsequent checks or cleanup routines, resolving the WARNON_ONCE().

To resolve it, defer the refcount update and childevent->ctx assignment directly after childevent->pmuctx is set but before checking if the parent event is orphaned. The cleanup routine depends on event->pmuctx being non-NULL before it verifies event->ctx is non-NULL. This also maintains the author's original intent of passing in childctx to findgetpmucontext before its refcount/assignment.

[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]