diff mbox series

[1/1] tracing: Fix memory leak when reading set_event file

Message ID 20250219104230.12000-1-ahuang12@lenovo.com (mailing list archive)
State Superseded
Headers show
Series [1/1] tracing: Fix memory leak when reading set_event file | expand

Commit Message

Adrian Huang Feb. 19, 2025, 10:42 a.m. UTC 
From: Adrian Huang <ahuang12@lenovo.com>

kmemleak reports the following memory leak after reading set_event file:

  # cat /sys/kernel/tracing/set_event

  # cat /sys/kernel/debug/kmemleak
  unreferenced object 0xff110001234449e0 (size 16):
  comm "cat", pid 13645, jiffies 4294981880
  hex dump (first 16 bytes):
    01 00 00 00 00 00 00 00 a8 71 e7 84 ff ff ff ff  .........q......
  backtrace (crc c43abbc):
    __kmalloc_cache_noprof+0x3ca/0x4b0
    s_start+0x72/0x2d0
    seq_read_iter+0x265/0x1080
    seq_read+0x2c9/0x420
    vfs_read+0x166/0xc30
    ksys_read+0xf4/0x1d0
    do_syscall_64+0x79/0x150
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

The issue can be reproduced regardless of whether set_event is empty or
not. Here is an example about the valid content of set_event.

  # cat /sys/kernel/tracing/set_event
  sched:sched_process_fork
  sched:sched_switch
  sched:sched_wakeup
  *:*:mod:trace_events_sample

The root cause is that s_next() returns NULL when nothing is found.
This results in s_stop() attempting to free a NULL pointer because its
parameter p is NULL.

Fix the issue by freeing the memory appropriately when s_next() fails
to find anything.

Fixes: b355247df104 ("tracing: Cache ":mod:" events for modules not loaded yet")
Signed-off-by: Adrian Huang <ahuang12@lenovo.com>
---
 kernel/trace/trace_events.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Steven Rostedt Feb. 19, 2025, 4:05 p.m. UTC | #1 
On Wed, 19 Feb 2025 18:42:30 +0800
Adrian Huang <adrianhuang0701@gmail.com> wrote:


> The root cause is that s_next() returns NULL when nothing is found.
> This results in s_stop() attempting to free a NULL pointer because its
> parameter p is NULL.
> 
> Fix the issue by freeing the memory appropriately when s_next() fails
> to find anything.
> 
> Fixes: b355247df104 ("tracing: Cache ":mod:" events for modules not loaded yet")
> Signed-off-by: Adrian Huang <ahuang12@lenovo.com>
> ---
>  kernel/trace/trace_events.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
> index 4cb275316e51..c76353ad0a4e 100644
> --- a/kernel/trace/trace_events.c
> +++ b/kernel/trace/trace_events.c
> @@ -1591,6 +1591,7 @@ s_next(struct seq_file *m, void *v, loff_t *pos)
>  		return iter;
>  #endif
>  
> +	kfree(iter);
>  	return NULL;
>  }
>  

This most definitely needs a comment, as it will look like a bug otherwise.
Please add:

	/*
	 * The iter is allocated in s_start() and passed via the 'v'
	 * parameter. To stop the iterator, NULL must be returned. But
	 * the return value is what the 'v' parameter in s_stop() receives
	 * and frees. Free iter here as it will no longer be used.
	 */
	kfree(iter);

I would also change the variable 'p' in s_stop() to 'v' to be consistent.

Thanks,

-- Steve
diff mbox series

Patch

diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 4cb275316e51..c76353ad0a4e 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1591,6 +1591,7 @@  s_next(struct seq_file *m, void *v, loff_t *pos)
 		return iter;
 #endif
 
+	kfree(iter);
 	return NULL;
 }