From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9455C287508 for ; Tue, 2 Dec 2025 17:03:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764695033; cv=none; b=WDhAa856LXthyTmiJRZHsysqlaGCAT6Y71JppbzyQnpaoEnrnsN5Dg0XhLivPtJZE5Hfam6mEZmc57Wv17ZoUx25/CCBQUl8/Da0x2b/6czbv3P93+GMb/tZKeAIx3+LFi9QCwdBHGCKObEx8XxSqWWD3MlmyMsS2p9xizP4RyA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764695033; c=relaxed/simple; bh=PWCJXJbTvcUx5MvyDFWGaPPFikIkfs6IKAXBi+ImjOQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=SmH8J4uSS/DK6ND7lVSqVu8/c0HK6dVOUF4xJzPF31F+juMxwKAnul2KS+atVxFkLeyNthIWPQiQDicF7o2TN4fhxA9iadA1bh0tJvIeqILvkgg66ro0GSvnk28MvsmTk0Q68nGkDakSxXW9hzFUdLjavEG8RsmLKT4seaF7LzM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bb6g7EvW; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bb6g7EvW" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 701CCC4CEF1; Tue, 2 Dec 2025 17:03:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1764695033; bh=PWCJXJbTvcUx5MvyDFWGaPPFikIkfs6IKAXBi+ImjOQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bb6g7EvWIhr+Bl/timFUWoUMBb9hIn3rM8RVN8yyvpssffCN9WNCHsmeJEtYyvItJ msQbZAGapOb23Ngs5TmZ1+wo3udFYSTL/ERuqlD4amD9Rf4ioPRgs8xVlhKJyO20Jb jk0xQYBK/DMncI4uyYhD55DcrMUXetl2uPoEU5kw+8jbHGMy7lSuHc090sCnxariyr yqgCEYKYJOFPjCf8YuJjoZStzWydl3020+7haKBpzNn6/Wwf/ThO9QcqpWwkOhMCjq LgwLNUEaBZbrI1/1X1BtPa5Nw4IxAOkwN6e5S8scyAiRGTPkWk/O9ud6YqKh6Pmdbk NBkrN53VbALuA== Date: Tue, 2 Dec 2025 18:03:49 +0100 From: Ingo Molnar To: Josh Poimboeuf Cc: x86@kernel.org, linux-kernel@vger.kernel.org, Nathan Chancellor , Peter Zijlstra , Alexandre Chartre , David Laight Subject: Re: [PATCH] objtool: Fix stack overflow in validate_branch() Message-ID: References: <21bb161c23ca0d8c942a960505c0d327ca2dc7dc.1764691895.git.jpoimboe@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: * Josh Poimboeuf wrote: > On Tue, Dec 02, 2025 at 05:20:22PM +0100, Ingo Molnar wrote: > > > > * Josh Poimboeuf wrote: > > > > > On an allmodconfig kernel compiled with Clang, objtool is segfaulting in > > > drivers/scsi/qla2xxx/qla2xxx.o due to a stack overflow in > > > validate_branch(). > > > > > > Due in part to KASAN being enabled, the qla2xxx code has a large number > > > of conditional jumps, causing objtool to go quite deep in its recursion. > > > > > > By far the biggest offender of stack usage is the recently added > > > 'prev_state' stack variable in validate_insn(), coming in at 328 bytes. > > > > That's weird - how can a user-space tool run into stack > > limits, are they set particularly conservatively? > > On my Fedora system, "ulimit -s" is 8MB. You'd think that would be > enough :-) > > In this case, objtool had over 20,000 stack frames caused by recursively > following over 7,000(!) conditional jumps in a single function. Ouch ... ... which means that very likely we'll run into this problem again. :-/ Time to add stack overflow self-detection? I've attached a simple proof-of-concept that uses sigaltstacks based SIGSEGV handler to catch a stack overflow: starship:/s/stack-overflow> ./overflow # Starting stack recursion: # WARNING: SIGSEGV received: Possible stack overflow detected! starship:/s/stack-overflow> Could we add something like this to objtool, with perhaps a look at the interrupted stack pointer from SIGSEGV_handler(), to make sure the SIGSEGV was due to a stack overflow? Thanks, Ingo # # Build with: gcc -Wall -o overflow overflow.c # ======={ overflow.c }============> #include #include #include #include #include void SIGSEGV_handler(int sig) { /* * From this point on we are running on the sigaltstack: */ fprintf(stderr, "\n# WARNING: SIGSEGV received: Possible stack overflow detected!\n"); _exit(EXIT_FAILURE); } void setup_SIGSEGV_handler(void) { struct sigaction sa; stack_t ss; ss.ss_sp = malloc(SIGSTKSZ); if (ss.ss_sp == NULL) { perror("FAIL: malloc"); exit(EXIT_FAILURE); } ss.ss_size = SIGSTKSZ; ss.ss_flags = 0; if (sigaltstack(&ss, NULL) == -1) { perror("FAIL: sigaltstack"); exit(EXIT_FAILURE); } sa.sa_handler = SIGSEGV_handler; sigemptyset(&sa.sa_mask); /* * SA_ONSTACK tells the kernel to use the sigaltstack * for this handler: */ sa.sa_flags = SA_RESTART | SA_ONSTACK; if (sigaction(SIGSEGV, &sa, NULL) == -1) { perror("sigaction"); exit(EXIT_FAILURE); } } // Example function to force a recursive stack overflow void recurse_into_stack(int depth) { char buffer[1000]; (void)buffer; if (depth < 0) return; recurse_into_stack(depth - 1); } int main(void) { setup_SIGSEGV_handler(); printf("# Starting stack recursion:\n"); recurse_into_stack(1000000); return 0; }