From: Ihor Solodrai <ihor.solodrai@linux.dev>
To: Runyu Xiao <runyu.xiao@seu.edu.cn>, Song Liu <song@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
jianhao.xu@seu.edu.cn
Subject: Re: Question: BPF stack build-id lookup while holding mmap_lock
Date: Wed, 17 Jun 2026 22:05:24 -0700 [thread overview]
Message-ID: <24784bcb-a33d-4b97-bac3-6585329bfd93@linux.dev> (raw)
In-Reply-To: <20260618033152.1541795-1-runyu.xiao@seu.edu.cn>
On 6/17/26 8:31 PM, Runyu Xiao wrote:
> Hi,
>
> While auditing lock ordering around faultable build-id lookups, our
> static analysis tool flagged the BPF stackmap user-build-id path, and we
> manually reviewed it against the current tree.
>
> The path we are concerned about is the sleepable helper path:
>
> bpf_get_stack_sleepable() / bpf_get_task_stack_sleepable()
> -> __bpf_get_stack(..., may_fault = true)
> -> stack_map_get_build_id_offset()
> -> mmap_read_trylock(current->mm)
> -> build_id_parse(vma, ...)
> -> __kernel_read()
>
> `build_id_parse()` can read from the backing file while mmap_lock is
> held. That can form an ABBA dependency with file read paths where the
> inode side is held first and copy_to_user/copy_page_to_iter can fault
> and then need mmap_lock.
>
> A minimal Lockdep reproducer preserving this BPF stackmap carrier and
> the reverse file-read edge reports:
>
> WARNING: possible circular locking dependency detected
> __kernel_read
> stack_map_get_build_id_offset
> __bpf_get_stack
> *** DEADLOCK ***
>
> The local fix I am considering is only for the faultable build-id path.
> It would snapshot the VMA file reference and offset metadata under
> mmap_lock, drop mmap_lock, and then parse the build-id from the file
> reference with build_id_parse_file(). The existing no-fault path would
> remain unchanged.
>
> Roughly:
>
> 1. Under mmap_lock, find the VMA for each user IP.
> 2. Take a file reference and snapshot vm_start/vm_pgoff.
> 3. Drop mmap_lock.
> 4. Parse build IDs from the files.
> 5. Fall back to reporting IPs if the faultable path cannot safely
> release mmap_lock or allocate the temporary snapshot array.
Hi Runyu,
A patch implementing more or less this algorithm has recently landed:
https://lore.kernel.org/bpf/20260525223948.1920986-1-ihor.solodrai@linux.dev/
I recommend doing a search on lore.kernel.org or other mailing list mirror
in advance, to avoid unnecessary or duplicate work.
>
> The tradeoff is that build-id parsing would happen after releasing
> mmap_lock, so the VMA/file relationship is represented by the file
> reference and copied metadata rather than by holding the VMA lock context
> through the file read. That avoids file I/O under mmap_lock, but may
> change edge-case behavior if the mapping changes concurrently.
>
> Does this direction sound acceptable for sleepable BPF stack helpers, or
> would you prefer a stricter fallback-to-IP behavior whenever build-id
> parsing would require faultable file I/O? Another option would be to
> avoid build-id parsing entirely in the may_fault=true stackmap path unless
> there is an existing BPF/MM helper pattern I should reuse.
>
> The local draft subject is:
>
> bpf: avoid faultable build-id lookup under mmap_lock
>
> Thanks,
> Runyu
next prev parent reply other threads:[~2026-06-18 5:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 3:31 Question: BPF stack build-id lookup while holding mmap_lock Runyu Xiao
2026-06-18 5:05 ` Ihor Solodrai [this message]
2026-06-18 5:10 ` Runyu Xiao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24784bcb-a33d-4b97-bac3-6585329bfd93@linux.dev \
--to=ihor.solodrai@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=jianhao.xu@seu.edu.cn \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=runyu.xiao@seu.edu.cn \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox