Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp407861ybc; Tue, 12 Nov 2019 03:24:49 -0800 (PST) X-Google-Smtp-Source: APXvYqyTDkrbdLx8CxLykuui/kUzNL/cLygqJ1NH1ooVjJA63cjQUTKpCVg2iBbu/Iliwskb5LRz X-Received: by 2002:aa7:cb18:: with SMTP id s24mr32349358edt.281.1573557889200; Tue, 12 Nov 2019 03:24:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573557889; cv=none; d=google.com; s=arc-20160816; b=LWHtyNx1m6b0CBlryqUOnNL7hYjizSbP6dOCylThvfy9C/WVs7XvbJL6IOEZVsfzMH 6Sy8mIalFENnuYHZL+zDPD5Q6d9fP1ykaK/76pyy8rWCZDRXURLfxozYexqWvpmoYNhL aDRn92OwtPu4vdsfGurko6z3ugDwhWcmLIixlchdwN0Sa7CPpA6NSrOIqrO1dBHfQjDX qP42k2X8IELPASzIRSJWN6JnOp8WmDZ4zbFtTB/o7rALM/uOSjPO7A9ZSmGlKJ4V5pgH gzY50N/l6gh+cdixUwCoDg8/FkSNSnyZQoHmXccqyOrRYSx7HLXm1tWbbBmqoRyGMoWS FrGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :robot-unsubscribe:robot-id:message-id:mime-version:references :in-reply-to:cc:subject:to:reply-to:from:date; bh=8ECgY+eDxXKpW/DkBuelQPTWftLiGPr1V6H/e9iKIuQ=; b=os79TkaLWEnRNbnjlWePKLpDqgYpPKGv5Ax4c6otJOM3iiXDM1aZAiYDeH6psgKYAy e7KNgAelP+9EJ3NygcGnKgoU7ZIni8C+dVotaj/Y8oZt+x1Vc0VAOTFek72BeloOjVbr fhO936KDHqV9C7ynYk/VfgPPjERTWfDgzAXYLSfpmMYvMxTmwYBYnQzZco3TLn3VGz9/ 0MPixULOjlHnewDB+sSpIeuWOtQHjpo1QoULXRxV2dSXziYPkMJ6tXcRARY0oYDHfjy4 zLwSyx2j6SC/hP6+AGcGfppBh1A14QqpMDPjRc9t6LMsLPgqjBIT8W5y83f7NoSrHHpQ Fdng== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u17si13054749edd.276.2019.11.12.03.24.24; Tue, 12 Nov 2019 03:24:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727986AbfKLLWN (ORCPT + 99 others); Tue, 12 Nov 2019 06:22:13 -0500 Received: from Galois.linutronix.de ([193.142.43.55]:33538 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727189AbfKLLSG (ORCPT ); Tue, 12 Nov 2019 06:18:06 -0500 Received: from [5.158.153.53] (helo=tip-bot2.lab.linutronix.de) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1iUUBE-0000FX-6A; Tue, 12 Nov 2019 12:17:52 +0100 Received: from [127.0.1.1] (localhost [IPv6:::1]) by tip-bot2.lab.linutronix.de (Postfix) with ESMTP id D58781C0357; Tue, 12 Nov 2019 12:17:51 +0100 (CET) Date: Tue, 12 Nov 2019 11:17:51 -0000 From: "tip-bot2 for Leo Yan" Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: perf/core] perf tests: Fix out of bounds memory access Cc: Leo Yan , Jiri Olsa , Alexander Shishkin , Mark Rutland , Namhyung Kim , Naresh Kamboju , Peter Zijlstra , Wang Nan , stable@vger.kernel.org, #@tip-bot2.tec.linutronix.de, v4.10+@tip-bot2.tec.linutronix.de, Arnaldo Carvalho de Melo , Ingo Molnar , Borislav Petkov , linux-kernel@vger.kernel.org In-Reply-To: <20191107020244.2427-1-leo.yan@linaro.org> References: <20191107020244.2427-1-leo.yan@linaro.org> MIME-Version: 1.0 Message-ID: <157355747152.29376.9122205661301300130.tip-bot2@tip-bot2> X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the perf/core branch of tip: Commit-ID: af8490eb2b33684e26a0a927a9d93ae43cd08890 Gitweb: https://git.kernel.org/tip/af8490eb2b33684e26a0a927a9d93ae43cd08890 Author: Leo Yan AuthorDate: Thu, 07 Nov 2019 10:02:44 +08:00 Committer: Arnaldo Carvalho de Melo CommitterDate: Thu, 07 Nov 2019 09:04:22 -03:00 perf tests: Fix out of bounds memory access The test case 'Read backward ring buffer' failed on 32-bit architectures which were found by LKFT perf testing. The test failed on arm32 x15 device, qemu_arm32, qemu_i386, and found intermittent failure on i386; the failure log is as below: 50: Read backward ring buffer : --- start --- test child forked, pid 510 Using CPUID GenuineIntel-6-9E-9 mmap size 1052672B mmap size 8192B Finished reading overwrite ring buffer: rewind free(): invalid next size (fast) test child interrupted ---- end ---- Read backward ring buffer: FAILED! The log hints there have issue for memory usage, thus free() reports error 'invalid next size' and directly exit for the case. Finally, this issue is root caused as out of bounds memory access for the data array 'evsel->id'. The backward ring buffer test invokes do_test() twice. 'evsel->id' is allocated at the first call with the flow: test__backward_ring_buffer() `-> do_test() `-> evlist__mmap() `-> evlist__mmap_ex() `-> perf_evsel__alloc_id() So 'evsel->id' is allocated with one item, and it will be used in function perf_evlist__id_add(): evsel->id[0] = id evsel->ids = 1 At the second call for do_test(), it skips to initialize 'evsel->id' and reuses the array which is allocated in the first call. But 'evsel->ids' contains the stale value. Thus: evsel->id[1] = id -> out of bound access evsel->ids = 2 To fix this issue, we will use evlist__open() and evlist__close() pair functions to prepare and cleanup context for evlist; so 'evsel->id' and 'evsel->ids' can be initialized properly when invoke do_test() and avoid the out of bounds memory access. Fixes: ee74701ed8ad ("perf tests: Add test to check backward ring buffer") Signed-off-by: Leo Yan Reviewed-by: Jiri Olsa Cc: Alexander Shishkin Cc: Mark Rutland Cc: Namhyung Kim Cc: Naresh Kamboju Cc: Peter Zijlstra Cc: Wang Nan Cc: stable@vger.kernel.org # v4.10+ Link: http://lore.kernel.org/lkml/20191107020244.2427-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/tests/backward-ring-buffer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c index a4cd30c..15cea51 100644 --- a/tools/perf/tests/backward-ring-buffer.c +++ b/tools/perf/tests/backward-ring-buffer.c @@ -148,6 +148,15 @@ int test__backward_ring_buffer(struct test *test __maybe_unused, int subtest __m goto out_delete_evlist; } + evlist__close(evlist); + + err = evlist__open(evlist); + if (err < 0) { + pr_debug("perf_evlist__open: %s\n", + str_error_r(errno, sbuf, sizeof(sbuf))); + goto out_delete_evlist; + } + err = do_test(evlist, 1, &sample_count, &comm_count); if (err != TEST_OK) goto out_delete_evlist;