tracing: Fix filter logic error

If the processing of the tr->events loop fails, the filter that has been
added to filter_head will be released twice in free_filter_list(&head->rcu)
and __free_filter(filter).

After adding the filter of tr->events, add the filter to the filter_head
process to avoid triggering uaf.

Link: https://lore.kernel.org/[email protected]
Fixes: a9d0aab ("tracing: Fix regression of filter waiting a long time on RCU synchronization")
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=daba72c4af9915e9c894
Tested-by: [email protected]
Acked-by: Masami Hiramatsu (Google) <[email protected]>
Signed-off-by: Edward Adam Davis <[email protected]>
Signed-off-by: Steven Rostedt (Google) <[email protected]>

Author: ea1davis

kernel/trace/trace_events_filter.c

@@ -1436,13 +1436,6 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
 
 	INIT_LIST_HEAD(&head->list);
 
-	item = kmalloc(sizeof(*item), GFP_KERNEL);
-	if (!item)
-		goto free_now;
-
-	item->filter = filter;
-	list_add_tail(&item->list, &head->list);
-
 	list_for_each_entry(file, &tr->events, list) {
 		if (file->system != dir)
 			continue;
@@ -1454,6 +1447,13 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
 		event_clear_filter(file);
 	}
 
+	item = kmalloc(sizeof(*item), GFP_KERNEL);
+	if (!item)
+		goto free_now;
+
+	item->filter = filter;
+	list_add_tail(&item->list, &head->list);
+
 	delay_free_filter(head);
 	return;
  free_now: