Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752651AbcJFGMO (ORCPT ); Thu, 6 Oct 2016 02:12:14 -0400 Received: from hapkido.dreamhost.com ([66.33.216.122]:40690 "EHLO hapkido.dreamhost.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752335AbcJFGMN (ORCPT ); Thu, 6 Oct 2016 02:12:13 -0400 Date: Wed, 5 Oct 2016 23:12:10 -0700 From: Krister Johansen To: Arnaldo Carvalho de Melo Cc: Krister Johansen , Masami Hiramatsu , Namhyung Kim , =?utf-8?B?RnLDqWTDqXJpYw==?= Weisbecker , linux-kernel@vger.kernel.org Subject: Re: callchain map refcounting fixes was Re: [PATCH perf/core] perf script: fix a use after free crash. Message-ID: <20161006061210.GB2525@templeofstupid.com> References: <20161002031336.GA2635@templeofstupid.com> <20161005114524.GY7143@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20161005114524.GY7143@kernel.org> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1924 Lines: 39 On Wed, Oct 05, 2016 at 08:45:24AM -0300, Arnaldo Carvalho de Melo wrote: > Em Sat, Oct 01, 2016 at 08:13:36PM -0700, Krister Johansen escreveu: > > If dso__load_kcore frees all of the existing maps, but one has already > > been attached to a callchain cursor node, then we can get a SIGSEGV in > > any function that happens to try to use this cursor with the invalid > > map. Use the existing map refcount mechanism to forestall cleanup of a > > map until the cursor iterates past the node. > > Seems ok, thanks for working on this! Can you provide a test case that > causes the SEGV so that I can, in addition to reviewing your changes and > auditing the code to check if all cases ara plugged, to reproduce the > problem? Absolutely. Thanks for taking the time to look it over. AFIACT, this occurs when you're probing a .ko with its own debug information, but when the kernel has none. The kernel and all of the in-tree modules were built through an RPM build that strips out debuginfo into a separate package. On this particular system, the kernel debuginfo packages were not installed. However, I had recently changed a dkms build of an external module to use -g and to not strip. We had one lonely .ko with all of its debug information inside, and a kernel that perf was going to need to use kallsyms. I was able to insert the kprobe into the module and record events. It was just script and report that caused the core. It should be possible to reproduce this by running script against a trace that was recorded from kprobes in a module that has debug inforation, but while running a kernel that does not. I didn't specify any special options for lookup of vmlinux. I just let the tool figure it out. If you think it'd be useful, I can send along the notes that I took when I debugged this. They're about 15k, which is why I would hesitate to send it to the entire list unsolicited. Thanks again, -K