From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol()
Date: Wed, 06 May 2026 01:45:50 +0000 [thread overview]
Message-ID: <20260506014550.B5B39C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260506004546.3140141-4-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Medium] Incomplete implementation missing identical map mutation anti-patterns in the kallsyms loading path.
- [Medium] Out-of-bounds array access and crash on session teardown if `maps__insert()` fails.
- [Medium] Lockless window exposes missing kernel map to concurrent worker threads, causing dropped samples.
--
commit bf2ae4502d20517901689001acc83f0ec6ca94db
Author: Ian Rogers <irogers@google.com>
perf symbols: Fix map removal sequence inside dso__process_kernel_symbol()
This commit addresses a binary search indexing issue by ensuring a map is
removed from its cache list before mutating its address key fields. After the
in-place mutations are complete, the map is re-inserted to preserve the
sorting invariants of the underlying array.
> diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
> index 7afa8a1171396..f31d481a8627a 100644
> --- a/tools/perf/util/symbol-elf.c
> +++ b/tools/perf/util/symbol-elf.c
> @@ -1372,20 +1372,31 @@ static int dso__process_kernel_symbol(struct dso *dso, struct map *map,
> */
> if (*remap_kernel && dso__kernel(dso) && !kmodule) {
> *remap_kernel = false;
> - map__set_start(map, shdr->sh_addr + ref_reloc(kmap));
> - map__set_end(map, map__start(map) + shdr->sh_size);
> - map__set_pgoff(map, shdr->sh_offset);
> - map__set_mapping_type(map, MAPPING_TYPE__DSO);
> - /* Ensure maps are correctly ordered */
> + /*
> + * If the map is tracking inside the kmaps cache list array, we
> + * MUST remove it before mutating its virtual address key fields
> + * in place. Otherwise, downstream binary search lookups (bsearch)
> + * will search for mutated keys inside an array sorted under old
> + * invariants, causing indexing desynchronization faults.
> + */
> if (kmaps) {
> int err;
> struct map *tmp = map__get(map);
>
> maps__remove(kmaps, map);
Does this introduce a window where the kernel map is missing from kmaps?
maps__remove() and maps__insert() each independently acquire and release the
kmaps write lock. During the gap between these operations, the kernel map is
missing from the collection.
For KVM guests, kernel symbols are loaded lazily when the first guest sample
is received. If concurrent perf top worker threads process samples during
this window, will their maps__find() queries fail and cause samples to be
dropped or misattributed as unknown?
> + map__set_start(map, shdr->sh_addr + ref_reloc(kmap));
> + map__set_end(map, map__start(map) + shdr->sh_size);
> + map__set_pgoff(map, shdr->sh_offset);
> + map__set_mapping_type(map, MAPPING_TYPE__DSO);
> err = maps__insert(kmaps, map);
If maps__insert() fails here (for example, due to an ENOMEM when reallocating
the array), is the kernel map left permanently detached from kmaps?
If it remains detached but is still referenced by machine->vmlinux_map, what
happens during session teardown? It looks like machine__destroy_kernel_maps()
unconditionally calls maps__remove().
Inside __maps__remove(), if maps__by_address_index() fails to find the map
and returns -1 (UINT_MAX), it seems the code will use this index to call
map__put(maps_by_address[UINT_MAX]) and perform a memmove(). Could this
trigger an out-of-bounds memory access and crash?
> map__put(tmp);
> if (err)
> return err;
> + } else {
> + map__set_start(map, shdr->sh_addr + ref_reloc(kmap));
> + map__set_end(map, map__start(map) + shdr->sh_size);
> + map__set_pgoff(map, shdr->sh_offset);
> + map__set_mapping_type(map, MAPPING_TYPE__DSO);
> }
> }
Also, this commit fixes the in-place map boundary mutations for ELF symbols,
but does it miss similar patterns in the kallsyms loading path?
In dso__load_kernel_sym() and dso__load_guest_kernel_sym(), it appears
map__fixup_start(map) directly mutates map->start in place after the map is
already inserted into the kmaps array. Will this lockless mutation break the
sorting invariants of the maps_by_address array in the same way, causing
bsearch lookups to fail?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260506004546.3140141-1-irogers@google.com?part=3
next prev parent reply other threads:[~2026-05-06 1:45 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 22:05 [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-04-24 22:05 ` [PATCH v1 2/2] perf test: Add inject ASLR test Ian Rogers
2026-04-24 22:47 ` sashiko-bot
2026-04-24 22:36 ` [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses sashiko-bot
2026-04-25 2:05 ` [PATCH v2 " Ian Rogers
2026-04-25 2:05 ` [PATCH v2 2/2] perf test: Add inject ASLR test Ian Rogers
2026-05-04 3:51 ` [PATCH v3 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 3:51 ` [PATCH v3 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 3:51 ` [PATCH v3 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 3:51 ` [PATCH v3 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 4:51 ` sashiko-bot
2026-05-04 3:51 ` [PATCH v3 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 5:02 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 7:29 ` [PATCH v4 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 7:29 ` [PATCH v4 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 7:29 ` [PATCH v4 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 8:39 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 8:48 ` sashiko-bot
2026-05-04 8:23 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-06 0:45 ` [PATCH v5 0/5] " Ian Rogers
2026-05-06 0:45 ` [PATCH v5 1/5] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-06 13:22 ` Arnaldo Carvalho de Melo
2026-05-06 16:16 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 2/5] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-06 0:45 ` [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol() Ian Rogers
2026-05-06 1:45 ` sashiko-bot [this message]
2026-05-06 0:45 ` [PATCH v5 4/5] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-06 2:40 ` sashiko-bot
2026-05-06 18:52 ` Namhyung Kim
2026-05-06 20:01 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 5/5] perf test: Add inject ASLR test Ian Rogers
2026-05-07 15:58 ` James Clark
2026-05-07 16:17 ` Ian Rogers
2026-05-08 10:42 ` James Clark
2026-05-08 10:49 ` James Clark
2026-05-08 8:27 ` [PATCH v6 0/6] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-08 8:27 ` [PATCH v6 1/6] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-08 8:27 ` [PATCH v6 2/6] perf tool: Missing delegate_tool schedstat delegates and dont_split_sample_group Ian Rogers
2026-05-08 8:27 ` [PATCH v6 3/6] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-08 10:57 ` James Clark
2026-05-08 20:37 ` sashiko-bot
2026-05-11 7:07 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 4/6] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-08 21:22 ` sashiko-bot
2026-05-11 7:32 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 5/6] perf test: Add inject ASLR test Ian Rogers
2026-05-08 13:29 ` James Clark
2026-05-08 14:29 ` James Clark
2026-05-11 7:34 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 6/6] perf aslr: Strip sample registers Ian Rogers
2026-05-08 21:49 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260506014550.B5B39C2BCB4@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox