[PATCH 2/2] tracing: Fix kmemleak in set_trigger_filter

From: Chunyu Hu
Date: Mon Aug 14 2017 - 06:18:32 EST


Found this kmemleak in error path when setting event trigger
filter. The steps is as below.

cd /sys/kernel/debug/tracing/events/irq/irq_handler_entry
echo 'enable_event:kmem:kmalloc:3 if nr_rq > 1' > trigger
echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
echo 'enable_event:kmem:kmalloc:3 if irq > ' > trigger

unreferenced object 0xffffa06e570186a0 (size 32):
comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 a6 86 69 6e a0 ff ff ...........in...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
[<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
[<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
[<ffffffff96f87a0a>] create_filter+0x4a/0xc0
[<ffffffff96f87bac>] create_event_filter+0xc/0x10
[<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
[<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
[<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
[<ffffffff9704e117>] __vfs_write+0x37/0x170
[<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
[<ffffffff97050cd5>] SyS_write+0x55/0xc0
[<ffffffff96e03857>] do_syscall_64+0x67/0x150
[<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffffa06e6986a600 (size 512):
comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
hex dump (first 32 bytes):
b0 59 f8 96 ff ff ff ff 00 00 00 00 00 00 00 00 .Y..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
[<ffffffff97025498>] __kmalloc+0xe8/0x220
[<ffffffff96f87518>] replace_preds+0x4c8/0x970
[<ffffffff96f87a51>] create_filter+0x91/0xc0
[<ffffffff96f87bac>] create_event_filter+0xc/0x10
[<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
[<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
[<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
[<ffffffff9704e117>] __vfs_write+0x37/0x170
[<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
[<ffffffff97050cd5>] SyS_write+0x55/0xc0
[<ffffffff96e03857>] do_syscall_64+0x67/0x150
[<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffffa06e718a7560 (size 32):
comm "bash", pid 2521, jiffies 4335807465 (age 43861.320s)
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 a2 76 5b 6e a0 ff ff ..........v[n...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
[<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
[<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
[<ffffffff96f87a0a>] create_filter+0x4a/0xc0
[<ffffffff96f87bac>] create_event_filter+0xc/0x10
[<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
[<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
[<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
[<ffffffff9704e117>] __vfs_write+0x37/0x170
[<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
[<ffffffff97050cd5>] SyS_write+0x55/0xc0
[<ffffffff96e03857>] do_syscall_64+0x67/0x150
[<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Chunyu Hu <chuhu@xxxxxxxxxx>
---
kernel/trace/trace_events_trigger.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index f2ac9d4..955c3eb 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -739,7 +739,7 @@ int set_trigger_filter(char *filter_str,
/* The filter is for the 'trigger' event, not the triggered event */
ret = create_event_filter(file->event_call, filter_str, false, &filter);
if (ret)
- goto out;
+ goto out_free;
assign:
tmp = rcu_access_pointer(data->filter);

@@ -764,6 +764,10 @@ int set_trigger_filter(char *filter_str,
}
out:
return ret;
+
+ out_free:
+ free_event_filter(filter);
+ goto out;
}

static LIST_HEAD(named_triggers);
--
1.8.3.1