On Mon, 25 Apr 2022 06:37:38 +0000
Keita Suzuki <keitasuzuki.park@xxxxxxxxxxxxxxxxxxxx> wrote:
FYI, always send a new version of a patch as a separate thread, never as a
reply-to of a previous version. That breaks tools like patchwork which will
not show this version of the patch.
> In create_var_ref(), init_var_ref() is called to initialize the fields
> of variable ref_field, which is allocated in the previous function call
> to create_hist_field(). Function init_var_ref() allocates the
> corresponding fields such as ref_field->system, but frees these fields
> when the function encounters an error. The caller later calls
> destroy_hist_field() to conduct error handling, which frees the fields
> and the variable itself. This results in double free of the fields which
> are already freed in the previous function.
>
> Fix this by storing NULL to the corresponding fields when they are freed
> in init_var_ref().
>
> Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Keita Suzuki <keitasuzuki.park@xxxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
> ---
> kernel/trace/trace_events_hist.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 44db5ba9cabb..a0e41906d9ce 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> return err;
> free:
> kfree(ref_field->system);
> + ref_field->system = NULL;
> kfree(ref_field->event_name);
> + ref_field->event_name = NULL;
> kfree(ref_field->name);
> + ref_field->name = NULL;
Nit, but it would look nicer as:
kfree(ref_field->system);
kfree(ref_field->event_name);
kfree(ref_field->name);
ref_field->system = NULL;
ref_field->event_name = NULL;
ref_field->name = NULL;
-- Steve
>
> goto out;
> }
