From 5ab423d3f3e8ee1de96984a7b7e893868f876d42 Mon Sep 17 00:00:00 2001
From: duanery <corcpp@foxmail.com>
Date: Mon, 18 Mar 2024 10:10:17 +0800
Subject: [PATCH] convert: Fix double free of env.

*** Error in `./perf-prof': double free or corruption (!prev): 0x0000000001691040 ***

(gdb) bt
 #0  0x00007fc6f717d3a7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
 #1  0x00007fc6f717ea98 in __GI_abort () at abort.c:90
 #2  0x00007fc6f71bfef7 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fc6f72d2418 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
 #3  0x00007fc6f71c86e9 in malloc_printerr (ar_ptr=0x7fc6f750f760 <main_arena>, ptr=<optimized out>, str=0x7fc6f72d2540 "double free or corruption (!prev)", action=3)
    at malloc.c:4967
 #4  _int_free (av=0x7fc6f750f760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3843
 #5  0x000000000041b3bb in perf_timespec_init (dev=dev@entry=0x169cec0) at convert.c:375
 #6  0x0000000000412cc4 in prof_dev_enable (dev=dev@entry=0x169cec0) at monitor.c:1820

(gdb) f 5
 #5  0x000000000041b3bb in perf_timespec_init (dev=dev@entry=0x169cec0) at convert.c:375

(gdb) info locals
 evlist = <optimized out>
 map = <optimized out>
 tidmap = 0x16686b0
 e = 0x1691040  ==> double free
 evt = 0x0

When prof_dev_open_cpu_thread_map() returns NULL, env has been freed.

Signed-off-by: duanery <corcpp@foxmail.com>
---
 convert.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/convert.c b/convert.c
index cfc31e2..eb2ce35 100644
--- a/convert.c
+++ b/convert.c
@@ -354,9 +354,9 @@ int perf_timespec_init(struct prof_dev *dev)
     e->tsc_offset = dev->env->tsc_offset;
 
     evt = prof_dev_open_cpu_thread_map(&evtime, e, NULL, tidmap, NULL);
-    if (!evt) goto NULL_evrt;
-
     e = NULL;
+    if (!evt) goto NULL_e;
+
     evt->private = dev;
 
     // trigger getpid syscall
@@ -371,8 +371,6 @@ int perf_timespec_init(struct prof_dev *dev)
         dev->time_ctx.base_timespec.tv_nsec = 0;
     }
 
-NULL_evrt:
-    if (e) free(e);
 NULL_e:
     perf_thread_map__put(tidmap);
 NULL_tidmap: