* [PATCH] tracing: Fix potential double free in create_var_ref()
@ 2022-04-22 6:00 Keita Suzuki
2022-04-22 15:13 ` Masami Hiramatsu
0 siblings, 1 reply; 6+ messages in thread
From: Keita Suzuki @ 2022-04-22 6:00 UTC (permalink / raw)
Cc: mhiramat, keitasuzuki.park, Steven Rostedt, Ingo Molnar, linux-kernel
In create_var_ref(), init_var_ref() is called to initialize the fields
of variable ref_field, which is allocated in the previous function call
to create_hist_field(). Function init_var_ref() allocates the
corresponding fields such as ref_field->system, but frees these fields
when the function encounters an error. The caller later calls
destroy_hist_field() to conduct error handling, which frees the fields
and the variable itself. This results in double free of the fields which
are already freed in the previous function.
Fix this by storing NULL to the corresponding fields when they are freed
in init_var_ref().
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
---
kernel/trace/trace_events_hist.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 44db5ba9cabb..a0e41906d9ce 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
return err;
free:
kfree(ref_field->system);
+ ref_field->system = NULL;
kfree(ref_field->event_name);
+ ref_field->event_name = NULL;
kfree(ref_field->name);
+ ref_field->name = NULL;
goto out;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] tracing: Fix potential double free in create_var_ref()
2022-04-22 6:00 [PATCH] tracing: Fix potential double free in create_var_ref() Keita Suzuki
@ 2022-04-22 15:13 ` Masami Hiramatsu
2022-04-25 6:28 ` Keita Suzuki
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Masami Hiramatsu @ 2022-04-22 15:13 UTC (permalink / raw)
To: Keita Suzuki
Cc: mhiramat, Steven Rostedt, Ingo Molnar, linux-kernel, Tom Zanussi,
Tom Zanussi
Hi Keita,
On Fri, 22 Apr 2022 06:00:25 +0000
Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> wrote:
> In create_var_ref(), init_var_ref() is called to initialize the fields
> of variable ref_field, which is allocated in the previous function call
> to create_hist_field(). Function init_var_ref() allocates the
> corresponding fields such as ref_field->system, but frees these fields
> when the function encounters an error. The caller later calls
> destroy_hist_field() to conduct error handling, which frees the fields
> and the variable itself. This results in double free of the fields which
> are already freed in the previous function.
>
> Fix this by storing NULL to the corresponding fields when they are freed
> in init_var_ref().
>
Good catch! this looks good to me.
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
BTW, could you Cc the original code authoer and if you fix a bug and
add Fixes: tag? That will help the original author can check the bug and
help stable kernel maintainers to pick the patch. :)
To find the original commit, you can use the 'git blame'.
$ git blame kernel/trace/trace_events_hist.c -L 2093,2100
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2093) return err;
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2094) free:
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2095) kfree(ref_field->system);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2096) kfree(ref_field->event_name);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2097) kfree(ref_field->name);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2098)
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2099) goto out;
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2100) }
Then, git show will tell you the original author.
$ git show 067fe038e70f6
And get the format of the commit for Fixes tag.
$ git --no-pager show -s --abbrev-commit --abbrev=12 --pretty=format:"%h (\"%s\")%n" 067fe038e70f6
067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Then you can add lines like:
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Cc: stable@vger.kernel.org
Thank you,
> Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
> ---
> kernel/trace/trace_events_hist.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 44db5ba9cabb..a0e41906d9ce 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> return err;
> free:
> kfree(ref_field->system);
> + ref_field->system = NULL;
> kfree(ref_field->event_name);
> + ref_field->event_name = NULL;
> kfree(ref_field->name);
> + ref_field->name = NULL;
>
> goto out;
> }
> --
> 2.25.1
>
--
Masami Hiramatsu <mhiramat@kernel.org>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] tracing: Fix potential double free in create_var_ref()
2022-04-22 15:13 ` Masami Hiramatsu
@ 2022-04-25 6:28 ` Keita Suzuki
2022-04-25 6:37 ` [PATCH V2] " Keita Suzuki
2022-04-25 14:59 ` [PATCH] " Tom Zanussi
2 siblings, 0 replies; 6+ messages in thread
From: Keita Suzuki @ 2022-04-25 6:28 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: Steven Rostedt, Ingo Molnar, linux-kernel, Tom Zanussi, Tom Zanussi
Hi Masami,
Thanks for the review!
I'll add the info and resend the patch.
Thanks,
Keita
2022年4月23日(土) 0:13 Masami Hiramatsu <mhiramat@kernel.org>:
>
> Hi Keita,
>
> On Fri, 22 Apr 2022 06:00:25 +0000
> Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> wrote:
>
> > In create_var_ref(), init_var_ref() is called to initialize the fields
> > of variable ref_field, which is allocated in the previous function call
> > to create_hist_field(). Function init_var_ref() allocates the
> > corresponding fields such as ref_field->system, but frees these fields
> > when the function encounters an error. The caller later calls
> > destroy_hist_field() to conduct error handling, which frees the fields
> > and the variable itself. This results in double free of the fields which
> > are already freed in the previous function.
> >
> > Fix this by storing NULL to the corresponding fields when they are freed
> > in init_var_ref().
> >
>
> Good catch! this looks good to me.
>
> Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
>
>
> BTW, could you Cc the original code authoer and if you fix a bug and
> add Fixes: tag? That will help the original author can check the bug and
> help stable kernel maintainers to pick the patch. :)
>
> To find the original commit, you can use the 'git blame'.
>
> $ git blame kernel/trace/trace_events_hist.c -L 2093,2100
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2093) return err;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2094) free:
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2095) kfree(ref_field->system);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2096) kfree(ref_field->event_name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2097) kfree(ref_field->name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2098)
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2099) goto out;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2100) }
>
> Then, git show will tell you the original author.
> $ git show 067fe038e70f6
>
> And get the format of the commit for Fixes tag.
>
> $ git --no-pager show -s --abbrev-commit --abbrev=12 --pretty=format:"%h (\"%s\")%n" 067fe038e70f6
> 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
>
> Then you can add lines like:
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
> Cc: stable@vger.kernel.org
>
> Thank you,
>
> > Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
> > ---
> > kernel/trace/trace_events_hist.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> > index 44db5ba9cabb..a0e41906d9ce 100644
> > --- a/kernel/trace/trace_events_hist.c
> > +++ b/kernel/trace/trace_events_hist.c
> > @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> > return err;
> > free:
> > kfree(ref_field->system);
> > + ref_field->system = NULL;
> > kfree(ref_field->event_name);
> > + ref_field->event_name = NULL;
> > kfree(ref_field->name);
> > + ref_field->name = NULL;
> >
> > goto out;
> > }
> > --
> > 2.25.1
> >
>
>
> --
> Masami Hiramatsu <mhiramat@kernel.org>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH V2] tracing: Fix potential double free in create_var_ref()
2022-04-22 15:13 ` Masami Hiramatsu
2022-04-25 6:28 ` Keita Suzuki
@ 2022-04-25 6:37 ` Keita Suzuki
2022-04-25 15:29 ` Steven Rostedt
2022-04-25 14:59 ` [PATCH] " Tom Zanussi
2 siblings, 1 reply; 6+ messages in thread
From: Keita Suzuki @ 2022-04-25 6:37 UTC (permalink / raw)
Cc: mhiramat, keitasuzuki.park, stable, Steven Rostedt, Ingo Molnar,
Tom Zanussi, linux-kernel
In create_var_ref(), init_var_ref() is called to initialize the fields
of variable ref_field, which is allocated in the previous function call
to create_hist_field(). Function init_var_ref() allocates the
corresponding fields such as ref_field->system, but frees these fields
when the function encounters an error. The caller later calls
destroy_hist_field() to conduct error handling, which frees the fields
and the variable itself. This results in double free of the fields which
are already freed in the previous function.
Fix this by storing NULL to the corresponding fields when they are freed
in init_var_ref().
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
CC: stable@vger.kernel.org
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
---
kernel/trace/trace_events_hist.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 44db5ba9cabb..a0e41906d9ce 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
return err;
free:
kfree(ref_field->system);
+ ref_field->system = NULL;
kfree(ref_field->event_name);
+ ref_field->event_name = NULL;
kfree(ref_field->name);
+ ref_field->name = NULL;
goto out;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] tracing: Fix potential double free in create_var_ref()
2022-04-22 15:13 ` Masami Hiramatsu
2022-04-25 6:28 ` Keita Suzuki
2022-04-25 6:37 ` [PATCH V2] " Keita Suzuki
@ 2022-04-25 14:59 ` Tom Zanussi
2 siblings, 0 replies; 6+ messages in thread
From: Tom Zanussi @ 2022-04-25 14:59 UTC (permalink / raw)
To: Masami Hiramatsu, Keita Suzuki; +Cc: Steven Rostedt, Ingo Molnar, linux-kernel
On Sat, 2022-04-23 at 00:13 +0900, Masami Hiramatsu wrote:
> Hi Keita,
>
> On Fri, 22 Apr 2022 06:00:25 +0000
> Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> wrote:
>
> > In create_var_ref(), init_var_ref() is called to initialize the
> > fields
> > of variable ref_field, which is allocated in the previous function
> > call
> > to create_hist_field(). Function init_var_ref() allocates the
> > corresponding fields such as ref_field->system, but frees these
> > fields
> > when the function encounters an error. The caller later calls
> > destroy_hist_field() to conduct error handling, which frees the
> > fields
> > and the variable itself. This results in double free of the fields
> > which
> > are already freed in the previous function.
> >
> > Fix this by storing NULL to the corresponding fields when they are
> > freed
> > in init_var_ref().
> >
>
> Good catch! this looks good to me.
>
> Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Looks fine to me too, thanks,
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
>
>
> BTW, could you Cc the original code authoer and if you fix a bug and
> add Fixes: tag? That will help the original author can check the bug
> and
> help stable kernel maintainers to pick the patch. :)
>
> To find the original commit, you can use the 'git blame'.
>
> $ git blame kernel/trace/trace_events_hist.c -L 2093,2100
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600
> 2093) return err;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2094) free:
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600
> 2095) kfree(ref_field->system);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600
> 2096) kfree(ref_field->event_name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600
> 2097) kfree(ref_field->name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2098)
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2099) goto
> out;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2100) }
>
> Then, git show will tell you the original author.
> $ git show 067fe038e70f6
>
> And get the format of the commit for Fixes tag.
>
> $ git --no-pager show -s --abbrev-commit --abbrev=12 --
> pretty=format:"%h (\"%s\")%n" 067fe038e70f6
> 067fe038e70f ("tracing: Add variable reference handling to hist
> triggers")
>
> Then you can add lines like:
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to
> hist triggers")
> Cc: stable@vger.kernel.org
>
> Thank you,
>
> > Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
> > ---
> > kernel/trace/trace_events_hist.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/trace/trace_events_hist.c
> > b/kernel/trace/trace_events_hist.c
> > index 44db5ba9cabb..a0e41906d9ce 100644
> > --- a/kernel/trace/trace_events_hist.c
> > +++ b/kernel/trace/trace_events_hist.c
> > @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field
> > *ref_field,
> > return err;
> > free:
> > kfree(ref_field->system);
> > + ref_field->system = NULL;
> > kfree(ref_field->event_name);
> > + ref_field->event_name = NULL;
> > kfree(ref_field->name);
> > + ref_field->name = NULL;
> >
> > goto out;
> > }
> > --
> > 2.25.1
> >
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH V2] tracing: Fix potential double free in create_var_ref()
2022-04-25 6:37 ` [PATCH V2] " Keita Suzuki
@ 2022-04-25 15:29 ` Steven Rostedt
0 siblings, 0 replies; 6+ messages in thread
From: Steven Rostedt @ 2022-04-25 15:29 UTC (permalink / raw)
To: Keita Suzuki; +Cc: mhiramat, stable, Ingo Molnar, Tom Zanussi, linux-kernel
On Mon, 25 Apr 2022 06:37:38 +0000
Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> wrote:
FYI, always send a new version of a patch as a separate thread, never as a
reply-to of a previous version. That breaks tools like patchwork which will
not show this version of the patch.
> In create_var_ref(), init_var_ref() is called to initialize the fields
> of variable ref_field, which is allocated in the previous function call
> to create_hist_field(). Function init_var_ref() allocates the
> corresponding fields such as ref_field->system, but frees these fields
> when the function encounters an error. The caller later calls
> destroy_hist_field() to conduct error handling, which frees the fields
> and the variable itself. This results in double free of the fields which
> are already freed in the previous function.
>
> Fix this by storing NULL to the corresponding fields when they are freed
> in init_var_ref().
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
> CC: stable@vger.kernel.org
> Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
> Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
> ---
> kernel/trace/trace_events_hist.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 44db5ba9cabb..a0e41906d9ce 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> return err;
> free:
> kfree(ref_field->system);
> + ref_field->system = NULL;
> kfree(ref_field->event_name);
> + ref_field->event_name = NULL;
> kfree(ref_field->name);
> + ref_field->name = NULL;
Nit, but it would look nicer as:
kfree(ref_field->system);
kfree(ref_field->event_name);
kfree(ref_field->name);
ref_field->system = NULL;
ref_field->event_name = NULL;
ref_field->name = NULL;
-- Steve
>
> goto out;
> }
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-04-25 15:29 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-22 6:00 [PATCH] tracing: Fix potential double free in create_var_ref() Keita Suzuki
2022-04-22 15:13 ` Masami Hiramatsu
2022-04-25 6:28 ` Keita Suzuki
2022-04-25 6:37 ` [PATCH V2] " Keita Suzuki
2022-04-25 15:29 ` Steven Rostedt
2022-04-25 14:59 ` [PATCH] " Tom Zanussi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.