Date: Mon, 10 Apr 2017 13:33:25 +0200
From: Jiri Olsa
To: "Du, Changbin"
Cc: Arnaldo Carvalho de Melo, Namhyung Kim, Jiri Olsa, peterz@infradead.org, mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf: fix double free at function perf_hpp__reset_output_field
Message-ID: <20170410113325.GE25354@krava>
References: <20170315021631.31980-1-changbin.du@intel.com> <20170327062255.27309-1-changbin.du@intel.com> <20170404151940.GD12903@kernel.org> <20170410083950.GD25354@krava> <20170410102111.GA6437@intel.com>
In-Reply-To: <20170410102111.GA6437@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 10, 2017 at 06:21:12PM +0800, Du, Changbin wrote:
> On Mon, Apr 10, 2017 at 10:39:50AM +0200, Jiri Olsa wrote:
> > On Tue, Apr 04, 2017 at 12:19:40PM -0300, Arnaldo Carvalho de Melo wrote:
> >
> > SNIP
> >
> > > > ---
> > > > tools/perf/ui/hist.c | 25 +++++++++++++++----------
> > > > 1 file changed, 15 insertions(+), 10 deletions(-)
> > > >
> > > > diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c
> > > > index 5d632dc..f94b301 100644
> > > > --- a/tools/perf/ui/hist.c
> > > > +++ b/tools/perf/ui/hist.c
> > > > @@ -609,20 +609,25 @@ static void fmt_free(struct perf_hpp_fmt *fmt)
> > > >
> > > > void perf_hpp__reset_output_field(struct perf_hpp_list *list)
> > > > {
> > > > - struct perf_hpp_fmt *fmt, *tmp;
> > > > + struct perf_hpp_fmt *field_fmt, *sort_fmt, *tmp1, *tmp2;
> > > >
> > > > /* reset output fields */
> > > > - perf_hpp_list__for_each_format_safe(list, fmt, tmp) {
> > > > - list_del_init(&fmt->list);
> > > > - list_del_init(&fmt->sort_list);
> > > > - fmt_free(fmt);
> > > > + perf_hpp_list__for_each_format_safe(list, field_fmt, tmp1) {
> > > > + list_del_init(&field_fmt->list);
> > > > + /* reset sort keys */
> > > > + perf_hpp_list__for_each_sort_list_safe(list, sort_fmt, tmp2) {
> > > > + if (field_fmt == sort_fmt) {
> > > > + list_del_init(&field_fmt->sort_list);
> > > > + break;
> > > > + }
> > > > + }
> >
> > I agree with Namhyung in here.. seems like the only thing you
> > added is to check if the field_fmt was also linked in as a sort
> > entry before you call list_del_init on it
> >
> This is correct.
>
> > which I think should be also done with list_empty function, but
> > more importantly I don't see a reason for that.. list_del_init
> > call should be fine on empty list
> >
> You didn't catch the problem here. The problem is double free a fmt.
> For example, fmt A is linked to both list. Then it will be first free
> by the first iteration over list, then it will be freed again at the
> second iteration over sort_list. This must cause application crash.

the original code takes it out of both lists, so the next iteration won't go over that entry

jirka
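Review bot: the nested perf_hpp_list__for_each_sort_list_safe walk added inside the first loop only decides whether field_fmt is on the sort list before calling list_del_init(&field_fmt->sort_list); list_del_init() is already safe on an entry that is not linked, so the conditional has the same effect as the removed unconditional `list_del_init(&fmt->sort_list);` while turning the reset into a fields-times-sort-keys walk. If a membership test is really wanted, `list_empty(&field_fmt->sort_list)` expresses it in one line without the inner loop. The quoted hunk also drops `fmt_free(fmt);` without showing where the field is now freed, so the double-free sequence in the description cannot be checked against the visible lines; the commit message should name the two list positions of the entry that is supposedly freed twice.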
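As an added example, not part of this thread and not perf's own code: a small userspace re-implementation of the list_head idiom the quoted function relies on. The list helpers below mirror the kernel's names but are local definitions, not linux/list.h; struct fmt, struct fmt_list, fmt_new and reset_output_field are stand-ins for the perf types and for the original perf_hpp__reset_output_field. It demonstrates the point Jiri makes: because each loop unlinks the entry from both lists before freeing it, an entry that sits on both lists is freed exactly once, and list_del_init() on an entry that is not linked is a no-op, which is why a membership check before the call gains nothing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins for the kernel list_head helpers (not linux/list.h). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* Unlink n and point it back at itself. On an already self-linked entry the
 * two pointer writes land on n itself, so a second call is a harmless no-op. */
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}

static int list_empty(const struct list_head *h) { return h->next == h; }

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define for_each_safe(pos, tmp, head) \
	for (pos = (head)->next, tmp = pos->next; pos != (head); pos = tmp, tmp = pos->next)

/* Stand-in for struct perf_hpp_fmt: one object that may sit on both the
 * output-field list and the sort-key list at the same time. */
struct fmt { struct list_head list; struct list_head sort_list; };
struct fmt_list { struct list_head fields; struct list_head sorts; };

static void fmt_new(struct fmt_list *l, int on_field, int on_sort)
{
	struct fmt *f = malloc(sizeof(*f));
	INIT_LIST_HEAD(&f->list);
	INIT_LIST_HEAD(&f->sort_list);
	if (on_field) list_add_tail(&f->list, &l->fields);
	if (on_sort)  list_add_tail(&f->sort_list, &l->sorts);
}

/* Same shape as the original perf_hpp__reset_output_field(): each loop unlinks
 * the entry from BOTH lists before freeing it, so nothing freed by the first
 * loop is still reachable from the second. Returns the number of free() calls. */
static int reset_output_field(struct fmt_list *l)
{
	struct list_head *pos, *tmp;
	int freed = 0;

	for_each_safe(pos, tmp, &l->fields) {
		struct fmt *f = container_of(pos, struct fmt, list);
		list_del_init(&f->list);
		list_del_init(&f->sort_list);	/* no-op when f is not a sort key */
		free(f); freed++;
	}
	for_each_safe(pos, tmp, &l->sorts) {	/* only sort-only entries remain */
		struct fmt *f = container_of(pos, struct fmt, sort_list);
		list_del_init(&f->list);	/* no-op: never on the field list */
		list_del_init(&f->sort_list);
		free(f); freed++;
	}
	return freed;
}

/* Constructed scenario: two entries on both lists, one field-only, one
 * sort-only. Four allocations must yield exactly four frees. */
static int demo_frees(void)
{
	struct fmt_list l;
	INIT_LIST_HEAD(&l.fields);
	INIT_LIST_HEAD(&l.sorts);
	fmt_new(&l, 1, 1);
	fmt_new(&l, 1, 0);
	fmt_new(&l, 1, 1);
	fmt_new(&l, 0, 1);
	return reset_output_field(&l);
}

/* list_del_init() twice on one entry: the entry and the list both stay empty. */
static int demo_double_del_is_safe(void)
{
	struct list_head head, node;
	INIT_LIST_HEAD(&head);
	INIT_LIST_HEAD(&node);
	list_add_tail(&node, &head);
	list_del_init(&node);
	list_del_init(&node);
	return list_empty(&node) && list_empty(&head);
}

int main(void)
{
	printf("frees: %d (expect 4)\n", demo_frees());
	printf("double list_del_init safe: %d (expect 1)\n", demo_double_del_is_safe());
	return 0;
}
```

Running it under a leak or double-free checker (for example a build with AddressSanitizer) gives the same answer: four allocations, four frees, no entry visited twice. The field-only and sort-only entries exercise exactly the case the patch guards against, list_del_init() on a list head that is not linked anywhere, and it is a no-op by construction.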