From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure
Date: Fri, 10 Jul 2026 05:55:42 +0000 [thread overview]
Message-ID: <20260710055542.92F3E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710053628.1861645-2-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Medium] Memory leak of dynamically allocated popup menu options during main interaction loop.
- [Medium] Unconditional pointer increments leave uninitialized or undefined array slots on allocation failure.
- [Low] Missing explicit POSIX header inclusions breaking musl libc compatibility.
--
--- Patch [2]: [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure ---
commit 77f870443b8c814782369da867fcd967bbc78bdf
Author: Ian Rogers <irogers@google.com>
perf ui hists: Fix uninitialized stack memory free on pstack allocation failure
Fixes heap corruption by initializing the options and actions arrays before
the pstack allocation check, preventing an uninitialized stack pointer from
being passed to free_popup_options() if the allocation fails.
Link: https://lore.kernel.org/linux-perf-users/20260709035230.6DBEE1F000E9@smtp.kernel.org/
> diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
> index 671961946d56c..45958bbe45092 100644
> --- a/tools/perf/ui/browsers/hists.c
> +++ b/tools/perf/ui/browsers/hists.c
> @@ -3064,15 +3064,15 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> browser->min_pcnt = min_pcnt;
> hist_browser__update_nr_entries(browser);
>
> + memset(options, 0, sizeof(options));
> + memset(actions, 0, sizeof(actions));
> +
> browser->pstack = pstack__new(3);
> if (browser->pstack == NULL)
> goto out;
>
> ui_helpline__push(helpline);
>
> - memset(options, 0, sizeof(options));
> - memset(actions, 0, sizeof(actions));
> -
> if (symbol_conf.col_width_list_str)
> perf_hpp__set_user_width(symbol_conf.col_width_list_str);
[Severity: Medium]
This is a pre-existing issue, but does this code leak dynamically allocated
popup menu options during the main interaction loop?
Looking at evsel__hists_browse() when returning to the do_hotkey label:
tools/perf/ui/browsers/hists.c:evsel__hists_browse() {
...
do_hotkey: // key came straight from options ui__popup_menu()
choice = nr_options = 0;
...
}
It appears nr_options is reset to 0 without freeing the strings previously
allocated and stored in the options array. The subsequent iteration might
overwrite the string pointers, permanently leaking the previously allocated
strings. Could we ensure the strings are freed here?
[Severity: Low]
This is a pre-existing issue, but could missing explicit POSIX header
inclusions break musl libc compatibility?
For example, hist_browser__dump() uses access() and F_OK without explicitly
including <unistd.h>:
tools/perf/ui/browsers/hists.c:hist_browser__dump() {
...
if (access(filename, F_OK))
...
}
Similarly, switch_data_file() relies on PATH_MAX without explicitly including
<limits.h>:
tools/perf/ui/browsers/hists.c:switch_data_file() {
...
char path[PATH_MAX];
...
}
Could these headers be explicitly included to ensure musl libc builds don't
fail?
[Severity: Medium]
This is a pre-existing issue, but do unconditional pointer increments here
leave uninitialized array slots on allocation failure?
Looking at add_script_opt():
tools/perf/ui/browsers/hists.c:add_script_opt() {
...
optstr++;
act++;
...
}
If a previous call to add_script_opt_2() fails (e.g., asprintf fails and
returns 0), the target string pointer is left unpopulated. However, this
code unconditionally increments the array pointers. If a subsequent allocation
succeeds, the array gets populated with a gap, but nr_options is still
incremented.
Might this cause the UI menu iteration to dereference an undefined or NULL
pointer at the gap?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710053628.1861645-1-irogers@google.com?part=2
next prev parent reply other threads:[~2026-07-10 5:55 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 23:46 [PATCH v1 1/3] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-08 23:46 ` [PATCH v1 2/3] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-08 23:46 ` [PATCH v1 3/3] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-09 3:36 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-09 3:36 ` [PATCH v2 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 3:57 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:54 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-09 16:52 ` [PATCH v3 " Ian Rogers
2026-07-09 16:52 ` [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 17:10 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 17:04 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 17:08 ` sashiko-bot
2026-07-09 17:08 ` [PATCH v3 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-10 2:49 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-10 2:49 ` [PATCH v4 2/9] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 3/9] perf disasm: Fix potential NULL pointer dereference in arch__find() Ian Rogers
2026-07-10 2:59 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 4/9] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 6/9] perf ui hists: Fix dso_filter reference leak and exit cleanup Ian Rogers
2026-07-10 3:07 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 7/9] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 2:49 ` [PATCH v4 8/9] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 9/9] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 3:17 ` sashiko-bot
2026-07-10 3:06 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
2026-07-10 5:36 ` [PATCH v5 01/10] " Ian Rogers
2026-07-10 5:36 ` [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 5:55 ` sashiko-bot [this message]
2026-07-10 5:36 ` [PATCH v5 03/10] perf ui hists: Include limits.h for PATH_MAX definition Ian Rogers
2026-07-10 5:36 ` [PATCH v5 04/10] perf ui hists: Fix stack use-after-return in symbol_filter_str Ian Rogers
2026-07-10 5:59 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 05/10] perf disasm: Fix potential NULL pointer dereference and use-after-free in arch__find() Ian Rogers
2026-07-10 5:36 ` [PATCH v5 06/10] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 5:56 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 07/10] perf ui hists: In report UI ensure thread is set with reference counting Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 08/10] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 09/10] perf ui hists: Fix dso_filter reference leak and exit zoom cleanup Ian Rogers
2026-07-10 5:58 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 10/10] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 6:08 ` sashiko-bot
2026-07-10 5:54 ` [PATCH v5 01/10] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710055542.92F3E1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox