From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
[ Upstream commit 3da6bb419750f3ad834786d6ba7c9d5d062c770b ]
Since exit_task_work() runs after perf_event_exit_task_context() updated ctx->task to TASK_TOMBSTONE, perf_sigtrap() from perf_pending_task() might observe event->ctx->task == TASK_TOMBSTONE.
Swap the early exit tests in order not to hit WARN_ON_ONCE().
Closes: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985 Reported-by: syzbot syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Link: https://lkml.kernel.org/r/b1c224bd-97f9-462c-a3e3-125d5e19c983@I-love.SAKURA... Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Based on my analysis of the commit, let me provide my assessment:
**YES**
This commit should be backported to stable kernel trees for the following reasons:
1. **It fixes a real bug with user-visible impact**: The commit fixes a WARN_ON_ONCE() that fires in perf_sigtrap() when the system hits a specific race condition. This WARN causes kernel log spam and indicates an unexpected state that shouldn't occur.
2. **The fix is small and contained**: The change is minimal - it simply reorders two early exit checks in perf_sigtrap(): - Before: Check `event->ctx->task != current` first, then check `PF_EXITING` - After: Check `PF_EXITING` first, then check `event->ctx->task != current`
3. **Clear race condition**: The commit message explains the race: exit_task_work() runs after perf_event_exit_task_context() has updated ctx->task to TASK_TOMBSTONE. When perf_sigtrap() is called from perf_pending_task() during this window, it observes event->ctx->task == TASK_TOMBSTONE, which doesn't match current, triggering the WARN.
4. **Low risk of regression**: The fix simply reorders existing checks without changing functionality. If the task is exiting (PF_EXITING is set), we return early regardless. The reordering just prevents the WARN from firing in this legitimate exit scenario.
5. **Fixes a reproducible issue**: The commit references a specific syzbot report (https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985), indicating this is a real issue that can be triggered, not just theoretical.
6. **Follows stable tree rules**: This is an important bugfix (prevents kernel warnings), has minimal risk, and doesn't introduce new features or make architectural changes.
The fix is appropriate because during task exit, it's expected that ctx->task might be TASK_TOMBSTONE while the task is still cleaning up its work items. By checking PF_EXITING first, we properly handle the legitimate exit case without triggering false warnings.
kernel/events/core.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c index 2761db0365ddc..c3ad15247009a 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -6571,18 +6571,18 @@ void perf_event_wakeup(struct perf_event *event) static void perf_sigtrap(struct perf_event *event) { /* - * We'd expect this to only occur if the irq_work is delayed and either - * ctx->task or current has changed in the meantime. This can be the - * case on architectures that do not implement arch_irq_work_raise(). + * Both perf_pending_task() and perf_pending_irq() can race with the + * task exiting. */ - if (WARN_ON_ONCE(event->ctx->task != current)) + if (current->flags & PF_EXITING) return;
/* - * Both perf_pending_task() and perf_pending_irq() can race with the - * task exiting. + * We'd expect this to only occur if the irq_work is delayed and either + * ctx->task or current has changed in the meantime. This can be the + * case on architectures that do not implement arch_irq_work_raise(). */ - if (current->flags & PF_EXITING) + if (WARN_ON_ONCE(event->ctx->task != current)) return;
send_sig_perf((void __user *)event->pending_addr,