[PATCH v2 0/3] powerpc/ftrace: Fix livepatch module OOL ftrace corruption

[PATCH v2 0/3] powerpc/ftrace: Fix livepatch module OOL ftrace corruption

[Joe Lawrence]

This patch series fixes a couple of bugs in the powerpc64 out-of-line
(OOL) ftrace support for modules, and follows up with a patch to
simplify the module .stubs allocation code. An analysis of the module
stub area corruption that prompted this work can be found in the v1
thread [1].

The first two patches fix bugs introduced by commit eec37961a56a
("powerpc64/ftrace: Move ftrace sequence out of line"). The first,
suggested by Naveen, ensures that a NOP'd ftrace call site has its
ftrace_ops record updated correctly. The second patch corrects a loop in
setup_ftrace_ool_stubs() to ensure all required stubs are reserved, not
just the first. Together, these bugs lead to potential corruption of the
OOL ftrace stubs area for livepatch modules.

The final patch replaces the sentinel-based allocation in the module
.stubs section with an explicit counter. This improves clarity and helps
prevent similar problems in the future.

Changes since v1: https://lore.kernel.org/live-patching/df7taxdxpbo4qfn7lniggj5o4ili6kweg4nytyb2fwwwgmnyo4@halp5gf244nn/T/

- Split into parts: bug fix x2, code cleanup
- Call ftrace_rec_set_nop_ops() from ftrace_init_nop() [Naveen]
- Update commit msg on cleanup patch [Naveen]

Joe Lawrence (3):
  powerpc/ftrace: ensure ftrace record ops are always set for NOPs
  powerpc64/modules: correctly iterate over stubs in
    setup_ftrace_ool_stubs
  powerpc64/modules: replace stub allocation sentinel with an explicit
    counter

 arch/powerpc/include/asm/module.h  |  1 +
 arch/powerpc/kernel/module_64.c    | 26 ++++++++------------------
 arch/powerpc/kernel/trace/ftrace.c | 10 ++++++++--
 3 files changed, 17 insertions(+), 20 deletions(-)

-- 
2.51.0

[PATCH v2 1/3] powerpc/ftrace: ensure ftrace record ops are always set for NOPs

[Joe Lawrence]

When an ftrace call site is converted to a NOP, its corresponding
dyn_ftrace record should have its ftrace_ops pointer set to
ftrace_nop_ops.

Correct the powerpc implementation to ensure the
ftrace_rec_set_nop_ops() helper is called on all successful NOP
initialization paths. This ensures all ftrace records are consistent
before being handled by the ftrace core.

Fixes: eec37961a56a ("powerpc64/ftrace: Move ftrace sequence out of line")
Suggested-by: Naveen N Rao <naveen@kernel.org>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 arch/powerpc/kernel/trace/ftrace.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/trace/ftrace.c b/arch/powerpc/kernel/trace/ftrace.c
index 6dca92d5a6e8..841d077e2825 100644
--- a/arch/powerpc/kernel/trace/ftrace.c
+++ b/arch/powerpc/kernel/trace/ftrace.c
@@ -488,8 +488,10 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec)
 		return ret;
 
 	/* Set up out-of-line stub */
-	if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
-		return ftrace_init_ool_stub(mod, rec);
+	if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE)) {
+		ret = ftrace_init_ool_stub(mod, rec);
+		goto out;
+	}
 
 	/* Nop-out the ftrace location */
 	new = ppc_inst(PPC_RAW_NOP());
@@ -520,6 +522,10 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec)
 		return -EINVAL;
 	}
 
+out:
+	if (!ret)
+		ret = ftrace_rec_set_nop_ops(rec);
+
 	return ret;
 }
 
-- 
2.51.0

[PATCH v2 2/3] powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs

[Joe Lawrence]

CONFIG_PPC_FTRACE_OUT_OF_LINE introduced setup_ftrace_ool_stubs() to
extend the ppc64le module .stubs section with an array of
ftrace_ool_stub structures for each patchable function.

Fix its ppc64_stub_entry stub reservation loop to properly write across
all of the num_stubs used and not just the first entry.

Fixes: eec37961a56a ("powerpc64/ftrace: Move ftrace sequence out of line")
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 arch/powerpc/kernel/module_64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
index 126bf3b06ab7..0e45cac4de76 100644
--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -1139,7 +1139,7 @@ static int setup_ftrace_ool_stubs(const Elf64_Shdr *sechdrs, unsigned long addr,
 
 	/* reserve stubs */
 	for (i = 0; i < num_stubs; i++)
-		if (patch_u32((void *)&stub->funcdata, PPC_RAW_NOP()))
+		if (patch_u32((void *)&stub[i].funcdata, PPC_RAW_NOP()))
 			return -1;
 #endif
 
-- 
2.51.0

[PATCH v2 3/3] powerpc64/modules: replace stub allocation sentinel with an explicit counter

[Joe Lawrence]

The logic for allocating ppc64_stub_entry trampolines in the .stubs
section relies on an inline sentinel, where a NULL .funcdata member
indicates an available slot.

While preceding commits fixed the initialization bugs that led to ftrace
stub corruption, the sentinel-based approach remains fragile: it depends
on an implicit convention between subsystems modifying different
struct types in the same memory area.

Replace the sentinel with an explicit counter, module->arch.num_stubs.
Instead of iterating through memory to find a NULL marker, the module
loader uses this counter as the boundary for the next free slot.

This simplifies the allocation code, hardens it against future changes
to stub structures, and removes the need for an extra relocation slot
previously reserved to terminate the sentinel search.

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 arch/powerpc/include/asm/module.h |  1 +
 arch/powerpc/kernel/module_64.c   | 26 ++++++++------------------
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/arch/powerpc/include/asm/module.h b/arch/powerpc/include/asm/module.h
index e1ee5026ac4a..864e22deaa2c 100644
--- a/arch/powerpc/include/asm/module.h
+++ b/arch/powerpc/include/asm/module.h
@@ -27,6 +27,7 @@ struct ppc_plt_entry {
 struct mod_arch_specific {
 #ifdef __powerpc64__
 	unsigned int stubs_section;	/* Index of stubs section in module */
+	unsigned int stub_count;	/* Number of stubs used */
 #ifdef CONFIG_PPC_KERNEL_PCREL
 	unsigned int got_section;	/* What section is the GOT? */
 	unsigned int pcpu_section;	/* .data..percpu section */
diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
index 0e45cac4de76..2a44bc8e2439 100644
--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -209,8 +209,7 @@ static unsigned long get_stubs_size(const Elf64_Ehdr *hdr,
 				    char *secstrings,
 				    struct module *me)
 {
-	/* One extra reloc so it's always 0-addr terminated */
-	unsigned long relocs = 1;
+	unsigned long relocs = 0;
 	unsigned i;
 
 	/* Every relocated section... */
@@ -705,7 +704,7 @@ static unsigned long stub_for_addr(const Elf64_Shdr *sechdrs,
 
 	/* Find this stub, or if that fails, the next avail. entry */
 	stubs = (void *)sechdrs[me->arch.stubs_section].sh_addr;
-	for (i = 0; stub_func_addr(stubs[i].funcdata); i++) {
+	for (i = 0; i < me->arch.stub_count; i++) {
 		if (WARN_ON(i >= num_stubs))
 			return 0;
 
@@ -716,6 +715,7 @@ static unsigned long stub_for_addr(const Elf64_Shdr *sechdrs,
 	if (!create_stub(sechdrs, &stubs[i], addr, me, name))
 		return 0;
 
+	me->arch.stub_count++;
 	return (unsigned long)&stubs[i];
 }
 
@@ -1118,29 +1118,19 @@ int module_trampoline_target(struct module *mod, unsigned long addr,
 static int setup_ftrace_ool_stubs(const Elf64_Shdr *sechdrs, unsigned long addr, struct module *me)
 {
 #ifdef CONFIG_PPC_FTRACE_OUT_OF_LINE
-	unsigned int i, total_stubs, num_stubs;
+	unsigned int total_stubs, num_stubs;
 	struct ppc64_stub_entry *stub;
 
 	total_stubs = sechdrs[me->arch.stubs_section].sh_size / sizeof(*stub);
 	num_stubs = roundup(me->arch.ool_stub_count * sizeof(struct ftrace_ool_stub),
 			    sizeof(struct ppc64_stub_entry)) / sizeof(struct ppc64_stub_entry);
 
-	/* Find the next available entry */
-	stub = (void *)sechdrs[me->arch.stubs_section].sh_addr;
-	for (i = 0; stub_func_addr(stub[i].funcdata); i++)
-		if (WARN_ON(i >= total_stubs))
-			return -1;
-
-	if (WARN_ON(i + num_stubs > total_stubs))
+	if (WARN_ON(me->arch.stub_count + num_stubs > total_stubs))
 		return -1;
 
-	stub += i;
-	me->arch.ool_stubs = (struct ftrace_ool_stub *)stub;
-
-	/* reserve stubs */
-	for (i = 0; i < num_stubs; i++)
-		if (patch_u32((void *)&stub[i].funcdata, PPC_RAW_NOP()))
-			return -1;
+	stub = (void *)sechdrs[me->arch.stubs_section].sh_addr;
+	me->arch.ool_stubs = (struct ftrace_ool_stub *)(stub + me->arch.stub_count);
+	me->arch.stub_count += num_stubs;
 #endif
 
 	return 0;
-- 
2.51.0

Re: [PATCH v2 0/3] powerpc/ftrace: Fix livepatch module OOL ftrace corruption

[Naveen N Rao]

On Fri, Sep 12, 2025 at 10:27:37AM -0400, Joe Lawrence wrote:
> This patch series fixes a couple of bugs in the powerpc64 out-of-line
> (OOL) ftrace support for modules, and follows up with a patch to
> simplify the module .stubs allocation code. An analysis of the module
> stub area corruption that prompted this work can be found in the v1
> thread [1].
> 
> The first two patches fix bugs introduced by commit eec37961a56a
> ("powerpc64/ftrace: Move ftrace sequence out of line"). The first,
> suggested by Naveen, ensures that a NOP'd ftrace call site has its
> ftrace_ops record updated correctly. The second patch corrects a loop in
> setup_ftrace_ool_stubs() to ensure all required stubs are reserved, not
> just the first. Together, these bugs lead to potential corruption of the
> OOL ftrace stubs area for livepatch modules.
> 
> The final patch replaces the sentinel-based allocation in the module
> .stubs section with an explicit counter. This improves clarity and helps
> prevent similar problems in the future.
> 
> Changes since v1: https://lore.kernel.org/live-patching/df7taxdxpbo4qfn7lniggj5o4ili6kweg4nytyb2fwwwgmnyo4@halp5gf244nn/T/
> 
> - Split into parts: bug fix x2, code cleanup
> - Call ftrace_rec_set_nop_ops() from ftrace_init_nop() [Naveen]
> - Update commit msg on cleanup patch [Naveen]
> 
> Joe Lawrence (3):
>   powerpc/ftrace: ensure ftrace record ops are always set for NOPs
>   powerpc64/modules: correctly iterate over stubs in
>     setup_ftrace_ool_stubs
>   powerpc64/modules: replace stub allocation sentinel with an explicit
>     counter
> 
>  arch/powerpc/include/asm/module.h  |  1 +
>  arch/powerpc/kernel/module_64.c    | 26 ++++++++------------------
>  arch/powerpc/kernel/trace/ftrace.c | 10 ++++++++--
>  3 files changed, 17 insertions(+), 20 deletions(-)

Thanks for fixing this! For the series:
Acked-by: Naveen N Rao (AMD) <naveen@kernel.org>


- Naveen

Re: [PATCH v2 0/3] powerpc/ftrace: Fix livepatch module OOL ftrace corruption

[Madhavan Srinivasan]

On Fri, 12 Sep 2025 10:27:37 -0400, Joe Lawrence wrote:
> This patch series fixes a couple of bugs in the powerpc64 out-of-line
> (OOL) ftrace support for modules, and follows up with a patch to
> simplify the module .stubs allocation code. An analysis of the module
> stub area corruption that prompted this work can be found in the v1
> thread [1].
> 
> The first two patches fix bugs introduced by commit eec37961a56a
> ("powerpc64/ftrace: Move ftrace sequence out of line"). The first,
> suggested by Naveen, ensures that a NOP'd ftrace call site has its
> ftrace_ops record updated correctly. The second patch corrects a loop in
> setup_ftrace_ool_stubs() to ensure all required stubs are reserved, not
> just the first. Together, these bugs lead to potential corruption of the
> OOL ftrace stubs area for livepatch modules.
> 
> [...]

Applied to powerpc/next.

[1/3] powerpc/ftrace: ensure ftrace record ops are always set for NOPs
      https://git.kernel.org/powerpc/c/5337609a314828aa2474ac359db615f475c4a4d2
[2/3] powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs
      https://git.kernel.org/powerpc/c/f6b4df37ebfeb47e50e27780500d2d06b4d211bd
[3/3] powerpc64/modules: replace stub allocation sentinel with an explicit counter
      https://git.kernel.org/powerpc/c/b137312fbf2dd1edc39acf7e8e6e8ac0a6ad72c0

Thanks