From: tip-bot for Krister Johansen <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: hpa@zytor.com, mingo@kernel.org, mhiramat@kernel.org,
acme@redhat.com, namhyung@kernel.org, kjlx@templeofstupid.com,
fweisbec@gmail.com, linux-kernel@vger.kernel.org,
tglx@linutronix.de
Subject: [tip:perf/urgent] perf callchain: Reference count maps
Date: Fri, 3 Feb 2017 11:47:47 -0800 [thread overview]
Message-ID: <tip-aa33b9b9a2ebb00d33c83a5312d4fbf2d5aeba36@git.kernel.org> (raw)
In-Reply-To: <20170106062331.GB2707@templeofstupid.com>
Commit-ID: aa33b9b9a2ebb00d33c83a5312d4fbf2d5aeba36
Gitweb: http://git.kernel.org/tip/aa33b9b9a2ebb00d33c83a5312d4fbf2d5aeba36
Author: Krister Johansen <kjlx@templeofstupid.com>
AuthorDate: Thu, 5 Jan 2017 22:23:31 -0800
Committer: Arnaldo Carvalho de Melo <acme@redhat.com>
CommitDate: Thu, 2 Feb 2017 11:39:09 -0300
perf callchain: Reference count maps
If dso__load_kcore frees all of the existing maps, but one has already
been attached to a callchain cursor node, then we can get a SIGSEGV in
any function that happens to try to use this invalid cursor. Use the
existing map refcount mechanism to forestall cleanup of a map until the
cursor iterates past the node.
Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: stable@kernel.org
Fixes: 84c2cafa2889 ("perf tools: Reference count struct map")
Link: http://lkml.kernel.org/r/20170106062331.GB2707@templeofstupid.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/perf/util/callchain.c | 11 +++++++++--
tools/perf/util/callchain.h | 6 ++++++
tools/perf/util/hist.c | 7 +++++++
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/callchain.c b/tools/perf/util/callchain.c
index 4292251..8b610dd 100644
--- a/tools/perf/util/callchain.c
+++ b/tools/perf/util/callchain.c
@@ -437,7 +437,7 @@ fill_node(struct callchain_node *node, struct callchain_cursor *cursor)
}
call->ip = cursor_node->ip;
call->ms.sym = cursor_node->sym;
- call->ms.map = cursor_node->map;
+ call->ms.map = map__get(cursor_node->map);
if (cursor_node->branch) {
call->branch_count = 1;
@@ -477,6 +477,7 @@ add_child(struct callchain_node *parent,
list_for_each_entry_safe(call, tmp, &new->val, list) {
list_del(&call->list);
+ map__zput(call->ms.map);
free(call);
}
free(new);
@@ -761,6 +762,7 @@ merge_chain_branch(struct callchain_cursor *cursor,
list->ms.map, list->ms.sym,
false, NULL, 0, 0);
list_del(&list->list);
+ map__zput(list->ms.map);
free(list);
}
@@ -811,7 +813,8 @@ int callchain_cursor_append(struct callchain_cursor *cursor,
}
node->ip = ip;
- node->map = map;
+ map__zput(node->map);
+ node->map = map__get(map);
node->sym = sym;
node->branch = branch;
node->nr_loop_iter = nr_loop_iter;
@@ -1142,11 +1145,13 @@ static void free_callchain_node(struct callchain_node *node)
list_for_each_entry_safe(list, tmp, &node->parent_val, list) {
list_del(&list->list);
+ map__zput(list->ms.map);
free(list);
}
list_for_each_entry_safe(list, tmp, &node->val, list) {
list_del(&list->list);
+ map__zput(list->ms.map);
free(list);
}
@@ -1210,6 +1215,7 @@ int callchain_node__make_parent_list(struct callchain_node *node)
goto out;
*new = *chain;
new->has_children = false;
+ map__get(new->ms.map);
list_add_tail(&new->list, &head);
}
parent = parent->parent;
@@ -1230,6 +1236,7 @@ int callchain_node__make_parent_list(struct callchain_node *node)
out:
list_for_each_entry_safe(chain, new, &head, list) {
list_del(&chain->list);
+ map__zput(chain->ms.map);
free(chain);
}
return -ENOMEM;
diff --git a/tools/perf/util/callchain.h b/tools/perf/util/callchain.h
index 35c8e37..4f4b60f 100644
--- a/tools/perf/util/callchain.h
+++ b/tools/perf/util/callchain.h
@@ -5,6 +5,7 @@
#include <linux/list.h>
#include <linux/rbtree.h>
#include "event.h"
+#include "map.h"
#include "symbol.h"
#define HELP_PAD "\t\t\t\t"
@@ -184,8 +185,13 @@ int callchain_merge(struct callchain_cursor *cursor,
*/
static inline void callchain_cursor_reset(struct callchain_cursor *cursor)
{
+ struct callchain_cursor_node *node;
+
cursor->nr = 0;
cursor->last = &cursor->first;
+
+ for (node = cursor->first; node != NULL; node = node->next)
+ map__zput(node->map);
}
int callchain_cursor_append(struct callchain_cursor *cursor, u64 ip,
diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
index 6770a96..7d1b7d3 100644
--- a/tools/perf/util/hist.c
+++ b/tools/perf/util/hist.c
@@ -1,6 +1,7 @@
#include "util.h"
#include "build-id.h"
#include "hist.h"
+#include "map.h"
#include "session.h"
#include "sort.h"
#include "evlist.h"
@@ -1019,6 +1020,10 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
int max_stack_depth, void *arg)
{
int err, err2;
+ struct map *alm = NULL;
+
+ if (al && al->map)
+ alm = map__get(al->map);
err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent,
iter->evsel, al, max_stack_depth);
@@ -1058,6 +1063,8 @@ out:
if (!err)
err = err2;
+ map__put(alm);
+
return err;
}
prev parent reply other threads:[~2017-02-03 19:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-02 3:13 [PATCH perf/core] perf script: fix a use after free crash Krister Johansen
2016-10-05 11:45 ` callchain map refcounting fixes was " Arnaldo Carvalho de Melo
2016-10-06 0:29 ` Masami Hiramatsu
2016-10-06 6:12 ` Krister Johansen
2016-10-07 2:22 ` Namhyung Kim
2016-10-09 6:13 ` Krister Johansen
2016-10-11 9:28 ` Krister Johansen
2016-10-11 9:28 ` [PATCH v2 " Krister Johansen
2016-10-26 0:20 ` Krister Johansen
2016-10-26 13:44 ` Arnaldo Carvalho de Melo
2016-11-11 0:40 ` Krister Johansen
2016-11-22 19:01 ` Arnaldo Carvalho de Melo
2016-12-02 7:12 ` Krister Johansen
2016-12-29 1:39 ` Krister Johansen
2017-01-02 15:15 ` Arnaldo Carvalho de Melo
2017-01-02 17:35 ` Arnaldo Carvalho de Melo
2017-01-02 17:36 ` Arnaldo Carvalho de Melo
2017-01-02 19:39 ` Arnaldo Carvalho de Melo
2017-01-03 0:30 ` Arnaldo Carvalho de Melo
2017-01-04 8:37 ` Krister Johansen
2017-01-06 6:22 ` Krister Johansen
2017-01-06 6:23 ` [PATCH v3 " Krister Johansen
2017-01-21 1:48 ` Krister Johansen
2017-02-01 14:39 ` [tip:perf/core] perf callchain: Reference count maps tip-bot for Krister Johansen
2017-02-03 19:47 ` tip-bot for Krister Johansen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-aa33b9b9a2ebb00d33c83a5312d4fbf2d5aeba36@git.kernel.org \
--to=tipbot@zytor.com \
--cc=acme@redhat.com \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=kjlx@templeofstupid.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.