From nobody Mon Jun 15 09:43:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A10993B19CC; Thu, 9 Apr 2026 10:35:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775730959; cv=none; b=AZLtkVldGheoSrp6BrB/TwqNfAuzbN6vdE6jy/8gp6X9o5yD3m2gDNdlnOyBao+P1B6DKPDZJTrz2k4QqnOKagbYEWRcLHBNnJR3jN0zexIUT0UVDOZkR5U6YqnYOia8cyRxTdMLNKbSBu3vCbeHgDAmtPqHNJtSYQ/Bxt/kYDY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775730959; c=relaxed/simple; bh=jLLIzO0lHDytPt2LFhW/BG1p5Yty3TeWOGHh66KheC0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Arr8eQrUoVvG9RtW9dxrxuRcOcpc0x/biKeAacyiLAor3enbmjE5V80f9vzWb+GmAjTwJZ+vzWyfKlOFbijTLAvdSkXdnhWDF9eQEjKnI5IV/Jzx0E4h9WOKDkVR/UzFY6/VlCkzfuVu0JmCG2XC/lcGC8waGptX6n2hd0AiVdI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=atrARjuu; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="atrARjuu" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 947D5C4CEF7; Thu, 9 Apr 2026 10:35:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1775730959; bh=jLLIzO0lHDytPt2LFhW/BG1p5Yty3TeWOGHh66KheC0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=atrARjuuAtQKn0hBc10IbDe3rZfVDBKXafRKXf1W2Ao7n5WuRskq2aKMVTOVxm6vJ cLfwMNU1nNuAk+9bXicnC+bR8ZDo3lbeLbEHlREySWy87LJOyR5C6b/lwgNLoe3vzE y3wXzo2KZCvj+XAV/dqSRq1HURatRpoWsVXNAFFqy052ZNB4vkPtWTFSn5WvxzsCWu ZkRJ4Cn5LJChppSwRzqcXSyh20oAMXT4dNSihXE5LLv55dVJW3XqI9E/8SxiEmvVtS wUAiIhOV5Ia1WZTWA/id0JSACw1ndE5gx8VUNSyalc32MJKGpSFio7g8Y7I6/zpIoH omzLoTAJOQesg== From: "Masami Hiramatsu (Google)" To: Steven Rostedt , Masami Hiramatsu Cc: Menglong Dong , Mathieu Desnoyers , jiang.biao@linux.dev, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org Subject: [PATCH v2 1/2] tracing/fprobe: Avoid kcalloc() in rcu_read_lock section Date: Thu, 9 Apr 2026 19:35:57 +0900 Message-ID: <177573095696.3666478.4412068539797028855.stgit@mhiramat.tok.corp.google.com> X-Mailer: git-send-email 2.54.0.rc0.605.g598a273b03-goog In-Reply-To: <177573094819.3666478.11900825120958856397.stgit@mhiramat.tok.corp.google.com> References: <177573094819.3666478.11900825120958856397.stgit@mhiramat.tok.corp.google.com> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) fprobe_remove_node_in_module() is called under RCU read locked, but this invokes kcalloc() if there are more than 8 fprobes installed on the module. Sashiko warns it because kcalloc() can sleep [1]. [1] https://sashiko.dev/#/patchset/177552432201.853249.5125045538812833325= .stgit%40mhiramat.tok.corp.google.com To fix this issue, expand the batch size to 128 and do not expand the fprobe_addr_list, but just cancel walking on fprobe_ip_table, update fgraph/ftrace_ops and retry the loop again. Fixes: 0de4c70d04a4 ("tracing: fprobe: use rhltable for fprobe_ip_table") Cc: stable@vger.kernel.org Signed-off-by: Masami Hiramatsu (Google) --- kernel/trace/fprobe.c | 53 ++++++++++++++++++---------------------------= ---- 1 file changed, 19 insertions(+), 34 deletions(-) diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c index 56d145017902..058cf6ef7ebb 100644 --- a/kernel/trace/fprobe.c +++ b/kernel/trace/fprobe.c @@ -536,7 +536,7 @@ static void fprobe_graph_remove_ips(unsigned long *addr= s, int num) =20 #ifdef CONFIG_MODULES =20 -#define FPROBE_IPS_BATCH_INIT 8 +#define FPROBE_IPS_BATCH_INIT 128 /* instruction pointer address list */ struct fprobe_addr_list { int index; @@ -544,45 +544,21 @@ struct fprobe_addr_list { unsigned long *addrs; }; =20 -static int fprobe_addr_list_add(struct fprobe_addr_list *alist, unsigned l= ong addr) +static int fprobe_remove_node_in_module(struct module *mod, struct fprobe_= hlist_node *node, + struct fprobe_addr_list *alist) { - unsigned long *addrs; - - /* Previously we failed to expand the list. */ - if (alist->index =3D=3D alist->size) - return -ENOSPC; - - alist->addrs[alist->index++] =3D addr; - if (alist->index < alist->size) + if (!within_module(node->addr, mod)) return 0; =20 - /* Expand the address list */ - addrs =3D kcalloc(alist->size * 2, sizeof(*addrs), GFP_KERNEL); - if (!addrs) - return -ENOMEM; - - memcpy(addrs, alist->addrs, alist->size * sizeof(*addrs)); - alist->size *=3D 2; - kfree(alist->addrs); - alist->addrs =3D addrs; + if (delete_fprobe_node(node)) + return 0; =20 + alist->addrs[alist->index++] =3D node->addr; + if (alist->index =3D=3D alist->size) + return -ENOSPC; return 0; } =20 -static void fprobe_remove_node_in_module(struct module *mod, struct fprobe= _hlist_node *node, - struct fprobe_addr_list *alist) -{ - if (!within_module(node->addr, mod)) - return; - if (delete_fprobe_node(node)) - return; - /* - * If failed to update alist, just continue to update hlist. - * Therefore, at list user handler will not hit anymore. - */ - fprobe_addr_list_add(alist, node->addr); -} - /* Handle module unloading to manage fprobe_ip_table. */ static int fprobe_module_callback(struct notifier_block *nb, unsigned long val, void *data) @@ -591,6 +567,7 @@ static int fprobe_module_callback(struct notifier_block= *nb, struct fprobe_hlist_node *node; struct rhashtable_iter iter; struct module *mod =3D data; + bool retry; =20 if (val !=3D MODULE_STATE_GOING) return NOTIFY_DONE; @@ -600,13 +577,19 @@ static int fprobe_module_callback(struct notifier_blo= ck *nb, if (!alist.addrs) return NOTIFY_DONE; =20 +retry: + retry =3D false; + alist.index =3D 0; mutex_lock(&fprobe_mutex); rhltable_walk_enter(&fprobe_ip_table, &iter); do { rhashtable_walk_start(&iter); =20 while ((node =3D rhashtable_walk_next(&iter)) && !IS_ERR(node)) - fprobe_remove_node_in_module(mod, node, &alist); + if (fprobe_remove_node_in_module(mod, node, &alist) < 0) { + retry =3D true; + break; + } =20 rhashtable_walk_stop(&iter); } while (node =3D=3D ERR_PTR(-EAGAIN)); @@ -615,6 +598,8 @@ static int fprobe_module_callback(struct notifier_block= *nb, if (alist.index > 0) fprobe_set_ips(alist.addrs, alist.index, 1, 0); mutex_unlock(&fprobe_mutex); + if (retry) + goto retry; =20 kfree(alist.addrs); From nobody Mon Jun 15 09:43:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AC056246783; Thu, 9 Apr 2026 10:36:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775730967; cv=none; b=dtBT41HbTyuTV8UL7LiNgybC4TkczbUSQN2DY2SSiVBn6KDcX5lJnweXbZt7R6mvZTuC/AX6kt0lc8Sxidb5Qsb5kZnM86EtjEBHOHMXcnWeAaBmJQZciDy6vSma2JG7ozCGAi7vbYz8jDc5JlqEf/GzeJf/mh9WtwoZra+47mY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775730967; c=relaxed/simple; bh=5bXY7lfCnd3uz7meUSq5fTUsEk/TCUmVYEiR7iNVmjY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=m9MJGhxIiHszJI5bl78hd4Jj9f07Jkbn5iheVMqjPluNZjii73apY24+X6oNe4LWpU13mDnOX4cWs/tYldKs2x+wWZ39Uo1Abwk2xunycMftgv5cZfYdeekeHUseABoNovkq5AGaq+luIgKkEHNZ+kFB5hm20pCv+vQ3/K3+TOw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=tLI6122U; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="tLI6122U" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6ADD7C4CEF7; Thu, 9 Apr 2026 10:36:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1775730967; bh=5bXY7lfCnd3uz7meUSq5fTUsEk/TCUmVYEiR7iNVmjY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tLI6122U9HQtksLl+2txtm2Sy4ZrjRqXlW6u0IQdne0//5Bl+Bc6fEtp05RDXsJwo mEICKTyETk/lrSqCf1wTT1mNS4YPI0AkJGU4YHrkaSEx9HxeWhctlyP9DSOpCZ2JEk KF7kN61jx0GdX2fyTmp4z9tMYUAtpEeCF3Km6FaYbRmXYdEMlPaNG7PE2EO6lhFvsa gZD4f6fpgU95Ea5cw5rhGX54EBSnmbIEfG32FebC11eVRngcsbgTRzpCBEES6EiDZC eEcwC7zp3HiVCqUyoVnM+9xv29vMDq5mfATGm5RHUZsc7aUPfEL1KhwBc7hth3CQro HrfdC6rcxdpvA== From: "Masami Hiramatsu (Google)" To: Steven Rostedt , Masami Hiramatsu Cc: Menglong Dong , Mathieu Desnoyers , jiang.biao@linux.dev, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org Subject: [PATCH v2 2/2] tracing/fprobe: Check the same type fprobe on table as the unregistered one Date: Thu, 9 Apr 2026 19:36:05 +0900 Message-ID: <177573096480.3666478.1097131314141489988.stgit@mhiramat.tok.corp.google.com> X-Mailer: git-send-email 2.54.0.rc0.605.g598a273b03-goog In-Reply-To: <177573094819.3666478.11900825120958856397.stgit@mhiramat.tok.corp.google.com> References: <177573094819.3666478.11900825120958856397.stgit@mhiramat.tok.corp.google.com> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) Commit 2c67dc457bc6 ("tracing: fprobe: optimization for entry only case") introduced a different ftrace_ops for entry-only fprobes. However, when unregistering an fprobe, the kernel only checks if another fprobe exists at the same address, without checking which type of fprobe it is. If different fprobes are registered at the same address, the same address will be registered in both fgraph_ops and ftrace_ops, but only one of them will be deleted when unregistering. (the one removed first will not be deleted from the ops). This results in junk entries remaining in either fgraph_ops or ftrace_ops. For example: =3D=3D=3D=3D=3D=3D=3D cd /sys/kernel/tracing # 'Add entry and exit events on the same place' echo 'f:event1 vfs_read' >> dynamic_events echo 'f:event2 vfs_read%return' >> dynamic_events # 'Enable both of them' echo 1 > events/fprobes/enable cat enabled_functions vfs_read (2) ->arch_ftrace_ops_list_func+0x0/0x210 # 'Disable and remove exit event' echo 0 > events/fprobes/event2/enable echo -:event2 >> dynamic_events # 'Disable and remove all events' echo 0 > events/fprobes/enable echo > dynamic_events # 'Add another event' echo 'f:event3 vfs_open%return' > dynamic_events cat dynamic_events f:fprobes/event3 vfs_open%return echo 1 > events/fprobes/enable cat enabled_functions vfs_open (1) tramp: 0xffffffffa0001000 (ftrace_graph_func+0x0/0x= 60) ->ftrace_graph_func+0x0/0x60 subops: {ent:fprobe_fgraph_entry+0x0/0x= 620 ret:fprobe_return+0x0/0x150} vfs_read (1) tramp: 0xffffffffa0001000 (ftrace_graph_func+0x0/0x= 60) ->ftrace_graph_func+0x0/0x60 subops: {ent:fprobe_fgraph_entry+0x0/0x= 620 ret:fprobe_return+0x0/0x150} =3D=3D=3D=3D=3D=3D=3D As you can see, an entry for the vfs_read remains. To fix this issue, when unregistering, the kernel should also check if there is the same type of fprobes still exist at the same address, and if not, delete its entry from either fgraph_ops or ftrace_ops. Fixes: 2c67dc457bc6 ("tracing: fprobe: optimization for entry only case") Cc: stable@vger.kernel.org Signed-off-by: Masami Hiramatsu (Google) --- kernel/trace/fprobe.c | 81 +++++++++++++++++++++++++++++++++++++++------= ---- 1 file changed, 65 insertions(+), 16 deletions(-) diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c index 058cf6ef7ebb..5c059ec1babc 100644 --- a/kernel/trace/fprobe.c +++ b/kernel/trace/fprobe.c @@ -85,11 +85,9 @@ static int insert_fprobe_node(struct fprobe_hlist_node *= node) return rhltable_insert(&fprobe_ip_table, &node->hlist, fprobe_rht_params); } =20 -/* Return true if there are synonims */ -static bool delete_fprobe_node(struct fprobe_hlist_node *node) +static void delete_fprobe_node(struct fprobe_hlist_node *node) { lockdep_assert_held(&fprobe_mutex); - bool ret; =20 /* Avoid double deleting */ if (READ_ONCE(node->fp) !=3D NULL) { @@ -97,13 +95,6 @@ static bool delete_fprobe_node(struct fprobe_hlist_node = *node) rhltable_remove(&fprobe_ip_table, &node->hlist, fprobe_rht_params); } - - rcu_read_lock(); - ret =3D !!rhltable_lookup(&fprobe_ip_table, &node->addr, - fprobe_rht_params); - rcu_read_unlock(); - - return ret; } =20 /* Check existence of the fprobe */ @@ -337,6 +328,32 @@ static bool fprobe_is_ftrace(struct fprobe *fp) return !fp->exit_handler; } =20 +static bool fprobe_exists_on_hash(unsigned long ip, bool ftrace) +{ + struct rhlist_head *head, *pos; + struct fprobe_hlist_node *node; + struct fprobe *fp; + + guard(rcu)(); + head =3D rhltable_lookup(&fprobe_ip_table, &ip, + fprobe_rht_params); + if (!head) + return false; + /* We have to check the same type on the list. */ + rhl_for_each_entry_rcu(node, pos, head, hlist) { + if (node->addr !=3D ip) + break; + fp =3D READ_ONCE(node->fp); + if (likely(fp)) { + if ((!ftrace && fp->exit_handler) || + (ftrace && !fp->exit_handler)) + return true; + } + } + + return false; +} + #ifdef CONFIG_MODULES static void fprobe_set_ips(unsigned long *ips, unsigned int cnt, int remov= e, int reset) @@ -360,6 +377,29 @@ static bool fprobe_is_ftrace(struct fprobe *fp) return false; } =20 +static bool fprobe_exists_on_hash(unsigned long ip, bool ftrace __maybe_un= used) +{ + struct rhlist_head *head, *pos; + struct fprobe_hlist_node *node; + struct fprobe *fp; + + guard(rcu)(); + head =3D rhltable_lookup(&fprobe_ip_table, &ip, + fprobe_rht_params); + if (!head) + return false; + /* We only need to check fp is there. */ + rhl_for_each_entry_rcu(node, pos, head, hlist) { + if (node->addr !=3D ip) + break; + fp =3D READ_ONCE(node->fp); + if (likely(fp)) + return true; + } + + return false; +} + #ifdef CONFIG_MODULES static void fprobe_set_ips(unsigned long *ips, unsigned int cnt, int remov= e, int reset) @@ -547,15 +587,22 @@ struct fprobe_addr_list { static int fprobe_remove_node_in_module(struct module *mod, struct fprobe_= hlist_node *node, struct fprobe_addr_list *alist) { + lockdep_assert_in_rcu_read_lock(); + if (!within_module(node->addr, mod)) return 0; =20 - if (delete_fprobe_node(node)) - return 0; + delete_fprobe_node(node); + /* + * Don't care the type here, because all fprobes on the same + * address must be removed eventually. + */ + if (!rhltable_lookup(&fprobe_ip_table, &node->addr, fprobe_rht_params)) { + alist->addrs[alist->index++] =3D node->addr; + if (alist->index =3D=3D alist->size) + return -ENOSPC; + } =20 - alist->addrs[alist->index++] =3D node->addr; - if (alist->index =3D=3D alist->size) - return -ENOSPC; return 0; } =20 @@ -926,7 +973,9 @@ int unregister_fprobe(struct fprobe *fp) /* Remove non-synonim ips from table and hash */ count =3D 0; for (i =3D 0; i < hlist_array->size; i++) { - if (!delete_fprobe_node(&hlist_array->array[i])) + delete_fprobe_node(&hlist_array->array[i]); + if (!fprobe_exists_on_hash(hlist_array->array[i].addr, + fprobe_is_ftrace(fp))) addrs[count++] =3D hlist_array->array[i].addr; } del_fprobe_hash(fp);