[PATCH] tracing: eprobe: read the complete FILTER_PTR_STRING pointer

Next message: Rasmus Villemoes: "[PATCH] watchdog: take all OF aliases into account when assigning id"
Previous message: Brian Masney: "Re: [PATCH 2/4] clk: qcom: common: introduce qcom_cc_sync_state()"
Next in thread: Google: "Re: [PATCH] tracing: eprobe: read the complete FILTER_PTR_STRING pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin Kaiser

Date: Mon Jun 15 2026 - 10:56:21 EST

For a char * element in an event, the FILTER_PTR_STRING filter type is
used. When the event occurs, a pointer is stored in the ringbuffer.

If an eprobe references such a char * element of a "base event" and
decodes the pointer as string, the pointer cannot be dereferenced.

$ echo 'e syscalls.sys_enter_openat $filename:string' > \
/sys/kernel/tracing/dynamic_events
$ trace-cmd start -e eprobes
$ trace-cmd show
... : sys_enter_openat: (syscalls.sys_enter_openat) arg1=(fault)

The problem is in get_event_field

val = (unsigned long)(*(char *)addr);

addr points to the position in the ringbuffer where the pointer was
stored. We must read the complete pointer, not just the lowest byte.

Fix the assignment, make the example above work.

Signed-off-by: Martin Kaiser <martin@xxxxxxxxx>
---
kernel/trace/trace_eprobe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c
index b66d6196338d..50518b071414 100644
--- a/kernel/trace/trace_eprobe.c
+++ b/kernel/trace/trace_eprobe.c
@@ -315,7 +315,7 @@ get_event_field(struct fetch_insn *code, void *rec)
val = (unsigned long)addr;
break;
case FILTER_PTR_STRING:
- val = (unsigned long)(*(char *)addr);
+ val = *(unsigned long *)addr;
break;
default:
WARN_ON_ONCE(1);
--
2.43.7