From: Namhyung Kim <namhyung@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 1/4] perf timechart: Release event samples at the end
Date: Fri, 5 Jun 2026 16:32:57 -0700 [thread overview]
Message-ID: <aiNcqfkyWo4zPsxC@google.com> (raw)
In-Reply-To: <20260605232318.218551F00893@smtp.kernel.org>
On Fri, Jun 05, 2026 at 11:23:17PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Double-free of the `backtrace` string in `timechart__release()` due to shared pointers across multiple `cpu_sample` objects.
> --
>
> commit 3e2b8bb6971b84cf83df8b57e574d558c36bdaf8
> Author: Namhyung Kim <namhyung@kernel.org>
>
> perf timechart: Release event samples at the end
>
> This commit adds timechart__release() to clean up data structures created
> during sample processing to prevent memory leaks when the perf tool exits.
>
> > diff --git a/tools/perf/builtin-timechart.c b/tools/perf/builtin-timechart.c
> > index 28f33e39895d3..73a08236ac299 100644
> > --- a/tools/perf/builtin-timechart.c
> > +++ b/tools/perf/builtin-timechart.c
> [ ... ]
> > @@ -1509,6 +1509,59 @@ static void write_svg_file(struct timechart *tchart, const char *filename)
> > svg_close();
> > }
> >
> > +static void timechart__release(struct timechart *tchart)
> > +{
> > + struct per_pid *p = tchart->all_data;
> [ ... ]
> > + while (c) {
> > + struct per_pidcomm *next_comm = c->next;
> > + struct cpu_sample *cs = c->samples;
> > + struct io_sample *ios = c->io_samples;
> > +
> > + while (cs) {
> > + struct cpu_sample *next = cs->next;
> > +
> > + free((char *)cs->backtrace);
> > + free(cs);
> > + cs = next;
> > + }
>
> [Severity: High]
> Will this result in a double-free of the backtrace string?
>
> Looking at sched_switch(), when a context switch occurs between two active
> processes, it shares the exact same backtrace pointer across multiple
> cpu_sample objects:
>
> if (prev_p->current && prev_p->current->state != TYPE_NONE)
> pid_put_sample(tchart, prev_pid, TYPE_RUNNING, cpu,
> prev_p->current->state_since, timestamp,
> backtrace);
> if (p && p->current) {
> if (p->current->state != TYPE_NONE)
> pid_put_sample(tchart, next_pid, p->current->state, cpu,
> p->current->state_since, timestamp,
> backtrace);
>
> Because timechart__release() iterates over all processes and unconditionally
> calls free() on cs->backtrace, won't it attempt to free the same pointer
> multiple times when it cleans up these overlapping samples?
Actually this is handled in another series.
Thanks,
Namhyung
next prev parent reply other threads:[~2026-06-05 23:32 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 23:11 [PATCH 0/4] perf timechart: Fix memory leaks Namhyung Kim
2026-06-05 23:11 ` [PATCH 1/4] perf timechart: Release event samples at the end Namhyung Kim
2026-06-05 23:21 ` Arnaldo Carvalho de Melo
2026-06-05 23:31 ` Namhyung Kim
2026-06-05 23:23 ` sashiko-bot
2026-06-05 23:32 ` Namhyung Kim [this message]
2026-06-05 23:11 ` [PATCH 2/4] perf timechart: Fix memory leaks during record Namhyung Kim
2026-06-05 23:21 ` sashiko-bot
2026-06-05 23:23 ` Arnaldo Carvalho de Melo
2026-06-05 23:11 ` [PATCH 3/4] perf timechart: Fix memory leaks in draw_wakeups() Namhyung Kim
2026-06-05 23:17 ` sashiko-bot
2026-06-05 23:20 ` Namhyung Kim
2026-06-05 23:11 ` [PATCH 4/4] perf test: Update perf timechart test Namhyung Kim
2026-06-05 23:19 ` [PATCH 0/4] perf timechart: Fix memory leaks Arnaldo Carvalho de Melo
2026-06-05 23:28 ` Namhyung Kim
2026-06-05 23:41 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiNcqfkyWo4zPsxC@google.com \
--to=namhyung@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.