[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170823103836.584a5dc5@gandalf.local.home>
Date: Wed, 23 Aug 2017 10:38:36 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Chunyu Hu <chuhu@...hat.com>
Cc: mingo@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] tracing: Fix kmemleak in set_trigger_filter
On Mon, 14 Aug 2017 18:18:18 +0800
Chunyu Hu <chuhu@...hat.com> wrote:
> Found this kmemleak in error path when setting event trigger
> filter. The steps is as below.
>
> cd /sys/kernel/debug/tracing/events/irq/irq_handler_entry
> echo 'enable_event:kmem:kmalloc:3 if nr_rq > 1' > trigger
> echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
> echo 'enable_event:kmem:kmalloc:3 if irq > ' > trigger
>
> unreferenced object 0xffffa06e570186a0 (size 32):
> comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
> hex dump (first 32 bytes):
> 00 00 00 00 01 00 00 00 00 a6 86 69 6e a0 ff ff ...........in...
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
> [<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
> [<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
> [<ffffffff96f87a0a>] create_filter+0x4a/0xc0
> [<ffffffff96f87bac>] create_event_filter+0xc/0x10
> [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
> [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
> [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
> [<ffffffff9704e117>] __vfs_write+0x37/0x170
> [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
> [<ffffffff97050cd5>] SyS_write+0x55/0xc0
> [<ffffffff96e03857>] do_syscall_64+0x67/0x150
> [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
> [<ffffffffffffffff>] 0xffffffffffffffff
> unreferenced object 0xffffa06e6986a600 (size 512):
> comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
> hex dump (first 32 bytes):
> b0 59 f8 96 ff ff ff ff 00 00 00 00 00 00 00 00 .Y..............
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
> [<ffffffff97025498>] __kmalloc+0xe8/0x220
> [<ffffffff96f87518>] replace_preds+0x4c8/0x970
> [<ffffffff96f87a51>] create_filter+0x91/0xc0
> [<ffffffff96f87bac>] create_event_filter+0xc/0x10
> [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
> [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
> [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
> [<ffffffff9704e117>] __vfs_write+0x37/0x170
> [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
> [<ffffffff97050cd5>] SyS_write+0x55/0xc0
> [<ffffffff96e03857>] do_syscall_64+0x67/0x150
> [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
> [<ffffffffffffffff>] 0xffffffffffffffff
> unreferenced object 0xffffa06e718a7560 (size 32):
> comm "bash", pid 2521, jiffies 4335807465 (age 43861.320s)
> hex dump (first 32 bytes):
> 00 00 00 00 01 00 00 00 00 a2 76 5b 6e a0 ff ff ..........v[n...
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
> [<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
> [<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
> [<ffffffff96f87a0a>] create_filter+0x4a/0xc0
> [<ffffffff96f87bac>] create_event_filter+0xc/0x10
> [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
> [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
> [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
> [<ffffffff9704e117>] __vfs_write+0x37/0x170
> [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
> [<ffffffff97050cd5>] SyS_write+0x55/0xc0
> [<ffffffff96e03857>] do_syscall_64+0x67/0x150
> [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
> [<ffffffffffffffff>] 0xffffffffffffffff
>
> Signed-off-by: Chunyu Hu <chuhu@...hat.com>
> ---
> kernel/trace/trace_events_trigger.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
> index f2ac9d4..955c3eb 100644
> --- a/kernel/trace/trace_events_trigger.c
> +++ b/kernel/trace/trace_events_trigger.c
> @@ -739,7 +739,7 @@ int set_trigger_filter(char *filter_str,
> /* The filter is for the 'trigger' event, not the triggered event */
> ret = create_event_filter(file->event_call, filter_str, false, &filter);
The filter is allocated by create_event_filter. If that returns a
failure, then that should be the one to free it. It is bad taste to
require the calling function to require it.
-- Steve
> if (ret)
> - goto out;
> + goto out_free;
> assign:
> tmp = rcu_access_pointer(data->filter);
>
> @@ -764,6 +764,10 @@ int set_trigger_filter(char *filter_str,
> }
> out:
> return ret;
> +
> + out_free:
> + free_event_filter(filter);
> + goto out;
> }
>
> static LIST_HEAD(named_triggers);
Powered by blists - more mailing lists