On Tue, 7 Jun 2016 03:54:38 +0000
Wang Nan <wangn...@huawei.com> wrote:
> build_id_cache__kallsyms_path() accept string buffer but also alloc buffer
> by itself using asnprintf. Unfortunately, the only user of it passes it
> a stack-allocated buffer. Freeing it causes crash like this:
>
> $ perf script
> *** Error in `/home/wangnan/perf': free(): invalid pointer:
> 0x00007fffffff9630 ***
> ======= Backtrace: =========
> lib64/libc.so.6(+0x6eeef)[0x7ffff5dbaeef]
> lib64/libc.so.6(+0x78cae)[0x7ffff5dc4cae]
> lib64/libc.so.6(+0x79987)[0x7ffff5dc5987]
> /home/w00229757/perf(build_id_cache__kallsyms_path+0x6b)[0x49681b]
> /home/w00229757/perf[0x4bdd40]
> /home/w00229757/perf(dso__load+0xa3a)[0x4c048a]
> /home/w00229757/perf(map__load+0x6f)[0x4d561f]
> /home/w00229757/perf(thread__find_addr_map+0x235)[0x49e935]
> /home/w00229757/perf(machine__resolve+0x7d)[0x49ec6d]
> /home/w00229757/perf[0x4555a8]
> /home/w00229757/perf[0x4d9507]
> /home/w00229757/perf[0x4d9e80]
> /home/w00229757/perf(ordered_events__flush+0x354)[0x4dd444]
> /home/w00229757/perf(perf_session__process_events+0x3d0)[0x4dc140]
> /home/w00229757/perf(cmd_script+0x12b0)[0x4592e0]
> /home/w00229757/perf[0x4911f1]
> /home/w00229757/perf(main+0x68f)[0x4352ef]
> /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff5d6dbd5]
> /home/w00229757/perf[0x435415]
> ======= Memory map: ========
>
> This patch simplify build_id_cache__kallsyms_path(), don't even consider
> allocate string buffer, so never free anything. The caller of it should
> management memory allocation.
>
> Signed-off-by: Wang Nan <wangn...@huawei.com>
> Cc: Masami Hiramatsu <mhira...@kernel.org>
> Cc: Arnaldo Carvalho de Melo <a...@redhat.com>
> Fixes: 01412261d994 ("perf buildid-cache: Use path/to/bin/buildid/elf instead
> of path/to/bin/buildid")
> ---
> tools/perf/util/build-id.c | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
> index 67f986c..20aef90 100644
> --- a/tools/perf/util/build-id.c
> +++ b/tools/perf/util/build-id.c
> @@ -147,20 +147,17 @@ static int asnprintf(char **strp, size_t size, const
> char *fmt, ...)
> char *build_id_cache__kallsyms_path(const char *sbuild_id, char *bf,
> size_t size)
> {
> - bool is_alloc = !!bf;
Oops, I think this is the reason why it failed.
is_alloc should be !bf (means allocation needed)
> bool retry_old = true;
>
> - asnprintf(&bf, size, "%s/%s/%s/kallsyms",
> - buildid_dir, DSO__NAME_KALLSYMS, sbuild_id);
> + snprintf(bf, size, "%s/%s/%s/kallsyms",
> + buildid_dir, DSO__NAME_KALLSYMS, sbuild_id);
> retry:
> if (!access(bf, F_OK))
> return bf;
> - if (is_alloc)
> - free(bf);
Then, it works well.
Thanks,
> if (retry_old) {
> /* Try old style kallsyms cache */
> - asnprintf(&bf, size, "%s/%s/%s",
> - buildid_dir, DSO__NAME_KALLSYMS, sbuild_id);
> + snprintf(bf, size, "%s/%s/%s",
> + buildid_dir, DSO__NAME_KALLSYMS, sbuild_id);
> retry_old = false;
> goto retry;
> }
> --
> 1.8.3.4
>
--
Masami Hiramatsu <mhira...@kernel.org>
