From: Jens Remus <jremus@linux.ibm.com>
To: Steven Rostedt <rostedt@kernel.org>
Cc: bpf@vger.kernel.org, sashiko@lists.linux.dev,
Josh Poimboeuf <jpoimboe@kernel.org>,
Indu Bhagat <ibhagatgnu@gmail.com>,
Dylan Hatch <dylanbhatch@google.com>
Subject: Re: [PATCH v14 13/19] unwind_user: Enable archs that pass RA in a register
Date: Tue, 19 May 2026 16:30:53 +0200 [thread overview]
Message-ID: <ab7c154e-aa60-471d-ba03-334e55d1c74a@linux.ibm.com> (raw)
In-Reply-To: <20260519084222.4d34c8b4@gandalf.local.home>
On 5/19/2026 2:42 PM, Steven Rostedt wrote:
> On Tue, 19 May 2026 14:24:34 +0200
> Jens Remus <jremus@linux.ibm.com> wrote:
>
>>> How can this be triggered? Does it require an architecture to implement
>>> only partial sframe to trigger?
>>
>> On x86-64 it can be triggered from user space using forged .sframe that
>> incorrectly specifies no fixed RA offset and thus causes the common
>> unwind user (sframe) logic to recover RA from the RA register using
>> the dummy unwind_user_get_ra_reg().
>
> OK, so if user space could trigger it via a invalid .sframe, I would do at
> most a pr_debug() (may not even need a 'once'), and remove that this task
> has an sframe. That is, as soon as a sframe is discovered to be corrupted,
> it should be discarded and never used after that.
Removing the .sframe section is not straightforward in this specific
case, as the issue is not detected in the sframe decoding but only later
in unwind_user_next_common() once it calls the dummy
unwind_user_get_ra_reg(). unwind_user_next_common() gets called by
unwind_user_next_sframe() after it obtained the information to unwind
the frame using sframe_find(). Therefore the offending struct
sframe_section is no longer known. A reference to it cannot be stored
in struct unwind_user_frame, as that would require a SRCU read lock to
be held. Instead the sec->sframe_start could be stored in struct
unwind_user_frame, which could then be passed to sframe_remove_section().
Instead of adding sframe-specific information to struct unwind_user_frame
I would prefer to use the state->ip as key to remove the offending
.sframe section. Below is a compile-tested patch that outlines how
that could potentially work. The sframe decoding cannot detect this
as it would need a mean to know whether the architecture implements
unwind_user_get_ra_reg() (and likewise for unwind_user_get_reg()).
Is there a simpler solution?
diff --git a/include/linux/sframe.h b/include/linux/sframe.h
@@ -33,6 +33,7 @@ extern void sframe_free_mm(struct mm_struct *mm);
extern int sframe_add_section(unsigned long sframe_start, unsigned long sframe_end,
unsigned long text_start, unsigned long text_end);
extern int sframe_remove_section(unsigned long sframe_addr);
+extern int sframe_remove_section_for_ip(unsigned long ip);
extern int sframe_find(unsigned long ip, struct unwind_user_frame *frame);
static inline bool current_has_sframe(void)
@@ -52,6 +53,7 @@ static inline int sframe_add_section(unsigned long sframe_start, unsigned long s
return -ENOSYS;
}
static inline int sframe_remove_section(unsigned long sframe_addr) { return -ENOSYS; }
+extern int sframe_remove_section_for_ip(unsigned long ip) { return -ENOSYS; }
static inline int sframe_find(unsigned long ip, struct unwind_user_frame *frame) { return -ENOSYS; }
static inline bool current_has_sframe(void) { return false; }
diff --git a/include/linux/unwind_user.h b/include/linux/unwind_user.h
@@ -21,7 +21,7 @@ static inline int unwind_user_get_ra_reg(unsigned long *val)
{
pr_debug_once("%s (%d): unwind_user_get_ra_reg() not implemented\n",
current->comm, current->pid);
- return -EINVAL;
+ return -EFAULT;
}
#define unwind_user_get_ra_reg unwind_user_get_ra_reg
#endif
diff --git a/kernel/unwind/sframe.c b/kernel/unwind/sframe.c
@@ -886,6 +886,20 @@ int sframe_remove_section(unsigned long sframe_start)
return 0;
}
+int sframe_remove_section_for_ip(unsigned long ip)
+{
+ struct mm_struct *mm = current->mm;
+ struct sframe_section *sec;
+
+ guard(srcu)(&sframe_srcu);
+
+ sec = mtree_load(&mm->sframe_mt, ip);
+ if (!sec)
+ return -EINVAL;
+
+ return sframe_remove_section(sec->sframe_start);
+}
+
void sframe_free_mm(struct mm_struct *mm)
{
struct sframe_section *sec;
diff --git a/kernel/unwind/user.c b/kernel/unwind/user.c
@@ -45,6 +45,7 @@ static int unwind_user_next_common(struct unwind_user_state *state,
const struct unwind_user_frame *frame)
{
unsigned long cfa, sp, fp, ra;
+ int ret;
/* Stop unwinding when reaching an outermost frame. */
if (frame->outermost) {
@@ -94,8 +95,11 @@ static int unwind_user_next_common(struct unwind_user_state *state,
/* Get the Return Address (RA) */
switch (frame->ra.rule) {
case UNWIND_USER_RULE_RETAIN:
- if (!state->topmost || unwind_user_get_ra_reg(&ra))
+ if (!state->topmost)
return -EINVAL;
+ ret = unwind_user_get_ra_reg(&ra);
+ if (ret)
+ return ret;
break;
case UNWIND_USER_RULE_CFA_OFFSET:
/*
@@ -173,11 +177,16 @@ static int unwind_user_next_fp(struct unwind_user_state *state)
static int unwind_user_next_sframe(struct unwind_user_state *state)
{
struct unwind_user_frame frame;
+ unsigned long ip = state->ip;
+ int ret;
/* sframe expects the frame to be local storage */
- if (sframe_find(state->ip, &frame))
+ if (sframe_find(ip, &frame))
return -ENOENT;
- return unwind_user_next_common(state, &frame);
+ ret = unwind_user_next_common(state, &frame);
+ if (ret == -EFAULT)
+ sframe_remove_section_for_ip(ip);
+ return ret;
}
static int unwind_user_next(struct unwind_user_state *state)
>
> A print could be done just to inform the admin of what happened. And since
> the sframe would be removed, that prevents it from spamming the console, so
> the "once" isn't needed. We may want to show it for other applications.
>
> The print should state the comm and pid of the task that failed.
Thanks and regards,
Jens
--
Jens Remus
Linux on Z Development (D3303)
jremus@de.ibm.com / jremus@linux.ibm.com
IBM Deutschland Research & Development GmbH; Vorsitzender des Aufsichtsrats: Wolfgang Wendt; Geschäftsführung: David Faller; Sitz der Gesellschaft: Ehningen; Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM Data Privacy Statement: https://www.ibm.com/privacy/
next prev parent reply other threads:[~2026-05-19 14:31 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 12:16 [PATCH v14 00/19] unwind_deferred: Implement sframe handling Jens Remus
2026-05-05 12:17 ` [PATCH v14 01/19] unwind_user: Add generic and arch-specific headers to MAINTAINERS Jens Remus
2026-05-05 12:17 ` [PATCH v14 02/19] unwind_user/sframe: Add support for reading .sframe headers Jens Remus
2026-05-05 12:49 ` sashiko-bot
2026-05-06 13:42 ` Jens Remus
2026-05-07 14:55 ` Jens Remus
2026-05-08 23:02 ` Indu Bhagat
2026-05-11 10:05 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 03/19] unwind_user/sframe: Store .sframe section data in per-mm maple tree Jens Remus
2026-05-05 18:51 ` sashiko-bot
2026-05-06 13:50 ` Jens Remus
2026-05-06 15:21 ` Steven Rostedt
2026-05-12 15:52 ` Jens Remus
2026-05-20 14:48 ` Jens Remus
2026-05-18 15:22 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 04/19] x86/uaccess: Add unsafe_copy_from_user() implementation Jens Remus
2026-05-05 18:22 ` sashiko-bot
2026-05-06 14:13 ` Jens Remus
2026-05-06 15:05 ` Steven Rostedt
2026-05-06 14:09 ` Jens Remus
2026-05-06 15:03 ` Steven Rostedt
2026-05-06 21:13 ` David Laight
2026-05-06 21:17 ` David Laight
2026-05-05 12:17 ` [PATCH v14 05/19] unwind_user/sframe: Add support for reading .sframe contents Jens Remus
2026-05-05 18:59 ` sashiko-bot
2026-05-06 14:34 ` Jens Remus
2026-05-06 15:01 ` Steven Rostedt
2026-05-06 15:29 ` Jens Remus
2026-05-08 9:49 ` Jens Remus
2026-05-08 23:04 ` Indu Bhagat
2026-05-12 13:35 ` Jens Remus
2026-05-13 12:22 ` Steven Rostedt
2026-05-08 23:03 ` Indu Bhagat
2026-05-08 10:50 ` Jens Remus
2026-05-11 16:16 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 06/19] unwind_user/sframe: Detect .sframe sections in executables Jens Remus
2026-05-05 12:53 ` sashiko-bot
2026-05-06 14:56 ` Jens Remus
2026-05-06 15:36 ` Steven Rostedt
2026-05-08 23:05 ` Indu Bhagat
2026-05-05 12:17 ` [PATCH v14 07/19] unwind_user/sframe: Wire up unwind_user to sframe Jens Remus
2026-05-05 18:55 ` sashiko-bot
2026-05-07 16:18 ` Jens Remus
2026-05-08 23:07 ` Indu Bhagat
2026-05-11 16:46 ` Steven Rostedt
2026-05-05 12:17 ` [PATCH v14 08/19] unwind_user: Stop when reaching an outermost frame Jens Remus
2026-05-05 12:40 ` sashiko-bot
2026-05-06 15:01 ` Jens Remus
2026-05-06 15:40 ` Steven Rostedt
2026-05-05 12:17 ` [PATCH v14 09/19] unwind_user/sframe: Add support for outermost frame indication Jens Remus
2026-05-05 12:17 ` [PATCH v14 10/19] unwind_user/sframe: Remove .sframe section on detected corruption Jens Remus
2026-05-05 20:39 ` sashiko-bot
2026-05-07 16:23 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 11/19] unwind_user/sframe: Show file name in debug output Jens Remus
2026-05-05 18:46 ` sashiko-bot
2026-05-12 14:52 ` Jens Remus
2026-05-13 9:20 ` Jens Remus
2026-05-18 15:27 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 12/19] unwind_user/sframe: Add .sframe validation option Jens Remus
2026-05-05 18:32 ` sashiko-bot
2026-05-12 14:23 ` Jens Remus
2026-05-13 12:30 ` Steven Rostedt
2026-05-08 10:51 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 13/19] unwind_user: Enable archs that pass RA in a register Jens Remus
2026-05-05 18:35 ` sashiko-bot
2026-05-18 14:57 ` Jens Remus
2026-05-18 16:16 ` Jens Remus
2026-05-18 16:31 ` Steven Rostedt
2026-05-19 12:24 ` Jens Remus
2026-05-19 12:42 ` Steven Rostedt
2026-05-19 14:30 ` Jens Remus [this message]
2026-05-05 12:17 ` [PATCH v14 14/19] unwind_user: Flexible FP/RA recovery rules Jens Remus
2026-05-05 18:34 ` sashiko-bot
2026-05-18 15:08 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 15/19] unwind_user: Flexible CFA " Jens Remus
2026-05-05 12:17 ` [PATCH v14 16/19] unwind_user/sframe: Add support for SFrame V3 flexible FDEs Jens Remus
2026-05-05 18:55 ` sashiko-bot
2026-05-07 15:30 ` Jens Remus
2026-05-13 6:26 ` Indu Bhagat
2026-05-13 13:50 ` Jens Remus
2026-05-13 15:16 ` Steven Rostedt
2026-05-05 12:17 ` [PATCH v14 17/19] unwind_user/sframe: Separate reading of FRE from reading of FRE data words Jens Remus
2026-05-05 19:05 ` sashiko-bot
2026-05-07 16:01 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 18/19] unwind_user/sframe/x86: Enable sframe unwinding on x86 Jens Remus
2026-05-05 19:07 ` sashiko-bot
2026-05-18 15:33 ` Jens Remus
2026-05-05 12:17 ` [PATCH v14 19/19] unwind_user/sframe: Add prctl() interface for registering .sframe sections Jens Remus
2026-05-05 18:45 ` sashiko-bot
2026-05-07 14:14 ` Jens Remus
2026-05-05 12:25 ` [PATCH v14 00/19] unwind_deferred: Implement sframe handling Jens Remus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ab7c154e-aa60-471d-ba03-334e55d1c74a@linux.ibm.com \
--to=jremus@linux.ibm.com \
--cc=bpf@vger.kernel.org \
--cc=dylanbhatch@google.com \
--cc=ibhagatgnu@gmail.com \
--cc=jpoimboe@kernel.org \
--cc=rostedt@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox