| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Jan 2017 16:39:04 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Krister Johansen <kjlx@...pleofstupid.com>
Cc: Namhyung Kim <namhyung@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Frédéric Weisbecker <fweisbec@...il.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
Em Mon, Jan 02, 2017 at 02:36:57PM -0300, Arnaldo Carvalho de Melo escreveu:
> Em Mon, Jan 02, 2017 at 02:35:30PM -0300, Arnaldo Carvalho de Melo escreveu:
> > Em Mon, Jan 02, 2017 at 12:15:14PM -0300, Arnaldo Carvalho de Melo escreveu:
> {
> zfree(&iter->priv);
> iter->he = NULL;
> + map__zput(al->map);
What this pairs to? I was expecting that since this is called via:
hist_entry_iter__add()
{
<SNIP>
err2 = iter->ops->finish_entry(iter, al);
}
Then it would have to match something done earlier in
hist_entry_iter__add(), most likely by some iter->ops->() method, but I
couldn'd find anything to that extent, can you clarify?
- Arnaldo
> return 0;
> }
>
> > perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
> >
> > Thread 1 "perf" received signal SIGABRT, Aborted.
> > 0x00007ffff522691f in raise () from /lib64/libc.so.6
> > (gdb) bt
> > #0 0x00007ffff522691f in raise () from /lib64/libc.so.6
> > #1 0x00007ffff522851a in abort () from /lib64/libc.so.6
> > #2 0x00007ffff521eda7 in __assert_fail_base () from /lib64/libc.so.6
> > #3 0x00007ffff521ee52 in __assert_fail () from /lib64/libc.so.6
> > #4 0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > #5 0x0000000000504ea5 in map__delete (map=0x2393790) at util/map.c:252
> > #6 0x0000000000504f0a in map__put (map=0x2393790) at util/map.c:259
> > #7 0x000000000052fa01 in __map__zput (map=0x7fffffff8230) at util/map.h:161
> > #8 0x000000000053295b in iter_finish_cumulative_entry (iter=0x7fffffff8260, al=0x7fffffff8220) at util/hist.c:983
> > #9 0x0000000000532b53 in hist_entry_iter__add (iter=0x7fffffff8260, al=0x7fffffff8220, max_stack_depth=127, arg=0x7fffffffa7b0) at util/hist.c:1059
> > #10 0x000000000044f5cf in perf_event__process_sample (tool=0x7fffffffa7b0, event=0x7ffff7e24578, evsel=0x21515d0, sample=0x7fffffff8410, machine=0x21b2bf8)
> > at builtin-top.c:774
> > #11 0x000000000044f8ee in perf_top__mmap_read_idx (top=0x7fffffffa7b0, idx=2) at builtin-top.c:840
> > #12 0x000000000044fa0d in perf_top__mmap_read (top=0x7fffffffa7b0) at builtin-top.c:857
> > #13 0x0000000000450080 in __cmd_top (top=0x7fffffffa7b0) at builtin-top.c:1002
> > #14 0x00000000004514e0 in cmd_top (argc=0, argv=0x7fffffffe130, prefix=0x0) at builtin-top.c:1330
> > #15 0x00000000004b5af5 in run_builtin (p=0xa0baf8 <commands+312>, argc=6, argv=0x7fffffffe130) at perf.c:358
> > #16 0x00000000004b5d62 in handle_internal_command (argc=6, argv=0x7fffffffe130) at perf.c:420
> > #17 0x00000000004b5ea7 in run_argv (argcp=0x7fffffffdf8c, argv=0x7fffffffdf80) at perf.c:466
> > #18 0x00000000004b6290 in main (argc=6, argv=0x7fffffffe130) at perf.c:610
> > (gdb) fr 4
> > #4 0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > 246 BUG_ON(!RB_EMPTY_NODE(&map->rb_node));
> > (gdb) p map
> > $1 = (struct map *) 0x2393790
> > (gdb) p *map
> > $2 = {{rb_node = {__rb_parent_color = 37304353, rb_right = 0x0, rb_left = 0x0}, node = {next = 0x2393821, prev = 0x0}}, start = 140434683187200,
> > end = 140434690723840, type = 0 '\000', erange_warned = false, priv = 0, prot = 5, flags = 2, pgoff = 0, reloc = 0, maj = 253, min = 0, ino = 132875,
> > ino_generation = 3472328296227680304, map_ip = 0x504125 <map__map_ip>, unmap_ip = 0x504174 <map__unmap_ip>, dso = 0x22b3890, groups = 0x2385290, refcnt = {
> > counter = 0}}
> > (gdb)
Powered by blists - more mailing lists