On Sun, 7 Aug 2022 23:21:20 +0100 Alan Maguire <alan.maguire@xxxxxxxxxx> wrote: > The following (wrong) use of tracepoint filtering was enough to trigger > a null-pointer dereference crash: > > cd /sys/kernel/debug/tracing > echo "saddr_v6 == 0x0100007f" > tcp/tcp_receive_reset/filter > echo 1 > tcp/tcp_receive_reset/enable > wget https://localhost > > This works fine if saddr - a 4-byte array representing the source address - > is used instead. > The patch series is a new feature so it would need to go into the next merge window. But this patch looks to be a bug fix, so I'll pull this one in separately, and tag it for stable. Thanks, -- Steve > Fix is to handle case where we encounter an unexpected size. > > Signed-off-by: Alan Maguire <alan.maguire@xxxxxxxxxx> > --- > kernel/trace/trace_events_filter.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c > index 4b1057ab9d96..65e01c8d48d9 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c > @@ -1490,6 +1490,11 @@ static int parse_pred(const char *str, void *data, > else { > pred->fn = select_comparison_fn(pred->op, field->size, > field->is_signed); > + if (!pred->fn) { > + parse_error(pe, FILT_ERR_ILLEGAL_FIELD_OP, > + pos + i); > + goto err_free; > + } > if (pred->op == OP_NE) > pred->not = 1; > }
