From: Krister Johansen <kjlx@templeofstupid.com>
To: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: "Namhyung Kim" <namhyung@kernel.org>,
"Masami Hiramatsu" <mhiramat@kernel.org>,
"Frédéric Weisbecker" <fweisbec@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
Date: Thu, 5 Jan 2017 22:22:50 -0800 [thread overview]
Message-ID: <20170106062250.GA2707@templeofstupid.com> (raw)
In-Reply-To: <20170104083739.GA3009@templeofstupid.com>
On Wed, Jan 04, 2017 at 12:37:39AM -0800, Krister Johansen wrote:
> On Mon, Jan 02, 2017 at 09:30:33PM -0300, Arnaldo Carvalho de Melo wrote:
> > Em Mon, Jan 02, 2017 at 04:39:04PM -0300, Arnaldo Carvalho de Melo escreveu:
> > > Em Mon, Jan 02, 2017 at 02:36:57PM -0300, Arnaldo Carvalho de Melo escreveu:
> > > > Em Mon, Jan 02, 2017 at 02:35:30PM -0300, Arnaldo Carvalho de Melo escreveu:
> > > > > Em Mon, Jan 02, 2017 at 12:15:14PM -0300, Arnaldo Carvalho de Melo escreveu:
> > > > {
> > > > zfree(&iter->priv);
> > > > iter->he = NULL;
> > > > + map__zput(al->map);
> > >
> > > What this pairs to? I was expecting that since this is called via:
> > >
> > > hist_entry_iter__add()
> > > {
> > > <SNIP>
> > > err2 = iter->ops->finish_entry(iter, al);
> > > }
> > >
> > > Then it would have to match something done earlier in
> > > hist_entry_iter__add(), most likely by some iter->ops->() method, but I
> > > couldn'd find anything to that extent, can you clarify?
> >
> > With the following patch it has been running all day, care to explain
> > why it is needed? I need to run this on valgrind or with Masami's
> > refcount debugger to get more clues :-\
>
> Let me try a version of this patch that dispenses with the code in both
> fill_callchain_info() and iter_finish_cumulative_entry. However, before
> I do that I'll make sure I can figure out how to reproduce the core that
> you were seeing. I don't want to send you yet another patch that
> doesn't run. The busy system may be the clue I needed. I had been
> running these on a mostly idle system.
I was able to reproduce your assertion failure using more load on a
system. After fixing up the issues caused by incorrectly updating the
refcounts in the hist_entry_iter's function pointers, I re-ran my own
tests and found that I was still getting a failure for 'perf report'.
The problem there seemed to be that a map was getting into a hist entry,
but was freed before the entry was actually created. The call to
hist_entry__init() that took a reference on the map was actually getting
freed memory by the time it tried to increment the reference count.
To address that, I modified hist_entry_iter__add() to take a reference
on the incoming al->map, if one exists. It drops that reference on the
way out of the function. With that change, I'm able to pass both your
'perf top' test under load and my own tests against a kernel without
debug info, but a kmod that has it.
I'll send out a v3 in just a moment.
Thanks again,
-K
next prev parent reply other threads:[~2017-01-06 6:24 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-02 3:13 [PATCH perf/core] perf script: fix a use after free crash Krister Johansen
2016-10-05 11:45 ` callchain map refcounting fixes was " Arnaldo Carvalho de Melo
2016-10-06 0:29 ` Masami Hiramatsu
2016-10-06 6:12 ` Krister Johansen
2016-10-07 2:22 ` Namhyung Kim
2016-10-09 6:13 ` Krister Johansen
2016-10-11 9:28 ` Krister Johansen
2016-10-11 9:28 ` [PATCH v2 " Krister Johansen
2016-10-26 0:20 ` Krister Johansen
2016-10-26 13:44 ` Arnaldo Carvalho de Melo
2016-11-11 0:40 ` Krister Johansen
2016-11-22 19:01 ` Arnaldo Carvalho de Melo
2016-12-02 7:12 ` Krister Johansen
2016-12-29 1:39 ` Krister Johansen
2017-01-02 15:15 ` Arnaldo Carvalho de Melo
2017-01-02 17:35 ` Arnaldo Carvalho de Melo
2017-01-02 17:36 ` Arnaldo Carvalho de Melo
2017-01-02 19:39 ` Arnaldo Carvalho de Melo
2017-01-03 0:30 ` Arnaldo Carvalho de Melo
2017-01-04 8:37 ` Krister Johansen
2017-01-06 6:22 ` Krister Johansen [this message]
2017-01-06 6:23 ` [PATCH v3 " Krister Johansen
2017-01-21 1:48 ` Krister Johansen
2017-02-01 14:39 ` [tip:perf/core] perf callchain: Reference count maps tip-bot for Krister Johansen
2017-02-03 19:47 ` [tip:perf/urgent] " tip-bot for Krister Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170106062250.GA2707@templeofstupid.com \
--to=kjlx@templeofstupid.com \
--cc=acme@kernel.org \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=namhyung@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.