Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753000AbeAAPUv (ORCPT + 1 other); Mon, 1 Jan 2018 10:20:51 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:43352 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753171AbeAAOeI (ORCPT ); Mon, 1 Jan 2018 09:34:08 -0500 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jing Xia , Chunyan Zhang , "Steven Rostedt (VMware)" Subject: [PATCH 4.9 03/75] tracing: Fix possible double free on failure of allocating trace buffer Date: Mon, 1 Jan 2018 15:31:40 +0100 Message-Id: <20180101140057.251070370@linuxfoundation.org> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180101140056.475827799@linuxfoundation.org> References: <20180101140056.475827799@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Steven Rostedt (VMware) commit 4397f04575c44e1440ec2e49b6302785c95fd2f8 upstream. Jing Xia and Chunyan Zhang reported that on failing to allocate part of the tracing buffer, memory is freed, but the pointers that point to them are not initialized back to NULL, and later paths may try to free the freed memory again. Jing and Chunyan fixed one of the locations that does this, but missed a spot. Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code") Reported-by: Jing Xia Reported-by: Chunyan Zhang Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/trace.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -6955,6 +6955,7 @@ allocate_trace_buffer(struct trace_array buf->data = alloc_percpu(struct trace_array_cpu); if (!buf->data) { ring_buffer_free(buf->buffer); + buf->buffer = NULL; return -ENOMEM; }