* [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free
@ 2025-11-19 5:05 Ian Rogers
2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Ian Rogers @ 2025-11-19 5:05 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, German Gomez, Ravi Bangoria,
Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel,
kernel test robot
The case of __maps__fixup_overlap_and_insert where the "new" maps
covers existing mappings can create a use-after-free with reference
count checking enabled. The issue is that "pos" holds a map pointer
from maps_by_address that is put from maps_by_address but then used to
look for a map in maps_by_name (the compared map is now a
use-after-free). The issue stems from using maps__remove which redoes
some of the searches already done by __maps__fixup_overlap_and_insert,
so optimize the code (by avoiding repeated searches) and avoid the
use-after-free by inlining the appropriate removal code.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511141407.f9edcfa6-lkp@intel.com
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/util/maps.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index 779f6230130a..c321d4f4d846 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -931,8 +931,9 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
return err;
} else {
struct map *next = NULL;
+ unsigned int nr_maps = maps__nr_maps(maps);
- if (i + 1 < maps__nr_maps(maps))
+ if (i + 1 < nr_maps)
next = maps_by_address[i + 1];
if (!next || map__start(next) >= map__end(new)) {
@@ -953,7 +954,24 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
check_invariants(maps);
return err;
}
- __maps__remove(maps, pos);
+ /*
+ * pos fully covers the previous mapping so remove
+ * it. The following is an inlined version of
+ * maps__remove that reuses the already computed
+ * indices.
+ */
+ map__put(maps_by_address[i]);
+ memmove(&maps_by_address[i],
+ &maps_by_address[i + 1],
+ (nr_maps - i - 1) * sizeof(*maps_by_address));
+
+ if (maps_by_name) {
+ map__put(maps_by_name[ni]);
+ memmove(&maps_by_name[ni],
+ &maps_by_name[ni + 1],
+ (nr_maps - ni - 1) * sizeof(*maps_by_name));
+ }
+ --RC_CHK_ACCESS(maps)->nr_maps;
check_invariants(maps);
/*
* Maps are ordered but no need to increase `i` as the
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests 2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers @ 2025-11-19 5:05 ` Ian Rogers 2025-11-19 12:33 ` James Clark 2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark 2025-11-20 19:02 ` Namhyung Kim 2 siblings, 1 reply; 5+ messages in thread From: Ian Rogers @ 2025-11-19 5:05 UTC (permalink / raw) To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, James Clark, German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel, kernel test robot Add additional test to the maps covering maps__fixup_overlap_and_insert. Change the test suite to be for more than just 1 test. Signed-off-by: Ian Rogers <irogers@google.com> --- tools/perf/tests/builtin-test.c | 2 +- tools/perf/tests/maps.c | 82 ++++++++++++++++++++++++++++++++- tools/perf/tests/tests.h | 2 +- 3 files changed, 83 insertions(+), 3 deletions(-) diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c index 0d2fb7a4ae5b..9090e8238a44 100644 --- a/tools/perf/tests/builtin-test.c +++ b/tools/perf/tests/builtin-test.c @@ -126,7 +126,7 @@ static struct test_suite *generic_tests[] = { &suite__jit_write_elf, &suite__pfm, &suite__api_io, - &suite__maps__merge_in, + &suite__maps, &suite__demangle_java, &suite__demangle_ocaml, &suite__demangle_rust, diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c index 4f1f9385ea9c..2c05d62f40dc 100644 --- a/tools/perf/tests/maps.c +++ b/tools/perf/tests/maps.c @@ -162,4 +162,84 @@ static int test__maps__merge_in(struct test_suite *t __maybe_unused, int subtest return TEST_OK; } -DEFINE_SUITE("maps__merge_in", maps__merge_in); +static int test__maps__fixup_overlap_and_insert(struct test_suite *t __maybe_unused, + int subtest __maybe_unused) +{ + struct map_def initial_maps[] = { + { "target_map", 1000, 2000 }, + { "next_map", 3000, 4000 }, + }; + struct map_def insert_split = { "split_map", 1400, 1600 }; + struct map_def expected_after_split[] = { + { "target_map", 1000, 1400 }, + { "split_map", 1400, 1600 }, + { "target_map", 1600, 2000 }, + { "next_map", 3000, 4000 }, + }; + + struct map_def insert_eclipse = { "eclipse_map", 2500, 4500 }; + struct map_def expected_final[] = { + { "target_map", 1000, 1400 }, + { "split_map", 1400, 1600 }, + { "target_map", 1600, 2000 }, + { "eclipse_map", 2500, 4500 }, + /* "next_map" (3000-4000) is removed */ + }; + + struct map *map_split, *map_eclipse; + int ret; + unsigned int i; + struct maps *maps = maps__new(NULL); + + TEST_ASSERT_VAL("failed to create maps", maps); + + for (i = 0; i < ARRAY_SIZE(initial_maps); i++) { + struct map *map = dso__new_map(initial_maps[i].name); + + TEST_ASSERT_VAL("failed to create map", map); + map__set_start(map, initial_maps[i].start); + map__set_end(map, initial_maps[i].end); + TEST_ASSERT_VAL("failed to insert map", maps__insert(maps, map) == 0); + map__put(map); + } + + // Check splitting. + map_split = dso__new_map(insert_split.name); + TEST_ASSERT_VAL("failed to create split map", map_split); + map__set_start(map_split, insert_split.start); + map__set_end(map_split, insert_split.end); + + ret = maps__fixup_overlap_and_insert(maps, map_split); + TEST_ASSERT_VAL("failed to fixup and insert split map", !ret); + + map__zput(map_split); + ret = check_maps(expected_after_split, ARRAY_SIZE(expected_after_split), maps); + TEST_ASSERT_VAL("split check failed", !ret); + + // Check cover 1 map with another. + map_eclipse = dso__new_map(insert_eclipse.name); + TEST_ASSERT_VAL("failed to create eclipse map", map_eclipse); + map__set_start(map_eclipse, insert_eclipse.start); + map__set_end(map_eclipse, insert_eclipse.end); + + ret = maps__fixup_overlap_and_insert(maps, map_eclipse); + TEST_ASSERT_VAL("failed to fixup and insert eclipse map", !ret); + + map__zput(map_eclipse); + ret = check_maps(expected_final, ARRAY_SIZE(expected_final), maps); + TEST_ASSERT_VAL("eclipse check failed", !ret); + + maps__zput(maps); + return TEST_OK; +} + +static struct test_case tests__maps[] = { + TEST_CASE("Test merge_in interface", maps__merge_in), + TEST_CASE("Test fix up overlap interface", maps__fixup_overlap_and_insert), + { .name = NULL, } +}; + +struct test_suite suite__maps = { + .desc = "Maps - per process mmaps abstraction", + .test_cases = tests__maps, +}; diff --git a/tools/perf/tests/tests.h b/tools/perf/tests/tests.h index 33de16dde737..f5fba95b6f3f 100644 --- a/tools/perf/tests/tests.h +++ b/tools/perf/tests/tests.h @@ -160,7 +160,7 @@ DECLARE_SUITE(bitmap_print); DECLARE_SUITE(perf_hooks); DECLARE_SUITE(unit_number__scnprint); DECLARE_SUITE(mem2node); -DECLARE_SUITE(maps__merge_in); +DECLARE_SUITE(maps); DECLARE_SUITE(time_utils); DECLARE_SUITE(jit_write_elf); DECLARE_SUITE(api_io); -- 2.52.0.rc1.455.g30608eb744-goog ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests 2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers @ 2025-11-19 12:33 ` James Clark 0 siblings, 0 replies; 5+ messages in thread From: James Clark @ 2025-11-19 12:33 UTC (permalink / raw) To: Ian Rogers Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Alexander Shishkin, Jiri Olsa, Adrian Hunter, German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel, kernel test robot On 19/11/2025 5:05 am, Ian Rogers wrote: > Add additional test to the maps covering > maps__fixup_overlap_and_insert. Change the test suite to be for more > than just 1 test. > > Signed-off-by: Ian Rogers <irogers@google.com> Reviewed-by: James Clark <james.clark@linaro.org> > --- > tools/perf/tests/builtin-test.c | 2 +- > tools/perf/tests/maps.c | 82 ++++++++++++++++++++++++++++++++- > tools/perf/tests/tests.h | 2 +- > 3 files changed, 83 insertions(+), 3 deletions(-) > > diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c > index 0d2fb7a4ae5b..9090e8238a44 100644 > --- a/tools/perf/tests/builtin-test.c > +++ b/tools/perf/tests/builtin-test.c > @@ -126,7 +126,7 @@ static struct test_suite *generic_tests[] = { > &suite__jit_write_elf, > &suite__pfm, > &suite__api_io, > - &suite__maps__merge_in, > + &suite__maps, > &suite__demangle_java, > &suite__demangle_ocaml, > &suite__demangle_rust, > diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c > index 4f1f9385ea9c..2c05d62f40dc 100644 > --- a/tools/perf/tests/maps.c > +++ b/tools/perf/tests/maps.c > @@ -162,4 +162,84 @@ static int test__maps__merge_in(struct test_suite *t __maybe_unused, int subtest > return TEST_OK; > } > > -DEFINE_SUITE("maps__merge_in", maps__merge_in); > +static int test__maps__fixup_overlap_and_insert(struct test_suite *t __maybe_unused, > + int subtest __maybe_unused) > +{ > + struct map_def initial_maps[] = { > + { "target_map", 1000, 2000 }, > + { "next_map", 3000, 4000 }, > + }; > + struct map_def insert_split = { "split_map", 1400, 1600 }; > + struct map_def expected_after_split[] = { > + { "target_map", 1000, 1400 }, > + { "split_map", 1400, 1600 }, > + { "target_map", 1600, 2000 }, > + { "next_map", 3000, 4000 }, > + }; > + > + struct map_def insert_eclipse = { "eclipse_map", 2500, 4500 }; > + struct map_def expected_final[] = { > + { "target_map", 1000, 1400 }, > + { "split_map", 1400, 1600 }, > + { "target_map", 1600, 2000 }, > + { "eclipse_map", 2500, 4500 }, > + /* "next_map" (3000-4000) is removed */ > + }; > + > + struct map *map_split, *map_eclipse; > + int ret; > + unsigned int i; > + struct maps *maps = maps__new(NULL); > + > + TEST_ASSERT_VAL("failed to create maps", maps); > + > + for (i = 0; i < ARRAY_SIZE(initial_maps); i++) { > + struct map *map = dso__new_map(initial_maps[i].name); > + > + TEST_ASSERT_VAL("failed to create map", map); > + map__set_start(map, initial_maps[i].start); > + map__set_end(map, initial_maps[i].end); > + TEST_ASSERT_VAL("failed to insert map", maps__insert(maps, map) == 0); > + map__put(map); > + } > + > + // Check splitting. > + map_split = dso__new_map(insert_split.name); > + TEST_ASSERT_VAL("failed to create split map", map_split); > + map__set_start(map_split, insert_split.start); > + map__set_end(map_split, insert_split.end); > + > + ret = maps__fixup_overlap_and_insert(maps, map_split); > + TEST_ASSERT_VAL("failed to fixup and insert split map", !ret); > + > + map__zput(map_split); > + ret = check_maps(expected_after_split, ARRAY_SIZE(expected_after_split), maps); > + TEST_ASSERT_VAL("split check failed", !ret); > + > + // Check cover 1 map with another. > + map_eclipse = dso__new_map(insert_eclipse.name); > + TEST_ASSERT_VAL("failed to create eclipse map", map_eclipse); > + map__set_start(map_eclipse, insert_eclipse.start); > + map__set_end(map_eclipse, insert_eclipse.end); > + > + ret = maps__fixup_overlap_and_insert(maps, map_eclipse); > + TEST_ASSERT_VAL("failed to fixup and insert eclipse map", !ret); > + > + map__zput(map_eclipse); > + ret = check_maps(expected_final, ARRAY_SIZE(expected_final), maps); > + TEST_ASSERT_VAL("eclipse check failed", !ret); > + > + maps__zput(maps); > + return TEST_OK; > +} > + > +static struct test_case tests__maps[] = { > + TEST_CASE("Test merge_in interface", maps__merge_in), > + TEST_CASE("Test fix up overlap interface", maps__fixup_overlap_and_insert), > + { .name = NULL, } > +}; > + > +struct test_suite suite__maps = { > + .desc = "Maps - per process mmaps abstraction", > + .test_cases = tests__maps, > +}; > diff --git a/tools/perf/tests/tests.h b/tools/perf/tests/tests.h > index 33de16dde737..f5fba95b6f3f 100644 > --- a/tools/perf/tests/tests.h > +++ b/tools/perf/tests/tests.h > @@ -160,7 +160,7 @@ DECLARE_SUITE(bitmap_print); > DECLARE_SUITE(perf_hooks); > DECLARE_SUITE(unit_number__scnprint); > DECLARE_SUITE(mem2node); > -DECLARE_SUITE(maps__merge_in); > +DECLARE_SUITE(maps); > DECLARE_SUITE(time_utils); > DECLARE_SUITE(jit_write_elf); > DECLARE_SUITE(api_io); ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free 2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers 2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers @ 2025-11-19 12:33 ` James Clark 2025-11-20 19:02 ` Namhyung Kim 2 siblings, 0 replies; 5+ messages in thread From: James Clark @ 2025-11-19 12:33 UTC (permalink / raw) To: Ian Rogers Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Alexander Shishkin, Jiri Olsa, Adrian Hunter, German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel, kernel test robot On 19/11/2025 5:05 am, Ian Rogers wrote: > The case of __maps__fixup_overlap_and_insert where the "new" maps > covers existing mappings can create a use-after-free with reference > count checking enabled. The issue is that "pos" holds a map pointer > from maps_by_address that is put from maps_by_address but then used to > look for a map in maps_by_name (the compared map is now a > use-after-free). The issue stems from using maps__remove which redoes > some of the searches already done by __maps__fixup_overlap_and_insert, > so optimize the code (by avoiding repeated searches) and avoid the > use-after-free by inlining the appropriate removal code. > > Reported-by: kernel test robot <oliver.sang@intel.com> > Closes: https://lore.kernel.org/oe-lkp/202511141407.f9edcfa6-lkp@intel.com > Signed-off-by: Ian Rogers <irogers@google.com> Reviewed-by: James Clark <james.clark@linaro.org> > --- > tools/perf/util/maps.c | 22 ++++++++++++++++++++-- > 1 file changed, 20 insertions(+), 2 deletions(-) > > diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c > index 779f6230130a..c321d4f4d846 100644 > --- a/tools/perf/util/maps.c > +++ b/tools/perf/util/maps.c > @@ -931,8 +931,9 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new) > return err; > } else { > struct map *next = NULL; > + unsigned int nr_maps = maps__nr_maps(maps); > > - if (i + 1 < maps__nr_maps(maps)) > + if (i + 1 < nr_maps) > next = maps_by_address[i + 1]; > > if (!next || map__start(next) >= map__end(new)) { > @@ -953,7 +954,24 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new) > check_invariants(maps); > return err; > } > - __maps__remove(maps, pos); > + /* > + * pos fully covers the previous mapping so remove > + * it. The following is an inlined version of > + * maps__remove that reuses the already computed > + * indices. > + */ > + map__put(maps_by_address[i]); > + memmove(&maps_by_address[i], > + &maps_by_address[i + 1], > + (nr_maps - i - 1) * sizeof(*maps_by_address)); > + > + if (maps_by_name) { > + map__put(maps_by_name[ni]); > + memmove(&maps_by_name[ni], > + &maps_by_name[ni + 1], > + (nr_maps - ni - 1) * sizeof(*maps_by_name)); > + } > + --RC_CHK_ACCESS(maps)->nr_maps; > check_invariants(maps); > /* > * Maps are ordered but no need to increase `i` as the ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free 2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers 2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers 2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark @ 2025-11-20 19:02 ` Namhyung Kim 2 siblings, 0 replies; 5+ messages in thread From: Namhyung Kim @ 2025-11-20 19:02 UTC (permalink / raw) To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin, Jiri Olsa, Adrian Hunter, James Clark, German Gomez, Ravi Bangoria, Christophe Leroy, Chun-Tse Shao, linux-perf-users, linux-kernel, kernel test robot, Ian Rogers On Tue, 18 Nov 2025 21:05:54 -0800, Ian Rogers wrote: > The case of __maps__fixup_overlap_and_insert where the "new" maps > covers existing mappings can create a use-after-free with reference > count checking enabled. The issue is that "pos" holds a map pointer > from maps_by_address that is put from maps_by_address but then used to > look for a map in maps_by_name (the compared map is now a > use-after-free). The issue stems from using maps__remove which redoes > some of the searches already done by __maps__fixup_overlap_and_insert, > so optimize the code (by avoiding repeated searches) and avoid the > use-after-free by inlining the appropriate removal code. > > [...] Applied to perf-tools-next, thanks! Best regards, Namhyung ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-11-20 19:02 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-11-19 5:05 [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free Ian Rogers 2025-11-19 5:05 ` [PATCH v1 2/2] perf test maps: Additional maps__fixup_overlap_and_insert tests Ian Rogers 2025-11-19 12:33 ` James Clark 2025-11-19 12:33 ` [PATCH v1 1/2] perf maps: Avoid RC_CHK use after free James Clark 2025-11-20 19:02 ` Namhyung Kim
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).