From: sashiko-bot@kernel.org
To: "Namhyung Kim" <namhyung@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 1/4] perf timechart: Release event samples at the end
Date: Fri, 05 Jun 2026 23:23:17 +0000 [thread overview]
Message-ID: <20260605232318.218551F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605231155.2415760-2-namhyung@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Double-free of the `backtrace` string in `timechart__release()` due to shared pointers across multiple `cpu_sample` objects.
--
commit 3e2b8bb6971b84cf83df8b57e574d558c36bdaf8
Author: Namhyung Kim <namhyung@kernel.org>
perf timechart: Release event samples at the end
This commit adds timechart__release() to clean up data structures created
during sample processing to prevent memory leaks when the perf tool exits.
> diff --git a/tools/perf/builtin-timechart.c b/tools/perf/builtin-timechart.c
> index 28f33e39895d3..73a08236ac299 100644
> --- a/tools/perf/builtin-timechart.c
> +++ b/tools/perf/builtin-timechart.c
[ ... ]
> @@ -1509,6 +1509,59 @@ static void write_svg_file(struct timechart *tchart, const char *filename)
> svg_close();
> }
>
> +static void timechart__release(struct timechart *tchart)
> +{
> + struct per_pid *p = tchart->all_data;
[ ... ]
> + while (c) {
> + struct per_pidcomm *next_comm = c->next;
> + struct cpu_sample *cs = c->samples;
> + struct io_sample *ios = c->io_samples;
> +
> + while (cs) {
> + struct cpu_sample *next = cs->next;
> +
> + free((char *)cs->backtrace);
> + free(cs);
> + cs = next;
> + }
[Severity: High]
Will this result in a double-free of the backtrace string?
Looking at sched_switch(), when a context switch occurs between two active
processes, it shares the exact same backtrace pointer across multiple
cpu_sample objects:
if (prev_p->current && prev_p->current->state != TYPE_NONE)
pid_put_sample(tchart, prev_pid, TYPE_RUNNING, cpu,
prev_p->current->state_since, timestamp,
backtrace);
if (p && p->current) {
if (p->current->state != TYPE_NONE)
pid_put_sample(tchart, next_pid, p->current->state, cpu,
p->current->state_since, timestamp,
backtrace);
Because timechart__release() iterates over all processes and unconditionally
calls free() on cs->backtrace, won't it attempt to free the same pointer
multiple times when it cleans up these overlapping samples?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605231155.2415760-1-namhyung@kernel.org?part=1
next prev parent reply other threads:[~2026-06-05 23:23 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 23:11 [PATCH 0/4] perf timechart: Fix memory leaks Namhyung Kim
2026-06-05 23:11 ` [PATCH 1/4] perf timechart: Release event samples at the end Namhyung Kim
2026-06-05 23:21 ` Arnaldo Carvalho de Melo
2026-06-05 23:31 ` Namhyung Kim
2026-06-05 23:23 ` sashiko-bot [this message]
2026-06-05 23:32 ` Namhyung Kim
2026-06-05 23:11 ` [PATCH 2/4] perf timechart: Fix memory leaks during record Namhyung Kim
2026-06-05 23:21 ` sashiko-bot
2026-06-05 23:23 ` Arnaldo Carvalho de Melo
2026-06-05 23:11 ` [PATCH 3/4] perf timechart: Fix memory leaks in draw_wakeups() Namhyung Kim
2026-06-05 23:17 ` sashiko-bot
2026-06-05 23:20 ` Namhyung Kim
2026-06-05 23:11 ` [PATCH 4/4] perf test: Update perf timechart test Namhyung Kim
2026-06-05 23:19 ` [PATCH 0/4] perf timechart: Fix memory leaks Arnaldo Carvalho de Melo
2026-06-05 23:28 ` Namhyung Kim
2026-06-05 23:41 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605232318.218551F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=namhyung@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.