From: Jiri Olsa <jolsa@redhat.com>
To: Ian Rogers <irogers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Namhyung Kim <namhyung@kernel.org>,
	linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com,
	Stephane Eranian <eranian@google.com>
Subject: Re: [PATCH v2] perf mem2node: avoid double free related to realloc
Date: Thu, 30 Apr 2020 10:15:41 +0200
Message-ID: <20200430081541.GA1681583@krava>
In-Reply-To: <20200320182347.87675-1-irogers@google.com>

On Fri, Mar 20, 2020 at 11:23:47AM -0700, Ian Rogers wrote:
> Realloc of size zero is a free not an error, avoid this causing a double
> free. Caught by clang's address sanitizer:
> 
> ==2634==ERROR: AddressSanitizer: attempting double-free on 0x6020000015f0 in thread T0:
>     #0 0x5649659297fd in free llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
>     #1 0x5649659e9251 in __zfree tools/lib/zalloc.c:13:2
>     #2 0x564965c0f92c in mem2node__exit tools/perf/util/mem2node.c:114:2
>     #3 0x564965a08b4c in perf_c2c__report tools/perf/builtin-c2c.c:2867:2
>     #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
>     #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
>     #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
>     #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
>     #8 0x564965942e41 in main tools/perf/perf.c:538:3
> 
> 0x6020000015f0 is located 0 bytes inside of 1-byte region [0x6020000015f0,0x6020000015f1)
> freed by thread T0 here:
>     #0 0x564965929da3 in realloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
>     #1 0x564965c0f55e in mem2node__init tools/perf/util/mem2node.c:97:16
>     #2 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
>     #3 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
>     #4 0x564965944348 in run_builtin tools/perf/perf.c:312:11
>     #5 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
>     #6 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
>     #7 0x564965942e41 in main tools/perf/perf.c:538:3
> 
> previously allocated by thread T0 here:
>     #0 0x564965929c42 in calloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
>     #1 0x5649659e9220 in zalloc tools/lib/zalloc.c:8:9
>     #2 0x564965c0f32d in mem2node__init tools/perf/util/mem2node.c:61:12
>     #3 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
>     #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
>     #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
>     #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
>     #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
>     #8 0x564965942e41 in main tools/perf/perf.c:538:3
> 
> v2: add a WARN_ON_ONCE when the free condition arises.
> 
> Signed-off-by: Ian Rogers <irogers@google.com>

I overlooked v2 for this, sry

Acked-by: Jiri Olsa <jolsa@redhat.com>

thanks,
jirka

> ---
>  tools/perf/util/mem2node.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/perf/util/mem2node.c b/tools/perf/util/mem2node.c
> index 797d86a1ab09..c84f5841c7ab 100644
> --- a/tools/perf/util/mem2node.c
> +++ b/tools/perf/util/mem2node.c
> @@ -1,5 +1,6 @@
>  #include <errno.h>
>  #include <inttypes.h>
> +#include <asm/bug.h>
>  #include <linux/bitmap.h>
>  #include <linux/kernel.h>
>  #include <linux/zalloc.h>
> @@ -95,7 +96,7 @@ int mem2node__init(struct mem2node *map, struct perf_env *env)
>  
>  	/* Cut unused entries, due to merging. */
>  	tmp_entries = realloc(entries, sizeof(*entries) * j);
> -	if (tmp_entries)
> +	if (tmp_entries || WARN_ON_ONCE(j == 0))
>  		entries = tmp_entries;
>  
>  	for (i = 0; i < j; i++) {
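
Review bot: in `if (tmp_entries || WARN_ON_ONCE(j == 0))` the warning sits behind a short-circuit `||`, so it only fires when realloc() returns NULL for the zero-size request; a libc that returns a non-NULL pointer for size 0 takes the first branch and never warns, which makes the diagnostic depend on the allocator. The same condition also folds two different NULL returns together: a real allocation failure (NULL with j > 0, where the old `entries` must be kept) and the zero-size free (NULL with j == 0, where the old pointer must be dropped), while the comment above still only says "Cut unused entries, due to merging". Consider testing `j == 0` before the realloc() call and handling that case on its own, or at least extending the comment to say that a NULL return with j == 0 means the buffer has already been freed and `entries` must not keep the stale pointer.
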
> -- 
> 2.25.1.696.g5e7596f4ac-goog
> 

