Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp338432ybx; Wed, 6 Nov 2019 18:06:22 -0800 (PST) X-Google-Smtp-Source: APXvYqxlcgTgEyhUVEjJV634za7k6iqG8nRZOD8bdvlNtQvNCLIiZlgtcVeiwhZoUOgZIWb29+EK X-Received: by 2002:aa7:df87:: with SMTP id b7mr973151edy.296.1573092382720; Wed, 06 Nov 2019 18:06:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573092382; cv=none; d=google.com; s=arc-20160816; b=gumKn8xN6GqdcYi7Uumy+ma8rLp/E656brImM/PZ8b5FicmOnh3d57RW2xgIiUkA+6 kW0A+XBKzfdXdc7OJQJDrnnHs6RqQ9WtFDdb0UKTS2wWGRx5WZtJt6X6fQVzWvGn94lR W7d6SRLo0E2Ks0q/s+hXKpJjBTfgourUZIbT560LVcsOdo29C4ISMO8MvuZX+a97rrcA p7rbjqtHYlQwJXTO6NzbHy6A8IY/a+sjUw7xh6NrWeAK+zTnemplil34U3vDEOaAm+4t Ow8MIvWLmv/Fno7fUImx4XeF0vupTDZ2xjugE27awzSWw4pnCWNxBH8P/pJPqB9g+a8C 4hbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date:dkim-signature; bh=tTT0dMOEqgZW1kV1sG/4ggHTaPX+X0/vvJoLumgE0QE=; b=T2V59WV9lCqDsjuWYIJDeZTW8Lk98mcYO4L4391gwQgzehA5DrnyuRJBlmUazE/kee IdUI8+Bm/1enpWlO1x+TV9ViY/ppO0QVqbwnNj6LU/c26seMroZn+NP4AG59yvdHjomF f50Wp50On6z2/b2K+a4G+6fdxezIeSe5mMYnD49vAr6dII3t48e9r9dT8dnC3gJA9fUH tyd6HXfaFRq5wUvmwfFcJifPmBn901Y7WV8biU7YL9kO8fZWF1oIV6wauJ2xYZrv+FsR vG4Ogs5JbxTL29UKI8Bgs3Mk8x1/fCTpBy2t/qfQITx1FPMHaG37ggo9c/pGqawUY2pC 965w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=nwKiejIO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h18si336083edh.352.2019.11.06.18.05.59; Wed, 06 Nov 2019 18:06:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=nwKiejIO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732928AbfKGCEw (ORCPT + 99 others); Wed, 6 Nov 2019 21:04:52 -0500 Received: from mail-yw1-f68.google.com ([209.85.161.68]:43408 "EHLO mail-yw1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727328AbfKGCEw (ORCPT ); Wed, 6 Nov 2019 21:04:52 -0500 Received: by mail-yw1-f68.google.com with SMTP id g77so79887ywb.10 for ; Wed, 06 Nov 2019 18:04:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=tTT0dMOEqgZW1kV1sG/4ggHTaPX+X0/vvJoLumgE0QE=; b=nwKiejIONICC8a1e9UtTPzcvwk33OVhxyR+rHFggtmA7ta4wqFG7X0xpOIh3EMbknq pBuwvexBQSGPn0PK9n2GPanJdAApK6v07KUs6+B3T/iB8Mu6UePWuvaOZn/DzFEXVsA1 ZQyXE4QbIVSjaiaAkZbJ3xwuh9LM+hOPXx1LxQ/O0TbBbhH9/FwgoytOgCuwOI0JaAHh tRIeodQncd1GOIHhwAQn/9v2S39MY6cgIErsyXqw2gYNPu0iQZz99NPClFl0U+c8TPpu NXFdv4O2zU25BBM/4/RaiK8bz8wxz3giHN50/eaMzT0tCOXaddlcrS1rEhF3beOeOaZl y6zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=tTT0dMOEqgZW1kV1sG/4ggHTaPX+X0/vvJoLumgE0QE=; b=Zuda7/ebWoyWj+O1ywb8TH34yrp0SOw8HkTZn0Xzph3ins0ufCASTPWhrCLyvo7gW9 haW55BdKDPIhdsBVMfXaASUQ9Ru5N5gv62h+WOQ9wqqfhyRb6nNjJm97wawUPcgndhFx 8YcKOPB3k/qLpEP6akTyauf8w2xSs2KFGkafw/c80y7Y4xxMVfmvNOyqKQSaNW+TMC68 av3tiEUYhWpD7MPnRRCcxjSFMq/G9s7K3hMdg6262AC3h6WVInNcN22Spq0ClSRmufZD xeDigdkqoBJpP6JqrMCYqQN7678ObPH/PL7c3YEoxWZetcygboY7hqndHCswt4hCjOOf ip/A== X-Gm-Message-State: APjAAAW/C7bZgGKIIspwLnDC6DvQ02y3wuvPDj5C8cMY1HLN72bDGAy+ ea5C8XxacO/PgDwxV51zXL2l7w== X-Received: by 2002:a81:8ac4:: with SMTP id a187mr525991ywg.87.1573092289701; Wed, 06 Nov 2019 18:04:49 -0800 (PST) Received: from leoy-ThinkPad-X240s (li1038-30.members.linode.com. [45.33.96.30]) by smtp.gmail.com with ESMTPSA id z16sm172524ywj.93.2019.11.06.18.04.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 06 Nov 2019 18:04:49 -0800 (PST) Date: Thu, 7 Nov 2019 10:04:43 +0800 From: Leo Yan To: Arnaldo Carvalho de Melo , Peter Zijlstra , Ingo Molnar , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Changbin Du , linux-kernel@vger.kernel.org, Naresh Kamboju Subject: Re: [PATCH] perf tests: Fix out of bounds memory access Message-ID: <20191107020443.GC12850@leoy-ThinkPad-X240s> References: <20191107014848.30008-1-leo.yan@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191107014848.30008-1-leo.yan@linaro.org> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 07, 2019 at 09:48:48AM +0800, Leo Yan wrote: > The test case 'Read backward ring buffer' failed on 32bit architectures > which were found by LKFT pert testing. The test failed on arm32 x15 ^^^^ s/pert/perf Sorry for typo and spamming, I sent patch v2 for reviewing. Thanks, Leo Yan > device, qemu_arm32, qemu_i386, and found intermittent failure on i386; > the failure log is as below: > > 50: Read backward ring buffer : > --- start --- > test child forked, pid 510 > Using CPUID GenuineIntel-6-9E-9 > mmap size 1052672B > mmap size 8192B > Finished reading overwrite ring buffer: rewind > free(): invalid next size (fast) > test child interrupted > ---- end ---- > Read backward ring buffer: FAILED! > > The log hints there have issues for memory usage, thus free() reports > error 'invalid next size' and directly exit for the case. Finally, this > issue is root caused as out of bounds memory access for the data array > 'evsel->id'. > > The backward ring buffer test invokes do_test() twice. 'evsel->id' is > allocated at the first call with the flow: > > test__backward_ring_buffer() > `-> do_test() > `-> evlist__mmap() > `-> evlist__mmap_ex() > `-> perf_evsel__alloc_id() > > So 'evsel->id' is allocated with one item, and it will be used in > function perf_evlist__id_add(): > > evsel->id[0] = id > evsel->ids = 1 > > At the second call for do_test(), it skips to initialize 'evsel->id' > and reuses the array which is allocated in the first call. But > 'evsel->ids' contains the stale value. Thus: > > evsel->id[1] = id -> out of bound access > evsel->ids = 2 > > To fix this issue, we will use evlist__open() and evlist__close() pair > functions to prepare and cleanup context for evlist; so 'evsel->id' and > 'evsel->ids' can be initialized properly when invoke do_test() and avoid > the out of bounds memory access. > > Signed-off-by: Leo Yan > --- > tools/perf/tests/backward-ring-buffer.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c > index 338cd9faa835..5128f727c0ef 100644 > --- a/tools/perf/tests/backward-ring-buffer.c > +++ b/tools/perf/tests/backward-ring-buffer.c > @@ -147,6 +147,15 @@ int test__backward_ring_buffer(struct test *test __maybe_unused, int subtest __m > goto out_delete_evlist; > } > > + evlist__close(evlist); > + > + err = evlist__open(evlist); > + if (err < 0) { > + pr_debug("perf_evlist__open: %s\n", > + str_error_r(errno, sbuf, sizeof(sbuf))); > + goto out_delete_evlist; > + } > + > err = do_test(evlist, 1, &sample_count, &comm_count); > if (err != TEST_OK) > goto out_delete_evlist; > -- > 2.17.1 >