From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Krister Johansen <kjlx@templeofstupid.com>
Cc: "Namhyung Kim" <namhyung@kernel.org>,
	"Masami Hiramatsu" <mhiramat@kernel.org>,
	"Frédéric Weisbecker" <fweisbec@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
Date: Mon, 2 Jan 2017 12:15:14 -0300	[thread overview]
Message-ID: <20170102151514.GB21178@kernel.org> (raw)
In-Reply-To: <20161229013947.GA2341@templeofstupid.com>

On Wed, Dec 28, 2016 at 05:39:47PM -0800, Krister Johansen wrote:
> On Tue, Nov 22, 2016 at 04:01:06PM -0300, Arnaldo Carvalho de Melo wrote:
> >  #include "evlist.h"
> > @@ -979,6 +980,7 @@ iter_finish_cumulative_entry(struct hist_entry_iter *iter,
> >  {
> >  	zfree(&iter->priv);
> >  	iter->he = NULL;
> > +	map__zput(al->map);
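Review bot: the map__zput(al->map) added at the end of iter_finish_cumulative_entry() drops a reference, but nothing in the hunk shows where the matching map__get() on al->map is taken; unless the resolve step that fills al->map for this iterator takes one, the put is unbalanced. That matches the failure reported later in this thread: the map__exit() assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))` is the RB_EMPTY_NODE() check, which trips when a map's refcount reaches zero while the map is still linked into a map_groups rb-tree, i.e. when a put consumed the reference the tree still holds. Suggest pairing this put with an explicit map__get() on the path that stores al->map for the iterator, in the same patch, so the ownership of al->map is visible in one place.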
 
> As part of trying to tie up the year-end loose-ends, I went back and
> re-tested a rebase'd version of this patch against perf/core.  I ended
> up with a merge that's identical to yours, except that I'm not seeing
> any assertion failures with 'perf top -g', 'perf script', or 'perf
> report'.  Was perf/core the branch that was giving you trouble?

Yeah, I just tested it with my tip/perf/core and got this:

     0.00%     0.00%  [kernel]                    [k] file_free_rcu
     0.00%     0.00%  [kernel]                    [k] timerqueue_del
     0.00%     0.00%  [kernel]                    [k] irq_work_run
     0.00%     0.00%  [kernel]                    [k] native_irq_return_iret
     0.00%     0.00%  [kernel]                    [k] native_sched_clock
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@jouet 3.4]#

Tried it again with what is in Linus' tree + your patch and got the same
problem:

[acme@jouet linux]$ git remote -v | grep torvalds.*fetch
torvalds	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git (fetch)
[acme@jouet linux]$ git checkout -b test-branch torvalds/master
Branch test-branch set up to track remote branch master from torvalds.
Switched to a new branch 'test-branch'
[acme@jouet linux]$ git cherry-pick f7347a33099dbad7e9fb3c22cea211f238bfd320
[test-branch 7d786f548b62] perf callchain: Fix a use after free crash due to refcounting bug
 Author: Krister Johansen <kjlx@templeofstupid.com>
 Date: Mon Jan 2 12:06:55 2017 -0300
 3 files changed, 19 insertions(+), 2 deletions(-)
[acme@jouet linux]$ rm -rf /tmp/build/perf/ ; mkdir -p /tmp/build/perf ; make O=/tmp/build/perf -C tools/perf install-bin
make: Entering directory '/home/acme/git/linux/tools/perf'
  BUILD:   Doing 'make -j4' parallel build
  HOSTCC   /tmp/build/perf/fixdep.o
<SNIP>

Then I run it with a higher frequency and no delay in refreshing the screen, to
stress the refcounting code:

# perf top -F 10000 -g -d 0

Do it while running something like 'make -j32 allmodconfig' to create lots of
short lived processes (or use stress-ng, etc).

+    0.79%     0.00%  [kernel]                    [k] search_binary_handler
+    0.79%     0.00%  [kernel]                    [k] do_execveat_common.isra.37
+    0.79%     0.00%  [kernel]                    [k] sys_execve
+    0.79%     0.00%  [kernel]                    [k] do_syscall_64
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@jouet 3.4]# 

- Arnaldo
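The ownership rule the stress test above is exercising, as an added example that is not perf's code and not from anyone in this thread: a map is kept alive by a reference count, the map_groups tree holds one reference per linked map, and a consumer that stores a map pointer in an addr_location must take its own reference before the iterator's finish step puts it. The model below reuses perf's names (map__get, map__put, map__zput, map_groups, addr_location) but replaces the rb-tree with a fixed array and the abort in map__exit() with a status code, so the same check that produced the quoted assertion can be observed in both the balanced and the unbalanced case.

```c
/* Added example, not perf's code: a cut-down model of the map refcounting
 * rules discussed in this thread, including the teardown check behind the
 * map__exit() assertion quoted above. map__get/put/zput and map_groups are
 * perf's names; the array replacing the rb-tree and the status codes replacing
 * the abort are this example's own simplifications. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum map_status {
	MAP_OK = 0,
	MAP_STILL_LINKED, /* refcount hit zero while a tree still links the map */
	MAP_UNDERFLOW,    /* put on a map whose refcount is already zero */
};

struct map {
	int refcnt;
	bool linked; /* stands in for !RB_EMPTY_NODE(&map->rb_node) */
};

struct map_groups { struct map *maps[8]; int nr; }; /* owns one ref per linked map */

static struct map *map__get(struct map *m) { if (m) m->refcnt++; return m; }

/* Modelled on perf's map__exit(): the quoted assertion is RB_EMPTY_NODE(),
 * so it trips when a map is freed while a tree still points at it. */
static enum map_status map__exit(struct map *m)
{
	if (m->linked)
		return MAP_STILL_LINKED; /* real perf aborts; here the map leaks */
	free(m);
	return MAP_OK;
}

static enum map_status map__put(struct map *m)
{
	if (!m) return MAP_OK;
	if (m->refcnt <= 0) return MAP_UNDERFLOW;
	return --m->refcnt == 0 ? map__exit(m) : MAP_OK;
}

/* put and clear the caller's pointer, like perf's map__zput() macro */
static enum map_status map__zput(struct map **mp)
{
	enum map_status s = map__put(*mp); *mp = NULL; return s;
}

/* the tree takes its own reference when a map is linked into it */
static void map_groups__insert(struct map_groups *mg, struct map *m)
{ mg->maps[mg->nr++] = map__get(m); m->linked = true; }

static enum map_status map_groups__remove(struct map_groups *mg, struct map *m)
{
	for (int i = 0; i < mg->nr; i++) {
		if (mg->maps[i] != m) continue;
		mg->maps[i] = mg->maps[--mg->nr];
		m->linked = false;
		return map__put(m); /* drop the tree's reference */
	}
	return MAP_OK;
}

/* Consumer side: resolution fills al->map and the iterator's finish step does
 * the map__zput(al->map) from the patch; take_ref says whether the resolve
 * step took a reference for al->map to own. */
struct addr_location { struct map *map; };

static enum map_status resolve_and_finish(struct map *target, bool take_ref)
{
	struct addr_location al = { .map = take_ref ? map__get(target) : target };
	/* ... hist entry work using al.map would happen here ... */
	return map__zput(&al.map);
}

/* create -> link -> consumer -> unlink, returning the first non-OK status:
 * balanced get/put gives MAP_OK; a put with no matching get is caught by the
 * exit check as MAP_STILL_LINKED. */
static enum map_status scenario(bool consumer_takes_ref)
{
	struct map_groups mg = { .nr = 0 };
	struct map *m = calloc(1, sizeof(*m));
	enum map_status s;
	if (!m) abort();
	m->refcnt = 1; /* the creator's reference */
	map_groups__insert(&mg, m);
	map__put(m); /* creator is done; the tree holds the only reference now */
	s = resolve_and_finish(m, consumer_takes_ref);
	if (s != MAP_OK) { /* perf has aborted by now; unlink and free so the model can re-run */
		map_groups__remove(&mg, m);
		free(m);
		return s;
	}
	return map_groups__remove(&mg, m); /* last reference: map freed here */
}

int main(void)
{
	printf("balanced get/put: status %d\n", scenario(true));
	printf("put without get:  status %d\n", scenario(false));
	return 0;
}
```

In the unbalanced run the consumer's put takes the refcount to zero while `linked` is still set, which is exactly the state the RB_EMPTY_NODE() check in perf's map__exit() rejects; the later remove then reports MAP_UNDERFLOW because the tree's own reference has already been consumed. A real-world reproducer has the same shape as the `perf top -F 10000 -g -d 0` run above, since short-lived processes make maps get unlinked and freed while callchain entries may still be holding them.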
