From: sashiko-bot@kernel.org
To: "Jens Remus" <jremus@linux.ibm.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v15 11/20] unwind_user/sframe: Show file name in debug output
Date: Wed, 20 May 2026 16:14:05 +0000 [thread overview]
Message-ID: <20260520161405.AE1C31F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260520154004.3845823-12-jremus@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] Incorrect use of `vma->vm_file` instead of `!vma_is_anonymous(vma)` to classify a VMA as file-backed.
Pre-existing issues:
- [Critical] Calling `sframe_remove_section` from `sframe_find` acquires a spinlock in NMI context, leading to deadlocks, and triggers a user-controllable WARN.
--
commit 60b05617f9a9c00f287a96dda25f8e4086c6178b
Author: Josh Poimboeuf <jpoimboe@kernel.org>
unwind_user/sframe: Show file name in debug output
This commit prefixes debug output strings with the file name to make sframe
debugging easier. It looks up the VMA corresponding to the sframe section
and extracts the filename based on the VMA properties.
> diff --git a/kernel/unwind/sframe.c b/kernel/unwind/sframe.c
> --- a/kernel/unwind/sframe.c
> +++ b/kernel/unwind/sframe.c
[ ... ]
> @@ -374,14 +374,17 @@ int sframe_find(unsigned long ip, struct unwind_user_frame *frame)
> user_read_access_end();
>
> end:
> - if (ret && ret != -ENOENT)
> + if (ret && ret != -ENOENT) {
> + dbg_sec("removing bad .sframe section\n");
> WARN_ON_ONCE(sframe_remove_section(sec->sframe_start));
> + }
[Severity: Critical]
This is a pre-existing issue, but can this lead to deadlocks in NMI context?
sframe_find() is invoked for user stack unwinding from contexts like perf,
which executes from NMI or hardirq contexts. sframe_remove_section() calls
mtree_erase(), which acquires the maple tree's non-IRQ-safe mtree_lock.
Acquiring a regular spinlock in NMI context can cause a hard CPU deadlock
if the lock was already held by the interrupted thread.
Also, could an unprivileged user trivially trigger this WARN_ON_ONCE by
unmapping the section, potentially crashing the system if panic_on_warn
is enabled?
[ ... ]
> diff --git a/kernel/unwind/sframe_debug.h b/kernel/unwind/sframe_debug.h
> --- a/kernel/unwind/sframe_debug.h
> +++ b/kernel/unwind/sframe_debug.h
[ ... ]
> +static inline void dbg_init(struct sframe_section *sec)
> +{
> + struct mm_struct *mm = current->mm;
> + struct vm_area_struct *vma;
> +
> + guard(mmap_read_lock)(mm);
> + vma = vma_lookup(mm, sec->sframe_start);
> + if (!vma)
> + sec->filename = kstrdup("(vma gone???)", GFP_KERNEL_ACCOUNT);
> + else if (vma->vm_file)
> + sec->filename = kstrdup_quotable_file(vma->vm_file, GFP_KERNEL_ACCOUNT);
[Severity: Low]
Does this code accurately classify file-backed VMAs?
Anonymous mappings, such as private mappings of /dev/zero, can also have
vm_file populated. Relying only on vm_file might misclassify these mappings
for the debug output.
Would it be more reliable to use !vma_is_anonymous(vma) to check if the
VMA is file-backed before accessing vm_file?
> + else if (vma->vm_ops && vma->vm_ops->name)
> + sec->filename = kstrdup(vma->vm_ops->name(vma), GFP_KERNEL_ACCOUNT);
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520154004.3845823-1-jremus@linux.ibm.com?part=11
next prev parent reply other threads:[~2026-05-20 16:14 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 15:39 [PATCH v15 00/20] unwind_deferred: Implement sframe handling Jens Remus
2026-05-20 15:39 ` [PATCH v15 01/20] unwind_user: Add generic and arch-specific headers to MAINTAINERS Jens Remus
2026-05-20 15:39 ` [PATCH v15 02/20] unwind_user/sframe: Add support for reading .sframe headers Jens Remus
2026-05-20 16:02 ` sashiko-bot
2026-05-21 7:58 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 03/20] unwind_user/sframe: Store .sframe section data in per-mm maple tree Jens Remus
2026-05-20 16:29 ` sashiko-bot
2026-05-21 9:39 ` Jens Remus
2026-05-21 16:08 ` Steven Rostedt
2026-05-20 15:39 ` [PATCH v15 04/20] x86/uaccess: Add unsafe_copy_from_user() implementation Jens Remus
2026-05-20 16:13 ` sashiko-bot
2026-05-20 15:39 ` [PATCH v15 05/20] unwind_user/sframe: Add support for reading .sframe contents Jens Remus
2026-05-20 16:33 ` sashiko-bot
2026-05-21 9:40 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 06/20] unwind_user/sframe: Detect .sframe sections in executables Jens Remus
2026-05-20 15:39 ` [PATCH v15 07/20] unwind_user/sframe: Wire up unwind_user to sframe Jens Remus
2026-05-20 16:23 ` sashiko-bot
2026-05-21 10:44 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 08/20] unwind_user: Stop when reaching an outermost frame Jens Remus
2026-05-20 16:01 ` sashiko-bot
2026-05-21 10:45 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 09/20] unwind_user/sframe: Add support for outermost frame indication Jens Remus
2026-05-20 16:01 ` sashiko-bot
2026-05-21 10:46 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 10/20] unwind_user/sframe: Remove .sframe section on detected corruption Jens Remus
2026-05-20 16:26 ` sashiko-bot
2026-05-20 15:39 ` [PATCH v15 11/20] unwind_user/sframe: Show file name in debug output Jens Remus
2026-05-20 16:14 ` sashiko-bot [this message]
2026-05-21 10:55 ` Jens Remus
2026-05-21 16:20 ` Steven Rostedt
2026-05-20 15:39 ` [PATCH v15 12/20] unwind_user/sframe: Add .sframe validation option Jens Remus
2026-05-20 16:15 ` sashiko-bot
2026-05-21 12:51 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 13/20] unwind_user: Enable archs that pass RA in a register Jens Remus
2026-05-20 16:21 ` sashiko-bot
2026-05-21 13:00 ` Jens Remus
2026-05-20 15:39 ` [PATCH v15 14/20] unwind_user: Flexible FP/RA recovery rules Jens Remus
2026-05-20 15:39 ` [PATCH v15 15/20] unwind_user: Flexible CFA " Jens Remus
2026-05-20 16:22 ` sashiko-bot
2026-05-21 11:33 ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 16/20] unwind_user/sframe: Add support for SFrame V3 flexible FDEs Jens Remus
2026-05-20 17:04 ` sashiko-bot
2026-05-21 11:58 ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 17/20] unwind_user/sframe: Separate reading of FRE from reading of FRE data words Jens Remus
2026-05-20 16:48 ` sashiko-bot
2026-05-20 15:40 ` [PATCH v15 18/20] unwind_user/sframe: Duplicate registered .sframe section data on clone/fork Jens Remus
2026-05-20 17:01 ` sashiko-bot
2026-05-21 12:05 ` Jens Remus
2026-05-20 15:40 ` [PATCH v15 19/20] unwind_user/sframe/x86: Enable sframe unwinding on x86 Jens Remus
2026-05-20 15:40 ` [PATCH v15 20/20] unwind_user/sframe: Add prctl() interface for registering .sframe sections Jens Remus
2026-05-20 16:52 ` sashiko-bot
2026-05-21 12:08 ` Jens Remus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260520161405.AE1C31F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jremus@linux.ibm.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox