From: sashiko-bot@kernel.org
To: "Tengda Wu" <wutengda@huaweicloud.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 21/21] perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer
Date: Wed, 01 Jul 2026 04:16:36 +0000 [thread overview]
Message-ID: <20260701041636.7FEDC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701035355.752944-22-wutengda@huaweicloud.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] Memory leak of the dynamically allocated `type_name` string obtained from `strbuf_detach()`.
- [Medium] Cross-DSO contamination and potential type confusion due to globally caching a DWARF offset (`task_struct_dieoff`).
--
commit 0f7d6f3c161448b3cb967b47ee3887be3d974dc1
Author: Tengda Wu <wutengda@huaweicloud.com>
perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer
This commit adds support for parsing the 'mrs' instruction on arm64 in
'perf annotate' to track the 'current' task pointer. It dynamically queries
the DWARF debug information for the 'get_current()' inline function's
return type to find 'struct task_struct', caching the DWARF offset for
subsequent lookups.
> diff --git a/tools/perf/util/annotate-arch/annotate-arm64.c b/tools/perf/util/annotate-arch/annotate-arm64.c
> index ec6fd59d51a27..89e3997f6721b 100644
> --- a/tools/perf/util/annotate-arch/annotate-arm64.c
> +++ b/tools/perf/util/annotate-arch/annotate-arm64.c
[ ... ]
> @@ -787,6 +789,81 @@ static void update_adrp_insn_state(struct type_state *state,
> insn_offset, tsr->addr, dreg);
> }
>
> +static Dwarf_Off task_struct_dieoff;
> +
> +static void update_mrs_insn_state(struct type_state *state,
> + struct data_loc_info *dloc, Dwarf_Die *cu_die,
> + struct disasm_line *dl,
> + struct annotated_op_loc *dst)
> +{
[ ... ]
> + /* Handle case difference: LLVM (SP_EL0) vs objdump (sp_el0) */
> + if (!dso__kernel(map__dso(dloc->ms->map)) ||
> + strcasecmp(dl->ops.source.raw, "sp_el0")) {
> + invalidate_reg_state(tsr);
> + return;
> + }
> +
> + ip = dloc->ms->sym->start + dl->al.offset;
> + pc = map__rip_2objdump(dloc->ms->map, ip);
> +
> + if (!task_struct_dieoff ||
> + !dwarf_offdie(dloc->di->dbg, task_struct_dieoff, &type_die)) {
[Severity: Medium]
Since DWARF offsets are local to their .debug_info section, if perf annotate
processes a symbol in a different kernel module (where dso__kernel() is still
true), couldn't this global task_struct_dieoff be applied to the module's
Dwarf * handle?
Would this result in type confusion or returning an arbitrary, unrelated DIE
across different DSOs?
> + struct strbuf sb;
> + char *type_name;
> + /*
> + * Find the inline function 'get_current()' Dwarf_Die
> + * and obtain its return value data type, which should
> + * be 'struct task_struct*'.
> + */
> + if (!die_find_inlinefunc(cu_die, pc, &func_die) ||
> + !dwarf_attr_integrate(&func_die, DW_AT_type, &attr) ||
> + !dwarf_formref_die(&attr, &type_die)) {
> + invalidate_reg_state(tsr);
> + return;
> + }
> +
> + strbuf_init(&sb, 32);
> + die_get_typename_from_type(&type_die, &sb);
> + type_name = strbuf_detach(&sb, NULL);
> +
> + if (!type_name || strcmp(type_name, "struct task_struct*")) {
> + invalidate_reg_state(tsr);
> + return;
> + }
[Severity: Medium]
Does this code leak the type_name string?
strbuf_detach() allocates and transfers ownership of the string to type_name,
but it appears to never be freed on either the success path or the error path
returning here.
> +
> + /*
> + * Cache the 'struct task_struct*' die offset globally.
> + * This allows us to resolve stack canary accesses even
> + * in CUs that lack a full task_struct definition (e.g.,
> + * compiler-generated entry/exit code).
> + */
> + task_struct_dieoff = dwarf_dieoffset(&type_die);
> + }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701035355.752944-1-wutengda@huaweicloud.com?part=21
next prev parent reply other threads:[~2026-07-01 4:16 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 3:53 [PATCH v3 00/21] perf arm64: Support data type profiling Tengda Wu
2026-07-01 3:53 ` [PATCH v3 01/21] perf capstone: Fix kernel map reference count leak Tengda Wu
2026-07-01 3:53 ` [PATCH v3 02/21] perf capstone: Fix arm64 jump/adrp disassembly mismatch with objdump Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 6:44 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 03/21] perf llvm: Fix arm64 adrp instruction " Tengda Wu
2026-07-01 4:05 ` sashiko-bot
2026-07-01 6:45 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 04/21] perf annotate-arm64: Generalize arm64_mov__parse to support more instructions Tengda Wu
2026-07-01 4:03 ` sashiko-bot
2026-07-01 6:57 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 05/21] perf annotate-arm64: Handle load and store instructions Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 7:03 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 06/21] perf dwarf-regs: Adapt get_dwarf_regnum() for arm64 Tengda Wu
2026-07-01 4:07 ` sashiko-bot
2026-07-01 7:14 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 07/21] perf annotate: Adapt arch__dwarf_regnum() " Tengda Wu
2026-07-01 3:53 ` [PATCH v3 08/21] perf annotate: Introduce extract_op_location callback for arch-specific parsing Tengda Wu
2026-07-01 4:06 ` sashiko-bot
2026-07-01 7:29 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 09/21] perf annotate-arm64: Implement extract_op_location() callback Tengda Wu
2026-07-01 4:10 ` sashiko-bot
2026-07-01 7:36 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 10/21] perf annotate: Deduplicate overlapping ARM SPE events for data type profiling Tengda Wu
2026-07-01 4:06 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 11/21] perf auxtrace: Set default period to 1 for PERF_ITRACE_PERIOD_INSTRUCTIONS type Tengda Wu
2026-07-01 4:05 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 12/21] perf annotate-data: Extract invalidate_reg_state() as a common helper Tengda Wu
2026-07-01 3:53 ` [PATCH v3 13/21] perf annotate-arm64: Enable instruction tracking support Tengda Wu
2026-07-01 4:12 ` sashiko-bot
2026-07-01 7:56 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 14/21] perf annotate-arm64: Support load instruction tracking Tengda Wu
2026-07-01 4:14 ` sashiko-bot
2026-07-01 8:37 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 15/21] perf annotate-arm64: Support store " Tengda Wu
2026-07-01 3:53 ` [PATCH v3 16/21] perf annotate-arm64: Support stack variable tracking Tengda Wu
2026-07-01 4:16 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 17/21] perf annotate-arm64: Support 'mov' instruction tracking Tengda Wu
2026-07-01 4:21 ` sashiko-bot
2026-07-01 8:46 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 18/21] perf annotate-arm64: Support 'add' " Tengda Wu
2026-07-01 4:16 ` sashiko-bot
2026-07-01 8:47 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 19/21] perf annotate-arm64: Support 'adrp' instruction to track global variables Tengda Wu
2026-07-01 4:15 ` sashiko-bot
2026-07-01 8:48 ` Tengda Wu
2026-07-01 3:53 ` [PATCH v3 20/21] perf annotate-arm64: Support per-cpu variable access tracking Tengda Wu
2026-07-01 4:18 ` sashiko-bot
2026-07-01 3:53 ` [PATCH v3 21/21] perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer Tengda Wu
2026-07-01 4:16 ` sashiko-bot [this message]
2026-07-01 8:56 ` Tengda Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701041636.7FEDC1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wutengda@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox