From c278eb170de8c020be0e2258607c42af2eaf9983 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 23 Apr 2025 16:16:48 +0200
Subject: [PATCH] drop queue-5.10/perf-fix-perf_pending_task-uaf.patch

Follow-on fixes were also not provided.
---
 .../perf-fix-perf_pending_task-uaf.patch      | 100 ------------------
 1 file changed, 100 deletions(-)
 delete mode 100644 queue-5.10/perf-fix-perf_pending_task-uaf.patch

diff --git a/queue-5.10/perf-fix-perf_pending_task-uaf.patch b/queue-5.10/perf-fix-perf_pending_task-uaf.patch
deleted file mode 100644
index e9417b1ee5..0000000000
--- a/queue-5.10/perf-fix-perf_pending_task-uaf.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 517e6a301f34613bff24a8e35b5455884f2d83d8 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Thu, 24 Nov 2022 12:49:12 +0100
-Subject: perf: Fix perf_pending_task() UaF
-
-From: Peter Zijlstra <peterz@infradead.org>
-
-commit 517e6a301f34613bff24a8e35b5455884f2d83d8 upstream.
-
-Per syzbot it is possible for perf_pending_task() to run after the
-event is free()'d. There are two related but distinct cases:
-
- - the task_work was already queued before destroying the event;
- - destroying the event itself queues the task_work.
-
-The first cannot be solved using task_work_cancel() since
-perf_release() itself might be called from a task_work (____fput),
-which means the current->task_works list is already empty and
-task_work_cancel() won't be able to find the perf_pending_task()
-entry.
-
-The simplest alternative is extending the perf_event lifetime to cover
-the task_work.
-
-The second is just silly, queueing a task_work while you know the
-event is going away makes no sense and is easily avoided by
-re-arranging how the event is marked STATE_DEAD and ensuring it goes
-through STATE_OFF on the way down.
-
-Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Tested-by: Marco Elver <elver@google.com>
-[ Discard the changes in event_sched_out() due to 5.10 don't have the
-  commit: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
-  and commit: ca6c21327c6a ("perf: Fix missing SIGTRAPs") ]
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
-Signed-off-by: He Zhe <zhe.he@windriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/events/core.c |   16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -2419,6 +2419,7 @@ group_sched_out(struct perf_event *group
- }
- 
- #define DETACH_GROUP	0x01UL
-+#define DETACH_DEAD	0x04UL
- 
- /*
-  * Cross CPU call to remove a performance event
-@@ -2439,10 +2440,18 @@ __perf_remove_from_context(struct perf_e
- 		update_cgrp_time_from_cpuctx(cpuctx, false);
- 	}
- 
-+	/*
-+	 * Ensure event_sched_out() switches to OFF, at the very least
-+	 * this avoids raising perf_pending_task() at this time.
-+	 */
-+	if (flags & DETACH_DEAD)
-+		event->pending_disable = 1;
- 	event_sched_out(event, cpuctx, ctx);
- 	if (flags & DETACH_GROUP)
- 		perf_group_detach(event);
- 	list_del_event(event, ctx);
-+	if (flags & DETACH_DEAD)
-+		event->state = PERF_EVENT_STATE_DEAD;
- 
- 	if (!ctx->nr_events && ctx->is_active) {
- 		if (ctx == &cpuctx->ctx)
-@@ -5111,9 +5120,7 @@ int perf_event_release_kernel(struct per
- 
- 	ctx = perf_event_ctx_lock(event);
- 	WARN_ON_ONCE(ctx->parent_ctx);
--	perf_remove_from_context(event, DETACH_GROUP);
- 
--	raw_spin_lock_irq(&ctx->lock);
- 	/*
- 	 * Mark this event as STATE_DEAD, there is no external reference to it
- 	 * anymore.
-@@ -5125,8 +5132,7 @@ int perf_event_release_kernel(struct per
- 	 * Thus this guarantees that we will in fact observe and kill _ALL_
- 	 * child events.
- 	 */
--	event->state = PERF_EVENT_STATE_DEAD;
--	raw_spin_unlock_irq(&ctx->lock);
-+	perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
- 
- 	perf_event_ctx_unlock(event, ctx);
- 
-@@ -6533,6 +6539,8 @@ static void perf_pending_event(struct ir
- 
- 	if (rctx >= 0)
- 		perf_swevent_put_recursion_context(rctx);
-+
-+	put_event(event);
- }
- 
- /*
-- 
2.47.3