On Thu, 5 Mar 2026 08:36:33 -0800 Guenter Roeck <[email protected]> wrote:
> If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() > jumps to the out_free error path. While kfree() safely handles a NULL > pointer, trigger_data_free() does not. This causes a NULL pointer > dereference in trigger_data_free() when evaluating > data->cmd_ops->set_filter. > > Fix the problem by adding a new goto label and jumping to it if > trigger_data_alloc() returns NULL. > > The problem was found by an experimental code review agent based on > gemini-3.1-pro while reviewing backports into v6.18.y. > > Assisted-by: Gemini:gemini-3.1-pro > Cc: Miaoqian Lin <[email protected]> > Cc: Steven Rostedt (Google) <[email protected]> > Fixes: 0550069cc25f ("tracing: Properly process error handling in > event_hist_trigger_parse()") > Signed-off-by: Guenter Roeck <[email protected]> > --- > kernel/trace/trace_events_hist.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/trace/trace_events_hist.c > b/kernel/trace/trace_events_hist.c > index 73ea180cad55..a2abdfe19281 100644 > --- a/kernel/trace/trace_events_hist.c > +++ b/kernel/trace/trace_events_hist.c > @@ -6874,7 +6874,7 @@ static int event_hist_trigger_parse(struct > event_command *cmd_ops, > trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data); > if (!trigger_data) { > ret = -ENOMEM; > - goto out_free; > + goto out_destroy; > } > > ret = event_trigger_set_filter(cmd_ops, file, filter, trigger_data); > @@ -6942,7 +6942,7 @@ static int event_hist_trigger_parse(struct > event_command *cmd_ops, > remove_hist_vars(hist_data); > > trigger_data_free(trigger_data); I rather make trigger_data_free() more robust by starting it with: if (!data) return; -- Steve > - > +out_destroy: > destroy_hist_data(hist_data); > goto out; > }
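Review bot: in the first hunk, `goto out_destroy` on the trigger_data_alloc() failure skips not only trigger_data_free() but also the remove_hist_vars(hist_data) call that sits on the out_free path, and the changelog does not say why that is safe. A sentence stating that nothing has been registered for hist_data at the point trigger_data_alloc() fails, so only destroy_hist_data() is needed, would make the intent of the new label clear and save the next backporter from re-deriving it.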
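Review bot: in the second hunk, placing `out_destroy:` just above destroy_hist_data() only covers this one early-exit; any other `goto out_free` that is ever added before trigger_data is allocated would hit the same NULL dereference in trigger_data_free() evaluating data->cmd_ops->set_filter. The early `if (!data) return;` in trigger_data_free() that Steve suggests removes that class of bug at the callee and keeps a single cleanup path, so it is worth either adopting it instead of the new label or adding it alongside, with the changelog noting which of the two is the actual fix for the backport.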
