[PATCH 1/6] perf/sched: fix memory leaks in schedstat processing

[Wang Haoran <haoranwangsec@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 5991 bytes --]

>From 82a2414eac53e2052646a1c90a8eb8c03cecef22 Mon Sep 17 00:00:00 2001
From: Wang Haoran <haoranwangsec@gmail.com>
Date: Thu, 28 May 2026 15:16:39 +0800
Subject: [PATCH 1/6] perf/sched: fix memory leaks in schedstat processing

perf_sched__process_schedstat() allocates a schedstat_cpu (or
schedstat_domain) struct and its embedded data pointer, but fails to
free either when the data pointer allocation fails or when the
after_workload_flag path discards the temporary struct after diffing.

free_schedstat() walks the cpu_head list and frees each node but
omits the cpu_data and domain_data pointers allocated inside each
node, leaking them on every normal exit path.

Fix all three cases:
- free temp on zalloc failure of the inner data pointer
- free temp and its data pointer after store_schedstat_*_diff()
- free cpu_data/domain_data inside free_schedstat()

Fixes: <schedstat processing code>
Signed-off-by: Wang Haoran <haoranwangsec@gmail.com>
---
 tools/perf/builtin-sched.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 3f509cfdd..ab4c9ffa4 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -4413,8 +4413,10 @@ static int perf_sched__process_schedstat(const struct perf_tool *tool __maybe_un
 			return -ENOMEM;
 
 		temp->cpu_data = zalloc(sizeof(*temp->cpu_data));
-		if (!temp->cpu_data)
+		if (!temp->cpu_data) {
+			free(temp);
 			return -ENOMEM;
+		}
 
 		memcpy(temp->cpu_data, &event->schedstat_cpu, sizeof(*temp->cpu_data));
 
@@ -4439,6 +4441,8 @@ static int perf_sched__process_schedstat(const struct perf_tool *tool __maybe_un
 			domain_second_pass = list_first_entry(&cpu_second_pass->domain_head,
 							      struct schedstat_domain, domain_list);
 			store_schedstat_cpu_diff(temp);
+			free(temp->cpu_data);
+			free(temp);
 		}
 	} else if (event->header.type == PERF_RECORD_SCHEDSTAT_DOMAIN) {
 		struct schedstat_cpu *cpu_tail;
@@ -4448,8 +4452,10 @@ static int perf_sched__process_schedstat(const struct perf_tool *tool __maybe_un
 			return -ENOMEM;
 
 		temp->domain_data = zalloc(sizeof(*temp->domain_data));
-		if (!temp->domain_data)
+		if (!temp->domain_data) {
+			free(temp);
 			return -ENOMEM;
+		}
 
 		memcpy(temp->domain_data, &event->schedstat_domain, sizeof(*temp->domain_data));
 
@@ -4458,6 +4464,8 @@ static int perf_sched__process_schedstat(const struct perf_tool *tool __maybe_un
 			list_add_tail(&temp->domain_list, &cpu_tail->domain_head);
 		} else {
 			store_schedstat_domain_diff(temp);
+			free(temp->domain_data);
+			free(temp);
 			domain_second_pass = list_next_entry(domain_second_pass, domain_list);
 		}
 	}
@@ -4473,9 +4481,11 @@ static void free_schedstat(struct list_head *head)
 	list_for_each_entry_safe(cptr, n2, head, cpu_list) {
 		list_for_each_entry_safe(dptr, n1, &cptr->domain_head, domain_list) {
 			list_del_init(&dptr->domain_list);
+			free(dptr->domain_data);
 			free(dptr);
 		}
 		list_del_init(&cptr->cpu_list);
+		free(cptr->cpu_data);
 		free(cptr);
 	}
 }
-- 
2.53.0



---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

0xb0 [0]: failed to process type: 1685713920 [Invalid argument]

=================================================================
==55915==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x7f86f552b60f in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x7f86f4096e6e in __vasprintf_internal libio/vasprintf.c:116
    #2 0x7f86f4143172 in ___asprintf_chk debug/asprintf_chk.c:34
    #3 0x6072f7e48ee3 in asprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:206
    #4 0x6072f7e48ee3 in astrcat 
    #5 0x6072f7e48ee3 in parse_options_subcommand 
    #6 0x6072f7de3ef0 in cmd_sched (perf+0x33eef0) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x6072f7e2887f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x6072f7c9b836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x7f86f402a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x7f86f402a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x6072f7ca3754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x7bf6f33e0800 (73 bytes)

Direct leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x7f86f552b40f in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:74
    #1 0x6072f7dcfe52 in perf_sched__process_schedstat (perf+0x32ae52) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x6072f80fcdc2 in perf_session__process_user_event (perf+0x657dc2) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x6072f8101af8 in process_simple (perf+0x65caf8) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x6072f8103865 in reader__read_event (perf+0x65e865) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x6072f810421d in perf_session__process_events (perf+0x65f21d) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #6 0x6072f7de9f97 in cmd_sched (perf+0x344f97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x6072f7e2887f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x6072f7c9b836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x7f86f402a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x7f86f402a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x6072f7ca3754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x7bf6f33e24e0 (72 bytes)

SUMMARY: AddressSanitizer: 145 byte(s) leaked in 2 allocation(s).

[-- Attachment #2: crash_err234_iter50.data --]
[-- Type: application/octet-stream, Size: 4753 bytes --]