From: Krister Johansen <kjlx@templeofstupid.com>
To: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: "Krister Johansen" <kjlx@templeofstupid.com>,
	"Masami Hiramatsu" <mhiramat@kernel.org>,
	"Namhyung Kim" <namhyung@kernel.org>,
	"Frédéric Weisbecker" <fweisbec@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: Re: callchain map refcounting fixes was Re: [PATCH perf/core] perf script: fix a use after free crash.
Date: Wed, 5 Oct 2016 23:12:10 -0700
Message-ID: <20161006061210.GB2525@templeofstupid.com>
In-Reply-To: <20161005114524.GY7143@kernel.org>

On Wed, Oct 05, 2016 at 08:45:24AM -0300, Arnaldo Carvalho de Melo wrote:
> Em Sat, Oct 01, 2016 at 08:13:36PM -0700, Krister Johansen escreveu:
> > If dso__load_kcore frees all of the existing maps, but one has already
> > been attached to a callchain cursor node, then we can get a SIGSEGV in
> > any function that happens to try to use this cursor with the invalid
> > map.  Use the existing map refcount mechanism to forestall cleanup of a
> > map until the cursor iterates past the node.
> 
> Seems ok, thanks for working on this! Can you provide a test case that
> causes the SEGV so that I can, in addition to reviewing your changes and
> auditing the code to check if all cases are plugged, reproduce the
> problem?

Absolutely.  Thanks for taking the time to look it over.

AFAICT, this occurs when you're probing a .ko with its own debug
information, but when the kernel has none.  The kernel and all of the
in-tree modules were built through an RPM build that strips out
debuginfo into a separate package.  On this particular system, the
kernel debuginfo packages were not installed.  However, I had recently
changed a dkms build of an external module to use -g and to not strip.
We had one lonely .ko with all of its debug information inside, and a
kernel that perf was going to need to use kallsyms.  I was able to
insert the kprobe into the module and record events.  It was just script
and report that caused the core.

It should be possible to reproduce this by running script against a
trace that was recorded from kprobes in a module that has debug
information, but while running a kernel that does not.  I didn't specify
any special options for lookup of vmlinux.  I just let the tool figure
it out.

If you think it'd be useful, I can send along the notes that I took when
I debugged this.  They're about 15k, which is why I would hesitate to
send it to the entire list unsolicited.

Thanks again,

-K
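The lifetime problem the patch addresses, as an added example that is not part of this thread or of the perf source: a toy refcounted "map" with a cursor node that either stores a raw pointer (the buggy pattern) or takes a reference (the fix), and a flush that models a kcore reload dropping every existing map. The map__get()/map__put() names and the scenario values are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted map, loosely modelled on the map__get()/map__put() idiom.
 * Everything here is constructed for the example; it is not perf code. */
struct map {
	char name[32];
	int refcnt;
};

/* Counts real free() calls so scenarios can report lifetime events
 * without ever touching freed memory. */
static int maps_freed;

static struct map *map__new(const char *name)
{
	struct map *m = calloc(1, sizeof(*m));
	if (!m)
		abort();
	strncpy(m->name, name, sizeof(m->name) - 1);
	m->refcnt = 1;			/* creator holds the first reference */
	return m;
}

static struct map *map__get(struct map *m)
{
	if (m)
		m->refcnt++;
	return m;
}

static void map__put(struct map *m)
{
	if (m && --m->refcnt == 0) {
		free(m);
		maps_freed++;
	}
}

/* The maps a dso owns; a kcore-style reload empties this list. */
#define MAX_MAPS 4
struct map_groups {
	struct map *maps[MAX_MAPS];
	int n;
};

/* Callchain cursor node: the frame's ip plus the map it resolved to. */
struct cursor_node {
	struct map *map;
	unsigned long ip;
};

/* Buggy pattern: raw pointer, no reference taken. */
static void node_set_raw(struct cursor_node *n, struct map *m, unsigned long ip)
{
	n->map = m;
	n->ip = ip;
}

/* Fixed pattern: the node owns a reference while it points at the map. */
static void node_set(struct cursor_node *n, struct map *m, unsigned long ip)
{
	map__put(n->map);		/* drop whatever the node held before */
	n->map = map__get(m);
	n->ip = ip;
}

static void node_clear(struct cursor_node *n)
{
	map__put(n->map);
	n->map = NULL;
}

/* Reload that discards every existing map: the group drops its references,
 * so any map with no other holder is freed right here. */
static void map_groups__flush(struct map_groups *mg)
{
	for (int i = 0; i < mg->n; i++) {
		map__put(mg->maps[i]);
		mg->maps[i] = NULL;
	}
	mg->n = 0;
}

/* Returns 1 if the cursor node was left pointing at an already-freed map
 * (the use-after-free precondition), 0 otherwise. *freed_after_release
 * gets the number of maps freed once the cursor is done: 1 means the
 * fixed path released the map instead of leaking it. */
int run_scenario(int take_ref, int *freed_after_release)
{
	struct map_groups mg = { .n = 0 };
	struct cursor_node node = { .map = NULL, .ip = 0 };
	int dangling;

	maps_freed = 0;
	mg.maps[mg.n++] = map__new("mymod.ko");	/* constructed module map */

	if (take_ref)				/* cursor resolves a frame in the module */
		node_set(&node, mg.maps[0], 0xc0001000UL);
	else
		node_set_raw(&node, mg.maps[0], 0xc0001000UL);

	map_groups__flush(&mg);			/* reload: all maps dropped */

	/* decided from the counter only; node.map is never dereferenced */
	dangling = (node.map != NULL && maps_freed > 0);

	if (take_ref)
		node_clear(&node);		/* last reference: freed now */
	else
		node.map = NULL;		/* raw pointer: nothing to release */

	if (freed_after_release)
		*freed_after_release = maps_freed;
	return dangling;
}

int main(void)
{
	int freed, dangling;
	dangling = run_scenario(0, &freed);
	printf("raw pointer: dangling=%d freed=%d\n", dangling, freed);
	dangling = run_scenario(1, &freed);
	printf("refcounted:  dangling=%d freed=%d\n", dangling, freed);
	return 0;
}
```

The raw-pointer scenario reports the map freed while the node still holds its address, which is exactly the state in which any later use of the cursor crashes; the refcounted scenario keeps the map alive through the flush and frees it only when the node is cleared, so the fix neither leaves a dangling pointer nor leaks the map.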
