public inbox for linux-trace-kernel@vger.kernel.org
From: Xiang Gao <gxxa03070307@gmail.com>
To: rostedt@goodmis.org, mhiramat@kernel.org
Cc: mark.rutland@arm.com, mathieu.desnoyers@efficios.com,
	linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
	Xiang Gao <gaoxiang17@xiaomi.com>
Subject: [PATCH] ftrace: fix use-after-free of mod->name in function_stat_show()
Date: Thu, 16 Apr 2026 16:33:35 +0800
Message-ID: <20260416083335.920555-1-gxxa03070307@gmail.com>

From: Xiang Gao <gaoxiang17@xiaomi.com>

function_stat_show() uses guard(rcu)() inside the else block to hold
the RCU read lock while calling __module_text_address() and accessing
mod->name. However, guard(rcu)() ties the RCU read lock lifetime to
the scope of the else block. The original code stores mod->name into
refsymbol and uses it in snprintf() after the else block exits,
at which point the RCU read lock has already been released. If the
module is concurrently unloaded, mod->name is freed, causing a
use-after-free.

Fix by moving the snprintf() call into each branch of the if/else,
so that mod->name is only accessed while the RCU read lock is held.
refsymbol now points to the local str buffer (which already contains
the formatted string) rather than to mod->name, and is only used
afterwards as a non-NULL indicator to skip the kallsyms_lookup()
fallback.

Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>
---
 kernel/trace/ftrace.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 413310912609..6217b363203c 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -559,21 +559,23 @@ static int function_stat_show(struct seq_file *m, void *v)
 		unsigned long offset;
 
 		if (core_kernel_text(rec->ip)) {
-			refsymbol = "_text";
 			offset = rec->ip - (unsigned long)_text;
+			snprintf(str, sizeof(str), "  %s+%#lx",
+				 "_text", offset);
+			refsymbol = str;
 		} else {
 			struct module *mod;
 
 			guard(rcu)();
 			mod = __module_text_address(rec->ip);
 			if (mod) {
-				refsymbol = mod->name;
 				/* Calculate offset from module's text entry address. */
 				offset = rec->ip - (unsigned long)mod->mem[MOD_TEXT].base;
+				snprintf(str, sizeof(str), "  %s+%#lx",
+					 mod->name, offset);
+				refsymbol = str;
 			}
 		}
-		if (refsymbol)
-			snprintf(str, sizeof(str), "  %s+%#lx", refsymbol, offset);
 	}
 	if (!refsymbol)
 		kallsyms_lookup(rec->ip, NULL, NULL, NULL, str);
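Review bot: after this hunk refsymbol no longer names a symbol; it points at `str` only so that the `if (!refsymbol)` check below skips the kallsyms_lookup() fallback, and that repurposing is easy to misread on the next edit. Either turn it into a flag (a `bool formatted` set beside each `snprintf()` would read more honestly) or add a one-line comment at the two `refsymbol = str;` assignments saying it is only an "already formatted" marker. The format string `"  %s+%#lx"` is now duplicated in the kernel and module branches; a single `const char *fmt` would keep them in sync. Since the problem is that the scoped `guard(rcu)()` ends before the old trailing `snprintf()` ran, the commit message should also carry a `Fixes:` tag naming the commit that introduced `guard(rcu)()` here, and a use-after-free fix is a candidate for `Cc: stable`.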
-- 
2.34.1


Thread overview: 2+ messages
2026-04-16  8:33 Xiang Gao [this message]
2026-04-17 14:18 ` [PATCH] ftrace: fix use-after-free of mod->name in function_stat_show() Steven Rostedt
