1. 14 3月, 2012 2 次提交
    • A
      perf tools: Incorrect use of snprintf results in SEGV · b832796c
      Anton Blanchard 提交于
      I have a workload where perf top scribbles over the stack and we SEGV.
      What makes it interesting is that an snprintf is causing this.
      
      The workload is a c++ gem that has method names over 3000 characters
      long, but snprintf is designed to avoid overrunning buffers. So what
      went wrong?
      
      The problem is we assume snprintf returns the number of characters
      written:
      
          ret += repsep_snprintf(bf + ret, size - ret, "[%c] ", self->level);
      ...
          ret += repsep_snprintf(bf + ret, size - ret, "%s", self->ms.sym->name);
      
      Unfortunately this is not how snprintf works. snprintf returns the
      number of characters that would have been written if there was enough
      space. In the above case, if the first snprintf returns a value larger
      than size, we pass a negative size into the second snprintf and happily
      scribble over the stack. If you have 3000 character c++ methods thats a
      lot of stack to trample.
      
      This patch fixes repsep_snprintf by clamping the value at size - 1 which
      is the maximum snprintf can write before adding the NULL terminator.
      
      I get the sinking feeling that there are a lot of other uses of snprintf
      that have this same bug, we should audit them all.
      
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Eric B Munson <emunson@mgebm.net>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Yanmin Zhang <yanmin_zhang@linux.intel.com>
      Cc: stable@kernel.org
      Link: http://lkml.kernel.org/r/20120307114249.44275ca3@krytenSigned-off-by: NAnton Blanchard <anton@samba.org>
      Signed-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      b832796c
    • S
      perf record: Fix buffer overrun bug in tracepoint_id_to_path() · 8aa8a7c8
      Stephane Eranian 提交于
      This patch fixes a buffer overrun bug in
      tracepoint_id_to_path(). The bug manisfested itself as a memory
      error reported by perf record. I ran into it with perf sched:
      
       $ perf sched rec noploop 2 noploop for 2 seconds
       [ perf record: Woken up 14 times to write data ]
       [ perf record: Captured and wrote 42.701 MB perf.data (~1865622 samples) ]
       Fatal: No memory to alloc tracepoints list
      
      It turned out that tracepoint_id_to_path() was reading the
      tracepoint id using read() but the buffer was not large enough
      to include the \n terminator for id with 4 digits or more.
      
      The patch fixes the problem by extending the buffer to a more
      reasonable size covering all possible id length include \n
      terminator. Note that atoll() stops at the first non digit
      character, thus it is not necessary to clear the buffer between
      each read.
      Signed-off-by: NStephane Eranian <eranian@google.com>
      Acked-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: fweisbec@gmail.com
      Cc: dsahern@gmail.com
      Link: http://lkml.kernel.org/r/20120313155102.GA6465@quadSigned-off-by: NIngo Molnar <mingo@elte.hu>
      8aa8a7c8
  2. 13 3月, 2012 1 次提交
    • P
      perf/x86: Fix local vs remote memory events for NHM/WSM · 87e24f4b
      Peter Zijlstra 提交于
      Verified using the below proglet.. before:
      
      [root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
      remote write
      
       Performance counter stats for './numa 0':
      
               2,101,554 node-stores
               2,096,931 node-store-misses
      
             5.021546079 seconds time elapsed
      
      [root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
      local write
      
       Performance counter stats for './numa 1':
      
                 501,137 node-stores
                     199 node-store-misses
      
             5.124451068 seconds time elapsed
      
      After:
      
      [root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
      remote write
      
       Performance counter stats for './numa 0':
      
               2,107,516 node-stores
               2,097,187 node-store-misses
      
             5.012755149 seconds time elapsed
      
      [root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
      local write
      
       Performance counter stats for './numa 1':
      
               2,063,355 node-stores
                     165 node-store-misses
      
             5.082091494 seconds time elapsed
      
      #define _GNU_SOURCE
      
      #include <sched.h>
      #include <stdio.h>
      #include <errno.h>
      #include <sys/mman.h>
      #include <sys/types.h>
      #include <dirent.h>
      #include <signal.h>
      #include <unistd.h>
      #include <numaif.h>
      #include <stdlib.h>
      
      #define SIZE (32*1024*1024)
      
      volatile int done;
      
      void sig_done(int sig)
      {
      	done = 1;
      }
      
      int main(int argc, char **argv)
      {
      	cpu_set_t *mask, *mask2;
      	size_t size;
      	int i, err, t;
      	int nrcpus = 1024;
      	char *mem;
      	unsigned long nodemask = 0x01; /* node 0 */
      	DIR *node;
      	struct dirent *de;
      	int read = 0;
      	int local = 0;
      
      	if (argc < 2) {
      		printf("usage: %s [0-3]\n", argv[0]);
      		printf("  bit0 - local/remote\n");
      		printf("  bit1 - read/write\n");
      		exit(0);
      	}
      
      	switch (atoi(argv[1])) {
      	case 0:
      		printf("remote write\n");
      		break;
      	case 1:
      		printf("local write\n");
      		local = 1;
      		break;
      	case 2:
      		printf("remote read\n");
      		read = 1;
      		break;
      	case 3:
      		printf("local read\n");
      		local = 1;
      		read = 1;
      		break;
      	}
      
      	mask = CPU_ALLOC(nrcpus);
      	size = CPU_ALLOC_SIZE(nrcpus);
      	CPU_ZERO_S(size, mask);
      
      	node = opendir("/sys/devices/system/node/node0/");
      	if (!node)
      		perror("opendir");
      	while ((de = readdir(node))) {
      		int cpu;
      
      		if (sscanf(de->d_name, "cpu%d", &cpu) == 1)
      			CPU_SET_S(cpu, size, mask);
      	}
      	closedir(node);
      
      	mask2 = CPU_ALLOC(nrcpus);
      	CPU_ZERO_S(size, mask2);
      	for (i = 0; i < size; i++)
      		CPU_SET_S(i, size, mask2);
      	CPU_XOR_S(size, mask2, mask2, mask); // invert
      
      	if (!local)
      		mask = mask2;
      
      	err = sched_setaffinity(0, size, mask);
      	if (err)
      		perror("sched_setaffinity");
      
      	mem = mmap(0, SIZE, PROT_READ|PROT_WRITE,
      			MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
      	err = mbind(mem, SIZE, MPOL_BIND, &nodemask, 8*sizeof(nodemask), MPOL_MF_MOVE);
      	if (err)
      		perror("mbind");
      
      	signal(SIGALRM, sig_done);
      	alarm(5);
      
      	if (!read) {
      		while (!done) {
      			for (i = 0; i < SIZE; i++)
      				mem[i] = 0x01;
      		}
      	} else {
      		while (!done) {
      			for (i = 0; i < SIZE; i++)
      				t += *(volatile char *)(mem + i);
      		}
      	}
      
      	return 0;
      }
      Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: <stable@kernel.org>
      Link: http://lkml.kernel.org/n/tip-tq73sxus35xmqpojf7ootxgs@git.kernel.orgSigned-off-by: NIngo Molnar <mingo@elte.hu>
      87e24f4b
  3. 11 3月, 2012 1 次提交
  4. 10 3月, 2012 7 次提交
  5. 09 3月, 2012 13 次提交
  6. 08 3月, 2012 16 次提交