From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: [bug report] tracing, synthetic events: Replace buggy strcat() with seq_buf operations
Date: Mon, 02 Nov 2020 07:45:24 +0000 [thread overview]
Message-ID: <20201102074524.GA4040095@mwanda> (raw)
Hello Steven Rostedt (VMware),
The patch 761a8c58db6b: "tracing, synthetic events: Replace buggy
strcat() with seq_buf operations" from Oct 23, 2020, leads to the
following static checker warning:
kernel/trace/trace_events_synth.c:703 parse_synth_field()
warn: passing zero to 'ERR_PTR'
kernel/trace/trace_events_synth.c
582 static struct synth_field *parse_synth_field(int argc, const char **argv,
583 int *consumed)
584 {
585 struct synth_field *field;
586 const char *prefix = NULL, *field_type = argv[0], *field_name, *array;
587 int len, ret = 0;
588 struct seq_buf s;
589 ssize_t size;
590
591 if (field_type[0] = ';')
592 field_type++;
593
594 if (!strcmp(field_type, "unsigned")) {
595 if (argc < 3) {
596 synth_err(SYNTH_ERR_INCOMPLETE_TYPE, errpos(field_type));
597 return ERR_PTR(-EINVAL);
598 }
599 prefix = "unsigned ";
600 field_type = argv[1];
601 field_name = argv[2];
602 *consumed = 3;
603 } else {
604 field_name = argv[1];
605 *consumed = 2;
606 }
607
608 field = kzalloc(sizeof(*field), GFP_KERNEL);
609 if (!field)
610 return ERR_PTR(-ENOMEM);
611
612 len = strlen(field_name);
613 array = strchr(field_name, '[');
614 if (array)
615 len -= strlen(array);
616 else if (field_name[len - 1] = ';')
617 len--;
618
619 field->name = kmemdup_nul(field_name, len, GFP_KERNEL);
620 if (!field->name) {
621 ret = -ENOMEM;
622 goto free;
623 }
624 if (!is_good_name(field->name)) {
625 synth_err(SYNTH_ERR_BAD_NAME, errpos(field_name));
626 ret = -EINVAL;
627 goto free;
628 }
629
630 if (field_type[0] = ';')
631 field_type++;
632 len = strlen(field_type) + 1;
633
634 if (array)
635 len += strlen(array);
636
637 if (prefix)
638 len += strlen(prefix);
639
640 field->type = kzalloc(len, GFP_KERNEL);
641 if (!field->type) {
642 ret = -ENOMEM;
643 goto free;
644 }
645 seq_buf_init(&s, field->type, len);
646 if (prefix)
647 seq_buf_puts(&s, prefix);
648 seq_buf_puts(&s, field_type);
649 if (array) {
650 seq_buf_puts(&s, array);
651 if (s.buffer[s.len - 1] = ';')
652 s.len--;
653 }
654 if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
655 goto free;
This was originally reported by kbuild-bot, but it was somehow
overlooked so now it's on my system. The missing error code will lead
to a NULL dereference in the caller.
656 s.buffer[s.len] = '\0';
657
658 size = synth_field_size(field->type);
659 if (size < 0) {
660 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
661 ret = -EINVAL;
662 goto free;
663 } else if (size = 0) {
664 if (synth_field_is_string(field->type)) {
665 char *type;
666
667 len = sizeof("__data_loc ") + strlen(field->type) + 1;
668 type = kzalloc(len, GFP_KERNEL);
669 if (!type) {
670 ret = -ENOMEM;
671 goto free;
672 }
673
674 seq_buf_init(&s, type, len);
675 seq_buf_puts(&s, "__data_loc ");
676 seq_buf_puts(&s, field->type);
677
678 if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
679 goto free;
Here as well.
680 s.buffer[s.len] = '\0';
681
682 kfree(field->type);
683 field->type = type;
684
685 field->is_dynamic = true;
686 size = sizeof(u64);
687 } else {
688 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
689 ret = -EINVAL;
690 goto free;
691 }
692 }
693 field->size = size;
694
695 if (synth_field_is_string(field->type))
696 field->is_string = true;
697
698 field->is_signed = synth_field_signed(field->type);
699 out:
700 return field;
701 free:
702 free_synth_field(field);
703 field = ERR_PTR(ret);
704 goto out;
705 }
regards,
dan carpenter
next reply other threads:[~2020-11-02 7:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-02 7:45 Dan Carpenter [this message]
2020-11-02 16:39 ` [bug report] tracing, synthetic events: Replace buggy strcat() with seq_buf operations Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201102074524.GA4040095@mwanda \
--to=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).