Linux Perf Users
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Jinchao Wang" <wangjinchao600@gmail.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [RFC PATCH v2 06/13] mm/kwatch: add lockless per-task context pool
Date: Fri, 17 Jul 2026 13:19:04 +0000	[thread overview]
Message-ID: <20260717131904.864991F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260717130430.1902527-1-wangjinchao600@gmail.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
- [Critical] Concurrent lockless accesses to the global `kwatch_ctx_pool` lack RCU or READ_ONCE protection, leading to Use-After-Free or NULL pointer dereferences.
- [High] NMI reentrancy between slot claim and release causes premature release, double free, and cross-task data corruption.
- [High] Hash table lookup degenerates to an unconditional O(N) full array scan on negative lookups, causing massive NMI latency.
- [High] Context slots permanently leak if a task exits abruptly, causing state corruption and ABA problems when the task_struct is reallocated.
- [High] Missing release/acquire memory barriers when dynamically publishing `kwatch_ctx_pool` expose lockless readers to uninitialized state and UB.
- [Medium] Large contiguous memory allocation with kcalloc() risks frequent failure on fragmented systems.
--

--- Patch [6]: [RFC PATCH v2 06/13] mm/kwatch: add lockless per-task context pool ---
commit 48d8ef7e220842e6317681d38fcc2886436cae7d
Author: Jinchao Wang <wangjinchao600@gmail.com>

mm/kwatch: add lockless per-task context pool

A task that enters the watched function needs somewhere to keep its
window state (nesting depth, owned watchpoint, config epoch). The
lookup runs in kprobe and NMI-like contexts, so it must not allocate
or take locks.

> diff --git a/mm/kwatch/task_ctx.c b/mm/kwatch/task_ctx.c
> new file mode 100644
> index 0000000000000..64383a4429e7c
> --- /dev/null
> +++ b/mm/kwatch/task_ctx.c

[ ... ]

> @@ -0,0 +1,125 @@
> +int kwatch_tsk_ctx_prealloc(u16 max_concurrency)
> +{
> +	if (max_concurrency < KWATCH_CTX_POOL_MIN)
> +		max_concurrency = KWATCH_CTX_POOL_MIN;
> +	else if (max_concurrency > KWATCH_CTX_POOL_MAX)
> +		max_concurrency = KWATCH_CTX_POOL_MAX;
> +
> +	/*
> +	 * Set the size/mask only when actually allocating, so they can never
> +	 * drift out of sync with the live pool if prealloc is ever called
> +	 * again without a matching free.
> +	 */
> +	if (unlikely(!kwatch_ctx_pool)) {
> +		kwatch_ctx_pool_size = roundup_pow_of_two(max_concurrency);
> +		kwatch_ctx_pool_mask = kwatch_ctx_pool_size - 1;
> +
> +		kwatch_ctx_pool = kcalloc(kwatch_ctx_pool_size,
> +					  sizeof(struct kwatch_tsk_ctx),
> +					  GFP_KERNEL);

[Severity: Medium]
Does this allocation risk frequent failure on fragmented systems?

In kwatch_tsk_ctx_prealloc(), this uses kcalloc with GFP_KERNEL to allocate up
to 32768 elements of struct kwatch_tsk_ctx. Such large physically contiguous
allocations are highly prone to failure when memory is fragmented.

Would using kvcalloc be more appropriate here to allow fallback to
non-contiguous virtual memory mappings?

[Severity: High]
Are there missing memory barriers here when publishing kwatch_ctx_pool?

In kwatch_tsk_ctx_prealloc(), kwatch_ctx_pool_size is initialized before
dynamically assigning kwatch_ctx_pool. Without smp_store_release, the CPU
could reorder these stores.

If a concurrent reader in kwatch_tsk_ctx_get() evaluates !kwatch_ctx_pool
without smp_load_acquire, could it observe kwatch_ctx_pool != NULL but read a
stale value of 0 for kwatch_ctx_pool_size? This would result in ilog2(0),
which returns -1, and cause a bitshift overflow when passed to hash_ptr().

> +		if (!kwatch_ctx_pool)
> +			return -ENOMEM;
> +	}
> +	return 0;
> +}
> +
> +struct kwatch_tsk_ctx *kwatch_tsk_ctx_get(bool can_alloc)
> +{
> +	int start_idx, i, idx;
> +	struct task_struct *t;
> +
> +	if (unlikely(!kwatch_ctx_pool))
> +		return NULL;
> +
> +	start_idx = hash_ptr(current, ilog2(kwatch_ctx_pool_size));
> +
> +	for (i = 0; i < kwatch_ctx_pool_size; i++) {
> +		idx = (start_idx + i) & kwatch_ctx_pool_mask;

[Severity: High]
Does this loop cause significant NMI latency?

In kwatch_tsk_ctx_get(), because the open-addressing hash table nullifies the
task pointer instead of using tombstones for deletions, it cannot stop probing
when encountering an empty slot.

On every cache miss, such as when a task first triggers a watchpoint, this
loop unconditionally iterates kwatch_ctx_pool_size times to ensure the task
is not already present. Is it safe to perform an O(N) scan in NMI context?

> +		t = READ_ONCE(kwatch_ctx_pool[idx].task);
> +		if (t == current)
> +			return &kwatch_ctx_pool[idx];

[Severity: High]
Could this falsely match a new task to a dead task's leaked slot?

In kwatch_tsk_ctx_get(), if a task exits abruptly due to a fatal signal and
bypasses the return probe, it will fail to call kwatch_tsk_ctx_put(), leaving
the slot assigned to the dead task_struct pointer.

When the slab allocator reuses the freed memory for a new task, the new task's
current pointer would match this leaked slot. Will the new task erroneously
inherit stale state and potentially trigger a use-after-free on the dangling
watchpoint?

> +	}
> +
> +	if (!can_alloc)
> +		return NULL;
> +
> +	for (i = 0; i < kwatch_ctx_pool_size; i++) {
> +		idx = (start_idx + i) & kwatch_ctx_pool_mask;
> +		t = READ_ONCE(kwatch_ctx_pool[idx].task);
> +		if (!t) {
> +			if (!cmpxchg(&kwatch_ctx_pool[idx].task, NULL, current))
> +				return &kwatch_ctx_pool[idx];

[Severity: High]
Can an NMI interrupting this path cause a premature release or double free?

In kwatch_tsk_ctx_get(), this lockless claim publishes ownership before the
caller can establish safe nesting state. If an NMI interrupts the task
immediately after this claim, enters a watch window, and reclaims the same
slot because t == current, it will unconditionally call kwatch_tsk_ctx_put()
when exiting the watch window.

This releases the slot by writing NULL to ctx->task. When the interrupted task
resumes, it will incorrectly assume ownership of a now-freed slot that might
be claimed by another CPU. Is there a way to prevent this reentrancy issue?

> +		}
> +	}
> +
> +	return NULL;
> +}

[ ... ]

> +void kwatch_tsk_ctx_free(void)
> +{
> +	kfree(kwatch_ctx_pool);
> +	kwatch_ctx_pool = NULL;

[Severity: High]
Does this create a use-after-free regression?

In kwatch_tsk_ctx_free(), kfree is called directly on kwatch_ctx_pool followed
by assigning it to NULL, without any RCU synchronization.

If an NMI or task concurrently executes kwatch_tsk_ctx_get(), won't it
dereference the freed memory? Additionally, since kwatch_tsk_ctx_get()
evaluates kwatch_ctx_pool in loops without READ_ONCE, could the compiler
reload the global pointer after it is set to NULL, causing a NULL pointer
dereference?

> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260717125023.1895892-1-wangjinchao600@gmail.com?part=6

  reply	other threads:[~2026-07-17 13:19 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-17 12:50 [RFC PATCH v2 00/13] mm/kwatch: dynamic hardware watchpoints for hunting memory corruption Jinchao Wang
2026-07-17 13:02 ` [RFC PATCH v2 01/13] arch: add HAVE_REINSTALL_HW_BREAKPOINT Jinchao Wang
2026-07-17 13:02 ` [RFC PATCH v2 02/13] x86/hw_breakpoint: Unify breakpoint install/uninstall Jinchao Wang
2026-07-17 13:15   ` sashiko-bot
2026-07-17 13:03 ` [RFC PATCH v2 03/13] x86/hw_breakpoint: Add arch_reinstall_hw_breakpoint Jinchao Wang
2026-07-17 13:03 ` [RFC PATCH v2 04/13] HWBP: Add modify_wide_hw_breakpoint_local() API Jinchao Wang
2026-07-17 13:21   ` sashiko-bot
2026-07-17 13:04 ` [RFC PATCH v2 05/13] mm/kwatch: add watch expression parser and dereference engine Jinchao Wang
2026-07-17 13:15   ` sashiko-bot
2026-07-17 13:04 ` [RFC PATCH v2 06/13] mm/kwatch: add lockless per-task context pool Jinchao Wang
2026-07-17 13:19   ` sashiko-bot [this message]
2026-07-17 13:04 ` [RFC PATCH v2 07/13] stacktrace: export stack_trace_save_regs() Jinchao Wang
2026-07-17 13:05 ` [RFC PATCH v2 08/13] mm/kwatch: add hardware breakpoint backend Jinchao Wang
2026-07-17 13:24   ` sashiko-bot
2026-07-17 13:05 ` [RFC PATCH v2 09/13] mm/kwatch: add probe lifecycle runtime Jinchao Wang
2026-07-17 13:20   ` sashiko-bot
2026-07-17 13:06 ` [RFC PATCH v2 10/13] mm/kwatch: add anchor thread for global watchpoints Jinchao Wang
2026-07-17 13:20   ` sashiko-bot
2026-07-17 13:06 ` [RFC PATCH v2 11/13] mm/kwatch: add debugfs control plane Jinchao Wang
2026-07-17 13:27   ` sashiko-bot
2026-07-17 13:07 ` [RFC PATCH v2 12/13] mm/kwatch: add KUnit tests for the watch expression parser Jinchao Wang
2026-07-17 13:07 ` [RFC PATCH v2 13/13] Documentation/dev-tools: document KWatch Jinchao Wang
2026-07-17 13:30   ` sashiko-bot
2026-07-17 13:41 ` [RFC PATCH v2 00/13] mm/kwatch: dynamic hardware watchpoints for hunting memory corruption Dave Hansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260717131904.864991F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=wangjinchao600@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox