| From dfb4a6f2191a80c8b790117d0ff592fd712d3296 Mon Sep 17 00:00:00 2001 |
| From: Tomas Bortoli <tomasbortoli@gmail.com> |
| Date: Tue, 28 May 2019 17:43:38 +0200 |
| Subject: tracing: Avoid memory leak in predicate_parse() |
| |
| From: Tomas Bortoli <tomasbortoli@gmail.com> |
| |
| commit dfb4a6f2191a80c8b790117d0ff592fd712d3296 upstream. |
| |
| In case of errors, predicate_parse() goes to the out_free label |
| to free memory and to return an error code. |
| |
| However, predicate_parse() does not free the predicates of the |
| temporary prog_stack array, thence leaking them. |
| |
| Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") |
| Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com |
| Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> |
| [ Added protection around freeing prog_stack[i].pred ] |
| Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/trace/trace_events_filter.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/kernel/trace/trace_events_filter.c |
| +++ b/kernel/trace/trace_events_filter.c |
| @@ -427,7 +427,7 @@ predicate_parse(const char *str, int nr_ |
| op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL); |
| if (!op_stack) |
| return ERR_PTR(-ENOMEM); |
| - prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL); |
| + prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL); |
| if (!prog_stack) { |
| parse_error(pe, -ENOMEM, 0); |
| goto out_free; |
| @@ -576,7 +576,11 @@ predicate_parse(const char *str, int nr_ |
| out_free: |
| kfree(op_stack); |
| kfree(inverts); |
| - kfree(prog_stack); |
| + if (prog_stack) { |
| + for (i = 0; prog_stack[i].pred; i++) |
| + kfree(prog_stack[i].pred); |
| + kfree(prog_stack); |
| + } |
| return ERR_PTR(ret); |
| } |
| |