Date: Tue, 28 Jun 2016 10:43:09 -0400
From: Steven Rostedt
To: Dmitry Vyukov
Cc: Ingo Molnar, LKML, Tom Zanussi
Subject: Re: trace: use-after-free in hist_unreg_all
Message-ID: <20160628104309.4bbafced@gandalf.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 28 Jun 2016 14:58:50 +0200 Dmitry Vyukov wrote:

> Hello,
>
> While running tools/testing/selftests test suite with KASAN I hit the
> following use-after-free report:
>
>
>
> ==================================================================
> BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr
> ffff880031632cc0
> Read of size 8 by task ftracetest/7413
> =============================================================================
> BUG kmalloc-128 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------

Thanks for the report. Can you check if this patch fixes the issue?

-- Steve

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 0c05b8a99806..948adb4b6761 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -1699,9 +1699,9 @@ hist_enable_get_trigger_ops(char *cmd, char *param) static void hist_enable_unreg_all(struct trace_event_file *file) { - struct event_trigger_data *test; + struct event_trigger_data *test, *n; - list_for_each_entry_rcu(test, &file->triggers, list) { + list_for_each_entry_safe(test, n, &file->triggers, list) { if (test->cmd_ops->trigger_type == ETT_HIST_ENABLE) { list_del_rcu(&test->list); update_cond_flag(file);
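
Review bot: the quoted KASAN report names hist_unreg_all, but the only loop converted here is the one in hist_enable_unreg_all. If hist_unreg_all walks file->triggers with list_for_each_entry_rcu and unlinks entries inside the loop in the same way, it needs the same list_for_each_entry_safe conversion, otherwise the reported read is not addressed. A short comment stating which lock the caller holds would also help, since the _safe iterator only covers this loop's own list_del_rcu and not concurrent writers to the list.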