From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, Steven Rostedt, Tom Zanussi, Zheng Yejian
Subject: [PATCH 4.19 05/48] tracing/histograms: Fix memory leak problem
Date: Tue, 19 Jul 2022 13:53:42 +0200
Message-Id: <20220719114520.456434279@linuxfoundation.org>
In-Reply-To: <20220719114518.915546280@linuxfoundation.org>
References: <20220719114518.915546280@linuxfoundation.org>

From: Zheng Yejian

commit 7edc3945bdce9c39198a10d6129377a5c53559c2 upstream.

This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.

As commit 46bbe5c671e0 ("tracing: fix double free") said, the
"double free" problem reported by clang static analyzer is:
  > In parse_var_defs() if there is a problem allocating
  > var_defs.expr, the earlier var_defs.name is freed.
  > This free is duplicated by free_var_defs() which frees
  > the rest of the list.

However, if there is a problem allocating N-th var_defs.expr:
  + in parse_var_defs(), the freed 'earlier var_defs.name' is
    actually the N-th var_defs.name;
  + then in free_var_defs(), the names from 0th to (N-1)-th are freed;

                        IF ALLOCATING PROBLEM HAPPENED HERE!!! -+
                                                                 \
                                                                  |
          0th           1th                 (N-1)-th      N-th    V
          +-------------+-------------+-----+-------------+-----------
var_defs: | name | expr | name | expr | ... | name | expr | name | ///
          +-------------+-------------+-----+-------------+-----------

These two frees don't act on same name, so there was no "double free"
problem before. Conversely, after that commit, we get a "memory leak"
problem because the above "N-th var_defs.name" is not freed.

If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th
var_defs.expr allocated, then execute on shell like:
  $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \
    /sys/kernel/debug/tracing/events/kmem/kmalloc/trigger

Then kmemleak reports:
  unreferenced object 0xffff8fb100ef3518 (size 8):
    comm "bash", pid 196, jiffies 4295681690 (age 28.538s)
    hex dump (first 8 bytes):
      76 31 00 00 b1 8f ff ff                          v1......
backtrace: [<0000000038fe4895>] kstrdup+0x2d/0x60 [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0 [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110 [<0000000066737a4c>] event_trigger_write+0x75/0xd0 [<000000007341e40c>] vfs_write+0xbb/0x2a0 [<0000000087fde4c2>] ksys_write+0x59/0xd0 [<00000000581e9cdf>] do_syscall_64+0x3a/0x80 [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Link: https://lkml.kernel.org/r/20220711014731.69520-1-zhengyejian1@huawei.com Cc: stable@vger.kernel.org Fixes: 46bbe5c671e0 ("tracing: fix double free") Reported-by: Hulk Robot Suggested-by: Steven Rostedt Reviewed-by: Tom Zanussi Signed-off-by: Zheng Yejian Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/trace_events_hist.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -4266,6 +4266,8 @@ static int parse_var_defs(struct hist_tr s = kstrdup(field_str, GFP_KERNEL); if (!s) { + kfree(hist_data->attrs->var_defs.name[n_vars]); + hist_data->attrs->var_defs.name[n_vars] = NULL; ret = -ENOMEM; goto free; }
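
Review bot: the error branch after `s = kstrdup(field_str, GFP_KERNEL);` frees `var_defs.name[n_vars]` by hand, but nothing in the code says why this one slot is not left to the `goto free;` path. The commit message shows that this asymmetry was already misread once as a double free, so a short comment in the branch would help: it should state that n_vars has not been incremented at this point and that free_var_defs() therefore only covers indexes 0 to n_vars-1. Setting the slot to NULL after kfree() is the right call and should stay, since it keeps the slot safe if the cleanup loop bounds ever change.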
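
A user-space model of the failure described in the commit message, added here as an illustration and not taken from the kernel tree or the patch. `model_strdup`, `model_free`, `live_allocs`, `fail_at` and `parse_and_count_leaks` are hypothetical stand-ins for kstrdup()/kfree(), kmemleak and fault injection; only the n_vars bookkeeping follows what the message describes.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_VARS 16

/* Constructed model: field names mirror var_defs, nothing else is kernel code. */
struct var_defs { unsigned int n_vars; char *name[MAX_VARS]; char *expr[MAX_VARS]; };

static int live_allocs;  /* outstanding allocations (kmemleak stand-in) */
static int alloc_calls;  /* allocations attempted so far */
static int fail_at;      /* fail this allocation (1-based); 0 = never fail */

static char *model_strdup(const char *s)
{
    if (++alloc_calls == fail_at)
        return NULL;                       /* injected fault */
    char *p = malloc(strlen(s) + 1);
    if (p) { strcpy(p, s); live_allocs++; }
    return p;
}

static void model_free(char *p) { if (p) { free(p); live_allocs--; } }

/* Like free_var_defs(): walks only the completed entries 0 .. n_vars-1. */
static void free_var_defs(struct var_defs *v)
{
    for (unsigned int i = 0; i < v->n_vars; i++) {
        model_free(v->name[i]);
        model_free(v->expr[i]);
    }
    v->n_vars = 0;
}

/* Parse `count` name/expr pairs with a fault injected at allocation `fault`.
 * apply_fix selects the patched error path. Returns allocations still live. */
static int parse_and_count_leaks(int count, int fault, int apply_fix)
{
    struct var_defs v = {0};
    live_allocs = alloc_calls = 0;
    fail_at = fault;
    for (int i = 0; i < count; i++) {
        unsigned int n = v.n_vars;
        if (!(v.name[n] = model_strdup("v")))
            break;
        if (!(v.expr[n] = model_strdup("bytes_req"))) {
            if (apply_fix) { model_free(v.name[n]); v.name[n] = NULL; }
            break;                         /* n_vars not incremented yet */
        }
        v.n_vars++;
    }
    free_var_defs(&v);                     /* the "goto free" cleanup */
    return live_allocs;
}
```

With two variables, as in the trigger string above, allocation 4 is the second `expr`: the unpatched path returns 1 (the orphaned name) and the patched path returns 0, with no slot freed twice in either case.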