--- /dev/null
+From fda024fb64769e9d6b3916d013c78d6b189129f8 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 28 Nov 2025 14:59:15 +0100
+Subject: kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid()
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit fda024fb64769e9d6b3916d013c78d6b189129f8 upstream.
+
+The @modname and @modbuildid optional return parameters are set only when
+the symbol is in a module.
+
+Always initialize them so that they do not need to be cleared when the
+symbol is not in a module. It simplifies the logic and makes the code
+even slightly more safe.
+
+Note that the bpf_address_lookup() function will get updated in a separate
+patch.
+
+Link: https://lkml.kernel.org/r/20251128135920.217303-3-pmladek@suse.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Cc: Aaron Tomlin <atomlin@atomlin.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Daniel Gomez <da.gomez@samsung.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Petr Pavlu <petr.pavlu@suse.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kallsyms.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -362,6 +362,14 @@ static int kallsyms_lookup_buildid(unsig
+ * or empty string.
+ */
+ namebuf[0] = 0;
++ /*
++ * Initialize the module-related return values. They are not set
++ * when the symbol is in vmlinux or it is a bpf address.
++ */
++ if (modname)
++ *modname = NULL;
++ if (modbuildid)
++ *modbuildid = NULL;
+
+ if (is_ksym_addr(addr)) {
+ unsigned long pos;
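Review bot: The new comment reads as if @modname and @modbuildid are left unset on the vmlinux and bpf paths, but after this hunk they are set (to NULL) for every path, which is the whole point of hoisting the initialization; the comment should say that, e.g. "Clear the module-related return values up front; the vmlinux and bpf lookup paths below do not touch them." It is also worth stating here that, until bpf_address_lookup() is updated in the follow-up patch the commit message mentions, this early NULL store is the only thing keeping @modbuildid defined on the bpf path.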
+@@ -370,10 +378,6 @@ static int kallsyms_lookup_buildid(unsig
+ /* Grab name */
+ kallsyms_expand_symbol(get_symbol_offset(pos),
+ namebuf, KSYM_NAME_LEN);
+- if (modname)
+- *modname = NULL;
+- if (modbuildid)
+- *modbuildid = NULL;
+
+ return strlen(namebuf);
+ }
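Review bot: Dropping the NULL stores on the is_ksym_addr() path is only correct because the hoisted initialization above runs unconditionally before this branch, so nothing between the two hunks may return early; the hunk as shown has no such return, but a one-line comment at the removal site ("initialized at function entry") would keep a future early-exit from silently reintroducing the uninitialized-output bug this series is fixing.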
--- /dev/null
+From 426295ef18c5d5f0b7f75ac89d09022fcfafd25c Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 28 Nov 2025 14:59:14 +0100
+Subject: kallsyms: clean up @namebuf initialization in kallsyms_lookup_buildid()
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit 426295ef18c5d5f0b7f75ac89d09022fcfafd25c upstream.
+
+Patch series "kallsyms: Prevent invalid access when showing module
+buildid", v3.
+
+We have seen nested crashes in __sprint_symbol(), see below. They seem to
+be caused by an invalid pointer to "buildid". This patchset cleans up
+kallsyms code related to module buildid and fixes this invalid access when
+printing backtraces.
+
+I made an audit of __sprint_symbol() and found several situations
+when the buildid might be wrong:
+
+ + bpf_address_lookup() does not set @modbuildid
+
+ + ftrace_mod_address_lookup() does not set @modbuildid
+
+ + __sprint_symbol() does not take rcu_read_lock and
+ the related struct module might get removed before
+ mod->build_id is printed.
+
+This patchset solves these problems:
+
+ + 1st, 2nd patches are preparatory
+ + 3rd, 4th, 6th patches fix the above problems
+ + 5th patch cleans up a suspicious initialization code.
+
+This is the backtrace we have seen. But it is not really important.
+The problems fixed by the patchset are obvious:
+
+ crash64> bt [62/2029]
+ PID: 136151 TASK: ffff9f6c981d4000 CPU: 367 COMMAND: "btrfs"
+ #0 [ffffbdb687635c28] machine_kexec at ffffffffb4c845b3
+ #1 [ffffbdb687635c80] __crash_kexec at ffffffffb4d86a6a
+ #2 [ffffbdb687635d08] hex_string at ffffffffb51b3b61
+ #3 [ffffbdb687635d40] crash_kexec at ffffffffb4d87964
+ #4 [ffffbdb687635d50] oops_end at ffffffffb4c41fc8
+ #5 [ffffbdb687635d70] do_trap at ffffffffb4c3e49a
+ #6 [ffffbdb687635db8] do_error_trap at ffffffffb4c3e6a4
+ #7 [ffffbdb687635df8] exc_stack_segment at ffffffffb5666b33
+ #8 [ffffbdb687635e20] asm_exc_stack_segment at ffffffffb5800cf9
+ ...
+
+
+This patch (of 7)
+
+The function kallsyms_lookup_buildid() initializes the given @namebuf by
+clearing the first and the last byte. It is not clear why.
+
+The 1st byte makes sense because some callers ignore the return code and
+expect that the buffer contains a valid string, for example:
+
+ - function_stat_show()
+ - kallsyms_lookup()
+ - kallsyms_lookup_buildid()
+
+The initialization of the last byte does not make much sense because it
+can later be overwritten. Fortunately, it seems that all called functions
+behave correctly:
+
+ - kallsyms_expand_symbol() explicitly adds the trailing '\0'
+ at the end of the function.
+
+ - All *__address_lookup() functions either use the safe strscpy()
+ or they do not touch the buffer at all.
+
+Document the reason for clearing the first byte. And remove the useless
+initialization of the last byte.
+
+Link: https://lkml.kernel.org/r/20251128135920.217303-2-pmladek@suse.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Petr Pavlu <petr.pavlu@suse.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Daniel Gomez <da.gomez@samsung.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kallsyms.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -355,7 +355,12 @@ static int kallsyms_lookup_buildid(unsig
+ {
+ int ret;
+
+- namebuf[KSYM_NAME_LEN - 1] = 0;
++ /*
++ * kallsyms_lookus() returns pointer to namebuf on success and
++ * NULL on error. But some callers ignore the return value.
++ * Instead they expect @namebuf filled either with valid
++ * or empty string.
++ */
+ namebuf[0] = 0;
+
+ if (is_ksym_addr(addr)) {
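Review bot: Typo in the added comment: "kallsyms_lookus()" should be "kallsyms_lookup()". The comment also names kallsyms_lookup() while sitting in kallsyms_lookup_buildid(), so spell out the relationship, e.g. "kallsyms_lookup() and the other wrappers return a pointer to @namebuf on success and NULL on error, but some callers ignore the return value and expect @namebuf to hold a valid or empty string." Removing the namebuf[KSYM_NAME_LEN - 1] = 0 store relies on every lookup helper either using strscpy() or not touching the buffer, as the commit message states; that invariant deserves one sentence here too, since it is now the only thing guaranteeing termination.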
--- /dev/null
+From 8e81dac4cd5477731169b92cff7c24f8f6635950 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 28 Nov 2025 14:59:17 +0100
+Subject: kallsyms: cleanup code for appending the module buildid
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit 8e81dac4cd5477731169b92cff7c24f8f6635950 upstream.
+
+Put the code for appending the optional "buildid" into a helper function.
+It makes __sprint_symbol() more readable.
+
+Also print a warning when the "modname" is set and the "buildid" isn't.
+It might catch a situation when some lookup function in
+kallsyms_lookup_buildid() does not handle the "buildid".
+
+Use pr_*_once() to avoid an infinite recursion when the function is called
+from printk(). The recursion is rather theoretical but better be on the
+safe side.
+
+Link: https://lkml.kernel.org/r/20251128135920.217303-5-pmladek@suse.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Cc: Aaron Tomlin <atomlin@atomlin.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Daniel Gomez <da.gomez@samsung.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Petr Pavlu <petr.pavlu@suse.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kallsyms.c | 42 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 33 insertions(+), 9 deletions(-)
+
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -434,6 +434,37 @@ int lookup_symbol_name(unsigned long add
+ return lookup_module_symbol_name(addr, symname);
+ }
+
++#ifdef CONFIG_STACKTRACE_BUILD_ID
++
++static int append_buildid(char *buffer, const char *modname,
++ const unsigned char *buildid)
++{
++ if (!modname)
++ return 0;
++
++ if (!buildid) {
++ pr_warn_once("Undefined buildid for the module %s\n", modname);
++ return 0;
++ }
++
++ /* build ID should match length of sprintf */
++#ifdef CONFIG_MODULES
++ static_assert(sizeof(typeof_member(struct module, build_id)) == 20);
++#endif
++
++ return sprintf(buffer, " %20phN", buildid);
++}
++
++#else /* CONFIG_STACKTRACE_BUILD_ID */
++
++static int append_buildid(char *buffer, const char *modname,
++ const unsigned char *buildid)
++{
++ return 0;
++}
++
++#endif /* CONFIG_STACKTRACE_BUILD_ID */
++
+ /* Look up a kernel symbol and return it in a text buffer. */
+ static int __sprint_symbol(char *buffer, unsigned long address,
+ int symbol_offset, int add_offset, int add_buildid)
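Review bot: pr_warn_once() means only the first module with a missing buildid is ever reported; after that, a lookup path that forgets to set @modbuildid stays silent, so the warning is a one-shot canary rather than a per-module check. If that is acceptable (the recursion concern from the commit message argues for it), say so in a comment next to the pr_warn_once(). Two smaller points on the same hunk: the static_assert() is placed after executable statements, which is fine for a declaration in C11 but reads oddly mid-function, and hoisting it to the top of append_buildid() (or to file scope) would be clearer; and the sprintf(buffer, " %20phN", buildid) still has no bound on @buffer, which is pre-existing behaviour but worth noting because callers pass KSYM_SYMBOL_LEN-sized buffers and the 20-byte assertion is what keeps the length predictable.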
+@@ -456,15 +487,8 @@ static int __sprint_symbol(char *buffer,
+
+ if (modname) {
+ len += sprintf(buffer + len, " [%s", modname);
+-#if IS_ENABLED(CONFIG_STACKTRACE_BUILD_ID)
+- if (add_buildid && buildid) {
+- /* build ID should match length of sprintf */
+-#if IS_ENABLED(CONFIG_MODULES)
+- static_assert(sizeof(typeof_member(struct module, build_id)) == 20);
+-#endif
+- len += sprintf(buffer + len, " %20phN", buildid);
+- }
+-#endif
++ if (add_buildid)
++ len += append_buildid(buffer + len, modname, buildid);
+ len += sprintf(buffer + len, "]");
+ }
+
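Review bot: The old condition was `add_buildid && buildid`, so a NULL buildid was silently skipped; the new code warns instead, which is the intended behaviour change and should be called out in the commit message as such. Also note that with CONFIG_STACKTRACE_BUILD_ID disabled the stub returns 0 without warning, so the "modname set but buildid missing" check only exists on build-id kernels; the replaced `#if IS_ENABLED(...)` with `#ifdef` is equivalent here because both options are bool, but that equivalence is worth a line in the message.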
--- /dev/null
+From 3b07086444f80c844351255fd94c2cb0a7224df2 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 28 Nov 2025 14:59:20 +0100
+Subject: kallsyms: prevent module removal when printing module name and buildid
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit 3b07086444f80c844351255fd94c2cb0a7224df2 upstream.
+
+kallsyms_lookup_buildid() copies the symbol name into the given buffer so
+that it can be safely read anytime later. But it just copies pointers to
+mod->name and mod->build_id which might get reused after the related
+struct module gets removed.
+
+The lifetime of struct module is synchronized using RCU. Take the RCU
+read lock for the entire __sprint_symbol().
+
+Link: https://lkml.kernel.org/r/20251128135920.217303-8-pmladek@suse.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Daniel Gomez <da.gomez@samsung.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Petr Pavlu <petr.pavlu@suse.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kallsyms.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -474,6 +474,9 @@ static int __sprint_symbol(char *buffer,
+ unsigned long offset, size;
+ int len;
+
++ /* Prevent module removal until modname and modbuildid are printed */
++ guard(rcu)();
++
+ address += symbol_offset;
+ len = kallsyms_lookup_buildid(address, &size, &offset, &modname, &buildid,
+ buffer);
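Review bot: guard(rcu)() only protects pointers whose owner is freed via RCU, which the commit message establishes for struct module; the cover letter lists ftrace_mod_address_lookup() and bpf_address_lookup() as other sources of @modname, so the comment should state that those paths must also hand back RCU-safe (or static) strings, otherwise the guard gives a false sense of coverage. Otherwise the placement is right: the guard spans both kallsyms_lookup_buildid() and every sprintf() of modname/buildid below it, and rcu_read_lock() is safe from the printk/NMI/panic contexts __sprint_symbol() is reached from via %pS/%pB.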
usb-gadget-f_rndis-fix-net_device-lifecycle-with-device_move.patch
usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch
usb-gadget-f_uac1_legacy-validate-control-request-size.patch
+kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch
+kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch
+kallsyms-cleanup-code-for-appending-the-module-buildid.patch
+kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch