--- /dev/null
+From 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 Mon Sep 17 00:00:00 2001
+From: Jing Xia <jing.xia@spreadtrum.com>
+Date: Tue, 26 Dec 2017 15:12:53 +0800
+Subject: tracing: Fix crash when it fails to alloc ring buffer
+
+From: Jing Xia <jing.xia@spreadtrum.com>
+
+commit 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 upstream.
+
+Double free of the ring buffer happens when it fails to alloc new
+ring buffer instance for max_buffer if TRACER_MAX_TRACE is configured.
+The root cause is that the pointer is not set to NULL after the buffer
+is freed in allocate_trace_buffers(), and the freeing of the ring
+buffer is invoked again later if the pointer is not equal to Null,
+as:
+
+instance_mkdir()
+ |-allocate_trace_buffers()
+ |-allocate_trace_buffer(tr, &tr->trace_buffer...)
+ |-allocate_trace_buffer(tr, &tr->max_buffer...)
+
+ // allocate fail(-ENOMEM),first free
+ // and the buffer pointer is not set to null
+ |-ring_buffer_free(tr->trace_buffer.buffer)
+
+ // out_free_tr
+ |-free_trace_buffers()
+ |-free_trace_buffer(&tr->trace_buffer);
+
+ //if trace_buffer is not null, free again
+ |-ring_buffer_free(buf->buffer)
+ |-rb_free_cpu_buffer(buffer->buffers[cpu])
+ // ring_buffer_per_cpu is null, and
+ // crash in ring_buffer_per_cpu->pages
+
+Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
+
+Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
+Signed-off-by: Jing Xia <jing.xia@spreadtrum.com>
+Signed-off-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7604,7 +7604,9 @@ static int allocate_trace_buffers(struct
+ allocate_snapshot ? size : 1);
+ if (WARN_ON(ret)) {
+ ring_buffer_free(tr->trace_buffer.buffer);
++ tr->trace_buffer.buffer = NULL;
+ free_percpu(tr->trace_buffer.data);
++ tr->trace_buffer.data = NULL;
+ return -ENOMEM;
+ }
+ tr->allocated_snapshot = allocate_snapshot;
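Review bot: The four open-coded lines (free, clear, free, clear) in the WARN_ON branch duplicate what the commit message says free_trace_buffer() already does for a trace_buffer, so the branch could be reduced to `free_trace_buffer(&tr->trace_buffer);` if that helper, which is outside this hunk, clears the pointers it frees — confirm that before relying on it. If the explicit form is kept, the reason for the two NULL stores should be recorded, since a reader seeing free followed by NULL on a return path may consider it redundant: `/* free_trace_buffers() runs on the error path and frees whatever is non-NULL; clear so it does not free these twice */`. allocate_trace_buffers() begins and ends outside the hunk.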
--- /dev/null
+From 4397f04575c44e1440ec2e49b6302785c95fd2f8 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 26 Dec 2017 20:07:34 -0500
+Subject: tracing: Fix possible double free on failure of allocating trace buffer
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 4397f04575c44e1440ec2e49b6302785c95fd2f8 upstream.
+
+Jing Xia and Chunyan Zhang reported that on failing to allocate part of the
+tracing buffer, memory is freed, but the pointers that point to them are not
+initialized back to NULL, and later paths may try to free the freed memory
+again. Jing and Chunyan fixed one of the locations that does this, but
+missed a spot.
+
+Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
+
+Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
+Reported-by: Jing Xia <jing.xia@spreadtrum.com>
+Reported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7580,6 +7580,7 @@ allocate_trace_buffer(struct trace_array
+ buf->data = alloc_percpu(struct trace_array_cpu);
+ if (!buf->data) {
+ ring_buffer_free(buf->buffer);
++ buf->buffer = NULL;
+ return -ENOMEM;
+ }
+
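Review bot: The new `buf->buffer = NULL;` carries no explanation of the invariant it restores, namely that a non-NULL buffer pointer is treated by later cleanup as memory still owned by the trace_buffer. Suggest `/* cleanup frees a non-NULL buffer; clear it so this failed allocation is not freed twice */` directly above the added line. buf->data needs no clearing here because the alloc_percpu() on the line above already left it NULL, which keeps this path consistent with the caller's handling. allocate_trace_buffer() starts and ends outside the hunk.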
--- /dev/null
+From 6b7e633fe9c24682df550e5311f47fb524701586 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 22 Dec 2017 20:38:57 -0500
+Subject: tracing: Remove extra zeroing out of the ring buffer page
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 6b7e633fe9c24682df550e5311f47fb524701586 upstream.
+
+The ring_buffer_read_page() takes care of zeroing out any extra data in the
+page that it returns. There's no need to zero it out again from the
+consumer. It was removed from one consumer of this function, but
+read_buffers_splice_read() did not remove it, and worse, it contained a
+nasty bug because of it.
+
+Fixes: 2711ca237a084 ("ring-buffer: Move zeroing out excess in page to ring buffer code")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6769,7 +6769,7 @@ tracing_buffers_splice_read(struct file
+ .spd_release = buffer_spd_release,
+ };
+ struct buffer_ref *ref;
+- int entries, size, i;
++ int entries, i;
+ ssize_t ret = 0;
+
+ #ifdef CONFIG_TRACER_MAX_TRACE
+@@ -6823,14 +6823,6 @@ tracing_buffers_splice_read(struct file
+ break;
+ }
+
+- /*
+- * zero out any left over data, this is going to
+- * user land.
+- */
+- size = ring_buffer_page_len(ref->page);
+- if (size < PAGE_SIZE)
+- memset(ref->page + size, 0, PAGE_SIZE - size);
+-
+ page = virt_to_page(ref->page);
+
+ spd.pages[i] = page;
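Review bot: After the removal nothing in the splice path records that the unused tail of the page handed to user space is already zeroed, so a future reader may reintroduce a memset here or assume stale bytes can leak. Suggest `/* ring_buffer_read_page() already zeroed the unused tail of this page */` above `page = virt_to_page(ref->page);`. The commit message says the removed ring_buffer_page_len()-based memset contained a bug without saying which, so this relies on the ring buffer side doing the zeroing; a test that splices a partially filled page would confirm that. tracing_buffers_splice_read() starts and ends outside the hunk.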