Subject: [PATCH 1/6] perf/sched: fix memory leaks in schedstat processing
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:49:51 +0800
Message-ID: <178003739172.62097.18263671852132331815@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

From 82a2414eac53e2052646a1c90a8eb8c03cecef22 Mon Sep 17 00:00:00 2001
From: Wang Haoran Date: Thu, 28 May 2026 15:16:39 +0800 Subject: [PATCH 1/6] perf/sched: fix memory leaks in schedstat processing perf_sched__process_schedstat() allocates a schedstat_cpu (or schedstat_domain) struct and its embedded data pointer, but fails to free either when the data pointer allocation fails or when the after_workload_flag path discards the temporary struct after diffing. free_schedstat() walks the cpu_head list and frees each node but omits the cpu_data and domain_data pointers allocated inside each node, leaking them on every normal exit path. Fix all three cases: - free temp on zalloc failure of the inner data pointer - free temp and its data pointer after store_schedstat_*_diff() - free cpu_data/domain_data inside free_schedstat() Fixes: Signed-off-by: Wang Haoran --- tools/perf/builtin-sched.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 3f509cfdd..ab4c9ffa4 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -4413,8 +4413,10 @@ static int perf_sched__process_schedstat(const struc= t perf_tool *tool __maybe_un return -ENOMEM; =20 temp->cpu_data =3D zalloc(sizeof(*temp->cpu_data)); - if (!temp->cpu_data) + if (!temp->cpu_data) { + free(temp); return -ENOMEM; + } =20 memcpy(temp->cpu_data, &event->schedstat_cpu, sizeof(*temp->cpu_data)); =20 @@ -4439,6 +4441,8 @@ static int perf_sched__process_schedstat(const struct= perf_tool *tool __maybe_un domain_second_pass =3D list_first_entry(&cpu_second_pass->domain_head, struct schedstat_domain, domain_list); store_schedstat_cpu_diff(temp); + free(temp->cpu_data); + free(temp); } } else if (event->header.type =3D=3D PERF_RECORD_SCHEDSTAT_DOMAIN) { struct schedstat_cpu *cpu_tail; 
@@ -4448,8 +4452,10 @@ static int perf_sched__process_schedstat(const struc= t perf_tool *tool __maybe_un return -ENOMEM; =20 temp->domain_data =3D zalloc(sizeof(*temp->domain_data)); - if (!temp->domain_data) + if (!temp->domain_data) { + free(temp); return -ENOMEM; + } =20 memcpy(temp->domain_data, &event->schedstat_domain, sizeof(*temp->domain= _data)); =20 @@ -4458,6 +4464,8 @@ static int perf_sched__process_schedstat(const struct= perf_tool *tool __maybe_un list_add_tail(&temp->domain_list, &cpu_tail->domain_head); } else { store_schedstat_domain_diff(temp); + free(temp->domain_data); + free(temp); domain_second_pass =3D list_next_entry(domain_second_pass, domain_list); } } 
@@ -4473,9 +4481,11 @@ static void free_schedstat(struct list_head *head) list_for_each_entry_safe(cptr, n2, head, cpu_list) { list_for_each_entry_safe(dptr, n1, &cptr->domain_head, domain_list) { list_del_init(&dptr->domain_list); + free(dptr->domain_data); free(dptr); } list_del_init(&cptr->cpu_list); + free(cptr->cpu_data); free(cptr); } } --=20 2.53.0 --- ASan output on perf 7.0.6 (unpatched) with the attached PoC: 0xb0 [0]: failed to process type: 1685713920 [Invalid argument] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D55915=3D=3DERROR: LeakSanitizer: detected memory leaks Direct leak of 73 byte(s) in 1 object(s) allocated from: #0 0x7f86f552b60f in malloc ../../../../src/libsanitizer/asan/asan_mall= oc_linux.cpp:67 #1 0x7f86f4096e6e in __vasprintf_internal libio/vasprintf.c:116 #2 0x7f86f4143172 in ___asprintf_chk debug/asprintf_chk.c:34 #3 0x6072f7e48ee3 in asprintf /usr/include/x86_64-linux-gnu/bits/stdio2= .h:206 #4 0x6072f7e48ee3 in astrcat=20 #5 0x6072f7e48ee3 in parse_options_subcommand=20 #6 0x6072f7de3ef0 in cmd_sched (perf+0x33eef0) (BuildId: 25d667fa7a7274= 046cb5bcb3375c4b1074f3f6db) #7 0x6072f7e2887f in handle_internal_command (perf+0x38387f) (BuildId: = 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) #8 0x6072f7c9b836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb= 5bcb3375c4b1074f3f6db) #9 0x7f86f402a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_= call_main.h:59 #10 0x7f86f402a717 in __libc_start_main_impl ../csu/libc-start.c:360 #11 0x6072f7ca3754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a727404= 6cb5bcb3375c4b1074f3f6db) Objects leaked above: 0x7bf6f33e0800 (73 bytes) Direct leak of 72 byte(s) in 1 object(s) allocated from: #0 0x7f86f552b40f in calloc ../../../../src/libsanitizer/asan/asan_mall= oc_linux.cpp:74 #1 0x6072f7dcfe52 in perf_sched__process_schedstat 
    (perf+0x32ae52) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x6072f80fcdc2 in perf_session__process_user_event (perf+0x657dc2) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x6072f8101af8 in process_simple (perf+0x65caf8) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x6072f8103865 in reader__read_event (perf+0x65e865) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x6072f810421d in perf_session__process_events (perf+0x65f21d) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #6 0x6072f7de9f97 in cmd_sched (perf+0x344f97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x6072f7e2887f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x6072f7c9b836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x7f86f402a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x7f86f402a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x6072f7ca3754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x7bf6f33e24e0 (72 bytes)

SUMMARY: AddressSanitizer: 145 byte(s) leaked in 2 allocation(s).
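Review bot: In the two after_workload_flag hunks, freeing temp->cpu_data / temp->domain_data and temp immediately after store_schedstat_cpu_diff(temp) and store_schedstat_domain_diff(temp) is only correct if those functions copy what they need out of temp rather than retaining a pointer to temp or to its data member; their bodies are not in the diff, so please confirm in the commit message that they consume temp by value, otherwise these hunks trade a leak for a dangling pointer. Two smaller points: the Fixes: tag is empty and should either name the commit that introduced the schedstat processing path or be dropped, and of the two leaks in the attached ASan output only the 72-byte calloc from perf_sched__process_schedstat is covered here; the 73-byte asprintf leak from parse_options_subcommand is a separate issue and the message should say so, since the summary otherwise reads as if this patch makes the PoC run leak-clean.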
Attachment: crash_err234_iter50.data (application/octet-stream)
Subject: [PATCH 2/6] perf/header: validate bitmap size before allocation in do_read_bitmap
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:50:00 +0800
Message-ID: <178003740032.62097.2831253079063258263@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

From 3514ed156b02bdbbc9b37bf7a4b8cb8ee5e7e402 Mon Sep 17 00:00:00 2001
From: Wang Haoran
Date: Thu, 28 May 2026 15:16:53 +0800
Subject: [PATCH 2/6] perf/header: validate bitmap size before allocation in do_read_bitmap

do_read_bitmap() reads a u64 size from the file and passes it directly to bitmap_zalloc(), which takes an int. If size exceeds INT_MAX the truncated int value produces a tiny allocation while the subsequent loop reads BITS_TO_U64(size) u64 values using the original u64, writing far beyond the allocated buffer and causing a heap overflow.

Add a bounds check that rejects any size that does not fit in an int before the allocation.

Fixes:
Signed-off-by: Wang Haoran
---
 tools/perf/util/header.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 9142a8ba4..e000eb9c1 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -287,6 +287,9 @@ static int do_read_bitmap(struct feat_fd *ff, unsigned = long **pset, u64 *psize) if (ret) return ret; =20 + if (size > INT_MAX) + return -EINVAL; + set =3D bitmap_zalloc(size); if (!set) return -ENOMEM; --=20 2.53.0 --- ASan output on perf 7.0.6 (unpatched) with the attached PoC: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D55925=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address 0= x6e688dfe0950 at pc 0x724890083d4c bp 0x7ffddd8621b0 sp 0x7ffddd861978 WRITE of size 8 at 0x6e688dfe0950 thread T0 #0 0x724890083d4b in read ../../../../src/libsanitizer/sanitizer_common= /sanitizer_common_interceptors.inc:1017 #1 0x6111c68ee74f in read /usr/include/x86_64-linux-gnu/bits/unistd.h:32 #2 0x6111c68ee74f in ion=20 #3 0x6111c68ee74f in readn=20 #4 0x6111c6b57dcb in process_mem_topology (perf+0x603dcb) (BuildId: 25d= 667fa7a7274046cb5bcb3375c4b1074f3f6db) #5 0x6111c6b51698 in perf_file_section__process (perf+0x5fd698) (BuildI= d: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) #6 0x6111c6b70992 in perf_header__process_sections (perf+0x61c992) (Bui= ldId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) #7 0x6111c6b72437 in perf_session__read_header (perf+0x61e437) (BuildId= : 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) #8 0x6111c6bace67 in __perf_session__new (perf+0x658e67) (BuildId: 25d6= 67fa7a7274046cb5bcb3375c4b1074f3f6db) #9 0x6111c6898edd in cmd_sched (perf+0x344edd) (BuildId: 25d667fa7a7274= 046cb5bcb3375c4b1074f3f6db) #10 0x6111c68d787f in handle_internal_command (perf+0x38387f) (BuildId:= 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) #11 0x6111c674a836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046c= b5bcb3375c4b1074f3f6db) #12 0x72488ec2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start= _call_main.h:59 #13 0x72488ec2a717 in __libc_start_main_impl ../csu/libc-start.c:360 #14 
    0x6111c6752754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

0x6e688dfe0951 is located 0 bytes after 1-byte region [0x6e688dfe0950,0x6e688dfe0951)
allocated by thread T0 here:
    #0 0x72489012b40f in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:74
    #1 0x6111c6b5779d in process_mem_topology (perf+0x60379d) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x6111c6b51698 in perf_file_section__process (perf+0x5fd698) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x6111c6b70992 in perf_header__process_sections (perf+0x61c992) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x6111c6b72437 in perf_session__read_header (perf+0x61e437) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x6111c6bace67 in __perf_session__new (perf+0x658e67) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #6 0x6111c6898edd in cmd_sched (perf+0x344edd) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x6111c68d787f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x6111c674a836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x72488ec2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x72488ec2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x6111c6752754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/unistd.h:32 in read
Shadow bytes around the buggy address:
  0x6e688dfe0680: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x6e688dfe0700: fa fa fa fa fa fa 00 00 fa fa 00 fa fa fa 00 00
  0x6e688dfe0780: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x6e688dfe0800: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
  0x6e688dfe0880: fa fa 00 00 fa fa 00 fa fa fa 01 fa fa fa 00 00
=>0x6e688dfe0900: fa fa 00 04 fa fa 00 fa fa fa[fa]fa fa fa fa fa
  0x6e688dfe0980: fa
                  fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6e688dfe0a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6e688dfe0a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6e688dfe0b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6e688dfe0b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
AddressSanitizer:DEADLYSIGNAL
=================================================================
==55925==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x6111c687a20c bp 0x7ffddd8628e0 sp 0x7ffddd862810 T0)
==55925==The signal is caused by a READ memory access.
==55925==Hint: address points to the zero page.
    #0 0x6111c687a20c in show_schedstat_data (perf+0x32620c) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #1 0x6111c6899d09 in cmd_sched (perf+0x345d09) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x6111c68d787f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x6111c674a836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x72488ec2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #5 0x72488ec2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0x6111c6752754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

==55925==Register values:
rax = 0x0000000000000000  rbx = 0x00006eb88dfe2710  rcx = 0x0000000000000000  rdx = 0x0000000000000000
rdi = 0x0000000000000000  rsi = 0x0000000000000000  rbp = 0x00007ffddd8628e0  rsp = 0x00007ffddd862810
r8  = 0x0000000000000000  r9  = 0x0000000000000000  r10 = 0x0000000000000002  r11 = 0x0000000000000000
r12 = 0x0000000000000000  r13 = 0x0000000000000000  r14 = 0x0000000000000000  r15 = 0x000070188dfe0080
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (perf+0x32620c) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) in show_schedstat_data
==55925==ABORTING

Attachment: crash_sig6_iter840.data (application/octet-stream)
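Review bot: The `size > INT_MAX` guard in the do_read_bitmap hunk stops the int truncation, but INT_MAX bits is still a 256 MiB allocation driven entirely by a field in an untrusted perf.data header, so a file-controlled size just under the limit turns the heap overflow into a very large calloc plus an equally long read loop; consider capping size at what the caller can legitimately need (the ASan trace shows this path reached from process_mem_topology) or at the bytes remaining in the section, so a crafted header fails fast instead of exhausting memory. Also confirm that header.c already includes the header that defines INT_MAX (linux/limits.h or limits.h), since the hunk adds a use without adding an include, and either fill in or drop the empty Fixes: tag. Separately, the attached log continues past the overflow into a NULL read in show_schedstat_data; that is a second bug this hunk does not touch, so the message should say which patch in the series handles it.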
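To make the truncation described in the commit message concrete, here is an added C harness (my own example, not code from the perf tree) that mirrors the arithmetic: the u64 size narrowed to int for the allocation versus the BITS_TO_U64(size) words the read loop consumes, beside the guard the patch adds. BITS_TO_U64 is re-declared locally with the kernel's definition; the helper names and the constructed sizes are mine.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Local re-declaration of the kernel macro: u64 words needed to hold n bits. */
#define BITS_TO_U64(n) (((n) + 63) / 64)

/*
 * Unpatched path: the u64 read from the file is passed to bitmap_zalloc(int).
 * Narrowing a value above INT_MAX to int is implementation-defined; on the
 * usual two's-complement targets it keeps the low 32 bits, which is what
 * yields the tiny (here zero-size) allocation seen in the ASan report.
 */
static int narrowed_bits(u64 size)
{
	return (int)size;
}

/* Bytes the allocation actually holds after narrowing (0 if the int went negative). */
static u64 alloc_bytes_after_narrowing(u64 size)
{
	int bits = narrowed_bits(size);

	if (bits < 0)
		return 0;
	return BITS_TO_U64((u64)bits) * sizeof(u64);
}

/* Bytes the read loop writes: it runs BITS_TO_U64(size) times on the original u64. */
static u64 loop_write_bytes(u64 size)
{
	return BITS_TO_U64(size) * sizeof(u64);
}

/* The guard added by the patch, with the same errno convention as do_read_bitmap(). */
static int validate_bitmap_size(u64 size)
{
	if (size > INT_MAX)
		return -EINVAL;
	return 0;
}

/* 1 when the unpatched path would write past its own buffer, 0 otherwise. */
static int would_overflow(u64 size)
{
	return loop_write_bytes(size) > alloc_bytes_after_narrowing(size);
}

/* Constructed sizes: a sane bitmap, the largest accepted size, and two that wrap. */
int main(void)
{
	const u64 cases[] = { 64, (u64)INT_MAX, (u64)INT_MAX + 1, (u64)1 << 32 };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		u64 s = cases[i];

		printf("size=%llu alloc=%llu loop_writes=%llu overflow=%d guard=%d\n",
		       (unsigned long long)s,
		       (unsigned long long)alloc_bytes_after_narrowing(s),
		       (unsigned long long)loop_write_bytes(s),
		       would_overflow(s), validate_bitmap_size(s));
	}
	return 0;
}
```

For size = 2^32 the narrowed int is 0, so the buffer is empty while the loop still writes 2^26 words (512 MiB); the guard rejects exactly the sizes for which the two byte counts diverge.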
From nobody Mon Jun 8 13:25:31 2026
Subject: [PATCH 3/6] perf/header: reject data offset beyond file size
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:50:13 +0800
Message-ID: <178003741374.62097.136470109571301341@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

From cc2ff328f62f766f74de038347d88ee2dc75f78d Mon Sep 17 00:00:00 2001
From: Wang Haoran
Date: Thu, 28 May 2026 15:17:07 +0800
Subject: [PATCH 3/6] perf/header: reject data offset beyond file size

A crafted perf.data file can set data.offset to a value larger than the
actual file size. perf then calls mmap() with that file offset, which
succeeds but maps a region entirely past the end of the file. Any
subsequent access to the mapped memory triggers SIGBUS.

Add an fstat() check in perf_file_header__read() that rejects files
whose claimed data.offset exceeds the real file size.

Fixes:
Signed-off-by: Wang Haoran
---
 tools/perf/util/header.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index e000eb9c1..f1a1831cf 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -4335,6 +4335,15 @@ int perf_file_header__read(struct perf_file_header *= header, return -1; } =20 + { + struct stat st; + + if (fstat(fd, &st) =3D=3D 0 && header->data.offset > (u64)st.st_size) { + pr_err("Perf file header corrupt: data offset beyond file size\n"); + return -1; + } + } + if (header->size !=3D sizeof(*header)) { /* Support the previous format */ if (header->size =3D=3D offsetof(typeof(*header), adds_features))
-- 
2.53.0

---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==55933==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5d35069296b4 bp 0x7fffd2df9100 sp 0x7fffd2df90a0 T0)
==55933==The signal is caused by a READ memory access.
==55933==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x5d35069296b4 in reader__read_event (perf+0x65e6b4) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #1 0x5d350692a21d in perf_session__process_events (perf+0x65f21d) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x5d350660ff97 in cmd_sched (perf+0x344f97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x5d350664e87f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x5d35064c1836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x7f111f42a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #6 0x7f111f42a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #7 0x5d35064c9754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

==55933==Register values:
rax = 0x0000000000000007  rbx = 0x00007b111d54bd90  rcx = 0x0000000000000001  rdx = 0x0000000000000000
rdi = 0x00007b111d54bdd8  rsi = 0x00007ce11e5e0080  rbp = 0x00007fffd2df9100  rsp = 0x00007fffd2df90a0
r8  = 0x0000000000000f68  r9  = 0x0000000000000000  r10 = 0x00007ce11e5e0080  r11 = 0x0000000000000246
r12 = 0x00007f111ebb7f68  r13 = 0x00000000000103c8  r14 = 0x00007f111ebb7f6e  r15 = 0x00007ce11e5e0080
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS (perf+0x65e6b4) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) in reader__read_event
==55933==ABORTING

[attachment: crash_sig7_iter210.data (application/octet-stream, base64; binary body not reproduced here)]
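Review bot: the new fstat() block in perf_file_header__read() only rejects `header->data.offset > (u64)st.st_size`, so a file whose data.offset is inside the file but whose data.size runs past its end is still accepted, and the reader can still end up touching mapped pages beyond EOF, the same SIGBUS path the commit message describes; validate the whole section instead, e.g. `header->data.offset > (u64)st.st_size || header->data.size > (u64)st.st_size - header->data.offset` (the subtraction form cannot overflow where `offset + size` can). Two smaller points: `fstat(fd, &st) == 0 &&` silently skips the check when fstat() fails, so a failure should be reported with pr_err() and treated as an error rather than fall through to the mmap(); and the `Fixes:` trailer in the commit message is empty, so it should either name the commit being fixed or be dropped.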
From nobody Mon Jun 8 13:25:31 2026
Subject: [PATCH 4/6] perf/header: add bounds check for domain index in process_cpu_domain_info
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:50:22 +0800
Message-ID: <178003742265.62097.6645230837884864368@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

From 6558dce0d11d81872d73655bc8290cfb1dc499b2 Mon Sep 17 00:00:00 2001
From: Wang Haoran
Date: Thu, 28 May 2026 15:17:21 +0800
Subject: [PATCH 4/6] perf/header: add bounds check for domain index in process_cpu_domain_info

process_cpu_domain_info() reads a domain index from the file and uses it
directly as an array index into cd_map[cpu]->domains[], which has
max_sched_domains entries. A crafted file can supply a domain value
>= max_sched_domains, causing an out-of-bounds write.

Add a bounds check that rejects domain values outside the valid range.
Free the just-allocated d_info before returning to avoid a memory leak.

Fixes:
Signed-off-by: Wang Haoran
---
 tools/perf/util/header.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index f1a1831cf..6281e97ee 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3670,6 +3670,11 @@ static int process_cpu_domain_info(struct feat_fd *f= f, void *data __maybe_unused if (!d_info) return -1; =20 + if (domain >=3D max_sched_domains) { + free(d_info); + return -1; + } + assert(cd_map[cpu]->domains[domain] =3D=3D NULL); cd_map[cpu]->domains[domain] =3D d_info; d_info->domain =3D domain;
-- 
2.53.0

---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==55941==ERROR: AddressSanitizer: SEGV on unknown address 0x729c3fbe0790 (pc 0x5e98934d9c97 bp 0x7ffd2f046790 sp 0x7ffd2f046650 T0)
==55941==The signal is caused by a WRITE memory access.
    #0 0x5e98934d9c97 in process_cpu_domain_info (perf+0x610c97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #1 0x5e98934c6698 in perf_file_section__process (perf+0x5fd698) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x5e98934e5992 in perf_header__process_sections (perf+0x61c992) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x5e98934e7437 in perf_session__read_header (perf+0x61e437) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x5e9893521e67 in __perf_session__new (perf+0x658e67) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x5e989320dedd in cmd_sched (perf+0x344edd) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #6 0x5e989324c87f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x5e98930bf836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x7669c0a2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #9 0x7669c0a2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x5e98930c7754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
==55941==Register values:
rax = 0x0000000050000000  rbx = 0x00007269be7f0a50  rcx = 0x00007289bfbe0970  rdx = 0x0000000000000020
rdi = 0x0000729c3fbe0790  rsi = 0x00007299bfbe07c0  rbp = 0x00007ffd2f046790  rsp = 0x00007ffd2f046650
r8  = 0x00000e5137f7c137  r9  = 0x0000000000000000  r10 = 0x00000000000000dc  r11 = 0x00007669c24acfec
r12 = 0x00007269be7f0aa0  r13 = 0x0000000000000000  r14 = 0x00007299bfbe07c0  r15 = 0x00007269be7f09b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (perf+0x610c97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) in process_cpu_domain_info
==55941==ABORTING

[attachment: crash_sig11_iter2.data (application/octet-stream, base64; binary body not reproduced here)]
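Review bot: the new `domain >= max_sched_domains` check is immediately followed by `assert(cd_map[cpu]->domains[domain] == NULL)`, so a crafted file that repeats a domain index for the same cpu still aborts the tool (or, with NDEBUG, silently overwrites and leaks the earlier d_info); since the index comes from the file, that assert should become the same kind of rejection, e.g. `if (cd_map[cpu]->domains[domain]) { free(d_info); return -1; }`. Two further points: if `domain` is a signed type, a negative value passes `>= max_sched_domains` and still indexes before the array, so compare an unsigned value (or also test `domain < 0`); and if `domain` is already known when d_info is allocated, validating it before the allocation removes the free() on the error path. A pr_err() naming the bad field, as patch 3/6 does, would make the bare `return -1` diagnosable.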
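Both commit messages in this thread describe checks on values read from the file: a section offset in 3/6 and a domain index in 4/6. The following is an added example, not perf's code and not part of this thread; it writes the two checks as stand-alone C helpers with hypothetical names (section_within_file, attach_domain, MAX_SCHED_DOMAINS standing in for max_sched_domains, a minimal cpu_domains struct) and drives them on constructed sizes that are not taken from the attached PoC files. It goes beyond the hunks in two ways: the section check covers offset plus size without the overflow a plain sum could hit, and a duplicate domain index is rejected as a parse error rather than asserted on.

```c
/* Added example, not perf's code: the two input checks described by the
 * patches, as stand-alone helpers with hypothetical names. The sizes in
 * run_demo() are constructed, not taken from the PoC attachments. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for perf's max_sched_domains. */
#define MAX_SCHED_DOMAINS 8

/* A file section claims [offset, offset + size). Accept it only if it
 * lies entirely inside a file of file_size bytes. The subtraction form
 * cannot overflow, unlike 'offset + size > file_size' for huge values. */
bool section_within_file(uint64_t offset, uint64_t size, uint64_t file_size)
{
    if (offset > file_size)
        return false;               /* section starts past EOF */
    return size <= file_size - offset;  /* and must also end inside the file */
}

struct domain_info {
    unsigned int domain;
};

struct cpu_domains {
    struct domain_info *domains[MAX_SCHED_DOMAINS];
};

/* Attach d_info at index 'domain'. Out-of-range and duplicate indices are
 * ordinary parse errors: the allocation is freed and -1 returned, instead
 * of an out-of-bounds write or an assert() on file-controlled data. */
int attach_domain(struct cpu_domains *cd, unsigned int domain,
                  struct domain_info *d_info)
{
    if (!d_info)
        return -1;
    if (domain >= MAX_SCHED_DOMAINS || cd->domains[domain] != NULL) {
        free(d_info);
        return -1;
    }
    d_info->domain = domain;
    cd->domains[domain] = d_info;
    return 0;
}

/* Exercise both helpers on constructed input; returns the number of
 * checks that behaved as expected (7 when everything is correct). */
int run_demo(void)
{
    int ok = 0;
    const uint64_t file_size = 0x4c8;   /* constructed file length */

    ok += section_within_file(0x68, 0x400, file_size);          /* inside */
    ok += !section_within_file(0xff68, 0x10, file_size);        /* offset past EOF */
    ok += !section_within_file(0x4c0, 0x10, file_size);         /* tail past EOF */
    ok += !section_within_file(UINT64_MAX, 1, file_size);       /* sum would overflow */

    struct cpu_domains cd;
    memset(&cd, 0, sizeof(cd));
    ok += attach_domain(&cd, 0, calloc(1, sizeof(struct domain_info))) == 0;
    ok += attach_domain(&cd, 0, calloc(1, sizeof(struct domain_info))) == -1;  /* duplicate */
    ok += attach_domain(&cd, MAX_SCHED_DOMAINS,
                        calloc(1, sizeof(struct domain_info))) == -1;         /* out of range */
    free(cd.domains[0]);
    return ok;
}

int main(void)
{
    printf("%d of 7 checks behaved as expected\n", run_demo());
    return 0;
}
```

The section check is the shape to use wherever a file-supplied (offset, size) pair is handed to mmap() or lseek(): compare the offset first, then the size against the remaining bytes, so neither comparison can wrap.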
From nobody Mon Jun 8 13:25:31 2026
Subject: [PATCH 5/6] perf/sched: replace list_first_entry with list_first_entry_or_null
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:50:32 +0800
Message-ID: <178003743298.62097.12296428897032273088@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

>From f66a328ea7a6832689b8d19f4643f31b8caf1e28 Mon Sep 17 00:00:00 2001
From: Wang Haoran
Date: Thu, 28 May 2026 15:18:07 +0800
Subject: [PATCH 5/6] perf/sched: replace list_first_entry with list_first_entry_or_null

list_first_entry() is unsafe when called on a potentially empty list: it
computes container_of() on the list head itself and returns a garbage
pointer rather than NULL, so any NULL check on the result is dead code.

get_all_cpu_stats() and show_schedstat_data() call list_first_entry() on
lists that are populated from user-controlled perf.data content, making
them reachable via crafted input.

Replace every such call with list_first_entry_or_null() and add the
corresponding NULL guards.

Fixes:
Signed-off-by: Wang Haoran
---
 tools/perf/builtin-sched.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index ab4c9ffa4..55391f0b1 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -4170,7 +4170,7 @@ static void summarize_schedstat_domain(struct schedst= at_domain *summary_domain, */ static int get_all_cpu_stats(struct list_head *head) { - struct schedstat_cpu *cptr =3D list_first_entry(head, struct schedstat_cp= u, cpu_list); + struct schedstat_cpu *cptr =3D list_first_entry_or_null(head, struct sche= dstat_cpu, cpu_list); struct schedstat_cpu *summary_head =3D NULL; struct perf_record_schedstat_domain *ds; struct perf_record_schedstat_cpu *cs; @@ -4212,8 +4212,11 @@ static int get_all_cpu_stats(struct list_head *head) =20 cnt++; summarize_schedstat_cpu(summary_head, cptr, cnt, is_last); - tdptr =3D list_first_entry(&summary_head->domain_head, struct schedstat_= domain, - domain_list); + tdptr =3D list_first_entry_or_null(&summary_head->domain_head, + struct schedstat_domain, + domain_list); + if (!tdptr) + break; =20 list_for_each_entry(dptr, &cptr->domain_head, domain_list) { summarize_schedstat_domain(tdptr, dptr, cnt, is_last); @@ -4229,7 +4232,8 @@ static int show_schedstat_data(struct list_head *head= 1, struct cpu_domain_map ** struct list_head *head2, struct cpu_domain_map **cd_map2, bool summary_only) { - struct schedstat_cpu *cptr1 =3D list_first_entry(head1, struct schedstat_= cpu, cpu_list); + struct schedstat_cpu *cptr1 =3D + list_first_entry_or_null(head1, struct schedstat_cpu, cpu_list); struct perf_record_schedstat_domain *ds1 =3D NULL, *ds2 =3D NULL; struct perf_record_schedstat_cpu *cs1 =3D NULL, *cs2 =3D NULL; struct schedstat_domain *dptr1 =3D NULL, *dptr2 =3D NULL; 
@@ -4250,10 +4254,14 @@ static int show_schedstat_data(struct list_head *he= ad1, struct cpu_domain_map ** printf("\n"); =20 printf("%-65s: ", "Time elapsed (in jiffies)"); + if (!cptr1) + return -EINVAL; jiffies1 =3D cptr1->cpu_data->timestamp; printf("%11llu", jiffies1); if (head2) { - cptr2 =3D list_first_entry(head2, struct schedstat_cpu, cpu_list); + cptr2 =3D list_first_entry_or_null(head2, struct schedstat_cpu, cpu_list= ); + if (!cptr2) + return -EINVAL; jiffies2 =3D cptr2->cpu_data->timestamp; printf(",%11llu", jiffies2); }
-- 
2.53.0
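Review bot: In the get_all_cpu_stats() hunk (@@ -4170) the list_first_entry() call is swapped for list_first_entry_or_null() but no NULL guard for cptr is visible, so if cptr is dereferenced before the loop establishes that the list is non-empty this only turns a garbage pointer into a NULL dereference; add an `if (!cptr) return -EINVAL;` after the declarations (or point to where cptr is already checked), matching the guards added in show_schedstat_data(). Also, the Fixes: tag in the commit message is empty; fill in the introducing commit or drop the tag.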
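Review bot: In the second hunk (@@ -4212) the new `if (!tdptr) break;` silently stops summarizing and lets the function continue as if the summary were complete, while the same condition in show_schedstat_data() returns -EINVAL. An empty domain_head on summary_head right after summarize_schedstat_cpu() means the input is malformed, so return an error here (the function already returns int) rather than break, or at least emit a diagnostic so a truncated summary cannot be mistaken for a valid one.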
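Review bot: In the show_schedstat_data() hunk (@@ -4250) the `if (!cptr1) return -EINVAL;` sits after the "Time elapsed (in jiffies)" label has already been printed, and the cptr2 check fires after jiffies1 has been printed, so a malformed file leaves a half-written line on stdout before the error. Move both checks ahead of any output: cptr1 right after its declaration in the preceding hunk, and cptr2 resolved and checked before the first printf, so validation finishes before printing starts.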
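The failure mode the commit message describes, as an added example that is not code from the patch or the perf tree: a minimal local copy of the list helpers involved (the names mirror include/linux/list.h, the bodies are written here), a stand-in `struct schedstat_cpu`, and a `first_timestamp()` function with the guarded shape the patch moves to. It shows that `list_first_entry()` on an empty list returns a non-NULL pointer, so a NULL check on it can never fire, while `list_first_entry_or_null()` makes the `-EINVAL` path reachable.

```c
/* Added example, not code from the patch or the perf tree: a minimal local
 * copy of the kernel list helpers involved, to show why a NULL check after
 * list_first_entry() is dead code and what list_first_entry_or_null() does
 * differently. Names mirror include/linux/list.h; the bodies are ours. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct list_head {
	struct list_head *next, *prev;
};

#define LIST_HEAD_INIT(name) { &(name), &(name) }

static inline void list_add_tail(struct list_head *entry, struct list_head *head)
{
	struct list_head *last = head->prev;

	entry->next = head;
	entry->prev = last;
	last->next = entry;
	head->prev = entry;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

/* Same shape as the kernel macro: blindly takes head->next, which on an
 * empty list is the head itself, so the result is never NULL. */
#define list_first_entry(ptr, type, member) \
	list_entry((ptr)->next, type, member)

/* The safe variant: NULL when the list is empty, an entry otherwise. */
#define list_first_entry_or_null(ptr, type, member) \
	((ptr)->next != (ptr) ? list_entry((ptr)->next, type, member) : NULL)

/* Stand-in for perf's struct schedstat_cpu: a timestamp and a list node. */
struct schedstat_cpu {
	unsigned long long timestamp;
	struct list_head cpu_list;
};

/* Returns 1 when list_first_entry() on an empty list yields a non-NULL
 * pointer, i.e. when a following "if (!cptr)" could never fire. The pointer
 * aims just before `head` on the stack; it is compared, never dereferenced. */
int unchecked_lookup_is_non_null_on_empty(void)
{
	struct list_head head = LIST_HEAD_INIT(head);
	struct schedstat_cpu *cptr =
		list_first_entry(&head, struct schedstat_cpu, cpu_list);

	return cptr != NULL;
}

/* The shape the patch moves to: read the first CPU's timestamp, or fail
 * cleanly with -EINVAL when the list built from the input is empty. */
int first_timestamp(struct list_head *head, unsigned long long *out)
{
	struct schedstat_cpu *cptr =
		list_first_entry_or_null(head, struct schedstat_cpu, cpu_list);

	if (!cptr)
		return -EINVAL;
	*out = cptr->timestamp;
	return 0;
}

/* first_timestamp() on an empty list: expected -EINVAL, no crash. */
int empty_list_result(void)
{
	struct list_head head = LIST_HEAD_INIT(head);
	unsigned long long ts = 0;

	return first_timestamp(&head, &ts);
}

/* One constructed entry with the given timestamp; returns what
 * first_timestamp() reads back, or 0 if it reported an error. */
unsigned long long single_entry_timestamp(unsigned long long stamp)
{
	struct list_head head = LIST_HEAD_INIT(head);
	struct schedstat_cpu c0 = { .timestamp = stamp };
	unsigned long long ts = 0;

	list_add_tail(&c0.cpu_list, &head);
	return first_timestamp(&head, &ts) == 0 ? ts : 0;
}

int main(void)
{
	printf("list_first_entry() on empty list non-NULL: %d\n",
	       unchecked_lookup_is_non_null_on_empty());
	printf("first_timestamp() on empty list: %d\n", empty_list_result());
	printf("first_timestamp() with one entry: %llu\n",
	       single_entry_timestamp(4295000ULL));
	return 0;
}
```

The point for a reviewer is that the guard only has value when it is placed where the pointer is first consulted; `first_timestamp()` validates before any field access, which is the ordering the show_schedstat_data() hunk should also follow.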
From nobody Mon Jun 8 13:25:31 2026
Subject: [PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand
From: Wang Haoran
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, haoranwangsec@gmail.com
Date: Fri, 29 May 2026 14:50:45 +0800
Message-ID: <178003744574.62097.15841011812312422288@gmail.com>
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>
References: <178003738371.62097.10360938456907564684@gmail.com>

>From 9e71ffe9400fd54c4fc958b16229e5628271e4ad Mon Sep 17 00:00:00 2001
From: Wang Haoran
Date: Thu, 28 May 2026 15:18:33 +0800
Subject: [PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand

When subcommands are present and no usage string has been provided,
parse_options_subcommand() builds a usage string via astrcat() and stores
it in usagestr[0], but never frees it. The allocation leaks on every
normal return path.

Move the buf pointer to function scope and free it before returning.

Fixes:
Signed-off-by: Wang Haoran
---
 tools/lib/subcmd/parse-options.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/lib/subcmd/parse-options.c b/tools/lib/subcmd/parse-options.c
index 555d617c1..1eb8053e8 100644
--- a/tools/lib/subcmd/parse-options.c
+++ b/tools/lib/subcmd/parse-options.c
@@ -633,10 +633,10 @@ int parse_options_subcommand(int argc, const char **a= rgv, const struct option *o const char *const subcommands[], const char *usagestr[], int flags) { struct parse_opt_ctx_t ctx; + char *buf =3D NULL; =20 /* build usage string if it's not provided */ if (subcommands && !usagestr[0]) { - char *buf =3D NULL; =20 astrcatf(&buf, "%s %s [] {", subcmd_config.exec_name, argv[0]); =20
@@ -680,6 +680,7 @@ int parse_options_subcommand(int argc, const char **arg= v, const struct option *o usage_with_options(usagestr, options); } =20 + free(buf); return parse_options_end(&ctx); } =20
-- 
2.53.0

---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

Perf file header corrupt: header overlaps attrs
incompatible file format (rerun with -v to learn more)
Perf session creation failed.

=================================================================
==55949==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x77ab3032b60f in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x77ab2ee96e6e in __vasprintf_internal libio/vasprintf.c:116
    #2 0x77ab2ef43172 in ___asprintf_chk debug/asprintf_chk.c:34
    #3 0x568d03932ee3 in asprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:206
    #4 0x568d03932ee3 in astrcat
    #5 0x568d03932ee3 in parse_options_subcommand
    #6 0x568d038cdef0 in cmd_sched (perf+0x33eef0) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x568d0391287f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x568d03785836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x77ab2ee2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x77ab2ee2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x568d0378d754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x741b2e1e0800 (73 bytes)

SUMMARY: AddressSanitizer: 73 byte(s) leaked in 1 allocation(s).
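Review bot: In the first hunk (@@ -633) removing `char *buf = NULL;` leaves an empty line directly after `if (subcommands && !usagestr[0]) {`, which checkpatch flags as a blank line after an opening brace; drop it. Also, the Fixes: tag in the commit message is empty; fill in the introducing commit or drop the tag.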
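Review bot: In the second hunk (@@ -680) `free(buf)` releases memory that, per the commit message, was stored in the caller's usagestr[0]; after the free that slot still points at the released buffer, so any later use of usagestr by the caller turns the leak into a use-after-free. Clear the slot before freeing, e.g. `if (buf) usagestr[0] = NULL;` ahead of `free(buf);`, or restore whatever value the caller passed in.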
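The ownership problem the commit message describes, as an added example that is not code from the subcmd library: `build_usage()` stands in for the astrcatf() usage-string builder, `parse_leaky()` has the shape the commit message describes (heap string parked in the caller's `usagestr[0]`, never freed), and `parse_fixed()` frees the buffer at function scope and also clears the caller's slot so it cannot dangle. All three function names, and the `perf sched {record|latency}` command line, are constructed for the example.

```c
/* Added example, not code from the subcmd library: the ownership pattern
 * behind the leak. build_usage() stands in for astrcatf(), parse_leaky()
 * has the shape the commit message describes, parse_fixed() frees the
 * buffer and also clears the caller's slot. All three names are ours. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap-allocate "<exec> <cmd> [<options>] {sub1|sub2|...}"; caller owns it. */
static char *build_usage(const char *exec, const char *cmd,
			 const char *const subs[])
{
	size_t len = strlen(exec) + strlen(cmd) + sizeof(" [<options>] {}");
	char *buf;
	size_t i;

	for (i = 0; subs[i]; i++)
		len += strlen(subs[i]) + 1;	/* name plus '|' separator */
	buf = malloc(len);
	if (!buf)
		return NULL;
	sprintf(buf, "%s %s [<options>] {", exec, cmd);
	for (i = 0; subs[i]; i++) {
		strcat(buf, subs[i]);
		if (subs[i + 1])
			strcat(buf, "|");
	}
	strcat(buf, "}");
	return buf;
}

/* The leaking shape: the string lands in the caller's usagestr[0] and is
 * never released. Returns the length of the usage string that was used
 * (a stand-in for parsing options and printing usage). */
size_t parse_leaky(const char *usagestr[], const char *exec,
		   const char *cmd, const char *const subs[])
{
	if (subs && !usagestr[0])
		usagestr[0] = build_usage(exec, cmd, subs);
	return usagestr[0] ? strlen(usagestr[0]) : 0;
}

/* The fixed shape: buf lives at function scope, is freed on the way out,
 * and the caller-visible slot is cleared first so it cannot dangle. */
size_t parse_fixed(const char *usagestr[], const char *exec,
		   const char *cmd, const char *const subs[])
{
	char *buf = NULL;
	size_t used;

	if (subs && !usagestr[0]) {
		buf = build_usage(exec, cmd, subs);
		usagestr[0] = buf;
	}
	used = usagestr[0] ? strlen(usagestr[0]) : 0;
	if (buf) {
		usagestr[0] = NULL;	/* drop the reference before the memory goes */
		free(buf);
	}
	return used;
}

/* Constructed perf-like invocation for the demos below. */
static const char *const demo_subs[] = { "record", "latency", NULL };

/* After parse_leaky() the caller's slot still holds the heap string and
 * nobody frees it. Returns 1 if so; the demo then frees it itself so the
 * example does not leak, which is exactly the step the real caller lacked. */
int leaky_leaves_heap_pointer(void)
{
	const char *usagestr[] = { NULL };
	int leaked;

	parse_leaky(usagestr, "perf", "sched", demo_subs);
	leaked = usagestr[0] != NULL;
	free((void *)usagestr[0]);
	return leaked;
}

/* After parse_fixed() the slot is NULL again. Returns the usage length
 * that was used, or 0 if the slot still pointed at freed memory. */
size_t fixed_usage_length(void)
{
	const char *usagestr[] = { NULL };
	size_t used = parse_fixed(usagestr, "perf", "sched", demo_subs);

	return usagestr[0] == NULL ? used : 0;
}

int main(void)
{
	printf("leaky leaves heap pointer: %d\n", leaky_leaves_heap_pointer());
	printf("fixed usage length: %zu\n", fixed_usage_length());
	return 0;
}
```

Run under ASan the `parse_leaky()` shape reproduces a LeakSanitizer report like the one above once the demo's own `free()` is removed; the `parse_fixed()` shape is clean and, because the slot is reset before `free()`, leaves the caller nothing stale to dereference.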
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="crash_err255_iter46.data"