releases/4.19.49/tracing-avoid-memory-leak-in-predicate_parse.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From dfb4a6f2191a80c8b790117d0ff592fd712d3296 Mon Sep 17 00:00:00 2001
 From: Tomas Bortoli <tomasbortoli@gmail.com>
 Date: Tue, 28 May 2019 17:43:38 +0200
 Subject: tracing: Avoid memory leak in predicate_parse()

 From: Tomas Bortoli <tomasbortoli@gmail.com>

 commit dfb4a6f2191a80c8b790117d0ff592fd712d3296 upstream.

 In case of errors, predicate_parse() goes to the out_free label
 to free memory and to return an error code.

 However, predicate_parse() does not free the predicates of the
 temporary prog_stack array, thence leaking them.

 Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com

 Cc: stable@vger.kernel.org
 Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
 Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com
 Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
 [ Added protection around freeing prog_stack[i].pred ]
 Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  kernel/trace/trace_events_filter.c |    8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

 --- a/kernel/trace/trace_events_filter.c
 +++ b/kernel/trace/trace_events_filter.c
 @@ -427,7 +427,7 @@ predicate_parse(const char *str, int nr_
  	op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL);
  	if (!op_stack)
  		return ERR_PTR(-ENOMEM);
 -	prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
 +	prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
  	if (!prog_stack) {
  		parse_error(pe, -ENOMEM, 0);
  		goto out_free;
 @@ -576,7 +576,11 @@ predicate_parse(const char *str, int nr_
  out_free:
  	kfree(op_stack);
  	kfree(inverts);
 -	kfree(prog_stack);
 +	if (prog_stack) {
 +		for (i = 0; prog_stack[i].pred; i++)
 +			kfree(prog_stack[i].pred);
 +		kfree(prog_stack);
 +	}
  	return ERR_PTR(ret);
  }
	From dfb4a6f2191a80c8b790117d0ff592fd712d3296 Mon Sep 17 00:00:00 2001
	From: Tomas Bortoli <tomasbortoli@gmail.com>
	Date: Tue, 28 May 2019 17:43:38 +0200
	Subject: tracing: Avoid memory leak in predicate_parse()

	From: Tomas Bortoli <tomasbortoli@gmail.com>

	commit dfb4a6f2191a80c8b790117d0ff592fd712d3296 upstream.

	In case of errors, predicate_parse() goes to the out_free label
	to free memory and to return an error code.

	However, predicate_parse() does not free the predicates of the
	temporary prog_stack array, thence leaking them.

	Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com

	Cc: stable@vger.kernel.org
	Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
	Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com
	Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
	[ Added protection around freeing prog_stack[i].pred ]
	Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	kernel/trace/trace_events_filter.c \| 8 ++++++--
	1 file changed, 6 insertions(+), 2 deletions(-)

	--- a/kernel/trace/trace_events_filter.c
	+++ b/kernel/trace/trace_events_filter.c
	@@ -427,7 +427,7 @@ predicate_parse(const char *str, int nr_
	op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL);
	if (!op_stack)
	return ERR_PTR(-ENOMEM);
	- prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
	+ prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
	if (!prog_stack) {
	parse_error(pe, -ENOMEM, 0);
	goto out_free;
	@@ -576,7 +576,11 @@ predicate_parse(const char *str, int nr_
	out_free:
	kfree(op_stack);
	kfree(inverts);
	- kfree(prog_stack);
	+ if (prog_stack) {
	+ for (i = 0; prog_stack[i].pred; i++)
	+ kfree(prog_stack[i].pred);
	+ kfree(prog_stack);
	+ }
	return ERR_PTR(ret);
	}