* [tip: perf/urgent] perf/core: Fix missing read event generation on task exit
2025-12-09 4:16 [PATCH v3 RESEND] perf/core: Fix missing read event generation on task exit Thaumy Cheng
@ 2025-12-09 9:23 ` tip-bot2 for Thaumy Cheng
2025-12-09 9:38 ` [PATCH v3 RESEND] " Peter Zijlstra
2025-12-09 11:24 ` [tip: perf/urgent] " tip-bot2 for Thaumy Cheng
2 siblings, 0 replies; 5+ messages in thread
From: tip-bot2 for Thaumy Cheng @ 2025-12-09 9:23 UTC (permalink / raw)
To: linux-tip-commits
Cc: Thaumy Cheng, Ingo Molnar, Adrian Hunter, Alexander Shishkin,
Arnaldo Carvalho de Melo, Ian Rogers, James Clark, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra, linux-perf-users, x86,
linux-kernel
The following commit has been merged into the perf/urgent branch of tip:
Commit-ID: 02a4984a359633d45b0926eb2a9c6d7bfb71b2e2
Gitweb: https://git.kernel.org/tip/02a4984a359633d45b0926eb2a9c6d7bfb71b2e2
Author: Thaumy Cheng <thaumy.love@gmail.com>
AuthorDate: Tue, 09 Dec 2025 12:16:00 +08:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Tue, 09 Dec 2025 09:57:45 +01:00
perf/core: Fix missing read event generation on task exit
For events with inherit_stat enabled, a "read" event will be generated
to collect per task event counts on task exit.
The call chain is as follows:
do_exit
-> perf_event_exit_task
-> perf_event_exit_task_context
-> perf_event_exit_event
-> perf_remove_from_context
-> perf_child_detach
-> sync_child_event
-> perf_event_read_event
However, the child event context detaches the task too early in
perf_event_exit_task_context, which causes sync_child_event to never
generate the read event in this case, since child_event->ctx->task is
always set to TASK_TOMBSTONE. Fix that by moving context lock section
backward to ensure ctx->task is not set to TASK_TOMBSTONE before
generating the read event.
Because perf_event_free_task calls perf_event_exit_task_context with
exit = false to tear down all child events from the context, and the
task never lived, accessing the task PID can lead to a use-after-free.
To fix that, let sync_child_event read task from argument and move the
call to the only place it should be triggered to avoid the effect of
setting ctx->task to TASK_TOMESTONE, and add a task parameter to
perf_event_exit_event to trigger the sync_child_event properly when
needed.
This bug can be reproduced by running "perf record -s" and attaching to
any program that generates perf events in its child tasks. If we check
the result with "perf report -T", the last line of the report will leave
an empty table like "# PID TID", which is expected to contain the
per-task event counts by design.
Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
Signed-off-by: Thaumy Cheng <thaumy.love@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-perf-users@vger.kernel.org
Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com
---
kernel/events/core.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index ece7168..47d5dc4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2317,7 +2317,8 @@ out:
perf_event__header_size(leader);
}
-static void sync_child_event(struct perf_event *child_event);
+static void sync_child_event(struct perf_event *child_event,
+ struct task_struct *task);
static void perf_child_detach(struct perf_event *event)
{
@@ -2337,7 +2338,6 @@ static void perf_child_detach(struct perf_event *event)
lockdep_assert_held(&parent_event->child_mutex);
*/
- sync_child_event(event);
list_del_init(&event->child_list);
}
@@ -4588,6 +4588,7 @@ out:
static void perf_remove_from_owner(struct perf_event *event);
static void perf_event_exit_event(struct perf_event *event,
struct perf_event_context *ctx,
+ struct task_struct *task,
bool revoke);
/*
@@ -4615,7 +4616,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx)
modified = true;
- perf_event_exit_event(event, ctx, false);
+ perf_event_exit_event(event, ctx, ctx->task, false);
}
raw_spin_lock_irqsave(&ctx->lock, flags);
@@ -12518,7 +12519,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event,
/*
* De-schedule the event and mark it REVOKED.
*/
- perf_event_exit_event(event, ctx, true);
+ perf_event_exit_event(event, ctx, ctx->task, true);
/*
* All _free_event() bits that rely on event->pmu:
@@ -14075,14 +14076,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
}
EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-static void sync_child_event(struct perf_event *child_event)
+static void sync_child_event(struct perf_event *child_event,
+ struct task_struct *task)
{
struct perf_event *parent_event = child_event->parent;
u64 child_val;
if (child_event->attr.inherit_stat) {
- struct task_struct *task = child_event->ctx->task;
-
if (task && task != TASK_TOMBSTONE)
perf_event_read_event(child_event, task);
}
@@ -14101,7 +14101,9 @@ static void sync_child_event(struct perf_event *child_event)
static void
perf_event_exit_event(struct perf_event *event,
- struct perf_event_context *ctx, bool revoke)
+ struct perf_event_context *ctx,
+ struct task_struct *task,
+ bool revoke)
{
struct perf_event *parent_event = event->parent;
unsigned long detach_flags = DETACH_EXIT;
@@ -14124,6 +14126,9 @@ perf_event_exit_event(struct perf_event *event,
mutex_lock(&parent_event->child_mutex);
/* PERF_ATTACH_ITRACE might be set concurrently */
attach_state = READ_ONCE(event->attach_state);
+
+ if (attach_state & PERF_ATTACH_CHILD)
+ sync_child_event(event, task);
}
if (revoke)
@@ -14215,7 +14220,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit)
perf_event_task(task, ctx, 0);
list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry)
- perf_event_exit_event(child_event, ctx, false);
+ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false);
mutex_unlock(&ctx->mutex);
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v3 RESEND] perf/core: Fix missing read event generation on task exit
2025-12-09 4:16 [PATCH v3 RESEND] perf/core: Fix missing read event generation on task exit Thaumy Cheng
2025-12-09 9:23 ` [tip: perf/urgent] " tip-bot2 for Thaumy Cheng
@ 2025-12-09 9:38 ` Peter Zijlstra
2025-12-09 11:23 ` Ingo Molnar
2025-12-09 11:24 ` [tip: perf/urgent] " tip-bot2 for Thaumy Cheng
2 siblings, 1 reply; 5+ messages in thread
From: Peter Zijlstra @ 2025-12-09 9:38 UTC (permalink / raw)
To: Thaumy Cheng
Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter,
James Clark, linux-perf-users, linux-kernel
On Tue, Dec 09, 2025 at 12:16:00PM +0800, Thaumy Cheng wrote:
> For events with inherit_stat enabled, a "read" event will be generated
> to collect per task event counts on task exit.
>
> The call chain is as follows:
>
> do_exit
> -> perf_event_exit_task
> -> perf_event_exit_task_context
> -> perf_event_exit_event
> -> perf_remove_from_context
> -> perf_child_detach
> -> sync_child_event
> -> perf_event_read_event
>
> However, the child event context detaches the task too early in
> perf_event_exit_task_context, which causes sync_child_event to never
> generate the read event in this case, since child_event->ctx->task is
> always set to TASK_TOMBSTONE. Fix that by moving context lock section
> backward to ensure ctx->task is not set to TASK_TOMBSTONE before
> generating the read event.
>
> Because perf_event_free_task calls perf_event_exit_task_context with
> exit = false to tear down all child events from the context, and the
> task never lived, accessing the task PID can lead to a use-after-free.
>
> To fix that, let sync_child_event read task from argument and move the
> call to the only place it should be triggered to avoid the effect of
> setting ctx->task to TASK_TOMESTONE, and add a task parameter to
> perf_event_exit_event to trigger the sync_child_event properly when
> needed.
>
> This bug can be reproduced by running "perf record -s" and attaching to
> any program that generates perf events in its child tasks. If we check
> the result with "perf report -T", the last line of the report will leave
> an empty table like "# PID TID", which is expected to contain the
> per-task event counts by design.
>
> Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
> Signed-off-by: Thaumy Cheng <thaumy.love@gmail.com>
> ---
> kernel/events/core.c | 23 ++++++++++++++---------
> 1 file changed, 14 insertions(+), 9 deletions(-)
>
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 177e57c1a362..618e7947c358 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -2316,7 +2316,8 @@ static void perf_group_detach(struct perf_event *event)
> perf_event__header_size(leader);
> }
>
> -static void sync_child_event(struct perf_event *child_event);
> +static void sync_child_event(struct perf_event *child_event,
> + struct task_struct *task);
This forward declaration can be entirely removed now.
Other than that, yes this seems fine. I see Ingo already picked up the
patch, thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v3 RESEND] perf/core: Fix missing read event generation on task exit
2025-12-09 9:38 ` [PATCH v3 RESEND] " Peter Zijlstra
@ 2025-12-09 11:23 ` Ingo Molnar
0 siblings, 0 replies; 5+ messages in thread
From: Ingo Molnar @ 2025-12-09 11:23 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Thaumy Cheng, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, linux-perf-users, linux-kernel
* Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > -static void sync_child_event(struct perf_event *child_event);
> > +static void sync_child_event(struct perf_event *child_event,
> > + struct task_struct *task);
>
> This forward declaration can be entirely removed now.
Indeed - I've applied the delta patch below.
>
> Other than that, yes this seems fine. I see Ingo already picked up the
> patch, thanks!
and I've added your Acked-by as well.
Thanks,
Ingo
================>
kernel/events/core.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 47d5dc4bf700..dad0d3d2e85f 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2317,9 +2317,6 @@ static void perf_group_detach(struct perf_event *event)
perf_event__header_size(leader);
}
-static void sync_child_event(struct perf_event *child_event,
- struct task_struct *task);
-
static void perf_child_detach(struct perf_event *event)
{
struct perf_event *parent_event = event->parent;
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [tip: perf/urgent] perf/core: Fix missing read event generation on task exit
2025-12-09 4:16 [PATCH v3 RESEND] perf/core: Fix missing read event generation on task exit Thaumy Cheng
2025-12-09 9:23 ` [tip: perf/urgent] " tip-bot2 for Thaumy Cheng
2025-12-09 9:38 ` [PATCH v3 RESEND] " Peter Zijlstra
@ 2025-12-09 11:24 ` tip-bot2 for Thaumy Cheng
2 siblings, 0 replies; 5+ messages in thread
From: tip-bot2 for Thaumy Cheng @ 2025-12-09 11:24 UTC (permalink / raw)
To: linux-tip-commits
Cc: Thaumy Cheng, Ingo Molnar, Peter Zijlstra, Adrian Hunter,
Alexander Shishkin, Arnaldo Carvalho de Melo, Ian Rogers,
James Clark, Jiri Olsa, Mark Rutland, Namhyung Kim,
linux-perf-users, x86, linux-kernel
The following commit has been merged into the perf/urgent branch of tip:
Commit-ID: c418d8b4d7a43a86b82ee39cb52ece3034383530
Gitweb: https://git.kernel.org/tip/c418d8b4d7a43a86b82ee39cb52ece3034383530
Author: Thaumy Cheng <thaumy.love@gmail.com>
AuthorDate: Tue, 09 Dec 2025 12:16:00 +08:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Tue, 09 Dec 2025 12:22:25 +01:00
perf/core: Fix missing read event generation on task exit
For events with inherit_stat enabled, a "read" event will be generated
to collect per task event counts on task exit.
The call chain is as follows:
do_exit
-> perf_event_exit_task
-> perf_event_exit_task_context
-> perf_event_exit_event
-> perf_remove_from_context
-> perf_child_detach
-> sync_child_event
-> perf_event_read_event
However, the child event context detaches the task too early in
perf_event_exit_task_context, which causes sync_child_event to never
generate the read event in this case, since child_event->ctx->task is
always set to TASK_TOMBSTONE. Fix that by moving context lock section
backward to ensure ctx->task is not set to TASK_TOMBSTONE before
generating the read event.
Because perf_event_free_task calls perf_event_exit_task_context with
exit = false to tear down all child events from the context, and the
task never lived, accessing the task PID can lead to a use-after-free.
To fix that, let sync_child_event read task from argument and move the
call to the only place it should be triggered to avoid the effect of
setting ctx->task to TASK_TOMESTONE, and add a task parameter to
perf_event_exit_event to trigger the sync_child_event properly when
needed.
This bug can be reproduced by running "perf record -s" and attaching to
any program that generates perf events in its child tasks. If we check
the result with "perf report -T", the last line of the report will leave
an empty table like "# PID TID", which is expected to contain the
per-task event counts by design.
Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
Signed-off-by: Thaumy Cheng <thaumy.love@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com
---
kernel/events/core.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index ece7168..dad0d3d 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2317,8 +2317,6 @@ out:
perf_event__header_size(leader);
}
-static void sync_child_event(struct perf_event *child_event);
-
static void perf_child_detach(struct perf_event *event)
{
struct perf_event *parent_event = event->parent;
@@ -2337,7 +2335,6 @@ static void perf_child_detach(struct perf_event *event)
lockdep_assert_held(&parent_event->child_mutex);
*/
- sync_child_event(event);
list_del_init(&event->child_list);
}
@@ -4588,6 +4585,7 @@ out:
static void perf_remove_from_owner(struct perf_event *event);
static void perf_event_exit_event(struct perf_event *event,
struct perf_event_context *ctx,
+ struct task_struct *task,
bool revoke);
/*
@@ -4615,7 +4613,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx)
modified = true;
- perf_event_exit_event(event, ctx, false);
+ perf_event_exit_event(event, ctx, ctx->task, false);
}
raw_spin_lock_irqsave(&ctx->lock, flags);
@@ -12518,7 +12516,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event,
/*
* De-schedule the event and mark it REVOKED.
*/
- perf_event_exit_event(event, ctx, true);
+ perf_event_exit_event(event, ctx, ctx->task, true);
/*
* All _free_event() bits that rely on event->pmu:
@@ -14075,14 +14073,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
}
EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-static void sync_child_event(struct perf_event *child_event)
+static void sync_child_event(struct perf_event *child_event,
+ struct task_struct *task)
{
struct perf_event *parent_event = child_event->parent;
u64 child_val;
if (child_event->attr.inherit_stat) {
- struct task_struct *task = child_event->ctx->task;
-
if (task && task != TASK_TOMBSTONE)
perf_event_read_event(child_event, task);
}
@@ -14101,7 +14098,9 @@ static void sync_child_event(struct perf_event *child_event)
static void
perf_event_exit_event(struct perf_event *event,
- struct perf_event_context *ctx, bool revoke)
+ struct perf_event_context *ctx,
+ struct task_struct *task,
+ bool revoke)
{
struct perf_event *parent_event = event->parent;
unsigned long detach_flags = DETACH_EXIT;
@@ -14124,6 +14123,9 @@ perf_event_exit_event(struct perf_event *event,
mutex_lock(&parent_event->child_mutex);
/* PERF_ATTACH_ITRACE might be set concurrently */
attach_state = READ_ONCE(event->attach_state);
+
+ if (attach_state & PERF_ATTACH_CHILD)
+ sync_child_event(event, task);
}
if (revoke)
@@ -14215,7 +14217,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit)
perf_event_task(task, ctx, 0);
list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry)
- perf_event_exit_event(child_event, ctx, false);
+ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false);
mutex_unlock(&ctx->mutex);
^ permalink raw reply related [flat|nested] 5+ messages in thread