From: Ihor Solodrai <ihor.solodrai@linux.dev>
To: Runyu Xiao <runyu.xiao@seu.edu.cn>, Song Liu <song@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
jianhao.xu@seu.edu.cn
Subject: Re: Question: BPF stack build-id lookup while holding mmap_lock
Date: Wed, 17 Jun 2026 22:05:24 -0700 [thread overview]
Message-ID: <24784bcb-a33d-4b97-bac3-6585329bfd93@linux.dev> (raw)
In-Reply-To: <20260618033152.1541795-1-runyu.xiao@seu.edu.cn>
On 6/17/26 8:31 PM, Runyu Xiao wrote:
> Hi,
>
> While auditing lock ordering around faultable build-id lookups, our
> static analysis tool flagged the BPF stackmap user-build-id path, and we
> manually reviewed it against the current tree.
>
> The path we are concerned about is the sleepable helper path:
>
> bpf_get_stack_sleepable() / bpf_get_task_stack_sleepable()
> -> __bpf_get_stack(..., may_fault = true)
> -> stack_map_get_build_id_offset()
> -> mmap_read_trylock(current->mm)
> -> build_id_parse(vma, ...)
> -> __kernel_read()
>
> `build_id_parse()` can read from the backing file while mmap_lock is
> held. That can form an ABBA dependency with file read paths where the
> inode side is held first and copy_to_user/copy_page_to_iter can fault
> and then need mmap_lock.
>
> A minimal Lockdep reproducer preserving this BPF stackmap carrier and
> the reverse file-read edge reports:
>
> WARNING: possible circular locking dependency detected
> __kernel_read
> stack_map_get_build_id_offset
> __bpf_get_stack
> *** DEADLOCK ***
>
> The local fix I am considering is only for the faultable build-id path.
> It would snapshot the VMA file reference and offset metadata under
> mmap_lock, drop mmap_lock, and then parse the build-id from the file
> reference with build_id_parse_file(). The existing no-fault path would
> remain unchanged.
>
> Roughly:
>
> 1. Under mmap_lock, find the VMA for each user IP.
> 2. Take a file reference and snapshot vm_start/vm_pgoff.
> 3. Drop mmap_lock.
> 4. Parse build IDs from the files.
> 5. Fall back to reporting IPs if the faultable path cannot safely
> release mmap_lock or allocate the temporary snapshot array.
Hi Runyu,
A patch implementing more or less this algorithm has recently landed:
https://lore.kernel.org/bpf/20260525223948.1920986-1-ihor.solodrai@linux.dev/
I recommend doing a search on lore.kernel.org or other mailing list mirror
in advance, to avoid unnecessary or duplicate work.
>
> The tradeoff is that build-id parsing would happen after releasing
> mmap_lock, so the VMA/file relationship is represented by the file
> reference and copied metadata rather than by holding the VMA lock context
> through the file read. That avoids file I/O under mmap_lock, but may
> change edge-case behavior if the mapping changes concurrently.
>
> Does this direction sound acceptable for sleepable BPF stack helpers, or
> would you prefer a stricter fallback-to-IP behavior whenever build-id
> parsing would require faultable file I/O? Another option would be to
> avoid build-id parsing entirely in the may_fault=true stackmap path unless
> there is an existing BPF/MM helper pattern I should reuse.
>
> The local draft subject is:
>
> bpf: avoid faultable build-id lookup under mmap_lock
>
> Thanks,
> Runyu
next prev parent reply other threads:[~2026-06-18 5:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 3:31 Question: BPF stack build-id lookup while holding mmap_lock Runyu Xiao
2026-06-18 5:05 ` Ihor Solodrai [this message]
2026-06-18 5:10 ` Runyu Xiao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24784bcb-a33d-4b97-bac3-6585329bfd93@linux.dev \
--to=ihor.solodrai@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=jianhao.xu@seu.edu.cn \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=runyu.xiao@seu.edu.cn \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.