Re: [PATCH v10 1/9] perf cs-etm: Fix thread leaks on trace queue init failure

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Leo Yan" <leo.yan@arm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v10 1/9] perf cs-etm: Fix thread leaks on trace queue init failure
Date: Wed, 17 Jun 2026 20:25:25 +0000	[thread overview]
Message-ID: <20260617202525.CD4211F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260617-b4-arm_cs_callchain_support_v1-v10-1-e8b6e5d63db5@arm.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [Medium] Crash via NULL pointer dereference in `cs_etm__etmq_get_traceid_queue()` when `intlist__findnew()` fails.
- [Medium] Memory and thread reference leak in `cs_etm__etmq_get_traceid_queue()` when `reallocarray()` fails.
--

commit 81959854a0401183b992f3f15f791657d4e73afb
Author: Leo Yan <leo.yan@arm.com>

perf cs-etm: Fix thread leaks on trace queue init failure

cs_etm__init_traceid_queue() allocates the frontend and decode threads.
If a later allocation fails, the error path does not drop the thread
references that were already acquired. This patch releases both thread
pointers on the error path to avoid leaking thread references.

> diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c
> index 0927b0b9c06b1..d484a6155c2c2 100644
> --- a/tools/perf/util/cs-etm.c
> +++ b/tools/perf/util/cs-etm.c

[ ... ]

> @@ -661,6 +663,8 @@ static int cs_etm__init_traceid_queue(struct cs_etm_queue *etmq,
>  	zfree(&tidq->prev_packet);
>  	zfree(&tidq->packet);
>  out:
> +	thread__zput(tidq->frontend_thread);
> +	thread__zput(tidq->decode_thread);
>  	return rc;
>  }

[Severity: Medium]
This isn't a regression introduced by this patch, but while looking at the
thread and memory leaks fixed here, I noticed a pre-existing regression in
the caller cs_etm__etmq_get_traceid_queue() which calls
cs_etm__init_traceid_queue():

tools/perf/util/cs-etm.c:cs_etm__etmq_get_traceid_queue() {
...
	if (cs_etm__init_traceid_queue(etmq, tidq, trace_chan_id))
		goto out_free;

	/* Grow the traceid_queues array by one unit */
	traceid_queues = etmq->traceid_queues;
	traceid_queues = reallocarray(traceid_queues,
				      idx + 1,
				      sizeof(*traceid_queues));

	if (!traceid_queues)
		goto out_free;
...
out_free:
	intlist__remove(traceid_queues_list, inode);
	free(tidq);

	return NULL;
}

If reallocarray() fails, the code jumps to out_free. Does this leak the
inner allocations and thread references of tidq? 

It appears free(tidq) is called, but the nested allocations (like
tidq->packet, tidq->last_branch) and the thread references acquired in
cs_etm__init_traceid_queue() are never cleaned up here.

[Severity: Medium]
This is another pre-existing regression in the same function. Looking
slightly higher up in cs_etm__etmq_get_traceid_queue():

tools/perf/util/cs-etm.c:cs_etm__etmq_get_traceid_queue() {
...
	inode = intlist__findnew(traceid_queues_list, trace_chan_id);
	if (!inode)
		goto out_free;
...
out_free:
	intlist__remove(traceid_queues_list, inode);
	free(tidq);

	return NULL;
}

If intlist__findnew() fails, inode will be NULL. Could calling
intlist__remove() with a NULL inode cause a crash? 

It looks like intlist__remove() unconditionally dereferences the node passed
to it.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617-b4-arm_cs_callchain_support_v1-v10-0-e8b6e5d63db5@arm.com?part=1

next prev parent reply	other threads:[~2026-06-17 20:25 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-17 15:08 [PATCH v10 0/9] perf cs-etm: Support thread stack and callchain Leo Yan
2026-06-17 15:08 ` [PATCH v10 1/9] perf cs-etm: Fix thread leaks on trace queue init failure Leo Yan
2026-06-17 20:25   ` sashiko-bot [this message]
2026-06-17 15:08 ` [PATCH v10 2/9] perf cs-etm: Filter synthesized branch samples Leo Yan
2026-06-17 15:08 ` [PATCH v10 3/9] perf cs-etm: Decode ETE exception packets Leo Yan
2026-06-17 15:08 ` [PATCH v10 4/9] perf cs-etm: Refactor instruction size handling Leo Yan
2026-06-17 15:08 ` [PATCH v10 5/9] perf cs-etm: Use thread-stack for last branch entries Leo Yan
2026-06-17 20:56   ` sashiko-bot
2026-06-17 15:08 ` [PATCH v10 6/9] perf cs-etm: Flush thread stacks after decoder reset Leo Yan
2026-06-17 21:08   ` sashiko-bot
2026-06-17 15:08 ` [PATCH v10 7/9] perf cs-etm: Support call indentation Leo Yan
2026-06-17 21:20   ` sashiko-bot
2026-06-17 15:08 ` [PATCH v10 8/9] perf cs-etm: Synthesize callchains for instruction samples Leo Yan
2026-06-17 21:35   ` sashiko-bot
2026-06-17 15:09 ` [PATCH v10 9/9] perf test: Add Arm CoreSight callchain test Leo Yan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260617202525.CD4211F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=leo.yan@arm.com \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.