If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter.
Fix the problem by adding a new goto label and jumping to it if trigger_data_alloc() returns NULL. The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y. Assisted-by: Gemini:gemini-3.1-pro Cc: Miaoqian Lin <[email protected]> Cc: Steven Rostedt (Google) <[email protected]> Fixes: 0550069cc25f ("tracing: Properly process error handling in event_hist_trigger_parse()") Signed-off-by: Guenter Roeck <[email protected]> --- kernel/trace/trace_events_hist.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 73ea180cad55..a2abdfe19281 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -6874,7 +6874,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops, trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data); if (!trigger_data) { ret = -ENOMEM; - goto out_free; + goto out_destroy; } ret = event_trigger_set_filter(cmd_ops, file, filter, trigger_data); @@ -6942,7 +6942,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops, remove_hist_vars(hist_data); trigger_data_free(trigger_data); - +out_destroy: destroy_hist_data(hist_data); goto out; } -- 2.45.2
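Review bot: the new `goto out_destroy` in the first hunk skips remove_hist_vars(hist_data) as well as trigger_data_free(), but the changelog only justifies bypassing trigger_data_free(). Please state in the commit message that remove_hist_vars() has nothing to undo at this point (the allocation failure occurs before event_trigger_set_filter() and the rest of the registration path visible below it run), so a reader of the backport does not have to re-derive that. An alternative worth considering is making trigger_data_free() tolerate a NULL argument the way kfree() does, which would cover any other path that reaches out_free with trigger_data == NULL instead of fixing this single call site.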
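Review bot: the second hunk replaces the blank line after trigger_data_free(trigger_data); with the `out_destroy:` label, so the label now sits directly against the preceding call. Keep a blank line before the label (`trigger_data_free(trigger_data);`, blank line, `out_destroy:`) so the two cleanup stages, freeing the trigger data and destroying the hist data, stay visually separated; the diffstat would then show the change as a pure one-line addition rather than a replaced line.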
