On Tue, 03 Jun 2014 13:28:03 +0900
Yoshihiro YUNOMAE <yoshihiro.yunomae...@hitachi.com> wrote:

> When allocation of max_buffer fails, the kernel frees tr->trace_buffer.data
> per CPU and returns -ENOMEM in allocate_trace_buffers(). However,
> tracer_alloc_buffers() calling allocate_trace_buffers() also frees the data
> per CPU for -ENOMEM by allocate_trace_buffers(). Therefore, the allocation
> failure induces a double free.
> 
> For the out_free_mask path in tracer_alloc_buffers(),
> global_trace.trace_buffer.data and global_trace.max_buffer.data are
> not allocated yet, so free_percpu of those are not needed.
> 
> Signed-off-by: Yoshihiro YUNOMAE <yoshihiro.yunomae...@hitachi.com>
> Cc: Steven Rostedt <rost...@goodmis.org>
> Cc: Frederic Weisbecker <fweis...@gmail.com>
> Cc: Ingo Molnar <mi...@redhat.com>
> Cc: linux-kernel@vger.kernel.org
> ---
>  kernel/trace/trace.c |    4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 626dbfd..135af32 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -6671,10 +6671,6 @@ __init static int tracer_alloc_buffers(void)
>  out_free_temp_buffer:
>       ring_buffer_free(temp_buffer);
>  out_free_cpumask:
> -     free_percpu(global_trace.trace_buffer.data);
> -#ifdef CONFIG_TRACER_MAX_TRACE
> -     free_percpu(global_trace.max_buffer.data);
> -#endif
>       free_cpumask_var(global_trace.tracing_cpumask);
>  out_free_buffer_mask:
>       free_cpumask_var(tracing_buffer_mask);
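
Review bot: the two free_percpu() calls removed under out_free_cpumask are also what the out_free_temp_buffer label above it falls through to, and the changelog does not cover that path. It argues only for the -ENOMEM return from allocate_trace_buffers() and for the "out_free_mask" path, so please state which gotos reach out_free_temp_buffer and confirm that none of them arrives with global_trace.trace_buffer.data (or max_buffer.data under CONFIG_TRACER_MAX_TRACE) already allocated; otherwise that path now leaks the per-CPU data instead of double freeing it. The changelog also names a label "out_free_mask", while the labels visible in this hunk are out_free_cpumask and out_free_buffer_mask; it should use the real label name so the reasoning can be matched against the code.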

OK, so this is a double free on an error path at boot up. As it is
highly unlikely, I'll just add it for my 3.16 queue. It doesn't need to
go to stable.

-- Steve