From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop
Date: Fri, 10 Jul 2026 03:05:47 +0000 [thread overview]
Message-ID: <20260710030547.A93851F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710024952.1668911-5-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Raw pointer assignment of reference-counted structs violates REFCNT_CHECKING lifecycle rules.
Pre-existing issues:
- [High] Stack-allocated buffer `buf` is assigned to a long-lived structure field `hists->symbol_filter_str`, leading to a Use-After-Free when the function returns.
--
--- Patch [5]: [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop ---
commit 8a51dcaa31cd8e1cae7b31630b60408cb040d87b
Author: Ian Rogers <irogers@google.com>
perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop
In the evsel__hists_browse() interactive loop, the options array is
filled with strings dynamically allocated via asprintf() and displayed
in a popup menu. However, if the user picks a hotkey or triggers another
menu iteration, nr_options is reset to 0 without freeing the prior
strings, leaving them abandoned in the array and leaking memory on every
menu event.
Fix it by invoking free_popup_options(options, MAX_OPTIONS) at the
beginning of each menu iteration (covering both the while(1) start and
the 'do_hotkey:' label).
Closes: https://lore.kernel.org/linux-perf-users/20260709170834.52F1A1F000E9@smtp.kernel.org/
> diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
> index 8b4c7510991f3..aed154622467f 100644
> --- a/tools/perf/ui/browsers/hists.c
> +++ b/tools/perf/ui/browsers/hists.c
> @@ -3087,6 +3087,7 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
>
> key = 0; // reset key
> do_hotkey: // key came straight from options ui__popup_menu()
> + free_popup_options(options, MAX_OPTIONS);
> choice = nr_options = 0;
> key = hist_browser__run(browser, helpline, warn_lost_event, key);
>
[ ... ]
> @@ -3156,6 +3157,6 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> if (!bi || !bi->to.ms.map)
> continue;
>
> actions->ms.sym = symbol__new_unresolved(bi->to.al_addr, bi->to.ms.map);
> actions->ms.thread = bi->to.ms.thread;
> actions->ms.map = bi->to.ms.map;
[Severity: Medium]
In tools/perf/ui/browsers/hists.c:evsel__hists_browse(), is it safe to
directly assign actions->ms.thread without using thread__get() when
processing the SORT_MODE__BRANCH selection?
It seems this raw pointer assignment of a reference-counted struct violates
lifecycle rules. Could this lead to asan use-after-free traps or lsan
leaks during the interactive menu loop?
[ ... ]
> @@ -3215,6 +3216,6 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> case '/':
> if (ui_browser__input_window("Symbol to show",
> "Please enter the name of symbol you want to see.\n"
> "To remove the filter later, press / + ENTER.",
> buf, "ENTER: OK, ESC: Cancel",
> delay_secs * 2) == K_ENTER) {
> hists->symbol_filter_str = *buf ? buf : NULL;
> hists__filter_by_symbol(hists);
[Severity: High]
This is a pre-existing issue, but in tools/perf/ui/browsers/hists.c:evsel__hists_browse(),
doesn't this assign a stack-allocated buffer (buf) to the persistent
hists->symbol_filter_str pointer without duplicating it?
If a user applies a symbol filter in the single-event browser view and then
exits, could this cause a use-after-free when evsel__hists_browse() returns
while a background thread is still applying filters?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710024952.1668911-1-irogers@google.com?part=5
next prev parent reply other threads:[~2026-07-10 3:05 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 23:46 [PATCH v1 1/3] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-08 23:46 ` [PATCH v1 2/3] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-08 23:46 ` [PATCH v1 3/3] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-09 3:36 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-09 3:36 ` [PATCH v2 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 3:57 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:54 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-09 16:52 ` [PATCH v3 " Ian Rogers
2026-07-09 16:52 ` [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 17:10 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 17:04 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 17:08 ` sashiko-bot
2026-07-09 17:08 ` [PATCH v3 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-10 2:49 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-10 2:49 ` [PATCH v4 2/9] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 3/9] perf disasm: Fix potential NULL pointer dereference in arch__find() Ian Rogers
2026-07-10 2:59 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 4/9] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop Ian Rogers
2026-07-10 3:05 ` sashiko-bot [this message]
2026-07-10 2:49 ` [PATCH v4 6/9] perf ui hists: Fix dso_filter reference leak and exit cleanup Ian Rogers
2026-07-10 3:07 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 7/9] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 2:49 ` [PATCH v4 8/9] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 9/9] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 3:17 ` sashiko-bot
2026-07-10 3:06 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
2026-07-10 5:36 ` [PATCH v5 01/10] " Ian Rogers
2026-07-10 5:36 ` [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 5:55 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 03/10] perf ui hists: Include limits.h for PATH_MAX definition Ian Rogers
2026-07-10 5:36 ` [PATCH v5 04/10] perf ui hists: Fix stack use-after-return in symbol_filter_str Ian Rogers
2026-07-10 5:59 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 05/10] perf disasm: Fix potential NULL pointer dereference and use-after-free in arch__find() Ian Rogers
2026-07-10 5:36 ` [PATCH v5 06/10] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 5:56 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 07/10] perf ui hists: In report UI ensure thread is set with reference counting Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 08/10] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 09/10] perf ui hists: Fix dso_filter reference leak and exit zoom cleanup Ian Rogers
2026-07-10 5:58 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 10/10] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 6:08 ` sashiko-bot
2026-07-10 5:54 ` [PATCH v5 01/10] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710030547.A93851F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox