Date: Thu, 9 Aug 2018 09:39:45 +0200
From: Jiri Olsa
To: Stephane Eranian
Cc: LKML, Arnaldo Carvalho de Melo, Peter Zijlstra, mingo@elte.hu
Subject: Re: [PATCH] perf ordered_events: fix crash in free_dup_event()
Message-ID: <20180809073945.GA19243@krava>
References: <1533605015-19514-1-git-send-email-eranian@google.com> <20180807072029.GA7716@krava> <20180807085010.GC7716@krava> <20180808082347.GB20320@krava>
List-ID: linux-kernel@vger.kernel.org

On Wed, Aug 08, 2018 at 02:47:42PM -0700, Stephane Eranian wrote:
> Hi,
>
> Ok, I found the problem. It still exists upstream, just very tricky to trigger.
> Took me lots of time with gdb + watchpoints to track this down, where
> in fact it was just in front of me.
>
> From the crashdump:
>
>   Program received signal SIGSEGV, Segmentation fault.
>   free_dup_event (oe=0x26a39a0, event=0xffffffff00000000)
>
> I was puzzled by the 0xffffffff00000000. I tracked down where this
> value was coming from using watchpoints. In my case the memory was
> used before by elfutils to back the struct Elf. The -1 in the upper
> bits came from:
>
>   file_read_elf () at third_party/elfutils/libelf/elf_begin.c:451
>   elf->state.elf64.scns.data[cnt].shndx_index = -1;
>
> And yet the next access to that memory location was in the crash. That
> meant the memory was released by elfutils and reused by ordered_events,
> yet without any initialization. But looking at alloc_event(), it was
> not obvious to figure out how a new_event->event could be uninitialized.
>
> Well, it turns out there is this little hack where the code commandeers
> the first element in the oe->buffer to use as a list_head for the
> oe->to_free freelist. The problem is that this entry also gets freed,
> but its event->event field is NEVER initialized. So depending on how
> the memory was previously used, you could get a non-NULL value and
> crash in free_dup_event(). This is what happened to me. I am glad I
> pursued this further because the bug is still in the upstream version.
> The patch is a one-liner fixing the initialization of the
> event->event = NULL. For the other elements in the list, the
> initialization is already done at the end of alloc_event().
>
> I will send the patch separately.

nice ;-)

thanks
jirka
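The freelist hack Stephane describes, modelled as an added C example that is not perf's code nor from either author: element 0 of a freshly allocated buffer is commandeered as the to_free list node, the other elements get their event pointer cleared, and teardown then walks every element including the one that was never initialised. All names (ordered_event, alloc_buffer, count_garbage_events, garbage_after_alloc) are assumptions; the 0xff fill stands in for whatever a previous owner of the memory left behind, like the -1 in the mail.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ordered_events freelist hack; names are
 * assumptions, not perf's own identifiers. */
struct ordered_event {
    struct ordered_event *next;  /* list linkage; element 0 is used as the list node */
    void *event;                 /* duplicated event to release in teardown, or NULL */
};

#define BUF_EVENTS 4

/* Allocate one buffer of BUF_EVENTS entries. Element 0 becomes the
 * to_free list node; elements 1.. are initialised the way the mail says
 * alloc_event() does. `fill` simulates bytes left by the memory's previous
 * owner (elfutils in the report). With fixed == 0 element 0's event
 * pointer is left untouched, which is the bug. */
static struct ordered_event *alloc_buffer(int fixed, unsigned char fill)
{
    struct ordered_event *buf = malloc(BUF_EVENTS * sizeof(*buf));
    if (!buf)
        return NULL;
    memset(buf, fill, BUF_EVENTS * sizeof(*buf));  /* recycled, non-zero memory */
    buf[0].next = NULL;
    for (size_t i = 1; i < BUF_EVENTS; i++) {
        buf[i].next = NULL;
        buf[i].event = NULL;  /* done at the end of alloc_event() */
    }
    if (fixed)
        buf[0].event = NULL;  /* the one-line fix from the mail */
    return buf;
}

/* Teardown visits every entry, list node included, and would hand each
 * event pointer to free_dup_event(). Freeing garbage is exactly the
 * reported SIGSEGV, so instead count entries whose event pointer is
 * non-NULL although nothing was ever attached to them. */
static int count_garbage_events(const struct ordered_event *buf)
{
    int garbage = 0;
    for (size_t i = 0; i < BUF_EVENTS; i++)
        if (buf[i].event != NULL)
            garbage++;
    return garbage;
}

/* Garbage-pointer count for a buffer built without (0) or with (1) the fix. */
int garbage_after_alloc(int fixed)
{
    struct ordered_event *buf = alloc_buffer(fixed, 0xff);
    if (!buf)
        return -1;
    int n = count_garbage_events(buf);
    free(buf);
    return n;
}
```

Without the fix the single stale pointer sits in element 0, the commandeered list node; an ASan or Valgrind run of the real teardown would flag that free as an invalid pointer before it turns into a crash.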