Message-ID: <aYXvZgN5nrTr9onx@stanley.mountain>
Date: Fri, 6 Feb 2026 16:40:54 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Miaoqian Lin <linmq006@...il.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	linux-trace-kernel@...r.kernel.org,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: [bug report] tracing: Properly process error handling in
 event_hist_trigger_parse()

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Miaoqian Lin,

Commit 0550069cc25f ("tracing: Properly process error handling in
event_hist_trigger_parse()") from Dec 11, 2025 (linux-next), leads to
the following Smatch static checker warning:

	kernel/trace/trace_events_hist.c:6925 event_hist_trigger_parse()
	error: we previously assumed 'trigger_data' could be null (see line 6856)

kernel/trace/trace_events_hist.c
    6855         trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
    6856         if (!trigger_data) {
    6857                 ret = -ENOMEM;
    6858                 goto out_free;

trigger_data is NULL here, and the goto jumps to the out_free label (line 6922).

    6859         }
    6860 
    6861         ret = event_trigger_set_filter(cmd_ops, file, filter, trigger_data);
    6862         if (ret < 0)
    6863                 goto out_free;
    6864 
    6865         if (remove) {
    6866                 if (!have_hist_trigger_match(trigger_data, file))
    6867                         goto out_free;
    6868 
    6869                 if (hist_trigger_check_refs(trigger_data, file)) {
    6870                         ret = -EBUSY;
    6871                         goto out_free;
    6872                 }
    6873 
    6874                 event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
    6875                 se_name = trace_event_name(file->event_call);
    6876                 se = find_synth_event(se_name);
    6877                 if (se)
    6878                         se->ref--;
    6879                 ret = 0;
    6880                 goto out_free;
    6881         }
    6882 
    6883         if (existing_hist_update_only(glob, trigger_data, file))
    6884                 goto out_free;
    6885 
    6886         if (!get_named_trigger_data(trigger_data)) {
    6887 
    6888                 ret = create_actions(hist_data);
    6889                 if (ret)
    6890                         goto out_free;
    6891 
    6892                 if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
    6893                         ret = save_hist_vars(hist_data);
    6894                         if (ret)
    6895                                 goto out_free;
    6896                 }
    6897 
    6898                 ret = tracing_map_init(hist_data->map);
    6899                 if (ret)
    6900                         goto out_free;
    6901         }
    6902 
    6903         ret = event_trigger_register(cmd_ops, file, glob, trigger_data);
    6904         if (ret < 0)
    6905                 goto out_free;
    6906 
    6907         ret = hist_trigger_enable(trigger_data, file);
    6908         if (ret)
    6909                 goto out_unreg;
    6910 
    6911         se_name = trace_event_name(file->event_call);
    6912         se = find_synth_event(se_name);
    6913         if (se)
    6914                 se->ref++;
    6915  out:
    6916         if (ret == 0 && glob[0])
    6917                 hist_err_clear();
    6918 
    6919         return ret;
    6920  out_unreg:
    6921         event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
    6922  out_free:
    6923         remove_hist_vars(hist_data);
    6924 
--> 6925         trigger_data_free(trigger_data);

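Originally this was kfree(trigger_data), so passing a NULL pointer was
fine.  Now that it is trigger_data_free(trigger_data), the
allocation-failure path (the goto out_free on line 6858) reaches this
call with trigger_data == NULL, and it will crash.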

    6926 
    6927         destroy_hist_data(hist_data);
    6928         goto out;
    6929 }
    6930 
    6931 static struct event_command trigger_hist_cmd = {
    6932         .name                        = "hist",
    6933         .trigger_type                = ETT_EVENT_HIST,
    6934         .flags                        = EVENT_CMD_FL_NEEDS_REC,
    6935         .parse                        = event_hist_trigger_parse,

regards,
dan carpenter
