Re: [PATCH] tracing: Fix potential double free in create_var_ref()

From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
To: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org, Tom Zanussi <zanussi@kernel.org>,
	Tom Zanussi <tom.zanussi@linux.intel.com>
Subject: Re: [PATCH] tracing: Fix potential double free in create_var_ref()
Date: Mon, 25 Apr 2022 15:28:32 +0900	[thread overview]
Message-ID: <CAEYrHjk3hmP2Vf3d3LqW7w+3GGMxu+hvDQbjaNgcU7oCrrzGsg@mail.gmail.com> (raw)
In-Reply-To: <20220423001311.31e2dff59708ddd3043e55af@kernel.org>

Hi Masami,

Thanks for the review!
I'll add the info and resend the patch.

Thanks,
Keita

2022年4月23日(土) 0:13 Masami Hiramatsu <mhiramat@kernel.org>:
>
> Hi Keita,
>
> On Fri, 22 Apr 2022 06:00:25 +0000
> Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> wrote:
>
> > In create_var_ref(), init_var_ref() is called to initialize the fields
> > of variable ref_field, which is allocated in the previous function call
> > to create_hist_field(). Function init_var_ref() allocates the
> > corresponding fields such as ref_field->system, but frees these fields
> > when the function encounters an error. The caller later calls
> > destroy_hist_field() to conduct error handling, which frees the fields
> > and the variable itself. This results in double free of the fields which
> > are already freed in the previous function.
> >
> > Fix this by storing NULL to the corresponding fields when they are freed
> > in init_var_ref().
> >
>
> Good catch! this looks good to me.
>
> Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
>
>
> BTW, could you Cc the original code authoer and  if you fix a bug and
> add Fixes: tag? That will help the original author can check the bug and
> help stable kernel maintainers to pick the patch. :)
>
> To find the original commit, you can use the 'git blame'.
>
> $ git blame kernel/trace/trace_events_hist.c -L 2093,2100
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2093)      return err;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2094)  free:
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2095)      kfree(ref_field->system);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2096)      kfree(ref_field->event_name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2097)      kfree(ref_field->name);
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2098)
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2099)      goto out;
> 067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2100) }
>
> Then, git show will tell you the original author.
> $ git show 067fe038e70f6
>
> And get the format of the commit for Fixes tag.
>
> $ git --no-pager show -s --abbrev-commit --abbrev=12 --pretty=format:"%h (\"%s\")%n" 067fe038e70f6
> 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
>
> Then you can add lines like:
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
> Cc: stable@vger.kernel.org
>
> Thank you,
>
> > Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
> > ---
> >  kernel/trace/trace_events_hist.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> > index 44db5ba9cabb..a0e41906d9ce 100644
> > --- a/kernel/trace/trace_events_hist.c
> > +++ b/kernel/trace/trace_events_hist.c
> > @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> >       return err;
> >   free:
> >       kfree(ref_field->system);
> > +     ref_field->system = NULL;
> >       kfree(ref_field->event_name);
> > +     ref_field->event_name = NULL;
> >       kfree(ref_field->name);
> > +     ref_field->name = NULL;
> >
> >       goto out;
> >  }
> > --
> > 2.25.1
> >
>
>
> --
> Masami Hiramatsu <mhiramat@kernel.org>