From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Steven Rostedt (VMware)", "Chunyan Zhang", "Jing Xia"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 146/254] tracing: Fix possible double free on failure of allocating trace buffer

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)"

commit 4397f04575c44e1440ec2e49b6302785c95fd2f8 upstream.

Jing Xia and Chunyan Zhang reported that on failing to allocate part of the tracing buffer, memory is freed, but the pointers that point to them are not initialized back to NULL, and later paths may try to free the freed memory again. Jing and Chunyan fixed one of the locations that does this, but missed a spot.

Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
Reported-by: Jing Xia
Reported-by: Chunyan Zhang
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Ben Hutchings
---
 kernel/trace/trace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -6220,6 +6220,7 @@ allocate_trace_buffer(struct trace_array buf->data = alloc_percpu(struct trace_array_cpu); if (!buf->data) { ring_buffer_free(buf->buffer); + buf->buffer = NULL; return -ENOMEM; }
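
Review bot: The added `buf->buffer = NULL;` in the `if (!buf->data)` branch of allocate_trace_buffer() carries no comment saying why the reset is needed, and the commit message notes that an earlier fix for the same pattern already missed this spot. A one-line comment here (for example, that a later cleanup path may call ring_buffer_free() on buf->buffer again) would keep the line from being dropped as redundant in a future cleanup. Since the free-then-reset pair is now repeated by hand at each failure site, it is also worth considering a small helper that frees the ring buffer and clears the pointer together, so a new error path cannot free without resetting. When reviewing the backport, confirm that the caller's error handling in 3.16 is the path that frees buf->buffer a second time, since only this one branch is visible in the hunk.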