[Bug 1835940] [NEW] perf core dump at tool/perf/util/namespaces.c:144
Qin Li
1835940 at bugs.launchpad.net
Tue Jul 9 18:33:36 UTC 2019
Public bug reported:
Running the following perf collect inside a running docker could
potentially crash:
$ perf record -F 100 -ag -o /tmp/perf-100Hz-10s -- sleep 10
The dump is caused by a SIGSEGV from dereferencing a nullptr in
nsinfo__copy() at namespaces.c:144:
$ lldb -c /tmp/cores/perf.core.07092019
(lldb) target create --core "/tmp/cores/perf.core.07092019"
Core file '/tmp/cores/perf.core.07092019' (x86_64) was loaded.
(lldb) bt
* thread #1, name = 'perf', stop reason = signal SIGSEGV
* frame #0: 0x0000558f2dda2014 perf`nsinfo__copy(nsi=0x0000000000000000) at namespaces.c:144
frame #1: 0x0000558f2dd98779 perf`map__new(machine=0x0000558f31213c48, start=140723782385664, len=8192, pgoff=0, d_maj=<unavailable>, d_min=<unavailable>, ino=0, ino_gen=0, prot=5, flags=4098, filename="", type=MAP__FUNCTION, thread=0x0000558f316f94c0) at map.c:192
frame #2: 0x0000558f2dd96a39 perf`machine__process_mmap2_event(machine=0x0000558f31213c48, event=0x00007fdd8f1105f0, sample=<unavailable>) at machine.c:1428
frame #3: 0x0000558f2dd9d7bc perf`ordered_events__deliver_event at session.c:1343
frame #4: 0x0000558f2dd9d798 perf`ordered_events__deliver_event
frame #5: 0x0000558f2dd9d790 perf`ordered_events__deliver_event(oe=0x0000558f31219e00, event=<unavailable>) at session.c:120
frame #6: 0x0000558f2dda1073 perf`ordered_events__flush at ordered-events.c:211
frame #7: 0x0000558f2dda0fb6 perf`ordered_events__flush(oe=0x0000558f31219e00, how=OE_FLUSH__ROUND) at ordered-events.c:278
frame #8: 0x0000558f2dd9e854 perf`perf_session__process_event at session.c:1383
frame #9: 0x0000558f2dd9e570 perf`perf_session__process_event(session=0x0000558f31213b60, event=0x00007fdd8f148050, file_offset=565328) at session.c:1511
frame #10: 0x0000558f2dd9ff40 perf`perf_session__process_events at session.c:1903
frame #11: 0x0000558f2dd9fec0 perf`perf_session__process_events(session=0x0000558f31213b60) at session.c:1957
frame #12: 0x0000558f2dcd76bc perf`cmd_record at builtin-record.c:442
frame #13: 0x0000558f2dcd7695 perf`cmd_record at builtin-record.c:574
frame #14: 0x0000558f2dcd7695 perf`cmd_record at builtin-record.c:1115
frame #15: 0x0000558f2dcd7601 perf`cmd_record(argc=<unavailable>, argv=<unavailable>) at builtin-record.c:1809
frame #16: 0x0000558f2dd3da01 perf`run_builtin(p=0x0000558f2e1f12b8, argc=9, argv=0x00007ffc21201e30) at perf.c:297
frame #17: 0x0000558f2dd3dcfe perf`handle_internal_command(argc=9, argv=0x00007ffc21201e30) at perf.c:349
frame #18: 0x0000558f2dcc17b9 perf`main [inlined] run_argv(argcp=<unavailable>, argv=<unavailable>) at perf.c:393
frame #19: 0x0000558f2dcc17ae perf`main(argc=<unavailable>, argv=0x00007ffc21201e30) at perf.c:537
frame #20: 0x00007fdd8fad5b97 libc.so.6`__libc_start_main + 231
frame #21: 0x0000558f2dcc1c3a perf`_start + 42
The fix for this has already been merged to Linux 4.19-rc, since
8/10/2018, see the original lkml post
https://lore.kernel.org/lkml/20180810133614.9925-1-bevers@mesosphere.com/.
bf2e710b3cb84 (Krister Johansen 2017-07-05 18:48:09 -0700 137) struct nsinfo *nsinfo__copy(struct nsinfo *nsi)
bf2e710b3cb84 (Krister Johansen 2017-07-05 18:48:09 -0700 138) {
bf2e710b3cb84 (Krister Johansen 2017-07-05 18:48:09 -0700 139) struct nsinfo *nnsi;
bf2e710b3cb84 (Krister Johansen 2017-07-05 18:48:09 -0700 140)
3f4417d693b43 (Benno Evers 2018-08-10 15:36:13 +0200 141) if (nsi == NULL)
3f4417d693b43 (Benno Evers 2018-08-10 15:36:13 +0200 142) return NULL;
3f4417d693b43 (Benno Evers 2018-08-10 15:36:13 +0200 143)
bf2e710b3cb84 (Krister Johansen 2017-07-05 18:48:09 -0700 144) nnsi = calloc(1, sizeof(*nnsi));
I verified locally that this fix works by manually applying it to 4.15 and
rebuilding the perf executable after that.
To port the fix to 4.15, or other versions earlier than 4.19-rc, we could run:
$ git cherry-pick 3f4417d693b43
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "perf.core.07092019.gz"
https://bugs.launchpad.net/bugs/1835940/+attachment/5275915/+files/perf.core.07092019.gz
** Package changed: systemd (Ubuntu) => linux (Ubuntu)
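
The NULL guard shown in the blame output above, reduced to a stand-alone C model. This is an added example, not perf's source and not part of the original report; `struct ns_model`, its fields and both function names are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for perf's struct nsinfo; the fields are assumptions. */
struct ns_model {
	int tgid;
	int need_setns;
	char *mntns_path;	/* optional, may be NULL */
};

/* Pre-fix shape: dereferences nsi unconditionally, so a NULL nsi faults. */
struct ns_model *ns_copy_unguarded(const struct ns_model *nsi)
{
	struct ns_model *n = calloc(1, sizeof(*n));

	if (n != NULL) {
		n->tgid = nsi->tgid;
		n->need_setns = nsi->need_setns;
	}
	return n;
}

/* Post-fix shape: NULL in, NULL out; callers must accept a NULL copy. */
struct ns_model *ns_copy(const struct ns_model *nsi)
{
	struct ns_model *n;

	if (nsi == NULL)
		return NULL;
	n = calloc(1, sizeof(*n));
	if (n == NULL)
		return NULL;
	n->tgid = nsi->tgid;
	n->need_setns = nsi->need_setns;
	if (nsi->mntns_path != NULL) {
		size_t len = strlen(nsi->mntns_path) + 1;
		n->mntns_path = malloc(len);
		if (n->mntns_path == NULL) {	/* never return a half copy */
			free(n);
			return NULL;
		}
		memcpy(n->mntns_path, nsi->mntns_path, len);
	}
	return n;
}

int main(void)
{
	return ns_copy(NULL) == NULL ? 0 : 1;
}
```

Returning NULL for a NULL input only moves the obligation: every caller of the guarded copy still has to treat a NULL result as "no namespace information" rather than dereference it.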
https://bugs.launchpad.net/bugs/1835940