Date: Mon, 10 Apr 2017 18:21:12 +0800
From: "Du, Changbin"
To: Jiri Olsa
Cc: Arnaldo Carvalho de Melo, Namhyung Kim, Jiri Olsa, changbin.du@intel.com, peterz@infradead.org, mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf: fix double free at function perf_hpp__reset_output_field
Message-ID: <20170410102111.GA6437@intel.com>
In-Reply-To: <20170410083950.GD25354@krava>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 10, 2017 at 10:39:50AM +0200, Jiri Olsa wrote:
> On Tue, Apr 04, 2017 at 12:19:40PM -0300, Arnaldo Carvalho de Melo wrote:
>
> SNIP
>
> > > --- > > > tools/perf/ui/hist.c | 25 +++++++++++++++---------- > > > 1 file changed, 15 insertions(+), 10 deletions(-) > > >=20 > > > diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c > > > index 5d632dc..f94b301 100644 > > > --- a/tools/perf/ui/hist.c > > > +++ b/tools/perf/ui/hist.c 
> > > @@ -609,20 +609,25 @@ static void fmt_free(struct perf_hpp_fmt *fmt) > > > =20 > > > void perf_hpp__reset_output_field(struct perf_hpp_list *list) > > > { > > > - struct perf_hpp_fmt *fmt, *tmp; > > > + struct perf_hpp_fmt *field_fmt, *sort_fmt, *tmp1, *tmp2; > > > =20 > > > /* reset output fields */ > > > - perf_hpp_list__for_each_format_safe(list, fmt, tmp) { > > > - list_del_init(&fmt->list); > > > - list_del_init(&fmt->sort_list); > > > - fmt_free(fmt); > > > + perf_hpp_list__for_each_format_safe(list, field_fmt, tmp1) { > > > + list_del_init(&field_fmt->list); > > > + /* reset sort keys */ > > > + perf_hpp_list__for_each_sort_list_safe(list, sort_fmt, tmp2) { > > > + if (field_fmt =3D=3D sort_fmt) { > > > + list_del_init(&field_fmt->sort_list); > > > + break; > > > + } > > > + }
>
> I agree with Namhyung in here.. seems like the only thing you
> added is to check if the field_fmt was also linked in as a sort
> entry before you call list_del_init on it
>

This is correct.

> which I think should be also done with list_empty function, but
> more importantly I don't see a reason for that.. list_del_init
> call should be fine on empty list
>

You didn't catch the problem here. The problem is a double free of a fmt. For
example, fmt A is linked to both lists. Then it will first be freed by the
first iteration over list, then it will be freed again at the second
iteration over sort_list. This must cause an application crash.

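Review bot: in the first loop, the nested perf_hpp_list__for_each_sort_list_safe() walk only tests whether field_fmt is on the sort list before list_del_init(&field_fmt->sort_list), a call the removed lines made unconditionally, and list_del_init() on a node that is initialized but not linked leaves it unchanged. If every sort_list node is initialized, the scan can be dropped in favour of the unconditional call, or of the list_empty(&field_fmt->sort_list) check suggested in the thread, since the nested walk makes the reset quadratic in the number of formats. If the crash comes from some other state, such as an uninitialized sort_list node, the commit message should spell that case out, because the visible lines do not show how a format already unlinked from both lists would be reached a second time. The inner loop also breaks right after the delete, so the _safe iterator and tmp2 are not needed there.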
> please describe the issue in more details, perhaps we're missing
> something
>
> jirka

--
Thanks,
Changbin Du
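The ownership rule this thread is arguing about, as an added example (not code from perf or from the patch under review): an object linked on two intrusive lists is freed exactly once when it is unlinked from both lists before free(). `struct fmt`, `fmt_release` and `reset_lists` are hypothetical stand-ins, and the second loop over the sort list is an assumption, since that part of the function is snipped from the quote.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal intrusive list modelled on the kernel's list_head (constructed here). */
struct list_head { struct list_head *next, *prev; };
static void init_list(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; init_list(n); }

/* Hypothetical stand-in for struct perf_hpp_fmt: one object, two link fields. */
struct fmt { struct list_head list, sort_list; };
#define FMT_OF(p, member) ((struct fmt *)((char *)(p) - offsetof(struct fmt, member)))

static void fmt_new(struct list_head *fields, struct list_head *sorts)
{
	struct fmt *f = malloc(sizeof(*f));
	if (!f) abort();
	init_list(&f->list); init_list(&f->sort_list);
	if (fields) list_add_tail(&f->list, fields);
	if (sorts) list_add_tail(&f->sort_list, sorts);
}

/* Unlink from BOTH lists before freeing, so neither walk can reach freed memory. */
static void fmt_release(struct fmt *f)
{
	list_del_init(&f->list);
	list_del_init(&f->sort_list); /* harmless on an initialized, unlinked node */
	free(f);
}

/* Tear down both lists; returns the number of objects freed. */
static int reset_lists(struct list_head *fields, struct list_head *sorts)
{
	struct list_head *p, *n;
	int freed = 0;
	for (p = fields->next, n = p->next; p != fields; p = n, n = p->next, freed++)
		fmt_release(FMT_OF(p, list));
	for (p = sorts->next, n = p->next; p != sorts; p = n, n = p->next, freed++)
		fmt_release(FMT_OF(p, sort_list));
	return freed;
}

/* Constructed case: A on both lists, B output field only, C sort key only. */
static int demo(void)
{
	struct list_head fields, sorts;
	init_list(&fields); init_list(&sorts);
	fmt_new(&fields, &sorts); fmt_new(&fields, NULL); fmt_new(NULL, &sorts);
	return reset_lists(&fields, &sorts);
}
int main(void) { return demo() == 3 ? 0 : 1; }
```

Building it with `-fsanitize=address` reports a double free if either `list_del_init()` call in `fmt_release` is removed while the object is still linked on the other list.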