From: Ian Rogers <irogers@google.com>
To: Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Nick Terrell <terrelln@fb.com>,
Kan Liang <kan.liang@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>, Kajol Jain <kjain@linux.ibm.com>,
Athira Rajeev <atrajeev@linux.vnet.ibm.com>,
Huacai Chen <chenhuacai@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Vincent Whitchurch <vincent.whitchurch@axis.com>,
"Steinar H. Gunderson" <sesse@google.com>,
Liam Howlett <liam.howlett@oracle.com>,
Miguel Ojeda <ojeda@kernel.org>,
Colin Ian King <colin.i.king@gmail.com>,
Dmitrii Dolgov <9erthalion6@gmail.com>,
Yang Jihong <yangjihong1@huawei.com>,
Ming Wang <wangming01@loongson.cn>,
James Clark <james.clark@arm.com>,
K Prateek Nayak <kprateek.nayak@amd.com>,
Sean Christopherson <seanjc@google.com>,
Leo Yan <leo.yan@linaro.org>,
Ravi Bangoria <ravi.bangoria@amd.com>,
German Gomez <german.gomez@arm.com>,
Changbin Du <changbin.du@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>, Li Dong <lidong@vivo.com>,
Sandipan Das <sandipan.das@amd.com>,
liuwenyu <liuwenyu7@huawei.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org
Subject: [PATCH v4 29/53] perf maps: Get map before returning in maps__find
Date: Thu, 2 Nov 2023 10:57:11 -0700 [thread overview]
Message-ID: <20231102175735.2272696-30-irogers@google.com> (raw)
In-Reply-To: <20231102175735.2272696-1-irogers@google.com>
Finding a map is done under a lock; returning the map without taking a
reference count means it can be removed without notice, causing
use-after-free. Grab a reference count on the map within the locked
region and return that. Fix up the locations that need a map__put
following this.
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/arch/x86/tests/dwarf-unwind.c | 1 +
tools/perf/tests/vmlinux-kallsyms.c | 5 ++---
tools/perf/util/bpf-event.c | 1 +
tools/perf/util/event.c | 4 ++--
tools/perf/util/machine.c | 22 ++++++++--------------
tools/perf/util/maps.c | 17 ++++++++++-------
tools/perf/util/symbol.c | 3 ++-
7 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/tools/perf/arch/x86/tests/dwarf-unwind.c b/tools/perf/arch/x86/tests/dwarf-unwind.c
index 5bfec3345d59..c05c0a85dad4 100644
--- a/tools/perf/arch/x86/tests/dwarf-unwind.c
+++ b/tools/perf/arch/x86/tests/dwarf-unwind.c
@@ -34,6 +34,7 @@ static int sample_ustack(struct perf_sample *sample,
}
stack_size = map__end(map) - sp;
+ map__put(map);
stack_size = stack_size > STACK_SIZE ? STACK_SIZE : stack_size;
memcpy(buf, (void *) sp, stack_size);
diff --git a/tools/perf/tests/vmlinux-kallsyms.c b/tools/perf/tests/vmlinux-kallsyms.c
index 822f893e67d5..e808e6fc8f76 100644
--- a/tools/perf/tests/vmlinux-kallsyms.c
+++ b/tools/perf/tests/vmlinux-kallsyms.c
@@ -151,10 +151,8 @@ static int test__vmlinux_matches_kallsyms_cb2(struct map *map, void *data)
u64 mem_end = map__unmap_ip(args->vmlinux_map, map__end(map));
pair = maps__find(args->kallsyms.kmaps, mem_start);
- if (pair == NULL || map__priv(pair))
- return 0;
- if (map__start(pair) == mem_start) {
+ if (pair != NULL && !map__priv(pair) && map__start(pair) == mem_start) {
struct dso *dso = map__dso(map);
if (!args->header_printed) {
@@ -170,6 +168,7 @@ static int test__vmlinux_matches_kallsyms_cb2(struct map *map, void *data)
pr_info(" %s\n", dso->name);
map__set_priv(pair, 1);
}
+ map__put(pair);
return 0;
}
diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
index 830711cae30d..d07fd5ffa823 100644
--- a/tools/perf/util/bpf-event.c
+++ b/tools/perf/util/bpf-event.c
@@ -63,6 +63,7 @@ static int machine__process_bpf_event_load(struct machine *machine,
dso->bpf_prog.id = id;
dso->bpf_prog.sub_id = i;
dso->bpf_prog.env = env;
+ map__put(map);
}
}
return 0;
diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
index 68f45e9e63b6..198903157f9e 100644
--- a/tools/perf/util/event.c
+++ b/tools/perf/util/event.c
@@ -511,7 +511,7 @@ size_t perf_event__fprintf_text_poke(union perf_event *event, struct machine *ma
struct addr_location al;
addr_location__init(&al);
- al.map = map__get(maps__find(machine__kernel_maps(machine), tp->addr));
+ al.map = maps__find(machine__kernel_maps(machine), tp->addr);
if (al.map && map__load(al.map) >= 0) {
al.addr = map__map_ip(al.map, tp->addr);
al.sym = map__find_symbol(al.map, al.addr);
@@ -641,7 +641,7 @@ struct map *thread__find_map(struct thread *thread, u8 cpumode, u64 addr,
return NULL;
}
al->maps = maps__get(maps);
- al->map = map__get(maps__find(maps, al->addr));
+ al->map = maps__find(maps, al->addr);
if (al->map != NULL) {
/*
* Kernel maps might be changed when loading symbols so loading
diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
index ab345604f274..1112a9dbb21a 100644
--- a/tools/perf/util/machine.c
+++ b/tools/perf/util/machine.c
@@ -897,7 +897,6 @@ static int machine__process_ksymbol_register(struct machine *machine,
struct symbol *sym;
struct dso *dso;
struct map *map = maps__find(machine__kernel_maps(machine), event->ksymbol.addr);
- bool put_map = false;
int err = 0;
if (!map) {
@@ -914,12 +913,6 @@ static int machine__process_ksymbol_register(struct machine *machine,
err = -ENOMEM;
goto out;
}
- /*
- * The inserted map has a get on it, we need to put to release
- * the reference count here, but do it after all accesses are
- * done.
- */
- put_map = true;
if (event->ksymbol.ksym_type == PERF_RECORD_KSYMBOL_TYPE_OOL) {
dso->binary_type = DSO_BINARY_TYPE__OOL;
dso->data.file_size = event->ksymbol.len;
@@ -953,8 +946,7 @@ static int machine__process_ksymbol_register(struct machine *machine,
}
dso__insert_symbol(dso, sym);
out:
- if (put_map)
- map__put(map);
+ map__put(map);
return err;
}
@@ -978,7 +970,7 @@ static int machine__process_ksymbol_unregister(struct machine *machine,
if (sym)
dso__delete_symbol(dso, sym);
}
-
+ map__put(map);
return 0;
}
@@ -1006,11 +998,11 @@ int machine__process_text_poke(struct machine *machine, union perf_event *event,
perf_event__fprintf_text_poke(event, machine, stdout);
if (!event->text_poke.new_len)
- return 0;
+ goto out;
if (cpumode != PERF_RECORD_MISC_KERNEL) {
pr_debug("%s: unsupported cpumode - ignoring\n", __func__);
- return 0;
+ goto out;
}
if (dso) {
@@ -1033,7 +1025,8 @@ int machine__process_text_poke(struct machine *machine, union perf_event *event,
pr_debug("Failed to find kernel text poke address map for %#" PRI_lx64 "\n",
event->text_poke.addr);
}
-
+out:
+ map__put(map);
return 0;
}
@@ -1301,9 +1294,10 @@ static int machine__map_x86_64_entry_trampolines_cb(struct map *map, void *data)
return 0;
dest_map = maps__find(args->kmaps, map__pgoff(map));
- if (dest_map != map)
+ if (RC_CHK_ACCESS(dest_map) != RC_CHK_ACCESS(map))
map__set_pgoff(map, map__map_ip(dest_map, map__pgoff(map)));
+ map__put(dest_map);
args->found = true;
return 0;
}
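Review bot: `dest_map` is used without a NULL check in machine__map_x86_64_entry_trampolines_cb. `maps__find()` can return NULL when no map covers the address (other callers in this patch test for that), yet the result goes straight into `RC_CHK_ACCESS(dest_map)` and, on the mismatch branch, into `map__map_ip(dest_map, ...)`. The branch already passed a possibly-NULL map to `map__map_ip` before this change; the new comparison may add a second dereference, depending on how `RC_CHK_ACCESS` expands (its definition is not in this hunk). Guard it with `if (dest_map && RC_CHK_ACCESS(dest_map) != RC_CHK_ACCESS(map))`, and decide whether `args->found = true;` should still run when the lookup fails. The function's start is outside the hunk.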
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index 06fdd8a7c2a2..28facfdac1d7 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -487,15 +487,18 @@ void maps__remove_maps(struct maps *maps, bool (*cb)(struct map *map, void *data
struct symbol *maps__find_symbol(struct maps *maps, u64 addr, struct map **mapp)
{
struct map *map = maps__find(maps, addr);
+ struct symbol *result = NULL;
/* Ensure map is loaded before using map->map_ip */
if (map != NULL && map__load(map) >= 0) {
- if (mapp != NULL)
- *mapp = map; // TODO: map_put on else path when find returns a get.
- return map__find_symbol(map, map__map_ip(map, addr));
- }
+ if (mapp)
+ *mapp = map;
- return NULL;
+ result = map__find_symbol(map, map__map_ip(map, addr));
+ if (!mapp)
+ map__put(map);
+ }
+ return result;
}
struct maps__find_symbol_by_name_args {
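Review bot: The reference returned by `maps__find()` leaks in maps__find_symbol when `map` is non-NULL but `map__load(map)` fails, because the only `map__put(map)` sits inside the success branch. The TODO that this hunk deletes asked for exactly that else-path put. Closing the block with `} else {` / `map__put(map);` / `}` covers it, relying on `map__put()` accepting NULL as the `out:` labels elsewhere in this patch already appear to. A comment above the function should also state that a non-NULL `mapp` receives an owned reference the caller must `map__put()`, and that `*mapp` is written only when the map was found and loaded.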
@@ -539,7 +542,7 @@ int maps__find_ams(struct maps *maps, struct addr_map_symbol *ams)
if (ams->addr < map__start(ams->ms.map) || ams->addr >= map__end(ams->ms.map)) {
if (maps == NULL)
return -1;
- ams->ms.map = maps__find(maps, ams->addr); // TODO: map_get
+ ams->ms.map = maps__find(maps, ams->addr);
if (ams->ms.map == NULL)
return -1;
}
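Review bot: In maps__find_ams the assignment `ams->ms.map = maps__find(maps, ams->addr);` now stores an owned reference over the previous `ams->ms.map` without releasing it. The range check on the line above dereferences the old value, so it is non-NULL at this point. If that field already held a counted reference (not visible in this hunk) it is leaked; if it was borrowed, the field now mixes borrowed and owned pointers. Consider `map__put(ams->ms.map);` before the assignment, or a comment stating who owns `ams->ms.map` on entry and on return. The function's start is outside the hunk.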
@@ -848,7 +851,7 @@ struct map *maps__find(struct maps *maps, u64 ip)
sizeof(*mapp), map__addr_cmp);
if (mapp)
- result = *mapp; // map__get(*mapp);
+ result = map__get(*mapp);
done = true;
}
up_read(maps__lock(maps));
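Review bot: maps__find now hands back a counted reference (`result = map__get(*mapp);`), but nothing at the definition says so, and each caller in this patch had to be adjusted by hand. A comment above the function, which starts outside this hunk, would make the contract explicit: `/* Returns the map containing ip with its reference count raised, or NULL; the caller must map__put() it. */`. The comment could also say that the get must stay before `up_read(maps__lock(maps))`, since taking the reference inside the locked region is what closes the use-after-free window described in the commit message.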
diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index 30da8a405d11..ad4819a24320 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -757,7 +757,6 @@ static int dso__load_all_kallsyms(struct dso *dso, const char *filename)
static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
{
- struct map *curr_map;
struct symbol *pos;
int count = 0;
struct rb_root_cached old_root = dso->symbols;
@@ -770,6 +769,7 @@ static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
*root = RB_ROOT_CACHED;
while (next) {
+ struct map *curr_map;
struct dso *curr_map_dso;
char *module;
@@ -796,6 +796,7 @@ static int maps__split_kallsyms_for_kcore(struct maps *kmaps, struct dso *dso)
pos->end -= map__start(curr_map) - map__pgoff(curr_map);
symbols__insert(&curr_map_dso->symbols, pos);
++count;
+ map__put(curr_map);
}
/* Symbols have been adjusted */
--
2.42.0.869.gea05f2083d-goog