On Thu, Mar 05, 2026 at 11:43:36AM -0500, Steven Rostedt wrote:
> On Thu, 5 Mar 2026 08:36:33 -0800
> Guenter Roeck <[email protected]> wrote:
>
> > If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()
> > jumps to the out_free error path. While kfree() safely handles a NULL
> > pointer, trigger_data_free() does not. This causes a NULL pointer
> > dereference in trigger_data_free() when evaluating
> > data->cmd_ops->set_filter.
> >
> > Fix the problem by adding a new goto label and jumping to it if
> > trigger_data_alloc() returns NULL.
> >
> > The problem was found by an experimental code review agent based on
> > gemini-3.1-pro while reviewing backports into v6.18.y.
> >
> > Assisted-by: Gemini:gemini-3.1-pro
> > Cc: Miaoqian Lin <[email protected]>
> > Cc: Steven Rostedt (Google) <[email protected]>
> > Fixes: 0550069cc25f ("tracing: Properly process error handling in
> > event_hist_trigger_parse()")
> > Signed-off-by: Guenter Roeck <[email protected]>
> > ---
> > kernel/trace/trace_events_hist.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/trace_events_hist.c
> > b/kernel/trace/trace_events_hist.c
> > index 73ea180cad55..a2abdfe19281 100644
> > --- a/kernel/trace/trace_events_hist.c
> > +++ b/kernel/trace/trace_events_hist.c
> > @@ -6874,7 +6874,7 @@ static int event_hist_trigger_parse(struct
> > event_command *cmd_ops,
> > trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
> > if (!trigger_data) {
> > ret = -ENOMEM;
> > - goto out_free;
> > + goto out_destroy;
> > }
> >
> > ret = event_trigger_set_filter(cmd_ops, file, filter, trigger_data);
> > @@ -6942,7 +6942,7 @@ static int event_hist_trigger_parse(struct
> > event_command *cmd_ops,
> > remove_hist_vars(hist_data);
> >
> > trigger_data_free(trigger_data);
>
> I rather make trigger_data_free() more robust by starting it with:
>
> if (!data)
> return;
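Review bot: the `goto out_destroy` in the first hunk (the `if (!trigger_data)` branch after `trigger_data_alloc()`) repairs this one caller but leaves trigger_data_free() itself unable to accept a NULL pointer, so any other error path that reaches out_free while trigger_data is still NULL would hit the same dereference of data->cmd_ops->set_filter described in the commit message; the `if (!data) return;` guard at the top of trigger_data_free() proposed in the reply removes that class of bug at the callee, and the two changes are not mutually exclusive. The `ret = -ENOMEM;` assignment before the jump is kept, so the error code returned on this path is unchanged.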
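Review bot: the second hunk as quoted contains only context lines (`remove_hist_vars(hist_data);` and `trigger_data_free(trigger_data);`) and no `+`/`-` lines, so the `out_destroy:` label that the first hunk jumps to is not visible, even though the diffstat reports 2 insertions and 2 deletions and the first hunk accounts for only one of each; the quoted copy also has the `diff --git` line and both `@@` headers wrapped onto two lines, so it will not apply with `git am` in this form. Whether the label was lost to mail wrapping or omitted, the patch should show where `out_destroy:` sits relative to these two calls, because that placement decides which teardown still runs on the new path: hist_data has already been allocated when trigger_data_alloc() is called (it is passed in as an argument), so the new path must still release it while skipping only the trigger_data_free() call on a NULL pointer.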
Sure. No preference on my side. I'll send v2.

Thanks,
Guenter
