Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753287AbbDGJgE (ORCPT <rfc822;w@1wt.eu>);
	Tue, 7 Apr 2015 05:36:04 -0400
Received: from szxga03-in.huawei.com ([119.145.14.66]:20496 "EHLO
	szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752855AbbDGJgA (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 7 Apr 2015 05:36:00 -0400
From: He Kuang <hekuang@huawei.com>
To: <acme@kernel.org>, <a.p.zijlstra@chello.nl>, <mingo@redhat.com>,
        <jolsa@kernel.org>
CC: <wangnan0@huawei.com>, <linux-kernel@vger.kernel.org>
Subject: [PATCH 2/2] perf trace: Fix segmentfault on perf trace
Date: Tue, 7 Apr 2015 17:31:11 +0800
Message-ID: <1428399071-7141-2-git-send-email-hekuang@huawei.com>
X-Mailer: git-send-email 2.3.3.220.g9ab698f
In-Reply-To: <1428399071-7141-1-git-send-email-hekuang@huawei.com>
References: <1428399071-7141-1-git-send-email-hekuang@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.107.197.189]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
	refid=str=0001.0A020206.5523A4FD.01B4,ss=1,re=0.001,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0,
	ip=0.0.0.0,
	so=2013-05-26 15:14:31,
	dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: cf3a2a2dad6be2ae5829da05a94b7949
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2203
Lines: 70

After perf_evlist__filter_pollfd() filters out fds and releases
perf_mmap by using perf_evlist__mmap_put(), refcnt of perf_mmap hits 1
then perf_evlist__mmap_consume() will do the final unmap. In this
condition, perf_evlist__mmap_read() will crash by referencing invalid
mmap. Put refcnt check before use.

Can be reproduced as following:

  $ perf trace --duration 1.0 ls
    ...
    perf: Segmentation fault
    Obtained 14 stack frames.
    ./perf(dump_stack+0x2e) [0x503c2d]
    ./perf(sighandler_dump_stack+0x2e)
    [0x503d0c]
    /lib64/libc.so.6(+0x34df0) [0x7f5fd9a4adf0]
    ./perf() [0x4a8fda]
    ./perf(perf_evlist__mmap_read+0x56)
    [0x4aae93]
    ./perf() [0x470b28]
    ./perf(cmd_trace+0xada) [0x4727bd]
    ./perf() [0x49c4f4]
    ./perf() [0x49c74d]
    ./perf() [0x49c899]
    ./perf(main+0x23b)
    [0x49cbfa]
    /lib64/libc.so.6(__libc_start_main+0xf5)
    [0x7f5fd9a377b5]
    ./perf() [0x434ea5]
    [(nil)]

Signed-off-by: He Kuang <hekuang@huawei.com>
---
 tools/perf/util/evlist.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
index 76ef7ee..9d36433 100644
--- a/tools/perf/util/evlist.c
+++ b/tools/perf/util/evlist.c
@@ -634,11 +634,18 @@ static struct perf_evsel *perf_evlist__event2evsel(struct perf_evlist *evlist,
 union perf_event *perf_evlist__mmap_read(struct perf_evlist *evlist, int idx)
 {
 	struct perf_mmap *md = &evlist->mmap[idx];
-	unsigned int head = perf_mmap__read_head(md);
-	unsigned int old = md->prev;
-	unsigned char *data = md->base + page_size;
+	unsigned int head;
+	unsigned int old;
+	unsigned char *data;
 	union perf_event *event = NULL;
 
+	if (md == NULL || md->refcnt == 0)
+		return NULL;
+
+	head = perf_mmap__read_head(md);
+	old = md->prev;
+	data = md->base + page_size;
+
 	if (evlist->overwrite) {
 		/*
 		 * If we're further behind than half the buffer, there's a chance
-- 
2.3.3.220.g9ab698f

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/