All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jiri Olsa <jolsa@redhat.com>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	lkml <linux-kernel@vger.kernel.org>,
	Ingo Molnar <mingo@kernel.org>, David Ahern <dsahern@gmail.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Kan Liang <kan.liang@intel.com>, Andi Kleen <ak@linux.intel.com>,
	Lukasz Odzioba <lukasz.odzioba@intel.com>,
	Wang Nan <wangnan0@huawei.com>,
	kernel-team@lge.com
Subject: Re: [PATCH 1/4] perf tools: Fix struct comm_str removal crash
Date: Wed, 18 Jul 2018 12:44:08 +0200	[thread overview]
Message-ID: <20180718104408.GA15068@krava> (raw)
In-Reply-To: <20180717090245.GB8631@krava>

On Tue, Jul 17, 2018 at 11:02:45AM +0200, Jiri Olsa wrote:

SNIP

> +/*
> + * Pure refs increase without any chec/warn.
> + */
> +static inline void refcount_inc_no_warn(refcount_t *r)
> +{
> +	atomic_inc(&r->refs);
> +}
> +
>  /*
>   * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
>   * decrement when saturated at UINT_MAX.
> diff --git a/tools/perf/util/comm.c b/tools/perf/util/comm.c
> index 7798a2cc8a86..a2e338cf29d7 100644
> --- a/tools/perf/util/comm.c
> +++ b/tools/perf/util/comm.c
> @@ -21,7 +21,7 @@ static struct rw_semaphore comm_str_lock = {.lock = PTHREAD_RWLOCK_INITIALIZER,}
>  static struct comm_str *comm_str__get(struct comm_str *cs)
>  {
>  	if (cs)
> -		refcount_inc(&cs->refcnt);
> +		refcount_inc_no_warn(&cs->refcnt);
>  	return cs;
>  }
>  
> @@ -29,10 +29,12 @@ static void comm_str__put(struct comm_str *cs)
>  {
>  	if (cs && refcount_dec_and_test(&cs->refcnt)) {
>  		down_write(&comm_str_lock);
> -		rb_erase(&cs->rb_node, &comm_str_root);
> +		if (refcount_read(&cs->refcnt) == 0) {
> +			rb_erase(&cs->rb_node, &comm_str_root);
> +			zfree(&cs->str);
> +			free(cs);
> +		}
>  		up_write(&comm_str_lock);
> -		zfree(&cs->str);
> -		free(cs);
>  	}
>  }
>  

I'm still getting crashes with this code, there's another race
in comm_str__put, consider following paths (with 'cs' struct comm_str data):

thread 0:
  ...
  comm_str__put
    refcount_dec_and_test(&cs->refcnt) == true
    down_write(&comm_str_lock);
--> cs->refcnt == 0, but we are blocked and waiting for the lock to remove cs, and meanwhile:

	thread 1:
	  ...
	  __comm_str__findnew(...
	    comm_str__get(cs)
----------> cs->refcnt == 1

	thread 2:
	  ...
	  comm_str__put
	    refcount_dec_and_test(&cs->refcnt) == true
----------> cs->refcnt == 0, thread 2 gets the lock and removes cs
	  ...


thread 0:
  ...
--> comm_str__put gets the lock and removes 'cs' which aborts with double free


we don't have this problem if we ignore objects that dropped to
refcnt == 0, which was what my previous change was doing

jirka

  reply	other threads:[~2018-07-18 10:44 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-12 14:20 [PATCH 0/4] perf tools: Fix top crashes Jiri Olsa
2018-07-12 14:20 ` [PATCH 1/4] perf tools: Fix struct comm_str removal crash Jiri Olsa
2018-07-15 13:08   ` Namhyung Kim
2018-07-16 10:29     ` Jiri Olsa
2018-07-17  1:49       ` Namhyung Kim
2018-07-17  9:02         ` Jiri Olsa
2018-07-18 10:44           ` Jiri Olsa [this message]
2018-07-12 14:20 ` [PATCH 2/4] perf tools: Add threads__get_last_match function Jiri Olsa
2018-07-22  7:53   ` [lkp-robot] [perf tools] 600b7378cf: perf-sanity-tests.Share_thread_mg.fail kernel test robot
2018-07-22  7:53     ` kernel test robot
2018-07-23  6:59     ` Jiri Olsa
2018-07-23  6:59       ` Jiri Olsa
2018-07-12 14:20 ` [PATCH 3/4] perf tools: Add threads__set_last_match function Jiri Olsa
2018-07-12 14:20 ` [PATCH 4/4] perf tools: Use last_match threads cache only in single thread mode Jiri Olsa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180718104408.GA15068@krava \
    --to=jolsa@redhat.com \
    --cc=a.p.zijlstra@chello.nl \
    --cc=acme@kernel.org \
    --cc=ak@linux.intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=dsahern@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kan.liang@intel.com \
    --cc=kernel-team@lge.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lukasz.odzioba@intel.com \
    --cc=mingo@kernel.org \
    --cc=namhyung@kernel.org \
    --cc=wangnan0@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.