[PATCH] ftrace: fix use-after-free of mod->name in function_stat_show()
From: Xiang Gao @ 2026-04-16 8:33 UTC
To: rostedt, mhiramat
Cc: mark.rutland, mathieu.desnoyers, linux-kernel, linux-trace-kernel,
Xiang Gao
From: Xiang Gao <gaoxiang17@xiaomi.com>
function_stat_show() uses guard(rcu)() inside the else block to hold
the RCU read lock while calling __module_text_address() and accessing
mod->name. However, guard(rcu)() ties the RCU read lock lifetime to
the scope of the else block. The original code stores mod->name into
refsymbol and uses it in snprintf() after the else block exits,
at which point the RCU read lock has already been released. If the
module is concurrently unloaded, mod->name is freed, causing a
use-after-free.
Fix by moving the snprintf() call into each branch of the if/else,
so that mod->name is only accessed while the RCU read lock is held.
refsymbol now points to the local str buffer (which already contains
the formatted string) rather than to mod->name, and is only used
afterwards as a non-NULL indicator to skip the kallsyms_lookup()
fallback.
Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>
---
kernel/trace/ftrace.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 413310912609..6217b363203c 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -559,21 +559,23 @@ static int function_stat_show(struct seq_file *m, void *v)
unsigned long offset;
if (core_kernel_text(rec->ip)) {
- refsymbol = "_text";
offset = rec->ip - (unsigned long)_text;
+ snprintf(str, sizeof(str), " %s+%#lx",
+ "_text", offset);
+ refsymbol = str;
} else {
struct module *mod;
guard(rcu)();
mod = __module_text_address(rec->ip);
if (mod) {
- refsymbol = mod->name;
/* Calculate offset from module's text entry address. */
offset = rec->ip - (unsigned long)mod->mem[MOD_TEXT].base;
+ snprintf(str, sizeof(str), " %s+%#lx",
+ mod->name, offset);
+ refsymbol = str;
}
}
- if (refsymbol)
- snprintf(str, sizeof(str), " %s+%#lx", refsymbol, offset);
}
if (!refsymbol)
kallsyms_lookup(rec->ip, NULL, NULL, NULL, str);
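Review bot: duplicating snprintf() into both branches of `if (core_kernel_text(rec->ip))` widens the change without need; the only access to mod->name outside the RCU critical section was the single `snprintf(str, sizeof(str), " %s+%#lx", refsymbol, offset);` after the if/else, so moving `guard(rcu)();` up above the `if (core_kernel_text(rec->ip))` line keeps `refsymbol = mod->name;` valid through that one call and lets the removed `if (refsymbol)` / snprintf() pair stay as it was. Holding the RCU read lock across the core-kernel branch as well costs nothing, since rcu_read_lock() only marks a critical section and does not block.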
--
2.34.1
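The scoping problem the commit message describes can be shown outside the kernel. The following is an added user-space model, not code from the patch or from kernel/trace/ftrace.c: a depth counter stands in for the RCU read-side critical section, a cleanup attribute releases it when the declaring block ends (the same mechanism behind guard(rcu)()), and two functions mirror the pre-patch control flow and the hoisted-guard fix suggested in review. The addresses, the module name and the helper names (rcu_guard_release, core_kernel_text_sim, module_text_address_sim) are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the RCU read-side critical section: a depth
 * counter incremented when the guard is declared and decremented by a
 * cleanup handler when the block that declared it is left by any path. */
static int rcu_depth;

static void rcu_guard_release(int *guard)
{
	(void)guard;
	rcu_depth--;
}

/* One guard per block; the cleanup attribute models guard(rcu)(). */
#define guard_rcu() \
	int __attribute__((cleanup(rcu_guard_release))) rcu_guard_ = (rcu_depth++, 0)

/* Constructed module and text-address lookups. */
struct module {
	const char *name;
	unsigned long text_base;
};

static struct module demo_mod = { "demo_mod", 0x2000 };

static bool core_kernel_text_sim(unsigned long ip)
{
	return ip < 0x1000;	/* constructed: low addresses are "core" text */
}

static struct module *module_text_address_sim(unsigned long ip)
{
	return ip >= demo_mod.text_base ? &demo_mod : NULL;
}

/* Mirrors the pre-patch structure: refsymbol escapes the else block and is
 * formatted after the guard has already fired.  Returns true when a module
 * name was read with rcu_depth == 0, the case the patch is about. */
static bool format_symbol_buggy(unsigned long ip, char *str, size_t len)
{
	const char *refsymbol = NULL;
	unsigned long offset = 0;
	bool from_module = false;

	if (core_kernel_text_sim(ip)) {
		refsymbol = "_text";
		offset = ip;	/* constructed: _text is at address 0 here */
	} else {
		struct module *mod;

		guard_rcu();
		mod = module_text_address_sim(ip);
		if (mod) {
			refsymbol = mod->name;
			offset = ip - mod->text_base;
			from_module = true;
		}
	}			/* guard released here, before the read below */
	if (!refsymbol)
		return false;
	bool outside_rcu = from_module && rcu_depth == 0;
	snprintf(str, len, " %s+%#lx", refsymbol, offset);
	return outside_rcu;
}

/* The fix suggested in review: hoist the guard so the single snprintf()
 * after the if/else still runs inside the critical section. */
static bool format_symbol_fixed(unsigned long ip, char *str, size_t len)
{
	const char *refsymbol = NULL;
	unsigned long offset = 0;
	bool from_module = false;

	guard_rcu();
	if (core_kernel_text_sim(ip)) {
		refsymbol = "_text";
		offset = ip;
	} else {
		struct module *mod = module_text_address_sim(ip);

		if (mod) {
			refsymbol = mod->name;
			offset = ip - mod->text_base;
			from_module = true;
		}
	}
	if (!refsymbol)
		return false;	/* guard still releases on this path */
	bool outside_rcu = from_module && rcu_depth == 0;
	snprintf(str, len, " %s+%#lx", refsymbol, offset);
	return outside_rcu;
}

/* Lets a caller confirm every guard was released. */
int rcu_depth_now(void)
{
	return rcu_depth;
}

int main(void)
{
	char buf[64];
	bool bad = format_symbol_buggy(0x2100, buf, sizeof(buf));

	printf("buggy: '%s', name read outside RCU: %s\n", buf, bad ? "yes" : "no");
	bad = format_symbol_fixed(0x2100, buf, sizeof(buf));
	printf("fixed: '%s', name read outside RCU: %s\n", buf, bad ? "yes" : "no");
	return 0;
}
```

Both variants produce the same text for a module address; only the fixed one formats it while the guard is still live, and rcu_depth returns to zero after either call because the cleanup handler runs on every exit from its block, including the early return.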
Re: [PATCH] ftrace: fix use-after-free of mod->name in function_stat_show()
From: Steven Rostedt @ 2026-04-17 14:18 UTC
To: Xiang Gao
Cc: mhiramat, mark.rutland, mathieu.desnoyers, linux-kernel,
linux-trace-kernel, Xiang Gao
The tracing subsystem expects subjects to start with a capital letter:
ftrace: Fix use-after-free of mod-name in function_stat_show()
On Thu, 16 Apr 2026 16:33:35 +0800
Xiang Gao <gxxa03070307@gmail.com> wrote:
> From: Xiang Gao <gaoxiang17@xiaomi.com>
>
> function_stat_show() uses guard(rcu)() inside the else block to hold
> the RCU read lock while calling __module_text_address() and accessing
> mod->name. However, guard(rcu)() ties the RCU read lock lifetime to
> the scope of the else block. The original code stores mod->name into
> refsymbol and uses it in snprintf() after the else block exits,
> at which point the RCU read lock has already been released. If the
> module is concurrently unloaded, mod->name is freed, causing a
> use-after-free.
>
> Fix by moving the snprintf() call into each branch of the if/else,
> so that mod->name is only accessed while the RCU read lock is held.
> refsymbol now points to the local str buffer (which already contains
> the formatted string) rather than to mod->name, and is only used
> afterwards as a non-NULL indicator to skip the kallsyms_lookup()
> fallback.
Was AI used for any part of this patch? Including finding the bug? If
so, it must be disclosed.
>
> Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>
> ---
> kernel/trace/ftrace.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index 413310912609..6217b363203c 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -559,21 +559,23 @@ static int function_stat_show(struct seq_file *m, void *v)
> unsigned long offset;
>
> if (core_kernel_text(rec->ip)) {
> - refsymbol = "_text";
> offset = rec->ip - (unsigned long)_text;
> + snprintf(str, sizeof(str), " %s+%#lx",
> + "_text", offset);
> + refsymbol = str;
> } else {
> struct module *mod;
>
> guard(rcu)();
Just move guard(rcu) out of this if statement to include the below
reference. No need to make the code worse. This really looks like AI
slop :-(
-- Steve
> mod = __module_text_address(rec->ip);
> if (mod) {
> - refsymbol = mod->name;
> /* Calculate offset from module's text entry address. */
> offset = rec->ip - (unsigned long)mod->mem[MOD_TEXT].base;
> + snprintf(str, sizeof(str), " %s+%#lx",
> + mod->name, offset);
> + refsymbol = str;
> }
> }
> - if (refsymbol)
> - snprintf(str, sizeof(str), " %s+%#lx", refsymbol, offset);
> }
> if (!refsymbol)
> kallsyms_lookup(rec->ip, NULL, NULL, NULL, str);
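Review bot: with the structure as posted, `refsymbol = str;` turns refsymbol into an alias of the buffer it previously named a symbol for, and the trailing `if (!refsymbol)` / `kallsyms_lookup(rec->ip, NULL, NULL, NULL, str);` then relies on that alias purely as a boolean; if the two-snprintf layout were kept at all, a plain flag would state the intent more honestly than reusing a `const char *` that no longer refers to a symbol name. The first branch also assigns refsymbol without holding RCU while the second does so under guard(rcu)(), so the old code's symmetry (assign refsymbol, then format once) is lost for no benefit.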
Re: [PATCH] ftrace: fix use-after-free of mod->name in function_stat_show()
From: Xiang Gao @ 2026-04-22 9:35 UTC
To: rostedt
Cc: mhiramat, mark.rutland, mathieu.desnoyers, linux-kernel,
linux-trace-kernel, gaoxiang17, Xiang Gao
On Fri, 17 Apr 2026 10:18:14 -0400, Steven Rostedt wrote:
> Was AI used for any part of this patch? Including finding the bug? If
> so, it must be disclosed.
Yes, AI was used. Claude (claude-opus-4-7) assisted in both finding
the bug and drafting the fix. I reviewed the analysis and took
responsibility for the submission, but I should have disclosed this
up front per Documentation/process/coding-assistants.rst. I
apologize for the oversight, and I will add an
Assisted-by: Claude:claude-opus-4-7 tag in the follow-up.
> Just move guard(rcu) out of this if statement to include the below
> reference. No need to make the code worse. This really looks like
> AI slop :-(
You are right. Hoisting guard(rcu)() to the top of the
if (tr->trace_flags & TRACE_ITER(PROF_TEXT_OFFSET)) {
block so its scope covers the single snprintf() after the if/else is
the correct fix -- +1/-1, net zero, instead of duplicating snprintf()
into both branches as I did. I should have recognized this instead of
submitting the first plausible-looking approach.
I will send a follow-up patch that restores the single snprintf()
after the if/else and hoists guard(rcu)() to cover it, with the
Subject capitalized ("ftrace: Fix ...") and
Assisted-by: Claude:claude-opus-4-7 added.
Thanks for the review and for pushing back on the approach.
Xiang