* [PATCH] tracing, synthetic events: Replace buggy strcat() with seq_buf operations
From: Steven Rostedt @ 2020-10-23 23:09 UTC
To: Tom Zanussi; +Cc: LKML, Masami Hiramatsu, Ingo Molnar, Andrew Morton
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
There was a memory corruption bug happening while running the synthetic
event selftests:
kmemleak: Cannot insert 0xffff8c196fa2afe5 into the object search tree (overlaps existing)
CPU: 5 PID: 6866 Comm: ftracetest Tainted: G W 5.9.0-rc5-test+ #577
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
Call Trace:
dump_stack+0x8d/0xc0
create_object.cold+0x3b/0x60
slab_post_alloc_hook+0x57/0x510
? tracing_map_init+0x178/0x340
__kmalloc+0x1b1/0x390
tracing_map_init+0x178/0x340
event_hist_trigger_func+0x523/0xa40
trigger_process_regex+0xc5/0x110
event_trigger_write+0x71/0xd0
vfs_write+0xca/0x210
ksys_write+0x70/0xf0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fef0a63a487
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fff76f18398 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000039 RCX: 00007fef0a63a487
RDX: 0000000000000039 RSI: 000055eb3b26d690 RDI: 0000000000000001
RBP: 000055eb3b26d690 R08: 000000000000000a R09: 0000000000000038
R10: 000055eb3b2cdb80 R11: 0000000000000246 R12: 0000000000000039
R13: 00007fef0a70b500 R14: 0000000000000039 R15: 00007fef0a70b700
kmemleak: Kernel memory leak detector disabled
kmemleak: Object 0xffff8c196fa2afe0 (size 8):
kmemleak: comm "ftracetest", pid 6866, jiffies 4295082531
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x1
kmemleak: checksum = 0
kmemleak: backtrace:
__kmalloc+0x1b1/0x390
tracing_map_init+0x1be/0x340
event_hist_trigger_func+0x523/0xa40
trigger_process_regex+0xc5/0x110
event_trigger_write+0x71/0xd0
vfs_write+0xca/0x210
ksys_write+0x70/0xf0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The cause came down to a use of strcat() that was adding a string that was
shortened, but the strcat() did not take that into account.
strcat() is extremely dangerous as it does not care how big the buffer is.
Replace it with seq_buf operations that prevent the buffer from being
overwritten if what is being written is bigger than the buffer.
Fixes: 10819e25799a ("tracing: Handle synthetic event array field type checking correctly")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
kernel/trace/trace_events_synth.c | 37 ++++++++++++++++++-------------
1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index 3212e2c653b3..bdd427ccdfc5 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -585,6 +585,7 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
struct synth_field *field;
const char *prefix = NULL, *field_type = argv[0], *field_name, *array;
int len, ret = 0;
+ struct seq_buf s;
ssize_t size;
if (field_type[0] == ';')
@@ -630,13 +631,9 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
field_type++;
len = strlen(field_type) + 1;
- if (array) {
- int l = strlen(array);
+ if (array)
+ len += strlen(array);
- if (l && array[l - 1] == ';')
- l--;
- len += l;
- }
if (prefix)
len += strlen(prefix);
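Review bot: with the `if (array)` block reduced to `len += strlen(array);`, len now deliberately counts a trailing ';' that is only dropped after the copy, and nothing at this site says so. A one-line comment stating that the buffer is sized for the untrimmed array suffix would keep a later cleanup from reintroducing the short allocation that the removed `l--` produced.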
@@ -645,14 +642,18 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
ret = -ENOMEM;
goto free;
}
+ seq_buf_init(&s, field->type, len);
if (prefix)
- strcat(field->type, prefix);
- strcat(field->type, field_type);
+ seq_buf_puts(&s, prefix);
+ seq_buf_puts(&s, field_type);
if (array) {
- strcat(field->type, array);
- if (field->type[len - 1] == ';')
- field->type[len - 1] = '\0';
+ seq_buf_puts(&s, array);
+ if (s.buffer[s.len - 1] == ';')
+ s.len--;
}
+ if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
+ goto free;
+ s.buffer[s.len] = '\0';
size = synth_field_size(field->type);
if (size < 0) {
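Review bot: the new `goto free` under `WARN_ON_ONCE(!seq_buf_buffer_left(&s))` leaves ret at its initial value from `int len, ret = 0;`, so the `field = ERR_PTR(ret)` at the free label returns ERR_PTR(0), which is NULL rather than an error pointer. Set ret (for example `ret = -EINVAL;`) before the jump. The `s.buffer[s.len - 1] == ';'` test also runs before the overflow check, so it indexes the buffer with a length that has not been validated yet; doing the `seq_buf_buffer_left()` check first and trimming the ';' afterwards avoids that.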
@@ -663,17 +664,23 @@ static struct synth_field *parse_synth_field(int argc, const char **argv,
if (synth_field_is_string(field->type)) {
char *type;
- type = kzalloc(sizeof("__data_loc ") + strlen(field->type) + 1, GFP_KERNEL);
+ len = sizeof("__data_loc ") + strlen(field->type) + 1;
+ type = kzalloc(len, GFP_KERNEL);
if (!type) {
ret = -ENOMEM;
goto free;
}
- strcat(type, "__data_loc ");
- strcat(type, field->type);
+ seq_buf_init(&s, type, len);
+ seq_buf_puts(&s, "__data_loc ");
+ seq_buf_puts(&s, field->type);
kfree(field->type);
- field->type = type;
+ if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
+ goto free;
+ s.buffer[s.len] = '\0';
+
+ field->type = type;
field->is_dynamic = true;
size = sizeof(u64);
} else {
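Review bot: in the `__data_loc` branch `kfree(field->type)` runs before the `WARN_ON_ONCE(!seq_buf_buffer_left(&s))` check and `field->type = type` only comes after it, so the `goto free` leaves field->type pointing at freed memory for the cleanup path, leaks the new `type` buffer, and still has ret at 0. Do the overflow check first, and on failure `kfree(type)` and set ret before jumping; only then free the old string and assign the new one. Separately, `sizeof("__data_loc ")` already counts the terminating NUL, so the extra `+ 1` in len over-allocates by one byte, which is harmless but worth a comment or dropping.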
--
2.25.4
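A userspace model of the sizing bug the commit message describes, added here as an example (not code from the patch or the kernel). The names `bounded_buf`, `bb_puts`, `old_alloc_len`, `strcat_bytes` and `build_type` are hypothetical and the sample field strings are constructed; it compares the pre-patch allocation with the bytes the strcat() sequence stores, then builds the type string with bounded appends and an explicit error code on failure.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for a bounded append buffer. */
struct bounded_buf {
	char *buffer;
	size_t size;	/* capacity in bytes */
	size_t len;	/* bytes used; size + 1 marks an overflow */
};

/* Append str only if it fits; otherwise mark the buffer as overflowed. */
static int bb_puts(struct bounded_buf *s, const char *str)
{
	size_t n = strlen(str);

	if (s->len <= s->size && n <= s->size - s->len) {
		memcpy(s->buffer + s->len, str, n);
		s->len += n;
		return 0;
	}
	s->len = s->size + 1;
	return -1;
}

/* Pre-patch sizing: a trailing ';' on the array suffix is not counted. */
static size_t old_alloc_len(const char *prefix, const char *type,
			    const char *array)
{
	size_t len = strlen(type) + 1;

	if (array) {
		size_t l = strlen(array);

		if (l && array[l - 1] == ';')
			l--;
		len += l;
	}
	return len + (prefix ? strlen(prefix) : 0);
}

/* Bytes the pre-patch strcat() calls store, terminating NUL included. */
static size_t strcat_bytes(const char *prefix, const char *type,
			   const char *array)
{
	return (prefix ? strlen(prefix) : 0) + strlen(type) +
	       (array ? strlen(array) : 0) + 1;
}

/*
 * Post-patch flow: size for the untrimmed strings, append with bounds
 * checks, drop the ';' afterwards, and fail with an explicit error code.
 * cap == 0 sizes the buffer as the patch does; a non-zero cap forces a
 * size so the failure path can be exercised (assumption of this example).
 * Returns 0 with a malloc()ed string in *out, or a negative errno.
 */
static int build_type(const char *prefix, const char *type,
		      const char *array, size_t cap, char **out)
{
	struct bounded_buf s = { NULL, 0, 0 };

	s.size = cap ? cap : strlen(type) + 1 + (array ? strlen(array) : 0) +
			     (prefix ? strlen(prefix) : 0);
	s.buffer = calloc(1, s.size);
	if (!s.buffer)
		return -ENOMEM;

	if (prefix)
		bb_puts(&s, prefix);
	bb_puts(&s, type);
	if (array) {
		bb_puts(&s, array);
		if (s.len && s.len <= s.size && s.buffer[s.len - 1] == ';')
			s.len--;
	}
	if (s.len >= s.size) {		/* overflowed, or no room for the NUL */
		free(s.buffer);		/* released once, with an error code */
		return -EINVAL;
	}
	s.buffer[s.len] = '\0';
	*out = s.buffer;
	return 0;
}

int main(void)
{
	char *t = NULL;
	int ret = build_type("unsigned ", "char", "[16];", 0, &t);

	printf("old alloc %zu, strcat writes %zu\n",
	       old_alloc_len("unsigned ", "char", "[16];"),
	       strcat_bytes("unsigned ", "char", "[16];"));
	printf("ret=%d type=\"%s\"\n", ret, ret ? "" : t);
	free(t);
	return 0;
}
```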
* Re: [PATCH] tracing, synthetic events: Replace buggy strcat() with seq_buf operations
From: kernel test robot @ 2020-10-24 1:35 UTC
To: kbuild
CC: kbuild-all(a)lists.01.org
In-Reply-To: <20201023190937.7cd48f5a@gandalf.local.home>
References: <20201023190937.7cd48f5a@gandalf.local.home>
TO: Steven Rostedt <rostedt@goodmis.org>
Hi Steven,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on linus/master]
[also build test WARNING on next-20201023]
[cannot apply to tip/perf/core linux/master hnaz-linux-mm/master v5.9]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Steven-Rostedt/tracing-synthetic-events-Replace-buggy-strcat-with-seq_buf-operations/20201024-071137
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 40a03b750bb3ded71a0f21a0b7dfbf3b24068dcb
:::::: branch date: 2 hours ago
:::::: commit date: 2 hours ago
config: i386-randconfig-m021-20201022 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
kernel/trace/trace_events_synth.c:701 parse_synth_field() warn: 'field->type' double freed
kernel/trace/trace_events_synth.c:702 parse_synth_field() warn: passing zero to 'ERR_PTR'
vim +701 kernel/trace/trace_events_synth.c
726721a51838e39 Tom Zanussi 2020-05-28 581
726721a51838e39 Tom Zanussi 2020-05-28 582 static struct synth_field *parse_synth_field(int argc, const char **argv,
726721a51838e39 Tom Zanussi 2020-05-28 583 int *consumed)
726721a51838e39 Tom Zanussi 2020-05-28 584 {
726721a51838e39 Tom Zanussi 2020-05-28 585 struct synth_field *field;
726721a51838e39 Tom Zanussi 2020-05-28 586 const char *prefix = NULL, *field_type = argv[0], *field_name, *array;
726721a51838e39 Tom Zanussi 2020-05-28 587 int len, ret = 0;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 588) struct seq_buf s;
8fbeb52a598c7ab Tom Zanussi 2020-10-04 589 ssize_t size;
726721a51838e39 Tom Zanussi 2020-05-28 590
726721a51838e39 Tom Zanussi 2020-05-28 591 if (field_type[0] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 592 field_type++;
726721a51838e39 Tom Zanussi 2020-05-28 593
726721a51838e39 Tom Zanussi 2020-05-28 594 if (!strcmp(field_type, "unsigned")) {
d4d704637d935ef Tom Zanussi 2020-10-13 595 if (argc < 3) {
d4d704637d935ef Tom Zanussi 2020-10-13 596 synth_err(SYNTH_ERR_INCOMPLETE_TYPE, errpos(field_type));
726721a51838e39 Tom Zanussi 2020-05-28 597 return ERR_PTR(-EINVAL);
d4d704637d935ef Tom Zanussi 2020-10-13 598 }
726721a51838e39 Tom Zanussi 2020-05-28 599 prefix = "unsigned ";
726721a51838e39 Tom Zanussi 2020-05-28 600 field_type = argv[1];
726721a51838e39 Tom Zanussi 2020-05-28 601 field_name = argv[2];
726721a51838e39 Tom Zanussi 2020-05-28 602 *consumed = 3;
726721a51838e39 Tom Zanussi 2020-05-28 603 } else {
726721a51838e39 Tom Zanussi 2020-05-28 604 field_name = argv[1];
726721a51838e39 Tom Zanussi 2020-05-28 605 *consumed = 2;
726721a51838e39 Tom Zanussi 2020-05-28 606 }
726721a51838e39 Tom Zanussi 2020-05-28 607
726721a51838e39 Tom Zanussi 2020-05-28 608 field = kzalloc(sizeof(*field), GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 609 if (!field)
726721a51838e39 Tom Zanussi 2020-05-28 610 return ERR_PTR(-ENOMEM);
726721a51838e39 Tom Zanussi 2020-05-28 611
726721a51838e39 Tom Zanussi 2020-05-28 612 len = strlen(field_name);
726721a51838e39 Tom Zanussi 2020-05-28 613 array = strchr(field_name, '[');
726721a51838e39 Tom Zanussi 2020-05-28 614 if (array)
726721a51838e39 Tom Zanussi 2020-05-28 615 len -= strlen(array);
726721a51838e39 Tom Zanussi 2020-05-28 616 else if (field_name[len - 1] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 617 len--;
726721a51838e39 Tom Zanussi 2020-05-28 618
726721a51838e39 Tom Zanussi 2020-05-28 619 field->name = kmemdup_nul(field_name, len, GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 620 if (!field->name) {
726721a51838e39 Tom Zanussi 2020-05-28 621 ret = -ENOMEM;
726721a51838e39 Tom Zanussi 2020-05-28 622 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 623 }
9bbb33291f8e448 Tom Zanussi 2020-10-13 624 if (!is_good_name(field->name)) {
d4d704637d935ef Tom Zanussi 2020-10-13 625 synth_err(SYNTH_ERR_BAD_NAME, errpos(field_name));
9bbb33291f8e448 Tom Zanussi 2020-10-13 626 ret = -EINVAL;
9bbb33291f8e448 Tom Zanussi 2020-10-13 627 goto free;
9bbb33291f8e448 Tom Zanussi 2020-10-13 628 }
726721a51838e39 Tom Zanussi 2020-05-28 629
726721a51838e39 Tom Zanussi 2020-05-28 630 if (field_type[0] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 631 field_type++;
726721a51838e39 Tom Zanussi 2020-05-28 632 len = strlen(field_type) + 1;
10819e25799aae5 Tom Zanussi 2020-10-13 633
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 634) if (array)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 635) len += strlen(array);
10819e25799aae5 Tom Zanussi 2020-10-13 636
726721a51838e39 Tom Zanussi 2020-05-28 637 if (prefix)
726721a51838e39 Tom Zanussi 2020-05-28 638 len += strlen(prefix);
726721a51838e39 Tom Zanussi 2020-05-28 639
726721a51838e39 Tom Zanussi 2020-05-28 640 field->type = kzalloc(len, GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 641 if (!field->type) {
726721a51838e39 Tom Zanussi 2020-05-28 642 ret = -ENOMEM;
726721a51838e39 Tom Zanussi 2020-05-28 643 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 644 }
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 645) seq_buf_init(&s, field->type, len);
726721a51838e39 Tom Zanussi 2020-05-28 646 if (prefix)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 647) seq_buf_puts(&s, prefix);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 648) seq_buf_puts(&s, field_type);
726721a51838e39 Tom Zanussi 2020-05-28 649 if (array) {
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 650) seq_buf_puts(&s, array);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 651) if (s.buffer[s.len - 1] == ';')
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 652) s.len--;
726721a51838e39 Tom Zanussi 2020-05-28 653 }
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 654) if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 655) goto free;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 656) s.buffer[s.len] = '\0';
726721a51838e39 Tom Zanussi 2020-05-28 657
8fbeb52a598c7ab Tom Zanussi 2020-10-04 658 size = synth_field_size(field->type);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 659 if (size < 0) {
d4d704637d935ef Tom Zanussi 2020-10-13 660 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
bd82631d7ccdc89 Tom Zanussi 2020-10-04 661 ret = -EINVAL;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 662 goto free;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 663 } else if (size == 0) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 664 if (synth_field_is_string(field->type)) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 665 char *type;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 666
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 667) len = sizeof("__data_loc ") + strlen(field->type) + 1;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 668) type = kzalloc(len, GFP_KERNEL);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 669 if (!type) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 670 ret = -ENOMEM;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 671 goto free;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 672 }
bd82631d7ccdc89 Tom Zanussi 2020-10-04 673
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 674) seq_buf_init(&s, type, len);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 675) seq_buf_puts(&s, "__data_loc ");
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 676) seq_buf_puts(&s, field->type);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 677 kfree(field->type);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 678
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 679) if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 680) goto free;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 681) s.buffer[s.len] = '\0';
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 682)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 683) field->type = type;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 684 field->is_dynamic = true;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 685 size = sizeof(u64);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 686 } else {
d4d704637d935ef Tom Zanussi 2020-10-13 687 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
726721a51838e39 Tom Zanussi 2020-05-28 688 ret = -EINVAL;
726721a51838e39 Tom Zanussi 2020-05-28 689 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 690 }
bd82631d7ccdc89 Tom Zanussi 2020-10-04 691 }
8fbeb52a598c7ab Tom Zanussi 2020-10-04 692 field->size = size;
726721a51838e39 Tom Zanussi 2020-05-28 693
726721a51838e39 Tom Zanussi 2020-05-28 694 if (synth_field_is_string(field->type))
726721a51838e39 Tom Zanussi 2020-05-28 695 field->is_string = true;
726721a51838e39 Tom Zanussi 2020-05-28 696
726721a51838e39 Tom Zanussi 2020-05-28 697 field->is_signed = synth_field_signed(field->type);
726721a51838e39 Tom Zanussi 2020-05-28 698 out:
726721a51838e39 Tom Zanussi 2020-05-28 699 return field;
726721a51838e39 Tom Zanussi 2020-05-28 700 free:
726721a51838e39 Tom Zanussi 2020-05-28 @701 free_synth_field(field);
726721a51838e39 Tom Zanussi 2020-05-28 @702 field = ERR_PTR(ret);
726721a51838e39 Tom Zanussi 2020-05-28 703 goto out;
726721a51838e39 Tom Zanussi 2020-05-28 704 }
726721a51838e39 Tom Zanussi 2020-05-28 705
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
* Re: [PATCH] tracing, synthetic events: Replace buggy strcat() with seq_buf operations
From: Dan Carpenter @ 2020-10-26 9:17 UTC
To: kbuild-all
Hi Steven,
url: https://github.com/0day-ci/linux/commits/Steven-Rostedt/tracing-synthetic-events-Replace-buggy-strcat-with-seq_buf-operations/20201024-071137
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 40a03b750bb3ded71a0f21a0b7dfbf3b24068dcb
config: i386-randconfig-m021-20201022 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
kernel/trace/trace_events_synth.c:701 parse_synth_field() warn: 'field->type' double freed
kernel/trace/trace_events_synth.c:702 parse_synth_field() warn: passing zero to 'ERR_PTR'
vim +701 kernel/trace/trace_events_synth.c
726721a51838e39 Tom Zanussi 2020-05-28 582 static struct synth_field *parse_synth_field(int argc, const char **argv,
726721a51838e39 Tom Zanussi 2020-05-28 583 int *consumed)
726721a51838e39 Tom Zanussi 2020-05-28 584 {
726721a51838e39 Tom Zanussi 2020-05-28 585 struct synth_field *field;
726721a51838e39 Tom Zanussi 2020-05-28 586 const char *prefix = NULL, *field_type = argv[0], *field_name, *array;
726721a51838e39 Tom Zanussi 2020-05-28 587 int len, ret = 0;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 588) struct seq_buf s;
8fbeb52a598c7ab Tom Zanussi 2020-10-04 589 ssize_t size;
726721a51838e39 Tom Zanussi 2020-05-28 590
726721a51838e39 Tom Zanussi 2020-05-28 591 if (field_type[0] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 592 field_type++;
726721a51838e39 Tom Zanussi 2020-05-28 593
726721a51838e39 Tom Zanussi 2020-05-28 594 if (!strcmp(field_type, "unsigned")) {
d4d704637d935ef Tom Zanussi 2020-10-13 595 if (argc < 3) {
d4d704637d935ef Tom Zanussi 2020-10-13 596 synth_err(SYNTH_ERR_INCOMPLETE_TYPE, errpos(field_type));
726721a51838e39 Tom Zanussi 2020-05-28 597 return ERR_PTR(-EINVAL);
d4d704637d935ef Tom Zanussi 2020-10-13 598 }
726721a51838e39 Tom Zanussi 2020-05-28 599 prefix = "unsigned ";
726721a51838e39 Tom Zanussi 2020-05-28 600 field_type = argv[1];
726721a51838e39 Tom Zanussi 2020-05-28 601 field_name = argv[2];
726721a51838e39 Tom Zanussi 2020-05-28 602 *consumed = 3;
726721a51838e39 Tom Zanussi 2020-05-28 603 } else {
726721a51838e39 Tom Zanussi 2020-05-28 604 field_name = argv[1];
726721a51838e39 Tom Zanussi 2020-05-28 605 *consumed = 2;
726721a51838e39 Tom Zanussi 2020-05-28 606 }
726721a51838e39 Tom Zanussi 2020-05-28 607
726721a51838e39 Tom Zanussi 2020-05-28 608 field = kzalloc(sizeof(*field), GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 609 if (!field)
726721a51838e39 Tom Zanussi 2020-05-28 610 return ERR_PTR(-ENOMEM);
726721a51838e39 Tom Zanussi 2020-05-28 611
726721a51838e39 Tom Zanussi 2020-05-28 612 len = strlen(field_name);
726721a51838e39 Tom Zanussi 2020-05-28 613 array = strchr(field_name, '[');
726721a51838e39 Tom Zanussi 2020-05-28 614 if (array)
726721a51838e39 Tom Zanussi 2020-05-28 615 len -= strlen(array);
726721a51838e39 Tom Zanussi 2020-05-28 616 else if (field_name[len - 1] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 617 len--;
726721a51838e39 Tom Zanussi 2020-05-28 618
726721a51838e39 Tom Zanussi 2020-05-28 619 field->name = kmemdup_nul(field_name, len, GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 620 if (!field->name) {
726721a51838e39 Tom Zanussi 2020-05-28 621 ret = -ENOMEM;
726721a51838e39 Tom Zanussi 2020-05-28 622 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 623 }
9bbb33291f8e448 Tom Zanussi 2020-10-13 624 if (!is_good_name(field->name)) {
d4d704637d935ef Tom Zanussi 2020-10-13 625 synth_err(SYNTH_ERR_BAD_NAME, errpos(field_name));
9bbb33291f8e448 Tom Zanussi 2020-10-13 626 ret = -EINVAL;
9bbb33291f8e448 Tom Zanussi 2020-10-13 627 goto free;
9bbb33291f8e448 Tom Zanussi 2020-10-13 628 }
726721a51838e39 Tom Zanussi 2020-05-28 629
726721a51838e39 Tom Zanussi 2020-05-28 630 if (field_type[0] == ';')
726721a51838e39 Tom Zanussi 2020-05-28 631 field_type++;
726721a51838e39 Tom Zanussi 2020-05-28 632 len = strlen(field_type) + 1;
10819e25799aae5 Tom Zanussi 2020-10-13 633
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 634) if (array)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 635) len += strlen(array);
10819e25799aae5 Tom Zanussi 2020-10-13 636
726721a51838e39 Tom Zanussi 2020-05-28 637 if (prefix)
726721a51838e39 Tom Zanussi 2020-05-28 638 len += strlen(prefix);
726721a51838e39 Tom Zanussi 2020-05-28 639
726721a51838e39 Tom Zanussi 2020-05-28 640 field->type = kzalloc(len, GFP_KERNEL);
726721a51838e39 Tom Zanussi 2020-05-28 641 if (!field->type) {
726721a51838e39 Tom Zanussi 2020-05-28 642 ret = -ENOMEM;
726721a51838e39 Tom Zanussi 2020-05-28 643 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 644 }
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 645) seq_buf_init(&s, field->type, len);
726721a51838e39 Tom Zanussi 2020-05-28 646 if (prefix)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 647) seq_buf_puts(&s, prefix);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 648) seq_buf_puts(&s, field_type);
726721a51838e39 Tom Zanussi 2020-05-28 649 if (array) {
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 650) seq_buf_puts(&s, array);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 651) if (s.buffer[s.len - 1] == ';')
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 652) s.len--;
726721a51838e39 Tom Zanussi 2020-05-28 653 }
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 654) if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 655) goto free;
^^^^^^^^^^
"ret" not set.
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 656) s.buffer[s.len] = '\0';
726721a51838e39 Tom Zanussi 2020-05-28 657
8fbeb52a598c7ab Tom Zanussi 2020-10-04 658 size = synth_field_size(field->type);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 659 if (size < 0) {
d4d704637d935ef Tom Zanussi 2020-10-13 660 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
bd82631d7ccdc89 Tom Zanussi 2020-10-04 661 ret = -EINVAL;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 662 goto free;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 663 } else if (size == 0) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 664 if (synth_field_is_string(field->type)) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 665 char *type;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 666
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 667) len = sizeof("__data_loc ") + strlen(field->type) + 1;
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 668) type = kzalloc(len, GFP_KERNEL);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 669 if (!type) {
bd82631d7ccdc89 Tom Zanussi 2020-10-04 670 ret = -ENOMEM;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 671 goto free;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 672 }
bd82631d7ccdc89 Tom Zanussi 2020-10-04 673
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 674) seq_buf_init(&s, type, len);
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 675) seq_buf_puts(&s, "__data_loc ");
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 676) seq_buf_puts(&s, field->type);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 677 kfree(field->type);
^^^^^^^^^^^^^^^^^^
Freed.
bd82631d7ccdc89 Tom Zanussi 2020-10-04 678
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 679) if (WARN_ON_ONCE(!seq_buf_buffer_left(&s)))
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 680) goto free;
^^^^^^^^^
Double free and "ret" not set.
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 681) s.buffer[s.len] = '\0';
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 682)
1c7ca34b0b3f131 Steven Rostedt (VMware 2020-10-23 683) field->type = type;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 684 field->is_dynamic = true;
bd82631d7ccdc89 Tom Zanussi 2020-10-04 685 size = sizeof(u64);
bd82631d7ccdc89 Tom Zanussi 2020-10-04 686 } else {
d4d704637d935ef Tom Zanussi 2020-10-13 687 synth_err(SYNTH_ERR_INVALID_TYPE, errpos(field_type));
726721a51838e39 Tom Zanussi 2020-05-28 688 ret = -EINVAL;
726721a51838e39 Tom Zanussi 2020-05-28 689 goto free;
726721a51838e39 Tom Zanussi 2020-05-28 690 }
bd82631d7ccdc89 Tom Zanussi 2020-10-04 691 }
8fbeb52a598c7ab Tom Zanussi 2020-10-04 692 field->size = size;
726721a51838e39 Tom Zanussi 2020-05-28 693
726721a51838e39 Tom Zanussi 2020-05-28 694 if (synth_field_is_string(field->type))
726721a51838e39 Tom Zanussi 2020-05-28 695 field->is_string = true;
726721a51838e39 Tom Zanussi 2020-05-28 696
726721a51838e39 Tom Zanussi 2020-05-28 697 field->is_signed = synth_field_signed(field->type);
726721a51838e39 Tom Zanussi 2020-05-28 698 out:
726721a51838e39 Tom Zanussi 2020-05-28 699 return field;
726721a51838e39 Tom Zanussi 2020-05-28 700 free:
726721a51838e39 Tom Zanussi 2020-05-28 @701 free_synth_field(field);
726721a51838e39 Tom Zanussi 2020-05-28 @702 field = ERR_PTR(ret);
726721a51838e39 Tom Zanussi 2020-05-28 703 goto out;
726721a51838e39 Tom Zanussi 2020-05-28 704 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org