From nobody Thu Apr  9 15:50:37 2026
Received: from mail-dl1-f73.google.com (mail-dl1-f73.google.com
 [74.125.82.73])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C0913F9FB
	for <linux-kernel@vger.kernel.org>; Sat,  7 Mar 2026 00:22:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=74.125.82.73
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772842947; cv=none;
 b=APc7E8SFJMnifNch+ZIXsz/gmaQqPSwy4nFY8vVHlQ7VkiWXQblepwsQEgPY7s3/9n78lXXhHcGAIncE1e+UxrtCZu8kPi/nh9qSzB8d4u9JsDOJ3MVhfNS04zsiwVd6Y33I8gRHyKfecjDZohac6S4KZbjle4Mc8IGK5jp0TVE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772842947; c=relaxed/simple;
	bh=eWQYFbwgl94p3jmuxbH9YgoYlnKa580ycuvfZ+uUojg=;
	h=Date:Mime-Version:Message-ID:Subject:From:To:Content-Type;
 b=HNBDYss7gzBHhD+VJL+rwy06hqhb27pnOoZZXuyx7qFKF9K1s0NjShA0VNDFDQj3gKf9yDtzoHqnwGGY17zgksGS3N0uoPA0npmEExBX0B5Y3X0+dZRGhbgatNkcm/fscMRPBdWCA2qwED6r0GvsbzmxWAY4OkNQVxrtRL6FGnU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--irogers.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=rNC8MSVE; arc=none smtp.client-ip=74.125.82.73
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--irogers.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="rNC8MSVE"
Received: by mail-dl1-f73.google.com with SMTP id
 a92af1059eb24-12721cd1a2aso10296821c88.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 06 Mar 2026 16:22:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1772842946; x=1773447746;
 darn=vger.kernel.org;
        h=to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=LPf3Axghl6gfwZpPkxBU3xu5lg7lW1gM/wsxQ2W2Ez8=;
        b=rNC8MSVEfOW2FX0Pb4YG2khOrCuNbvnEZLXkNI7prsjy0xGP5Qfi+ymQ0MerAiBQJS
         SY0qPX4be6CTK9dtSjZN5QrP5Ec4AbXN5vEim1YyHRFJ8b8qrzHSBIzE9R4ervCq6qqy
         8SPx41sfcAxGdQVSZ6+YzgkgqPnkkug/4FlaQt1+UGYn1O9ooZJnrdBF9Y9wJfKALNQx
         TFf7+asrh44TQiWHO7IzOed47Kf/RG2cJqBBlWUE+16fFREp1vOzCdJTVY80RLKZId5s
         UVvM+UQc2kXgSUYZT5N+E8S+7G5d74w7v0bmqiWVRpQ/clxP053i85/9Rn4CyAsyArEK
         M4ZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772842946; x=1773447746;
        h=to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=LPf3Axghl6gfwZpPkxBU3xu5lg7lW1gM/wsxQ2W2Ez8=;
        b=UGxV2ljj+ansWyl718k7T4R+6VzR6bXuq1fMhGWjkdwX+2rDEdrlCbiWzmR1dVk7EE
         zZlMPLB+uJAXKuZZ1puLW5JHxBNYz6GfrzrIvDixZclnTTqj9nEpsO+EwxUX+FG9nr+S
         lywrlAnDch+BGLjegTEt4uwiKGItyRzMYVM/99Y/rwoiBC41hjXedCC5nJFj/zchw6az
         Xe0HP8QPO4YMH64lhTV/xltnEe5BclBi3X2ikWdMqrO7ro2tyiWVU0dfN2WMO7LLb0iO
         HzsasFSRkL82YXvBWjKEV6e8dK+UpgLv3mP7UTgZnVzW4s02TQb9eBEC6x2QpDAbf+BH
         2axw==
X-Forwarded-Encrypted: i=1;
 AJvYcCXwMBaM6VFM/4seOirkPmrx17L5ZIyEd/laHSI2Lqc9T7/Gok/8QNOyBYFWHZ/iFSgNclnrhbf+Wf9xkdM=@vger.kernel.org
X-Gm-Message-State: AOJu0Ywbl/6n10ntI80ILY9WYkVMEbkzQGEq30CzZN+B0D3Ypu4SPNF4
	l+PDumtUbBTIL8omp1CWwbgRMuVz7s6LKm388wc7Ix5Ok3/4syYjIkn1KQJvjWyQAdz5bIIzRrw
	KNvSRcXH24A==
X-Received: from dycoi5.prod.google.com
 ([2002:a05:7301:da85:b0:2be:3f20:9002])
 (user=irogers job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:7300:818c:b0:2be:22b0:8be7
 with SMTP id 5a478bee46e88-2be4e08b14emr1802520eec.35.1772842945433; Fri, 06
 Mar 2026 16:22:25 -0800 (PST)
Date: Fri,  6 Mar 2026 16:22:22 -0800
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog
Message-ID: <20260307002222.2463509-1-irogers@google.com>
Subject: [PATCH v2] perf disasm: Fix potential use-after-free on fileloc
From: Ian Rogers <irogers@google.com>
To: Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
 Namhyung Kim <namhyung@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>, Adrian Hunter <adrian.hunter@intel.com>,
	James Clark <james.clark@linaro.org>, Athira Rajeev <atrajeev@linux.ibm.com>,
	linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The fileloc is a copy of a pointer to a string but in places like
symbol_disassemble__llvm this string appears to be freed setting up
potential use-after-frees:

llvm.c:
```
		dl =3D disasm_line__new(args);
		if (dl =3D=3D NULL)
			goto err;

		annotation_line__add(&dl->al, &notes->src->source);

		free(args->fileloc);
```
disasm.c:
```
static void annotation_line__init(struct annotation_line *al,
				  struct annotate_args *args,
				  int nr)
{
	al->offset =3D args->offset;
	al->line =3D strdup(args->line);
	al->line_nr =3D args->line_nr;
	al->fileloc =3D args->fileloc;
	al->data_nr =3D nr;
}

struct disasm_line *disasm_line__new(struct annotate_args *args)
{
	struct disasm_line *dl =3D NULL;
	struct annotation *notes =3D symbol__annotation(args->ms->sym);
	int nr =3D notes->src->nr_events;

	dl =3D zalloc(disasm_line_size(nr));
	if (!dl)
		return NULL;

	annotation_line__init(&dl->al, args, nr);
```

Fix this by making the fileloc a copy of the underlying string in its
init/exit.

Signed-off-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/disasm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
index ddcc488f2e5f..3fcb3634a7e0 100644
--- a/tools/perf/util/disasm.c
+++ b/tools/perf/util/disasm.c
@@ -908,13 +908,14 @@ static void annotation_line__init(struct annotation_l=
ine *al,
 	al->offset =3D args->offset;
 	al->line =3D strdup(args->line);
 	al->line_nr =3D args->line_nr;
-	al->fileloc =3D args->fileloc;
+	al->fileloc =3D args->fileloc ? strdup(args->fileloc) : NULL;
 	al->data_nr =3D nr;
 }
=20
 static void annotation_line__exit(struct annotation_line *al)
 {
 	zfree_srcline(&al->path);
+	zfree(&al->fileloc);
 	zfree(&al->line);
 	zfree(&al->cycles);
 	zfree(&al->br_cntr);
@@ -950,7 +951,7 @@ struct disasm_line *disasm_line__new(struct annotate_ar=
gs *args)
=20
 	annotation_line__init(&dl->al, args, nr);
 	if (dl->al.line =3D=3D NULL)
-		goto out_delete;
+		goto out_free_line;
=20
 	if (args->offset !=3D -1) {
 		if (arch__is_powerpc(args->arch)) {
@@ -965,8 +966,7 @@ struct disasm_line *disasm_line__new(struct annotate_ar=
gs *args)
 	return dl;
=20
 out_free_line:
-	zfree(&dl->al.line);
-out_delete:
+	annotation_line__exit(&dl->al);
 	free(dl);
 	return NULL;
 }
--=20
2.53.0.473.g4a7958ca14-goog