linux/tools/perf/util/mem2node.c
Ian Rogers 266150c94c perf mem2node: Avoid double free related to realloc
Realloc of size zero is a free not an error, avoid this causing a double
free. Caught by clang's address sanitizer:

==2634==ERROR: AddressSanitizer: attempting double-free on 0x6020000015f0 in thread T0:
    #0 0x5649659297fd in free llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x5649659e9251 in __zfree tools/lib/zalloc.c:13:2
    #2 0x564965c0f92c in mem2node__exit tools/perf/util/mem2node.c:114:2
    #3 0x564965a08b4c in perf_c2c__report tools/perf/builtin-c2c.c:2867:2
    #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #8 0x564965942e41 in main tools/perf/perf.c:538:3

0x6020000015f0 is located 0 bytes inside of 1-byte region [0x6020000015f0,0x6020000015f1)
freed by thread T0 here:
    #0 0x564965929da3 in realloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x564965c0f55e in mem2node__init tools/perf/util/mem2node.c:97:16
    #2 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
    #3 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #4 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #5 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #6 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #7 0x564965942e41 in main tools/perf/perf.c:538:3

previously allocated by thread T0 here:
    #0 0x564965929c42 in calloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x5649659e9220 in zalloc tools/lib/zalloc.c:8:9
    #2 0x564965c0f32d in mem2node__init tools/perf/util/mem2node.c:61:12
    #3 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
    #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #8 0x564965942e41 in main tools/perf/perf.c:538:3

v2: add a WARN_ON_ONCE when the free condition arises.

Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: clang-built-linux@googlegroups.com
Link: http://lore.kernel.org/lkml/20200320182347.87675-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2020-05-05 16:35:30 -03:00


#include <errno.h>
#include <inttypes.h>
#include <asm/bug.h>
#include <linux/bitmap.h>
#include <linux/kernel.h>
#include <linux/zalloc.h>
#include "debug.h"
#include "env.h"
#include "mem2node.h"
/*
 * One contiguous range of physical memory attributed to a single memory
 * node.  Entries live in the array owned by struct mem2node and are linked
 * into its rb tree through the embedded rb_node.
 */
struct phys_entry {
	/* Tree linkage; keyed on 'start' by phys_entry__insert(). */
	struct rb_node rb_node;
	/* First address covered by this range. */
	u64 start;
	/* One past the last covered address: lookups treat addr >= end as outside. */
	u64 end;
	/* Node id copied from the memory_node this range was built from. */
	u64 node;
};
/*
 * Link @entry into the red-black tree at @root, ordered by start address.
 *
 * The descent compares entry->start with the start of every visited node:
 * a strictly smaller start goes left, anything else (an equal start
 * included) goes right.  The entry is then linked at the empty slot that
 * was reached and handed to rb_insert_color().
 */
static void phys_entry__insert(struct phys_entry *entry, struct rb_root *root)
{
	struct rb_node **link = &root->rb_node;
	struct rb_node *parent = NULL;

	while (*link) {
		struct phys_entry *cur;

		parent = *link;
		cur = rb_entry(parent, struct phys_entry, rb_node);
		link = (entry->start < cur->start) ? &parent->rb_left
						   : &parent->rb_right;
	}

	rb_link_node(&entry->rb_node, parent, link);
	rb_insert_color(&entry->rb_node, root);
}
/*
 * Fill @entry so that it describes the range [start, start + bsize) owned
 * by @node, and clear its rb_node so it is not linked into any tree yet.
 */
static void
phys_entry__init(struct phys_entry *entry, u64 start, u64 bsize, u64 node)
{
	RB_CLEAR_NODE(&entry->rb_node);

	entry->node = node;
	entry->start = start;
	entry->end = entry->start + bsize;
}
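/*
 * Build the address -> memory node lookup structure in @map from the
 * memory node bitmaps found in @env.
 *
 * Every set bit in a node's bitmap stands for one block of env->memory_bsize
 * bytes starting at bit * bsize.  Adjacent blocks of the same node are merged
 * into one phys_entry; the resulting entries are stored in a single array
 * (map->entries) and linked into map->root.
 *
 * Returns 0 on success and -ENOMEM when the entries array cannot be
 * allocated.  With no set bits at all, map->entries is left NULL and the
 * tree is empty, so every lookup returns -1.
 */
int mem2node__init(struct mem2node *map, struct perf_env *env)
{
	struct memory_node *n, *nodes = &env->memory_nodes[0];
	struct phys_entry *entries, *tmp_entries;
	u64 bsize = env->memory_bsize;
	int i, j = 0, max = 0;

	memset(map, 0x0, sizeof(*map));
	map->root = RB_ROOT;

	/* Upper bound on the number of entries: one per set bit, before merging. */
	for (i = 0; i < env->nr_memory_nodes; i++) {
		n = &nodes[i];
		max += bitmap_weight(n->set, n->size);
	}

	/*
	 * NOTE(review): max is an int and the size below is not checked for
	 * overflow; confirm that whoever fills in env bounds the bitmap sizes.
	 */
	entries = zalloc(sizeof(*entries) * max);
	if (!entries)
		return -ENOMEM;

	for (i = 0; i < env->nr_memory_nodes; i++) {
		u64 bit;

		n = &nodes[i];

		for (bit = 0; bit < n->size; bit++) {
			u64 start;

			if (!test_bit(bit, n->set))
				continue;

			start = bit * bsize;

			/*
			 * Merge nearby areas, we walk in order
			 * through the bitmap, so no need to sort.
			 */
			if (j > 0) {
				struct phys_entry *prev = &entries[j - 1];

				if ((prev->end == start) &&
				    (prev->node == n->node)) {
					prev->end += bsize;
					continue;
				}
			}

			phys_entry__init(&entries[j++], start, bsize, n->node);
		}
	}

	/*
	 * Cut unused entries, due to merging.
	 *
	 * realloc() is never called with a size of zero: whether that frees
	 * the block, and what it returns, differs between C libraries, and
	 * treating a NULL return as "allocation failed, keep the old pointer"
	 * is what left a freed pointer in map->entries and led to a double
	 * free in mem2node__exit().  The empty case is released explicitly
	 * instead, and still warns once.
	 */
	if (WARN_ON_ONCE(j == 0)) {
		free(entries);
		entries = NULL;
	} else {
		tmp_entries = realloc(entries, sizeof(*entries) * j);
		/* A failed shrink leaves the original, larger array valid. */
		if (tmp_entries)
			entries = tmp_entries;
	}

	/*
	 * Link the nodes only now: the rb_nodes are embedded in the array,
	 * and realloc() above may have moved it.
	 */
	for (i = 0; i < j; i++) {
		pr_debug("mem2node %03" PRIu64 " [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
			 entries[i].node, entries[i].start, entries[i].end);

		phys_entry__insert(&entries[i], &map->root);
	}

	map->entries = entries;
	return 0;
}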
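/*
 * Release the entries array owned by @map.
 *
 * The rb tree nodes are embedded in that array, so the tree root is reset
 * together with it.  Otherwise map->root would keep pointing into freed
 * memory, and a mem2node__node() call after exit would walk it.  zfree()
 * also clears map->entries, which makes a repeated exit harmless.
 */
void mem2node__exit(struct mem2node *map)
{
	zfree(&map->entries);
	map->root = RB_ROOT;
}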
/*
 * Look up the memory node that owns physical address @addr.
 *
 * Walks the rb tree in @map: go left when @addr is below an entry's start,
 * right when it is at or beyond the entry's end, and stop on the entry
 * whose [start, end) range contains it.
 *
 * Returns the entry's node id, cast from u64 to int, or -1 when no entry
 * covers @addr (which includes an empty tree).
 */
int mem2node__node(struct mem2node *map, u64 addr)
{
	struct rb_node *cur = map->root.rb_node;

	while (cur) {
		struct phys_entry *entry;

		entry = rb_entry(cur, struct phys_entry, rb_node);

		if (addr < entry->start)
			cur = cur->rb_left;
		else if (addr >= entry->end)
			cur = cur->rb_right;
		else
			return (int) entry->node;
	}

	return -1;
}