perf cpumap: Add reference count checking

Enabled when REFCNT_CHECKING is defined. The change adds a memory
allocated pointer that is interposed between the reference counted cpu
map at a get and freed by a put. The pointer replaces the original
perf_cpu_map struct, so use of the perf_cpu_map via APIs remains
unchanged. Any use of the cpu map without the API requires two versions,
handled via the RC_CHK_ACCESS macro.

This change is intended to catch:

- use after put: using a cpumap after you have put it will cause a
segv.
- unbalanced puts: two puts for a get will result in a double free
that can be captured and reported by tools like address sanitizer,
including with the associated stack traces of allocation and frees.
- missing puts: if a put is missing then the get turns into a memory
leak that can be reported by leak sanitizer, including the stack
trace at the point the get occurs.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexey Bayduraev <alexey.v.bayduraev@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: German Gomez <german.gomez@arm.com>
Cc: Hao Luo <haoluo@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@arm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Garry <john.g.garry@oracle.com>
Cc: Kajol Jain <kjain@linux.ibm.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Miaoqian Lin <linmq006@gmail.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Riccardo Mancini <rickyman7@gmail.com>
Cc: Shunsuke Nakamura <nakamura.shun@fujitsu.com>
Cc: Song Liu <song@kernel.org>
Cc: Stephen Brennan <stephen.s.brennan@oracle.com>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Richter <tmricht@linux.ibm.com>,
Cc: Yury Norov <yury.norov@gmail.com>
Link: https://lore.kernel.org/lkml/20230407230405.2931830-3-irogers@google.com
[ Extracted from a larger patch ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

authored by

Ian Rogers and committed by

Arnaldo Carvalho de Melo 3 years ago da885a0e 491b13c4

+58 -50

5 changed files

expand all

tools

lib

perf

Makefile

cpumap.c

include

internal

cpumap.h

perf

util

cpumap.c

pmu.c

+1 -1

tools/lib/perf/Makefile

··· 188 188 cp -fpR $(LIBPERF_ALL) $(DESTDIR)$(libdir_SQ) 189 189 190 190 HDRS := bpf_perf.h core.h cpumap.h threadmap.h evlist.h evsel.h event.h mmap.h 191 - INTERNAL_HDRS := cpumap.h evlist.h evsel.h lib.h mmap.h threadmap.h xyarray.h 191 + INTERNAL_HDRS := cpumap.h evlist.h evsel.h lib.h mmap.h rc_check.h threadmap.h xyarray.h 192 192 193 193 INSTALL_HDRS_PFX := $(DESTDIR)$(prefix)/include/perf 194 194 INSTALL_HDRS := $(addprefix $(INSTALL_HDRS_PFX)/, $(HDRS))

+46 -39

tools/lib/perf/cpumap.c

··· 12 12 13 13 void perf_cpu_map__set_nr(struct perf_cpu_map *map, int nr_cpus) 14 14 { 15 - map->nr = nr_cpus; 15 + RC_CHK_ACCESS(map)->nr = nr_cpus; 16 16 } 17 17 18 18 struct perf_cpu_map *perf_cpu_map__alloc(int nr_cpus) 19 19 { 20 - struct perf_cpu_map *cpus = malloc(sizeof(*cpus) + sizeof(struct perf_cpu) * nr_cpus); 20 + RC_STRUCT(perf_cpu_map) *cpus = malloc(sizeof(*cpus) + sizeof(struct perf_cpu) * nr_cpus); 21 + struct perf_cpu_map *result; 21 22 22 - if (cpus != NULL) { 23 + if (ADD_RC_CHK(result, cpus)) { 23 24 cpus->nr = nr_cpus; 24 25 refcount_set(&cpus->refcnt, 1); 25 - 26 26 } 27 - return cpus; 27 + return result; 28 28 } 29 29 30 30 struct perf_cpu_map *perf_cpu_map__dummy_new(void) ··· 32 32 struct perf_cpu_map *cpus = perf_cpu_map__alloc(1); 33 33 34 34 if (cpus) 35 - cpus->map[0].cpu = -1; 35 + RC_CHK_ACCESS(cpus)->map[0].cpu = -1; 36 36 37 37 return cpus; 38 38 } ··· 42 42 if (map) { 43 43 WARN_ONCE(refcount_read(perf_cpu_map__refcnt(map)) != 0, 44 44 "cpu_map refcnt unbalanced\n"); 45 - free(map); 45 + RC_CHK_FREE(map); 46 46 } 47 47 } 48 48 49 49 struct perf_cpu_map *perf_cpu_map__get(struct perf_cpu_map *map) 50 50 { 51 - if (map) 51 + struct perf_cpu_map *result; 52 + 53 + if (RC_CHK_GET(result, map)) 52 54 refcount_inc(perf_cpu_map__refcnt(map)); 53 - return map; 55 + 56 + return result; 54 57 } 55 58 56 59 void perf_cpu_map__put(struct perf_cpu_map *map) 57 60 { 58 - if (map && refcount_dec_and_test(perf_cpu_map__refcnt(map))) 59 - cpu_map__delete(map); 61 + if (map) { 62 + if (refcount_dec_and_test(perf_cpu_map__refcnt(map))) 63 + cpu_map__delete(map); 64 + else 65 + RC_CHK_PUT(map); 66 + } 60 67 } 61 68 62 69 static struct perf_cpu_map *cpu_map__default_new(void) ··· 80 73 int i; 81 74 82 75 for (i = 0; i < nr_cpus; ++i) 83 - cpus->map[i].cpu = i; 76 + RC_CHK_ACCESS(cpus)->map[i].cpu = i; 84 77 } 85 78 86 79 return cpus; ··· 106 99 int i, j; 107 100 108 101 if (cpus != NULL) { 109 - memcpy(cpus->map, tmp_cpus, payload_size); 110 - qsort(cpus->map, nr_cpus, sizeof(struct perf_cpu), cmp_cpu); 102 + memcpy(RC_CHK_ACCESS(cpus)->map, tmp_cpus, payload_size); 103 + qsort(RC_CHK_ACCESS(cpus)->map, nr_cpus, sizeof(struct perf_cpu), cmp_cpu); 111 104 /* Remove dups */ 112 105 j = 0; 113 106 for (i = 0; i < nr_cpus; i++) { 114 - if (i == 0 || cpus->map[i].cpu != cpus->map[i - 1].cpu) 115 - cpus->map[j++].cpu = cpus->map[i].cpu; 107 + if (i == 0 || RC_CHK_ACCESS(cpus)->map[i].cpu != RC_CHK_ACCESS(cpus)->map[i - 1].cpu) 108 + RC_CHK_ACCESS(cpus)->map[j++].cpu = RC_CHK_ACCESS(cpus)->map[i].cpu; 116 109 } 117 - cpus->nr = j; 110 + perf_cpu_map__set_nr(cpus, j); 118 111 assert(j <= nr_cpus); 119 112 } 120 113 return cpus; ··· 275 268 .cpu = -1 276 269 }; 277 270 278 - if (cpus && idx < cpus->nr) 279 - return cpus->map[idx]; 271 + if (cpus && idx < RC_CHK_ACCESS(cpus)->nr) 272 + return RC_CHK_ACCESS(cpus)->map[idx]; 280 273 281 274 return result; 282 275 } 283 276 284 277 int perf_cpu_map__nr(const struct perf_cpu_map *cpus) 285 278 { 286 - return cpus ? cpus->nr : 1; 279 + return cpus ? RC_CHK_ACCESS(cpus)->nr : 1; 287 280 } 288 281 289 282 bool perf_cpu_map__empty(const struct perf_cpu_map *map) 290 283 { 291 - return map ? map->map[0].cpu == -1 : true; 284 + return map ? RC_CHK_ACCESS(map)->map[0].cpu == -1 : true; 292 285 } 293 286 294 287 int perf_cpu_map__idx(const struct perf_cpu_map *cpus, struct perf_cpu cpu) ··· 299 292 return -1; 300 293 301 294 low = 0; 302 - high = cpus->nr; 295 + high = RC_CHK_ACCESS(cpus)->nr; 303 296 while (low < high) { 304 297 int idx = (low + high) / 2; 305 - struct perf_cpu cpu_at_idx = cpus->map[idx]; 298 + struct perf_cpu cpu_at_idx = RC_CHK_ACCESS(cpus)->map[idx]; 306 299 307 300 if (cpu_at_idx.cpu == cpu.cpu) 308 301 return idx; ··· 328 321 }; 329 322 330 323 // cpu_map__trim_new() qsort()s it, cpu_map__default_new() sorts it as well. 331 - return map->nr > 0 ? map->map[map->nr - 1] : result; 324 + return RC_CHK_ACCESS(map)->nr > 0 ? RC_CHK_ACCESS(map)->map[RC_CHK_ACCESS(map)->nr - 1] : result; 332 325 } 333 326 334 327 /** Is 'b' a subset of 'a'. */ ··· 336 329 { 337 330 if (a == b || !b) 338 331 return true; 339 - if (!a || b->nr > a->nr) 332 + if (!a || RC_CHK_ACCESS(b)->nr > RC_CHK_ACCESS(a)->nr) 340 333 return false; 341 334 342 - for (int i = 0, j = 0; i < a->nr; i++) { 343 - if (a->map[i].cpu > b->map[j].cpu) 335 + for (int i = 0, j = 0; i < RC_CHK_ACCESS(a)->nr; i++) { 336 + if (RC_CHK_ACCESS(a)->map[i].cpu > RC_CHK_ACCESS(b)->map[j].cpu) 344 337 return false; 345 - if (a->map[i].cpu == b->map[j].cpu) { 338 + if (RC_CHK_ACCESS(a)->map[i].cpu == RC_CHK_ACCESS(b)->map[j].cpu) { 346 339 j++; 347 - if (j == b->nr) 340 + if (j == RC_CHK_ACCESS(b)->nr) 348 341 return true; 349 342 } 350 343 } ··· 374 367 return perf_cpu_map__get(other); 375 368 } 376 369 377 - tmp_len = orig->nr + other->nr; 370 + tmp_len = RC_CHK_ACCESS(orig)->nr + RC_CHK_ACCESS(other)->nr; 378 371 tmp_cpus = malloc(tmp_len * sizeof(struct perf_cpu)); 379 372 if (!tmp_cpus) 380 373 return NULL; 381 374 382 375 /* Standard merge algorithm from wikipedia */ 383 376 i = j = k = 0; 384 - while (i < orig->nr && j < other->nr) { 385 - if (orig->map[i].cpu <= other->map[j].cpu) { 386 - if (orig->map[i].cpu == other->map[j].cpu) 377 + while (i < RC_CHK_ACCESS(orig)->nr && j < RC_CHK_ACCESS(other)->nr) { 378 + if (RC_CHK_ACCESS(orig)->map[i].cpu <= RC_CHK_ACCESS(other)->map[j].cpu) { 379 + if (RC_CHK_ACCESS(orig)->map[i].cpu == RC_CHK_ACCESS(other)->map[j].cpu) 387 380 j++; 388 - tmp_cpus[k++] = orig->map[i++]; 381 + tmp_cpus[k++] = RC_CHK_ACCESS(orig)->map[i++]; 389 382 } else 390 - tmp_cpus[k++] = other->map[j++]; 383 + tmp_cpus[k++] = RC_CHK_ACCESS(other)->map[j++]; 391 384 } 392 385 393 - while (i < orig->nr) 394 - tmp_cpus[k++] = orig->map[i++]; 386 + while (i < RC_CHK_ACCESS(orig)->nr) 387 + tmp_cpus[k++] = RC_CHK_ACCESS(orig)->map[i++]; 395 388 396 - while (j < other->nr) 397 - tmp_cpus[k++] = other->map[j++]; 389 + while (j < RC_CHK_ACCESS(other)->nr) 390 + tmp_cpus[k++] = RC_CHK_ACCESS(other)->map[j++]; 398 391 assert(k <= tmp_len); 399 392 400 393 merged = cpu_map__trim_new(k, tmp_cpus);

+3 -2

tools/lib/perf/include/internal/cpumap.h

··· 4 4 5 5 #include <linux/refcount.h> 6 6 #include <perf/cpumap.h> 7 + #include <internal/rc_check.h> 7 8 8 9 /** 9 10 * A sized, reference counted, sorted array of integers representing CPU ··· 13 12 * gaps if CPU numbers were used. For events associated with a pid, rather than 14 13 * a CPU, a single dummy map with an entry of -1 is used. 15 14 */ 16 - struct perf_cpu_map { 15 + DECLARE_RC_STRUCT(perf_cpu_map) { 17 16 refcount_t refcnt; 18 17 /** Length of the map array. */ 19 18 int nr; ··· 33 32 34 33 static inline refcount_t *perf_cpu_map__refcnt(struct perf_cpu_map *map) 35 34 { 36 - return &map->refcnt; 35 + return &RC_CHK_ACCESS(map)->refcnt; 37 36 } 38 37 #endif /* __LIBPERF_INTERNAL_CPUMAP_H */

+6 -6

tools/perf/util/cpumap.c

··· 77 77 * otherwise it would become 65535. 78 78 */ 79 79 if (data->cpus_data.cpu[i] == (u16) -1) 80 - map->map[i].cpu = -1; 80 + RC_CHK_ACCESS(map)->map[i].cpu = -1; 81 81 else 82 - map->map[i].cpu = (int) data->cpus_data.cpu[i]; 82 + RC_CHK_ACCESS(map)->map[i].cpu = (int) data->cpus_data.cpu[i]; 83 83 } 84 84 } 85 85 ··· 107 107 108 108 perf_record_cpu_map_data__read_one_mask(data, i, local_copy); 109 109 for_each_set_bit(cpu, local_copy, 64) 110 - map->map[j++].cpu = cpu + cpus_per_i; 110 + RC_CHK_ACCESS(map)->map[j++].cpu = cpu + cpus_per_i; 111 111 } 112 112 return map; 113 113 ··· 124 124 return NULL; 125 125 126 126 if (data->range_cpu_data.any_cpu) 127 - map->map[i++].cpu = -1; 127 + RC_CHK_ACCESS(map)->map[i++].cpu = -1; 128 128 129 129 for (int cpu = data->range_cpu_data.start_cpu; cpu <= data->range_cpu_data.end_cpu; 130 130 i++, cpu++) 131 - map->map[i].cpu = cpu; 131 + RC_CHK_ACCESS(map)->map[i].cpu = cpu; 132 132 133 133 return map; 134 134 } ··· 164 164 165 165 if (cpus != NULL) { 166 166 for (int i = 0; i < nr; i++) 167 - cpus->map[i].cpu = -1; 167 + RC_CHK_ACCESS(cpus)->map[i].cpu = -1; 168 168 } 169 169 170 170 return cpus;

+2 -2

tools/perf/util/pmu.c

··· 2015 2015 2016 2016 perf_cpu_map__for_each_cpu(cpu, i, cpus) { 2017 2017 if (!perf_cpu_map__has(pmu_cpus, cpu)) 2018 - unmatched_cpus->map[unmatched_nr++] = cpu; 2018 + RC_CHK_ACCESS(unmatched_cpus)->map[unmatched_nr++] = cpu; 2019 2019 else 2020 - matched_cpus->map[matched_nr++] = cpu; 2020 + RC_CHK_ACCESS(matched_cpus)->map[matched_nr++] = cpu; 2021 2021 } 2022 2022 2023 2023 perf_cpu_map__set_nr(unmatched_cpus, unmatched_nr);

Configure Feed

Configure Feed