[PATCH AUTOSEL 6.19-6.18] rtla: Fix NULL pointer dereference in actions_parse

[Sasha Levin <sashal@kernel.org>]

From: Wander Lairson Costa <wander@redhat.com>

[ Upstream commit a0890f9dbd24b302d327fe7dad9b9c5be0e278aa ]

The actions_parse() function uses strtok() to tokenize the trigger
string, but does not check if the returned token is NULL before
passing it to strcmp(). If the trigger parameter is an empty string
or contains only delimiter characters, strtok() returns NULL, causing
strcmp() to dereference a NULL pointer and crash the program.

This issue can be triggered by malformed user input or edge cases in
trigger string parsing. Add a NULL check immediately after the strtok()
call to validate that a token was successfully extracted before using
it. If no token is found, the function now returns -1 to indicate a
parsing error.

Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260106133655.249887-13-wander@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Analysis of rtla NULL Pointer Dereference Fix

### Commit Message Analysis

The commit message is clear and explicit: it fixes a **NULL pointer
dereference** in `actions_parse()`. The bug mechanism is well-explained:
- `strtok()` can return NULL when given an empty string or a string
  containing only delimiters
- The returned value is passed directly to `strcmp()` without a NULL
  check
- This causes a crash (NULL pointer dereference)

The commit is from a Red Hat engineer, reviewed and applied by another
Red Hat engineer, and posted to the kernel mailing list with a proper
Link tag.

### Code Change Analysis

The fix is extremely small and surgical: **2 lines added**.

```c
token = strtok(trigger_c, ",");
+       if (!token)
+               return -1;

if (strcmp(token, "trace") == 0)
```

This is a textbook NULL check before dereference. The function already
returns `-1` for invalid trigger types, so this is consistent with
existing error handling patterns. The change:

1. Adds a NULL check after `strtok()` returns
2. Returns `-1` (error) if no token was found
3. Prevents the subsequent `strcmp(token, ...)` calls from crashing

### Bug Classification

- **Type**: NULL pointer dereference (crash/segfault)
- **Trigger**: Malformed user input (empty string or delimiter-only
  string passed as trigger)
- **Severity**: Program crash - rtla is a userspace tool, so this is a
  userspace crash, not a kernel crash
- **Scope**: Affects the `rtla` tracing tool (a userspace utility in
  `tools/tracing/rtla/`)

### Important Context: This is a Userspace Tool

The file is in `tools/tracing/rtla/` — this is **rtla** (Real-Time Linux
Analysis), a userspace tool shipped with the kernel source tree. It's
not kernel code per se, but a userspace utility that ships alongside the
kernel.

### Stable Kernel Criteria Assessment

1. **Obviously correct and tested**: Yes — a simple NULL check before
   dereference. The fix is trivially correct.
2. **Fixes a real bug**: Yes — NULL pointer dereference causing a crash
   on malformed input.
3. **Important issue**: Moderate — it's a crash in a userspace tool, not
   a kernel crash. However, it can be triggered by user input, which
   makes it a robustness issue.
4. **Small and contained**: Yes — 2 lines, 1 file, purely additive
   safety check.
5. **No new features**: Correct — this is purely a bug fix.
6. **Applies cleanly**: Should apply cleanly as it's a minimal change.

### Risk Assessment

- **Risk**: Essentially zero. Adding a NULL check and returning an error
  code cannot introduce a regression. The function already handles the
  `-1` return for other invalid inputs.
- **Benefit**: Prevents a crash when rtla receives malformed trigger
  input.

### Considerations

- This is a **userspace tool** fix, not a kernel fix. The stable kernel
  rules primarily target kernel code, but tools shipped with the kernel
  tree do get backported regularly.
- The fix is so small and obviously correct that there's virtually no
  risk.
- The `rtla` tool is used by real-time Linux users who rely on it for
  system analysis — a crash on malformed input is a real usability
  issue.

### Verdict

This is a straightforward NULL pointer dereference fix in a userspace
tool. It's small (2 lines), obviously correct, fixes a real crash
triggered by user input, and has zero regression risk. While it's a
userspace tool rather than kernel code, such fixes are commonly
backported to stable trees. The fix meets all stable kernel criteria.

**YES**

 tools/tracing/rtla/src/actions.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/tracing/rtla/src/actions.c b/tools/tracing/rtla/src/actions.c
index 8945aee58d511..15986505b4376 100644
--- a/tools/tracing/rtla/src/actions.c
+++ b/tools/tracing/rtla/src/actions.c
@@ -141,6 +141,8 @@ actions_parse(struct actions *self, const char *trigger, const char *tracefn)
 
 	strcpy(trigger_c, trigger);
 	token = strtok(trigger_c, ",");
+	if (!token)
+		return -1;
 
 	if (strcmp(token, "trace") == 0)
 		type = ACTION_TRACE_OUTPUT;
-- 
2.51.0