Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2050192ybi; Thu, 4 Jul 2019 04:22:52 -0700 (PDT) X-Google-Smtp-Source: APXvYqyHj9JshugbWxPGfy0WJjXD6gofGfOQxTRQLUUcT0rCniCNiXSLL3dR8oolHxqVtdW/7UoT X-Received: by 2002:a65:454c:: with SMTP id x12mr43031468pgr.354.1562239372197; Thu, 04 Jul 2019 04:22:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562239372; cv=none; d=google.com; s=arc-20160816; b=mBLNxgTKRvcPeoFzIPpLLmayAHRy66LqL3ore8ZcpkfdqWwHUKbN4Il96z2oQ+Lbe8 6v9IVsLmGNqNEyDg1QUUkuJyunyWM252ciZbHUdXt3Sy0SA+1xmFQvMf4uVAhSfWEBkL 64WxfSqujP62VnZT/pa+W9qYfJzeJaFRVHC+NwWteTd+KLUp/4jPPza7ZFt9lv0bIl23 nZT1LVuDVqhY7OQ/KStR/oMtEE2HVX/cHS3f+z1YBDLA6knul1scE3xn5RIvVI+YTmaV ApdIDMSRSGgjpQb4+A7dbscGmTOIAXG5HqURVB++XbUtlZUzcocbrfLBqClsPngWkTAc FLDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=reYd7PJFWqa/jmOOXjSeI2vlGtNg8YFzVzHtqy9Atbg=; b=cahfHsieiVSG1Hcthf5DJTmTgoBaYNFLPQ9fax2lPBTrNoY4/oxfRXiTZ8861eBrSl s/pi8AtODV1g/uZ+mjqv4RcvurEWhvrpFRXnyKCvmNLw3QZvA9/oAdezXIBfv3pAhxFu uFngHPMpHoJ617WR7WXVdHmtJYY5pjx50JWTbM7weU+Qr4bG4B6YxOlRdDwHbwz0N0Jr XO1ImPzOfAepMUAmuj+6XbND7TKrgLJBrNoc58dg5bB/VFYl7x0nhVrr4q8mDoDhx8/v qn2/PMmqZobLOZWeneJ6vkA5pvq8TgWqf26+aAZHfazUAjOtU1ONmTXnKiiBTroeDSAN 1TXQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h12si4684919pjt.4.2019.07.04.04.22.37; Thu, 04 Jul 2019 04:22:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727577AbfGDLVm (ORCPT + 99 others); Thu, 4 Jul 2019 07:21:42 -0400 Received: from szxga01-in.huawei.com ([45.249.212.187]:2965 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727436AbfGDLVl (ORCPT ); Thu, 4 Jul 2019 07:21:41 -0400 Received: from DGGEMM402-HUB.china.huawei.com (unknown [172.30.72.53]) by Forcepoint Email with ESMTP id 0C9124EBB6BABD9ABB88; Thu, 4 Jul 2019 19:21:40 +0800 (CST) Received: from dggeme754-chm.china.huawei.com (10.3.19.100) by DGGEMM402-HUB.china.huawei.com (10.3.20.210) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 4 Jul 2019 19:21:39 +0800 Received: from [127.0.0.1] (10.184.212.80) by dggeme754-chm.china.huawei.com (10.3.19.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Thu, 4 Jul 2019 19:21:38 +0800 Subject: Re: [PATCH v2] fix use-after-free in perf_sched__lat To: Arnaldo Carvalho de Melo CC: Namhyung Kim , Alexander Shishkin , Peter Zijlstra , Ingo Molnar , Jiri Olsa , , References: <20190508143648.8153-1-liwei391@huawei.com> <20190522065555.GA206606@google.com> <20190522110823.GR8945@kernel.org> <20190523025011.GC196218@google.com> From: "liwei (GF)" Message-ID: Date: Thu, 4 Jul 2019 19:21:28 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <20190523025011.GC196218@google.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.184.212.80] X-ClientProxiedBy: dggeme708-chm.china.huawei.com (10.1.199.104) To dggeme754-chm.china.huawei.com (10.3.19.100) X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Arnaldo, I found this issue has not been fixed in mainline now, please take a glance at this. On 2019/5/23 10:50, Namhyung Kim wrote: > On Wed, May 22, 2019 at 08:08:23AM -0300, Arnaldo Carvalho de Melo wrote: >> Em Wed, May 22, 2019 at 03:56:10PM +0900, Namhyung Kim escreveu: >>> On Wed, May 08, 2019 at 10:36:48PM +0800, Wei Li wrote: >>>> After thread is added to machine->threads[i].dead in >>>> __machine__remove_thread, the machine->threads[i].dead is freed >>>> when calling free(session) in perf_session__delete(). So it get a >>>> Segmentation fault when accessing it in thread__put(). >>>> >>>> In this patch, we delay the perf_session__delete until all threads >>>> have been deleted. >>>> >>>> This can be reproduced by following steps: >>>> ulimit -c unlimited >>>> export MALLOC_MMAP_THRESHOLD_=0 >>>> perf sched record sleep 10 >>>> perf sched latency --sort max >>>> Segmentation fault (core dumped) >>>> >>>> Signed-off-by: Zhipeng Xie >>>> Signed-off-by: Wei Li >>> >>> Acked-by: Namhyung Kim >> >> I'll try to analyse this one soon, but my first impression was that we >> should just grab reference counts when keeping a pointer to those >> threads instead of keeping _all_ threads alive when supposedly we could >> trow away unreferenced data structures. >> >> But this is just a first impression from just reading the patch >> description, probably I'm missing something. > > No, thread refcounting is fine. We already did it and threads with the > refcount will be accessed only. > > But the problem is the head of the list. After using the thread, the > refcount is gone and thread is removed from the list and destroyed. > However the head of list is in a struct machine which was freed with > session already. > > Thanks, > Namhyung > > >> >> Thanks for providing instructions on readily triggering the segfault. >> >> - Arnaldo > > . > Thanks, Wei