From: Steven Rostedt <rostedt@goodmis.org>
To: Afi0 <capyenglishlite@gmail.com>,
security@kernel.org, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, mhiramat@kernel.org,
Greg KH <gregkh@linuxfoundation.org>,
Jiri Olsa <olsajiri@gmail.com>
Subject: Re: Race condition in __modify_ftrace_direct() between tmp_ops registration and direct_functions hash update
Date: Sun, 17 May 2026 12:53:43 -0400 [thread overview]
Message-ID: <20260517125343.39dc8c85@fedora> (raw)
In-Reply-To: <CAEABq7dxnaLrTOhmD+tKnDenmZTUQD8sG=eoxe72mi_gwaus6g@mail.gmail.com>
[ RESEND - I didn't realize you replied to me privately. Adding back Cc list ]
On Sun, 17 May 2026 15:16:17 +0000
Afi0 <capyenglishlite@gmail.com> wrote:
> Hi Steven,
>
> Thanks for the detailed feedback, and for adding Jiri.
>
> You're right to challenge this. Let me clarify the exact scenario:
>
> The race is not about direct being NULL before assignment. The issue arises
> specifically in the *modification* path where an existing non-NULL direct
> is being replaced:
>
> 1. Caller holds a valid trampoline at address old_addr
> 2. Caller calls modify_ftrace_direct(ops, new_addr)
> 3. __modify_ftrace_direct() registers tmp_ops -> ftrace starts using
> tmp_ops
> 4. *Window opens:* CPUs entering traced function read entry -> direct =
> old_addr via ftrace_find_rec_direct()
> 5. Caller, believing the update is complete after modify_ftrace_direct()
> returns, frees old_addr
> 6. entry->direct = new_addr executes - too late, CPUs already jumped to
> freed memory
>
> The key assumption being violated: the caller cannot know when it is safe
> to free old_addr because modify_ftrace_direct() returns before entry ->
> direct is updated. The API implies atomicity that isn't guaranteed.
But __modify_ftrace_direct() calls unregister_ftrace_function(&tmp_ops).
Hmm, tmp_ops being static may be considered part of the core kernel in
which case the FTRACE_OPS_DYNAMIC is not set and the synchronization
will not be called from the unregister function.
>
> If the convention is that callers *must* never free the old trampoline
> until some explicit synchronization point after modify_ftrace_direct()
> returns, then you're correct that this is a caller bug rather than a bug in
> __modify_ftrace_direct() itself. Could you point me to documentation of
> this requirement? I may have misread the contract.
I'll let Jiri answer this part, but it does seem that there should be a
synchronization to make sure that the code is freed. BPF is the only
user of this, and this is a new feature.
Jiri, if the modify_ftrace_direct() is used to change the trampoline,
what synchronization is done to make make sure it's not called before
being freed?
-- Steve
prev parent reply other threads:[~2026-05-17 16:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 6:24 Race condition in __modify_ftrace_direct() between tmp_ops registration and direct_functions hash update Afi0
2026-05-17 7:08 ` Greg KH
2026-05-17 13:15 ` Steven Rostedt
[not found] ` <CAEABq7dxnaLrTOhmD+tKnDenmZTUQD8sG=eoxe72mi_gwaus6g@mail.gmail.com>
2026-05-17 16:53 ` Steven Rostedt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517125343.39dc8c85@fedora \
--to=rostedt@goodmis.org \
--cc=capyenglishlite@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=olsajiri@gmail.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.