Re: [PATCH v15 17/20] unwind_user/sframe: Separate reading of FRE from reading of FRE data words

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jens Remus" <jremus@linux.ibm.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v15 17/20] unwind_user/sframe: Separate reading of FRE from reading of FRE data words
Date: Wed, 20 May 2026 16:48:01 +0000	[thread overview]
Message-ID: <20260520164802.0AA361F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260520154004.3845823-18-jremus@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] The `sframe_mt` maple tree is initialized without `MT_FLAGS_USE_RCU`. As a result, maple tree nodes are freed synchronously via `kmem_cache_free()` instead of being deferred by RCU. Lockless concurrent readers using `mtree_load()` (or `mt_for_each()`) can encounter a Use-After-Free if another thread concurrently executes `sframe_remove_section()`.
--

commit 9c045164b82cb49d5d976dfee059454643b1da0a
Author: Jens Remus <jremus@linux.ibm.com>

unwind_user/sframe: Separate reading of FRE from reading of FRE data words

__find_fre() performs linear search for a matching SFrame FRE for a given IP.
For that purpose it uses __read_fre(), which reads the whole FRE.

> diff --git a/kernel/unwind/sframe.c b/kernel/unwind/sframe.c
> index 48709f0bafc78..ec8318977a2ef 100644
> --- a/kernel/unwind/sframe.c
> +++ b/kernel/unwind/sframe.c
> @@ -39,6 +39,9 @@ struct sframe_fre_internal {
>  	u32		fp_ctl;
>  	s32		fp_off;
>  	u8		info;
> +	unsigned long	dw_addr;
> +	unsigned char	dw_count;
> +	unsigned char	dw_size;
>  };
>  
>  DEFINE_STATIC_SRCU(sframe_srcu);

[Severity: Critical]
This is a pre-existing issue, but I noticed that mm->sframe_mt is initialized
via the INIT_MM_SFRAME macro using MTREE_INIT(sframe_mt, 0), which explicitly
leaves out the MT_FLAGS_USE_RCU flag.

Since sframe_find() and sframe_remove_section() execute under the shared
sframe_srcu read lock here, there is no mutual exclusion between a concurrent
reader and writer.

Because MT_FLAGS_USE_RCU is absent, maple tree node deletions triggered by
mtree_erase() in __sframe_remove_section() synchronously free the nodes
via kmem_cache_free() without waiting for an RCU grace period.

Could this lead to a use-after-free if a lockless concurrent reader using
mtree_load() accesses internal tree nodes while a writer is concurrently
removing a section?

If a multithreaded userspace program triggers a stack unwind in one thread
while another concurrently removes a section via prctl, could this cause
memory corruption or kernel panics?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260520154004.3845823-1-jremus@linux.ibm.com?part=17

next prev parent reply	other threads:[~2026-05-20 16:48 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-20 15:39 [PATCH v15 00/20] unwind_deferred: Implement sframe handling Jens Remus
2026-05-20 15:39 ` [PATCH v15 01/20] unwind_user: Add generic and arch-specific headers to MAINTAINERS Jens Remus
2026-05-20 15:39 ` [PATCH v15 02/20] unwind_user/sframe: Add support for reading .sframe headers Jens Remus
2026-05-20 16:02   ` sashiko-bot
2026-05-21  7:58     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 03/20] unwind_user/sframe: Store .sframe section data in per-mm maple tree Jens Remus
2026-05-20 16:29   ` sashiko-bot
2026-05-21  9:39     ` Jens Remus
2026-05-21 16:08       ` Steven Rostedt
2026-05-20 15:39 ` [PATCH v15 04/20] x86/uaccess: Add unsafe_copy_from_user() implementation Jens Remus
2026-05-20 16:13   ` sashiko-bot
2026-05-20 15:39 ` [PATCH v15 05/20] unwind_user/sframe: Add support for reading .sframe contents Jens Remus
2026-05-20 16:33   ` sashiko-bot
2026-05-21  9:40     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 06/20] unwind_user/sframe: Detect .sframe sections in executables Jens Remus
2026-05-20 15:39 ` [PATCH v15 07/20] unwind_user/sframe: Wire up unwind_user to sframe Jens Remus
2026-05-20 16:23   ` sashiko-bot
2026-05-21 10:44     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 08/20] unwind_user: Stop when reaching an outermost frame Jens Remus
2026-05-20 16:01   ` sashiko-bot
2026-05-21 10:45     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 09/20] unwind_user/sframe: Add support for outermost frame indication Jens Remus
2026-05-20 16:01   ` sashiko-bot
2026-05-21 10:46     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 10/20] unwind_user/sframe: Remove .sframe section on detected corruption Jens Remus
2026-05-20 16:26   ` sashiko-bot
2026-05-20 15:39 ` [PATCH v15 11/20] unwind_user/sframe: Show file name in debug output Jens Remus
2026-05-20 16:14   ` sashiko-bot
2026-05-21 10:55     ` Jens Remus
2026-05-21 16:20       ` Steven Rostedt
2026-05-20 15:39 ` [PATCH v15 12/20] unwind_user/sframe: Add .sframe validation option Jens Remus
2026-05-20 16:15   ` sashiko-bot
2026-05-21 12:51     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 13/20] unwind_user: Enable archs that pass RA in a register Jens Remus
2026-05-20 16:21   ` sashiko-bot
2026-05-21 13:00     ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 14/20] unwind_user: Flexible FP/RA recovery rules Jens Remus
2026-05-20 15:39 ` [PATCH v15 15/20] unwind_user: Flexible CFA " Jens Remus
2026-05-20 16:22   ` sashiko-bot
2026-05-21 11:33     ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 16/20] unwind_user/sframe: Add support for SFrame V3 flexible FDEs Jens Remus
2026-05-20 17:04   ` sashiko-bot
2026-05-21 11:58     ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 17/20] unwind_user/sframe: Separate reading of FRE from reading of FRE data words Jens Remus
2026-05-20 16:48   ` sashiko-bot [this message]
2026-05-20 15:40 ` [PATCH v15 18/20] unwind_user/sframe: Duplicate registered .sframe section data on clone/fork Jens Remus
2026-05-20 17:01   ` sashiko-bot
2026-05-21 12:05     ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 19/20] unwind_user/sframe/x86: Enable sframe unwinding on x86 Jens Remus
2026-05-20 15:40 ` [PATCH v15 20/20] unwind_user/sframe: Add prctl() interface for registering .sframe sections Jens Remus
2026-05-20 16:52   ` sashiko-bot
2026-05-21 12:08     ` Jens Remus

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260520164802.0AA361F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jremus@linux.ibm.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.