[PATCH v4 0/2] kallsyms: Always initialize modbuildid

[PATCH v4 0/2] kallsyms: Always initialize modbuildid

[Maurice Hieronymus]

modbuildid is never set when kallsyms_lookup_buildid is returning via
successful bpf_address_lookup or ftrace_mod_address_lookup.

This leads to an uninitialized pointer dereference on x86 when
CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.

Prevent this by always initializing modbuildid.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220717

Changes to v3:
- Split the changes into separate ftrace and bpf patches
- Replace IS_ENABLED() with plain #ifdef

Maurice Hieronymus (2):
  kallsyms: Always initialize modbuildid on ftrace address
  kallsyms: Always initialize modbuildid on bpf address

 include/linux/filter.h | 6 ++++--
 include/linux/ftrace.h | 4 ++--
 kernel/kallsyms.c      | 4 ++--
 kernel/trace/ftrace.c  | 8 +++++++-
 4 files changed, 15 insertions(+), 7 deletions(-)


base-commit: dd9b004b7ff3289fb7bae35130c0a5c0537266af
-- 
2.50.1

[PATCH v4 1/2] kallsyms: Always initialize modbuildid on ftrace address

[Maurice Hieronymus]

modbuildid is never set when kallsyms_lookup_buildid is returning via
successful ftrace_mod_address_lookup.

This leads to an uninitialized pointer dereference on x86 when
CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.

Prevent this by always initializing modbuildid.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220717
Signed-off-by: Maurice Hieronymus <mhi@mailbox.org>
---
 include/linux/ftrace.h | 4 ++--
 kernel/kallsyms.c      | 2 +-
 kernel/trace/ftrace.c  | 8 +++++++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
index 770f0dc993cc..ed673fa2536b 100644
--- a/include/linux/ftrace.h
+++ b/include/linux/ftrace.h
@@ -87,11 +87,11 @@ struct ftrace_hash;
 	defined(CONFIG_DYNAMIC_FTRACE)
 int
 ftrace_mod_address_lookup(unsigned long addr, unsigned long *size,
-		   unsigned long *off, char **modname, char *sym);
+		   unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym);
 #else
 static inline int
 ftrace_mod_address_lookup(unsigned long addr, unsigned long *size,
-		   unsigned long *off, char **modname, char *sym)
+		   unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)
 {
 	return 0;
 }
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 049e296f586c..5ca69eafda7a 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -382,7 +382,7 @@ static int kallsyms_lookup_buildid(unsigned long addr,
 
 	if (!ret)
 		ret = ftrace_mod_address_lookup(addr, symbolsize,
-						offset, modname, namebuf);
+						offset, modname, modbuildid, namebuf);
 
 	return ret;
 }
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index ef2d5dca6f70..6eba92a52261 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -7752,7 +7752,7 @@ ftrace_func_address_lookup(struct ftrace_mod_map *mod_map,
 
 int
 ftrace_mod_address_lookup(unsigned long addr, unsigned long *size,
-		   unsigned long *off, char **modname, char *sym)
+		   unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)
 {
 	struct ftrace_mod_map *mod_map;
 	int ret = 0;
@@ -7764,6 +7764,12 @@ ftrace_mod_address_lookup(unsigned long addr, unsigned long *size,
 		if (ret) {
 			if (modname)
 				*modname = mod_map->mod->name;
+			if (modbuildid)
+#ifdef CONFIG_STACKTRACE_BUILD_ID
+				*modbuildid = mod_map->mod->build_id;
+#else
+				*modbuildid = NULL;
+#endif
 			break;
 		}
 	}
-- 
2.50.1

Re: [PATCH v4 1/2] kallsyms: Always initialize modbuildid on ftrace address

[Steven Rostedt]

On Sat, 20 Dec 2025 19:18:37 +0100
Maurice Hieronymus <mhi@mailbox.org> wrote:

> modbuildid is never set when kallsyms_lookup_buildid is returning via
> successful ftrace_mod_address_lookup.
> 
> This leads to an uninitialized pointer dereference on x86 when
> CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.
> 

Nothing should be getting a buildid from the ftrace kallsyms lookup.

This code is used to find the names of init functions of modules after
those init functions have been freed. Nothing but ftrace should be looking
for these addresses, and ftrace doesn't care about buildids.

-- Steve

[PATCH v4 2/2] kallsyms: Always initialize modbuildid on bpf address

[Maurice Hieronymus]

modbuildid is never set when kallsyms_lookup_buildid is returning via
successful bpf_address_lookup.

This leads to an uninitialized pointer dereference on x86 when
CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.

Prevent this by always initializing modbuildid.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220717
Signed-off-by: Maurice Hieronymus <mhi@mailbox.org>
---
 include/linux/filter.h | 6 ++++--
 kernel/kallsyms.c      | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index fd54fed8f95f..eb1d1c876503 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -1384,12 +1384,14 @@ struct bpf_prog *bpf_prog_ksym_find(unsigned long addr);
 
 static inline int
 bpf_address_lookup(unsigned long addr, unsigned long *size,
-		   unsigned long *off, char **modname, char *sym)
+		   unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)
 {
 	int ret = __bpf_address_lookup(addr, size, off, sym);
 
 	if (ret && modname)
 		*modname = NULL;
+	if (ret && modbuildid)
+		*modbuildid = NULL;
 	return ret;
 }
 
@@ -1455,7 +1457,7 @@ static inline struct bpf_prog *bpf_prog_ksym_find(unsigned long addr)
 
 static inline int
 bpf_address_lookup(unsigned long addr, unsigned long *size,
-		   unsigned long *off, char **modname, char *sym)
+		   unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)
 {
 	return 0;
 }
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 5ca69eafda7a..b1516d3fa9c5 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -378,7 +378,7 @@ static int kallsyms_lookup_buildid(unsigned long addr,
 				    modname, modbuildid, namebuf);
 	if (!ret)
 		ret = bpf_address_lookup(addr, symbolsize,
-					 offset, modname, namebuf);
+					 offset, modname, modbuildid, namebuf);
 
 	if (!ret)
 		ret = ftrace_mod_address_lookup(addr, symbolsize,
-- 
2.50.1

Re: [PATCH v4 2/2] kallsyms: Always initialize modbuildid on bpf address

[Alexei Starovoitov]

On Sat, Dec 20, 2025 at 8:19 AM Maurice Hieronymus <mhi@mailbox.org> wrote:
>
> modbuildid is never set when kallsyms_lookup_buildid is returning via
> successful bpf_address_lookup.
>
> This leads to an uninitialized pointer dereference on x86 when
> CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.
>
> Prevent this by always initializing modbuildid.
>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220717
> Signed-off-by: Maurice Hieronymus <mhi@mailbox.org>
> ---
>  include/linux/filter.h | 6 ++++--
>  kernel/kallsyms.c      | 2 +-
>  2 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index fd54fed8f95f..eb1d1c876503 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -1384,12 +1384,14 @@ struct bpf_prog *bpf_prog_ksym_find(unsigned long addr);
>
>  static inline int
>  bpf_address_lookup(unsigned long addr, unsigned long *size,
> -                  unsigned long *off, char **modname, char *sym)
> +                  unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)
>  {
>         int ret = __bpf_address_lookup(addr, size, off, sym);
>
>         if (ret && modname)
>                 *modname = NULL;
> +       if (ret && modbuildid)
> +               *modbuildid = NULL;
>         return ret;
>  }
>
> @@ -1455,7 +1457,7 @@ static inline struct bpf_prog *bpf_prog_ksym_find(unsigned long addr)
>
>  static inline int
>  bpf_address_lookup(unsigned long addr, unsigned long *size,
> -                  unsigned long *off, char **modname, char *sym)
> +                  unsigned long *off, char **modname, const unsigned char **modbuildid, char *sym)

No.
Please search the earlier threads where this was discussed.
The patches to fix this were posted and I think they landed
in some tree already.

pw-bot: cr

Re: [PATCH v4 0/2] kallsyms: Always initialize modbuildid

[Maurice Hieronymus]

On Sat, 2025-12-20 at 19:18 +0100, Maurice Hieronymus wrote:
> modbuildid is never set when kallsyms_lookup_buildid is returning via
> successful bpf_address_lookup or ftrace_mod_address_lookup.
> 
> This leads to an uninitialized pointer dereference on x86 when
> CONFIG_STACKTRACE_BUILD_ID=y inside __sprint_symbol.
> 
> Prevent this by always initializing modbuildid.
> 
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220717
> 
> Changes to v3:
> - Split the changes into separate ftrace and bpf patches
> - Replace IS_ENABLED() with plain #ifdef
> 
> Maurice Hieronymus (2):
>   kallsyms: Always initialize modbuildid on ftrace address
>   kallsyms: Always initialize modbuildid on bpf address
> 
>  include/linux/filter.h | 6 ++++--
>  include/linux/ftrace.h | 4 ++--
>  kernel/kallsyms.c      | 4 ++--
>  kernel/trace/ftrace.c  | 8 +++++++-
>  4 files changed, 15 insertions(+), 7 deletions(-)
> 
> 
> base-commit: dd9b004b7ff3289fb7bae35130c0a5c0537266af

This patch is obsolete and already fixed by [1]

[1]
https://lore.kernel.org/bpf/20251128135920.217303-1-pmladek@suse.com/#t