Date: Mon, 25 Apr 2022 11:29:29 -0400
From: Steven Rostedt
To: Keita Suzuki
Cc: mhiramat@kernel.org, stable@vger.kernel.org, Ingo Molnar, Tom Zanussi, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V2] tracing: Fix potential double free in create_var_ref()
Message-ID: <20220425112929.5c3fcfe4@gandalf.local.home>
In-Reply-To: <20220425063739.3859998-1-keitasuzuki.park@sslab.ics.keio.ac.jp>
References: <20220423001311.31e2dff59708ddd3043e55af@kernel.org> <20220425063739.3859998-1-keitasuzuki.park@sslab.ics.keio.ac.jp>

On Mon, 25 Apr 2022 06:37:38 +0000 Keita Suzuki wrote:

FYI, always send a new version of a patch as a separate thread, never as a
reply-to of a previous version. That breaks tools like patchwork, which will
not show this version of the patch.

> In create_var_ref(), init_var_ref() is called to initialize the fields
> of variable ref_field, which is allocated in the previous function call
> to create_hist_field(). Function init_var_ref() allocates the
> corresponding fields such as ref_field->system, but frees these fields
> when the function encounters an error. The caller later calls
> destroy_hist_field() to conduct error handling, which frees the fields
> and the variable itself. This results in double free of the fields which
> are already freed in the previous function.
>
> Fix this by storing NULL to the corresponding fields when they are freed
> in init_var_ref().
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
> CC: stable@vger.kernel.org
> Signed-off-by: Keita Suzuki
> Reviewed-by: Masami Hiramatsu
> ---
>  kernel/trace/trace_events_hist.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 44db5ba9cabb..a0e41906d9ce 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
>  	return err;
>   free:
>  	kfree(ref_field->system);
> +	ref_field->system = NULL;
>  	kfree(ref_field->event_name);
> +	ref_field->event_name = NULL;
>  	kfree(ref_field->name);
> +	ref_field->name = NULL;

Nit, but it would look nicer as:

	kfree(ref_field->system);
	kfree(ref_field->event_name);
	kfree(ref_field->name);

	ref_field->system = NULL;
	ref_field->event_name = NULL;
	ref_field->name = NULL;

-- Steve

>  	goto out;
>  }
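Review bot: the three NULL stores at the free: label are what make the caller's destroy_hist_field() safe to run afterwards (kfree(NULL) is a no-op), but nothing in the hunk records that, so a later reader may see three assignments to fields of an object that is about to be destroyed and drop them as dead stores. A one-line comment above the kfree() calls, for example `/* caller's destroy_hist_field() frees these too; clear them so that is a no-op */`, would pin the intent. Steve's ordering (three kfree()s, then three NULL stores) also reads more clearly and changes nothing functionally.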
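As an added illustration (not code from the patch or from the kernel): the init/destroy pairing the commit message describes, modelled in plain C with a small free-tracking allocator so the second free is counted rather than corrupting the heap. struct hist_field_like, init_var_ref_like(), destroy_hist_field_like() and count_double_frees() are hypothetical stand-ins for the kernel's struct hist_field, init_var_ref(), destroy_hist_field() and the create_var_ref() error path, and the "sched"/"sched_switch"/"prev_pid" strings are constructed inputs. The clear_on_free flag switches between the pre-patch error path and the one with the NULL stores.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct hist_field: only the three string
 * fields touched by the free: label in the patch. */
struct hist_field_like {
	char *system;
	char *event_name;
	char *name;
};

/* Free-tracking allocator (constructed for this example). It remembers
 * every live allocation and counts releases of pointers that are no
 * longer live, so a double free is reported instead of corrupting the heap
 * (the same idea a heap checker such as ASan applies). */
#define MAX_TRACKED 16
static uintptr_t live[MAX_TRACKED];
static int double_frees;

static char *tracked_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (!p)
		return NULL;
	memcpy(p, s, n);
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (!live[i]) {
			live[i] = (uintptr_t)p;
			return p;
		}
	}
	free(p);
	return NULL; /* tracking table full: treat as allocation failure */
}

static void tracked_free(void *p)
{
	if (!p)
		return; /* like kfree(NULL): a no-op */
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (live[i] == (uintptr_t)p) {
			live[i] = 0;
			free(p);
			return;
		}
	}
	double_frees++; /* not live any more: a second free of the same pointer */
}

/* Mirrors init_var_ref(): allocate the fields, release them on error.
 * clear_on_free == 0 is the pre-patch error path; 1 adds the NULL stores. */
static int init_var_ref_like(struct hist_field_like *ref, const char *system,
			     const char *event_name, const char *name,
			     int fail, int clear_on_free)
{
	ref->system = tracked_strdup(system);
	ref->event_name = tracked_strdup(event_name);
	ref->name = tracked_strdup(name);
	if (!fail)
		return 0;

	/* error path: same shape as the free: label in the patch */
	tracked_free(ref->system);
	tracked_free(ref->event_name);
	tracked_free(ref->name);
	if (clear_on_free) {
		ref->system = NULL;
		ref->event_name = NULL;
		ref->name = NULL;
	}
	return -1;
}

/* Mirrors destroy_hist_field(): frees the fields and then the object. */
static void destroy_hist_field_like(struct hist_field_like *ref)
{
	tracked_free(ref->system);
	tracked_free(ref->event_name);
	tracked_free(ref->name);
	free(ref);
}

/* Drives the create_var_ref() flow: init the reference, then let the caller
 * tear it down (on error that is the cleanup the commit message describes).
 * Returns how many double frees the tracking allocator observed. */
int count_double_frees(int fail, int clear_on_free)
{
	double_frees = 0;
	memset(live, 0, sizeof(live));
	struct hist_field_like *ref = calloc(1, sizeof(*ref));
	if (!ref)
		return -1;
	init_var_ref_like(ref, "sched", "sched_switch", "prev_pid",
			  fail, clear_on_free);
	destroy_hist_field_like(ref);
	return double_frees;
}

int main(void)
{
	printf("error path, before fix: %d double frees\n", count_double_frees(1, 0));
	printf("error path, after fix:  %d double frees\n", count_double_frees(1, 1));
	printf("success path:           %d double frees\n", count_double_frees(0, 0));
	return 0;
}
```

The pre-patch error path reports one double free per field, the patched one none, and the success path shows the normal init/destroy pairing is unaffected by the extra stores.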