Re: callchain map refcounting fixes was Re: [PATCH perf/core] perf script: fix a use after free crash.

From: Krister Johansen
Date: Thu Oct 06 2016 - 02:13:46 EST

On Wed, Oct 05, 2016 at 08:45:24AM -0300, Arnaldo Carvalho de Melo wrote:
> Em Sat, Oct 01, 2016 at 08:13:36PM -0700, Krister Johansen escreveu:
> > If dso__load_kcore frees all of the existing maps, but one has already
> > been attached to a callchain cursor node, then we can get a SIGSEGV in
> > any function that happens to try to use this cursor with the invalid
> > map. Use the existing map refcount mechanism to forestall cleanup of a
> > map until the cursor iterates past the node.
> Seems ok, thanks for working on this! Can you provide a test case that
> causes the SEGV so that I can, in addition to reviewing your changes and
> auditing the code to check if all cases ara plugged, to reproduce the
> problem?

Absolutely. Thanks for taking the time to look it over.

AFIACT, this occurs when you're probing a .ko with its own debug
information, but when the kernel has none. The kernel and all of the
in-tree modules were built through an RPM build that strips out
debuginfo into a separate package. On this particular system, the
kernel debuginfo packages were not installed. However, I had recently
changed a dkms build of an external module to use -g and to not strip.
We had one lonely .ko with all of its debug information inside, and a
kernel that perf was going to need to use kallsyms. I was able to
insert the kprobe into the module and record events. It was just script
and report that caused the core.

It should be possible to reproduce this by running script against a
trace that was recorded from kprobes in a module that has debug
inforation, but while running a kernel that does not. I didn't specify
any special options for lookup of vmlinux. I just let the tool figure
it out.

If you think it'd be useful, I can send along the notes that I took when
I debugged this. They're about 15k, which is why I would hesitate to
send it to the entire list unsolicited.

Thanks again,