From: Greg Kroah-Hartman Date: Wed, 8 Apr 2026 13:02:08 +0000 (+0200) Subject: 6.19-stable patches X-Git-Tag: v6.1.168~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b58d6ab8579ab19a34d5a627aecb3a0658851650;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch kallsyms-cleanup-code-for-appending-the-module-buildid.patch kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch --- diff --git a/queue-6.19/kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch b/queue-6.19/kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch new file mode 100644 index 0000000000..fdbab797d2 --- /dev/null +++ b/queue-6.19/kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch 
@@ -0,0 +1,67 @@ +From fda024fb64769e9d6b3916d013c78d6b189129f8 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Fri, 28 Nov 2025 14:59:15 +0100 +Subject: kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid() + +From: Petr Mladek + +commit fda024fb64769e9d6b3916d013c78d6b189129f8 upstream. + +The @modname and @modbuildid optional return parameters are set only when +the symbol is in a module. + +Always initialize them so that they do not need to be cleared when the +module is not in a module. It simplifies the logic and makes the code +even slightly more safe. + +Note that bpf_address_lookup() function will get updated in a separate +patch. + +Link: https://lkml.kernel.org/r/20251128135920.217303-3-pmladek@suse.com +Signed-off-by: Petr Mladek +Cc: Aaron Tomlin +Cc: Alexei Starovoitov +Cc: Daniel Borkman +Cc: Daniel Gomez +Cc: John Fastabend +Cc: Kees Cook +Cc: Luis Chamberalin +Cc: Marc Rutland +Cc: "Masami Hiramatsu (Google)" +Cc: Petr Pavlu +Cc: Sami Tolvanen +Cc: Steven Rostedt (Google) +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kallsyms.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -362,6 +362,14 @@ static int kallsyms_lookup_buildid(unsig + * or empty string. + */ + namebuf[0] = 0; ++ /* ++ * Initialize the module-related return values. They are not set ++ * when the symbol is in vmlinux or it is a bpf address. ++ */ ++ if (modname) ++ *modname = NULL; ++ if (modbuildid) ++ *modbuildid = NULL; + + if (is_ksym_addr(addr)) { + unsigned long pos; +@@ -370,10 +378,6 @@ static int kallsyms_lookup_buildid(unsig + /* Grab name */ + kallsyms_expand_symbol(get_symbol_offset(pos), + namebuf, KSYM_NAME_LEN); +- if (modname) +- *modname = NULL; +- if (modbuildid) +- *modbuildid = NULL; + + return strlen(namebuf); + } 
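Review bot: the new comment above the initialization names only vmlinux and bpf addresses as the cases that leave @modname/@modbuildid unset, but the series cover letter (in the namebuf patch below) also lists ftrace_mod_address_lookup() as not setting @modbuildid; phrase the comment as "not every lookup path sets them" rather than enumerating two cases that go stale as the remaining paths are fixed. Also, in the changelog, "when the module is not in a module" should read "when the symbol is not in a module".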
diff --git a/queue-6.19/kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch b/queue-6.19/kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch new file mode 100644 index 0000000000..85f80f9a38 --- /dev/null +++ b/queue-6.19/kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch 
@@ -0,0 +1,112 @@ +From 426295ef18c5d5f0b7f75ac89d09022fcfafd25c Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Fri, 28 Nov 2025 14:59:14 +0100 +Subject: kallsyms: clean up @namebuf initialization in kallsyms_lookup_buildid() + +From: Petr Mladek + +commit 426295ef18c5d5f0b7f75ac89d09022fcfafd25c upstream. + +Patch series "kallsyms: Prevent invalid access when showing module +buildid", v3. + +We have seen nested crashes in __sprint_symbol(), see below. They seem to +be caused by an invalid pointer to "buildid". This patchset cleans up +kallsyms code related to module buildid and fixes this invalid access when +printing backtraces. + +I made an audit of __sprint_symbol() and found several situations +when the buildid might be wrong: + + + bpf_address_lookup() does not set @modbuildid + + + ftrace_mod_address_lookup() does not set @modbuildid + + + __sprint_symbol() does not take rcu_read_lock and + the related struct module might get removed before + mod->build_id is printed. + +This patchset solves these problems: + + + 1st, 2nd patches are preparatory + + 3rd, 4th, 6th patches fix the above problems + + 5th patch cleans up a suspicious initialization code. + +This is the backtrace, we have seen. But it is not really important. +The problems fixed by the patchset are obvious: + + crash64> bt [62/2029] + PID: 136151 TASK: ffff9f6c981d4000 CPU: 367 COMMAND: "btrfs" + #0 [ffffbdb687635c28] machine_kexec at ffffffffb4c845b3 + #1 [ffffbdb687635c80] __crash_kexec at ffffffffb4d86a6a + #2 [ffffbdb687635d08] hex_string at ffffffffb51b3b61 + #3 [ffffbdb687635d40] crash_kexec at ffffffffb4d87964 + #4 [ffffbdb687635d50] oops_end at ffffffffb4c41fc8 + #5 [ffffbdb687635d70] do_trap at ffffffffb4c3e49a + #6 [ffffbdb687635db8] do_error_trap at ffffffffb4c3e6a4 + #7 [ffffbdb687635df8] exc_stack_segment at ffffffffb5666b33 + #8 [ffffbdb687635e20] asm_exc_stack_segment at ffffffffb5800cf9 + ... 
+ + +This patch (of 7) + +The function kallsyms_lookup_buildid() initializes the given @namebuf by +clearing the first and the last byte. It is not clear why. + +The 1st byte makes sense because some callers ignore the return code and +expect that the buffer contains a valid string, for example: + + - function_stat_show() + - kallsyms_lookup() + - kallsyms_lookup_buildid() + +The initialization of the last byte does not make much sense because it +can later be overwritten. Fortunately, it seems that all called functions +behave correctly: + + - kallsyms_expand_symbol() explicitly adds the trailing '\0' + at the end of the function. + + - All *__address_lookup() functions either use the safe strscpy() + or they do not touch the buffer at all. + +Document the reason for clearing the first byte. And remove the useless +initialization of the last byte. + +Link: https://lkml.kernel.org/r/20251128135920.217303-2-pmladek@suse.com +Signed-off-by: Petr Mladek +Reviewed-by: Aaron Tomlin +Cc: Alexei Starovoitov +Cc: Daniel Borkman +Cc: John Fastabend +Cc: Kees Cook +Cc: Luis Chamberalin +Cc: Marc Rutland +Cc: "Masami Hiramatsu (Google)" +Cc: Petr Pavlu +Cc: Sami Tolvanen +Cc: Steven Rostedt +Cc: Daniel Gomez +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kallsyms.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -355,7 +355,12 @@ static int kallsyms_lookup_buildid(unsig + { + int ret; + +- namebuf[KSYM_NAME_LEN - 1] = 0; ++ /* ++ * kallsyms_lookus() returns pointer to namebuf on success and ++ * NULL on error. But some callers ignore the return value. ++ * Instead they expect @namebuf filled either with valid ++ * or empty string. ++ */ + namebuf[0] = 0; + + if (is_ksym_addr(addr)) { 
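Review bot: the added comment has a typo, "kallsyms_lookus()" should be "kallsyms_lookup()", and it describes the pointer-or-NULL return of that public wrapper while it sits inside kallsyms_lookup_buildid(), which returns an int; say that the callers in question reach this buffer through kallsyms_lookup() so the description is not read as applying to this function. Dropping `namebuf[KSYM_NAME_LEN - 1] = 0;` rests on the audit in the changelog (kallsyms_expand_symbol() terminates the string, the *_address_lookup() helpers use strscpy() or leave the buffer alone), so the comment should also state that any lookup helper called from here must keep the buffer NUL-terminated.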
diff --git a/queue-6.19/kallsyms-cleanup-code-for-appending-the-module-buildid.patch b/queue-6.19/kallsyms-cleanup-code-for-appending-the-module-buildid.patch new file mode 100644 index 0000000000..2665a1eb7c --- /dev/null +++ b/queue-6.19/kallsyms-cleanup-code-for-appending-the-module-buildid.patch 
@@ -0,0 +1,98 @@ +From 8e81dac4cd5477731169b92cff7c24f8f6635950 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Fri, 28 Nov 2025 14:59:17 +0100 +Subject: kallsyms: cleanup code for appending the module buildid + +From: Petr Mladek + +commit 8e81dac4cd5477731169b92cff7c24f8f6635950 upstream. + +Put the code for appending the optional "buildid" into a helper function, +It makes __sprint_symbol() better readable. + +Also print a warning when the "modname" is set and the "buildid" isn't. +It might catch a situation when some lookup function in +kallsyms_lookup_buildid() does not handle the "buildid". + +Use pr_*_once() to avoid an infinite recursion when the function is called +from printk(). The recursion is rather theoretical but better be on the +safe side. + +Link: https://lkml.kernel.org/r/20251128135920.217303-5-pmladek@suse.com +Signed-off-by: Petr Mladek +Cc: Aaron Tomlin +Cc: Alexei Starovoitov +Cc: Daniel Borkman +Cc: Daniel Gomez +Cc: John Fastabend +Cc: Kees Cook +Cc: Luis Chamberalin +Cc: Marc Rutland +Cc: "Masami Hiramatsu (Google)" +Cc: Petr Pavlu +Cc: Sami Tolvanen +Cc: Steven Rostedt (Google) +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kallsyms.c | 42 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 33 insertions(+), 9 deletions(-) + +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -434,6 +434,37 @@ int lookup_symbol_name(unsigned long add + return lookup_module_symbol_name(addr, symname); + } + ++#ifdef CONFIG_STACKTRACE_BUILD_ID ++ ++static int append_buildid(char *buffer, const char *modname, ++ const unsigned char *buildid) ++{ ++ if (!modname) ++ return 0; ++ ++ if (!buildid) { ++ pr_warn_once("Undefined buildid for the module %s\n", modname); ++ return 0; ++ } ++ ++ /* build ID should match length of sprintf */ ++#ifdef CONFIG_MODULES ++ static_assert(sizeof(typeof_member(struct module, build_id)) == 20); ++#endif ++ ++ return sprintf(buffer, " %20phN", buildid); ++} ++ ++#else /* 
CONFIG_STACKTRACE_BUILD_ID */ ++ ++static int append_buildid(char *buffer, const char *modname, ++ const unsigned char *buildid) ++{ ++ return 0; ++} ++ ++#endif /* CONFIG_STACKTRACE_BUILD_ID */ ++ + /* Look up a kernel symbol and return it in a text buffer. */ + static int __sprint_symbol(char *buffer, unsigned long address, + int symbol_offset, int add_offset, int add_buildid) +@@ -456,15 +487,8 @@ static int __sprint_symbol(char *buffer, + + if (modname) { + len += sprintf(buffer + len, " [%s", modname); +-#if IS_ENABLED(CONFIG_STACKTRACE_BUILD_ID) +- if (add_buildid && buildid) { +- /* build ID should match length of sprintf */ +-#if IS_ENABLED(CONFIG_MODULES) +- static_assert(sizeof(typeof_member(struct module, build_id)) == 20); +-#endif +- len += sprintf(buffer + len, " %20phN", buildid); +- } +-#endif ++ if (add_buildid) ++ len += append_buildid(buffer + len, modname, buildid); + len += sprintf(buffer + len, "]"); + } + diff --git a/queue-6.19/kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch b/queue-6.19/kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch new file mode 100644 index 0000000000..dc1ad3ec77 --- /dev/null +++ b/queue-6.19/kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch 
@@ -0,0 +1,49 @@ +From 3b07086444f80c844351255fd94c2cb0a7224df2 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Fri, 28 Nov 2025 14:59:20 +0100 +Subject: kallsyms: prevent module removal when printing module name and buildid + +From: Petr Mladek + +commit 3b07086444f80c844351255fd94c2cb0a7224df2 upstream. + +kallsyms_lookup_buildid() copies the symbol name into the given buffer so +that it can be safely read anytime later. But it just copies pointers to +mod->name and mod->build_id which might get reused after the related +struct module gets removed. + +The lifetime of struct module is synchronized using RCU. Take the rcu +read lock for the entire __sprint_symbol(). + +Link: https://lkml.kernel.org/r/20251128135920.217303-8-pmladek@suse.com +Signed-off-by: Petr Mladek +Reviewed-by: Aaron Tomlin +Cc: Alexei Starovoitov +Cc: Daniel Borkman +Cc: Daniel Gomez +Cc: John Fastabend +Cc: Kees Cook +Cc: Luis Chamberalin +Cc: Marc Rutland +Cc: "Masami Hiramatsu (Google)" +Cc: Petr Pavlu +Cc: Sami Tolvanen +Cc: Steven Rostedt (Google) +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kallsyms.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -474,6 +474,9 @@ static int __sprint_symbol(char *buffer, + unsigned long offset, size; + int len; + ++ /* Prevent module removal until modname and modbuildid are printed */ ++ guard(rcu)(); ++ + address += symbol_offset; + len = kallsyms_lookup_buildid(address, &size, &offset, &modname, &buildid, + buffer); diff --git a/queue-6.19/series b/queue-6.19/series index a5239eba56..da733d043e 100644 --- a/queue-6.19/series +++ b/queue-6.19/series 
@@ -304,3 +304,7 @@ usb-gadget-f_subset-fix-net_device-lifecycle-with-device_move.patch usb-gadget-f_rndis-fix-net_device-lifecycle-with-device_move.patch usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch usb-gadget-f_uac1_legacy-validate-control-request-size.patch +kallsyms-clean-up-namebuf-initialization-in-kallsyms_lookup_buildid.patch +kallsyms-clean-up-modname-and-modbuildid-initialization-in-kallsyms_lookup_buildid.patch +kallsyms-cleanup-code-for-appending-the-module-buildid.patch +kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch
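Review bot: in the kallsyms-cleanup-code-for-appending-the-module-buildid.patch hunk, pr_warn_once() reports only the first module whose buildid is NULL and then goes silent, so a second lookup path that leaves @modbuildid unset is hidden; the cover letter names bpf_address_lookup() and ftrace_mod_address_lookup() as such paths, and judging by the Link suffixes (-2, -3, -5, -8) this queue carries patches 1, 2, 4 and 7 of the 7-patch series, not the fixes for those two paths. Either queue those fixes alongside or record in the backport why 6.19 does not need them, otherwise the new warning fires once for the first unfixed path and masks the rest. Minor: the hunk changes `#if IS_ENABLED(CONFIG_MODULES)` to `#ifdef CONFIG_MODULES`; equivalent for a bool Kconfig symbol, but worth a line in the changelog since it is a silent style change.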
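Review bot: in the kallsyms-prevent-module-removal-when-printing-module-name-and-buildid.patch hunk, `guard(rcu)()` sits before `address += symbol_offset;`, so the read-side section covers the lookup that obtains the modname and buildid pointers as well as the sprintf() calls that dereference them, which is what the changelog asks for; rcu_read_lock() nests, so callers already inside a read-side section are unaffected. The comment "Prevent module removal until modname and modbuildid are printed" should mention that the pointers are also obtained inside the section, since that is the part the lookup relies on. Note that this hunk's context (line 474 inside __sprint_symbol()) only applies after the append_buildid patch has shifted the function down, so the order in the series file must be preserved; it already lists the four patches in that order.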