From 76a0eb8d5a20c69120a5f8b4c12f4da0cdc15bb5 Mon Sep 17 00:00:00 2001

From: Ian Rogers <irogers@google.com>

Date: Tue, 30 Apr 2024 00:39:08 -0700

Subject: [PATCH 1/7] libtraceevent: Fix event-parse memory leak in

 process_cond

Leak sanitizer was reporting a stack trace with perf:

```

$ perf stat -e 'kvm:kvm_inj_exception' true

 Performance counter stats for 'true':

                 0      kvm:kvm_inj_exception

       0.001701473 seconds time elapsed

       0.000000000 seconds user

       0.001865000 seconds sys

=================================================================

==1705137==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 2 byte(s) in 1 object(s) allocated from:

    #0 0x7f413ee80778 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454

    #1 0x7f413ecb7b66 in __read_token libtraceevent/src/event-parse.c:1274

    #2 0x7f413ecb85bb in read_token libtraceevent/src/event-parse.c:1432

    #3 0x7f413ecbeaaa in process_entry libtraceevent/src/event-parse.c:2554

    #4 0x7f413ecc54ae in process_arg_token libtraceevent/src/event-parse.c:3698

    #5 0x7f413ecbb52e in process_arg libtraceevent/src/event-parse.c:2017

    #6 0x7f413ecbd05a in process_op libtraceevent/src/event-parse.c:2357

    #7 0x7f413ecc5a56 in process_arg_token libtraceevent/src/event-parse.c:3752

    #8 0x7f413ecbb52e in process_arg libtraceevent/src/event-parse.c:2017

    #9 0x7f413ecc5dd6 in event_read_print_args libtraceevent/src/event-parse.c:3791

    #10 0x7f413ecc6511 in event_read_print libtraceevent/src/event-parse.c:3879

    #11 0x7f413ecda16c in parse_format libtraceevent/src/event-parse.c:7808

    #12 0x7f413ecda667 in __parse_event libtraceevent/src/event-parse.c:7866

    #13 0x7f413ecda71b in tep_parse_format libtraceevent/src/event-parse.c:7908

    #14 0x561672439029 in tp_format util/trace-event.c:94

    #15 0x561672439141 in trace_event__tp_format util/trace-event.c:109

    #16 0x56167230a429 in evsel__newtp_idx util/evsel.c:472

    #17 0x561672329f99 in add_tracepoint util/parse-events.c:552

    #18 0x56167232a5b4 in add_tracepoint_event util/parse-events.c:627

    #19 0x56167232ebf2 in parse_events_add_tracepoint util/parse-events.c:1313

    #20 0x561672411e0e in parse_events_parse util/parse-events.y:500

    #21 0x561672332409 in parse_events__scanner util/parse-events.c:1878

    #22 0x561672333cd4 in __parse_events util/parse-events.c:2146

    #23 0x561672334e74 in parse_events_option util/parse-events.c:2349

    #24 0x56167269ec23 in get_value tools/lib/subcmd/parse-options.c:251

    #25 0x56167269fe65 in parse_short_opt tools/lib/subcmd/parse-options.c:351

    #26 0x5616726a0e4d in parse_options_step tools/lib/subcmd/parse-options.c:539

    #27 0x5616726a1d86 in parse_options_subcommand tools/lib/subcmd/parse-options.c:654

    #28 0x5616720e6ad2 in cmd_stat tools/perf/builtin-stat.c:2531

    #29 0x5616722b0f5d in run_builtin tools/perf/perf.c:350

$ cat /sys/kernel/tracing/events/kvm/kvm_inj_exception/format

name: kvm_inj_exception

ID: 1956

format:

        field:unsigned short common_type;       offset:0;       size:2; signed:0;

        field:unsigned char common_flags;       offset:2;       size:1; signed:0;

        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;

        field:int common_pid;   offset:4;       size:4; signed:1;

        field:u8 exception;     offset:8;       size:1; signed:0;

        field:u8 has_error;     offset:9;       size:1; signed:0;

        field:u32 error_code;   offset:12;      size:4; signed:0;

        field:bool reinjected;  offset:16;      size:1; signed:0;

print fmt: "%s%s%s%s%s", __print_symbolic(REC->exception, { 0, "#" "DE" }, { 1, "#" "DB" }, { 3, "#" "BP" }, { 4, "#" "OF" }, { 5, "#" "BR" }, { 6, "#" "UD" }, { 7, "#" "NM" }, { 8, "#" "DF" }, { 10, "#" "TS" }, { 11, "#" "NP" }, { 12, "#" "SS" }, { 13, "#" "GP" }, { 14, "#" "PF" }, { 16, "#" "MF" }, { 17, "#" "AC" }, { 18, "#" "MC" }), !REC->has_error ? "" : " (", !REC->has_error ? "" : __print_symbolic(REC->error_code, { }), !REC->has_error ? "" : ")", REC->reinjected ? " [reinjected]" : ""

```

The issue appears to be that when process_cond returns an error,

callers clear the variable holding the string but the string was never

freed. This change adds the free when process_cond returns

TEP_EVENT_ERROR.

Link: https://lore.kernel.org/linux-trace-devel/20240430073908.1706482-1-irogers@google.com

Signed-off-by: Ian Rogers <irogers@google.com>

Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

---

 src/event-parse.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/event-parse.c b/src/event-parse.c

index 61b0966..2c38fe5 100644

--- a/src/event-parse.c

+++ b/src/event-parse.c

@@ -2373,6 +2373,8 @@ process_op(struct tep_event *event, struct tep_print_arg *arg, char **tok)

 		/* it will set arg->op.right */

 		type = process_cond(event, arg, tok);

+		if (type == TEP_EVENT_ERROR)

+			free(token);

 	} else if (strcmp(token, ">>") == 0 ||

 		   strcmp(token, "<<") == 0 ||

-- 

2.45.2