> diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
> index c571deeff..4e2c0ed76 100644
> --- a/include/linux/ftrace.h
> +++ b/include/linux/ftrace.h

[ ... ]

> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index cc730a8fd..5243aefb6 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c

[ ... ]

> @@ -6486,6 +6486,74 @@ int update_ftrace_direct_del(struct ftrace_ops *ops, 
> struct ftrace_hash *hash)
>       return err;
>  }
>
> +int update_ftrace_direct_mod(struct ftrace_ops *ops, struct ftrace_hash 
> *hash, bool do_direct_lock)
> +{
> +     struct ftrace_hash *orig_hash = ops->func_hash->filter_hash;
                                             ^^^^^^^^^^^^^^^^

Can this crash if ops->func_hash is NULL?  In update_ftrace_direct_add()
and update_ftrace_direct_del(), there's a defensive check:

    old_filter_hash = ops->func_hash ? ops->func_hash->filter_hash : NULL;

But update_ftrace_direct_mod() dereferences ops->func_hash at function
entry, before any validation runs; the check_direct_multi(ops) check only
happens afterwards, so it cannot protect that first dereference.

> +     struct ftrace_func_entry *entry, *tmp;
> +     static struct ftrace_ops tmp_ops = {
> +             .func           = ftrace_stub,
> +             .flags          = FTRACE_OPS_FL_STUB,
> +     };
> +     unsigned long size, i;
> +     int err;
> +
> +     if (!hash_count(hash))
> +             return -EINVAL;
> +     if (check_direct_multi(ops))
> +             return -EINVAL;

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19552032346
