From: Arnaldo Carvalho de Melo
To: Krister Johansen
Cc: Namhyung Kim, Masami Hiramatsu, Frédéric Weisbecker, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
Date: Mon, 2 Jan 2017 12:15:14 -0300
Message-ID: <20170102151514.GB21178@kernel.org>
In-Reply-To: <20161229013947.GA2341@templeofstupid.com>

On Wed, Dec 28, 2016 at 05:39:47PM -0800, Krister Johansen wrote:
> On Tue, Nov 22, 2016 at 04:01:06PM -0300, Arnaldo Carvalho de Melo wrote:
> > #include "evlist.h"
> > @@ -979,6 +980,7 @@ iter_finish_cumulative_entry(struct hist_entry_iter *iter,
> > {
> > zfree(&iter->priv);
> > iter->he = NULL;
> > + map__zput(al->map);

> As part of trying to tie up the year-end loose ends, I went back and
> re-tested a rebased version of this patch against perf/core. I ended
> up with a merge that's identical to yours, except that I'm not seeing
> any assertion failures with 'perf top -g', 'perf script', or 'perf
> report'. Was perf/core the branch that was giving you trouble?

Yeah, I just tested it with my tip/perf/core and got this:

     0.00%     0.00%  [kernel]  [k] file_free_rcu
     0.00%     0.00%  [kernel]  [k] timerqueue_del
     0.00%     0.00%  [kernel]  [k] irq_work_run
     0.00%     0.00%  [kernel]  [k] native_irq_return_iret
     0.00%     0.00%  [kernel]  [k] native_sched_clock
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@jouet 3.4]#

Tried it again with what is in Linus' tree + your patch and got the same problem:

[acme@jouet linux]$ git remote -v | grep torvalds.*fetch
torvalds	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git (fetch)
[acme@jouet linux]$ git checkout -b test-branch torvalds/master
Branch test-branch set up to track remote branch master from torvalds.
Switched to a new branch 'test-branch'
[acme@jouet linux]$ git cherry-pick f7347a33099dbad7e9fb3c22cea211f238bfd320
[test-branch 7d786f548b62] perf callchain: Fix a use after free crash due to refcounting bug
 Author: Krister Johansen
 Date: Mon Jan 2 12:06:55 2017 -0300
 3 files changed, 19 insertions(+), 2 deletions(-)
[acme@jouet linux]$ rm -rf /tmp/build/perf/ ; mkdir -p /tmp/build/perf ; make O=/tmp/build/perf -C tools/perf install-bin
make: Entering directory '/home/acme/git/linux/tools/perf'
  BUILD:   Doing 'make -j4' parallel build
  HOSTCC   /tmp/build/perf/fixdep.o

Then I run it with a higher frequency and no delay in refreshing the
screen, to stress the refcounting code:

  # perf top -F 10000 -g -d 0

Do it while running something like 'make -j32 allmodconfig' to create
lots of short-lived processes (or use stress-ng, etc).

+    0.79%     0.00%  [kernel]  [k] search_binary_handler
+    0.79%     0.00%  [kernel]  [k] do_execveat_common.isra.37
+    0.79%     0.00%  [kernel]  [k] sys_execve
+    0.79%     0.00%  [kernel]  [k] do_syscall_64
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@jouet 3.4]#

- Arnaldo
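Review bot: the map__zput(al->map) added at the end of iter_finish_cumulative_entry drops a reference that nothing in the quoted hunk shows being taken; if al->map was filled in by a lookup that only borrows the map while the maps tree keeps its own reference, this put releases the tree's reference rather than the iterator's. The map__exit assertion reported in this reply is RB_EMPTY_NODE(&map->rb_node) expanded, i.e. the map is being torn down while still linked into an rbtree, which is exactly what the last put on a map still inserted in its maps tree produces. The put should be paired with a map__get() at the point where al->map is resolved, or moved to wherever that reference is actually owned, and the hunk should say which of the two it relies on.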
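The failure mode reproduced in this reply, as an added example that is neither perf code nor the patch under review: a minimal model of the refcount plus container-membership discipline that the map__exit assertion enforces, written with hypothetical names (obj, container, iterate_once). The container takes its own reference on insert, lookups hand out borrowed pointers, and a put on a borrowed pointer is the case the assertion catches. Here the bad put is reported through a return value instead of aborting, so both the balanced and the unbalanced path can be run side by side.

```c
/* Added example, not from perf: models map__get/map__put/map__zput and the
 * "still in the rbtree at teardown" check behind the map__exit assertion. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one put; returned rather than assert()ed so both paths run. */
enum put_result {
	PUT_ALIVE,         /* other references remain */
	PUT_FREED,         /* last reference dropped, object freed */
	PUT_STILL_LINKED,  /* last put while a container still points at it */
	PUT_UNDERFLOW      /* put on a NULL pointer or a zero refcount */
};

struct obj {
	unsigned int refcnt;
	bool linked;       /* stands in for !RB_EMPTY_NODE(&map->rb_node) */
	char name[32];
};

#define CONTAINER_SLOTS 8
struct container {         /* toy stand-in for the maps rbtree */
	struct obj *slot[CONTAINER_SLOTS];
};

static int live_objects;   /* allocation balance, checked by the test */

static struct obj *obj_new(const char *name)
{
	struct obj *o = calloc(1, sizeof(*o));
	if (!o)
		return NULL;
	o->refcnt = 1;
	snprintf(o->name, sizeof(o->name), "%s", name);
	live_objects++;
	return o;
}

static struct obj *obj_get(struct obj *o)
{
	if (o)
		o->refcnt++;
	return o;
}

static enum put_result obj_put(struct obj *o)
{
	if (!o || o->refcnt == 0)
		return PUT_UNDERFLOW;
	if (--o->refcnt > 0)
		return PUT_ALIVE;
	if (o->linked) {
		/* This is where map__exit asserts: a container still holds the
		 * object, so the caller did not own the reference it dropped.
		 * Restore the count and report instead of freeing. */
		o->refcnt = 1;
		return PUT_STILL_LINKED;
	}
	live_objects--;
	free(o);
	return PUT_FREED;
}

/* Mirrors map__zput(): put, then clear the caller's pointer. */
static enum put_result obj_zput(struct obj **po)
{
	enum put_result r = obj_put(*po);
	*po = NULL;
	return r;
}

/* The container takes its own reference, as maps__insert does for a map. */
static bool container_insert(struct container *c, struct obj *o)
{
	for (int i = 0; i < CONTAINER_SLOTS; i++) {
		if (!c->slot[i]) {
			c->slot[i] = obj_get(o);
			o->linked = true;
			return true;
		}
	}
	return false;
}

static enum put_result container_remove(struct container *c, struct obj *o)
{
	for (int i = 0; i < CONTAINER_SLOTS; i++) {
		if (c->slot[i] == o) {
			c->slot[i] = NULL;
			o->linked = false;
			return obj_put(o);
		}
	}
	return PUT_UNDERFLOW;
}

/* Lookup returns a borrowed pointer: the caller owns nothing until obj_get(). */
static struct obj *container_find(struct container *c, const char *name)
{
	for (int i = 0; i < CONTAINER_SLOTS; i++)
		if (c->slot[i] && strcmp(c->slot[i]->name, name) == 0)
			return c->slot[i];
	return NULL;
}

/* One resolve-then-release cycle, like an iterator that fills al->map and
 * later runs map__zput(al->map). caller_takes_ref selects whether the
 * borrowed lookup result was obj_get()'d before the put. */
static enum put_result iterate_once(bool caller_takes_ref)
{
	struct container c = { { 0 } };
	struct obj *creator = obj_new("libfoo.so");   /* constructed sample object */
	enum put_result r;

	container_insert(&c, creator);
	obj_put(creator);                /* creator done; container keeps it alive */

	struct obj *al_map = container_find(&c, "libfoo.so");   /* borrowed */
	if (caller_takes_ref)
		obj_get(al_map);             /* the get that makes the later put legal */

	r = obj_zput(&al_map);           /* the put from the hunk under discussion */

	container_remove(&c, container_find(&c, "libfoo.so"));  /* teardown */
	return r;
}

int main(void)
{
	static const char *names[] = { "alive", "freed", "still-linked", "underflow" };
	printf("balanced put:   %s\n", names[iterate_once(true)]);
	printf("unbalanced put: %s\n", names[iterate_once(false)]);
	printf("live objects:   %d\n", live_objects);
	return 0;
}
```

The balanced cycle ends with the container still holding the only reference (PUT_ALIVE); the unbalanced one hits the refcount-zero-while-linked check, which is the same condition the map__exit assertion in the perf output above reports, just without the abort.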