git.baikalelectronics.ru Git - kernel.git/commit

author	Kalesh Singh <kaleshsingh@google.com>
	Thu, 18 Nov 2021 01:15:42 +0000 (17:15 -0800)
committer	Steven Rostedt (VMware) <rostedt@goodmis.org>
	Thu, 18 Nov 2021 18:53:43 +0000 (13:53 -0500)
commit	bd68eff5ee8f21cce6911eb41d81d19e5da38832
tree	0c3651ee0b42ed100e5babe9e6d43a3dc7b38247	tree \| snapshot
parent	d0ce3fde11a53d9af6f6c285b08ef85ffd711ab8	commit \| diff

tracing/histogram: Fix UAF in destroy_hist_field()

Calling destroy_hist_field() on an expression will recursively free
any operands associated with the expression. If during expression
parsing the operands of the expression are already set when an error
is encountered, there is no need to explicity free the operands. Doing
so will result in destroy_hist_field() being called twice for the
operands and lead to a use-after-free (UAF) error.

If the operands are associated with the expression, only call
destroy_hist_field() on the expression since the operands will be
recursively freed.

Link: https://lore.kernel.org/all/CAHk-=wgcrEbFgkw9720H3tW-AhHOoEKhYwZinYJw4FpzSaJ6_Q@mail.gmail.com/
Link: https://lkml.kernel.org/r/20211118011542.1420131-1-kaleshsingh@google.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Fixes: 77d0e2dcacec ("tracing/histogram: Optimize division by constants")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>