[PATCH v5 7/8] sframe: Introduce in-kernel SFRAME_VALIDATION

Jens Remus jremus at linux.ibm.com
Thu Apr 30 03:04:00 PDT 2026


On 4/28/2026 8:36 PM, Dylan Hatch wrote:
> Generalize the __safe* helpers to support a non-user-access code path.
> 
> This requires arch-specific function address validation. This is because
> arm64 vmlinux keeps .exit.text (normally discarded), and .rodata.text
> sections both of which lie outside the bounds of the normal .text.
> .rodata.text contains code that is never executed by the kernel mapping,
> but for which the toolchain nonetheless generates sframe data, and needs
> to be considered valid for a PC lookup.
> 
> Additionally .init.text lies outside .text for all arches and must be
> accounted for as well.

> diff --git a/arch/arm64/include/asm/unwind_sframe.h b/arch/arm64/include/asm/unwind_sframe.h

> @@ -2,7 +2,54 @@
>  #ifndef _ASM_ARM64_UNWIND_SFRAME_H
>  #define _ASM_ARM64_UNWIND_SFRAME_H
>  
> +#include <linux/module.h>
> +#include <linux/sframe.h>
> +#include <asm/sections.h>
> +
>  #define SFRAME_REG_SP	31
>  #define SFRAME_REG_FP	29
>  
> +static inline bool sframe_func_start_addr_valid(struct sframe_section *sec,
> +						unsigned long func_addr)
> +{
> +	/* Common case for unwinding */
> +	if (sec->text_start <= func_addr && func_addr < sec->text_end)
> +		return true;
> +
> +	if (sec->sec_type != SFRAME_KERNEL)
> +		return false;
> +
> +	/*
> +	 * Account for vmlinux and module code outside the normal .text section.
> +	 * The toolchain still generates sframe data for these functions, so
> +	 * sframe lookups on them should be allowed.
> +	 */
> +	if (sec == &kernel_sfsec) {
> +		if (is_kernel_inittext(func_addr))
> +			return true;
> +
> +		/* .exit.text is retained in vmlinux on arm64. */
> +		if (func_addr >= (unsigned long)__exittext_begin &&
> +		    func_addr < (unsigned long)__exittext_end)
> +			return true;
> +
> +

Nit: Superfluous empty line (2 instead of 1).

> +		/*
> +		 * .rodata.text is never executed from the kernel mapping, but
> +		 * still has sframe data
> +		 */
> +		if (func_addr >= (unsigned long)_srodatatext &&
> +		    func_addr < (unsigned long)_erodatatext)
> +			return true;
> +	} else {
> +		struct module *mod = container_of(sec, struct module,
> +						  arch.sframe_sec);

This currently does not work properly when sframe_validate_section() is
called from sframe_module_init(), which operates on a temporary struct
sframe_section that is not (yet) the one in struct module. See my
feedback to the respective patch for how to resolve.

> +		if (within_module_mem_type(func_addr, mod, MOD_INIT_TEXT))
> +			return true;
> +	}
> +
> +	return false;
> +}
> +#define sframe_func_start_addr_valid sframe_func_start_addr_valid
> +
>  #endif /* _ASM_ARM64_UNWIND_SFRAME_H */
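Review bot: the SFRAME_KERNEL branch accepts any address for which is_kernel_inittext() returns true, but that is a pure range check against the .init.text bounds and stays true after init memory has been freed; since the leading comment ("Common case for unwinding") indicates this helper is also called at unwind time, an unwind-time caller could validate a PC whose code no longer exists. The same applies to the module branch, where within_module_mem_type(func_addr, mod, MOD_INIT_TEXT) stays true after the module's init text has been discarded. If the helper is meant to serve both the validation pass and unwinding, say so in a comment and consider whether the .init.text / MOD_INIT_TEXT acceptance should be limited to the validation pass. Secondary: the header now includes <linux/sframe.h> to see struct sframe_section and kernel_sfsec while also providing the sframe_func_start_addr_valid override via the trailing #define; confirm that the generic header includes asm/unwind_sframe.h only after its own declarations so the include is not circular, or forward-declare the struct here instead.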

Regards,
Jens
-- 
Jens Remus
Linux on Z Development (D3303)
jremus at de.ibm.com / jremus at linux.ibm.com

IBM Deutschland Research & Development GmbH; Vorsitzender des Aufsichtsrats: Wolfgang Wendt; Geschäftsführung: David Faller; Sitz der Gesellschaft: Ehningen; Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM Data Privacy Statement: https://www.ibm.com/privacy/
