Re: [PATCH v2] perf tests: Fix out of bounds memory access

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jiri Olsa <jolsa@redhat.com>
To: Leo Yan <leo.yan@linaro.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Namhyung Kim <namhyung@kernel.org>,
	linux-kernel@vger.kernel.org,
	Naresh Kamboju <naresh.kamboju@linaro.org>
Subject: Re: [PATCH v2] perf tests: Fix out of bounds memory access
Date: Thu, 7 Nov 2019 10:42:26 +0100	[thread overview]
Message-ID: <20191107094226.GC14657@krava> (raw)
In-Reply-To: <20191107020244.2427-1-leo.yan@linaro.org>

On Thu, Nov 07, 2019 at 10:02:44AM +0800, Leo Yan wrote:
> The test case 'Read backward ring buffer' failed on 32-bit architectures
> which were found by LKFT perf testing.  The test failed on arm32 x15
> device, qemu_arm32, qemu_i386, and found intermittent failure on i386;
> the failure log is as below:
> 
>   50: Read backward ring buffer                  :
>   --- start ---
>   test child forked, pid 510
>   Using CPUID GenuineIntel-6-9E-9
>   mmap size 1052672B
>   mmap size 8192B
>   Finished reading overwrite ring buffer: rewind
>   free(): invalid next size (fast)
>   test child interrupted
>   ---- end ----
>   Read backward ring buffer: FAILED!
> 
> The log hints there have issue for memory usage, thus free() reports
> error 'invalid next size' and directly exit for the case.  Finally, this
> issue is root caused as out of bounds memory access for the data array
> 'evsel->id'.
> 
> The backward ring buffer test invokes do_test() twice.  'evsel->id' is
> allocated at the first call with the flow:
> 
>   test__backward_ring_buffer()
>     `-> do_test()
> 	  `-> evlist__mmap()
> 	        `-> evlist__mmap_ex()
> 	              `-> perf_evsel__alloc_id()
> 
> So 'evsel->id' is allocated with one item, and it will be used in
> function perf_evlist__id_add():
> 
>    evsel->id[0] = id
>    evsel->ids   = 1
> 
> At the second call for do_test(), it skips to initialize 'evsel->id'
> and reuses the array which is allocated in the first call.  But
> 'evsel->ids' contains the stale value.  Thus:
> 
>    evsel->id[1] = id    -> out of bound access
>    evsel->ids   = 2
> 
> To fix this issue, we will use evlist__open() and evlist__close() pair
> functions to prepare and cleanup context for evlist; so 'evsel->id' and
> 'evsel->ids' can be initialized properly when invoke do_test() and avoid
> the out of bounds memory access.

right, we need to solve this on libperf level, so it's possible
to call mmap/munmap multiple time without close/open.. I'll try
to send something, but meanwhile this is good workaround

Reviewed-by: Jiri Olsa <jolsa@kernel.org>

thanks,
jirka

> 
> Signed-off-by: Leo Yan <leo.yan@linaro.org>
> ---
>  tools/perf/tests/backward-ring-buffer.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c
> index 338cd9faa835..5128f727c0ef 100644
> --- a/tools/perf/tests/backward-ring-buffer.c
> +++ b/tools/perf/tests/backward-ring-buffer.c
> @@ -147,6 +147,15 @@ int test__backward_ring_buffer(struct test *test __maybe_unused, int subtest __m
>  		goto out_delete_evlist;
>  	}
>  
> +	evlist__close(evlist);
> +
> +	err = evlist__open(evlist);
> +	if (err < 0) {
> +		pr_debug("perf_evlist__open: %s\n",
> +			 str_error_r(errno, sbuf, sizeof(sbuf)));
> +		goto out_delete_evlist;
> +	}
> +
>  	err = do_test(evlist, 1, &sample_count, &comm_count);
>  	if (err != TEST_OK)
>  		goto out_delete_evlist;
> -- 
> 2.17.1
>

next prev parent reply	other threads:[~2019-11-07  9:42 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-07  2:02 [PATCH v2] perf tests: Fix out of bounds memory access Leo Yan
2019-11-07  9:42 ` Jiri Olsa [this message]
2019-11-07 10:20   ` Leo Yan
2019-11-07 12:06     ` Arnaldo Carvalho de Melo
2019-11-07 13:35       ` Leo Yan
2019-11-12 11:17 ` [tip: perf/core] " tip-bot2 for Leo Yan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191107094226.GC14657@krava \
    --to=jolsa@redhat.com \
    --cc=acme@kernel.org \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=leo.yan@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=naresh.kamboju@linaro.org \
    --cc=peterz@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.