| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzYN33yQhO-tsF8pUWDMZoiLAXkV+Z1oP6fJkByocYcjpw@mail.gmail.com>
Date: Tue, 3 Feb 2026 16:04:11 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Qing Wang <wangqing7171@...il.com>
Cc: Song Liu <song@...nel.org>, Jiri Olsa <jolsa@...nel.org>,
Alexei Starovoitov <ast@...nel.org>, peterz@...radead.org, acme@...nel.org,
Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>,
Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-perf-users@...r.kernel.org,
syzbot+72a43cdb78469f7fbad1@...kaller.appspotmail.com
Subject: Re: [PATCH] bpf/perf: Fix suspicious RCU usage in get_callchain_entry()
On Tue, Jan 27, 2026 at 10:18 PM Qing Wang <wangqing7171@...il.com> wrote:
>
> There is a patch intended to fix suspicious RCU usage in get_callchain_entry(),
> but it is incorrect. Specifically, rcu_read_lock()/rcu_read_unlock() is not
> called when may_fault == false.
rcu_read_lock/unlock is not called when may_fault == false because in
that case BPF program is already running within rcu_read_lock/unlock
region. So I'm not sure this patch fixes anything really. And even
with trace_in, if we cann rcu_read_lock/unlock one extra time it
shouldn't be a problem, no?
pw-bot: cr
>
> Previous discussion:
> https://lore.kernel.org/all/CAEf4BzaYL9zZN8TZyRHW3_O3vbHc7On+NSunrkDvDQx2=wwyRw@mail.gmail.com/#R
>
> For perf's callchain, rcu_read_lock()/rcu_read_unlock() should be called when
> trace_in == false.
>
> Fixes: d4dd9775ec24 ("bpf: wire up sleepable bpf_get_stack() and bpf_get_task_stack() helpers")
> Reported-by: syzbot+72a43cdb78469f7fbad1@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
> Tested-by: syzbot+72a43cdb78469f7fbad1@...kaller.appspotmail.com
> Signed-off-by: Qing Wang <wangqing7171@...il.com>
> ---
> kernel/bpf/stackmap.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
> index da3d328f5c15..f97d4aa9d038 100644
> --- a/kernel/bpf/stackmap.c
> +++ b/kernel/bpf/stackmap.c
> @@ -460,7 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>
> max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
>
> - if (may_fault)
> + if (!trace_in)
> rcu_read_lock(); /* need RCU for perf's callchain below */
>
> if (trace_in) {
> @@ -474,7 +474,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
> }
>
> if (unlikely(!trace) || trace->nr < skip) {
> - if (may_fault)
> + if (!trace_in)
> rcu_read_unlock();
> goto err_fault;
> }
> @@ -494,7 +494,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
> }
>
> /* trace/ips should not be dereferenced after this point */
> - if (may_fault)
> + if (!trace_in)
> rcu_read_unlock();
>
> if (user_build_id)
> --
> 2.34.1
>
Powered by blists - more mailing lists