stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx")

All of lore.kernel.org
 help / color / mirror / Atom feed

* stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx")
@ 2026-05-28  0:25 Ian Klatzco
  2026-05-28  7:31 ` Greg KH
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Ian Klatzco @ 2026-05-28  0:25 UTC (permalink / raw)
  To: stable, yeoreum.yun; +Cc: gregkh, sashal, peterz, linux-kernel

Hi all,

linux-6.12.y has the regression commit e9c928807239 ("perf/core: Fix
child_total_time_enabled accounting bug at task exit", backport of
mainline a3c3c6667) but is missing the follow-up fix commit 3b7a34aebbdf
("perf: Fix dangling cgroup pointer in cpuctx", Yeoreum Yun, mainline
v6.16-rc).

The following branches are impacted:

  linux-6.6.y
  linux-6.12.y
  linux-6.13.y
  linux-6.14.y
  linux-6.15.y

The regression silently bypasses perf_cgroup_event_disable() on the
event-removal path when the event is non-ACTIVE at close time, leaving
cpuctx->cgrp dangling at a soon-to-be-freed perf_cgroup struct.  See
3b7a34aebbdf's commit message for the precise description.

The minimum viable patch is as follows:

    @@ in __perf_remove_from_context, after event_sched_out(...):
    +    if (event->state > PERF_EVENT_STATE_OFF)
    +        perf_cgroup_event_disable(event, ctx);
    +

I can prepare per-branch backports if useful; please let me know.

 - Ian Klatzco

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx")
  2026-05-28  0:25 stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Ian Klatzco
@ 2026-05-28  7:31 ` Greg KH
  2026-05-29  6:06 ` [PATCH 6.12.y] perf: Fix dangling cgroup pointer in cpuctx Ian Klatzco
  2026-06-03 15:14 ` stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Sasha Levin
  2 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2026-05-28  7:31 UTC (permalink / raw)
  To: Ian Klatzco; +Cc: stable, yeoreum.yun, sashal, peterz, linux-kernel

On Wed, May 27, 2026 at 05:25:13PM -0700, Ian Klatzco wrote:
> Hi all,
> 
> linux-6.12.y has the regression commit e9c928807239 ("perf/core: Fix
> child_total_time_enabled accounting bug at task exit", backport of
> mainline a3c3c6667) but is missing the follow-up fix commit 3b7a34aebbdf
> ("perf: Fix dangling cgroup pointer in cpuctx", Yeoreum Yun, mainline
> v6.16-rc).
> 
> The following branches are impacted:
> 
>   linux-6.6.y
>   linux-6.12.y
>   linux-6.13.y
>   linux-6.14.y
>   linux-6.15.y
> 
> The regression silently bypasses perf_cgroup_event_disable() on the
> event-removal path when the event is non-ACTIVE at close time, leaving
> cpuctx->cgrp dangling at a soon-to-be-freed perf_cgroup struct.  See
> 3b7a34aebbdf's commit message for the precise description.
> 
> The minimum viable patch is as follows:
> 
>     @@ in __perf_remove_from_context, after event_sched_out(...):
>     +    if (event->state > PERF_EVENT_STATE_OFF)
>     +        perf_cgroup_event_disable(event, ctx);
>     +
> 
> I can prepare per-branch backports if useful; please let me know.

Please send backports for the trees we currently support (as listed on
the front page of kernel.org).

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 6.12.y] perf: Fix dangling cgroup pointer in cpuctx
  2026-05-28  0:25 stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Ian Klatzco
  2026-05-28  7:31 ` Greg KH
@ 2026-05-29  6:06 ` Ian Klatzco
  2026-05-29  6:06   ` [PATCH 6.6.y] " Ian Klatzco
  2026-06-03 15:14 ` stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Sasha Levin
  2 siblings, 1 reply; 5+ messages in thread
From: Ian Klatzco @ 2026-05-29  6:06 UTC (permalink / raw)
  To: stable; +Cc: gregkh, sashal, peterz, yeoreum.yun, David Wang, Ian Klatzco

From: Yeoreum Yun <yeoreum.yun@arm.com>

[ Upstream commit 3b7a34aebbdf2a4b7295205bf0c654294283ec82 ]

Commit a3c3c6667("perf/core: Fix child_total_time_enabled accounting
bug at task exit") moves the event->state update to before
list_del_event(). This makes the event->state test in list_del_event()
always false; never calling perf_cgroup_event_disable().

As a result, cpuctx->cgrp won't be cleared properly; causing havoc.

Fixes: a3c3c6667("perf/core: Fix child_total_time_enabled accounting bug at task exit")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: David Wang <00107082@163.com>
Link: https://lore.kernel.org/all/aD2TspKH%2F7yvfYoO@e129823.arm.com/
Signed-off-by: Ian Klatzco <iklatzco@gmail.com>
---
 kernel/events/core.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 6fce2bac6dae..9099c0cc933b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2096,18 +2096,6 @@ list_del_event(struct perf_event *event, struct perf_event_context *ctx)
 	if (event->group_leader == event)
 		del_event_from_groups(event, ctx);
 
-	/*
-	 * If event was in error state, then keep it
-	 * that way, otherwise bogus counts will be
-	 * returned on read(). The only way to get out
-	 * of error state is by explicit re-enabling
-	 * of the event
-	 */
-	if (event->state > PERF_EVENT_STATE_OFF) {
-		perf_cgroup_event_disable(event, ctx);
-		perf_event_set_state(event, PERF_EVENT_STATE_OFF);
-	}
-
 	ctx->generation++;
 	event->pmu_ctx->nr_events--;
 }
@@ -2457,6 +2445,10 @@ __perf_remove_from_context(struct perf_event *event,
 		state = PERF_EVENT_STATE_DEAD;
 	}
 	event_sched_out(event, ctx);
+
+	if (event->state > PERF_EVENT_STATE_OFF)
+		perf_cgroup_event_disable(event, ctx);
+
 	perf_event_set_state(event, min(event->state, state));
 	if (flags & DETACH_GROUP)
 		perf_group_detach(event);
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 6.6.y] perf: Fix dangling cgroup pointer in cpuctx
  2026-05-29  6:06 ` [PATCH 6.12.y] perf: Fix dangling cgroup pointer in cpuctx Ian Klatzco
@ 2026-05-29  6:06   ` Ian Klatzco
  0 siblings, 0 replies; 5+ messages in thread
From: Ian Klatzco @ 2026-05-29  6:06 UTC (permalink / raw)
  To: stable; +Cc: gregkh, sashal, peterz, yeoreum.yun, David Wang, Ian Klatzco

From: Yeoreum Yun <yeoreum.yun@arm.com>

[ Upstream commit 3b7a34aebbdf2a4b7295205bf0c654294283ec82 ]

Commit a3c3c6667("perf/core: Fix child_total_time_enabled accounting
bug at task exit") moves the event->state update to before
list_del_event(). This makes the event->state test in list_del_event()
always false; never calling perf_cgroup_event_disable().

As a result, cpuctx->cgrp won't be cleared properly; causing havoc.

Fixes: a3c3c6667("perf/core: Fix child_total_time_enabled accounting bug at task exit")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: David Wang <00107082@163.com>
Link: https://lore.kernel.org/all/aD2TspKH%2F7yvfYoO@e129823.arm.com/
Signed-off-by: Ian Klatzco <iklatzco@gmail.com>
---
 kernel/events/core.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index eba5eb6fcb87..a4187dea6402 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2056,18 +2056,6 @@ list_del_event(struct perf_event *event, struct perf_event_context *ctx)
 	if (event->group_leader == event)
 		del_event_from_groups(event, ctx);
 
-	/*
-	 * If event was in error state, then keep it
-	 * that way, otherwise bogus counts will be
-	 * returned on read(). The only way to get out
-	 * of error state is by explicit re-enabling
-	 * of the event
-	 */
-	if (event->state > PERF_EVENT_STATE_OFF) {
-		perf_cgroup_event_disable(event, ctx);
-		perf_event_set_state(event, PERF_EVENT_STATE_OFF);
-	}
-
 	ctx->generation++;
 	event->pmu_ctx->nr_events--;
 }
@@ -2401,6 +2389,10 @@ __perf_remove_from_context(struct perf_event *event,
 		state = PERF_EVENT_STATE_DEAD;
 	}
 	event_sched_out(event, ctx);
+
+	if (event->state > PERF_EVENT_STATE_OFF)
+		perf_cgroup_event_disable(event, ctx);
+
 	perf_event_set_state(event, min(event->state, state));
 	if (flags & DETACH_GROUP)
 		perf_group_detach(event);
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx")
  2026-05-28  0:25 stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Ian Klatzco
  2026-05-28  7:31 ` Greg KH
  2026-05-29  6:06 ` [PATCH 6.12.y] perf: Fix dangling cgroup pointer in cpuctx Ian Klatzco
@ 2026-06-03 15:14 ` Sasha Levin
  2 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2026-06-03 15:14 UTC (permalink / raw)
  To: stable, yeoreum.yun
  Cc: Sasha Levin, gregkh, peterz, linux-kernel, Ian Klatzco

Queued for 6.6.y and 6.12.y, thanks.

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-06-03 15:14 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-28  0:25 stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Ian Klatzco
2026-05-28  7:31 ` Greg KH
2026-05-29  6:06 ` [PATCH 6.12.y] perf: Fix dangling cgroup pointer in cpuctx Ian Klatzco
2026-05-29  6:06   ` [PATCH 6.6.y] " Ian Klatzco
2026-06-03 15:14 ` stable: please backport 3b7a34aebbdf to 6.{6,12,13,14,15}.y ("perf: Fix dangling cgroup pointer in cpuctx") Sasha Levin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.