Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp503470rwb; Fri, 13 Jan 2023 00:04:25 -0800 (PST) X-Google-Smtp-Source: AMrXdXswZcwZb+aBpZtcqA5LMjmTQvPAama6PQCVheGbKScmevnzEl7ny1HrDdL+s1I9RipCzMXR X-Received: by 2002:a05:6a20:d39b:b0:af:7e01:706 with SMTP id iq27-20020a056a20d39b00b000af7e010706mr92855106pzb.52.1673597065402; Fri, 13 Jan 2023 00:04:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673597065; cv=none; d=google.com; s=arc-20160816; b=tVRMVLV31vP/C8jg3g7CyyF5owojOal2dsKn1myeEV1jlJdEtnfRJIY6wLD4Aq71U7 KGBXEQRDyMrmEoBzzDQwrrUML72pDXLcEKYKT4VJ1sYpT1ellBN1ZAVa7Kol81Fgiifo ajcxX836h4mirymxmME9YZat3R8g+IFSIciRL4/9ozQy4VWqDqFwcQlT1HjOwTm2MBfn Htv99CVwoFPmonKU7fQOTxBgsr0/ZU8q3fBS/ftoRjSXWvWcSn21yMw3cZgH9uHup7Kn t/NYWvx6NO1mZQ3enTOWtWO9bKbrYbiZmxlCnJ0IVsMNWA71HznixE/CUHZ0FxsZXhFu qU9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=erWTipeXDksA8+N9fJWXC7YFcwEz05AcWnbk7HuNpN8=; b=j6hq3hPpCCGLqRzAH54etaxs3V2paILqsqzpjFCrRGHnvfsllSbC9EHp/79o94SRuV N7vkgoA7bue2RvAskKzrL65jqSjyb8VxFOAnHnJ3CW0Z1MvNTuk0vM2xQu0ZUkeYXRQn eyx+bs6QWoBG6dXwtt7TpzHKWOJY7BYpYmbvI4MSiNMVRES9o+hf+86uOEyKTeX/svPY 2VQzJ2MUt/Yx5HuuQKfcTfHeD91b4ZQQfvQ7Kj4bsmvoE+mN8kB4z0QKFVMtYrOgcmJa M4mDTSawXfrVMn2vVmaoabs723GVU58BLQKAabf5a8ycguWUmsAMUdSpSOwxAnfoO/cC oPjg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g4-20020a636b04000000b0049de6ef731bsi19580848pgc.340.2023.01.13.00.04.19; Fri, 13 Jan 2023 00:04:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232913AbjAMHkm (ORCPT + 50 others); Fri, 13 Jan 2023 02:40:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34610 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230473AbjAMHkj (ORCPT ); Fri, 13 Jan 2023 02:40:39 -0500 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46690264; Thu, 12 Jan 2023 23:40:37 -0800 (PST) Received: from kwepemm600003.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NtYFX5BBNznTWg; Fri, 13 Jan 2023 15:38:56 +0800 (CST) Received: from localhost.localdomain (10.67.174.95) by kwepemm600003.china.huawei.com (7.193.23.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Fri, 13 Jan 2023 15:40:34 +0800 From: Yang Jihong To: , , , , , , , , , CC: Subject: [PATCH v3] perf record: Fix segfault with --overwrite and --max-size Date: Fri, 13 Jan 2023 07:38:03 +0000 Message-ID: <20230113073803.102950-1-yangjihong1@huawei.com> X-Mailer: git-send-email 2.30.GIT MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.67.174.95] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To kwepemm600003.china.huawei.com (7.193.23.202) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When --overwrite and --max-size options of perf record are used together, a segmentation fault occurs. The following is an example: # perf record -e sched:sched* --overwrite --max-size 1K -a -- sleep 1 [ perf record: Woken up 1 times to write data ] perf: Segmentation fault Obtained 12 stack frames. ./perf/perf(+0x197673) [0x55f99710b673] /lib/x86_64-linux-gnu/libc.so.6(+0x3ef0f) [0x7fa45f3cff0f] ./perf/perf(+0x8eb40) [0x55f997002b40] ./perf/perf(+0x1f6882) [0x55f99716a882] ./perf/perf(+0x794c2) [0x55f996fed4c2] ./perf/perf(+0x7b7c7) [0x55f996fef7c7] ./perf/perf(+0x9074b) [0x55f99700474b] ./perf/perf(+0x12e23c) [0x55f9970a223c] ./perf/perf(+0x12e54a) [0x55f9970a254a] ./perf/perf(+0x7db60) [0x55f996ff1b60] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fa45f3b2c86] ./perf/perf(+0x7dfe9) [0x55f996ff1fe9] Segmentation fault (core dumped) backtrace of the core file is as follows: (gdb) bt #0 record__bytes_written (rec=0x55f99755a200 ) at builtin-record.c:234 #1 record__output_max_size_exceeded (rec=0x55f99755a200 ) at builtin-record.c:242 #2 record__write (map=0x0, size=12816, bf=0x55f9978da2e0, rec=0x55f99755a200 ) at builtin-record.c:263 #3 process_synthesized_event (tool=tool@entry=0x55f99755a200 , event=event@entry=0x55f9978da2e0, sample=sample@entry=0x0, machine=machine@entry=0x55f997893658) at builtin-record.c:618 #4 0x000055f99716a883 in __perf_event__synthesize_id_index (tool=tool@entry=0x55f99755a200 , process=process@entry=0x55f997002aa0 , evlist=0x55f9978928b0, machine=machine@entry=0x55f997893658, from=from@entry=0) at util/synthetic-events.c:1895 #5 0x000055f99716a91f in perf_event__synthesize_id_index (tool=tool@entry=0x55f99755a200 , process=process@entry=0x55f997002aa0 , evlist=, machine=machine@entry=0x55f997893658) at util/synthetic-events.c:1905 #6 0x000055f996fed4c3 in record__synthesize (tail=tail@entry=true, rec=0x55f99755a200 ) at builtin-record.c:1997 #7 0x000055f996fef7c8 in __cmd_record (argc=argc@entry=2, argv=argv@entry=0x7ffc67551260, rec=0x55f99755a200 ) at builtin-record.c:2802 #8 0x000055f99700474c in cmd_record (argc=, argv=0x7ffc67551260) at builtin-record.c:4258 #9 0x000055f9970a223d in run_builtin (p=0x55f997564d88 , argc=10, argv=0x7ffc67551260) at perf.c:330 #10 0x000055f9970a254b in handle_internal_command (argc=10, argv=0x7ffc67551260) at perf.c:384 #11 0x000055f996ff1b61 in run_argv (argcp=, argv=) at perf.c:428 #12 main (argc=, argv=0x7ffc67551260) at perf.c:562 The reason is that record__bytes_written accesses the freed memory rec->thread_data, The process is as follows: __cmd_record -> record__free_thread_data -> zfree(&rec->thread_data) // free rec->thread_data -> record__synthesize -> perf_event__synthesize_id_index -> process_synthesized_event -> record__write -> record__bytes_written // access rec->thread_data We add a member variable "thread_bytes_written" in the struct "record" to save the data size written by the threads. Fixes: 6d57581659f7 ("perf record: Add support for limit perf output file size") Signed-off-by: Yang Jihong --- Changes since v2: - Save data size written by threads to calculate the correct total data size. - Update commit message. Changes since v1: - Add variable check in record__bytes_written for code hardening. - Save bytes_written separately to reduce one calculation. - Remove rec->opts.tail_synthesize check. tools/perf/builtin-record.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c index 29dcd454b8e2..8374117e66f6 100644 --- a/tools/perf/builtin-record.c +++ b/tools/perf/builtin-record.c @@ -154,6 +154,7 @@ struct record { struct perf_tool tool; struct record_opts opts; u64 bytes_written; + u64 thread_bytes_written; struct perf_data data; struct auxtrace_record *itr; struct evlist *evlist; @@ -226,14 +227,7 @@ static bool switch_output_time(struct record *rec) static u64 record__bytes_written(struct record *rec) { - int t; - u64 bytes_written = rec->bytes_written; - struct record_thread *thread_data = rec->thread_data; - - for (t = 0; t < rec->nr_threads; t++) - bytes_written += thread_data[t].bytes_written; - - return bytes_written; + return rec->bytes_written + rec->thread_bytes_written; } static bool record__output_max_size_exceeded(struct record *rec) @@ -255,10 +249,12 @@ static int record__write(struct record *rec, struct mmap *map __maybe_unused, return -1; } - if (map && map->file) + if (map && map->file) { thread->bytes_written += size; - else + rec->thread_bytes_written += size; + } else { rec->bytes_written += size; + } if (record__output_max_size_exceeded(rec) && !done) { fprintf(stderr, "[ perf record: perf size limit reached (%" PRIu64 " KB)," -- 2.30.GIT