* [PATCH v2] perf annotate: Use jump__delete when freeing LoongArch jumps
@ 2026-04-13 10:03 Rong Bao
2026-04-13 10:35 ` sashiko-bot
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Rong Bao @ 2026-04-13 10:03 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim
Cc: Rong Bao, stable, WANG Rui, Huacai Chen, WANG Xuerui, loongarch,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, linux-perf-users, linux-kernel
Currently, the initialization of loongarch_jump_ops does not contain an
assignment to its .free field. This causes disasm_line__free() to fall
through to ins_ops__delete() for LoongArch jump instructions.
ins_ops__delete() will free ins_operands.source.raw and
ins_operands.source.name, and these fields overlap with
ins_operands.jump.raw_comment and ins_operands.jump.raw_func_start.
Since in loongarch_jump__parse(), these two fields are populated by
strchr()-ing the same buffer, trying to free them will lead to undefined
behavior.
This invalid free usually leads to crashes:
Process 1712902 (perf) of user 1000 dumped core.
Stack trace of thread 1712902:
#0 0x00007fffef155c58 n/a (libc.so.6 + 0x95c58)
#1 0x00007fffef0f7a94 raise (libc.so.6 + 0x37a94)
#2 0x00007fffef0dd6a8 abort (libc.so.6 + 0x1d6a8)
#3 0x00007fffef145490 n/a (libc.so.6 + 0x85490)
#4 0x00007fffef1646f4 n/a (libc.so.6 + 0xa46f4)
#5 0x00007fffef164718 n/a (libc.so.6 + 0xa4718)
#6 0x00005555583a6764 __zfree (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x106764)
#7 0x000055555854fb70 disasm_line__free (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x2afb70)
#8 0x000055555853d618 annotated_source__purge (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x29d618)
#9 0x000055555852300c __hist_entry__tui_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28300c)
#10 0x0000555558526718 do_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x286718)
#11 0x000055555852ed94 evsel__hists_browse (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28ed94)
#12 0x000055555831fdd0 cmd_report (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x7fdd0)
#13 0x000055555839b644 handle_internal_command (/home/csmantle/dist/linux-arch/tools/perf/perf + 0xfb644)
#14 0x00005555582fe6ac main (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5e6ac)
#15 0x00007fffef0ddd90 n/a (libc.so.6 + 0x1dd90)
#16 0x00007fffef0ddf0c __libc_start_main (libc.so.6 + 0x1df0c)
#17 0x00005555582fed10 _start (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5ed10)
ELF object binary architecture: LoongArch
... and it can be confirmed with Valgrind:
==1721834== Invalid free() / delete / delete[] / realloc()
==1721834== at 0x4EA9014: free (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so)
==1721834== by 0x4106287: __zfree (zalloc.c:13)
==1721834== by 0x42ADC8F: disasm_line__free (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x429B737: annotated_source__purge (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42811EB: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== Address 0x7d34303 is 35 bytes inside a block of size 62 alloc'd
==1721834== at 0x4EA59B8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so)
==1721834== by 0x6B80B6F: strdup (strdup.c:42)
==1721834== by 0x42AD917: disasm_line__new (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42AE5A3: symbol__disassemble_objdump (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42AF0A7: symbol__disassemble (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x429B3CF: symbol__annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x429C233: symbol__annotate2 (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42804D3: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf)
This patch adds the missing free() specialization in loongarch_jump_ops,
which prevents disasm_line__free() from invoking the default cleanup
function.
Fixes: fb7fd2a14a503b9a ("perf annotate: Move raw_comment and raw_func_start fields out of 'struct ins_operands'")
Cc: stable@vger.kernel.org
Cc: WANG Rui <wangrui@loongson.cn>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: loongarch@lists.linux.dev
Signed-off-by: Rong Bao <rong.bao@csmantle.top>
---
v1 -> v2: Correct "Fixes:" tag and move declaration of jump__delete()
per comments.
v1: https://lore.kernel.org/lkml/20260412062828.1734637-1-rong.bao@csmantle.top
tools/perf/util/annotate-arch/annotate-loongarch.c | 1 +
tools/perf/util/disasm.c | 2 +-
tools/perf/util/disasm.h | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/annotate-arch/annotate-loongarch.c b/tools/perf/util/annotate-arch/annotate-loongarch.c
index 950f34e59e5cd..c2addca77320b 100644
--- a/tools/perf/util/annotate-arch/annotate-loongarch.c
+++ b/tools/perf/util/annotate-arch/annotate-loongarch.c
@@ -110,6 +110,7 @@ static int loongarch_jump__parse(const struct arch *arch, struct ins_operands *o
}
static const struct ins_ops loongarch_jump_ops = {
+ .free = jump__delete,
.parse = loongarch_jump__parse,
.scnprintf = jump__scnprintf,
.is_jump = true,
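Review bot: `.free = jump__delete,` closes the gap for loongarch_jump_ops, but the failure mode the commit message describes is structural: ins_ops__delete() frees source.raw and source.name, which share storage with jump.raw_comment and jump.raw_func_start, so any ins_ops with .is_jump = true and no .free set will reach the same invalid free() on pointers that strchr() placed inside the raw buffer. Consider a follow-up that makes the generic path choose jump__delete when .free is NULL and .is_jump is set, or at least audits the other ins_ops tables that set .is_jump for the same omission, so correctness does not rest on every table initializer remembering the field.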
diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
index 9e0420e14be19..62bd8c3e53051 100644
--- a/tools/perf/util/disasm.c
+++ b/tools/perf/util/disasm.c
@@ -451,7 +451,7 @@ int jump__scnprintf(const struct ins *ins, char *bf, size_t size,
ops->target.offset);
}
-static void jump__delete(struct ins_operands *ops __maybe_unused)
+void jump__delete(struct ins_operands *ops __maybe_unused)
{
/*
* The ops->jump.raw_comment and ops->jump.raw_func_start belong to the
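Review bot: dropping `static` is the right call now that an arch file needs jump__delete, but the comment block starting at `The ops->jump.raw_comment and ops->jump.raw_func_start belong to the` becomes the only record of why this hook frees nothing, and it lives in disasm.c where an arch author picking a .free callback will not see it. Consider a one-line note at the declaration in disasm.h saying that jump-type ops whose fields alias the line's raw text must use jump__delete rather than the default; otherwise the `__maybe_unused` on the parameter reads as if the function were an accidental stub rather than a deliberate no-op.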
diff --git a/tools/perf/util/disasm.h b/tools/perf/util/disasm.h
index a6e478caf61a9..25756e3f47e47 100644
--- a/tools/perf/util/disasm.h
+++ b/tools/perf/util/disasm.h
@@ -161,6 +161,8 @@ int jump__scnprintf(const struct ins *ins, char *bf, size_t size,
int mov__scnprintf(const struct ins *ins, char *bf, size_t size,
struct ins_operands *ops, int max_ins_name);
+void jump__delete(struct ins_operands *ops);
+
int symbol__disassemble(struct symbol *sym, struct annotate_args *args);
char *expand_tabs(char *line, char **storage, size_t *storage_len);
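Review bot: the new prototype `void jump__delete(struct ins_operands *ops);` is added without a comment, so a reader of disasm.h cannot tell that it is the .free hook for jump-type ins_ops or why it exists alongside the default cleanup. A short comment above the declaration stating that it intentionally frees nothing because raw_comment and raw_func_start point into the line's own raw buffer would make the contract visible at the point where arch code picks it up.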
base-commit: 028ef9c96e96197026887c0f092424679298aae8
--
2.53.0
* Re: [PATCH v2] perf annotate: Use jump__delete when freeing LoongArch jumps
From: sashiko-bot @ 2026-04-13 10:35 UTC (permalink / raw)
To: Rong Bao; +Cc: linux-perf-users
Sashiko AI review found 1 potential issue(s):
- [High] In `loongarch_call__parse`, missing verification of `strchr` return value causes a NULL pointer dereference if the objdump string does not contain '<'.
--
commit aaedf6d99ebecdf735574de2bae5e0ee0fc41c3f
Author: Rong Bao <rong.bao@csmantle.top>
perf annotate: Use jump__delete when freeing LoongArch jumps
This patch initializes the .free field in loongarch_jump_ops to jump__delete.
This prevents disasm_line__free() from falling back to the default cleanup
function for LoongArch jump instructions, which previously led to undefined
behavior and a crash.
> diff --git a/tools/perf/util/annotate-arch/annotate-loongarch.c b/tools/perf/util/annotate-arch/annotate-loongarch.c
> index 950f34e59e5cd..c2addca77320b 100644
> --- a/tools/perf/util/annotate-arch/annotate-loongarch.c
> +++ b/tools/perf/util/annotate-arch/annotate-loongarch.c
> @@ -110,6 +110,7 @@ static int loongarch_jump__parse(const struct arch *arch, struct ins_operands *o
> }
>
> static const struct ins_ops loongarch_jump_ops = {
> + .free = jump__delete,
> .parse = loongarch_jump__parse,
> .scnprintf = jump__scnprintf,
> .is_jump = true,
This isn't a regression introduced by this patch, but in this same file,
could loongarch_call__parse() cause a NULL pointer dereference?
If the objdump output represents a call without a symbol and lacks
'<...>', strchr() returns NULL, but name is immediately incremented:
tools/perf/util/annotate-arch/annotate-loongarch.c:loongarch_call__parse() {
        ...
        ops->target.addr = strtoull(c, &endptr, 16);
        name = strchr(endptr, '<');
        name++;
        if (arch->objdump.skip_functions_char &&
            strchr(name, arch->objdump.skip_functions_char))
                return -1;
        ...
}
Would this result in an invalid pointer and cause a crash when passed to
the subsequent strchr() calls?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260413100412.2313688-1-rong.bao@csmantle.top?part=1
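The bot's question concerns a missing NULL check after strchr(). The following added example, not perf's code and not from the bot, shows a parser for the "ADDR <symbol+off>" target text that makes the check explicit; it only models the pattern the excerpt shows and does not establish whether the real loongarch_call__parse() is reachable with such input. The demo_ names, the struct, the errno-style return codes and the sample strings are assumptions made for this illustration.

```c
/*
 * Added example, not perf's own code: a small parser for the "ADDR <symbol+off>"
 * target text objdump prints after a call, written to show the check the review
 * bot asks about.  demo_ names, the struct, the return codes and the sample
 * strings are assumptions made here.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct demo_call_target {
	unsigned long long addr;
	char name[64];            /* symbol text between '<' and '>', or "" if absent */
};

/* "Before" shape, as in the bot's excerpt: no check between strchr() and name++.
 * Only safe to call on input that contains '<'. */
static const char *demo_call__name_unchecked(const char *operands)
{
	char *endptr;
	char *name;

	(void)strtoull(operands, &endptr, 16);
	name = strchr(endptr, '<');
	name++;                   /* NULL + 1 when there is no '<': undefined behaviour */
	return name;
}

/* Hardened parse: every strchr() result is tested before it is dereferenced.
 * An address with no "<...>" is treated as a valid target without a name;
 * an unterminated '<' or a skipped function name is rejected with -EINVAL. */
static int demo_call__parse(const char *operands, char skip_functions_char,
			    struct demo_call_target *out)
{
	char *endptr;
	const char *name, *end;
	size_t len;

	errno = 0;
	out->addr = strtoull(operands, &endptr, 16);
	out->name[0] = '\0';
	if (endptr == operands || errno)
		return -EINVAL;       /* no address at all, or out of range */

	name = strchr(endptr, '<');
	if (!name)
		return 0;             /* address-only target: nothing to name */
	name++;
	end = strchr(name, '>');
	if (!end)
		return -EINVAL;       /* '<' opened but never closed */
	if (skip_functions_char && memchr(name, skip_functions_char, (size_t)(end - name)))
		return -EINVAL;       /* the arch asked to skip such names */

	len = (size_t)(end - name);
	if (len >= sizeof(out->name))
		len = sizeof(out->name) - 1;
	memcpy(out->name, name, len);
	out->name[len] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed samples: with a symbol, without one, and with an unterminated '<'. */
	static const char *samples[] = { "12000a1c4 <demo_func+0x24>", "12000a1c4", "12000a1c4 <.L0" };
	struct demo_call_target t;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = demo_call__parse(samples[i], 0, &t);

		printf("%-28s rc=%d addr=0x%llx name=\"%s\"\n", samples[i], rc, t.addr, t.name);
	}
	return 0;
}
```

The unchecked variant is kept only to show the shape in the excerpt; the hardened one turns the missing-'<' case into a plain "no name" result and the malformed cases into an error return, which is what a caller such as the annotate browser can act on instead of crashing.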
* Re: [PATCH v2] perf annotate: Use jump__delete when freeing LoongArch jumps
From: WANG Rui @ 2026-04-14 0:59 UTC (permalink / raw)
To: Rong Bao
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, stable, Huacai Chen, WANG Xuerui, loongarch,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, linux-perf-users, linux-kernel
On Mon, Apr 13, 2026 at 6:11 PM Rong Bao <rong.bao@csmantle.top> wrote:
>
> Currently, the initialization of loongarch_jump_ops does not contain an
> assignment to its .free field. This causes disasm_line__free() to fall
> through to ins_ops__delete() for LoongArch jump instructions.
>
> ins_ops__delete() will free ins_operands.source.raw and
> ins_operands.source.name, and these fields overlap with
> ins_operands.jump.raw_comment and ins_operands.jump.raw_func_start.
> Since in loongarch_jump__parse(), these two fields are populated by
> strchr()-ing the same buffer, trying to free them will lead to undefined
> behavior.
>
> This invalid free usually leads to crashes:
>
> Process 1712902 (perf) of user 1000 dumped core.
> Stack trace of thread 1712902:
> #0 0x00007fffef155c58 n/a (libc.so.6 + 0x95c58)
> #1 0x00007fffef0f7a94 raise (libc.so.6 + 0x37a94)
> #2 0x00007fffef0dd6a8 abort (libc.so.6 + 0x1d6a8)
> #3 0x00007fffef145490 n/a (libc.so.6 + 0x85490)
> #4 0x00007fffef1646f4 n/a (libc.so.6 + 0xa46f4)
> #5 0x00007fffef164718 n/a (libc.so.6 + 0xa4718)
> #6 0x00005555583a6764 __zfree (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x106764)
> #7 0x000055555854fb70 disasm_line__free (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x2afb70)
> #8 0x000055555853d618 annotated_source__purge (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x29d618)
> #9 0x000055555852300c __hist_entry__tui_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28300c)
> #10 0x0000555558526718 do_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x286718)
> #11 0x000055555852ed94 evsel__hists_browse (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28ed94)
> #12 0x000055555831fdd0 cmd_report (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x7fdd0)
> #13 0x000055555839b644 handle_internal_command (/home/csmantle/dist/linux-arch/tools/perf/perf + 0xfb644)
> #14 0x00005555582fe6ac main (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5e6ac)
> #15 0x00007fffef0ddd90 n/a (libc.so.6 + 0x1dd90)
> #16 0x00007fffef0ddf0c __libc_start_main (libc.so.6 + 0x1df0c)
> #17 0x00005555582fed10 _start (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5ed10)
> ELF object binary architecture: LoongArch
>
> ... and it can be confirmed with Valgrind:
>
> ==1721834== Invalid free() / delete / delete[] / realloc()
> ==1721834== at 0x4EA9014: free (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so)
> ==1721834== by 0x4106287: __zfree (zalloc.c:13)
> ==1721834== by 0x42ADC8F: disasm_line__free (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x429B737: annotated_source__purge (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42811EB: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== Address 0x7d34303 is 35 bytes inside a block of size 62 alloc'd
> ==1721834== at 0x4EA59B8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so)
> ==1721834== by 0x6B80B6F: strdup (strdup.c:42)
> ==1721834== by 0x42AD917: disasm_line__new (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42AE5A3: symbol__disassemble_objdump (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42AF0A7: symbol__disassemble (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x429B3CF: symbol__annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x429C233: symbol__annotate2 (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42804D3: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf)
> ==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf)
>
> This patch adds the missing free() specialization in loongarch_jump_ops,
> which prevents disasm_line__free() from invoking the default cleanup
> function.
>
> Fixes: fb7fd2a14a503b9a ("perf annotate: Move raw_comment and raw_func_start fields out of 'struct ins_operands'")
> Cc: stable@vger.kernel.org
> Cc: WANG Rui <wangrui@loongson.cn>
> Cc: Huacai Chen <chenhuacai@kernel.org>
> Cc: WANG Xuerui <kernel@xen0n.name>
> Cc: loongarch@lists.linux.dev
> Signed-off-by: Rong Bao <rong.bao@csmantle.top>
> ---
> v1 -> v2: Correct "Fixes:" tag and move declaration of jump__delete()
> per comments.
>
> v1: https://lore.kernel.org/lkml/20260412062828.1734637-1-rong.bao@csmantle.top
>
> tools/perf/util/annotate-arch/annotate-loongarch.c | 1 +
> tools/perf/util/disasm.c | 2 +-
> tools/perf/util/disasm.h | 2 ++
> 3 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/annotate-arch/annotate-loongarch.c b/tools/perf/util/annotate-arch/annotate-loongarch.c
> index 950f34e59e5cd..c2addca77320b 100644
> --- a/tools/perf/util/annotate-arch/annotate-loongarch.c
> +++ b/tools/perf/util/annotate-arch/annotate-loongarch.c
> @@ -110,6 +110,7 @@ static int loongarch_jump__parse(const struct arch *arch, struct ins_operands *o
> }
>
> static const struct ins_ops loongarch_jump_ops = {
> + .free = jump__delete,
> .parse = loongarch_jump__parse,
> .scnprintf = jump__scnprintf,
> .is_jump = true,
> diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
> index 9e0420e14be19..62bd8c3e53051 100644
> --- a/tools/perf/util/disasm.c
> +++ b/tools/perf/util/disasm.c
> @@ -451,7 +451,7 @@ int jump__scnprintf(const struct ins *ins, char *bf, size_t size,
> ops->target.offset);
> }
>
> -static void jump__delete(struct ins_operands *ops __maybe_unused)
> +void jump__delete(struct ins_operands *ops __maybe_unused)
> {
> /*
> * The ops->jump.raw_comment and ops->jump.raw_func_start belong to the
> diff --git a/tools/perf/util/disasm.h b/tools/perf/util/disasm.h
> index a6e478caf61a9..25756e3f47e47 100644
> --- a/tools/perf/util/disasm.h
> +++ b/tools/perf/util/disasm.h
> @@ -161,6 +161,8 @@ int jump__scnprintf(const struct ins *ins, char *bf, size_t size,
> int mov__scnprintf(const struct ins *ins, char *bf, size_t size,
> struct ins_operands *ops, int max_ins_name);
>
> +void jump__delete(struct ins_operands *ops);
> +
> int symbol__disassemble(struct symbol *sym, struct annotate_args *args);
>
> char *expand_tabs(char *line, char **storage, size_t *storage_len);
>
> base-commit: 028ef9c96e96197026887c0f092424679298aae8
> --
> 2.53.0
>
>
Tested-by: WANG Rui <wangrui@loongson.cn>
Thanks,
Rui
* Re: [PATCH v2] perf annotate: Use jump__delete when freeing LoongArch jumps
From: Namhyung Kim @ 2026-04-14 17:12 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Rong Bao
Cc: stable, WANG Rui, Huacai Chen, WANG Xuerui, loongarch,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, linux-perf-users, linux-kernel
On Mon, 13 Apr 2026 18:03:55 +0800, Rong Bao wrote:
> Currently, the initialization of loongarch_jump_ops does not contain an
> assignment to its .free field. This causes disasm_line__free() to fall
> through to ins_ops__delete() for LoongArch jump instructions.
>
> ins_ops__delete() will free ins_operands.source.raw and
> ins_operands.source.name, and these fields overlap with
> ins_operands.jump.raw_comment and ins_operands.jump.raw_func_start.
> Since in loongarch_jump__parse(), these two fields are populated by
> strchr()-ing the same buffer, trying to free them will lead to undefined
> behavior.
>
> [...]
Applied to perf-tools-next, thanks!
Best regards,
Namhyung