1. 19 Jun, 2021 4 commits
    • perf machine: Fix refcount usage when processing PERF_RECORD_KSYMBOL · c087e948
      Riccardo Mancini authored
      ASan reported a memory leak of BPF-related ksymbols map and dso. The
      leak is caused by refcount never reaching 0, due to missing __put calls
      in the function machine__process_ksymbol_register.
      
      Once the dso is inserted in the map, dso__put() should be called
      (map__new2() increases the refcount to 2).
      
      The same thing applies for the map when it's inserted into maps
      (maps__insert() increases the refcount to 2).
      
        $ sudo ./perf record -- sleep 5
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.025 MB perf.data (8 samples) ]
      
        =================================================================
        ==297735==ERROR: LeakSanitizer: detected memory leaks
      
        Direct leak of 6992 byte(s) in 19 object(s) allocated from:
            #0 0x4f43c7 in calloc (/home/user/linux/tools/perf/perf+0x4f43c7)
            #1 0x8e4e53 in map__new2 /home/user/linux/tools/perf/util/map.c:216:20
            #2 0x8cf68c in machine__process_ksymbol_register /home/user/linux/tools/perf/util/machine.c:778:10
            [...]
      
        Indirect leak of 8702 byte(s) in 19 object(s) allocated from:
            #0 0x4f43c7 in calloc (/home/user/linux/tools/perf/perf+0x4f43c7)
            #1 0x8728d7 in dso__new_id /home/user/linux/tools/perf/util/dso.c:1256:20
            #2 0x872015 in dso__new /home/user/linux/tools/perf/util/dso.c:1295:9
            #3 0x8cf623 in machine__process_ksymbol_register /home/user/linux/tools/perf/util/machine.c:774:21
            [...]
      
        Indirect leak of 1520 byte(s) in 19 object(s) allocated from:
            #0 0x4f43c7 in calloc (/home/user/linux/tools/perf/perf+0x4f43c7)
            #1 0x87b3da in symbol__new /home/user/linux/tools/perf/util/symbol.c:269:23
            #2 0x888954 in map__process_kallsym_symbol /home/user/linux/tools/perf/util/symbol.c:710:8
            [...]
      
        Indirect leak of 1406 byte(s) in 19 object(s) allocated from:
            #0 0x4f43c7 in calloc (/home/user/linux/tools/perf/perf+0x4f43c7)
            #1 0x87b3da in symbol__new /home/user/linux/tools/perf/util/symbol.c:269:23
            #2 0x8cfbd8 in machine__process_ksymbol_register /home/user/linux/tools/perf/util/machine.c:803:8
            [...]
      Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Ian Rogers <irogers@google.com>
      Cc: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Tommi Rantala <tommi.t.rantala@nokia.com>
      Link: http://lore.kernel.org/lkml/20210612173751.188582-1-rickyman7@gmail.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    • perf metricgroup: Return error code from metricgroup__add_metric_sys_event_iter() · fe7a98b9
      John Garry authored
      The error code is not set at all in the sys event iter function.
      
      This may lead to an uninitialized value of "ret" in
      metricgroup__add_metric() when no CPU metric is added.
      
      Fix by properly setting the error code.
      
      It is not necessary to init "ret" to 0 in metricgroup__add_metric(), as
      if we have no CPU or sys event metric matching, then "has_match" should
      be 0 and "ret" is set to -EINVAL.
      
      However gcc cannot detect that it may not have been set after the
      map_for_each_metric() loop for CPU metrics, which is strange.
      
      Fixes: be335ec2 ("perf metricgroup: Support adding metrics for system PMUs")
      Signed-off-by: John Garry <john.garry@huawei.com>
      Acked-by: Ian Rogers <irogers@google.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kajol Jain <kjain@linux.ibm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lore.kernel.org/lkml/1623335580-187317-3-git-send-email-john.garry@huawei.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    • perf metricgroup: Fix find_evsel_group() event selector · fc96ec4d
      John Garry authored
      The following command segfaults on my x86 broadwell:
      
        $ ./perf stat  -M frontend_bound,retiring,backend_bound,bad_speculation sleep 1
        WARNING: grouped events cpus do not match, disabling group:
          anon group { raw 0x10e }
          anon group { raw 0x10e }
        perf: util/evsel.c:1596: get_group_fd: Assertion `!(!leader->core.fd)' failed.
        Aborted (core dumped)
      
      The issue shows itself as a use-after-free in evlist__check_cpu_maps(),
      whereby the leader of an event selector (evsel) has been deleted (yet we
      still attempt to verify for an evsel).
      
      Fundamentally the problem comes from metricgroup__setup_events() ->
      find_evsel_group(), and has developed from the previous fix attempt in
      commit 9c880c24 ("perf metricgroup: Fix for metrics containing
      duration_time").
      
      The problem now is that the logic in checking if an evsel is in the same
      group is subtly broken for the "cycles" event. For the "cycles" event,
      the pmu_name is NULL; however the logic in find_evsel_group() may set an
      event matched against "cycles" as used, when it should not be.
      
      This leads to a condition where an evsel is set, yet its leader is not.
      
      Fix the check for evsel pmu_name by not matching evsels when either has a
      NULL pmu_name.
      
      There is still a pre-existing metric issue whereby the ordering of the
      metrics may break the 'stat' function, as discussed at:
      https://lore.kernel.org/lkml/49c6fccb-b716-1bf0-18a6-cace1cdb66b9@huawei.com/
      
      Fixes: 9c880c24 ("perf metricgroup: Fix for metrics containing duration_time")
      Signed-off-by: John Garry <john.garry@huawei.com>
      Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> # On a Thinkpad T450S
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Ian Rogers <irogers@google.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kajol Jain <kjain@linux.ibm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lore.kernel.org/lkml/1623335580-187317-2-git-send-email-john.garry@huawei.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    • Merge tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9ed13a17
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc7, including fixes from wireless, bpf,
        bluetooth, netfilter and can.
      
        Current release - regressions:
      
         - mlxsw: spectrum_qdisc: Pass handle, not band number to find_class()
           to fix modifying offloaded qdiscs
      
         - lantiq: net: fix duplicated skb in rx descriptor ring
      
         - rtnetlink: fix regression in bridge VLAN configuration, empty info
           is not an error, bot-generated "fix" was not needed
      
         - libbpf: s/rx/tx/ typo on umem->rx_ring_setup_done to fix umem
           creation
      
        Current release - new code bugs:
      
         - ethtool: fix NULL pointer dereference during module EEPROM dump via
           the new netlink API
      
         - mlx5e: don't update netdev RQs with PTP-RQ, the special purpose
           queue should not be visible to the stack
      
         - mlx5e: select special PTP queue only for SKBTX_HW_TSTAMP skbs
      
         - mlx5e: verify dev is present in get devlink port ndo, avoid a panic
      
        Previous releases - regressions:
      
         - neighbour: allow NUD_NOARP entries to be force GCed
      
         - further fixes for fallout from reorg of WiFi locking (staging:
           rtl8723bs, mac80211, cfg80211)
      
         - skbuff: fix incorrect msg_zerocopy copy notifications
      
         - mac80211: fix NULL ptr deref for injected rate info
      
         - Revert "net/mlx5: Arm only EQs with EQEs" it may cause missed IRQs
      
        Previous releases - always broken:
      
         - bpf: more speculative execution fixes
      
         - netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
      
         - udp: fix race between close() and udp_abort() resulting in a panic
      
         - fix out of bounds when parsing TCP options before packets are
           validated (in netfilter: synproxy, tc: sch_cake and mptcp)
      
         - mptcp: improve operation under memory pressure, add missing
           wake-ups
      
         - mptcp: fix double-lock/soft lookup in subflow_error_report()
      
         - bridge: fix races (null pointer deref and UAF) in vlan tunnel
           egress
      
         - ena: fix DMA mapping function issues in XDP
      
         - rds: fix memory leak in rds_recvmsg
      
        Misc:
      
         - vrf: allow larger MTUs
      
         - icmp: don't send out ICMP messages with a source address of 0.0.0.0
      
         - cdc_ncm: switch to eth%d interface naming"
      
      * tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (139 commits)
        net: ethernet: fix potential use-after-free in ec_bhf_remove
        selftests/net: Add icmp.sh for testing ICMP dummy address responses
        icmp: don't send out ICMP messages with a source address of 0.0.0.0
        net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
        net: ll_temac: Fix TX BD buffer overwrite
        net: ll_temac: Add memory-barriers for TX BD access
        net: ll_temac: Make sure to free skb when it is completely used
        MAINTAINERS: add Guvenc as SMC maintainer
        bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
        bnxt_en: Fix TQM fastpath ring backing store computation
        bnxt_en: Rediscover PHY capabilities after firmware reset
        cxgb4: fix wrong shift.
        mac80211: handle various extensible elements correctly
        mac80211: reset profile_periodicity/ema_ap
        cfg80211: avoid double free of PMSR request
        cfg80211: make certificate generation more robust
        mac80211: minstrel_ht: fix sample time check
        net: qed: Fix memcpy() overflow of qed_dcbx_params()
        net: cdc_eem: fix tx fixup skb leak
        net: hamradio: fix memory leak in mkiss_close
        ...
  2. 18 Jun, 2021 36 commits