From patchwork Mon Dec 16 17:49:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 181782 Delivered-To: patch@linaro.org Received: by 2002:a92:3001:0:0:0:0:0 with SMTP id x1csp4668291ile; Mon, 16 Dec 2019 10:18:56 -0800 (PST) X-Google-Smtp-Source: APXvYqyeyGtfmODRiyyYRuWzPZfEiTnsliBYItDFGCX6TgZxt+nNjbTiq8kq21vqjldIv54Eb/tx X-Received: by 2002:a05:6830:22e2:: with SMTP id t2mr33922174otc.129.1576520336790; Mon, 16 Dec 2019 10:18:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1576520336; cv=none; d=google.com; s=arc-20160816; b=qv18lBdyDBZlfZfRUEcdFlCVrUljcA3A69MQMnHJhPaM2vz3/0csTlNH01xP89bCuw vm2fzWOFDZ7zRBMihE6ksMtDVXxMvXY/7TaXzGliZ4IpC+31EoaPHq5dRvsm3NgfSirv AAuLyC+6RgHNv8Xg8+VpDlcHw25ffzrsT8mXMeAUy0HJ02+KlWxEnQUr6nFlq5m/7J4t s7pGU3Ra8M59kWYiqnaFxM76MZyINrSIfb46DTwVyXmRioQ2+QoQRBfqWZV1PGQ1kIyJ kZ+CegXPqWiYYvFWFWnxw6IpaUAVUY/736Gw0UFPO5QU2o21Q+kZvm5g53kYZeiohX2c W5TA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sCqV9Ik5IKoyORTKqXxipUz6fJ8pV/YGfRYVbNvnfmo=; b=leMPZoU+Hy6vkiOvfrfWRrHPF5tUOfY/J3SOdjc//vZcn1ahII21EO2F/ou2t3aH+g EptJcF6QFQrHl1ciPv+ajn/5Gs0K03fRQQPWw+5Ppskn31LdctGA80ep5Plk+7UA8dwN s1EyzrBXEUITpy4PJB/USSkxVRQsEDmf0OODK9NPMVraaLINXMTXdRO581uSsGWK8wdz YSEjgkMVG+sgpxQGSTJ8qrPItn9ezkY2HFVofZbIzLCUE97MSHnwsaQSiqViv2A17HZn mTwSN/dTTWqRkoSIGlbtdAGhX9LV9zIxvLOCCUxTYHvRXCwDqi6oRYU0pS1LBPyKhp91 wfDw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=actTZaSA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k188si10811300oib.201.2019.12.16.10.18.56; Mon, 16 Dec 2019 10:18:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=actTZaSA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731869AbfLPSSz (ORCPT + 27 others); Mon, 16 Dec 2019 13:18:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:45472 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731858AbfLPSSx (ORCPT ); Mon, 16 Dec 2019 13:18:53 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CE427207FF; Mon, 16 Dec 2019 18:18:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576520332; bh=wwlmxGK47+3NKt/tCyF1WitVXEn7YD87pa8sUS9EE8g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=actTZaSAtAlkWvsRA8QMeGxhX3/mtNZybOInMhK/8cs2ZndyYb2yXFz31+Londt/n xRf8CO7qIiE832uiHTI9FOTzSXcQLGBL0PQiuVimDTjsF/lHgtYyNpGqvm0+++p2wA 29+LJQHRSeZ2XVNy0pfuXhPlCO0I/LJtu9B0c0mk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Leo Yan , Jiri Olsa , Alexander Shishkin , Mark Rutland , Namhyung Kim , Naresh Kamboju , Peter Zijlstra , Wang Nan , Arnaldo Carvalho de Melo Subject: [PATCH 5.4 111/177] perf tests: Fix out of bounds memory access Date: Mon, 16 Dec 2019 18:49:27 +0100 Message-Id: <20191216174842.136673983@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191216174811.158424118@linuxfoundation.org> References: <20191216174811.158424118@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Leo Yan commit af8490eb2b33684e26a0a927a9d93ae43cd08890 upstream. The test case 'Read backward ring buffer' failed on 32-bit architectures which were found by LKFT perf testing. The test failed on arm32 x15 device, qemu_arm32, qemu_i386, and found intermittent failure on i386; the failure log is as below: 50: Read backward ring buffer : --- start --- test child forked, pid 510 Using CPUID GenuineIntel-6-9E-9 mmap size 1052672B mmap size 8192B Finished reading overwrite ring buffer: rewind free(): invalid next size (fast) test child interrupted ---- end ---- Read backward ring buffer: FAILED! The log hints there have issue for memory usage, thus free() reports error 'invalid next size' and directly exit for the case. Finally, this issue is root caused as out of bounds memory access for the data array 'evsel->id'. The backward ring buffer test invokes do_test() twice. 'evsel->id' is allocated at the first call with the flow: test__backward_ring_buffer() `-> do_test() `-> evlist__mmap() `-> evlist__mmap_ex() `-> perf_evsel__alloc_id() So 'evsel->id' is allocated with one item, and it will be used in function perf_evlist__id_add(): evsel->id[0] = id evsel->ids = 1 At the second call for do_test(), it skips to initialize 'evsel->id' and reuses the array which is allocated in the first call. But 'evsel->ids' contains the stale value. Thus: evsel->id[1] = id -> out of bound access evsel->ids = 2 To fix this issue, we will use evlist__open() and evlist__close() pair functions to prepare and cleanup context for evlist; so 'evsel->id' and 'evsel->ids' can be initialized properly when invoke do_test() and avoid the out of bounds memory access. Fixes: ee74701ed8ad ("perf tests: Add test to check backward ring buffer") Signed-off-by: Leo Yan Reviewed-by: Jiri Olsa Cc: Alexander Shishkin Cc: Mark Rutland Cc: Namhyung Kim Cc: Naresh Kamboju Cc: Peter Zijlstra Cc: Wang Nan Cc: stable@vger.kernel.org # v4.10+ Link: http://lore.kernel.org/lkml/20191107020244.2427-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman --- tools/perf/tests/backward-ring-buffer.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/tools/perf/tests/backward-ring-buffer.c +++ b/tools/perf/tests/backward-ring-buffer.c @@ -147,6 +147,15 @@ int test__backward_ring_buffer(struct te goto out_delete_evlist; } + evlist__close(evlist); + + err = evlist__open(evlist); + if (err < 0) { + pr_debug("perf_evlist__open: %s\n", + str_error_r(errno, sbuf, sizeof(sbuf))); + goto out_delete_evlist; + } + err = do_test(evlist, 1, &sample_count, &comm_count); if (err != TEST_OK) goto out_delete_evlist;