From: Ingo Molnar <mingo@kernel.org>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
Nathan Chancellor <nathan@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
David Laight <david.laight.linux@gmail.com>
Subject: Re: [PATCH] objtool: Fix stack overflow in validate_branch()
Date: Tue, 2 Dec 2025 18:03:49 +0100 [thread overview]
Message-ID: <aS8b9SeLDPF5n9UE@gmail.com> (raw)
In-Reply-To: <zfwk7bzznjhnkqmfvfn3tan7vdwzybghf5inwci5kbqlhuixwp@2cktlvdv4gjg>
* Josh Poimboeuf <jpoimboe@kernel.org> wrote:
> On Tue, Dec 02, 2025 at 05:20:22PM +0100, Ingo Molnar wrote:
> >
> > * Josh Poimboeuf <jpoimboe@kernel.org> wrote:
> >
> > > On an allmodconfig kernel compiled with Clang, objtool is segfaulting in
> > > drivers/scsi/qla2xxx/qla2xxx.o due to a stack overflow in
> > > validate_branch().
> > >
> > > Due in part to KASAN being enabled, the qla2xxx code has a large number
> > > of conditional jumps, causing objtool to go quite deep in its recursion.
> > >
> > > By far the biggest offender of stack usage is the recently added
> > > 'prev_state' stack variable in validate_insn(), coming in at 328 bytes.
> >
> > That's weird - how can a user-space tool run into stack
> > limits, are they set particularly conservatively?
>
> On my Fedora system, "ulimit -s" is 8MB. You'd think that would be
> enough :-)
>
> In this case, objtool had over 20,000 stack frames caused by recursively
> following over 7,000(!) conditional jumps in a single function.
Ouch ...
... which means that very likely we'll run into this problem again. :-/
Time to add stack overflow self-detection?
I've attached a simple proof-of-concept that uses
sigaltstacks based SIGSEGV handler to catch a stack
overflow:
starship:/s/stack-overflow> ./overflow
# Starting stack recursion:
# WARNING: SIGSEGV received: Possible stack overflow detected!
starship:/s/stack-overflow>
Could we add something like this to objtool, with
perhaps a look at the interrupted stack pointer from
SIGSEGV_handler(), to make sure the SIGSEGV was due to
a stack overflow?
Thanks,
Ingo
#
# Build with: gcc -Wall -o overflow overflow.c
#
======={ overflow.c }============>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/resource.h>
void SIGSEGV_handler(int sig)
{
/*
* From this point on we are running on the sigaltstack:
*/
fprintf(stderr, "\n# WARNING: SIGSEGV received: Possible stack overflow detected!\n");
_exit(EXIT_FAILURE);
}
void setup_SIGSEGV_handler(void)
{
struct sigaction sa;
stack_t ss;
ss.ss_sp = malloc(SIGSTKSZ);
if (ss.ss_sp == NULL) {
perror("FAIL: malloc");
exit(EXIT_FAILURE);
}
ss.ss_size = SIGSTKSZ;
ss.ss_flags = 0;
if (sigaltstack(&ss, NULL) == -1) {
perror("FAIL: sigaltstack");
exit(EXIT_FAILURE);
}
sa.sa_handler = SIGSEGV_handler;
sigemptyset(&sa.sa_mask);
/*
* SA_ONSTACK tells the kernel to use the sigaltstack
* for this handler:
*/
sa.sa_flags = SA_RESTART | SA_ONSTACK;
if (sigaction(SIGSEGV, &sa, NULL) == -1) {
perror("sigaction");
exit(EXIT_FAILURE);
}
}
// Example function to force a recursive stack overflow
void recurse_into_stack(int depth)
{
char buffer[1000];
(void)buffer;
if (depth < 0)
return;
recurse_into_stack(depth - 1);
}
int main(void)
{
setup_SIGSEGV_handler();
printf("# Starting stack recursion:\n");
recurse_into_stack(1000000);
return 0;
}
next prev parent reply other threads:[~2025-12-02 17:03 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 16:16 [PATCH] objtool: Fix stack overflow in validate_branch() Josh Poimboeuf
2025-12-02 16:20 ` Ingo Molnar
2025-12-02 16:49 ` Josh Poimboeuf
2025-12-02 17:03 ` Ingo Molnar [this message]
2025-12-02 17:11 ` Josh Poimboeuf
2025-12-02 19:56 ` Josh Poimboeuf
2025-12-02 20:20 ` Ingo Molnar
2025-12-02 22:05 ` David Laight
2025-12-02 23:01 ` Josh Poimboeuf
2025-12-03 11:02 ` David Laight
2025-12-03 16:11 ` Ingo Molnar
2025-12-03 16:40 ` [tip: objtool/urgent] objtool: Add more robust signal error handling, detect and warn about stack overflows tip-bot2 for Josh Poimboeuf
2025-12-03 18:48 ` tip-bot2 for Josh Poimboeuf
2025-12-03 9:25 ` [PATCH] objtool: Fix stack overflow in validate_branch() Ingo Molnar
2025-12-03 18:54 ` Josh Poimboeuf
2025-12-03 18:58 ` Josh Poimboeuf
2025-12-03 19:15 ` Ingo Molnar
2025-12-03 19:37 ` David Laight
2025-12-03 20:30 ` Linus Torvalds
2025-12-03 23:53 ` Josh Poimboeuf
2025-12-03 19:11 ` Ingo Molnar
2025-12-04 2:47 ` Josh Poimboeuf
2025-12-02 16:27 ` [tip: objtool/urgent] " tip-bot2 for Josh Poimboeuf
2025-12-02 16:28 ` [PATCH] " Josh Poimboeuf
2025-12-02 16:41 ` Ingo Molnar
2025-12-02 16:44 ` [tip: objtool/urgent] " tip-bot2 for Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aS8b9SeLDPF5n9UE@gmail.com \
--to=mingo@kernel.org \
--cc=alexandre.chartre@oracle.com \
--cc=david.laight.linux@gmail.com \
--cc=jpoimboe@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox