Commit a0199cf0 authored by Kalesh Singh

UPSTREAM: tracing/histogram: Fix UAF in destroy_hist_field()

Calling destroy_hist_field() on an expression will recursively free
any operands associated with the expression. If during expression
parsing the operands of the expression are already set when an error
is encountered, there is no need to explicitly free the operands. Doing
so will result in destroy_hist_field() being called twice for the
operands and lead to a use-after-free (UAF) error.

If the operands are associated with the expression, only call
destroy_hist_field() on the expression since the operands will be
recursively freed.

Link: https://lore.kernel.org/all/CAHk-=wgcrEbFgkw9720H3tW-AhHOoEKhYwZinYJw4FpzSaJ6_Q@mail.gmail.com/
Link: https://lkml.kernel.org/r/20211118011542.1420131-1-kaleshsingh@google.com



Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Fixes: 8b5d46fd ("tracing/histogram: Optimize division by constants")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
(cherry picked from commit f86b0aaa)

Bug: 146055070
Bug: 145972256
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Change-Id: I007b17b31e56a1571f91c97993a7fd1fe1140f43
parent c2a29c3b
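
The double release described in the commit message, modelled in userspace as an added example (not code from this commit or from the kernel). The names `struct field`, `destroy_field()` and `error_cleanup()` are hypothetical, and a per-node counter stands in for the real free so the second release can be observed safely.

```c
#include <stdio.h>
/* Userspace model, not kernel code; all names are hypothetical. "Freeing"
 * only bumps a counter, so a double destroy shows up without undefined behaviour. */
#define MAX_OPERANDS 2

struct field {
    struct field *operands[MAX_OPERANDS];
    int destroyed;                 /* times destroy_field() reached this node */
};
static struct field pool[3];

/* Recursive destroy: releasing an expression also releases its operands. */
static void destroy_field(struct field *f)
{
    if (!f)
        return;
    for (int i = 0; i < MAX_OPERANDS; i++)
        destroy_field(f->operands[i]);
    f->destroyed++;
}

/* Simulate a parse error before or after the operands were attached. Returns
 * 0 if a node leaked, else the highest per-node destroy count (2 = double free). */
static int error_cleanup(int attached, int fixed)
{
    struct field *op1 = &pool[0], *op2 = &pool[1], *expr = &pool[2];
    int worst = 0;
    for (int i = 0; i < 3; i++)
        pool[i] = (struct field){ 0 };
    expr->operands[0] = attached ? op1 : NULL;
    expr->operands[1] = attached ? op2 : NULL;
    if (!fixed || !attached) {     /* operands released one by one */
        destroy_field(op1);
        destroy_field(op2);
    }
    destroy_field(expr);           /* recursion covers attached operands */
    for (int i = 0; i < 3; i++) {
        if (pool[i].destroyed == 0)
            return 0;
        if (pool[i].destroyed > worst)
            worst = pool[i].destroyed;
    }
    return worst;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", error_cleanup(1, 0), error_cleanup(1, 1));
    return 0;
}
```

The model also covers an error raised before the operands are attached, where releasing them individually is still required to avoid a leak.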