Merge tag 'trace-v6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing fix from Steven Rostedt:

 - Do not free "head" variable in filter_free_subsystem_filters()

   The first error path jumps to "free_now" label but first frees the
   newly allocated "head" variable. But the "free_now" code checks this
   variable, and if it is not NULL, it will iterate the list. As this
   list variable was already initialized, the "free_now" code will not
   do anything as it is empty. But freeing it will cause a UAF bug.

   The error path should simply jump to the "free_now" label and leave
   the "head" variable alone.

* tag 'trace-v6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing: Do not free "head" on error path of filter_free_subsystem_filters()

1 files changed, 1 insertions, 3 deletions

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index ea8b364b6818..08141f105c95 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1437,10 +1437,8 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
 	INIT_LIST_HEAD(&head->list);
 
 	item = kmalloc(sizeof(*item), GFP_KERNEL);
-	if (!item) {
-		kfree(head);
+	if (!item)
 		goto free_now;
-	}
 
 	item->filter = filter;
 	list_add_tail(&item->list, &head->list);