From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Chunyan Zhang", "Jing Xia", "Steven Rostedt (VMware)"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 145/254] tracing: Fix crash when it fails to alloc ring buffer

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jing Xia

commit 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 upstream.

Double free of the ring buffer happens when it fails to alloc new
ring buffer instance for max_buffer if TRACER_MAX_TRACE is configured.
The root cause is that the pointer is not set to NULL after the buffer
is freed in allocate_trace_buffers(), and the freeing of the ring
buffer is invoked again later if the pointer is not equal to Null,
as:

instance_mkdir()
    |-allocate_trace_buffers()
        |-allocate_trace_buffer(tr, &tr->trace_buffer...)
        |-allocate_trace_buffer(tr, &tr->max_buffer...)

          // allocate fail(-ENOMEM),first free
          // and the buffer pointer is not set to null
        |-ring_buffer_free(tr->trace_buffer.buffer)

    // out_free_tr
    |-free_trace_buffers()
        |-free_trace_buffer(&tr->trace_buffer);

              //if trace_buffer is not null, free again
              |-ring_buffer_free(buf->buffer)
                  |-rb_free_cpu_buffer(buffer->buffers[cpu])
                      // ring_buffer_per_cpu is null, and
                      // crash in ring_buffer_per_cpu->pages

Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
Signed-off-by: Jing Xia
Signed-off-by: Chunyan Zhang
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Ben Hutchings --- kernel/trace/trace.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -6243,7 +6243,9 @@ static int allocate_trace_buffers(struct allocate_snapshot ? size : 1); if (WARN_ON(ret)) { ring_buffer_free(tr->trace_buffer.buffer); + tr->trace_buffer.buffer = NULL; free_percpu(tr->trace_buffer.data); + tr->trace_buffer.data = NULL; return -ENOMEM; } tr->allocated_snapshot = allocate_snapshot;
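
Review bot: The two added NULL assignments in the if (WARN_ON(ret)) failure branch carry no comment, and the reason for them is not visible at this spot: per the commit message, the caller's cleanup path (free_trace_buffers() -> free_trace_buffer()) frees tr->trace_buffer.buffer again whenever it is non-NULL. A one-line comment above them, saying that the caller's error path frees these again unless they are NULL, would keep the stores from being removed later as redundant. Since each free now has to stay paired with its NULL store for both .buffer and .data, it is also worth considering a small helper that does both, so the invariant lives in one place instead of only in this error branch.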