public inbox for linux-s390@vger.kernel.org
From: Thomas Richter <tmricht@linux.ibm.com>
To: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
	linux-perf-users@vger.kernel.org, acme@kernel.org,
	namhyung@kernel.org, irogers@google.com, acme@redhat.com
Cc: agordeev@linux.ibm.com, gor@linux.ibm.com,
	sumanthk@linux.ibm.com, hca@linux.ibm.com,
	Thomas Richter <tmricht@linux.ibm.com>
Subject: [PATCH 2/2] perf/bench: Double free of dynamic allocated memory
Date: Tue, 18 Mar 2025 10:51:32 +0100
Message-ID: <20250318095132.1502654-3-tmricht@linux.ibm.com>
In-Reply-To: <20250318095132.1502654-1-tmricht@linux.ibm.com>

On s390 z/VM the command 'perf bench internals pmu-scan'
dumps core, as can be seen:

Output before:
 # ./perf bench internals pmu-scan
 # Running 'internals/pmu-scan' benchmark:
 Computing performance of sysfs PMU event scan for 100 times
 perf: /root/linux/tools/include/linux/refcount.h:131:
	refcount_sub_and_test: Assertion `!(new > val)' failed.
 Aborted (core dumped)
 #

The root cause is in

perf_pmus__scan()
+--> perf_pmu__create_placeholder_core_pmu()
     +--> cpu_map__online()

cpu_map__online() has a static variable

    static struct perf_cpu_map *online;

    if (!online)
        online = perf_cpu_map__new_online_cpus();

    return online;

which is allocated once when entered for the first time.

However perf_pmu__create_placeholder_core_pmu() is actually called
two times.
First time:
   run_pmu_scan()
   +--> save_result()
        +---> perf_pmus__scan_core()
              +--> pmu_read_sysfs()
	           +--> perf_pmu__create_placeholder_core_pmu()
	...
	+--> perf_pmus__destroy()

Second time:
    run_pmu_scan()
    +--> perf_pmus__scan()
         +--> pmu_read_sysfs()
	      +--> perf_pmu__create_placeholder_core_pmu()
	...
	+--> perf_pmus__destroy()

The second time the already allocated memory pointed to by variable
'online' is returned. However in between the first and second call
of perf_pmu__create_placeholder_core_pmu()
function save_result() also frees all PMUs:

save_result()
+--> perf_pmus__destroy()
     +--> perf_pmu__delete()
	  +--> perf_cpu_map__put()
	       +--> cpu_map__delete()

cpu_map__delete() deletes the perf_cpu_map pointed to by variable
online, but this static variable is not set to NULL. In the second
invocation of perf_pmu__create_placeholder_core_pmu() the same
memory location stored in variable online is returned.

Later on run_pmu_scan() calls perf_pmus__destroy() again and then
cpu_map__delete() frees the PMU "cpu->cpus" a second time causing
the core dump.

Avoid core dump and always allocate the online CPUs.

Output after:
 # ./perf bench internals pmu-scan
 # Running 'internals/pmu-scan' benchmark:
 Computing performance of sysfs PMU event scan for 100 times
  Average core PMU scanning took: 7.970 usec (+- 0.147 usec)
  Average PMU scanning took: 60.415 usec (+- 3.986 usec)
 #

Background: s390 z/VM systems do not support PMUs for sampling and
counting. In this case dummy events are created by the perf tool
and the PMUs "tool" and "fake" are created and freed.

Fixes: a0c41caebab2f ("perf pmu: Add CPU map for "cpu" PMUs")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Cc: Ian Rogers <irogers@google.com>
---
 tools/perf/util/cpumap.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 5c329ad614e9..ab9e7a266af9 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -691,12 +691,7 @@ size_t cpu_map__snprint_mask(struct perf_cpu_map *map, char *buf, size_t size)
 
 struct perf_cpu_map *cpu_map__online(void) /* thread unsafe */
 {
-	static struct perf_cpu_map *online;
-
-	if (!online)
-		online = perf_cpu_map__new_online_cpus(); /* from /sys/devices/system/cpu/online */
-
-	return online;
+	return perf_cpu_map__new_online_cpus(); /* from /sys/devices/system/cpu/online */
 }
 
 bool aggr_cpu_id__equal(const struct aggr_cpu_id *a, const struct aggr_cpu_id *b)
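Review bot: With the static cache removed, cpu_map__online() hands every caller a newly allocated map, so the caller now owns that reference and has to drop it with perf_cpu_map__put(); nothing at the function says so, and any caller that still treats the result as a borrowed pointer will leak one map per call. Please audit the callers as part of this change and document the ownership in a comment above the function. The `/* thread unsafe */` remark on the signature described the static that is being deleted and should be dropped with it. If the one-time read of /sys/devices/system/cpu/online is worth keeping, an alternative is to retain the cache and return perf_cpu_map__get(online), so that each caller's put is balanced by its own get.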
-- 
2.48.1
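
The failure described in the commit message, reduced to a small model. This is an added example, not part of the patch or of perf's code: the names `map`, `map_new`, `map_put`, `online_cached`, `online_fresh` and `run_two_scans` are hypothetical, and a static pool stands in for malloc/free so the stale pointer can be inspected without undefined behaviour.

```c
#include <stdio.h>

/* Constructed stand-in for a refcounted CPU map; not perf's struct perf_cpu_map. */
struct map { int refcnt; };
static struct map pool[16];   /* static storage keeps a released map readable */
static int pool_used, underflows;

static struct map *map_new(void)
{
	struct map *m = &pool[pool_used++];
	m->refcnt = 1;
	return m;
}

static void map_put(struct map *m)
{
	if (m->refcnt == 0)
		underflows++;   /* perf aborts here on the refcount assertion */
	else
		m->refcnt--;    /* reaching 0 stands in for cpu_map__delete() */
}

/* Accessor before the fix: the first map is cached and never reset. */
static struct map *online_cached(void)
{
	static struct map *online;
	if (!online)
		online = map_new();
	return online;
}

static struct map *online_fresh(void) { return map_new(); } /* after the fix */

/* Two scan/destroy rounds as in run_pmu_scan(); returns the underflow count. */
int run_two_scans(struct map *(*get_online)(void))
{
	underflows = 0;
	for (int round = 0; round < 2; round++) {
		struct map *cpus = get_online(); /* placeholder core PMU takes the map */
		map_put(cpus);                   /* perf_pmus__destroy() drops it */
	}
	return underflows;
}

int main(void)
{
	printf("cached accessor: %d underflow(s)\n", run_two_scans(online_cached));
	printf("fresh accessor:  %d underflow(s)\n", run_two_scans(online_fresh));
	return 0;
}
```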

