Re: KASAN: stack-out-of-bounds Read in __free_filter
From: Steven Rostedt
Date: Wed Apr 11 2018 - 10:47:11 EST
On Wed, 11 Apr 2018 05:02:02 -0700
syzbot <syzbot+dadcc936587643d7f568@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +0000)
> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
>
> So far this crash happened 6 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
> syzkaller reproducer:
> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
> Kernel config:
> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+dadcc936587643d7f568@xxxxxxxxxxxxxxxxxxxxxxxxx
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
Can you try this patch?
-- Steve
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 33b7720e2aa1..5c07ae2ac5d7 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call,
struct event_filter **filterp)
{
struct filter_parse_error *pe = NULL;
- struct event_filter *filter = NULL;
int err;
- err = create_filter_start(filter_string, set_str, &pe, &filter);
+ err = create_filter_start(filter_string, set_str, &pe, filterp);
if (err)
return err;
- err = process_preds(call, filter_string, filter, pe);
+ err = process_preds(call, filter_string, *filterp, pe);
if (err && set_str)
- append_filter_err(pe, filter);
+ append_filter_err(pe, *filterp);
- *filterp = filter;
return err;
}
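Review bot: The early `if (err) return err;` now returns after create_filter_start() has already written through `filterp`, so on that path the caller receives whatever create_filter_start() stored there, whereas the old code returned without touching `*filterp`; if create_filter_start() can leave a partially built filter behind on failure, every caller must now free it, and that cannot be confirmed from this hunk. A comment above the return would make the new ownership explicit, e.g. `/* *filterp is owned by the caller from here, even on error */`, and each caller should initialise its pointer to NULL before calling, as the later hunks in apply_event_filter, apply_subsystem_event_filter and ftrace_profile_set_filter do. The same ownership shift applies to create_system_filter in the next hunk. create_filter's signature starts above this hunk.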
@@ -1740,24 +1738,22 @@ static int create_system_filter(struct trace_subsystem_dir *dir,
struct trace_array *tr,
char *filter_str, struct event_filter **filterp)
{
- struct event_filter *filter = NULL;
struct filter_parse_error *pe = NULL;
int err;
- err = create_filter_start(filter_str, true, &pe, &filter);
+ err = create_filter_start(filter_str, true, &pe, filterp);
if (!err) {
err = process_system_preds(dir, tr, pe, filter_str);
if (!err) {
/* System filters just show a default message */
- kfree(filter->filter_string);
- filter->filter_string = NULL;
+ kfree((*filterp)->filter_string);
+ (*filterp)->filter_string = NULL;
} else {
- append_filter_err(pe, filter);
+ append_filter_err(pe, *filterp);
}
}
create_filter_finish(pe);
- *filterp = filter;
return err;
}
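Review bot: The repeated `(*filterp)->` and `*filterp` dereferences inside the `if (!err)` branch read more easily through a local alias taken after create_filter_start() succeeds, e.g. `struct event_filter *filter = *filterp;` as the first line of that branch, followed by `kfree(filter->filter_string);` and `append_filter_err(pe, filter);` as before; because the alias is assigned only after the start call it does not reintroduce the stale local the commit removes. `(*filterp)->filter_string` is still dereferenced with no NULL check, which depends on create_filter_start() always having allocated `*filterp` when it returns 0 — that appears to match the old code's assumption about `filter`, but it is now also the case that a non-NULL `*filterp` on entry is presumably overwritten rather than reused, so confirm callers never pass a live filter in.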
@@ -1765,7 +1761,7 @@ static int create_system_filter(struct trace_subsystem_dir *dir,
int apply_event_filter(struct trace_event_file *file, char *filter_string)
{
struct trace_event_call *call = file->event_call;
- struct event_filter *filter;
+ struct event_filter *filter = NULL;
int err;
if (!strcmp(strstrip(filter_string), "0")) {
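Review bot: The `= NULL` initialisation is load-bearing rather than cosmetic: create_filter() now only stores into `filter` from inside create_filter_start(), so if that call fails before storing, the error handling later in this function (outside the hunk) sees NULL instead of an uninitialised stack value. A short comment would keep a future cleanup from dropping it, e.g. `struct event_filter *filter = NULL; /* create_filter() may fail before setting it */`. The identical initialisations in apply_subsystem_event_filter and ftrace_profile_set_filter in the following hunks deserve the same comment. The body of apply_event_filter continues past this hunk.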
@@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct trace_subsystem_dir *dir,
{
struct event_subsystem *system = dir->subsystem;
struct trace_array *tr = dir->tr;
- struct event_filter *filter;
+ struct event_filter *filter = NULL;
int err = 0;
mutex_lock(&event_mutex);
@@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, int event_id,
char *filter_str)
{
int err;
- struct event_filter *filter;
+ struct event_filter *filter = NULL;
struct trace_event_call *call;
mutex_lock(&event_mutex);