Re: [PATCH 2/2] perf tools: Fix fault in error patch of intel_pt_process_auxtrace_info()

[Adrian Hunter <adrian.hunter@intel.com>]

This patch does not fix the problem because the thread__zput() will still
segfault later if the error path is not taken.

Sorry, I didn't look closely at this patch because I was not expecting it
to be taken because of the fix I had already sent:

	http://marc.info/?l=linux-kernel&m=145431692623940

However if you want to keep the struct thread rbtree / list union, the
simple fix would be to reinstate the list initialization in this particular
case i.e.:


diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
index 81a2eb7..18245b8 100644
--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -2068,6 +2068,7 @@ int intel_pt_process_auxtrace_info(union perf_event
                err = -ENOMEM;
                goto err_free_queues;
        }
+       INIT_LIST_HEAD(&pt->unknown_thread->node);
        err = thread__set_comm(pt->unknown_thread, "unknown", 0);
        if (err)
                goto err_delete_thread;



On 01/02/16 19:13, Arnaldo Carvalho de Melo wrote:
> From: Wang Nan <wangnan0@huawei.com>
> 
> In error processing path of intel_pt_process_auxtrace_info() it calls
> thread__zput() to clean and free pt->unknown_thread which is created by
> thread__new(). However, when error raise, a segfault happen:
> 
>   # perf record -I -e intel_pt/tsc=1,noretcomp=1/u /bin/ls
>   0  a  anaconda-ks.cfg  bin   perf.data	perf.data.old  perf-f23-bringup.todo
>   [ perf record: Woken up 1 times to write data ]
>   [ perf record: Captured and wrote 0.217 MB perf.data ]
>   #
>   # perf script -F event,comm,pid,tid,time,addr,ip,sym,dso,iregs
>   Samples for 'instructions:u' event do not have IREGS attribute set. Cannot print 'iregs' field.
>   intel_pt_synth_events: failed to synthesize 'instructions' event type
>   Segmentation fault (core dumped)
>   #
> 
> The problem is: there's a union in 'struct thread' combines a list_head
> and a rb_node. The standard life cycle of a thread is: init rb_node during
> creating, inserted into machine->threads rbtree uses rb_node, move to
> machine->dead_threads using list_head, clean by thread__put:
> list_del_init(&thread->node).
> 
> In the above command, it clean a thread before adding it into list,
> causes the above segfault.
> 
> This patch gives a fake list_head and link the thread into it before
> calling thread__zput(), get rid of the segfault.
> 
> After this patch:
> 
>   # perf script -F event,comm,pid,tid,time,addr,ip,sym,dso,iregs
>   Samples for 'instructions:u' event do not have IREGS attribute set. Cannot print 'iregs' field.
>   intel_pt_synth_events: failed to synthesize 'instructions' event type
>   0x248 [0x88]: failed to process type: 70
>   #
> 
> Reported-by: Tong Zhang <ztong@vt.edu>
> Signed-off-by: Wang Nan <wangnan0@huawei.com>
> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Adrian Hunter <adrian.hunter@intel.com>
> Cc: Josh Poimboeuf <jpoimboe@redhat.com>
> Link: http://lkml.kernel.org/r/1454296865-19749-1-git-send-email-wangnan0@huawei.com
> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> ---
>  tools/perf/util/intel-pt.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
> index 81a2eb77ba7f..e2add6376fec 100644
> --- a/tools/perf/util/intel-pt.c
> +++ b/tools/perf/util/intel-pt.c
> @@ -2013,6 +2013,7 @@ int intel_pt_process_auxtrace_info(union perf_event *event,
>  	struct auxtrace_info_event *auxtrace_info = &event->auxtrace_info;
>  	size_t min_sz = sizeof(u64) * INTEL_PT_PER_CPU_MMAPS;
>  	struct intel_pt *pt;
> +	struct list_head dead_thread;
>  	int err;
>  
>  	if (auxtrace_info->header.size < sizeof(struct auxtrace_info_event) +
> @@ -2153,6 +2154,9 @@ int intel_pt_process_auxtrace_info(union perf_event *event,
>  	return 0;
>  
>  err_delete_thread:
> +	RB_CLEAR_NODE(&pt->unknown_thread->rb_node);
> +	INIT_LIST_HEAD(&dead_thread);
> +	list_add(&pt->unknown_thread->node, &dead_thread);
>  	thread__zput(pt->unknown_thread);
>  err_free_queues:
>  	intel_pt_log_disable();
>