Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1118363pxb; Wed, 15 Sep 2021 23:24:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyUZpp5W9vo3DZbAfB6aUzearuWWRkOmSB7hPI4Xsprx7+1hqyEHhmeZBgRNMym80HQMY/N X-Received: by 2002:a17:906:7848:: with SMTP id p8mr4440660ejm.212.1631773474689; Wed, 15 Sep 2021 23:24:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631773474; cv=none; d=google.com; s=arc-20160816; b=EBSV+MGjxjZ8u3g+hwVjTh2lvOuOS88r39Z90vQVGPOTsQcbIPUQde+95uUinvF39D xuRQvDlYSQAlTRcATFtgZD35HVoXszRkcJJlY+WzMQZnP4R1mSV9SfrEBIPyxCiqsmQ+ 1WkeBEp9S1qeIL5/trYheRm18pRNZyuIQqAazFZkLqEAmVLvoDzWq7Vu9Ba4XEEKUUGV IgVXbVA5LSBMIqJfTTu35qhuebX9nF3K+ZD6TZOL2ut+bCG36J3sC9y100bbdv8Z0sut QNOV77V03TT3CXZoZWOsUbXJNsgMpIWYBjTTaS+W0Nu/MpriLxJKEnmhyPQVLX0FgG+R Ph7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :dkim-signature; bh=2zO9I+WpfIAi/lsn9jzqdmaKYibtEk4wOlr2sTHiCKA=; b=Uyzq6Nttq+MLprDmspVzDq+xunQfOe0fqlwrJOHoEbq60ruhCCDNj9pz260OFUw4PY fWCnd72nJgd0cSAwcLszNIwaZYoMysVJJH2Fl9sgRLolgpYMdcP2FvYKZO+neeyPJdGC KzpdA3LBt+7atidDIKriepf2UPw9Ogstr2+MrW8M5z9PcsnKvEFDy9MwmLi6FXw5X+js SjQ6qzYvxmcJuAM5elhMVZ3DU/WaBuOHjVVHW8FtpasI+oGprzEZt3xlCtLLi6J7wx7F OG+rIJvlel2VmOEB6B9rRPMdYtuqd/u5dZNNLva6B4wxLxLRsgbXm3VcVLDh77gUIRGf mgVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=U87j3QSz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n10si3311706edx.474.2021.09.15.23.24.10; Wed, 15 Sep 2021 23:24:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=U87j3QSz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231255AbhIPGYI (ORCPT + 99 others); Thu, 16 Sep 2021 02:24:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232531AbhIPGYF (ORCPT ); Thu, 16 Sep 2021 02:24:05 -0400 Received: from mail-qk1-x74a.google.com (mail-qk1-x74a.google.com [IPv6:2607:f8b0:4864:20::74a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0189CC061764 for ; Wed, 15 Sep 2021 23:22:44 -0700 (PDT) Received: by mail-qk1-x74a.google.com with SMTP id g73-20020a379d4c000000b003d3ed03ca28so25065805qke.23 for ; Wed, 15 Sep 2021 23:22:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=2zO9I+WpfIAi/lsn9jzqdmaKYibtEk4wOlr2sTHiCKA=; b=U87j3QSzlqk1gZ15ATT+N2Q/rNB64XKHG4vZLZ8Qo8+64V4c8fh/q1p9xWaxh3STAx VxXHa3CGRBonUhe5AXsjfxApP9/ctReV1GBHf/IBfQgrH2UkP0de61nID+CHcjFu0dSY nti1Yo5cmQWeDGaRNk5XntoyL2xPerKQgSKYWQZz2FYh99+AXjGlo63Qk38QizK7J+9R GUWTwMTGPAyL6Phj8D+6RfE1wskRLPZnoGwZJgVbNBi232YVJ5aYSmyZMIZ39izoq7/M jhoG1dOfihf8X1vsmLEtIZC7L9px6SbvvNDGW05wF5GQNk3r2TV137VfuOr0/FEexbKN m++w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=2zO9I+WpfIAi/lsn9jzqdmaKYibtEk4wOlr2sTHiCKA=; b=j5NE7a6whHrlcykuHYEQxTkjP4gqjzFGwhIY5DtT6x0fULp/JIxZxnb1fYha004TyR lPrt3Sk+X1ioC9ME29TuTQohBQZwy9dd1VEZElF0w8jj3WmmmQB4a2pGAf9Cykt5YluY NP5UpJ+VxAx7Up7Bm0RECLuzTEPSppfD8e3QOgIrOHvXX/g4Wf4/oMxRiQE9iFixYdWx XuTDb02HTmC+JMCnhRK14QdwEcxsk0n11soLmXSButRwPmjPDL/gi4ubu8f08lFsEGUk RkeO5k04t2HYpUWUpwMp/1FRFr47w0H+DYg1F8v2EEQaXRKYr47y53i2j4dBYRfAVo/v 4/Rw== X-Gm-Message-State: AOAM532OsCWb5Yn0iuyYtzeNWKJqLnjv1iVVkUjn9u+vOf9pLV8g02UZ baxqQYGjLFr6HFsY/9QS5re4y3XdZxXW X-Received: from irogers.svl.corp.google.com ([2620:15c:2cd:202:7b71:ab93:de5f:617b]) (user=irogers job=sendgmr) by 2002:a0c:f38b:: with SMTP id i11mr3708217qvk.42.1631773364019; Wed, 15 Sep 2021 23:22:44 -0700 (PDT) Date: Wed, 15 Sep 2021 23:22:39 -0700 Message-Id: <20210916062239.1894011-1-irogers@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.33.0.309.g3052b89438-goog Subject: [PATCH v2] libperf evsel: Make use of FD robust. From: Ian Rogers To: Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org Cc: eranian@google.com, Ian Rogers Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org FD uses xyarray__entry that may return NULL if an index is out of bounds. If NULL is returned then a segv happens as FD unconditionally dereferences the pointer. This was happening in a case of with perf iostat as shown below. The fix is to make FD an "int*" rather than an int and handle the NULL case as either invalid input or a closed fd. $ sudo gdb --args perf stat --iostat list ... Breakpoint 1, perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50 50 { (gdb) bt #0 perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50 #1 0x000055555585c188 in evsel__open_cpu (evsel=0x5555560951a0, cpus=0x555556093410, threads=0x555556086fb0, start_cpu=0, end_cpu=1) at util/evsel.c:1792 #2 0x000055555585cfb2 in evsel__open (evsel=0x5555560951a0, cpus=0x0, threads=0x555556086fb0) at util/evsel.c:2045 #3 0x000055555585d0db in evsel__open_per_thread (evsel=0x5555560951a0, threads=0x555556086fb0) at util/evsel.c:2065 #4 0x00005555558ece64 in create_perf_stat_counter (evsel=0x5555560951a0, config=0x555555c34700 , target=0x555555c2f1c0 , cpu=0) at util/stat.c:590 #5 0x000055555578e927 in __run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0) at builtin-stat.c:833 #6 0x000055555578f3c6 in run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0) at builtin-stat.c:1048 #7 0x0000555555792ee5 in cmd_stat (argc=1, argv=0x7fffffffe4a0) at builtin-stat.c:2534 #8 0x0000555555835ed3 in run_builtin (p=0x555555c3f540 , argc=3, argv=0x7fffffffe4a0) at perf.c:313 #9 0x0000555555836154 in handle_internal_command (argc=3, argv=0x7fffffffe4a0) at perf.c:365 #10 0x000055555583629f in run_argv (argcp=0x7fffffffe2ec, argv=0x7fffffffe2e0) at perf.c:409 #11 0x0000555555836692 in main (argc=3, argv=0x7fffffffe4a0) at perf.c:539 ... (gdb) c Continuing. Error: The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (uncore_iio_0/event=0x83,umask=0x04,ch_mask=0xF,fc_mask=0x07/). /bin/dmesg | grep -i perf may provide additional information. Program received signal SIGSEGV, Segmentation fault. 0x00005555559b03ea in perf_evsel__close_fd_cpu (evsel=0x5555560951a0, cpu=1) at evsel.c:166 166 if (FD(evsel, cpu, thread) >= 0) v2. is a rebase. Signed-off-by: Ian Rogers --- tools/lib/perf/evsel.c | 64 +++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/tools/lib/perf/evsel.c b/tools/lib/perf/evsel.c index d8886720e83d..ede7af4d183c 100644 --- a/tools/lib/perf/evsel.c +++ b/tools/lib/perf/evsel.c @@ -43,7 +43,7 @@ void perf_evsel__delete(struct perf_evsel *evsel) free(evsel); } -#define FD(e, x, y) (*(int *) xyarray__entry(e->fd, x, y)) +#define FD(e, x, y) (int *) xyarray__entry(e->fd, x, y) #define MMAP(e, x, y) (e->mmap ? ((struct perf_mmap *) xyarray__entry(e->mmap, x, y)) : NULL) int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) @@ -54,7 +54,10 @@ int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) int cpu, thread; for (cpu = 0; cpu < ncpus; cpu++) { for (thread = 0; thread < nthreads; thread++) { - FD(evsel, cpu, thread) = -1; + int *fd = FD(evsel, cpu, thread); + + if (fd) + *fd = -1; } } } @@ -80,7 +83,7 @@ sys_perf_event_open(struct perf_event_attr *attr, static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *group_fd) { struct perf_evsel *leader = evsel->leader; - int fd; + int *fd; if (evsel == leader) { *group_fd = -1; @@ -95,10 +98,10 @@ static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *grou return -ENOTCONN; fd = FD(leader, cpu, thread); - if (fd == -1) + if (fd == NULL || *fd == -1) return -EBADF; - *group_fd = fd; + *group_fd = *fd; return 0; } @@ -138,7 +141,11 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus, for (cpu = 0; cpu < cpus->nr; cpu++) { for (thread = 0; thread < threads->nr; thread++) { - int fd, group_fd; + int fd, group_fd, *evsel_fd; + + evsel_fd = FD(evsel, cpu, thread); + if (evsel_fd == NULL) + return -EINVAL; err = get_group_fd(evsel, cpu, thread, &group_fd); if (err < 0) @@ -151,7 +158,7 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus, if (fd < 0) return -errno; - FD(evsel, cpu, thread) = fd; + *evsel_fd = fd; } } @@ -163,9 +170,12 @@ static void perf_evsel__close_fd_cpu(struct perf_evsel *evsel, int cpu) int thread; for (thread = 0; thread < xyarray__max_y(evsel->fd); ++thread) { - if (FD(evsel, cpu, thread) >= 0) - close(FD(evsel, cpu, thread)); - FD(evsel, cpu, thread) = -1; + int *fd = FD(evsel, cpu, thread); + + if (fd && *fd >= 0) { + close(*fd); + *fd = -1; + } } } @@ -209,13 +219,12 @@ void perf_evsel__munmap(struct perf_evsel *evsel) for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) { for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { - int fd = FD(evsel, cpu, thread); - struct perf_mmap *map = MMAP(evsel, cpu, thread); + int *fd = FD(evsel, cpu, thread); - if (fd < 0) + if (fd == NULL || *fd < 0) continue; - perf_mmap__munmap(map); + perf_mmap__munmap(MMAP(evsel, cpu, thread)); } } @@ -239,15 +248,16 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages) for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) { for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { - int fd = FD(evsel, cpu, thread); - struct perf_mmap *map = MMAP(evsel, cpu, thread); + int *fd = FD(evsel, cpu, thread); + struct perf_mmap *map; - if (fd < 0) + if (fd == NULL || *fd < 0) continue; + map = MMAP(evsel, cpu, thread); perf_mmap__init(map, NULL, false, NULL); - ret = perf_mmap__mmap(map, &mp, fd, cpu); + ret = perf_mmap__mmap(map, &mp, *fd, cpu); if (ret) { perf_evsel__munmap(evsel); return ret; @@ -260,7 +270,9 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages) void *perf_evsel__mmap_base(struct perf_evsel *evsel, int cpu, int thread) { - if (FD(evsel, cpu, thread) < 0 || MMAP(evsel, cpu, thread) == NULL) + int *fd = FD(evsel, cpu, thread); + + if (fd == NULL || *fd < 0 || MMAP(evsel, cpu, thread) == NULL) return NULL; return MMAP(evsel, cpu, thread)->base; @@ -295,17 +307,18 @@ int perf_evsel__read(struct perf_evsel *evsel, int cpu, int thread, struct perf_counts_values *count) { size_t size = perf_evsel__read_size(evsel); + int *fd = FD(evsel, cpu, thread); memset(count, 0, sizeof(*count)); - if (FD(evsel, cpu, thread) < 0) + if (fd == NULL || *fd < 0) return -EINVAL; if (MMAP(evsel, cpu, thread) && !perf_mmap__read_self(MMAP(evsel, cpu, thread), count)) return 0; - if (readn(FD(evsel, cpu, thread), count->values, size) <= 0) + if (readn(*fd, count->values, size) <= 0) return -errno; return 0; @@ -318,8 +331,13 @@ static int perf_evsel__run_ioctl(struct perf_evsel *evsel, int thread; for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { - int fd = FD(evsel, cpu, thread), - err = ioctl(fd, ioc, arg); + int err; + int *fd = FD(evsel, cpu, thread); + + if (fd || *fd < 0) + return -1; + + err = ioctl(*fd, ioc, arg); if (err) return err; -- 2.33.0.309.g3052b89438-goog