Message-ID: <20170102151514.GB21178@kernel.org>
Date: Mon, 2 Jan 2017 12:15:14 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Krister Johansen <kjlx@...pleofstupid.com>
Cc: Namhyung Kim <namhyung@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Frédéric Weisbecker <fweisbec@...il.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
On Wed, Dec 28, 2016 at 05:39:47PM -0800, Krister Johansen wrote:
> On Tue, Nov 22, 2016 at 04:01:06PM -0300, Arnaldo Carvalho de Melo wrote:
> > #include "evlist.h"
> > @@ -979,6 +980,7 @@ iter_finish_cumulative_entry(struct hist_entry_iter *iter,
> > {
> > zfree(&iter->priv);
> > iter->he = NULL;
> > + map__zput(al->map);
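Review bot: the added `map__zput(al->map)` in `iter_finish_cumulative_entry` releases a reference on the caller's `al->map` that nothing in this hunk takes with a matching `map__get()`, so it is only balanced if every path that fills `al->map` before the iterator runs already holds a reference of its own. The failure reported further down is the `map__exit` assertion on `RB_EMPTY_NODE(&map->rb_node)` (that is what `__rb_parent_color == (unsigned long)&rb_node` tests), i.e. a map reached refcount zero while still linked in an rbtree, which is the signature of one put too many rather than a missing one. Suggest pairing this put with an explicit get in the corresponding prepare/add path of the same iterator, or stating in the commit message where `al->map`'s reference is taken, so the ownership of `al->map` is not silently moved away from the caller.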
> As part of trying to tie up the year-end loose ends, I went back and
> re-tested a rebased version of this patch against perf/core. I ended
> up with a merge that's identical to yours, except that I'm not seeing
> any assertion failures with 'perf top -g', 'perf script', or 'perf
> report'. Was perf/core the branch that was giving you trouble?
Yeah, I just tested it with my tip/perf/core and got this:
0.00% 0.00% [kernel] [k] file_free_rcu
0.00% 0.00% [kernel] [k] timerqueue_del
0.00% 0.00% [kernel] [k] irq_work_run
0.00% 0.00% [kernel] [k] native_irq_return_iret
0.00% 0.00% [kernel] [k] native_sched_clock
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@...et 3.4]#
Tried it again with what is in Linus' tree + your patch and got the same
problem:
[acme@...et linux]$ git remote -v | grep torvalds.*fetch
torvalds git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git (fetch)
[acme@...et linux]$ git checkout -b test-branch torvalds/master
Branch test-branch set up to track remote branch master from torvalds.
Switched to a new branch 'test-branch'
[acme@...et linux]$ git cherry-pick f7347a33099dbad7e9fb3c22cea211f238bfd320
[test-branch 7d786f548b62] perf callchain: Fix a use after free crash due to refcounting bug
Author: Krister Johansen <kjlx@...pleofstupid.com>
Date: Mon Jan 2 12:06:55 2017 -0300
3 files changed, 19 insertions(+), 2 deletions(-)
[acme@...et linux]$ rm -rf /tmp/build/perf/ ; mkdir -p /tmp/build/perf ; make O=/tmp/build/perf -C tools/perf install-bin
make: Entering directory '/home/acme/git/linux/tools/perf'
BUILD: Doing 'make -j4' parallel build
HOSTCC /tmp/build/perf/fixdep.o
<SNIP>
Then I run it with a higher frequency and no delay in refreshing the screen, to
stress the refcounting code:
# perf top -F 10000 -g -d 0
Do it while running something like 'make -j32 allmodconfig' to create lots of
short-lived processes (or use stress-ng, etc.).
+ 0.79% 0.00% [kernel] [k] search_binary_handler
+ 0.79% 0.00% [kernel] [k] do_execveat_common.isra.37
+ 0.79% 0.00% [kernel] [k] sys_execve
+ 0.79% 0.00% [kernel] [k] do_syscall_64
perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
Aborted (core dumped)
[root@...et 3.4]#
- Arnaldo
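To make the assertion in the output above concrete, here is an added example that is not perf code: a small C model of a refcounted object kept in an owner's container (a doubly linked list standing in for perf's rbtree, using the same "an unlinked node points at itself" convention that RB_EMPTY_NODE() tests). The names map__zput, map_groups and addr_location only loosely mirror perf's and are assumptions for illustration, as is the "libc.so" map. run_sample() walks one sample and performs the finish-time put from the patch: when the addr_location holds its own reference the puts balance, and when it merely borrows the container's pointer the object reaches refcount zero while still linked, which is exactly what the map__exit assertion catches (perf aborts there; this model counts the violation and unlinks the node so the demonstration stays memory-safe).

```c
/* Constructed model of perf's map refcount invariant; not perf code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unlinked nodes point at themselves, mirroring RB_EMPTY_NODE(). */
struct node { struct node *prev, *next; };
static void node_clear(struct node *n) { n->prev = n->next = n; }
static bool node_empty(const struct node *n) { return n->prev == n; }

struct map {
    struct node rb_node;   /* must stay the first member (see map_groups__exit) */
    int refcnt;
    char name[16];
};

struct map_groups { struct node head; };   /* owner of linked maps */

/* Maps that hit refcount zero while still linked; perf aborts, we count. */
static int freed_while_linked;

static struct map *map__new(const char *name)
{
    struct map *m = calloc(1, sizeof(*m));
    node_clear(&m->rb_node);
    m->refcnt = 1;                         /* creator's reference */
    strncpy(m->name, name, sizeof(m->name) - 1);
    return m;
}

static struct map *map__get(struct map *m) { m->refcnt++; return m; }

static void node_unlink(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    node_clear(n);
}

/* Same check as perf's map__exit(): assert(RB_EMPTY_NODE(&map->rb_node)). */
static void map__exit(struct map *m)
{
    if (!node_empty(&m->rb_node)) {
        fprintf(stderr, "map__exit: %s still linked at refcnt 0\n", m->name);
        freed_while_linked++;
        node_unlink(&m->rb_node);          /* keep the owner's list walkable */
    }
}

static void map__put(struct map *m)
{
    if (m && --m->refcnt == 0) {
        map__exit(m);
        free(m);
    }
}
#define map__zput(p) do { map__put(p); (p) = NULL; } while (0)

static void map_groups__init(struct map_groups *mg) { node_clear(&mg->head); }

/* The container takes its own reference for as long as the map is linked. */
static void map_groups__insert(struct map_groups *mg, struct map *m)
{
    struct node *n = &m->rb_node;
    n->next = &mg->head;
    n->prev = mg->head.prev;
    mg->head.prev->next = n;
    mg->head.prev = n;
    map__get(m);
}

static void map_groups__exit(struct map_groups *mg)
{
    while (!node_empty(&mg->head)) {
        struct map *m = (struct map *)mg->head.next;   /* rb_node is first */
        node_unlink(&m->rb_node);
        map__put(m);
    }
}

/* Stand-in for addr_location: the map a sample resolved to. */
struct addr_location { struct map *map; };

/* Returns how many maps were freed while still linked (0 means balanced). */
static int run_sample(bool al_holds_reference)
{
    struct map_groups mg;
    struct addr_location al;
    struct map *m = map__new("libc.so");

    freed_while_linked = 0;
    map_groups__init(&mg);
    map_groups__insert(&mg, m);    /* refcnt 2: creator + container */
    map__put(m);                   /* creator done: refcnt 1, owned by mg */

    /* Resolving the sample either takes a reference for al or just borrows. */
    al.map = al_holds_reference ? map__get(m) : m;

    /* The finish-time cleanup from the patch: only balanced if al got a ref. */
    map__zput(al.map);

    map_groups__exit(&mg);         /* container drops its own reference */
    return freed_while_linked;
}

int main(void)
{
    printf("al holds a reference: %d map(s) freed while linked\n", run_sample(true));
    printf("al only borrows:      %d map(s) freed while linked\n", run_sample(false));
    return 0;
}
```

The borrowed case is the shape to look for when this assertion fires under a stress run like the one above: the extra put does not fail at the put site, it fails later, at whatever drop happens to take the count to zero while the container still thinks it owns the object.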