[GIT PULL] tracing: Fix double free bug

From: Steven Rostedt
Date: Wed Nov 17 2021 - 18:19:26 EST


Fix double free bug in tracing histograms

On error, the operands and the histogram expression are destroyed,
but since the destruction is recursive, do not destroy the operands
if they already belong to the expression that is about to be destroyed.

Please pull the latest trace-v5.16-rc1 tree, which can be found at:


Tag SHA1: a34f97bfa65691c91eed55ce5f09cfaa78e05908
Head SHA1: b0cb20110d4562bcc39f49f2de4020f0caa84bdd

Kalesh Singh (1):
tracing/histogram: Fix UAF in destroy_hist_field()

kernel/trace/trace_events_hist.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
commit b0cb20110d4562bcc39f49f2de4020f0caa84bdd
Author: Kalesh Singh <kaleshsingh@xxxxxxxxxx>
Date: Tue Nov 16 23:34:14 2021 -0800

tracing/histogram: Fix UAF in destroy_hist_field()

Calling destroy_hist_field() on an expression will recursively free
any operands associated with the expression. If during expression
parsing the operands of the expression are already set when an error
is encountered, there is no need to explicity free the operands. Doing
so will result in destroy_hist_field() being called twice for the
operands and lead to a use-after-free (UAF) error.

Fix this by only calling destroy_hist_field() for the operands if they
are not associated with the expression hist_field.

Link: https://lkml.kernel.org/r/20211117073415.2584751-1-kaleshsingh@xxxxxxxxxx

Signed-off-by: Kalesh Singh <kaleshsingh@xxxxxxxxxx>
Fixes: 8b5d46fd7a38 ("tracing/histogram: Optimize division by constants")
Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
Signed-off-by: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 5ea2c9ec54a6..b53ee8d566f6 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2717,8 +2717,10 @@ static struct hist_field *parse_expr(struct hist_trigger_data *hist_data,

return expr;
- destroy_hist_field(operand1, 0);
- destroy_hist_field(operand2, 0);
+ if (!expr || expr->operands[0] != operand1)
+ destroy_hist_field(operand1, 0);
+ if (!expr || expr->operands[1] != operand2)
+ destroy_hist_field(operand2, 0);
destroy_hist_field(expr, 0);

return ERR_PTR(ret);