From: Xiang Gao
To: rostedt@goodmis.org, mhiramat@kernel.org
Cc: mark.rutland@arm.com, mathieu.desnoyers@efficios.com, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Xiang Gao
Subject: [PATCH] ftrace: fix use-after-free of mod->name in function_stat_show()
Date: Thu, 16 Apr 2026 16:33:35 +0800
Message-Id: <20260416083335.920555-1-gxxa03070307@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xiang Gao

function_stat_show() uses guard(rcu)() inside the else block to hold the RCU read lock while calling __module_text_address() and accessing mod->name. However, guard(rcu)() ties the RCU read lock lifetime to the scope of the else block. The original code stores mod->name into refsymbol and uses it in snprintf() after the else block exits, at which point the RCU read lock has already been released. If the module is concurrently unloaded, mod->name is freed, causing a use-after-free.

Fix by moving the snprintf() call into each branch of the if/else, so that mod->name is only accessed while the RCU read lock is held. refsymbol now points to the local str buffer (which already contains the formatted string) rather than to mod->name, and is only used afterwards as a non-NULL indicator to skip the kallsyms_lookup() fallback.

Signed-off-by: Xiang Gao
---
 kernel/trace/ftrace.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 413310912609..6217b363203c 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -559,21 +559,23 @@ static int function_stat_show(struct seq_file *m, voi= d *v) unsigned long offset; =20 if (core_kernel_text(rec->ip)) { - refsymbol =3D "_text"; offset =3D rec->ip - (unsigned long)_text; + snprintf(str, sizeof(str), " %s+%#lx", + "_text", offset); + refsymbol =3D str; } else { struct module *mod; =20 guard(rcu)(); mod =3D __module_text_address(rec->ip); if (mod) { - refsymbol =3D mod->name; /* Calculate offset from module's text entry address. */ offset =3D rec->ip - (unsigned long)mod->mem[MOD_TEXT].base; + snprintf(str, sizeof(str), " %s+%#lx", + mod->name, offset); + refsymbol =3D str; } } - if (refsymbol) - snprintf(str, sizeof(str), " %s+%#lx", refsymbol, offset); } if (!refsymbol) kallsyms_lookup(rec->ip, NULL, NULL, NULL, str); --=20 2.34.1
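Review bot: With the trailing `if (refsymbol) snprintf(...)` removed, `refsymbol` no longer names a symbol: both branches now assign `refsymbol = str;`, so it only serves as an "str already formatted" flag for the `if (!refsymbol)` kallsyms_lookup() fallback. A `bool` (or at least a comment at its declaration) would make that clearer than a pointer that aliases the output buffer. The format string " %s+%#lx" is also duplicated in both branches; the core-kernel branch pushes the literal "_text" through `%s` and could simply be `snprintf(str, sizeof(str), " _text+%#lx", offset);`. An alternative that keeps a single snprintf() is to replace the block-scoped guard(rcu)() with an explicit rcu_read_lock()/rcu_read_unlock() pair that also covers the snprintf(), though the restructuring as posted does keep every read of mod->name inside the guarded scope described in the commit message.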
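A user-space model of the lifetime bug the commit message describes, added here as an example and not part of the patch or of kernel/trace/ftrace.c: `guard_rcu()` emulates the block-scoped guard(rcu)() with a cleanup attribute, and a depth counter records whether the symbol name is read after the guard has ended. `sim_module`, `rcu_depth`, `format_ref` and the demo values are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define STR_LEN 64
struct sim_module { const char *name; unsigned long base; };  /* stand-in for struct module */

static int rcu_depth;       /* >0 while inside a guarded block (emulates the RCU read lock) */
static int unlocked_deref;  /* symbol-name reads made with depth == 0 */

static void rcu_guard_exit(int *tok) { (void)tok; rcu_depth--; }
/* Emulates guard(rcu)(): released when the enclosing block ends, not at function exit. */
#define guard_rcu() \
	int rcu_tok __attribute__((cleanup(rcu_guard_exit))) = (rcu_depth++, 0); (void)rcu_tok

/* Models snprintf(" %s+%#lx", ...): reading the bytes of sym is the dereference.
 * In the kernel, sym == mod->name is only valid while the RCU read lock is held. */
static void format_ref(char *dst, const char *sym, unsigned long offset)
{
	if (rcu_depth == 0)
		unlocked_deref++;           /* this read is the use-after-free window */
	snprintf(dst, STR_LEN, " %s+%#lx", sym, offset);
}

/* Pattern before the patch: refsymbol escapes the guarded block and is read later. */
static int show_before(const struct sim_module *mod, unsigned long ip, char *str)
{
	const char *refsymbol = NULL;
	unsigned long offset = 0;
	unlocked_deref = 0;
	{
		guard_rcu();
		refsymbol = mod->name;      /* pointer saved ... */
		offset = ip - mod->base;
	}                                   /* ... guard dropped here */
	if (refsymbol)
		format_ref(str, refsymbol, offset);
	return unlocked_deref;              /* 1: name read without the lock */
}

/* Pattern after the patch: format inside the guard; refsymbol is only a non-NULL flag. */
static int show_after(const struct sim_module *mod, unsigned long ip, char *str)
{
	const char *refsymbol = NULL;
	unlocked_deref = 0;
	{
		guard_rcu();
		format_ref(str, mod->name, ip - mod->base);
		refsymbol = str;
	}
	if (!refsymbol)
		strcpy(str, "<kallsyms fallback>");  /* kallsyms_lookup() stand-in */
	return unlocked_deref;                    /* 0: every read was protected */
}

static const struct sim_module demo_mod = { "dummy_mod", 0x1000 };  /* constructed */
static char demo_str[STR_LEN];
```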