From: Dan Carpenter <dan.carpenter@linaro.org>
To: Miaoqian Lin <linmq006@gmail.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
linux-trace-kernel@vger.kernel.org,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: [bug report] tracing: Properly process error handling in event_hist_trigger_parse()
Date: Fri, 6 Feb 2026 16:40:54 +0300
Message-ID: <aYXvZgN5nrTr9onx@stanley.mountain>
In-Reply-To: <caa37f28-a2e8-4e0a-a9ce-a365ce805e4b@stanley.mountain>

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Miaoqian Lin,

Commit 0550069cc25f ("tracing: Properly process error handling in
event_hist_trigger_parse()") from Dec 11, 2025 (linux-next), leads to
the following Smatch static checker warning:

	kernel/trace/trace_events_hist.c:6925 event_hist_trigger_parse()
	error: we previously assumed 'trigger_data' could be null (see line 6856)

kernel/trace/trace_events_hist.c
    6855         trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
    6856         if (!trigger_data) {
    6857                 ret = -ENOMEM;
    6858                 goto out_free;

trigger_data is NULL here.

    6859         }
    6860
    6861         ret = event_trigger_set_filter(cmd_ops, file, filter, trigger_data);
    6862         if (ret < 0)
    6863                 goto out_free;
    6864
    6865         if (remove) {
    6866                 if (!have_hist_trigger_match(trigger_data, file))
    6867                         goto out_free;
    6868
    6869                 if (hist_trigger_check_refs(trigger_data, file)) {
    6870                         ret = -EBUSY;
    6871                         goto out_free;
    6872                 }
    6873
    6874                 event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
    6875                 se_name = trace_event_name(file->event_call);
    6876                 se = find_synth_event(se_name);
    6877                 if (se)
    6878                         se->ref--;
    6879                 ret = 0;
    6880                 goto out_free;
    6881         }
    6882
    6883         if (existing_hist_update_only(glob, trigger_data, file))
    6884                 goto out_free;
    6885
    6886         if (!get_named_trigger_data(trigger_data)) {
    6887
    6888                 ret = create_actions(hist_data);
    6889                 if (ret)
    6890                         goto out_free;
    6891
    6892                 if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
    6893                         ret = save_hist_vars(hist_data);
    6894                         if (ret)
    6895                                 goto out_free;
    6896                 }
    6897
    6898                 ret = tracing_map_init(hist_data->map);
    6899                 if (ret)
    6900                         goto out_free;
    6901         }
    6902
    6903         ret = event_trigger_register(cmd_ops, file, glob, trigger_data);
    6904         if (ret < 0)
    6905                 goto out_free;
    6906
    6907         ret = hist_trigger_enable(trigger_data, file);
    6908         if (ret)
    6909                 goto out_unreg;
    6910
    6911         se_name = trace_event_name(file->event_call);
    6912         se = find_synth_event(se_name);
    6913         if (se)
    6914                 se->ref++;
    6915  out:
    6916         if (ret == 0 && glob[0])
    6917                 hist_err_clear();
    6918
    6919         return ret;
    6920  out_unreg:
    6921         event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
    6922  out_free:
    6923         remove_hist_vars(hist_data);
    6924
--> 6925         trigger_data_free(trigger_data);

Originally this was kfree(trigger_data) so passing a NULL pointer was
fine, but now it will crash.

    6926
    6927         destroy_hist_data(hist_data);
    6928         goto out;
    6929 }
    6930
    6931 static struct event_command trigger_hist_cmd = {
    6932         .name = "hist",
    6933         .trigger_type = ETT_EVENT_HIST,
    6934         .flags = EVENT_CMD_FL_NEEDS_REC,
    6935         .parse = event_hist_trigger_parse,

regards,
dan carpenter
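
The failure pattern reported above, modelled in user-space C as an added example; it is not part of the original message and is not kernel code. The names `struct trigger`, `trigger_alloc()`, `trigger_free_strict()`, `trigger_free_nullsafe()` and `parse()` are hypothetical, and the NULL check in the release helper is one common remedy, not necessarily the fix applied upstream.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for illustration; not the kernel's structure. */
struct trigger { char *filter; };

int live;	/* objects allocated and not yet released */

struct trigger *trigger_alloc(bool fail)
{
	struct trigger *t = fail ? NULL : calloc(1, sizeof(*t));

	if (t)
		live++;
	return t;
}

/* Reads a member before freeing, so a NULL argument is a NULL dereference. */
void trigger_free_strict(struct trigger *t)
{
	free(t->filter);
	free(t);
	live--;
}

/* Same contract as kfree()/free(): a NULL argument is a no-op. */
void trigger_free_nullsafe(struct trigger *t)
{
	if (!t)
		return;
	trigger_free_strict(t);
}

/* One error label is reached both with and without a valid object. */
int parse(bool fail_alloc, bool fail_later, struct trigger **out)
{
	struct trigger *t = trigger_alloc(fail_alloc);
	int ret;

	if (!t) {
		ret = -ENOMEM;
		goto out_free;		/* t == NULL on this path */
	}
	if (fail_later) {
		ret = -EINVAL;
		goto out_free;		/* t is valid on this path */
	}
	*out = t;			/* success: ownership passes to the caller */
	return 0;
out_free:
	trigger_free_nullsafe(t);	/* trigger_free_strict(t) would crash on -ENOMEM */
	return ret;
}
```

When a cleanup call at a shared label is changed from a plain free to a helper, every `goto` that reaches the label needs rechecking for paths where the pointer is still NULL.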