From: sashiko-bot@kernel.org
To: "Wang Han" <wanghan@linux.alibaba.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 8/8] selftests/livepatch: Add RISC-V syscall wrapper prefix
Date: Tue, 09 Jun 2026 06:45:51 +0000
Message-ID: <20260609064551.E2F6C1F00898@smtp.kernel.org>
In-Reply-To: <20260609063002.3943001-8-wanghan@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The module initialization function `livepatch_init()` leaks `klp_kobj` and its associated sysfs directory if `klp_enable_patch()` fails, leading to a kernel use-after-free.
--
commit 35d6758515b1de6295d7ae1a97c70e768cac9dfc
Author: Wang Han <wanghan@linux.alibaba.com>
selftests/livepatch: Add RISC-V syscall wrapper prefix
The syscall livepatch selftest resolves and patches a syscall wrapper
symbol. To use that test for RISC-V livepatch validation, add the
RISC-V FN_PREFIX definition for ARCH_HAS_SYSCALL_WRAPPER.
> diff --git a/tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c b/tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c
> index dd802783ea849..275e4b10cf595 100644
> --- a/tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c
> +++ b/tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c
> @@ -18,6 +18,8 @@
> #define FN_PREFIX __s390x_
> #elif defined(__aarch64__)
> #define FN_PREFIX __arm64_
> +#elif defined(__riscv)
> +#define FN_PREFIX __riscv_
> #else
> /* powerpc does not select ARCH_HAS_SYSCALL_WRAPPER */
> #define FN_PREFIX
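Review bot: The new `#elif defined(__riscv)` branch sets `FN_PREFIX __riscv_` for every RISC-V build, 32-bit and 64-bit alike, with nothing in the file tying that string to the wrapper naming the architecture uses. Since the commit message says the test resolves the syscall wrapper symbol, a prefix mismatch would surface only as a failed lookup when the selftest runs; state in the commit message which configurations the prefix was checked on, and consider a short comment on the prefix's origin, as the `#else` branch has for powerpc.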
[Severity: High]
This isn't a bug introduced by this patch, but does livepatch_init() leak
klp_kobj and its associated sysfs directory if klp_enable_patch() fails?
If klp_enable_patch() returns an error code, livepatch_init() returns this
error directly without calling kobject_put(klp_kobj):

tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c:livepatch_init() {
	...
	klp_kobj = kobject_create_and_add("test_klp_syscall", kernel_kobj);
	if (!klp_kobj)
		return -ENOMEM;
	ret = sysfs_create_file(klp_kobj, &klp_attr.attr);
	if (ret) {
		kobject_put(klp_kobj);
		return ret;
	}
	...
	return klp_enable_patch(&patch);
}

Because the initialization fails, the module loader frees the module memory,
but the sysfs file /sys/kernel/test_klp_syscall/npids remains registered.
A subsequent user-space access to this sysfs file could dereference a pointer
to the now-freed module data (klp_attr) and execute a freed function pointer
(npids_show), resulting in a use-after-free.
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.194d76e3a15b.v3.riscv-livepatch.wanghan@linux.alibaba.com?part=8
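
Added example, not part of the original message or of the selftest source: a userspace C model of the failed-init path the review describes, comparing an init that returns the enable error directly with one that drops the kobject first. The mock_* functions, the_kobj, enable_result and leaks_on_failure are hypothetical stand-ins for this illustration, and the sysfs_create_file() step is left out.

```c
/* Userspace model; every function is a stand-in for this example, not kernel API. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
static struct kobject { int refs; bool in_sysfs; } the_kobj, *klp_kobj;
static int enable_result; /* value the mock klp_enable_patch() returns */

static struct kobject *mock_kobject_create_and_add(void)
{
	the_kobj = (struct kobject){ .refs = 1, .in_sysfs = true };
	return &the_kobj;
}

static void mock_kobject_put(struct kobject *k)
{
	if (--k->refs == 0)
		k->in_sysfs = false; /* last reference dropped: directory removed */
}
static int mock_klp_enable_patch(void) { return enable_result; }

/* Shape of the quoted init: the enable error is returned as-is. */
static int init_as_quoted(void)
{
	klp_kobj = mock_kobject_create_and_add();
	return mock_klp_enable_patch();
}

/* Same path, releasing the kobject when enabling fails. */
static int init_with_unwind(void)
{
	klp_kobj = mock_kobject_create_and_add();
	int ret = mock_klp_enable_patch();
	if (ret)
		mock_kobject_put(klp_kobj);
	return ret;
}

/* True when a failed init leaves the modelled sysfs entry registered. */
static bool leaks_on_failure(int (*init)(void))
{
	enable_result = -EINVAL;
	return init() != 0 && the_kobj.in_sysfs;
}

int main(void)
{
	printf("quoted: %d, unwind: %d\n", leaks_on_failure(init_as_quoted), leaks_on_failure(init_with_unwind));
	return 0;
}
```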