From: Sasha Levin Date: Fri, 19 Apr 2019 13:48:34 +0000 (-0400) Subject: fixes for 5.0 X-Git-Tag: v4.9.170~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e26dbe5b52eb9c090ad16513b030794aeffea1a2;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.0 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/perf-data-don-t-store-auxtrace-index-for-directory-d.patch b/queue-4.19/perf-data-don-t-store-auxtrace-index-for-directory-d.patch deleted file mode 100644 index 3b38dc7852f..00000000000 --- a/queue-4.19/perf-data-don-t-store-auxtrace-index-for-directory-d.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3c09cf395c1a70a32840b9a049402e0c726f0f90 Mon Sep 17 00:00:00 2001 -From: Jiri Olsa -Date: Fri, 8 Mar 2019 14:47:36 +0100 -Subject: perf data: Don't store auxtrace index for directory data file - -[ Upstream commit cd3dd8dd8ff62374d90cb3f2e54b8c94106c7810 ] - -We can't store the auxtrace index when we store into multiple files, -because we keep only offset for it, not the file. - -The auxtrace data will be processed correctly in the 'pipe' mode. - -Signed-off-by: Jiri Olsa -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Alexey Budankov -Cc: Andi Kleen -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: Stephane Eranian -Link: http://lkml.kernel.org/r/20190308134745.5057-3-jolsa@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-record.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c -index 22ebeb92ac51..f5b438486a64 100644 ---- a/tools/perf/builtin-record.c -+++ b/tools/perf/builtin-record.c -@@ -178,7 +178,7 @@ static int record__process_auxtrace(struct perf_tool *tool, - size_t padding; - u8 pad[8] = {0}; - -- if (!perf_data__is_pipe(data)) { -+ if (!perf_data__is_pipe(data) && !perf_data__is_dir(data)) { - off_t file_offset; - int fd = perf_data__fd(data); - int err; --- -2.19.1 - 
diff --git a/queue-5.0/paride-pcd-fix-potential-null-pointer-dereference-an.patch b/queue-5.0/paride-pcd-fix-potential-null-pointer-dereference-an.patch
new file mode 100644
index 00000000000..1a3845ccdb1
--- /dev/null
+++ b/queue-5.0/paride-pcd-fix-potential-null-pointer-dereference-an.patch
@@ -0,0 +1,122 @@ +From 2992eaf89c2bbe2187a28485bc3160939ce17046 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 5 Apr 2019 10:14:58 +0800 +Subject: paride/pcd: Fix potential NULL pointer dereference and mem leak + +[ Upstream commit f0d1762554014ce0ae347b9f0d088f2c157c8c72 ] + +Syzkaller report this: + +pcd: pcd version 1.07, major 46, nice 0 +pcd0: Autoprobe failed +pcd: No CD-ROM drive found +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +CPU: 1 PID: 4525 Comm: syz-executor.0 Not tainted 5.1.0-rc3+ #8 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:pcd_init+0x95c/0x1000 [pcd] +Code: c4 ab f7 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 56 a3 da f7 4c 8b 23 49 8d bc 24 80 05 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 74 05 e8 39 a3 da f7 49 8b bc 24 80 05 00 00 e8 cc b2 +RSP: 0018:ffff8881e84df880 EFLAGS: 00010202 +RAX: 00000000000000b0 RBX: ffffffffc155a088 RCX: ffffffffc1508935 +RDX: 0000000000040000 RSI: ffffc900014f0000 RDI: 0000000000000580 +RBP: dffffc0000000000 R08: ffffed103ee658b8 R09: ffffed103ee658b8 +R10: 0000000000000001 R11: ffffed103ee658b7 R12: 0000000000000000 +R13: ffffffffc155a778 R14: ffffffffc155a4a8 R15: 0000000000000003 +FS: 00007fe71bee3700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055a7334441a8 CR3: 00000001e9674003 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ? 0xffffffffc1508000 + ? 
0xffffffffc1508000 + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe71bee2c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007fe71bee2c70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe71bee36bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: pcd(+) paride solos_pci atm ts_fsm rtc_mt6397 mac80211 nhc_mobility nhc_udp nhc_ipv6 nhc_hop nhc_dest nhc_fragment nhc_routing 6lowpan rtc_cros_ec memconsole intel_xhci_usb_role_switch roles rtc_wm8350 usbcore industrialio_triggered_buffer kfifo_buf industrialio asc7621 dm_era dm_persistent_data dm_bufio dm_mod tpm gnss_ubx gnss_serial serdev gnss max2165 cpufreq_dt hid_penmount hid menf21bmc_wdt rc_core n_tracesink ide_gd_mod cdns_csi2tx v4l2_fwnode videodev media pinctrl_lewisburg pinctrl_intel iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd + ide_pci_generic piix input_leds cryptd glue_helper psmouse 
ide_core intel_agp serio_raw intel_gtt ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: bmc150_magn] +Dumping ftrace buffer: + (ftrace buffer empty) +---[ end trace d873691c3cd69f56 ]--- + +If alloc_disk fails in pcd_init_units, cd->disk will be +NULL, however in pcd_detect and pcd_exit, it's not check +this before free.It may result a NULL pointer dereference. + +Also when register_blkdev failed, blk_cleanup_queue() and +blk_mq_free_tag_set() should be called to free resources. + +Reported-by: Hulk Robot +Fixes: 81b74ac68c28 ("paride/pcd: cleanup queues when detection fails") +Signed-off-by: YueHaibing + +Signed-off-by: Jens Axboe + +Signed-off-by: Sasha Levin +--- + drivers/block/paride/pcd.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c +index 377a694dc228..6d415b20fb70 100644 +--- a/drivers/block/paride/pcd.c ++++ b/drivers/block/paride/pcd.c +@@ -314,6 +314,7 @@ static void pcd_init_units(void) + disk->queue = blk_mq_init_sq_queue(&cd->tag_set, &pcd_mq_ops, + 1, BLK_MQ_F_SHOULD_MERGE); + if (IS_ERR(disk->queue)) { ++ put_disk(disk); + disk->queue = NULL; + continue; + } +@@ -750,6 +751,8 @@ static int pcd_detect(void) + + printk("%s: No CD-ROM drive found\n", name); + for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) { ++ if (!cd->disk) ++ continue; + blk_cleanup_queue(cd->disk->queue); + cd->disk->queue = NULL; + blk_mq_free_tag_set(&cd->tag_set); +@@ -1010,8 +1013,14 @@ static int __init pcd_init(void) + pcd_probe_capabilities(); + + if (register_blkdev(major, name)) { +- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) ++ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) { ++ if (!cd->disk) ++ continue; ++ ++ blk_cleanup_queue(cd->disk->queue); ++ blk_mq_free_tag_set(&cd->tag_set); + put_disk(cd->disk); ++ } + return -EBUSY; + } + +@@ 
-1032,6 +1041,9 @@ static void __exit pcd_exit(void) + int unit; + + for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) { ++ if (!cd->disk) ++ continue; ++ + if (cd->present) { + del_gendisk(cd->disk); + pi_release(cd->pi); +-- +2.19.1 + diff --git a/queue-5.0/paride-pf-fix-potential-null-pointer-dereference.patch b/queue-5.0/paride-pf-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..77278afff2b --- /dev/null +++ b/queue-5.0/paride-pf-fix-potential-null-pointer-dereference.patch 
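Review bot: In the pcd_init_units hunk the new `put_disk(disk);` sits before the existing `disk->queue = NULL;`, so the field is written after the reference that keeps the gendisk alive has been dropped; if that was the last reference (nothing visible here has taken an extra one beyond alloc_disk's own), the store lands in freed memory. Swapping the two lines, `disk->queue = NULL; put_disk(disk);`, keeps the clear and avoids writing through a released pointer. Separately, the new register_blkdev failure loop in pcd_init calls `blk_cleanup_queue(cd->disk->queue);` and then `put_disk(cd->disk);` without clearing `cd->disk->queue` in between, whereas the pcd_detect cleanup in the previous hunk clears it right after the cleanup call, seemingly so that a later disk release does not see a queue that is already gone; if releasing the disk drops whatever `disk->queue` still points at, that queue is put twice on this path, so `cd->disk->queue = NULL;` should follow the blk_cleanup_queue call here as well. The pf patch added alongside has the same omission in pf_init's register_blkdev failure loop. Whether cd->disk already points at disk at the pcd_init_units failure point is outside the hunk; if it does, the `if (!cd->disk)` guards added to pcd_detect and pcd_exit would not cover that case and cd->disk would need resetting too.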
@@ -0,0 +1,114 @@ +From f82fde9f7120dd528a33b3ca5137336ff18c8ce7 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 3 Apr 2019 11:37:07 +0800 +Subject: paride/pf: Fix potential NULL pointer dereference + +[ Upstream commit 58ccd2d31e502c37e108b285bf3d343eb00c235b ] + +Syzkaller report this: + +pf: pf version 1.04, major 47, cluster 64, nice 0 +pf: No ATAPI disk detected +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +CPU: 0 PID: 9887 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:pf_init+0x7af/0x1000 [pf] +Code: 46 77 d2 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 03 25 a6 d2 4c 8b 23 49 8d bc 24 80 05 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 74 05 e8 e6 24 a6 d2 49 8b bc 24 80 05 00 00 e8 79 34 +RSP: 0018:ffff8881abcbf998 EFLAGS: 00010202 +RAX: 00000000000000b0 RBX: ffffffffc1e4a8a8 RCX: ffffffffaec50788 +RDX: 0000000000039b10 RSI: ffffc9000153c000 RDI: 0000000000000580 +RBP: dffffc0000000000 R08: ffffed103ee44e59 R09: ffffed103ee44e59 +R10: 0000000000000001 R11: ffffed103ee44e58 R12: 0000000000000000 +R13: ffffffffc1e4b028 R14: 0000000000000000 R15: 0000000000000020 +FS: 00007f1b78a91700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6d72b207f8 CR3: 00000001d5790004 CR4: 00000000007606f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ? 
0xffffffffc1e50000 + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f1b78a90c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f1b78a90c70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b78a916bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: pf(+) paride gpio_tps65218 tps65218 i2c_cht_wc ati_remote dc395x act_meta_skbtcindex act_ife ife ecdh_generic rc_xbox_dvd sky81452_regulator v4l2_fwnode leds_blinkm snd_usb_hiface comedi(C) aes_ti slhc cfi_cmdset_0020 mtd cfi_util sx8654 mdio_gpio of_mdio fixed_phy mdio_bitbang libphy alcor_pci matrix_keymap hid_uclogic usbhid scsi_transport_fc videobuf2_v4l2 videobuf2_dma_sg snd_soc_pcm179x_spi snd_soc_pcm179x_codec i2c_demux_pinctrl mdev snd_indigodj isl6405 mii enc28j60 cmac adt7316_i2c(C) adt7316(C) fmc_trivial fmc nf_reject_ipv4 authenc rc_dtt200u rtc_ds1672 dvb_usb_dibusb_mc dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb dvb_core videobuf2_common videobuf2_vmalloc videobuf2_memops regulator_haptic adf7242 mac802154 ieee802154 s5h1409 da9034_ts snd_intel8x0m wmi cx24120 usbcore sdhci_cadence sdhci_pltfm sdhci mmc_core joydev i2c_algo_bit scsi_transport_iscsi iscsi_boot_sysfs ves1820 lockd grace nfs_acl auth_rpcgss sunrp + c + ip_vs snd_soc_adau7002 snd_cs4281 snd_rawmidi gameport 
snd_opl3_lib snd_seq_device snd_hwdep snd_ac97_codec ad7418 hid_primax hid snd_soc_cs4265 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore ti_adc108s102 eeprom_93cx6 i2c_algo_pca mlxreg_hotplug st_pressure st_sensors industrialio_triggered_buffer kfifo_buf industrialio v4l2_common videodev media snd_soc_adau_utils rc_pinnacle_grey rc_core pps_gpio leds_lm3692x nandcore ledtrig_pattern iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic aes_x86_64 piix crypto_simd input_leds psmouse cryp + td + glue_helper ide_core intel_agp serio_raw intel_gtt agpgart ata_generic i2c_piix4 pata_acpi parport_pc parport rtc_cmos floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: paride] +Dumping ftrace buffer: + (ftrace buffer empty) +---[ end trace 7a818cf5f210d79e ]--- + +If alloc_disk fails in pf_init_units, pf->disk will be +NULL, however in pf_detect and pf_exit, it's not check +this before free.It may result a NULL pointer dereference. + +Also when register_blkdev failed, blk_cleanup_queue() and +blk_mq_free_tag_set() should be called to free resources. 
+ +Reported-by: Hulk Robot +Fixes: 6ce59025f118 ("paride/pf: cleanup queues when detection fails") +Signed-off-by: YueHaibing + +Signed-off-by: Jens Axboe + +Signed-off-by: Sasha Levin +--- + drivers/block/paride/pf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c +index 103b617cdc31..35e6e271b219 100644 +--- a/drivers/block/paride/pf.c ++++ b/drivers/block/paride/pf.c +@@ -762,6 +762,8 @@ static int pf_detect(void) + + printk("%s: No ATAPI disk detected\n", name); + for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) { ++ if (!pf->disk) ++ continue; + blk_cleanup_queue(pf->disk->queue); + pf->disk->queue = NULL; + blk_mq_free_tag_set(&pf->tag_set); +@@ -1029,8 +1031,13 @@ static int __init pf_init(void) + pf_busy = 0; + + if (register_blkdev(major, name)) { +- for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) ++ for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) { ++ if (!pf->disk) ++ continue; ++ blk_cleanup_queue(pf->disk->queue); ++ blk_mq_free_tag_set(&pf->tag_set); + put_disk(pf->disk); ++ } + return -EBUSY; + } + +@@ -1051,6 +1058,9 @@ static void __exit pf_exit(void) + int unit; + unregister_blkdev(major, name); + for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) { ++ if (!pf->disk) ++ continue; ++ + if (pf->present) + del_gendisk(pf->disk); + +-- +2.19.1 + diff --git a/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch b/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch deleted file mode 100644 index d9a295534a7..00000000000 --- a/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch +++ /dev/null 
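Review bot: This patch guards pf_detect, pf_init and pf_exit against a NULL pf->disk but, unlike the pcd patch queued next to it, does not touch pf_init_units; if pf_init_units follows the same alloc_disk then blk_mq_init_sq_queue pattern (it is outside the hunk, so this needs confirming against the file), the gendisk is leaked when queue creation fails because nothing releases it on the `continue` path. If that is the case, `disk->queue = NULL; put_disk(disk);` before the `continue` closes the leak, with the field cleared before the reference is dropped so the release does not act on a queue that was never fully set up. The commit message's claim that pf->disk is NULL after an alloc_disk failure is consistent with the new guards, but the present-but-queueless case is not covered by them.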
@@ -1,43 +0,0 @@ -From 87892f50188c79b2118388e3dbf7255f09046548 Mon Sep 17 00:00:00 2001 -From: Jiri Olsa -Date: Fri, 8 Mar 2019 14:47:36 +0100 -Subject: perf data: Don't store auxtrace index for directory data file - -[ Upstream commit cd3dd8dd8ff62374d90cb3f2e54b8c94106c7810 ] - -We can't store the auxtrace index when we store into multiple files, -because we keep only offset for it, not the file. - -The auxtrace data will be processed correctly in the 'pipe' mode. - -Signed-off-by: Jiri Olsa -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Alexey Budankov -Cc: Andi Kleen -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: Stephane Eranian -Link: http://lkml.kernel.org/r/20190308134745.5057-3-jolsa@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-record.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c -index 882285fb9f64..3fd154f1701b 100644 ---- a/tools/perf/builtin-record.c -+++ b/tools/perf/builtin-record.c -@@ -386,7 +386,7 @@ static int record__process_auxtrace(struct perf_tool *tool, - size_t padding; - u8 pad[8] = {0}; - -- if (!perf_data__is_pipe(data)) { -+ if (!perf_data__is_pipe(data) && !perf_data__is_dir(data)) { - off_t file_offset; - int fd = perf_data__fd(data); - int err; --- -2.19.1 - diff --git a/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch b/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch deleted file mode 100644 index fe0e833392b..00000000000 --- a/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From ade81011a8f00f467f324afe868f7585f71893ef Mon Sep 17 00:00:00 2001 -From: Changbin Du -Date: Sat, 16 Mar 2019 16:05:47 +0800 -Subject: perf top: Delete the evlist before perf_session, fixing - heap-use-after-free issue - -[ Upstream commit 0dba9e4be95b59e77060645ca8e37ca3231061f5 ] - -The evlist should be destroyed before the perf session. - -Detected with gcc's ASan: - - ================================================================= - ==27350==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000002e38 at pc 0x5611da276999 bp 0x7ffce8f1d1a0 sp 0x7ffce8f1d190 - WRITE of size 8 at 0x62b000002e38 thread T0 - #0 0x5611da276998 in __list_del /home/work/linux/tools/include/linux/list.h:89 - #1 0x5611da276d4a in __list_del_entry /home/work/linux/tools/include/linux/list.h:102 - #2 0x5611da276e77 in list_del_init /home/work/linux/tools/include/linux/list.h:145 - #3 0x5611da2781cd in thread__put util/thread.c:130 - #4 0x5611da2cc0a8 in __thread__zput util/thread.h:68 - #5 0x5611da2d2dcb in hist_entry__delete util/hist.c:1148 - #6 0x5611da2cdf91 in hists__delete_entry util/hist.c:337 - #7 0x5611da2ce19e in hists__delete_entries util/hist.c:365 - #8 0x5611da2db2ab in hists__delete_all_entries util/hist.c:2639 - #9 0x5611da2db325 in hists_evsel__exit util/hist.c:2651 - #10 0x5611da1c5352 in perf_evsel__exit util/evsel.c:1304 - #11 0x5611da1c5390 in perf_evsel__delete util/evsel.c:1309 - #12 0x5611da1b35f0 in perf_evlist__purge util/evlist.c:124 - #13 0x5611da1b38e2 in perf_evlist__delete util/evlist.c:148 - #14 0x5611da069781 in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1645 - #15 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 - #16 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 - #17 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 - #18 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 - #19 
0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) - #20 0x5611d9ff35c9 in _start (/home/work/linux/tools/perf/perf+0x3e95c9) - - 0x62b000002e38 is located 11320 bytes inside of 27448-byte region [0x62b000000200,0x62b000006d38) - freed by thread T0 here: - #0 0x7fdccb04ab70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70) - #1 0x5611da260df4 in perf_session__delete util/session.c:201 - #2 0x5611da063de5 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1300 - #3 0x5611da06973c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642 - #4 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 - #5 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 - #6 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 - #7 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 - #8 0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) - - previously allocated by thread T0 here: - #0 0x7fdccb04b138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) - #1 0x5611da26010c in zalloc util/util.h:23 - #2 0x5611da260824 in perf_session__new util/session.c:118 - #3 0x5611da0633a6 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1192 - #4 0x5611da06973c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642 - #5 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 - #6 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 - #7 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 - #8 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 - #9 0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) - - SUMMARY: AddressSanitizer: heap-use-after-free /home/work/linux/tools/include/linux/list.h:89 in __list_del - Shadow bytes around the buggy address: - 
0x0c567fff8570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff8580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff8590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff85a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff85b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - =>0x0c567fff85c0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd - 0x0c567fff85d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff85e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff85f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff8600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - 0x0c567fff8610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - ==27350==ABORTING - -Signed-off-by: Changbin Du -Reviewed-by: Jiri Olsa -Cc: Alexei Starovoitov -Cc: Daniel Borkmann -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: Steven Rostedt (VMware) -Link: http://lkml.kernel.org/r/20190316080556.3075-8-changbin.du@gmail.com -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-top.c | 42 ++++++++++++++++++---------------------- - 1 file changed, 19 insertions(+), 23 deletions(-) - -diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c -index f64e312db787..9b215007924b 100644 ---- a/tools/perf/builtin-top.c -+++ b/tools/perf/builtin-top.c -@@ -1192,23 +1192,19 @@ static int __cmd_top(struct perf_top *top) - pthread_t thread, thread_process; - int ret; - 
-- top->session = perf_session__new(NULL, false, NULL); -- if (top->session == NULL) -- return -1; -- - if (!top->annotation_opts.objdump_path) { - ret = perf_env__lookup_objdump(&top->session->header.env, - &top->annotation_opts.objdump_path); - if (ret) -- goto out_delete; -+ return ret; - } - - ret = callchain_param__setup_sample_type(&callchain_param); - if (ret) -- goto out_delete; -+ return ret; - - if (perf_session__register_idle_thread(top->session) < 0) -- goto out_delete; -+ return ret; - - if (top->nr_threads_synthesize > 1) - perf_set_multithreaded(); -@@ -1224,13 +1220,18 @@ static int __cmd_top(struct perf_top *top) - - if (perf_hpp_list.socket) { - ret = perf_env__read_cpu_topology_map(&perf_env); -- if (ret < 0) -- goto out_err_cpu_topo; -+ if (ret < 0) { -+ char errbuf[BUFSIZ]; -+ const char *err = str_error_r(-ret, errbuf, sizeof(errbuf)); -+ -+ ui__error("Could not read the CPU topology map: %s\n", err); -+ return ret; -+ } - } - - ret = perf_top__start_counters(top); - if (ret) -- goto out_delete; -+ return ret; - - ret = perf_evlist__apply_drv_configs(evlist, &pos, &err_term); - if (ret) { -@@ -1257,7 +1258,7 @@ static int __cmd_top(struct perf_top *top) - ret = -1; - if (pthread_create(&thread_process, NULL, process_thread, top)) { - ui__error("Could not create process thread.\n"); -- goto out_delete; -+ return ret; - } - - if (pthread_create(&thread, NULL, (use_browser > 0 ? 
display_thread_tui : -@@ -1301,19 +1302,7 @@ static int __cmd_top(struct perf_top *top) - out_join_thread: - pthread_cond_signal(&top->qe.cond); - pthread_join(thread_process, NULL); --out_delete: -- perf_session__delete(top->session); -- top->session = NULL; -- - return ret; -- --out_err_cpu_topo: { -- char errbuf[BUFSIZ]; -- const char *err = str_error_r(-ret, errbuf, sizeof(errbuf)); -- -- ui__error("Could not read the CPU topology map: %s\n", err); -- goto out_delete; --} - } - - static int -@@ -1644,10 +1633,17 @@ int cmd_top(int argc, const char **argv) - signal(SIGWINCH, winch_sig); - } - -+ top.session = perf_session__new(NULL, false, NULL); -+ if (top.session == NULL) { -+ status = -1; -+ goto out_delete_evlist; -+ } -+ - status = __cmd_top(&top); - - out_delete_evlist: - perf_evlist__delete(top.evlist); -+ perf_session__delete(top.session); - - return status; - } --- -2.19.1 - diff --git a/queue-5.0/series b/queue-5.0/series index 56ae054abc4..70462673817 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -2,7 +2,6 @@ arc-u-boot-args-check-that-magic-number-is-correct.patch arc-hsdk_defconfig-enable-config_blk_dev_ram.patch inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch perf-core-restore-mmap-record-type-correctly.patch -perf-data-don-t-store-auxtrace-index-for-directory-d.patch mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch ext4-avoid-panic-during-forced-reboot.patch ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch @@ -36,7 +35,6 @@ perf-tools-fix-errors-under-optimization-level-og.patch perf-config-fix-an-error-in-the-config-template-docu.patch perf-config-fix-a-memory-leak-in-collect_config.patch perf-build-id-fix-memory-leak-in-print_sdt_events.patch -perf-top-delete-the-evlist-before-perf_session-fixin.patch perf-top-fix-error-handling-in-cmd_top.patch perf-hist-add-missing-map__put-in-error-case.patch perf-map-remove-map-from-names-tree-in-__maps__remov.patch 
@@ -91,3 +89,5 @@ f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch
 include-linux-swap.h-use-offsetof-instead-of-custom-.patch
 bpf-fix-use-after-free-in-bpf_evict_inode.patch
 ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch
+paride-pf-fix-potential-null-pointer-dereference.patch
+paride-pcd-fix-potential-null-pointer-dereference-an.patch