Re: [PATCH] perf: Fix crash due to null pointer dereference when iterating cpu map

From: He Zhe
Date: Sun Mar 08 2020 - 06:24:22 EST




On 3/6/20 4:30 PM, Jiri Olsa wrote:
> On Fri, Mar 06, 2020 at 03:20:55PM +0800, He Zhe wrote:
>>
>> On 3/6/20 3:58 AM, Arnaldo Carvalho de Melo wrote:
>>> Em Thu, Mar 05, 2020 at 10:32:06AM -0800, Andi Kleen escreveu:
>>>> On Thu, Mar 05, 2020 at 12:27:55PM -0300, Arnaldo Carvalho de Melo wrote:
>>>>> Em Thu, Mar 05, 2020 at 06:47:19PM +0800, zhe.he@xxxxxxxxxxxxx escreveu:
>>>>>> From: He Zhe <zhe.he@xxxxxxxxxxxxx>
>>>>>>
>>>>>> NULL pointer may be passed to perf_cpu_map__cpu and then cause the
>>>>>> following crash.
>>>>>>
>>>>>> perf ftrace -G start_kernel ls
>>>>>> failed to set tracing filters
>>>>>> [ 208.710716] perf[341]: segfault at 4 ip 00000000567c7c98
>>>>>> sp 00000000ff937ae0 error 4 in perf[56630000+1b2000]
>>>>>> [ 208.724778] Code: fc ff ff e8 aa 9b 01 00 8d b4 26 00 00 00 00 8d
>>>>>> 76 00 55 89 e5 83 ec 18 65 8b 0d 14 00 00 00 89
>>>>>> 4d f4 31 c9 8b 45 08 8b9
>>>>>> Segmentation fault
>>>>> I'm not being able to repro this here, what is the tree you are using?
>>>> I believe that's the same bug that Jann Horn reported recently for perf trace.
>>>> I thought the patch for that went in.
>>> Ok, Zhe, that patch is at the end of this message, and it is in:
>>>
>>> [acme@five perf]$ git tag --contains cb71f7d43ece3d5a4f400f510c61b2ec7c9ce9a1 | grep ^v
>>> v5.6-rc1
>>> v5.6-rc2
>>> v5.6-rc3
>>> v5.6-rc4
>>> [acme@five perf]$
>>>
>>> Can you try with that?
>> Thanks, that does fix the issue I met.
>>
>> BTW, my change in perf_cpu_map__cpu can be used as a preventive check
>> and the "1" in perf_cpu_map__cpu should be "0", and assigning a NULL in
> I agree, can't see why we had 1 in here.. must be connected to the dummy
> map.. could you please double check with all the perf_cpu_map__nr usages
> that the 0 will work as expected?

I just checked the callers of perf_cpu_map__nr. They really depend on it
returning 1 as the only one cpu at least. And the same trick is played in
perf_thread_map__nr. So perf_cpu_map__nr should remain unchanged.

I'll send v2 for the rest of the hunks.

Thanks,
Zhe

>
>> perf_evlist__exit makes the clearing complete. So are they worth a new patch?
> the rest of the hunks looks good as preventive checks
>
> thanks,
> jirka
>
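As an added illustration of the point settled above (not code from this thread, from He Zhe, or from libperf itself), the following stand-alone C sketch models the convention the reply describes: the count accessor keeps returning 1 for a NULL ("dummy") map because callers depend on it, while the per-index lookup gets the preventive NULL check so that walking the dummy map yields the "no CPU" value instead of a segfault. The struct and function names (`cpu_map`, `cpu_map__nr`, `cpu_map__cpu`, `cpu_map__walk`) and the use of -1 as the "no such CPU" sentinel are assumptions made for this example, not the project's own identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a CPU map: a count and a flexible array of CPU ids.
 * Assumption for this example only; not libperf's struct perf_cpu_map. */
struct cpu_map {
	int nr;
	int map[];
};

/* Build a map from a caller-supplied list of CPU ids. */
struct cpu_map *cpu_map__new(const int *cpus, int nr)
{
	struct cpu_map *m = malloc(sizeof(*m) + sizeof(int) * (size_t)nr);

	if (!m)
		return NULL;
	m->nr = nr;
	memcpy(m->map, cpus, sizeof(int) * (size_t)nr);
	return m;
}

/* NULL means "the dummy map": report exactly one entry. This mirrors the
 * convention the thread says callers of perf_cpu_map__nr depend on, so it
 * deliberately stays 1 rather than 0. */
int cpu_map__nr(const struct cpu_map *m)
{
	return m ? m->nr : 1;
}

/* Unguarded lookup: dereferences m before checking it, so a NULL map crashes
 * here even though cpu_map__nr(NULL) invited the caller to index entry 0.
 * Kept only to show the shape of the bug; never called with NULL below. */
int cpu_map__cpu_unguarded(const struct cpu_map *m, int idx)
{
	if (idx < m->nr)
		return m->map[idx];
	return -1;
}

/* Guarded lookup: the NULL check is the "preventive check" agreed on in the
 * thread; -1 is the assumed "no such CPU" value the dummy map hands back. */
int cpu_map__cpu(const struct cpu_map *m, int idx)
{
	if (m && idx >= 0 && idx < m->nr)
		return m->map[idx];
	return -1;
}

/* Walk a map the way a caller would (nr entries, cpu per index), summing the
 * ids into *sum so the result can be checked; returns the entries visited. */
int cpu_map__walk(const struct cpu_map *m, int *sum)
{
	int n = cpu_map__nr(m);

	*sum = 0;
	for (int i = 0; i < n; i++)
		*sum += cpu_map__cpu(m, i);
	return n;
}

int main(void)
{
	int cpus[] = { 0, 2, 5 };          /* constructed sample map */
	struct cpu_map *m = cpu_map__new(cpus, 3);
	int sum;

	if (!m)
		return 1;
	printf("real map: nr=%d sum=%d\n", cpu_map__walk(m, &sum), sum);
	/* The dummy map walks one entry and sees -1 instead of crashing. */
	printf("dummy map: nr=%d sum=%d\n", cpu_map__walk(NULL, &sum), sum);
	free(m);
	return 0;
}
```

The walk over NULL is the case that mattered in the report: with nr staying 1, the loop body runs once, and only the guarded accessor keeps that single iteration from dereferencing the dummy map.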