From: Jiri Olsa <olsajiri@gmail.com>
To: Song Liu <song@kernel.org>
Cc: bpf@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
live-patching@vger.kernel.org, ast@kernel.org,
daniel@iogearbox.net, andrii@kernel.org, rostedt@goodmis.org,
andrey.grodzovsky@crowdstrike.com, mhiramat@kernel.org,
kernel-team@meta.com, olsajiri@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH v3 bpf 1/3] ftrace: Fix BPF fexit with livepatch
Date: Mon, 27 Oct 2025 09:48:25 +0100 [thread overview]
Message-ID: <aP8x2VthUhZf4QVv@krava> (raw)
In-Reply-To: <20251026205445.1639632-2-song@kernel.org>
On Sun, Oct 26, 2025 at 01:54:43PM -0700, Song Liu wrote:
> When livepatch is attached to the same function as bpf trampoline with
> a fexit program, bpf trampoline code calls register_ftrace_direct()
> twice. The first time will fail with -EAGAIN, and the second time it
> will succeed. This requires register_ftrace_direct() to unregister
> the address on the first attempt. Otherwise, the bpf trampoline cannot
> attach. Here is an easy way to reproduce this issue:
>
> insmod samples/livepatch/livepatch-sample.ko
> bpftrace -e 'fexit:cmdline_proc_show {}'
> ERROR: Unable to attach probe: fexit:vmlinux:cmdline_proc_show...
>
> Fix this by cleaning up the hash when register_ftrace_function_nolock hits
> errors.
>
> Also, move the code that resets ops->func and ops->trampoline to
> the error path of register_ftrace_direct().
>
> Fixes: d05cb470663a ("ftrace: Fix modification of direct_function hash while in use")
> Cc: stable@vger.kernel.org # v6.6+
> Reported-by: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
> Closes: https://lore.kernel.org/live-patching/c5058315a39d4615b333e485893345be@crowdstrike.com/
> Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
> Cc: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> Acked-and-tested-by: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
> Signed-off-by: Song Liu <song@kernel.org>
> ---
> kernel/bpf/trampoline.c | 5 -----
> kernel/trace/ftrace.c | 6 ++++++
> 2 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> index 5949095e51c3..f2cb0b097093 100644
> --- a/kernel/bpf/trampoline.c
> +++ b/kernel/bpf/trampoline.c
> @@ -479,11 +479,6 @@ static int bpf_trampoline_update(struct bpf_trampoline *tr, bool lock_direct_mut
> * BPF_TRAMP_F_SHARE_IPMODIFY is set, we can generate the
> * trampoline again, and retry register.
> */
> - /* reset fops->func and fops->trampoline for re-register */
> - tr->fops->func = NULL;
> - tr->fops->trampoline = 0;
> -
> - /* free im memory and reallocate later */
> bpf_tramp_image_free(im);
> goto again;
> }
> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index 42bd2ba68a82..725c224fb4e6 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -6048,6 +6048,12 @@ int register_ftrace_direct(struct ftrace_ops *ops, unsigned long addr)
> ops->direct_call = addr;
>
> err = register_ftrace_function_nolock(ops);
> + if (err) {
> + /* cleanup for possible another register call */
> + ops->func = NULL;
> + ops->trampoline = 0;
nit, we could cleanup also flags and direct_call just to be complete,
but at the same time it does not seem to affect anything
jirka
> + remove_direct_functions_hash(hash, addr);
> + }
>
> out_unlock:
> mutex_unlock(&direct_mutex);
> --
> 2.47.3
>
next prev parent reply other threads:[~2025-10-27 8:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-26 20:54 [PATCH v3 bpf 0/3] Fix ftrace for livepatch + BPF fexit programs Song Liu
2025-10-26 20:54 ` [PATCH v3 bpf 1/3] ftrace: Fix BPF fexit with livepatch Song Liu
2025-10-27 8:48 ` Jiri Olsa [this message]
2025-10-27 17:10 ` Song Liu
2025-10-27 17:01 ` Steven Rostedt
2025-10-27 17:11 ` Song Liu
2025-10-26 20:54 ` [PATCH v3 bpf 2/3] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Song Liu
2025-10-26 20:54 ` [PATCH v3 bpf 3/3] selftests/bpf: Add tests for livepatch + bpf trampoline Song Liu
2025-10-27 8:47 ` [PATCH v3 bpf 0/3] Fix ftrace for livepatch + BPF fexit programs Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aP8x2VthUhZf4QVv@krava \
--to=olsajiri@gmail.com \
--cc=andrey.grodzovsky@crowdstrike.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=song@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.