[PATCH v11 32/33] perf kwork: Fix address sanitizer issues
From: Ian Rogers
Date: Sun Apr 12 2026 - 21:26:26 EST
There is a double free in the record array due to how parse_options
will mutate the array. Fix by keeping an array that isn't
mutated. Ensure kwork_usage is freed on all paths.
Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
---
tools/perf/builtin-kwork.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/tools/perf/builtin-kwork.c b/tools/perf/builtin-kwork.c
index 59a54d11f7fa..a4604e152002 100644
--- a/tools/perf/builtin-kwork.c
+++ b/tools/perf/builtin-kwork.c
@@ -2258,7 +2258,7 @@ static void setup_event_list(struct perf_kwork *kwork,
static int perf_kwork__record(struct perf_kwork *kwork,
int argc, const char **argv)
{
- const char **rec_argv;
+ const char **rec_argv, **to_free = NULL;
unsigned int rec_argc, i, j;
struct kwork_class *class;
int ret;
@@ -2295,16 +2295,27 @@ static int perf_kwork__record(struct perf_kwork *kwork,
BUG_ON(i != rec_argc);
+ /* Save the pointers as the array will be mutated by cmd_record. */
+ to_free = calloc(rec_argc + 1, sizeof(char *));
+ if (to_free == NULL) {
+ ret = -ENOMEM;
+ goto EXIT;
+ }
+
pr_debug("record comm: ");
- for (j = 0; j < rec_argc; j++)
+ for (j = 0; j < rec_argc; j++) {
pr_debug("%s ", rec_argv[j]);
+ to_free[j] = rec_argv[j];
+ }
pr_debug("\n");
ret = cmd_record(i, rec_argv);
EXIT:
for (i = 0; i < rec_argc; i++)
- free((void *)rec_argv[i]);
+ free((void *)(to_free ? to_free[i] : rec_argv[i]));
+
+ free(to_free);
free(rec_argv);
return ret;
}
@@ -2447,6 +2458,7 @@ int cmd_kwork(int argc, const char **argv)
const char *const kwork_subcommands[] = {
"record", "report", "latency", "timehist", "top", NULL
};
+ int ret = 0;
perf_tool__init(&kwork.tool, /*ordered_events=*/true);
kwork.tool.mmap = perf_event__process_mmap;
@@ -2463,7 +2475,7 @@ int cmd_kwork(int argc, const char **argv)
if (strlen(argv[0]) > 2 && strstarts("record", argv[0])) {
setup_event_list(&kwork, kwork_options, kwork_usage);
- return perf_kwork__record(&kwork, argc, argv);
+ ret = perf_kwork__record(&kwork, argc, argv);
} else if (strlen(argv[0]) > 2 && strstarts("report", argv[0])) {
kwork.sort_order = default_report_sort_order;
if (argc > 1) {
@@ -2474,7 +2486,7 @@ int cmd_kwork(int argc, const char **argv)
kwork.report = KWORK_REPORT_RUNTIME;
setup_sorting(&kwork, report_options, report_usage);
setup_event_list(&kwork, kwork_options, kwork_usage);
- return perf_kwork__report(&kwork);
+ ret = perf_kwork__report(&kwork);
} else if (strlen(argv[0]) > 2 && strstarts("latency", argv[0])) {
kwork.sort_order = default_latency_sort_order;
if (argc > 1) {
@@ -2485,7 +2497,7 @@ int cmd_kwork(int argc, const char **argv)
kwork.report = KWORK_REPORT_LATENCY;
setup_sorting(&kwork, latency_options, latency_usage);
setup_event_list(&kwork, kwork_options, kwork_usage);
- return perf_kwork__report(&kwork);
+ ret = perf_kwork__report(&kwork);
} else if (strlen(argv[0]) > 2 && strstarts("timehist", argv[0])) {
if (argc > 1) {
argc = parse_options(argc, argv, timehist_options, timehist_usage, 0);
@@ -2494,7 +2506,7 @@ int cmd_kwork(int argc, const char **argv)
}
kwork.report = KWORK_REPORT_TIMEHIST;
setup_event_list(&kwork, kwork_options, kwork_usage);
- return perf_kwork__timehist(&kwork);
+ ret = perf_kwork__timehist(&kwork);
} else if (strlen(argv[0]) > 2 && strstarts("top", argv[0])) {
kwork.sort_order = default_top_sort_order;
if (argc > 1) {
@@ -2507,12 +2519,12 @@ int cmd_kwork(int argc, const char **argv)
kwork.event_list_str = "sched, irq, softirq";
setup_event_list(&kwork, kwork_options, kwork_usage);
setup_sorting(&kwork, top_options, top_usage);
- return perf_kwork__top(&kwork);
+ ret = perf_kwork__top(&kwork);
} else
usage_with_options(kwork_usage, kwork_options);
/* free usage string allocated by parse_options_subcommand */
free((void *)kwork_usage[0]);
- return 0;
+ return ret;
}
--
2.53.0.1213.gd9a14994de-goog