Re: [PATCH 1/3] [BUGFIX] tracing: Fix double free of event_trigger_data

Steven Rostedt <rostedt@xxxxxxxxxxx> · Tue, 24 Jul 2018 22:41:49 -0400

On Wed, 25 Jul 2018 10:16:53 +0900
Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote:

> Hm, as far as I can see, when register_trigger() returns >= 0, it already
> calls ->init the trigger_data. This means its refcount++, and in that
> case, below patch will miss to free the trigger_data.
> How about below for tentative fix?
> 
> 	if (!ret) {
> 		ret = -ENOENT;
> 		/* We have to forcibly free the trigger_data */
> 		goto out_free;
> 	} else if (ret > 0)
> 		ret = 0;

Or better yet, match it properly:

out_reg:
	/* Up the trigger_data count to make sure reg doesn't free it on failure */
	event_trigger_init(trigger_ops, trigger_data);
	ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
	/*
	 * The above returns on success the # of functions enabled,
	 * but if it didn't find any functions it returns zero.
	 * Consider no functions a failure too.
	 */
	if (!ret) {
		cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
		ret = -ENOENT;
	} else if (ret > 0)
		ret = 0;

	/* Down the counter of trigger_data or free it if not used anymore */
	event_trigger_free(trigger_ops, trigger_data);
 out:
	return ret;

-- Steve