From: sashiko-bot@kernel.org
To: "Fredrik Markstrom" <fredrik.markstrom@est.tech>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v2 1/3] arm64: perf: Skip device memory during user callchain unwinding
Date: Thu, 30 Apr 2026 11:48:28 +0000 [thread overview]
Message-ID: <20260430114829.274ABC2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260430-master-with-pfix-v3-v2-1-bd526ec04a75@est.tech>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Time-of-Check to Time-of-Use (TOCTOU) race in the lockless device memory check leaves a window for a kernel panic.
--
commit ed429c75630a0d1b28e968c7cbc91dc9b7885fe0
Author: Fredrik Markstrom <fredrik.markstrom@est.tech>
arm64: perf: Skip device memory during user callchain unwinding
This commit adds a lockless page table walk to inspect the MAIR
attribute index in leaf PTEs before reading userspace frame pointers
during callchain unwinding. If the PTE indicates device memory, the
frame is skipped to prevent kernel crashes from MMIO reads.
> diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
> index 3ebcf8c53fb04..4a28df9bbe763 100644
> --- a/arch/arm64/kernel/stacktrace.c
> +++ b/arch/arm64/kernel/stacktrace.c
[ ... ]
> @@ -524,6 +627,9 @@ unwind_user_frame(struct frame_tail __user *tail, void *cookie,
> if (!access_ok(tail, sizeof(buftail)))
> return NULL;
>
> + if (range_is_device_mem((unsigned long)tail, sizeof(buftail)))
> + return NULL;
> +
> pagefault_disable();
> err = __copy_from_user_inatomic(&buftail, tail, sizeof(buftail));
> pagefault_enable();
Does this TOCTOU race still leave a window for a kernel panic?
While the commit message notes this race, a concurrent thread could remap
the target address to device memory between the check in range_is_device_mem()
and the read in __copy_from_user_inatomic().
Since arm64 hardware TLB invalidation broadcasts to all CPUs without requiring
software IPI participation, could the racing thread successfully replace the
VMA and update the TLB even if the unwinding CPU has interrupts disabled?
Additionally, when called from process context via ftrace, interrupts are
fully re-enabled after the check, which might allow preemption to widen the
race window significantly.
Could this allow an unprivileged attacker to trigger a synchronous external
abort and cause a local denial of service?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260430-master-with-pfix-v3-v2-0-bd526ec04a75@est.tech?part=1
next prev parent reply other threads:[~2026-04-30 11:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 10:55 [PATCH v2 0/3] arm64: perf: Skip device memory during user callchain unwinding Fredrik Markstrom
2026-04-30 10:55 ` [PATCH v2 1/3] " Fredrik Markstrom
2026-04-30 11:48 ` sashiko-bot [this message]
2026-05-01 9:54 ` Fredrik Markstrom
2026-04-30 10:55 ` [PATCH v2 2/3] DO NOT MERGE: arm64: perf: Add skip_vmio parameter to control device memory callchain guard Fredrik Markstrom
2026-04-30 11:55 ` sashiko-bot
2026-04-30 10:55 ` [PATCH v2 3/3] DO NOT MERGE: selftests: perf_events: Add device memory callchain unwinding test Fredrik Markstrom
2026-04-30 12:08 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260430114829.274ABC2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=fredrik.markstrom@est.tech \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox