[syzbot] [perf?] WARNING in perf_pending_task

[syzbot] [perf?] WARNING in perf_pending_task

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    b67ec639010f Merge tag 'i2c-for-6.16-rc3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17715b0c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d11f52d3049c3790
dashboard link: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f15b0c580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1692ab0c580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b67ec639.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3bcb2b262d02/vmlinux-b67ec639.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f5d4477f1e2e/bzImage-b67ec639.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5309 at kernel/events/core.c:7211 perf_sigtrap kernel/events/core.c:7211 [inline]
WARNING: CPU: 0 PID: 5309 at kernel/events/core.c:7211 perf_pending_task+0x319/0x400 kernel/events/core.c:7325
Modules linked in:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor122 Not tainted 6.16.0-rc2-syzkaller-00378-gb67ec639010f #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:perf_sigtrap kernel/events/core.c:7211 [inline]
RIP: 0010:perf_pending_task+0x319/0x400 kernel/events/core.c:7325
Code: 85 8f 00 00 00 41 fe 4d 00 eb 05 e8 21 4f cd ff 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 4e 34 76 09 cc e8 08 4f cd ff 90 <0f> 0b 90 41 80 3c 1c 00 0f 85 02 ff ff ff e9 05 ff ff ff 44 89 e1
RSP: 0018:ffffc9000d41f9d0 EFLAGS: 00010293
RAX: ffffffff81f2fe18 RBX: dffffc0000000000 RCX: ffff888032cbc880
RDX: 0000000000000000 RSI: 0000000074971a36 RDI: 0000000000000000
RBP: 0000000074971a36 R08: ffffffff8fa10af7 R09: 1ffffffff1f4215e
R10: dffffc0000000000 R11: ffffffff81f2fb00 R12: 1ffff110035f390f
R13: ffff888032cbc880 R14: ffff88801af9cad8 R15: ffff88801af9c878
FS:  0000000000000000(0000) GS:ffff88808d251000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000018 CR3: 000000000df38000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x22e0 kernel/exit.c:964
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1105
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:111
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9ae420dab9
Code: Unable to access opcode bytes at 0x7f9ae420da8f.
RSP: 002b:00007ffd20a313c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 00007f9ae420dab9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007f9ae42805f0 R08: 0000000000000000 R09: 0000000000000006
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [perf?] WARNING in perf_pending_task

[Tetsuo Handa]

Hello.

I think that the cause of this problem is commit 4f6fc7821283 ("perf: Fix sample vs do_exit()"), for
syzbot found this problem in 5.15.186 and 6.1.142 where that was the only commit in kernel/events/ area
which has been backported between v5.15.185...v5.15.186 and v6.1.141...v6.1.142 .

Please have a look on this change. Maybe we need to swap WARN_ON_ONCE() and PF_EXITING checks?

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 1f746469fda5..5a3a1331311f 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7204,18 +7204,18 @@ void perf_event_wakeup(struct perf_event *event)
 static void perf_sigtrap(struct perf_event *event)
 {
 	/*
-	 * We'd expect this to only occur if the irq_work is delayed and either
-	 * ctx->task or current has changed in the meantime. This can be the
-	 * case on architectures that do not implement arch_irq_work_raise().
+	 * Both perf_pending_task() and perf_pending_irq() can race with the
+	 * task exiting.
 	 */
-	if (WARN_ON_ONCE(event->ctx->task != current))
+	if (current->flags & PF_EXITING)
 		return;
 
 	/*
-	 * Both perf_pending_task() and perf_pending_irq() can race with the
-	 * task exiting.
+	 * We'd expect this to only occur if the irq_work is delayed and either
+	 * ctx->task or current has changed in the meantime. This can be the
+	 * case on architectures that do not implement arch_irq_work_raise().
 	 */
-	if (current->flags & PF_EXITING)
+	if (WARN_ON_ONCE(event->ctx->task != current))
 		return;
 
 	send_sig_perf((void __user *)event->pending_addr,

On 2025/06/25 4:01, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    b67ec639010f Merge tag 'i2c-for-6.16-rc3' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17715b0c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d11f52d3049c3790
> dashboard link: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f15b0c580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1692ab0c580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b67ec639.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3bcb2b262d02/vmlinux-b67ec639.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/f5d4477f1e2e/bzImage-b67ec639.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com

[PATCH] perf/core: Fix WARN in perf_sigtrap()

[Tetsuo Handa]

Since commit 4f6fc7821283 ("perf: Fix sample vs do_exit()") has moved
perf_event_exit_task() call from after exit_task_work() to before
exit_task_work(), task_work_add() from perf_event_exit_task() now returns
0 than -ESRCH, despite perf_event_exit_task_context() updates ctx->task
to TASK_TOMBSTONE. As a result, event->ctx->task == current assumption
no longer holds.

Reported-by: syzbot <syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
Fixes: 4f6fc7821283 ("perf: Fix sample vs do_exit()")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
#syz test

 kernel/events/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 7281230044d0..489f42defe3c 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7208,7 +7208,8 @@ static void perf_sigtrap(struct perf_event *event)
 	 * ctx->task or current has changed in the meantime. This can be the
 	 * case on architectures that do not implement arch_irq_work_raise().
 	 */
-	if (WARN_ON_ONCE(event->ctx->task != current))
+	if (WARN_ON_ONCE(event->ctx->task != current &&
+			 event->ctx->task != TASK_TOMBSTONE))
 		return;
 
 	/*
-- 
2.50.0

Re: [syzbot] [perf?] WARNING in perf_pending_task

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com
Tested-by: syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com

Tested on:

commit:         a79a588f Merge tag 'pm-6.16-rc5' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13691c8c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a6dba31fc9bb876c
dashboard link: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=157a2582580000

Note: testing is done by a robot and is best-effort only.

Re: [PATCH] perf/core: Fix WARN in perf_sigtrap()

[Peter Zijlstra]

On Sat, Jul 05, 2025 at 11:43:37PM +0900, Tetsuo Handa wrote:
> Since commit 4f6fc7821283 ("perf: Fix sample vs do_exit()") has moved
> perf_event_exit_task() call from after exit_task_work() to before
> exit_task_work(), 

> task_work_add() from perf_event_exit_task() now returns

There is no task_work_add() in perf_event_exit_task().

> 0 than -ESRCH, despite perf_event_exit_task_context() updates ctx->task
> to TASK_TOMBSTONE. As a result, event->ctx->task == current assumption
> no longer holds.

This changelog is confusing to the point that I've no idea what it is
trying to tell me.


Did you mean to say something like:

Because exit_task_work() now runs after perf_event_exit_task(), it is
possible for an already queued perf_pending_task()->perf_sigtrap() to
observe a dead task context.

> Reported-by: syzbot <syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
> Fixes: 4f6fc7821283 ("perf: Fix sample vs do_exit()")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> #syz test
> 
>  kernel/events/core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 7281230044d0..489f42defe3c 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -7208,7 +7208,8 @@ static void perf_sigtrap(struct perf_event *event)
>  	 * ctx->task or current has changed in the meantime. This can be the
>  	 * case on architectures that do not implement arch_irq_work_raise().
>  	 */
> -	if (WARN_ON_ONCE(event->ctx->task != current))
> +	if (WARN_ON_ONCE(event->ctx->task != current &&
> +			 event->ctx->task != TASK_TOMBSTONE))
>  		return;
>  

Also, isn't it better to simply swap the early exit tests in that
function like so:


diff --git a/kernel/events/core.c b/kernel/events/core.c
index 0db36b2b2448..22fdf0c187cd 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7203,6 +7203,13 @@ void perf_event_wakeup(struct perf_event *event)
 
 static void perf_sigtrap(struct perf_event *event)
 {
+	/*
+	 * Both perf_pending_task() and perf_pending_irq() can race with the
+	 * task exiting.
+	 */
+	if (current->flags & PF_EXITING)
+		return;
+
 	/*
 	 * We'd expect this to only occur if the irq_work is delayed and either
 	 * ctx->task or current has changed in the meantime. This can be the
@@ -7211,13 +7218,6 @@ static void perf_sigtrap(struct perf_event *event)
 	if (WARN_ON_ONCE(event->ctx->task != current))
 		return;
 
-	/*
-	 * Both perf_pending_task() and perf_pending_irq() can race with the
-	 * task exiting.
-	 */
-	if (current->flags & PF_EXITING)
-		return;
-
 	send_sig_perf((void __user *)event->pending_addr,
 		      event->orig_type, event->attr.sig_data);
 }

Re: [PATCH] perf/core: Fix WARN in perf_sigtrap()

[Tetsuo Handa]

On 2025/07/09 18:44, Peter Zijlstra wrote:
> On Sat, Jul 05, 2025 at 11:43:37PM +0900, Tetsuo Handa wrote:
>> Since commit 4f6fc7821283 ("perf: Fix sample vs do_exit()") has moved
>> perf_event_exit_task() call from after exit_task_work() to before
>> exit_task_work(), 
> 
>> task_work_add() from perf_event_exit_task() now returns
> 
> There is no task_work_add() in perf_event_exit_task().

Since the function which triggers BUG_ON() is perf_sigtrap(), I guessed
that the location that queued the task work is task_work_add() in
__perf_event_overflow(). But since testing again with

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10324,6 +10324,7 @@ static int __perf_event_overflow(struct perf_event *event,
 
                if (!event->pending_work &&
                    !task_work_add(current, &event->pending_task, notify_mode)) {
+                       BUG_ON(event->ctx && event->ctx->task == TASK_TOMBSTONE);
                        event->pending_work = pending_id;
                        local_inc(&event->ctx->nr_no_switch_fast);
                        WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));

did not trigger, it seems that __perf_event_overflow() is not called from
perf_event_exit_task() path.



> Did you mean to say something like:
> 
> Because exit_task_work() now runs after perf_event_exit_task(), it is
> possible for an already queued perf_pending_task()->perf_sigtrap() to
> observe a dead task context.

Yes.



> Also, isn't it better to simply swap the early exit tests in that
> function like so:

Yes, that will be OK if you prefer it
( https://lkml.kernel.org/r/ed888189-dad4-47e1-bfc8-4f2213eda32d@I-love.SAKURA.ne.jp ).

[PATCH v2] perf/core: Fix WARN in perf_sigtrap()

[Tetsuo Handa]

Since exit_task_work() runs after perf_event_exit_task_context() updated
ctx->task to TASK_TOMBSTONE, perf_sigtrap() from perf_pending_task() might
observe event->ctx->task == TASK_TOMBSTONE.

Swap the early exit tests in order not to hit WARN_ON_ONCE().

Reported-by: syzbot <syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 kernel/events/core.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 0db36b2b2448..22fdf0c187cd 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7204,18 +7204,18 @@ void perf_event_wakeup(struct perf_event *event)
 static void perf_sigtrap(struct perf_event *event)
 {
 	/*
-	 * We'd expect this to only occur if the irq_work is delayed and either
-	 * ctx->task or current has changed in the meantime. This can be the
-	 * case on architectures that do not implement arch_irq_work_raise().
+	 * Both perf_pending_task() and perf_pending_irq() can race with the
+	 * task exiting.
 	 */
-	if (WARN_ON_ONCE(event->ctx->task != current))
+	if (current->flags & PF_EXITING)
 		return;
 
 	/*
-	 * Both perf_pending_task() and perf_pending_irq() can race with the
-	 * task exiting.
+	 * We'd expect this to only occur if the irq_work is delayed and either
+	 * ctx->task or current has changed in the meantime. This can be the
+	 * case on architectures that do not implement arch_irq_work_raise().
 	 */
-	if (current->flags & PF_EXITING)
+	if (WARN_ON_ONCE(event->ctx->task != current))
 		return;
 
 	send_sig_perf((void __user *)event->pending_addr,
-- 
2.47.1

[tip: perf/urgent] perf/core: Fix WARN in perf_sigtrap()

[tip-bot2 for Tetsuo Handa]

The following commit has been merged into the perf/urgent branch of tip:

Commit-ID:     3da6bb419750f3ad834786d6ba7c9d5d062c770b
Gitweb:        https://git.kernel.org/tip/3da6bb419750f3ad834786d6ba7c9d5d062c770b
Author:        Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
AuthorDate:    Wed, 09 Jul 2025 20:27:52 +09:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Wed, 09 Jul 2025 13:40:17 +02:00

perf/core: Fix WARN in perf_sigtrap()

Since exit_task_work() runs after perf_event_exit_task_context() updated
ctx->task to TASK_TOMBSTONE, perf_sigtrap() from perf_pending_task() might
observe event->ctx->task == TASK_TOMBSTONE.

Swap the early exit tests in order not to hit WARN_ON_ONCE().

Closes: https://syzkaller.appspot.com/bug?extid=2fe61cb2a86066be6985
Reported-by: syzbot <syzbot+2fe61cb2a86066be6985@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/b1c224bd-97f9-462c-a3e3-125d5e19c983@I-love.SAKURA.ne.jp
---
 kernel/events/core.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 0db36b2..22fdf0c 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7204,18 +7204,18 @@ void perf_event_wakeup(struct perf_event *event)
 static void perf_sigtrap(struct perf_event *event)
 {
 	/*
-	 * We'd expect this to only occur if the irq_work is delayed and either
-	 * ctx->task or current has changed in the meantime. This can be the
-	 * case on architectures that do not implement arch_irq_work_raise().
+	 * Both perf_pending_task() and perf_pending_irq() can race with the
+	 * task exiting.
 	 */
-	if (WARN_ON_ONCE(event->ctx->task != current))
+	if (current->flags & PF_EXITING)
 		return;
 
 	/*
-	 * Both perf_pending_task() and perf_pending_irq() can race with the
-	 * task exiting.
+	 * We'd expect this to only occur if the irq_work is delayed and either
+	 * ctx->task or current has changed in the meantime. This can be the
+	 * case on architectures that do not implement arch_irq_work_raise().
 	 */
-	if (current->flags & PF_EXITING)
+	if (WARN_ON_ONCE(event->ctx->task != current))
 		return;
 
 	send_sig_perf((void __user *)event->pending_addr,