From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Steven Rostedt (VMware)"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func()

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)"

commit 15cc78644d0075e76d59476a4467e7143860f660 upstream.

There was a case that triggered a double free in event_trigger_callback()
due to the called reg() function freeing the trigger_data and then it
getting freed again by the error return by the caller. The solution there
was to up the trigger_data ref count.

Code inspection found that event_enable_trigger_func() has the same issue,
but is not as easy to trigger (requires harder to trigger failures). It
needs to be solved slightly different as it needs more to clean up when the
reg() function fails.

Link: http://lkml.kernel.org/r/20180725124008.7008e586@gandalf.local.home
Fixes: 7862ad1846e99 ("tracing: Add 'enable_event' and 'disable_event' event trigger commands")
Reviewed-by: Masami Hiramatsu
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Ben Hutchings
---
 kernel/trace/trace_events_trigger.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1231,6 +1231,9 @@ event_enable_trigger_func(struct event_c goto out; } + /* Up the trigger_data count to make sure nothing frees it on failure */ + event_trigger_init(trigger_ops, trigger_data); + if (trigger) { number = strsep(&trigger, ":"); 
@@ -1281,6 +1284,7 @@ event_enable_trigger_func(struct event_c goto out_disable; /* Just return zero, not the number of enabled functions */ ret = 0; + event_trigger_free(trigger_ops, trigger_data); out: return ret; @@ -1291,7 +1295,7 @@ event_enable_trigger_func(struct event_c out_free: if (cmd_ops->set_filter) cmd_ops->set_filter(NULL, trigger_data, NULL); - kfree(trigger_data); + event_trigger_free(trigger_ops, trigger_data); kfree(enable_data); goto out; }
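
Review bot: In the first hunk (@@ -1231), the return value of event_trigger_init(trigger_ops, trigger_data) is discarded; if that call can return an error, the extra reference is never taken and the event_trigger_free() calls added further down become unbalanced. Either check the result before continuing or say in the comment that it cannot fail here. Every exit after this point now has to drop that reference: the visible hunks cover the success path and out_free, so please confirm that no later "goto out" skips both.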
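
Review bot: In the second hunk (@@ -1281), the new event_trigger_free(trigger_ops, trigger_data) sits directly under the existing comment "Just return zero, not the number of enabled functions" and reads like a free on the success path. Add a one-line comment saying it only drops the extra reference taken by the event_trigger_init() call added in the first hunk, so it is not later removed as a bug or moved below the out: label, where the "goto out" taken before the reference is acquired would hit it too.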
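
Review bot: In the third hunk (@@ -1291), out_free now calls event_trigger_free(trigger_ops, trigger_data) where it used to kfree(trigger_data), while kfree(enable_data) on the next line is unchanged. Please confirm that the final put in event_trigger_free() releases only trigger_data and not enable_data, otherwise enable_data would be freed twice on this path. The "goto out_disable" in the previous hunk also has to reach this label for the reference to be dropped; the out_disable block is not in the visible context, so please confirm it falls through to out_free.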