| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-06-28 11:39:24 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-06-28 11:39:24 -0700 |
| commit | ded779017ad78fc9df3e9d9ae0e39d2e73865851 (patch) | |
| tree | 0f1a30110fd18d340935c3159bf304c7b05e1282 /net/unix/af_unix.c | |
| parent | 3a3de75a68ff8d52466980c4cfb2c16192d5e4e7 (diff) | |
| parent | 6921d1e07cb5eddec830801087b419194fde0803 (diff) | |
Merge tag 'trace-v6.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing fix from Steven Rostedt:
- Fix possible UAF on error path in filter_free_subsystem_filters()

  When freeing a subsystem filter, the filter for the subsystem is
  passed in to be freed and all the events within the subsystem will
  have their filter freed too. In order to free without waiting for RCU
  synchronization, list items are allocated to hold what is going to be
  freed to free it via a call_rcu(). If the allocation of these items
  fails, it will call the synchronization directly and free after that
  (causing a bit of delay for the user).

  The subsystem filter is first added to this list and then the filters
  for all the events under the subsystem. The bug is if one of the
  allocations of the list items for the event filters fails to allocate,
  it jumps to the "free_now" label which will free the subsystem
  filter, then all the items on the allocated list, and then the event
  filters that were not added to the list yet. But because the
  subsystem filter was added first, it gets freed twice.

  The solution is to add the subsystem filter after the events, and
  then if any of the allocations fail it will not try to free any of
  them twice.
* tag 'trace-v6.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
    tracing: Fix filter logic error
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions