From: Steven Rostedt <rostedt@goodmis.org>
To: Rosen Penev <rosenp@gmail.com>
Cc: linux-trace-kernel@vger.kernel.org,
Masami Hiramatsu <mhiramat@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
linux-kernel@vger.kernel.org (open list:FUNCTION HOOKS (FTRACE)),
sashiko-bot@kernel.org, sashiko-reviews@lists.linux.dev
Subject: Re: [PATCH] ftrace: Use flexible array for hash buckets
Date: Wed, 20 May 2026 21:28:29 -0400
Message-ID: <20260520212829.7734bad4@fedora>
In-Reply-To: <20260520220030.16887-1-rosenp@gmail.com>
On Wed, 20 May 2026 15:00:30 -0700
Rosen Penev <rosenp@gmail.com> wrote:
> Store ftrace hash buckets in the ftrace_hash allocation instead of
> allocating the bucket array separately.
>
> This keeps the bucket storage tied to the hash lifetime and simplifies
> the allocation and cleanup paths.
>
> Assisted-by: Codex:GPT-5.5
I'll let the AIs duke it out!
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
> ---
> kernel/trace/ftrace.c | 17 ++---------------
> kernel/trace/trace.h | 2 +-
> 2 files changed, 3 insertions(+), 16 deletions(-)
>
> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index b2611de3f594..25a9dca290dd 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -1082,10 +1082,7 @@ struct ftrace_func_probe {
> * it all the time. These are in a read only section such that if
> * anyone does try to modify it, it will cause an exception.
> */
> -static const struct hlist_head empty_buckets[1];
> -static const struct ftrace_hash empty_hash = {
> - .buckets = (struct hlist_head *)empty_buckets,
> -};
> +static const struct ftrace_hash empty_hash = {};
> #define EMPTY_HASH ((struct ftrace_hash *)&empty_hash)
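Review bot: dropping `empty_buckets[1]` and the `.buckets` initializer leaves `empty_hash = {}` with no bucket storage at all, while its `size_bits` is still 0, so any iteration site that bounds its loop by `1 << hash->size_bits` will still visit `buckets[0]`, and with `buckets` now a flexible array member that index lies past the end of the object. The removed one-element zeroed array was what made that single iteration safe on EMPTY_HASH. Either keep one zeroed bucket behind the static empty hash (for example by defining it through a wrapper object that reserves one `struct hlist_head` after the header), or audit every caller that walks `buckets` to confirm it checks `ftrace_hash_empty()` first. The trace.h hunk that changes the member declaration is not quoted in this reply, so that side cannot be checked here.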
According to Sashiko: https://sashiko.dev/#/patchset/20260520220030.16887-1-rosenp%40gmail.com
Could this conversion to a flexible array member cause an
out-of-bounds read when iterating over the empty hash? Because
empty_hash is now initialized as an empty struct, its flexible array
member buckets has a size of 0. However, empty_hash.size_bits is 0,
which means loop limits computing '1 << hash->size_bits' will
evaluate to 1. If functions like
prepare_direct_functions_for_ipmodify() iterate over a default
EMPTY_HASH without checking ftrace_hash_empty(), they will attempt
to read EMPTY_HASH->buckets[0]. This reads past the end of the
struct into adjacent memory in the .rodata section. If that adjacent
memory happens to be non-zero, the linked list loop could
dereference it and cause a kernel panic. Prior to this patch,
empty_buckets provided a safely zeroed array of size 1 to handle
this single iteration.
-- Steve
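The layout question raised above, as an added example that is not code from the patch or from the kernel: a user-space model of the post-patch `ftrace_hash` with `buckets` as a flexible array member, showing that a `{}`-initialised static instance backs zero buckets while the `1 << size_bits` loop bound still visits one, what allocation size a backed hash needs, and the `ftrace_hash_empty()`-style guard that keeps a walk over EMPTY_HASH from touching `buckets[0]`. The struct fields and hlist types are simplified stand-ins (assumption), not the kernel's definitions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel's hlist types (simplified, assumption). */
struct hlist_node { struct hlist_node *next; };
struct hlist_head { struct hlist_node *first; };

/* Post-patch shape: bucket storage is a flexible array at the end of the hash. */
struct ftrace_hash {
	unsigned long size_bits;
	unsigned long count;
	struct hlist_head buckets[];
};

/* A `{}`-initialised static instance, as the hunk defines empty_hash: no bucket storage. */
static const struct ftrace_hash empty_hash = {};

/* Loop bound used at the iteration sites: 1 << 0 is still one bucket. */
static unsigned long hash_nbuckets(const struct ftrace_hash *h)
{
	return 1UL << h->size_bits;
}

/* Buckets actually backed by an object of the given size (0 for sizeof(empty_hash)). */
static unsigned long backed_buckets(size_t object_size)
{
	return (object_size - offsetof(struct ftrace_hash, buckets)) / sizeof(struct hlist_head);
}

/* Bytes a single allocation needs so every index below 1 << size_bits has real storage. */
static size_t hash_alloc_size(unsigned long size_bits)
{
	return offsetof(struct ftrace_hash, buckets) + (1UL << size_bits) * sizeof(struct hlist_head);
}

/* Guarded walk: an ftrace_hash_empty()-style check (!count) returns before
 * buckets[0] is touched, which is what keeps EMPTY_HASH safe to pass here. */
static unsigned long count_entries(const struct ftrace_hash *h)
{
	unsigned long i, n = 0;
	if (!h || !h->count)
		return 0;
	for (i = 0; i < hash_nbuckets(h); i++)
		for (struct hlist_node *p = h->buckets[i].first; p; p = p->next)
			n++;
	return n;
}
```

Without the `!h->count` guard, `count_entries(&empty_hash)` would read `buckets[0]` from whatever follows `empty_hash` in `.rodata`, which is the out-of-bounds read the review describes.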
Thread overview:
2026-05-20 22:00 [PATCH] ftrace: Use flexible array for hash buckets Rosen Penev
2026-05-21 1:28 ` Steven Rostedt [this message]
2026-05-21 1:39 ` Rosen Penev
2026-05-22 8:45 ` kernel test robot