From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 6/8] perf sched: Fix thread reference leak in idle hist processing
Date: Fri, 05 Jun 2026 20:46:50 +0000 [thread overview]
Message-ID: <20260605204651.2CD831F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605203316.1758661-7-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] `timehist_get_thread()` leaks thread references on both success and error paths when `--idle-hist` is active.
- [High] The callchain root tree within `struct idle_thread_runtime` is not freed when idle threads are destroyed, leaking dynamically allocated callchain nodes.
--
commit b5d8b3caa1d8b8f8fc2ff742e34d77adc37bf655
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf sched: Fix thread reference leak in idle hist processing
timehist_sched_change_event() sets itr->last_thread to NULL at the end
of idle hist processing without calling thread__put() first. The
thread reference was acquired via thread__get() in timehist_get_thread()
(line 2581), so every idle context switch leaks a thread reference when
--idle-hist is active.
Use thread__zput() to properly release the reference before clearing
the pointer.
> diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
> index e47db1c5c6020..e2df69a624765 100644
> --- a/tools/perf/builtin-sched.c
> +++ b/tools/perf/builtin-sched.c
> @@ -2890,7 +2890,7 @@ static int timehist_sched_change_event(const struct perf_tool *tool,
> if (itr->cursor.nr)
> callchain_append(&itr->callchain, &itr->cursor, t - tprev);
>
> - itr->last_thread = NULL;
> + thread__zput(itr->last_thread);
[Severity: High]
This isn't a bug introduced by this patch, but while we are fixing leaks
around idle thread handling, does timehist_get_thread() also leak thread
references when --idle-hist is active?
tools/perf/builtin-sched.c:timehist_get_thread() {
...
if (sched->idle_hist) {
struct thread *idle;
struct idle_thread_runtime *itr;
idle = get_idle_thread(sample->cpu);
if (idle == NULL) {
pr_err("Failed to get idle thread for cpu %d.\n", sample->cpu);
return NULL;
}
...
}
It appears get_idle_thread() returns a new reference via thread__get(). On
success, this local idle thread reference is never released. Also, on the
error paths returning NULL, it seems to bypass the caller's cleanup code and
permanently leak the task thread reference acquired earlier via
machine__findnew_thread().
[Severity: High]
This is a pre-existing issue, but does free_idle_threads() leak dynamically
allocated callchain nodes?
tools/perf/builtin-sched.c:free_idle_threads() {
...
thread__put(idle);
...
}
The thread's private data destructor is set to free() via
thread__set_priv_destructor(free). While free() successfully frees the struct
idle_thread_runtime container, it doesn't appear to recursively free the
nodes embedded in the itr->callchain tree built by callchain_append(). Can
this lead to unbounded memory growth proportional to the trace size?
> }
>
> if (!sched->summary_only)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605203316.1758661-1-acme@kernel.org?part=6
next prev parent reply other threads:[~2026-06-05 20:46 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 20:33 [PATCHES v1 0/8] perf tools: Fix OOB writes, refcount bugs, and BUG_ON in mmap/stat/c2c/sched Arnaldo Carvalho de Melo
2026-06-05 20:33 ` [PATCH 1/8] perf mmap: Guard cpu__get_node() return in aio_bind() Arnaldo Carvalho de Melo
2026-06-05 20:48 ` sashiko-bot
2026-06-05 20:33 ` [PATCH 2/8] perf stat: Bounds-check CPU index in topology aggregation callbacks Arnaldo Carvalho de Melo
2026-06-05 20:33 ` [PATCH 3/8] perf c2c: Bounds-check CPU and node IDs before bitmap and array access Arnaldo Carvalho de Melo
2026-06-05 20:46 ` sashiko-bot
2026-06-05 20:33 ` [PATCH 4/8] perf c2c: Bounds-check CPU IDs in setup_nodes() topology loop Arnaldo Carvalho de Melo
2026-06-05 20:33 ` [PATCH 5/8] perf sched: Clean up idle_threads entry on init failure Arnaldo Carvalho de Melo
2026-06-05 20:53 ` sashiko-bot
2026-06-05 20:33 ` [PATCH 6/8] perf sched: Fix thread reference leak in idle hist processing Arnaldo Carvalho de Melo
2026-06-05 20:46 ` sashiko-bot [this message]
2026-06-05 20:33 ` [PATCH 7/8] perf sched: Use thread__put() in free_idle_threads() Arnaldo Carvalho de Melo
2026-06-05 20:49 ` sashiko-bot
2026-06-05 20:33 ` [PATCH 8/8] perf sched: Replace BUG_ON and add NULL checks in replay event helpers Arnaldo Carvalho de Melo
2026-06-05 20:46 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605204651.2CD831F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox