[BUG] perf: double free in perf test 21 (code-reading.c)

[BUG] perf: double free in perf test 21 (code-reading.c)

[Jiri Olsa]

hi,
the alternative setup (when perf_evlist__open fails) calls
perf_evlist__delete which releases cpu_maps. And that is
not expected byt the test so it segfaults.

Using perf_event_max_sample_rate setup to hit the alternative setup.

thanks,
jirka

[root@krava perf]# echo 1000 > /proc/sys/kernel/perf_event_max_sample_rate
[root@krava perf]# ./perf test 21
21: Test object code reading                               :Segmentation fault
[root@krava perf]# gdb ./perf
GNU gdb (GDB) Fedora (7.3.1-47.fc15)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/jolsa/linux-perf/tools/perf/perf...done.
(gdb) r test 21
Starting program: /home/jolsa/linux-perf/tools/perf/perf test 21
[Thread debugging using libthread_db enabled]
21: Test object code reading                               :
Program received signal SIGSEGV, Segmentation fault.
0x080907db in __perf_evlist__munmap (idx=14700, evlist=<optimized out>) at util/evlist.c:583
583                     evlist->mmap[idx].base = NULL;
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-3.fc15.i686 elfutils-libelf-0.152-1.fc15.i686 elfutils-libs-0.152-1.fc15.i686 glibc-2.14.1-6.i686 libgcc-4.6.3-2.fc15.i686 libunwind-0.99-0.16.20090430betagit4b8404d1.fc15.i686 python-libs-2.7.1-7.fc15.i686 slang-2.2.3-2.fc15.i686 xz-libs-5.0.3-1.fc15.i686 zlib-1.2.5-6.fc15.i686
(gdb) bt
#0  0x080907db in __perf_evlist__munmap (idx=14700, evlist=<optimized out>) at util/evlist.c:583
#1  perf_evlist__munmap (evlist=0x82e7c18) at util/evlist.c:595
#2  perf_evlist__delete (evlist=0x82e7c18) at util/evlist.c:110
#3  0x080f3909 in do_test_code_reading (try_kcore=false) at tests/code-reading.c:543
#4  0x080f3d46 in test__code_reading () at tests/code-reading.c:559
#5  0x08087232 in __cmd_test (skiplist=0x0, argv=0xbffff5f8, argc=1) at tests/builtin-test.c:187
#6  cmd_test (argc=1, argv=0xbffff5f8, prefix=0x0) at tests/builtin-test.c:252
#7  0x0805c8de in run_builtin (p=0x821bf10, argc=2, argv=0xbffff5f8) at perf.c:319
#8  0x0805c127 in handle_internal_command (argv=0xbffff5f8, argc=2) at perf.c:376
#9  run_argv (argv=0xbffff498, argcp=0xbffff49c) at perf.c:420
#10 main (argc=2, argv=0xbffff5f8) at perf.c:529
(gdb) 

[PATCH] perf tools: Fix double free in perf test 21 (code-reading.c)

[Adrian Hunter]

perf_evlist__delete() deletes attached cpu and thread maps
but the test is still using them, so remove them from the
evlist before deleting it.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---
 tools/perf/tests/code-reading.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c
index 653a8fe..bfb1869 100644
--- a/tools/perf/tests/code-reading.c
+++ b/tools/perf/tests/code-reading.c
@@ -504,6 +504,7 @@ static int do_test_code_reading(bool try_kcore)
 		if (ret < 0) {
 			if (!excl_kernel) {
 				excl_kernel = true;
+				perf_evlist__set_maps(evlist, NULL, NULL);
 				perf_evlist__delete(evlist);
 				evlist = NULL;
 				continue;
-- 
1.8.3.2

Re: [PATCH] perf tools: Fix double free in perf test 21 (code-reading.c)

[Jiri Olsa]

On Thu, Apr 10, 2014 at 12:02:54PM +0300, Adrian Hunter wrote:
> perf_evlist__delete() deletes attached cpu and thread maps
> but the test is still using them, so remove them from the
> evlist before deleting it.
> 
> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
> ---
>  tools/perf/tests/code-reading.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c
> index 653a8fe..bfb1869 100644
> --- a/tools/perf/tests/code-reading.c
> +++ b/tools/perf/tests/code-reading.c
> @@ -504,6 +504,7 @@ static int do_test_code_reading(bool try_kcore)
>  		if (ret < 0) {
>  			if (!excl_kernel) {
>  				excl_kernel = true;
> +				perf_evlist__set_maps(evlist, NULL, NULL);
>  				perf_evlist__delete(evlist);
>  				evlist = NULL;
>  				continue;
> -- 
> 1.8.3.2
> 
> 

Acked-by: Jiri Olsa <jolsa@redhat.com>

thanks,
jirka

[tip:perf/urgent] perf tools: Fix double free in perf test 21 ( code-reading.c)

[tip-bot for Adrian Hunter]

Commit-ID:  ae450a7d054cd1fe8d003a085858ca5b90cc74d9
Gitweb:     http://git.kernel.org/tip/ae450a7d054cd1fe8d003a085858ca5b90cc74d9
Author:     Adrian Hunter <adrian.hunter@intel.com>
AuthorDate: Thu, 10 Apr 2014 12:02:54 +0300
Committer:  Jiri Olsa <jolsa@redhat.com>
CommitDate: Tue, 15 Apr 2014 13:57:14 +0200

perf tools: Fix double free in perf test 21 (code-reading.c)

perf_evlist__delete() deletes attached cpu and thread maps
but the test is still using them, so remove them from the
evlist before deleting it.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Link: http://lkml.kernel.org/r/53465E3E.8070201@intel.com
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
---
 tools/perf/tests/code-reading.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c
index 653a8fe..bfb1869 100644
--- a/tools/perf/tests/code-reading.c
+++ b/tools/perf/tests/code-reading.c
@@ -504,6 +504,7 @@ static int do_test_code_reading(bool try_kcore)
 		if (ret < 0) {
 			if (!excl_kernel) {
 				excl_kernel = true;
+				perf_evlist__set_maps(evlist, NULL, NULL);
 				perf_evlist__delete(evlist);
 				evlist = NULL;
 				continue;