A realloc() of size zero is a free, not an error; avoid this causing a double
free. Caught by clang's address sanitizer:
==2634==ERROR: AddressSanitizer: attempting double-free on 0x6020000015f0 in thread T0:
    #0 0x5649659297fd in free llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x5649659e9251 in __zfree tools/lib/zalloc.c:13:2
    #2 0x564965c0f92c in mem2node__exit tools/perf/util/mem2node.c:114:2
    #3 0x564965a08b4c in perf_c2c__report tools/perf/builtin-c2c.c:2867:2
    #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #8 0x564965942e41 in main tools/perf/perf.c:538:3
0x6020000015f0 is located 0 bytes inside of 1-byte region [0x6020000015f0,0x6020000015f1)
freed by thread T0 here:
    #0 0x564965929da3 in realloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x564965c0f55e in mem2node__init tools/perf/util/mem2node.c:97:16
    #2 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
    #3 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #4 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #5 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #6 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #7 0x564965942e41 in main tools/perf/perf.c:538:3
previously allocated by thread T0 here:
    #0 0x564965929c42 in calloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x5649659e9220 in zalloc tools/lib/zalloc.c:8:9
    #2 0x564965c0f32d in mem2node__init tools/perf/util/mem2node.c:61:12
    #3 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
    #4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
    #5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
    #6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
    #7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
    #8 0x564965942e41 in main tools/perf/perf.c:538:3
v2: add a WARN_ON_ONCE when the free condition arises.
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: clang-built-linux@googlegroups.com
Link: http://lore.kernel.org/lkml/20200320182347.87675-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
		
	
			
		
			
				
	
	
		
#include <errno.h>
#include <inttypes.h>
#include <asm/bug.h>
#include <linux/bitmap.h>
#include <linux/kernel.h>
#include <linux/zalloc.h>
#include "debug.h"
#include "env.h"
#include "mem2node.h"
/*
 * One contiguous physical address range and the memory node it belongs to.
 *
 * Entries are stored in a flat array (map->entries) and linked into the
 * rb-tree at map->root through the embedded rb_node, so the tree is only
 * valid for as long as that array is.
 */
struct phys_entry {
	struct rb_node	rb_node;	/* tree linkage; ordered by start in phys_entry__insert() */
	u64		start;		/* first address of the range (inclusive) */
	u64		end;		/* one past the last address (exclusive, see mem2node__node()) */
	u64		node;		/* node id copied from the owning struct memory_node */
};
/*
 * Link @entry into the rb-tree rooted at @root, ordered by entry->start.
 *
 * An entry whose start is not smaller than the one at the visited node
 * descends to the right, so equal keys end up in the right subtree.
 * @entry must stay allocated for as long as it is reachable from @root.
 */
static void phys_entry__insert(struct phys_entry *entry, struct rb_root *root)
{
	struct rb_node **link = &root->rb_node;
	struct rb_node *parent = NULL;

	/* Walk down to the empty slot where the new node belongs. */
	while (*link) {
		struct phys_entry *cur;

		parent = *link;
		cur = rb_entry(parent, struct phys_entry, rb_node);

		link = entry->start < cur->start ? &parent->rb_left
						 : &parent->rb_right;
	}

	/* Attach at the slot found above, then let the tree rebalance. */
	rb_link_node(&entry->rb_node, parent, link);
	rb_insert_color(&entry->rb_node, root);
}
/*
 * Fill @entry with the range [start, start + bsize) on @node and mark its
 * rb_node as not yet linked into any tree.
 *
 * The end address is a plain u64 sum; it is not checked for wrap-around.
 */
static void
phys_entry__init(struct phys_entry *entry, u64 start, u64 bsize, u64 node)
{
	RB_CLEAR_NODE(&entry->rb_node);

	entry->node  = node;
	entry->start = start;
	entry->end   = entry->start + bsize;
}
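/*
 * Build the address -> node lookup tree of @map from the memory nodes in @env.
 *
 * Every set bit in a node's bitmap becomes a block of env->memory_bsize bytes
 * starting at bit * bsize; consecutive blocks on the same node are merged into
 * one phys_entry. The resulting array is stored in map->entries and each
 * element is linked into map->root, so the tree points into that array.
 *
 * When no block is found at all, a one-time warning is emitted, map->entries
 * is left NULL and the tree stays empty; the function still returns 0.
 *
 * NOTE(review): the memory node data presumably originates from a recorded
 * perf.data header -- confirm. Nothing here range-checks n->size or bsize,
 * and bit * bsize wraps silently on u64 overflow.
 *
 * Return: 0 on success, -ENOMEM if the entries array cannot be allocated.
 */
int mem2node__init(struct mem2node *map, struct perf_env *env)
{
	struct memory_node *n, *nodes = &env->memory_nodes[0];
	struct phys_entry *entries, *tmp_entries;
	u64 bsize = env->memory_bsize;
	int i, j = 0, max = 0;

	memset(map, 0x0, sizeof(*map));
	map->root = RB_ROOT;

	/* Upper bound on the entry count: one per set bit, before merging. */
	for (i = 0; i < env->nr_memory_nodes; i++) {
		n = &nodes[i];
		max += bitmap_weight(n->set, n->size);
	}

	/*
	 * NOTE(review): max can be 0 here; whether a zero-sized zalloc()
	 * yields NULL (reported as -ENOMEM) or a minimal allocation depends
	 * on the C library.
	 */
	entries = zalloc(sizeof(*entries) * max);
	if (!entries)
		return -ENOMEM;

	for (i = 0; i < env->nr_memory_nodes; i++) {
		u64 bit;

		n = &nodes[i];

		for (bit = 0; bit < n->size; bit++) {
			u64 start;

			if (!test_bit(bit, n->set))
				continue;

			start = bit * bsize;

			/*
			 * Merge nearby areas, we walk in order
			 * through the bitmap, so no need to sort.
			 */
			if (j > 0) {
				struct phys_entry *prev = &entries[j - 1];

				if ((prev->end == start) &&
				    (prev->node == n->node)) {
					prev->end += bsize;
					continue;
				}
			}

			phys_entry__init(&entries[j++], start, bsize, n->node);
		}
	}

	/* Cut unused entries, due to merging. */
	if (WARN_ON_ONCE(j == 0)) {
		/*
		 * Nothing to keep. Release the array explicitly instead of
		 * calling realloc() with size 0: whether that call frees the
		 * block and what it returns is implementation-defined, which
		 * is how the earlier double free came about. zfree() leaves
		 * entries NULL, so mem2node__exit() has nothing to free.
		 */
		zfree(&entries);
	} else {
		/* On failure the original, larger array stays valid: keep it. */
		tmp_entries = realloc(entries, sizeof(*entries) * j);
		if (tmp_entries)
			entries = tmp_entries;
	}

	/*
	 * Link only after the final realloc(): the tree nodes live inside
	 * the array, so they must be inserted at their final addresses.
	 */
	for (i = 0; i < j; i++) {
		pr_debug("mem2node %03" PRIu64 " [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
			 entries[i].node, entries[i].start, entries[i].end);

		phys_entry__insert(&entries[i], &map->root);
	}

	map->entries = entries;
	return 0;
}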
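/*
 * Release the entries array owned by @map and empty its lookup tree.
 *
 * Safe to call when map->entries is already NULL (as mem2node__init()
 * leaves it when no memory block was found).
 */
void mem2node__exit(struct mem2node *map)
{
	/*
	 * Every rb_node reachable from map->root is embedded in map->entries
	 * (see mem2node__init()), so reset the root before the array goes
	 * away; otherwise a later mem2node__node() would walk freed memory.
	 */
	map->root = RB_ROOT;

	/* zfree() frees the array and clears the pointer. */
	zfree(&map->entries);
}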
/*
 * Look up the memory node that owns physical address @addr.
 *
 * Descends the rb-tree at map->root: left when @addr is below an entry's
 * start, right when it is at or past the entry's end.
 *
 * Return: the node id of the range [start, end) containing @addr, converted
 * from u64 to int, or -1 when no range contains it.
 */
int mem2node__node(struct mem2node *map, u64 addr)
{
	struct rb_node *cur = map->root.rb_node;

	while (cur) {
		struct phys_entry *entry = rb_entry(cur, struct phys_entry, rb_node);

		if (addr < entry->start)
			cur = cur->rb_left;
		else if (addr >= entry->end)
			cur = cur->rb_right;
		else
			return (int) entry->node;
	}

	/* Fell off the tree: no range covers addr. */
	return -1;
}