On Tue, Jul 17, 2018 at 11:02:45AM +0200, Jiri Olsa wrote: SNIP
> +/*
> + * Pure refs increase without any chec/warn.
> + */
> +static inline void refcount_inc_no_warn(refcount_t *r)
> +{
> + atomic_inc(&r->refs);
> +}
> +
> /*
> * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
> * decrement when saturated at UINT_MAX.
> diff --git a/tools/perf/util/comm.c b/tools/perf/util/comm.c
> index 7798a2cc8a86..a2e338cf29d7 100644
> --- a/tools/perf/util/comm.c
> +++ b/tools/perf/util/comm.c
> @@ -21,7 +21,7 @@ static struct rw_semaphore comm_str_lock = {.lock =
> PTHREAD_RWLOCK_INITIALIZER,}
> static struct comm_str *comm_str__get(struct comm_str *cs)
> {
> if (cs)
> - refcount_inc(&cs->refcnt);
> + refcount_inc_no_warn(&cs->refcnt);
> return cs;
> }
>
> @@ -29,10 +29,12 @@ static void comm_str__put(struct comm_str *cs)
> {
> if (cs && refcount_dec_and_test(&cs->refcnt)) {
> down_write(&comm_str_lock);
> - rb_erase(&cs->rb_node, &comm_str_root);
> + if (refcount_read(&cs->refcnt) == 0) {
> + rb_erase(&cs->rb_node, &comm_str_root);
> + zfree(&cs->str);
> + free(cs);
> + }
> up_write(&comm_str_lock);
> - zfree(&cs->str);
> - free(cs);
> }
> }
>
I'm still getting crashes with this code, there's another race in comm_str__put, consider following paths (with 'cs' struct comm_str data): thread 0: ... comm_str__put refcount_dec_and_test(&cs->refcnt) == true down_write(&comm_str_lock); --> cs->refcnt == 0, but we are blocked and waiting for the lock to remove cs, and meanwhile: thread 1: ... __comm_str__findnew(... comm_str__get(cs) ----------> cs->refcnt == 1 thread 2: ... comm_str__put refcount_dec_and_test(&cs->refcnt) == true ----------> cs->refcnt == 0, thread 2 gets the lock and removes cs ... thread 0: ... --> comm_str__put gets the lock and removes 'cs' which aborts with double free we don't have this problem if we ignore objects that dropped to refcnt == 0, which was what my previous change was doing jirka
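Review bot: The first comm.c hunk makes comm_str__get() increment a refcount that may already be 0 without recording anywhere that a zero count is expected on this path or which lock is supposed to make reviving such an object safe; switching to refcount_inc_no_warn() also discards the increment-from-zero WARN that was the only runtime signal of a use-after-free here. The caller __comm_str__findnew() lies outside the hunk, so whether it holds comm_str_lock around the get cannot be confirmed from this view. If the no-warn variant is kept, comm_str__get() should carry a comment naming the invariant it relies on, e.g. `/* refcnt may be 0 here: a concurrent comm_str__put() re-checks it under comm_str_lock before freeing */`. The re-check `if (refcount_read(&cs->refcnt) == 0)` in the second hunk is likewise only meaningful if every get is serialized against that write lock, and the hunk should state that assumption next to the check rather than leave it implicit.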