From: sashiko-bot@kernel.org
To: "Jinchao Wang" <wangjinchao600@gmail.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [RFC PATCH 11/13] mm/kwatch: add debugfs control plane
Date: Tue, 14 Jul 2026 18:58:31 +0000 [thread overview]
Message-ID: <20260714185832.5E6E71F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260714183316.12964-1-wangjinchao600@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] Tasks that exit or are killed while inside a probed function permanently leak their kwatch_ctx_pool slot and leave their hardware breakpoint globally armed.
- [High] Missing kernel lockdown check allows root to bypass confidentiality restrictions by setting hardware breakpoints on arbitrary kernel addresses.
- [Medium] Lockless access to the global `kwatch_config` and `watching_active` variables in `kwatch_dbgfs_read` causes data races and torn reads.
- [Low] The KWATCH config entry selects KPROBES, KRETPROBES, and STACKTRACE without inheriting their architecture-specific dependencies, causing unmet dependency warnings.
--
--- Patch [11]: [RFC PATCH 11/13] mm/kwatch: add debugfs control plane ---
commit fe07df22dbe76645eaac13880523515d1694aec8
Author: Jinchao Wang <wangjinchao600@gmail.com>
mm/kwatch: add debugfs control plane
Wire the pieces together behind a single debugfs file,
/sys/kernel/debug/kwatch/config. Writing a key=value configuration
string stops any active session and starts a new one; reading shows
the active configuration and the nmi_rejected counter. An open-count
guard keeps the file single-open and a mutex serializes
start/stop/auto-stop against each other.
> diff --git a/mm/kwatch/Kconfig b/mm/kwatch/Kconfig
> new file mode 100644
> index 0000000000000..b1c37a829dd53
> --- /dev/null
> +++ b/mm/kwatch/Kconfig
> @@ -0,0 +1,17 @@
> +config KWATCH
> + tristate "Kernel Watch Framework"
> + depends on PERF_EVENTS && HAVE_HW_BREAKPOINT && DEBUG_FS
> + depends on HAVE_REINSTALL_HW_BREAKPOINT
> + select KPROBES
> + select KRETPROBES
> + select STACKTRACE
[Severity: Low]
Should this Kconfig entry inherit architecture-specific dependencies for
KPROBES and STACKTRACE?
Selecting these without depending on HAVE_KPROBES and STACKTRACE_SUPPORT
can cause unmet dependency warnings and potential build failures on
architectures that do not support them.
[ ... ]
> diff --git a/mm/kwatch/core.c b/mm/kwatch/core.c
> new file mode 100644
> index 0000000000000..548d0cdd08126
> --- /dev/null
> +++ b/mm/kwatch/core.c
> @@ -0,0 +1,325 @@
[ ... ]
> +static int kwatch_start_watching(void)
> +{
> + int ret;
[ ... ]
> + ret = kwatch_hwbp_prealloc(kwatch_config.max_watch,
> + kwatch_config.access_type);
> + if (ret) {
> + pr_err("kwatch_hwbp_prealloc ret: %d\n", ret);
> + return ret;
> + }
> +
> + ret = kwatch_tsk_ctx_prealloc(kwatch_config.max_concurrency);
> + if (ret) {
> + kwatch_hwbp_free();
> + return ret;
> + }
> +
> + ret = kwatch_probe_start(&kwatch_config);
[Severity: High]
If a task exits or is killed while inside a probed function, could this leak
the kwatch_ctx_pool slot and leave hardware breakpoints permanently armed?
When a task terminates, the kretprobe framework flushes instances without
executing the exit handlers (like kwatch_lifecycle_exit() in probe.c).
This skips the kwatch_tsk_ctx_put() call, leaving the slot occupied
and the HWBP armed until the kwatch session is manually stopped.
[ ... ]
> +static ssize_t kwatch_dbgfs_read(struct file *file, char __user *user_buf,
> + size_t count, loff_t *ppos)
> +{
> + char *out_buf;
> + size_t len = 0;
> + ssize_t ret;
> +
> + out_buf = kzalloc(MAX_CONFIG_STR_LEN, GFP_KERNEL);
> + if (!out_buf)
> + return -ENOMEM;
> +
> + if (watching_active) {
> + len += scnprintf(out_buf + len, MAX_CONFIG_STR_LEN - len,
[Severity: Medium]
Is it safe to access watching_active and format kwatch_config here without
holding kwatch_dbgfs_mutex?
Since concurrent writes (via kwatch_dbgfs_write) zero out kwatch_config
while holding the mutex, this lockless read could result in data races
or torn reads of the configuration state.
[ ... ]
> +static ssize_t kwatch_dbgfs_write(struct file *file, const char __user *buffer,
> + size_t count, loff_t *ppos)
> +{
> + char *input_alloc;
> + char *parse_str;
> + int ret;
[ ... ]
> + ret = kwatch_config_parse(parse_str, &kwatch_config);
> + if (ret) {
> + pr_err("Failed to parse config %d\n", ret);
> + goto out;
> + }
> +
> + ret = kwatch_start_watching();
[Severity: High]
Could a missing lockdown check here allow root to bypass confidentiality
restrictions?
Since this enables setting hardware breakpoints on arbitrary memory addresses
provided by userspace, it might allow inspecting kernel memory in violation
of LOCKDOWN_CONFIDENTIALITY. perf_event_open() normally enforces
security_locked_down() checks, but register_wide_hw_breakpoint() does not.
> + if (ret) {
> + pr_err("Failed to start watching with %d\n", ret);
> + goto out;
> + }
> +
> + ret = count;
> +
> +out:
> + mutex_unlock(&kwatch_dbgfs_mutex);
> + kfree(input_alloc);
> + return ret;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260714182243.10687-1-wangjinchao600@gmail.com?part=11
next prev parent reply other threads:[~2026-07-14 18:58 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 18:22 [RFC PATCH 00/13] mm/kwatch: dynamic hardware watchpoints for hunting memory corruption Jinchao Wang
2026-07-14 18:22 ` [RFC PATCH 01/13] arch: add HAVE_REINSTALL_HW_BREAKPOINT Jinchao Wang
2026-07-14 18:22 ` [RFC PATCH 02/13] x86/hw_breakpoint: Unify breakpoint install/uninstall Jinchao Wang
2026-07-14 18:47 ` sashiko-bot
2026-07-14 18:22 ` [RFC PATCH 03/13] x86/hw_breakpoint: Add arch_reinstall_hw_breakpoint Jinchao Wang
2026-07-14 19:22 ` sashiko-bot
2026-07-14 18:30 ` [RFC PATCH 04/13] HWBP: Add modify_wide_hw_breakpoint_local() API Jinchao Wang
2026-07-14 19:41 ` sashiko-bot
2026-07-14 18:31 ` [RFC PATCH 05/13] mm/kwatch: add watch expression parser and dereference engine Jinchao Wang
2026-07-14 18:45 ` sashiko-bot
2026-07-14 18:31 ` [RFC PATCH 06/13] mm/kwatch: add lockless per-task context pool Jinchao Wang
2026-07-14 18:44 ` sashiko-bot
2026-07-14 18:31 ` [RFC PATCH 07/13] stacktrace: export stack_trace_save_regs() Jinchao Wang
2026-07-14 18:42 ` sashiko-bot
2026-07-14 18:32 ` [RFC PATCH 08/13] mm/kwatch: add hardware breakpoint backend Jinchao Wang
2026-07-14 18:50 ` sashiko-bot
2026-07-14 18:32 ` [RFC PATCH 09/13] mm/kwatch: add probe lifecycle runtime Jinchao Wang
2026-07-14 19:53 ` sashiko-bot
2026-07-14 18:32 ` [RFC PATCH 10/13] mm/kwatch: add anchor thread for global watchpoints Jinchao Wang
2026-07-14 18:48 ` sashiko-bot
2026-07-14 18:33 ` [RFC PATCH 11/13] mm/kwatch: add debugfs control plane Jinchao Wang
2026-07-14 18:58 ` sashiko-bot [this message]
2026-07-14 18:33 ` [RFC PATCH 12/13] mm/kwatch: add KUnit tests for the watch expression parser Jinchao Wang
2026-07-14 18:50 ` sashiko-bot
2026-07-14 18:33 ` [RFC PATCH 13/13] Documentation/dev-tools: document KWatch Jinchao Wang
2026-07-14 18:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714185832.5E6E71F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wangjinchao600@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox