From: Barry Song
CC: Barry Song, Andi Kleen, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Adrian Hunter, Alexey Budankov
Subject: [PATCH] perf evlist: fix memory corruption for Kernel PMU event
Date: Fri, 2 Oct 2020 00:57:29 +1300
Message-ID: <20201001115729.27116-1-song.bao.hua@hisilicon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 7736627b865d ("perf stat: Use affinity for closing file descriptors") will use FD(evsel, cpu, thread) to read and write file descriptors xyarray. For a kernel PMU event, this leads to serious memory corruption and perf crash.

I have seen evlist->core.cpus->nr is 1 while evsel has cpus->nr with the total number of CPUs. so xyarray which is allocated by evlist->core.cpus->nr will get overflow. This leads to various segmentation faults in perf tool for kernel PMU events, eg:

./perf stat -e bus_cycles sleep 1
*** Error in `./perf': free(): invalid next size (fast): 0x00000000401e6370 ***
Aborted (core dumped)

Fixes: 7736627b865d ("perf stat: Use affinity for closing file descriptors")
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
Cc: Mark Rutland
Cc: Alexander Shishkin
Cc: Jiri Olsa
Cc: Namhyung Kim
Cc: Adrian Hunter
Cc: Alexey Budankov
Signed-off-by: Barry Song
--- tools/perf/util/evlist.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c index c0768c6..3022152 100644 --- a/tools/perf/util/evlist.c +++ b/tools/perf/util/evlist.c 
@@ -1226,10 +1226,14 @@ void evlist__close(struct evlist *evlist) int cpu, i; /* - * With perf record core.cpus is usually NULL. + * With perf record core.cpus is usually NULL; + * For Kernel PMU event x, "perf stat -e x" will set evlist->core.cpus->nr to + * 1 while evsel has cpus->nr which contains all CPUs. evsel__cpu_iter_skip() + * will be false, memory corruption will happen if we use affinity to close + * file descriptors; * Use the old method to handle this for now. */ - if (!evlist->core.cpus) { + if (!evlist->core.cpus || evlist->core.cpus->nr == 1) { evlist__for_each_entry_reverse(evlist, evsel) evsel__close(evsel); return; -- 2.7.4
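Review bot: The new condition in evlist__close(), "evlist->core.cpus->nr == 1", tests a symptom rather than the mismatch that causes the out-of-bounds access. Per the comment and the commit message, the overflow happens when an evsel's cpus->nr is larger than evlist->core.cpus->nr, because the fd xyarray is sized by the smaller map and indexed by the larger one. Checking for nr == 1 covers the reported "perf stat -e x" case, but it leaves the affinity path in place for any evlist whose map is smaller than an evsel's map with nr greater than 1, and it also drops the affinity path for every run that legitimately uses a single CPU. Consider comparing the evsel and evlist CPU counts directly inside the loop, or bounds-checking the cpu index before the FD() access, so the guard matches the condition that actually corrupts memory. The comment says "for now", so it would help to state what the proper fix is expected to be (sizing the xyarray by the evsel's map, or making the two maps agree) so the workaround is not left in place indefinitely. Minor: the added comment lines run past the usual line length and the sentence "evsel__cpu_iter_skip() will be false, memory corruption will happen" would read better split into two statements.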