* [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free
@ 2025-11-19 5:05 Ian Rogers
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Ian Rogers @ 2025-11-19 5:05 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, German Gomez, Ravi Bangoria,
Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel,
kernel test robot
The case of __maps__fixup_overlap_and_insert where the "new" maps
covers existing mappings can create a use-after-free with reference
count checking enabled. The issue is that "pos" holds a map pointer
from maps_by_address that is put from maps_by_address but then used to
look for a map in maps_by_name (the compared map is now a
use-after-free). The issue stems from using maps__remove which redoes
some of the searches already done by __maps__fixup_overlap_and_insert,
so optimize the code (by avoiding repeated searches) and avoid the
use-after-free by inlining the appropriate removal code.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511141407.f9edcfa6-lkp@intel.com
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/util/maps.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index 779f6230130a..c321d4f4d846 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -931,8 +931,9 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
return err;
} else {
struct map *next = NULL;
+ unsigned int nr_maps = maps__nr_maps(maps);
- if (i + 1 < maps__nr_maps(maps))
+ if (i + 1 < nr_maps)
next = maps_by_address[i + 1];
if (!next || map__start(next) >= map__end(new)) {
@@ -953,7 +954,24 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
check_invariants(maps);
return err;
}
- __maps__remove(maps, pos);
+ /*
+ * pos fully covers the previous mapping so remove
+ * it. The following is an inlined version of
+ * maps__remove that reuses the already computed
+ * indices.
+ */
+ map__put(maps_by_address[i]);
+ memmove(&maps_by_address[i],
+ &maps_by_address[i + 1],
+ (nr_maps - i - 1) * sizeof(*maps_by_address));
+
+ if (maps_by_name) {
+ map__put(maps_by_name[ni]);
+ memmove(&maps_by_name[ni],
+ &maps_by_name[ni + 1],
+ (nr_maps - ni - 1) * sizeof(*maps_by_name));
+ }
+ --RC_CHK_ACCESS(maps)->nr_maps;
check_invariants(maps);
/*
* Maps are ordered but no need to increase `i` as the
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests
2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers
@ 2025-11-19 5:05 ` Ian Rogers
2025-11-19 12:33 ` James Clark
2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark
2025-11-20 19:02 ` Namhyung Kim
2 siblings, 1 reply; 5+ messages in thread
From: Ian Rogers @ 2025-11-19 5:05 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, German Gomez, Ravi Bangoria,
Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel,
kernel test robot
Add additional test to the maps covering
maps__fixup_overlap_and_insert. Change the test suite to be for more
than just 1 test.
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/tests/builtin-test.c | 2 +-
tools/perf/tests/maps.c | 82 ++++++++++++++++++++++++++++++++-
tools/perf/tests/tests.h | 2 +-
3 files changed, 83 insertions(+), 3 deletions(-)
diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c
index 0d2fb7a4ae5b..9090e8238a44 100644
--- a/tools/perf/tests/builtin-test.c
+++ b/tools/perf/tests/builtin-test.c
@@ -126,7 +126,7 @@ static struct test_suite *generic_tests[] = {
&suite__jit_write_elf,
&suite__pfm,
&suite__api_io,
- &suite__maps__merge_in,
+ &suite__maps,
&suite__demangle_java,
&suite__demangle_ocaml,
&suite__demangle_rust,
diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c
index 4f1f9385ea9c..2c05d62f40dc 100644
--- a/tools/perf/tests/maps.c
+++ b/tools/perf/tests/maps.c
@@ -162,4 +162,84 @@ static int test__maps__merge_in(struct test_suite *t __maybe_unused, int subtest
return TEST_OK;
}
-DEFINE_SUITE("maps__merge_in", maps__merge_in);
+static int test__maps__fixup_overlap_and_insert(struct test_suite *t __maybe_unused,
+ int subtest __maybe_unused)
+{
+ struct map_def initial_maps[] = {
+ { "target_map", 1000, 2000 },
+ { "next_map", 3000, 4000 },
+ };
+ struct map_def insert_split = { "split_map", 1400, 1600 };
+ struct map_def expected_after_split[] = {
+ { "target_map", 1000, 1400 },
+ { "split_map", 1400, 1600 },
+ { "target_map", 1600, 2000 },
+ { "next_map", 3000, 4000 },
+ };
+
+ struct map_def insert_eclipse = { "eclipse_map", 2500, 4500 };
+ struct map_def expected_final[] = {
+ { "target_map", 1000, 1400 },
+ { "split_map", 1400, 1600 },
+ { "target_map", 1600, 2000 },
+ { "eclipse_map", 2500, 4500 },
+ /* "next_map" (3000-4000) is removed */
+ };
+
+ struct map *map_split, *map_eclipse;
+ int ret;
+ unsigned int i;
+ struct maps *maps = maps__new(NULL);
+
+ TEST_ASSERT_VAL("failed to create maps", maps);
+
+ for (i = 0; i < ARRAY_SIZE(initial_maps); i++) {
+ struct map *map = dso__new_map(initial_maps[i].name);
+
+ TEST_ASSERT_VAL("failed to create map", map);
+ map__set_start(map, initial_maps[i].start);
+ map__set_end(map, initial_maps[i].end);
+ TEST_ASSERT_VAL("failed to insert map", maps__insert(maps, map) == 0);
+ map__put(map);
+ }
+
+ // Check splitting.
+ map_split = dso__new_map(insert_split.name);
+ TEST_ASSERT_VAL("failed to create split map", map_split);
+ map__set_start(map_split, insert_split.start);
+ map__set_end(map_split, insert_split.end);
+
+ ret = maps__fixup_overlap_and_insert(maps, map_split);
+ TEST_ASSERT_VAL("failed to fixup and insert split map", !ret);
+
+ map__zput(map_split);
+ ret = check_maps(expected_after_split, ARRAY_SIZE(expected_after_split), maps);
+ TEST_ASSERT_VAL("split check failed", !ret);
+
+ // Check cover 1 map with another.
+ map_eclipse = dso__new_map(insert_eclipse.name);
+ TEST_ASSERT_VAL("failed to create eclipse map", map_eclipse);
+ map__set_start(map_eclipse, insert_eclipse.start);
+ map__set_end(map_eclipse, insert_eclipse.end);
+
+ ret = maps__fixup_overlap_and_insert(maps, map_eclipse);
+ TEST_ASSERT_VAL("failed to fixup and insert eclipse map", !ret);
+
+ map__zput(map_eclipse);
+ ret = check_maps(expected_final, ARRAY_SIZE(expected_final), maps);
+ TEST_ASSERT_VAL("eclipse check failed", !ret);
+
+ maps__zput(maps);
+ return TEST_OK;
+}
+
+static struct test_case tests__maps[] = {
+ TEST_CASE("Test merge_in interface", maps__merge_in),
+ TEST_CASE("Test fix up overlap interface", maps__fixup_overlap_and_insert),
+ { .name = NULL, }
+};
+
+struct test_suite suite__maps = {
+ .desc = "Maps - per process mmaps abstraction",
+ .test_cases = tests__maps,
+};
diff --git a/tools/perf/tests/tests.h b/tools/perf/tests/tests.h
index 33de16dde737..f5fba95b6f3f 100644
--- a/tools/perf/tests/tests.h
+++ b/tools/perf/tests/tests.h
@@ -160,7 +160,7 @@ DECLARE_SUITE(bitmap_print);
DECLARE_SUITE(perf_hooks);
DECLARE_SUITE(unit_number__scnprint);
DECLARE_SUITE(mem2node);
-DECLARE_SUITE(maps__merge_in);
+DECLARE_SUITE(maps);
DECLARE_SUITE(time_utils);
DECLARE_SUITE(jit_write_elf);
DECLARE_SUITE(api_io);
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free
2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
@ 2025-11-19 12:33 ` James Clark
2025-11-20 19:02 ` Namhyung Kim
2 siblings, 0 replies; 5+ messages in thread
From: James Clark @ 2025-11-19 12:33 UTC (permalink / raw)
To: Ian Rogers
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Alexander Shishkin, Jiri Olsa, Adrian Hunter,
German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao,
linux-perf-users, linux-kernel, kernel test robot
On 19/11/2025 5:05 am, Ian Rogers wrote:
> The case of __maps__fixup_overlap_and_insert where the "new" maps
> covers existing mappings can create a use-after-free with reference
> count checking enabled. The issue is that "pos" holds a map pointer
> from maps_by_address that is put from maps_by_address but then used to
> look for a map in maps_by_name (the compared map is now a
> use-after-free). The issue stems from using maps__remove which redoes
> some of the searches already done by __maps__fixup_overlap_and_insert,
> so optimize the code (by avoiding repeated searches) and avoid the
> use-after-free by inlining the appropriate removal code.
>
> Reported-by: kernel test robot <oliver.sang@intel.com>
> Closes: https://lore.kernel.org/oe-lkp/202511141407.f9edcfa6-lkp@intel.com
> Signed-off-by: Ian Rogers <irogers@google.com>
Reviewed-by: James Clark <james.clark@linaro.org>
> ---
> tools/perf/util/maps.c | 22 ++++++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
> index 779f6230130a..c321d4f4d846 100644
> --- a/tools/perf/util/maps.c
> +++ b/tools/perf/util/maps.c
> @@ -931,8 +931,9 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
> return err;
> } else {
> struct map *next = NULL;
> + unsigned int nr_maps = maps__nr_maps(maps);
>
> - if (i + 1 < maps__nr_maps(maps))
> + if (i + 1 < nr_maps)
> next = maps_by_address[i + 1];
>
> if (!next || map__start(next) >= map__end(new)) {
> @@ -953,7 +954,24 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
> check_invariants(maps);
> return err;
> }
> - __maps__remove(maps, pos);
> + /*
> + * pos fully covers the previous mapping so remove
> + * it. The following is an inlined version of
> + * maps__remove that reuses the already computed
> + * indices.
> + */
> + map__put(maps_by_address[i]);
> + memmove(&maps_by_address[i],
> + &maps_by_address[i + 1],
> + (nr_maps - i - 1) * sizeof(*maps_by_address));
> +
> + if (maps_by_name) {
> + map__put(maps_by_name[ni]);
> + memmove(&maps_by_name[ni],
> + &maps_by_name[ni + 1],
> + (nr_maps - ni - 1) * sizeof(*maps_by_name));
> + }
> + --RC_CHK_ACCESS(maps)->nr_maps;
> check_invariants(maps);
> /*
> * Maps are ordered but no need to increase `i` as the
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
@ 2025-11-19 12:33 ` James Clark
0 siblings, 0 replies; 5+ messages in thread
From: James Clark @ 2025-11-19 12:33 UTC (permalink / raw)
To: Ian Rogers
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Alexander Shishkin, Jiri Olsa, Adrian Hunter,
German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao,
linux-perf-users, linux-kernel, kernel test robot
On 19/11/2025 5:05 am, Ian Rogers wrote:
> Add additional test to the maps covering
> maps__fixup_overlap_and_insert. Change the test suite to be for more
> than just 1 test.
>
> Signed-off-by: Ian Rogers <irogers@google.com>
Reviewed-by: James Clark <james.clark@linaro.org>
> ---
> tools/perf/tests/builtin-test.c | 2 +-
> tools/perf/tests/maps.c | 82 ++++++++++++++++++++++++++++++++-
> tools/perf/tests/tests.h | 2 +-
> 3 files changed, 83 insertions(+), 3 deletions(-)
>
> diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c
> index 0d2fb7a4ae5b..9090e8238a44 100644
> --- a/tools/perf/tests/builtin-test.c
> +++ b/tools/perf/tests/builtin-test.c
> @@ -126,7 +126,7 @@ static struct test_suite *generic_tests[] = {
> &suite__jit_write_elf,
> &suite__pfm,
> &suite__api_io,
> - &suite__maps__merge_in,
> + &suite__maps,
> &suite__demangle_java,
> &suite__demangle_ocaml,
> &suite__demangle_rust,
> diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c
> index 4f1f9385ea9c..2c05d62f40dc 100644
> --- a/tools/perf/tests/maps.c
> +++ b/tools/perf/tests/maps.c
> @@ -162,4 +162,84 @@ static int test__maps__merge_in(struct test_suite *t __maybe_unused, int subtest
> return TEST_OK;
> }
>
> -DEFINE_SUITE("maps__merge_in", maps__merge_in);
> +static int test__maps__fixup_overlap_and_insert(struct test_suite *t __maybe_unused,
> + int subtest __maybe_unused)
> +{
> + struct map_def initial_maps[] = {
> + { "target_map", 1000, 2000 },
> + { "next_map", 3000, 4000 },
> + };
> + struct map_def insert_split = { "split_map", 1400, 1600 };
> + struct map_def expected_after_split[] = {
> + { "target_map", 1000, 1400 },
> + { "split_map", 1400, 1600 },
> + { "target_map", 1600, 2000 },
> + { "next_map", 3000, 4000 },
> + };
> +
> + struct map_def insert_eclipse = { "eclipse_map", 2500, 4500 };
> + struct map_def expected_final[] = {
> + { "target_map", 1000, 1400 },
> + { "split_map", 1400, 1600 },
> + { "target_map", 1600, 2000 },
> + { "eclipse_map", 2500, 4500 },
> + /* "next_map" (3000-4000) is removed */
> + };
> +
> + struct map *map_split, *map_eclipse;
> + int ret;
> + unsigned int i;
> + struct maps *maps = maps__new(NULL);
> +
> + TEST_ASSERT_VAL("failed to create maps", maps);
> +
> + for (i = 0; i < ARRAY_SIZE(initial_maps); i++) {
> + struct map *map = dso__new_map(initial_maps[i].name);
> +
> + TEST_ASSERT_VAL("failed to create map", map);
> + map__set_start(map, initial_maps[i].start);
> + map__set_end(map, initial_maps[i].end);
> + TEST_ASSERT_VAL("failed to insert map", maps__insert(maps, map) == 0);
> + map__put(map);
> + }
> +
> + // Check splitting.
> + map_split = dso__new_map(insert_split.name);
> + TEST_ASSERT_VAL("failed to create split map", map_split);
> + map__set_start(map_split, insert_split.start);
> + map__set_end(map_split, insert_split.end);
> +
> + ret = maps__fixup_overlap_and_insert(maps, map_split);
> + TEST_ASSERT_VAL("failed to fixup and insert split map", !ret);
> +
> + map__zput(map_split);
> + ret = check_maps(expected_after_split, ARRAY_SIZE(expected_after_split), maps);
> + TEST_ASSERT_VAL("split check failed", !ret);
> +
> + // Check cover 1 map with another.
> + map_eclipse = dso__new_map(insert_eclipse.name);
> + TEST_ASSERT_VAL("failed to create eclipse map", map_eclipse);
> + map__set_start(map_eclipse, insert_eclipse.start);
> + map__set_end(map_eclipse, insert_eclipse.end);
> +
> + ret = maps__fixup_overlap_and_insert(maps, map_eclipse);
> + TEST_ASSERT_VAL("failed to fixup and insert eclipse map", !ret);
> +
> + map__zput(map_eclipse);
> + ret = check_maps(expected_final, ARRAY_SIZE(expected_final), maps);
> + TEST_ASSERT_VAL("eclipse check failed", !ret);
> +
> + maps__zput(maps);
> + return TEST_OK;
> +}
> +
> +static struct test_case tests__maps[] = {
> + TEST_CASE("Test merge_in interface", maps__merge_in),
> + TEST_CASE("Test fix up overlap interface", maps__fixup_overlap_and_insert),
> + { .name = NULL, }
> +};
> +
> +struct test_suite suite__maps = {
> + .desc = "Maps - per process mmaps abstraction",
> + .test_cases = tests__maps,
> +};
> diff --git a/tools/perf/tests/tests.h b/tools/perf/tests/tests.h
> index 33de16dde737..f5fba95b6f3f 100644
> --- a/tools/perf/tests/tests.h
> +++ b/tools/perf/tests/tests.h
> @@ -160,7 +160,7 @@ DECLARE_SUITE(bitmap_print);
> DECLARE_SUITE(perf_hooks);
> DECLARE_SUITE(unit_number__scnprint);
> DECLARE_SUITE(mem2node);
> -DECLARE_SUITE(maps__merge_in);
> +DECLARE_SUITE(maps);
> DECLARE_SUITE(time_utils);
> DECLARE_SUITE(jit_write_elf);
> DECLARE_SUITE(api_io);
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free
2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark
@ 2025-11-20 19:02 ` Namhyung Kim
2 siblings, 0 replies; 5+ messages in thread
From: Namhyung Kim @ 2025-11-20 19:02 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Alexander Shishkin, Jiri Olsa, Adrian Hunter, James Clark,
German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao,
linux-perf-users, linux-kernel, kernel test robot, Ian Rogers
On Tue, 18 Nov 2025 21:05:54 -0800, Ian Rogers wrote:
> The case of __maps__fixup_overlap_and_insert where the "new" maps
> covers existing mappings can create a use-after-free with reference
> count checking enabled. The issue is that "pos" holds a map pointer
> from maps_by_address that is put from maps_by_address but then used to
> look for a map in maps_by_name (the compared map is now a
> use-after-free). The issue stems from using maps__remove which redoes
> some of the searches already done by __maps__fixup_overlap_and_insert,
> so optimize the code (by avoiding repeated searches) and avoid the
> use-after-free by inlining the appropriate removal code.
>
> [...]
Applied to perf-tools-next, thanks!
Best regards,
Namhyung
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-11-20 19:02 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
2025-11-19 12:33 ` James Clark
2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark
2025-11-20 19:02 ` Namhyung Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).