[PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain

BPF List
 help / color / mirror / Atom feed

* [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry()
@ 2026-01-28  6:17 Qing Wang
  2026-02-04  0:04 ` Andrii Nakryiko
  0 siblings, 1 reply; 3+ messages in thread
From: Qing Wang @ 2026-01-28  6:17 UTC (permalink / raw)
  To: Song Liu, Jiri Olsa, Alexei Starovoitov, peterz, acme,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
	Eduard Zingerman, Yonghong Song, John Fastabend, KP Singh,
	Stanislav Fomichev, Hao Luo
  Cc: bpf, linux-kernel, linux-perf-users, Qing Wang,
	syzbot+72a43cdb78469f7fbad1

There is a patch intended to fix suspicious RCU usage in get_callchain_entry(),
but it is incorrect. Specifically, rcu_read_lock()/rcu_read_unlock() is not
called when may_fault == false.

Previous discussion:
https://lore.kernel.org/all/CAEf4BzaYL9zZN8TZyRHW3_O3vbHc7On+NSunrkDvDQx2=wwyRw@mail.gmail.com/#R

For perf's callchain, rcu_read_lock()/rcu_read_unlock() should be called when
trace_in == false.

Fixes: d4dd9775ec24 ("bpf: wire up sleepable bpf_get_stack() and bpf_get_task_stack() helpers")
Reported-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
Tested-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
---
 kernel/bpf/stackmap.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index da3d328f5c15..f97d4aa9d038 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -460,7 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 
 	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
-	if (may_fault)
+	if (!trace_in)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
 	if (trace_in) {
@@ -474,7 +474,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
-		if (may_fault)
+		if (!trace_in)
 			rcu_read_unlock();
 		goto err_fault;
 	}
@@ -494,7 +494,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	/* trace/ips should not be dereferenced after this point */
-	if (may_fault)
+	if (!trace_in)
 		rcu_read_unlock();
 
 	if (user_build_id)
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry()
  2026-01-28  6:17 [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry() Qing Wang
@ 2026-02-04  0:04 ` Andrii Nakryiko
  2026-02-04  9:14   ` Qing Wang
  0 siblings, 1 reply; 3+ messages in thread
From: Andrii Nakryiko @ 2026-02-04  0:04 UTC (permalink / raw)
  To: Qing Wang
  Cc: Song Liu, Jiri Olsa, Alexei Starovoitov, peterz, acme,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
	Eduard Zingerman, Yonghong Song, John Fastabend, KP Singh,
	Stanislav Fomichev, Hao Luo, bpf, linux-kernel, linux-perf-users,
	syzbot+72a43cdb78469f7fbad1

On Tue, Jan 27, 2026 at 10:18 PM Qing Wang <wangqing7171@gmail.com> wrote:
>
> There is a patch intended to fix suspicious RCU usage in get_callchain_entry(),
> but it is incorrect. Specifically, rcu_read_lock()/rcu_read_unlock() is not
> called when may_fault == false.

rcu_read_lock/unlock is not called when may_fault == false because in
that case BPF program is already running within rcu_read_lock/unlock
region. So I'm not sure this patch fixes anything really. And even
with trace_in, if we cann rcu_read_lock/unlock one extra time it
shouldn't be a problem, no?

pw-bot: cr

>
> Previous discussion:
> https://lore.kernel.org/all/CAEf4BzaYL9zZN8TZyRHW3_O3vbHc7On+NSunrkDvDQx2=wwyRw@mail.gmail.com/#R
>
> For perf's callchain, rcu_read_lock()/rcu_read_unlock() should be called when
> trace_in == false.
>
> Fixes: d4dd9775ec24 ("bpf: wire up sleepable bpf_get_stack() and bpf_get_task_stack() helpers")
> Reported-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
> Tested-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com
> Signed-off-by: Qing Wang <wangqing7171@gmail.com>
> ---
>  kernel/bpf/stackmap.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
> index da3d328f5c15..f97d4aa9d038 100644
> --- a/kernel/bpf/stackmap.c
> +++ b/kernel/bpf/stackmap.c
> @@ -460,7 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>
>         max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
>
> -       if (may_fault)
> +       if (!trace_in)
>                 rcu_read_lock(); /* need RCU for perf's callchain below */
>
>         if (trace_in) {
> @@ -474,7 +474,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>         }
>
>         if (unlikely(!trace) || trace->nr < skip) {
> -               if (may_fault)
> +               if (!trace_in)
>                         rcu_read_unlock();
>                 goto err_fault;
>         }
> @@ -494,7 +494,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>         }
>
>         /* trace/ips should not be dereferenced after this point */
> -       if (may_fault)
> +       if (!trace_in)
>                 rcu_read_unlock();
>
>         if (user_build_id)
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry()
  2026-02-04  0:04 ` Andrii Nakryiko
@ 2026-02-04  9:14   ` Qing Wang
  0 siblings, 0 replies; 3+ messages in thread
From: Qing Wang @ 2026-02-04  9:14 UTC (permalink / raw)
  To: andrii.nakryiko
  Cc: acme, andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend,
	jolsa, kpsingh, linux-kernel, linux-perf-users, martin.lau,
	peterz, sdf, song, syzbot+72a43cdb78469f7fbad1, wangqing7171,
	yonghong.song

On Wed, 04 Feb 2026 at 08:04, Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
> rcu_read_lock/unlock is not called when may_fault == false because in
> that case BPF program is already running within rcu_read_lock/unlock
> region. So I'm not sure this patch fixes anything really. And even
> with trace_in, if we cann rcu_read_lock/unlock one extra time it
> shouldn't be a problem, no?

Thanks for your review, I agree with you. My patch is incorrect and there was a patch series [0]
to fix it.

    [0] https://lore.kernel.org/bpf/fb745675-e25c-4dcc-be4b-4a4411056755@linux.dev/T/#mc0fc5e0fec2e6456f72f402308fd4e397ba19d09

Let's forget my patch.

Thanks,
Qing.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-02-04  9:14 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-28  6:17 [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry() Qing Wang
2026-02-04  0:04 ` Andrii Nakryiko
2026-02-04  9:14   ` Qing Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox