From: Jens Remus <jremus@linux.ibm.com>
To: Steven Rostedt <rostedt@kernel.org>,
	Josh Poimboeuf <jpoimboe@kernel.org>
Cc: bpf@vger.kernel.org, sashiko@lists.linux.dev,
	Indu Bhagat <ibhagatgnu@gmail.com>,
	Heiko Carstens <hca@linux.ibm.com>
Subject: Re: [PATCH v14 11/19] unwind_user/sframe: Show file name in debug output
Date: Wed, 13 May 2026 11:20:39 +0200
Message-ID: <d12caa4a-e54f-422b-92b1-b2f51bf7ea20@linux.ibm.com>
In-Reply-To: <edd04d6c-3cdc-43da-9cf2-44cccc353658@linux.ibm.com>

On 5/12/2026 4:52 PM, Jens Remus wrote:
> On 5/5/2026 8:46 PM, sashiko-bot@kernel.org wrote:
>
>> [ ... ]
>>> @@ -496,7 +501,7 @@ static int __sframe_remove_section(struct mm_struct *mm,
>>> struct sframe_section *sec)
>>> {
>>> if (!mtree_erase(&mm->sframe_mt, sec->text_start)) {
>>> - dbg("mtree_erase failed: text=%lx\n", sec->text_start);
>>> + dbg_sec("mtree_erase failed: text=%lx\n", sec->text_start);
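Review bot: In the mtree_erase() failure branch of __sframe_remove_section(), the debug call reads sec->text_start both before and after this change, and switching to dbg_sec() adds whatever other fields of sec that macro prints (the subject says the file name), so this branch depends on sec still being allocated after the erase has already failed. Nothing in the hunk shows what keeps sec alive at that point. Please either state the lifetime rule in a comment above the function (for example, that the caller must be inside an SRCU read-side section on sframe_srcu), or copy text_start into a local before calling mtree_erase() and keep plain dbg() in this branch so the failure path does not touch sec at all.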
>>
>> Does accessing sec->filename in dbg_sec() risk a use-after-free here? If
>> mtree_erase() fails, it indicates the section might have been concurrently
>> removed. The SRCU grace period could expire, causing sec to be freed before
>> dbg_sec() is called.
>
> IIUC this is a valid concern. Should this change simply be reverted
> or should __sframe_remove_section() create a temporary copy of the
> filename and use dbg() for this rather unlikely case?

On my way home it occurred to me that adding guard(srcu)(&sframe_srcu);
to sframe_remove_section() (see my feedback on "[PATCH v14 03/19]
unwind_user/sframe: Store .sframe section data in per-mm maple tree")
should also resolve this use-after-free without any need for changes.

Regards,
Jens
--
Jens Remus
Linux on Z Development (D3303)
jremus@de.ibm.com / jremus@linux.ibm.com
IBM Deutschland Research & Development GmbH; Chairman of the Supervisory Board: Wolfgang Wendt; Management: David Faller; Registered office: Ehningen; Court of registration: Amtsgericht Stuttgart, HRB 243294
IBM Data Privacy Statement: https://www.ibm.com/privacy/