From: Krister Johansen <kjlx@templeofstupid.com>
To: Namhyung Kim <namhyung@kernel.org>
Cc: "Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Masami Hiramatsu" <mhiramat@kernel.org>,
"Frédéric Weisbecker" <fweisbec@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: callchain map refcounting fixes was Re: [PATCH perf/core] perf script: fix a use after free crash.
Date: Sat, 8 Oct 2016 23:13:21 -0700 [thread overview]
Message-ID: <20161009061321.GA2677@templeofstupid.com> (raw)
In-Reply-To: <20161007022200.GB31113@sejong>
Hi Namhyung,
Thanks for looking this over.
On Fri, Oct 07, 2016 at 11:22:00AM +0900, Namhyung Kim wrote:
> On Wed, Oct 05, 2016 at 08:45:24AM -0300, Arnaldo Carvalho de Melo wrote:
> > Em Sat, Oct 01, 2016 at 08:13:36PM -0700, Krister Johansen escreveu:
> > > diff --git a/tools/perf/util/callchain.c b/tools/perf/util/callchain.c
> > > index 07fd30b..15c89b2 100644
> > > --- a/tools/perf/util/callchain.c
> > > +++ b/tools/perf/util/callchain.c
> > > @@ -439,7 +439,7 @@ fill_node(struct callchain_node *node, struct callchain_cursor *cursor)
> > > }
> > > call->ip = cursor_node->ip;
> > > call->ms.sym = cursor_node->sym;
> > > - call->ms.map = cursor_node->map;
> > > + call->ms.map = map__get(cursor_node->map);
> > > list_add_tail(&call->list, &node->val);
> > >
> > > callchain_cursor_advance(cursor);
> > > @@ -464,6 +464,7 @@ add_child(struct callchain_node *parent,
> > >
> > > list_for_each_entry_safe(call, tmp, &new->val, list) {
> > > list_del(&call->list);
> > > + map__zput(call->ms.map);
> > > free(call);
> > > }
> > > free(new);
> > > @@ -732,6 +733,7 @@ merge_chain_branch(struct callchain_cursor *cursor,
> > > callchain_cursor_append(cursor, list->ip,
> > > list->ms.map, list->ms.sym);
> > > list_del(&list->list);
> > > + map__zput(list->ms.map);
> > > free(list);
> > > }
> > >
> > > @@ -780,7 +782,8 @@ int callchain_cursor_append(struct callchain_cursor *cursor,
> > > }
> > >
> > > node->ip = ip;
> > > - node->map = map;
> > > + map__zput(node->map);
> > > + node->map = map__get(map);
> > > node->sym = sym;
> > >
> > > cursor->nr++;
> > > @@ -830,6 +833,8 @@ int fill_callchain_info(struct addr_location *al, struct callchain_cursor_node *
> > > goto out;
> > > }
> > >
> > > + map__get(al->map);
> > > +
> > > if (al->map->groups == &al->machine->kmaps) {
> > > if (machine__is_host(al->machine)) {
> > > al->cpumode = PERF_RECORD_MISC_KERNEL;
> > > @@ -947,11 +952,13 @@ static void free_callchain_node(struct callchain_node *node)
> > >
> > > list_for_each_entry_safe(list, tmp, &node->parent_val, list) {
> > > list_del(&list->list);
> > > + map__zput(list->ms.map);
> > > free(list);
> > > }
> > >
> > > list_for_each_entry_safe(list, tmp, &node->val, list) {
> > > list_del(&list->list);
> > > + map__zput(list->ms.map);
> > > free(list);
> > > }
> > >
> > > @@ -1035,6 +1042,7 @@ int callchain_node__make_parent_list(struct callchain_node *node)
> > > out:
> > > list_for_each_entry_safe(chain, new, &head, list) {
> > > list_del(&chain->list);
> > > + map__zput(chain->ms.map);
>
> I think you need to grab the refcnt in the "while (parent)" loop above.
Thanks; good catch. I'll fix this.
> > > diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
> > > index b02992e..f8335e8 100644
> > > --- a/tools/perf/util/hist.c
> > > +++ b/tools/perf/util/hist.c
> > > @@ -1,6 +1,7 @@
> > > #include "util.h"
> > > #include "build-id.h"
> > > #include "hist.h"
> > > +#include "map.h"
> > > #include "session.h"
> > > #include "sort.h"
> > > #include "evlist.h"
> > > @@ -970,6 +971,8 @@ iter_add_next_cumulative_entry(struct hist_entry_iter *iter,
> > >
> > > if (symbol_conf.use_callchain)
> > > callchain_append(he->callchain, &cursor, sample->period);
> > > + /* Cleanup temporary cursor. */
> > > + callchain_cursor_snapshot_rele(&cursor);
>
> This callchain shotshot is used in a short period of time, and it's
> guaranteed that the maps in callchains will not freed due to refcnt in
> the orignal callchain cursor. So I think we can skip to get/put
> refcnt on the snapshot cursor. Also "rele" seems not a good name..
Ok. I'll remove the get/put from the snapshot stuff, and will excise the
rele function.
> > > return 0;
> > > }
> > >
> > > @@ -979,6 +982,7 @@ iter_finish_cumulative_entry(struct hist_entry_iter *iter,
> > > {
> > > zfree(&iter->priv);
> > > iter->he = NULL;
> > > + map__zput(al->map);
>
> What is this needed? Why other places like iter_finish_normal_entry
> isn't?
I put a map__zput() here because iter_next_cumulative_entry() calls
fill_callchain_info(), which takes a reference on the al->map in the
struct addr_location that it returns. I had forgotten all of this by
the time you asked. When I went back to work out my rationale, I
stumbled across addr_location__put(). Think it would make sense to
relocate the put of al->map there instead?
Thanks for the feedback. I'll send out a v2 once I get your changes
incorporated and tested.
-K
next prev parent reply other threads:[~2016-10-09 6:13 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-02 3:13 [PATCH perf/core] perf script: fix a use after free crash Krister Johansen
2016-10-05 11:45 ` callchain map refcounting fixes was " Arnaldo Carvalho de Melo
2016-10-06 0:29 ` Masami Hiramatsu
2016-10-06 6:12 ` Krister Johansen
2016-10-07 2:22 ` Namhyung Kim
2016-10-09 6:13 ` Krister Johansen [this message]
2016-10-11 9:28 ` Krister Johansen
2016-10-11 9:28 ` [PATCH v2 " Krister Johansen
2016-10-26 0:20 ` Krister Johansen
2016-10-26 13:44 ` Arnaldo Carvalho de Melo
2016-11-11 0:40 ` Krister Johansen
2016-11-22 19:01 ` Arnaldo Carvalho de Melo
2016-12-02 7:12 ` Krister Johansen
2016-12-29 1:39 ` Krister Johansen
2017-01-02 15:15 ` Arnaldo Carvalho de Melo
2017-01-02 17:35 ` Arnaldo Carvalho de Melo
2017-01-02 17:36 ` Arnaldo Carvalho de Melo
2017-01-02 19:39 ` Arnaldo Carvalho de Melo
2017-01-03 0:30 ` Arnaldo Carvalho de Melo
2017-01-04 8:37 ` Krister Johansen
2017-01-06 6:22 ` Krister Johansen
2017-01-06 6:23 ` [PATCH v3 " Krister Johansen
2017-01-21 1:48 ` Krister Johansen
2017-02-01 14:39 ` [tip:perf/core] perf callchain: Reference count maps tip-bot for Krister Johansen
2017-02-03 19:47 ` [tip:perf/urgent] " tip-bot for Krister Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161009061321.GA2677@templeofstupid.com \
--to=kjlx@templeofstupid.com \
--cc=acme@kernel.org \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=namhyung@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.