From: Ian Rogers <irogers@google.com>
To: Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Nick Terrell <terrelln@fb.com>,
Kan Liang <kan.liang@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>, Leo Yan <leo.yan@linaro.org>,
Song Liu <song@kernel.org>, Sandipan Das <sandipan.das@amd.com>,
James Clark <james.clark@arm.com>,
Anshuman Khandual <anshuman.khandual@arm.com>,
Miguel Ojeda <ojeda@kernel.org>,
Liam Howlett <liam.howlett@oracle.com>,
Yang Jihong <yangjihong1@huawei.com>,
Athira Rajeev <atrajeev@linux.vnet.ibm.com>,
Kajol Jain <kjain@linux.ibm.com>,
K Prateek Nayak <kprateek.nayak@amd.com>,
Sean Christopherson <seanjc@google.com>,
Yanteng Si <siyanteng@loongson.cn>,
Ravi Bangoria <ravi.bangoria@amd.com>,
German Gomez <german.gomez@arm.com>,
Changbin Du <changbin.du@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
liuwenyu <liuwenyu7@huawei.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org
Subject: [PATCH v3 39/50] perf maps: Get map before returning in maps__find
Date: Tue, 24 Oct 2023 15:23:42 -0700 [thread overview]
Message-ID: <20231024222353.3024098-40-irogers@google.com> (raw)
In-Reply-To: <20231024222353.3024098-1-irogers@google.com>
Finding a map is done under a lock, but returning the map without
taking a reference count means it can be removed without notice,
causing use-after-free. Grab a reference count to the map within the
lock region and return this. Fix up the locations that need a map__put
following this.
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/arch/x86/tests/dwarf-unwind.c | 1 +
tools/perf/tests/vmlinux-kallsyms.c | 5 ++---
tools/perf/util/bpf-event.c | 1 +
tools/perf/util/event.c | 4 ++--
tools/perf/util/machine.c | 22 ++++++++--------------
tools/perf/util/maps.c | 17 ++++++++++-------
tools/perf/util/symbol.c | 3 ++-
7 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/tools/perf/arch/x86/tests/dwarf-unwind.c b/tools/perf/arch/x86/tests/dwarf-unwind.c
index 5bfec3345d59..c05c0a85dad4 100644
--- a/tools/perf/arch/x86/tests/dwarf-unwind.c
+++ b/tools/perf/arch/x86/tests/dwarf-unwind.c
@@ -34,6 +34,7 @@ static int sample_ustack(struct perf_sample *sample,
}
stack_size = map__end(map) - sp;
+ map__put(map);
stack_size = stack_size > STACK_SIZE ? STACK_SIZE : stack_size;
memcpy(buf, (void *) sp, stack_size);
diff --git a/tools/perf/tests/vmlinux-kallsyms.c b/tools/perf/tests/vmlinux-kallsyms.c
index 822f893e67d5..e808e6fc8f76 100644
--- a/tools/perf/tests/vmlinux-kallsyms.c
+++ b/tools/perf/tests/vmlinux-kallsyms.c
@@ -151,10 +151,8 @@ static int test__vmlinux_matches_kallsyms_cb2(struct map *map, void *data)
u64 mem_end = map__unmap_ip(args->vmlinux_map, map__end(map));
pair = maps__find(args->kallsyms.kmaps, mem_start);
- if (pair == NULL || map__priv(pair))
- return 0;
- if (map__start(pair) == mem_start) {
+ if (pair != NULL && !map__priv(pair) && map__start(pair) == mem_start) {
struct dso *dso = map__dso(map);
if (!args->header_printed) {
@@ -170,6 +168,7 @@ static int test__vmlinux_matches_kallsyms_cb2(struct map *map, void *data)
pr_info(" %s\n", dso->name);
map__set_priv(pair, 1);
}
+ map__put(pair);
return 0;
}
diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
index 830711cae30d..d07fd5ffa823 100644
--- a/tools/perf/util/bpf-event.c
+++ b/tools/perf/util/bpf-event.c
@@ -63,6 +63,7 @@ static int machine__process_bpf_event_load(struct machine *machine,
dso->bpf_prog.id = id;
dso->bpf_prog.sub_id = i;
dso->bpf_prog.env = env;
+ map__put(map);
}
}
return 0;
diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
index 68f45e9e63b6..198903157f9e 100644
--- a/tools/perf/util/event.c
+++ b/tools/perf/util/event.c
@@ -511,7 +511,7 @@ size_t perf_event__fprintf_text_poke(union perf_event *event, struct machine *ma
struct addr_location al;
addr_location__init(&al);
- al.map = map__get(maps__find(machine__kernel_maps(machine), tp->addr));
+ al.map = maps__find(machine__kernel_maps(machine), tp->addr);
if (al.map && map__load(al.map) >= 0) {
al.addr = map__map_ip(al.map, tp->addr);
al.sym = map__find_symbol(al.map, al.addr);
@@ -641,7 +641,7 @@ struct map *thread__find_map(struct thread *thread, u8 cpumode, u64 addr,
return NULL;
}
al->maps = maps__get(maps);
- al->map = map__get(maps__find(maps, al->addr));
+ al->map = maps__find(maps, al->addr);
if (al->map != NULL) {
/*
* Kernel maps might be changed when loading symbols so loading
diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
index ab345604f274..1112a9dbb21a 100644
--- a/tools/perf/util/machine.c
+++ b/tools/perf/util/machine.c
@@ -897,7 +897,6 @@ static int machine__process_ksymbol_register(struct machine *machine,
struct symbol *sym;
struct dso *dso;
struct map *map = maps__find(machine__kernel_maps(machine), event->ksymbol.addr);
- bool put_map = false;
int err = 0;
if (!map) {
@@ -914,12 +913,6 @@ static int machine__process_ksymbol_register(struct machine *machine,
err = -ENOMEM;
goto out;
}
- /*
- * The inserted map has a get on it, we need to put to release
- * the reference count here, but do it after all accesses are
- * done.
- */
- put_map = true;
if (event->ksymbol.ksym_type == PERF_RECORD_KSYMBOL_TYPE_OOL) {
dso->binary_type = DSO_BINARY_TYPE__OOL;
dso->data.file_size = event->ksymbol.len;
@@ -953,8 +946,7 @@ static int machine__process_ksymbol_register(struct machine *machine,
}
dso__insert_symbol(dso, sym);
out:
- if (put_map)
- map__put(map);
+ map__put(map);
return err;
}
@@ -978,7 +970,7 @@ static int machine__process_ksymbol_unregister(struct machine *machine,
if (sym)
dso__delete_symbol(dso, sym);
}
-
+ map__put(map);
return 0;
}
@@ -1006,11 +998,11 @@ int machine__process_text_poke(struct machine *machine, union perf_event *event,
perf_event__fprintf_text_poke(event, machine, stdout);
if (!event->text_poke.new_len)
- return 0;
+ goto out;
if (cpumode != PERF_RECORD_MISC_KERNEL) {
pr_debug("%s: unsupported cpumode - ignoring\n", __func__);
- return 0;
+ goto out;
}
if (dso) {
@@ -1033,7 +1025,8 @@ int machine__process_text_poke(struct machine *machine, union perf_event *event,
pr_debug("Failed to find kernel text poke address map for %#" PRI_lx64 "\n",
event->text_poke.addr);
}
-
+out:
+ map__put(map);
return 0;
}
@@ -1301,9 +1294,10 @@ static int machine__map_x86_64_entry_trampolines_cb(struct map *map, void *data)
return 0;
dest_map = maps__find(args->kmaps, map__pgoff(map));
- if (dest_map != map)
+ if (RC_CHK_ACCESS(dest_map) != RC_CHK_ACCESS(map))
map__set_pgoff(map, map__map_ip(dest_map, map__pgoff(map)));
+ map__put(dest_map);
args->found = true;
return 0;
}
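Review bot: `RC_CHK_ACCESS(dest_map)` is evaluated before anything checks that `maps__find` found a map, and the maps.c hunk in this patch shows `maps__find` leaving its result NULL when the lookup misses. In a reference-count-checking build RC_CHK_ACCESS presumably reads through the wrapper, so a miss would become a NULL dereference in the comparison itself, and `map__map_ip(dest_map, ...)` on the next line has the same exposure in any build. The series adds RC_CHK_EQUAL in patch 04/50; `if (dest_map && !RC_CHK_EQUAL(dest_map, map))` would cover both cases. The callback's body starts outside the hunk, so an earlier guard cannot be ruled out from here.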
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index 06fdd8a7c2a2..28facfdac1d7 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -487,15 +487,18 @@ void maps__remove_maps(struct maps *maps, bool (*cb)(struct map *map, void *data
struct symbol *maps__find_symbol(struct maps *maps, u64 addr, struct map **mapp)
{
struct map *map = maps__find(maps, addr);
+ struct symbol *result = NULL;
/* Ensure map is loaded before using map->map_ip */
if (map != NULL && map__load(map) >= 0) {
- if (mapp != NULL)
- *mapp = map; // TODO: map_put on else path when find returns a get.
- return map__find_symbol(map, map__map_ip(map, addr));
- }
+ if (mapp)
+ *mapp = map;
- return NULL;
+ result = map__find_symbol(map, map__map_ip(map, addr));
+ if (!mapp)
+ map__put(map);
+ }
+ return result;
}
struct maps__find_symbol_by_name_args {
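Review bot: The reference taken by `maps__find` is leaked when `map__load(map)` fails in `maps__find_symbol`: `map` is non-NULL, the `if` body is skipped, and nothing puts it, which is the else path the removed TODO pointed at. Closing the block with `} else { map__put(map); }` releases it; this relies on `map__put` accepting NULL, as the vmlinux-kallsyms hunk in this patch already appears to. When `mapp` is non-NULL the caller now owns a reference, so a comment above the function such as `/* On success *mapp holds a reference the caller must map__put(). */` would make the hand-off visible.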
@@ -539,7 +542,7 @@ int maps__find_ams(struct maps *maps, struct addr_map_symbol *ams)
if (ams->addr < map__start(ams->ms.map) || ams->addr >= map__end(ams->ms.map)) {
if (maps == NULL)
return -1;
- ams->ms.map = maps__find(maps, ams->addr); // TODO: map_get
+ ams->ms.map = maps__find(maps, ams->addr);
if (ams->ms.map == NULL)
return -1;
}
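Review bot: The assignment `ams->ms.map = maps__find(maps, ams->addr);` overwrites the previous `ams->ms.map` without releasing it, while the new value is now a counted reference. If the addr_map_symbol owns the reference on its map (patch 11/50's addr_map_symbol__exit suggests so, but that is not visible here), the old map leaks a reference each time the address falls outside it. `map__put(ams->ms.map);` before the lookup would balance it. The dropped `// TODO: map_get` was the only marker of this ownership question, so a one-line comment saying who puts `ams->ms.map` would help; the function continues outside the hunk.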
@@ -848,7 +851,7 @@ struct map *maps__find(struct maps *maps, u64 ip)
sizeof(*mapp), map__addr_cmp);
if (mapp)
- result = *mapp; // map__get(*mapp);
+ result = map__get(*mapp);
done = true;
}
up_read(maps__lock(maps));
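Review bot: The contract of `maps__find` changes at `result = map__get(*mapp);` with no comment at the definition: the returned map now carries a reference taken inside the read-lock region, and every caller must `map__put()` it. A header comment above the function such as `/* Returns the map with a reference held, or NULL; the caller must map__put() it. */` would keep callers not touched by this patch from silently leaking references. The function's start and its return statement are outside the hunk.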
diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index 30da8a405d11..ad4819a24320 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -757,7 +757,6 @@ static int dso__load_all_kallsyms(struct dso *dso, const char *filename)
static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
{
- struct map *curr_map;
struct symbol *pos;
int count = 0;
struct rb_root_cached old_root = dso->symbols;
@@ -770,6 +769,7 @@ static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
*root = RB_ROOT_CACHED;
while (next) {
+ struct map *curr_map;
struct dso *curr_map_dso;
char *module;
@@ -796,6 +796,7 @@ static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
pos->end -= map__start(curr_map) - map__pgoff(curr_map);
symbols__insert(&curr_map_dso->symbols, pos);
++count;
+ map__put(curr_map);
}
/* Symbols have been adjusted */
--
2.42.0.758.gaed0368e0e-goog
2023-10-24 22:23 [PATCH v3 00/50] Improvements to memory use Ian Rogers
2023-10-24 22:23 ` [PATCH v3 01/50] perf rwsem: Add debug mode that uses a mutex Ian Rogers
2023-10-24 22:23 ` [PATCH v3 02/50] perf machine: Avoid out of bounds LBR memory read Ian Rogers
2023-10-24 22:23 ` [PATCH v3 03/50] libperf rc_check: Make implicit enabling work for GCC Ian Rogers
2023-10-24 22:23 ` [PATCH v3 04/50] libperf rc_check: Add RC_CHK_EQUAL Ian Rogers
2023-10-24 22:23 ` [PATCH v3 05/50] perf hist: Add missing puts to hist__account_cycles Ian Rogers
2023-10-24 22:23 ` [PATCH v3 06/50] perf threads: Remove unused dead thread list Ian Rogers
2023-10-24 22:23 ` [PATCH v3 07/50] perf offcpu: Add missed btf_free Ian Rogers
2023-10-24 22:23 ` [PATCH v3 08/50] perf callchain: Make display use of branch_type_stat const Ian Rogers
2023-10-24 22:23 ` [PATCH v3 09/50] perf callchain: Make brtype_stat in callchain_list optional Ian Rogers
2023-10-24 22:23 ` [PATCH v3 10/50] perf callchain: Minor layout changes to callchain_list Ian Rogers
2023-10-24 22:23 ` [PATCH v3 11/50] perf mem_info: Add and use map_symbol__exit and addr_map_symbol__exit Ian Rogers
2023-10-24 22:23 ` [PATCH v3 12/50] perf record: Lazy load kernel symbols Ian Rogers
2023-10-25 18:25 ` Namhyung Kim
2023-10-25 18:35 ` Adrian Hunter
2023-10-24 22:23 ` [PATCH v3 13/50] libperf: Lazily allocate mmap event copy Ian Rogers
2023-10-25 2:38 ` Yang Jihong
2023-10-25 3:28 ` Ian Rogers
2023-10-24 22:23 ` [PATCH v3 14/50] perf mmap: Lazily initialize zstd streams Ian Rogers
2023-10-24 22:23 ` [PATCH v3 15/50] perf machine thread: Remove exited threads by default Ian Rogers
2023-10-24 22:23 ` [PATCH v3 16/50] tools api fs: Switch filename__read_str to use io.h Ian Rogers
2023-10-24 22:23 ` [PATCH v3 17/50] tools api fs: Avoid reading whole file for a 1 byte bool Ian Rogers
2023-10-24 22:23 ` [PATCH v3 18/50] tools lib api: Add io_dir an allocation free readdir alternative Ian Rogers
2023-10-25 18:43 ` Namhyung Kim
2023-10-25 22:15 ` Ian Rogers
2023-10-24 22:23 ` [PATCH v3 19/50] perf maps: Switch modules tree walk to io_dir__readdir Ian Rogers
2023-10-24 22:23 ` [PATCH v3 20/50] perf record: Be lazier in allocating lost samples buffer Ian Rogers
2023-10-25 3:44 ` Yang Jihong
2023-10-25 17:00 ` Ian Rogers
2023-10-25 19:04 ` Namhyung Kim
2023-10-25 19:00 ` Namhyung Kim
2023-10-24 22:23 ` [PATCH v3 21/50] perf pmu: Switch to io_dir__readdir Ian Rogers
2023-10-24 22:23 ` [PATCH v3 22/50] perf bpf: Don't synthesize BPF events when disabled Ian Rogers
2023-10-24 22:23 ` [PATCH v3 23/50] perf header: Switch mem topology to io_dir__readdir Ian Rogers
2023-10-24 22:23 ` [PATCH v3 24/50] perf events: Remove scandir in thread synthesis Ian Rogers
2023-10-24 22:23 ` [PATCH v3 25/50] perf map: Simplify map_ip/unmap_ip and make map size smaller Ian Rogers
2023-10-24 22:23 ` [PATCH v3 26/50] perf maps: Move symbol maps functions to maps.c Ian Rogers
2023-10-24 22:23 ` [PATCH v3 27/50] perf thread: Add missing RC_CHK_ACCESS Ian Rogers
2023-10-24 22:23 ` [PATCH v3 28/50] perf maps: Add maps__for_each_map to call a function on each entry Ian Rogers
2023-10-24 22:23 ` [PATCH v3 29/50] perf maps: Add remove maps function to remove a map based on callback Ian Rogers
2023-10-24 22:23 ` [PATCH v3 30/50] perf debug: Expose debug file Ian Rogers
2023-10-24 22:23 ` [PATCH v3 31/50] perf maps: Refactor maps__fixup_overlappings Ian Rogers
2023-10-24 22:23 ` [PATCH v3 32/50] perf maps: Do simple merge if given map doesn't overlap Ian Rogers
2023-10-24 22:23 ` [PATCH v3 33/50] perf maps: Rename clone to copy from Ian Rogers
2023-10-24 22:23 ` [PATCH v3 34/50] perf maps: Add maps__load_first Ian Rogers
2023-10-24 22:23 ` [PATCH v3 35/50] perf maps: Add find next entry to give entry after the given map Ian Rogers
2023-10-24 22:23 ` [PATCH v3 36/50] perf maps: Reduce scope of map_rb_node and maps internals Ian Rogers
2023-10-24 22:23 ` [PATCH v3 37/50] perf maps: Fix up overlaps during fixup_end Ian Rogers
2023-10-24 22:23 ` [PATCH v3 38/50] perf maps: Switch from rbtree to lazily sorted array for addresses Ian Rogers
2023-10-24 22:23 ` Ian Rogers [this message]
2023-10-24 22:23 ` [PATCH v3 40/50] perf maps: Get map before returning in maps__find_by_name Ian Rogers
2023-10-24 22:23 ` [PATCH v3 41/50] perf maps: Get map before returning in maps__find_next_entry Ian Rogers
2023-10-24 22:23 ` [PATCH v3 42/50] perf maps: Hide maps internals Ian Rogers
2023-10-24 22:23 ` [PATCH v3 43/50] perf maps: Locking tidy up of nr_maps Ian Rogers
2023-10-24 22:23 ` [PATCH v3 44/50] perf dso: Reorder variables to save space in struct dso Ian Rogers
2023-10-24 22:23 ` [PATCH v3 45/50] perf report: Sort child tasks by tid Ian Rogers
2023-10-24 22:23 ` [PATCH v3 46/50] perf trace: Ignore thread hashing in summary Ian Rogers
2023-10-24 22:23 ` [PATCH v3 47/50] perf machine: Move fprintf to for_each loop and a callback Ian Rogers
2023-10-24 22:23 ` [PATCH v3 48/50] perf threads: Move threads to its own files Ian Rogers
2023-10-24 22:23 ` [PATCH v3 49/50] perf threads: Switch from rbtree to hashmap Ian Rogers
2023-10-24 22:23 ` [PATCH v3 50/50] perf threads: Reduce table size from 256 to 8 Ian Rogers
2023-10-26 17:11 ` (subset) [PATCH v3 00/50] Improvements to memory use Namhyung Kim