Date: Tue, 11 Apr 2017 12:05:31 +0200
From: Jiri Olsa
To: "Du, Changbin"
Cc: Arnaldo Carvalho de Melo, Namhyung Kim, Jiri Olsa, peterz@infradead.org, mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf: fix double free at function perf_hpp__reset_output_field

On Tue, Apr 11, 2017 at 04:25:50PM +0800, Du, Changbin wrote:
> > > (gdb) print fmt.sort_list
> > > $5 = {next = 0x9727d0 , prev = 0x9727d0 }
> > >
> > > In this case, the fmt is linked in sort_list, but not in list. So crash
> > > at the list_del_init(&fmt->list) of second loop.
> >
> > so the only place I can see the POISON could get there
> > is in perf_hpp__column_unregister.. can't we just get
> > rid of it like below
> >
> > jirka
> >
> >
> > ---
> > diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c > > index 5d632dca672a..7577effbf746 100644 > > --- a/tools/perf/ui/hist.c > > +++ b/tools/perf/ui/hist.c
> > @@ -529,7 +529,7 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, > > > > void perf_hpp__column_unregister(struct perf_hpp_fmt *format) > > { > > - list_del(&format->list); > > + list_del_init(&format->list); > > } > >
> yes, this is an option. But for safety, I suggest do not rely on list_del_init.
> No rule rather than create one.
>
> But anyway, both are ok for me. What's your options?

hum, also I don't think we need to touch that bit at all if we are
going to remove it right away.. how about the change below?

jirka

---
diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c index 5d632dca672a..0ee7db43dd7d 100644 --- a/tools/perf/ui/hist.c +++ b/tools/perf/ui/hist.c @@ -613,15 +613,15 @@ void perf_hpp__reset_output_field(struct perf_hpp_list *list) /* reset output fields */ perf_hpp_list__for_each_format_safe(list, fmt, tmp) { - list_del_init(&fmt->list); - list_del_init(&fmt->sort_list); + list_del(&fmt->list); + /* Remove the fmt from next loop processing. */ + list_del(&fmt->sort_list); fmt_free(fmt); } /* reset sort keys */ perf_hpp_list__for_each_sort_list_safe(list, fmt, tmp) { - list_del_init(&fmt->list); - list_del_init(&fmt->sort_list); + list_del(&fmt->sort_list); fmt_free(fmt); } }
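
Review bot: In the first loop of perf_hpp__reset_output_field, list_del(&fmt->sort_list) now runs on every entry of the format list and leaves poisoned pointers where list_del_init used to leave a self-pointing node, so it is only safe if each fmt's sort_list is linked or initialised at that point and nothing reads the fmt after fmt_free(). The gdb output in the thread shows a fmt that was in sort_list but not in list; the second loop covers that by no longer touching fmt->list, but the reverse case (in list, with sort_list already removed by a plain list_del) is not addressed in the visible lines and deserves a sentence in the changelog. The new comment could also say outright that the entry is unlinked from sort_list here because it is about to be freed, so the second loop must not reach it and free it again.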
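
Review bot: In the quoted hunk at -529, perf_hpp__column_unregister only unlinks format->list and never format->sort_list, so with either list_del or list_del_init the fmt can stay on the sort list after unregistering, which matches the state quoted in the thread (linked in sort_list, but not in list). list_del_init would stop a later list_del_init(&fmt->list) from dereferencing poison, but it leaves the reset path to cope with a fmt that sits on one list only; a comment on this function stating who is responsible for sort_list and for freeing the fmt would make that explicit.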