From: Jiri Olsa
To: "Du, Changbin"
Cc: Arnaldo Carvalho de Melo, Namhyung Kim, Jiri Olsa, peterz@infradead.org, mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf: fix double free at function perf_hpp__reset_output_field
Date: Tue, 11 Apr 2017 09:35:45 +0200
Message-ID: <20170411073545.GA13796@krava>
In-Reply-To: <20170411030614.GA9155@intel.com>
References: <20170315021631.31980-1-changbin.du@intel.com> <20170327062255.27309-1-changbin.du@intel.com> <20170404151940.GD12903@kernel.org> <20170410083950.GD25354@krava> <20170410102111.GA6437@intel.com> <20170410113325.GE25354@krava> <20170411030614.GA9155@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 11, 2017 at 11:06:14AM +0800, Du, Changbin wrote:

SNIP

> > the original code takes it out of both lists,
> > so the next iteration won't go over that entry
> >
> oh, my bad, my desc is wrong. I replayed the crash. The problem is
> list_del_init on an unlinked entry.
>
> perf: Segmentation fault
> -------- backtrace --------
> ./perf[0x57394b]
> /lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7fb8da3034b0]
> ./perf(perf_hpp__reset_output_field+0xb7)[0x55dfe7]
> ./perf(hists__sort_by_fields+0x3d7)[0x509777]
> ./perf[0x5704c1]
> ./perf(perf_evlist__tui_browse_hists+0x2e5)[0x5723e5]
> ./perf(cmd_report+0x1a9b)[0x43b4fb]
> ./perf[0x494731]
> ./perf(main+0x704)[0x426304]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb8da2ee830]
> ./perf(_start+0x29)[0x4263f9]
> [0x0]
>
> (gdb) print fmt.list
> $4 = {next = 0x100, prev = 0x200} // LIST_POISON
> (gdb) print fmt.sort_list
> $5 = {next = 0x9727d0 , prev = 0x9727d0 }
>
> In this case, the fmt is linked in sort_list, but not in list. So it crashes
> at the list_del_init(&fmt->list) of the second loop.

So the only place I can see the POISON could get there is in
perf_hpp__column_unregister.. can't we just get rid of it like below?

jirka

---
diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c index 5d632dca672a..7577effbf746 100644 --- a/tools/perf/ui/hist.c +++ b/tools/perf/ui/hist.c @@ -529,7 +529,7 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, void perf_hpp__column_unregister(struct perf_hpp_fmt *format) { - list_del(&format->list); + list_del_init(&format->list); } void perf_hpp__cancel_cumulate(void)
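Review bot: the hunk swaps the poisoning unlink for list_del_init() in perf_hpp__column_unregister() without any rationale; as a standalone patch it needs a commit message saying that perf_hpp__reset_output_field() reaches a format through sort_list and calls list_del_init(&fmt->list) on an entry that unregister already removed from the output list, so the second unlink reads the LIST_POISON pointers ({next = 0x100, prev = 0x200} in the gdb output above) and faults, whereas a self-linked head makes that second list_del_init() a harmless no-op. Note that this also gives up the poison that exposed the double unlink, so a format can still sit on sort_list but not on list without anything noticing; if an unregistered format is meant to leave both lists, removing it from sort_list in the same function would fix the inconsistency rather than tolerate it.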
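A minimal model of the two-list situation in the quoted crash, written in C as an added example (not perf's code): one object sits on an output list and a sort list, unregister unlinks it from the output list only, and the reset path found it via sort_list and unlinks both heads. With list_del() the removed entry is poisoned, so the second unlink would dereference LIST_POISON pointers (detected and reported here instead of faulting); with list_del_init() the second unlink is a no-op. The list helpers, struct fmt, the single entry and the shape of the reset loop are simplified stand-ins for perf's list.h, perf_hpp_fmt and the second loop described in the report.

```c
#include <stddef.h>

/* Simplified stand-ins for tools/perf's list.h (example code, not perf's own). */
struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x200)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

static void list_unlink(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }

/* list_del() poisons the entry so a second unlink faults instead of silently corrupting memory. */
static void list_del(struct list_head *e) { list_unlink(e); e->next = LIST_POISON1; e->prev = LIST_POISON2; }

/* list_del_init() leaves the entry as an empty self-linked list; unlinking it again is a no-op. */
static void list_del_init(struct list_head *e) { list_unlink(e); INIT_LIST_HEAD(e); }

static int list_poisoned(const struct list_head *e) { return e->next == LIST_POISON1 || e->prev == LIST_POISON2; }

/* Like perf_hpp_fmt, one object is a member of two lists: the output list and the sort list. */
struct fmt { struct list_head list; struct list_head sort_list; };

/* Replays the crash path from the quoted report with a single fmt (assumed): unregister drops it
 * from the output list only, then the reset loop over sort_list unlinks both heads.
 * Returns 1 if that second unlink would have dereferenced LIST_POISON (the segfault), 0 if clean. */
int replay_reset_after_unregister(int unregister_uses_init)
{
	struct list_head fields, sort;
	struct fmt f;

	INIT_LIST_HEAD(&fields); INIT_LIST_HEAD(&sort);
	list_add_tail(&f.list, &fields);
	list_add_tail(&f.sort_list, &sort);

	/* perf_hpp__column_unregister(): list_del() before the patch, list_del_init() after it */
	if (unregister_uses_init) list_del_init(&f.list); else list_del(&f.list);

	/* perf_hpp__reset_output_field(), second loop: fmt is found via sort_list, both heads unlinked */
	list_del_init(&f.sort_list);
	if (list_poisoned(&f.list)) return 1;	/* the real code would fault here */
	list_del_init(&f.list);
	return 0;
}
```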