1. Patchew
  2. linux
  3. View series

[PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files

Arnaldo Carvalho de Melo posted 29 patches 3 days, 11 hours ago 
tools/lib/perf/include/perf/event.h           |    9 +-
tools/perf/builtin-inject.c                   |   23 +-
tools/perf/builtin-kwork.c                    |   45 +-
tools/perf/builtin-record.c                   |    6 +-
tools/perf/tests/parse-no-sample-id-all.c     |    6 +
tools/perf/tests/shell/data_validation.sh     |   85 ++
tools/perf/trace/beauty/perf_event_open.c     |   23 +-
tools/perf/util/arm-spe.c                     |    2 +-
tools/perf/util/auxtrace.c                    |   24 +-
tools/perf/util/cpumap.c                      |   62 +-
tools/perf/util/cs-etm.c                      |    2 +-
tools/perf/util/header.c                      |  625 +++++++-
tools/perf/util/jitdump.c                     |    2 +-
tools/perf/util/kwork.h                       |    1 +
tools/perf/util/perf_event_attr_fprintf.c     |  141 +-
.../scripting-engines/trace-event-python.c    |   28 +-
tools/perf/util/session.c                     | 1355 +++++++++++++++--
tools/perf/util/session.h                     |    2 +
tools/perf/util/synthetic-events.c            |   25 +-
tools/perf/util/tool.c                        |   51 +-
tools/perf/util/tsc.c                         |    2 +-
tools/perf/util/zstd.c                        |   47 +-
22 files changed, 2272 insertions(+), 294 deletions(-)
create mode 100755 tools/perf/tests/shell/data_validation.sh
[PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files
Posted by Arnaldo Carvalho de Melo 3 days, 11 hours ago 
perf.data validation and hardening (29 patches)

A crafted or corrupted perf.data file can cause out-of-bounds
reads/writes, infinite loops, heap overflows, and segfaults in perf
report, perf script, perf inject, perf timechart, and perf kwork.
This series adds defense-in-depth validation for file parsing:

- Per-event-type minimum size table, enforced before swap and
  processing on both native and cross-endian paths.

- Bounds-checking the one_mmap fast path in peek_event against the
  mapped region size, preventing OOB reads from crafted file_offset.

- Swap handler return values (void -> int) so handlers can propagate
  errors instead of silently corrupting adjacent memory.

- Bounds checking for string fields (null-termination), array counts
  (nr vs payload size), feature section sizes (vs file size), and
  CPU indices (vs nr_cpus_avail / array allocation).

- ABI0 handling for perf_event_attr.size == 0 across all code paths
  (swap, native, synthesize, read_event_desc), with consistent
  behavior regardless of file endianness.

- READ_ONCE() snapshot of event->header.size in process_user_event()
  to prevent compiler rematerialization from MAP_SHARED memory.

- Sanitizer-aware shell test: the truncated perf.data test captures
  stderr and checks for ASAN/MSAN/TSAN/UBSAN markers, since sanitizer
  exits use code 1 which otherwise looks like a clean error exit.

Pre-existing bugs fixed along the way:

- event_contains() macro off-by-one (checked start, not full extent)

- zstd_decompress_stream multi-iteration output.pos bug

- zstd_compress_stream_to_records: broken memcpy fallback -> return -1
  + ZSTD context reset + dst_size underflow guard

- PERF_RECORD_SWITCH sample_id_all offset wrong for non-CPU_WIDE

- cpu_map__from_range any_cpu used as count instead of boolean

- cpu_map__from_mask double-fetch heap overflow (j >= weight guard)

- kwork cpus_runtime BUG_ON with signed comparison

- perf_header__getbuffer64 EOF without errno (silent success)

- read_event_desc ABI0 sentinel (attr.size=0 -> free_event_desc early stop)

- EVENT_UPDATE MASK: missing offsetof underflow guard + pr_warning on
  mask32/mask64 validation paths

Additional pre-existing issues were noticed during review and will be
addressed in follow-up series.

Testing
-------

- perf test at baseline and at patches 1, 8, 11, 17, 21, 26, 29
  with 300s timeout -- no regressions detected.
- Build with both gcc and clang at every patch.
- checkpatch.pl on all 29 patches.
- Full root perf test on x86_64 (x1, i7-1260P) and aarch64
  (Raspberry Pi 4, Cortex-A72, Debian trixie).

Developed with AI assistance (Claude/sashiko), tagged in commits.

It is available at:

  https://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools-next.git perf-data-validation

  https://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools-next.git/log/?h=perf-data-validation

I think this is the last one, followup series will deal with the
pre-existing issues found while working on this series, its all in
several TODO files.

Best regards,

- Arnaldo

Changes in v4
-------------

- Patch 22: fix comment in process_mem_topology() — per-node fields
  are node_id + mem_size + bitmap_nr_bits, not version + bitmap_size.
- Patch 29: add mktemp failure guards (exit 2 = skip) so empty
  variables don't cause 'rm -f .old' in cleanup.  Use dd bs=$cut_at
  count=1 instead of bs=1 count=$cut_at to avoid one syscall per byte.

Changes in v3
-------------

- Patch 10: fix perf_event__repipe_attr() in builtin-inject.c to
  handle ABI0 attr.size==0 — was using the raw size for memcpy and
  the perf_record_header_attr_id() macro, which both break when
  attr.size is 0.
- Patch 12: add sample_id_all handling to perf_event__build_id_swap()
  — perf_event__synthesize_build_id() appends id_sample data, so
  cross-endian pipe mode must swap those trailing fields.
- Patch 24: remove comp_mmap_len upper-bound cap that rejected valid
  perf record -m 2G recordings (mmap_len exceeds 2GB - 4096).  The
  downstream decompression path already checks against SIZE_MAX.

Changes in v2
-------------

- Patch 8: strnlen with 'end - data' limit instead of open-ended strlen
- Patch 10: ABI0 attr.size==0 handling for native-endian path
- Patch 13: READ_ONCE snapshot for mask32_data.nr, long_size validation
- Patch 17: attr_size bounds check for all PRINT_ATTRn macros

Arnaldo Carvalho de Melo (29):
  perf session: Add minimum event size and alignment validation
  perf session: Bounds-check one_mmap event pointer in peek_event
  perf tools: Fix event_contains() macro to verify full field extent
  perf zstd: Fix compression error path in zstd_compress_stream_to_records()
  perf zstd: Fix multi-iteration decompression and error handling
  perf session: Fix PERF_RECORD_READ swap and dump for variable-length events
  perf session: Fix swap_sample_id_all() crash on crafted events
  perf session: Add validated swap infrastructure with null-termination checks
  perf session: Use bounded copy for PERF_RECORD_TIME_CONV
  perf session: Validate HEADER_ATTR attr.size before swapping
  perf session: Validate nr fields against event size on both swap and common paths
  perf header: Byte-swap build ID event pid and bounds check section entries
  perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu
  perf auxtrace: Harden auxtrace_error event handling
  perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events
  perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields
  perf tools: Bounds check perf_event_attr fields against attr.size before printing
  perf header: Propagate feature section processing errors
  perf header: Validate f_attr.ids section before use in perf_session__read_header()
  perf header: Validate feature section size and add read path bounds checking
  perf header: Sanity check HEADER_EVENT_DESC attr.size before swap
  perf header: Validate bitmap size before allocating in do_read_bitmap()
  perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2
  perf tools: Harden compressed event processing
  perf session: Check for decompression buffer size overflow
  perf session: Bound nr_cpus_avail and validate sample CPU
  perf kwork: Bounds check work->cpu before indexing cpus_runtime[]
  perf session: Snapshot event->header.size in process_user_event()
  perf test: Add truncated perf.data robustness test

 tools/lib/perf/include/perf/event.h           |    9 +-
 tools/perf/builtin-inject.c                   |   23 +-
 tools/perf/builtin-kwork.c                    |   45 +-
 tools/perf/builtin-record.c                   |    6 +-
 tools/perf/tests/parse-no-sample-id-all.c     |    6 +
 tools/perf/tests/shell/data_validation.sh     |   85 ++
 tools/perf/trace/beauty/perf_event_open.c     |   23 +-
 tools/perf/util/arm-spe.c                     |    2 +-
 tools/perf/util/auxtrace.c                    |   24 +-
 tools/perf/util/cpumap.c                      |   62 +-
 tools/perf/util/cs-etm.c                      |    2 +-
 tools/perf/util/header.c                      |  625 +++++++-
 tools/perf/util/jitdump.c                     |    2 +-
 tools/perf/util/kwork.h                       |    1 +
 tools/perf/util/perf_event_attr_fprintf.c     |  141 +-
 .../scripting-engines/trace-event-python.c    |   28 +-
 tools/perf/util/session.c                     | 1355 +++++++++++++++--
 tools/perf/util/session.h                     |    2 +
 tools/perf/util/synthetic-events.c            |   25 +-
 tools/perf/util/tool.c                        |   51 +-
 tools/perf/util/tsc.c                         |    2 +-
 tools/perf/util/zstd.c                        |   47 +-
 22 files changed, 2272 insertions(+), 294 deletions(-)
 create mode 100755 tools/perf/tests/shell/data_validation.sh

-- 
2.54.0
Re: [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files
Posted by Arnaldo Carvalho de Melo 3 days, 7 hours ago 
On Tue, May 26, 2026 at 06:17:36PM -0300, Arnaldo Carvalho de Melo wrote:
> perf.data validation and hardening (29 patches)
> 
> A crafted or corrupted perf.data file can cause out-of-bounds
> reads/writes, infinite loops, heap overflows, and segfaults in perf
> report, perf script, perf inject, perf timechart, and perf kwork.
> This series adds defense-in-depth validation for file parsing:

The analysis about Sashiko's remaining comments is below, unless someone
has something not related by Sashiko, I'll merge this tomorrow and
continue processing the other outstanding patches.

● Here's the v4 sashiko.dev review triage — 13 of 29 patches got reviews:

  Patches with findings:

  Patch: 02 (peek_event bounds)
  Findings: 1 High: mmap_size - page_offset underflow
  Verdict: Pre-existing — reader__init() validates data_size, page_offset can't exceed mmap_size
  ────────────────────────────────────────
  Patch: 04 (zstd compress)
  Findings: 1 Critical + 3 High: multi-record header overflow, AIO data_size, flush return, decompress pos
  Verdict: All pre-existing — the Critical is about process_header() aggregate size, and the decompress issue is fixed later in patch 05
  ────────────────────────────────────────
  Patch: 05 (zstd decompress)
  Findings: 1 High: O_NONBLOCK missing on file opens
  Verdict: Pre-existing — not introduced by this patch, unrelated to zstd

This one IIRC Ian sent a patch for review-prompts, merged recently that
will make its way to Sashiko and will stop being flagged as a problem:

  "kernel/subsystem/perf.md: Remove section describing non-blocking IO"
  https://github.com/masoncl/review-prompts/commit/261d73261dbb11f38ff9c653da3608b162741e03

  ────────────────────────────────────────
  Patch: 08 (swap infra)
  Findings: 2 High: mmap2 prot/flags not swapped, event_update union not swapped
  Verdict: Both pre-existing — correct observations for follow-up series
  ────────────────────────────────────────
  Patch: 10 (HEADER_ATTR)
  Findings: same as v3 — already triaged
  Verdict:
  ────────────────────────────────────────
  Patch: 11 (nr validation)
  Findings: 1 Medium: native path aborts vs swap path skips on bad THREAD_MAP
  Verdict: Valid observation — but intentional: native path returns -EINVAL to catch corruption, swap path skips to keep session alive.
  ────────────────────────────────────────
  Patch: 12 (build_id_swap)
  Findings: same as v3 — already fixed in v4
  Verdict:
  ────────────────────────────────────────
  Patch: 15 (BPF_METADATA)
  Findings: 1 High new: double-fetch of header.size in swap path; 2 High pre-existing: TOCTOU on native path
  Verdict: The double-fetch is valid for swap but swap runs on MAP_PRIVATE (writable copy), so no concurrent modification possible.
  ────────────────────────────────────────
  Patch: 24 (compressed hardening)
  Findings: 1 Medium: double-fetch of event->header.size in tool.c
  Verdict: Same TOCTOU pattern
  ────────────────────────────────────────
  Patch: 26 (CPU bounds)
  Findings: 1 High: global clamp corrupts data for >4096 CPUs
  Verdict: Known limitation — memory [[MAX_NR_CPUS dynamic allocation]] TODO
  ────────────────────────────────────────
  Patch: 28 (READ_ONCE snapshot)
  Findings: 4 High: incomplete TOCTOU fix, type confusion, array count re-reads
  Verdict: All pre-existing MAP_SHARED TOCTOU. The full fix would be MAP_PRIVATE, noted as follow-up
  ────────────────────────────────────────
  Patch: 29 (shell test)

  Fixed and sent the diff in response to Sashiko's review e-mail.

  Summary: 1 new actionable issue in v4. All the other findings are
  either pre-existing (documented in the cover letter), already fixed in
  this version, or intentional design decisions. The mmap2 prot/flags
  and event_update union swap gaps (patch 08) are valid pre-existing
  bugs for a follow-up series.

-------------------------------------------------------------------------
Re: [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files
Posted by Arnaldo Carvalho de Melo 1 day, 10 hours ago 
On Tue, May 26, 2026 at 10:06:10PM -0300, Arnaldo Carvalho de Melo wrote:
> On Tue, May 26, 2026 at 06:17:36PM -0300, Arnaldo Carvalho de Melo wrote:
> > perf.data validation and hardening (29 patches)
> > 
> > A crafted or corrupted perf.data file can cause out-of-bounds
> > reads/writes, infinite loops, heap overflows, and segfaults in perf
> > report, perf script, perf inject, perf timechart, and perf kwork.
> > This series adds defense-in-depth validation for file parsing:
> 
> The analysis about Sashiko's remaining comments is below, unless someone
> has something not related by Sashiko, I'll merge this tomorrow and
> continue processing the other outstanding patches.

Merged into perf-tools-next,

- Arnaldo
 
> ● Here's the v4 sashiko.dev review triage — 13 of 29 patches got reviews:
> 
>   Patches with findings:
> 
>   Patch: 02 (peek_event bounds)
>   Findings: 1 High: mmap_size - page_offset underflow
>   Verdict: Pre-existing — reader__init() validates data_size, page_offset can't exceed mmap_size
>   ────────────────────────────────────────
>   Patch: 04 (zstd compress)
>   Findings: 1 Critical + 3 High: multi-record header overflow, AIO data_size, flush return, decompress pos
>   Verdict: All pre-existing — the Critical is about process_header() aggregate size, and the decompress issue is fixed later in patch 05
>   ────────────────────────────────────────
>   Patch: 05 (zstd decompress)
>   Findings: 1 High: O_NONBLOCK missing on file opens
>   Verdict: Pre-existing — not introduced by this patch, unrelated to zstd
> 
> This one IIRC Ian sent a patch for review-prompts, merged recently that
> will make its way to Sashiko and will stop being flagged as a problem:
> 
>   "kernel/subsystem/perf.md: Remove section describing non-blocking IO"
>   https://github.com/masoncl/review-prompts/commit/261d73261dbb11f38ff9c653da3608b162741e03
> 
>   ────────────────────────────────────────
>   Patch: 08 (swap infra)
>   Findings: 2 High: mmap2 prot/flags not swapped, event_update union not swapped
>   Verdict: Both pre-existing — correct observations for follow-up series
>   ────────────────────────────────────────
>   Patch: 10 (HEADER_ATTR)
>   Findings: same as v3 — already triaged
>   Verdict:
>   ────────────────────────────────────────
>   Patch: 11 (nr validation)
>   Findings: 1 Medium: native path aborts vs swap path skips on bad THREAD_MAP
>   Verdict: Valid observation — but intentional: native path returns -EINVAL to catch corruption, swap path skips to keep session alive.
>   ────────────────────────────────────────
>   Patch: 12 (build_id_swap)
>   Findings: same as v3 — already fixed in v4
>   Verdict:
>   ────────────────────────────────────────
>   Patch: 15 (BPF_METADATA)
>   Findings: 1 High new: double-fetch of header.size in swap path; 2 High pre-existing: TOCTOU on native path
>   Verdict: The double-fetch is valid for swap but swap runs on MAP_PRIVATE (writable copy), so no concurrent modification possible.
>   ────────────────────────────────────────
>   Patch: 24 (compressed hardening)
>   Findings: 1 Medium: double-fetch of event->header.size in tool.c
>   Verdict: Same TOCTOU pattern
>   ────────────────────────────────────────
>   Patch: 26 (CPU bounds)
>   Findings: 1 High: global clamp corrupts data for >4096 CPUs
>   Verdict: Known limitation — memory [[MAX_NR_CPUS dynamic allocation]] TODO
>   ────────────────────────────────────────
>   Patch: 28 (READ_ONCE snapshot)
>   Findings: 4 High: incomplete TOCTOU fix, type confusion, array count re-reads
>   Verdict: All pre-existing MAP_SHARED TOCTOU. The full fix would be MAP_PRIVATE, noted as follow-up
>   ────────────────────────────────────────
>   Patch: 29 (shell test)
> 
>   Fixed and sent the diff in response to Sashiko's review e-mail.
> 
>   Summary: 1 new actionable issue in v4. All the other findings are
>   either pre-existing (documented in the cover letter), already fixed in
>   this version, or intentional design decisions. The mmap2 prot/flags
>   and event_update union swap gaps (patch 08) are valid pre-existing
>   bugs for a follow-up series.
> 
> -------------------------------------------------------------------------
Re: [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files
Posted by Ian Rogers 1 day, 10 hours ago 
On Tue, May 26, 2026 at 6:06 PM Arnaldo Carvalho de Melo
<acme@kernel.org> wrote:
>
> On Tue, May 26, 2026 at 06:17:36PM -0300, Arnaldo Carvalho de Melo wrote:
> > perf.data validation and hardening (29 patches)
> >
> > A crafted or corrupted perf.data file can cause out-of-bounds
> > reads/writes, infinite loops, heap overflows, and segfaults in perf
> > report, perf script, perf inject, perf timechart, and perf kwork.
> > This series adds defense-in-depth validation for file parsing:
>
> The analysis about Sashiko's remaining comments is below, unless someone
> has something not related by Sashiko, I'll merge this tomorrow and
> continue processing the other outstanding patches.
>
> ● Here's the v4 sashiko.dev review triage — 13 of 29 patches got reviews:
>
>   Patches with findings:
>
>   Patch: 02 (peek_event bounds)
>   Findings: 1 High: mmap_size - page_offset underflow
>   Verdict: Pre-existing — reader__init() validates data_size, page_offset can't exceed mmap_size
>   ────────────────────────────────────────
>   Patch: 04 (zstd compress)
>   Findings: 1 Critical + 3 High: multi-record header overflow, AIO data_size, flush return, decompress pos
>   Verdict: All pre-existing — the Critical is about process_header() aggregate size, and the decompress issue is fixed later in patch 05
>   ────────────────────────────────────────
>   Patch: 05 (zstd decompress)
>   Findings: 1 High: O_NONBLOCK missing on file opens
>   Verdict: Pre-existing — not introduced by this patch, unrelated to zstd
>
> This one IIRC Ian sent a patch for review-prompts, merged recently that
> will make its way to Sashiko and will stop being flagged as a problem:
>
>   "kernel/subsystem/perf.md: Remove section describing non-blocking IO"
>   https://github.com/masoncl/review-prompts/commit/261d73261dbb11f38ff9c653da3608b162741e03
>
>   ────────────────────────────────────────
>   Patch: 08 (swap infra)
>   Findings: 2 High: mmap2 prot/flags not swapped, event_update union not swapped
>   Verdict: Both pre-existing — correct observations for follow-up series
>   ────────────────────────────────────────
>   Patch: 10 (HEADER_ATTR)
>   Findings: same as v3 — already triaged
>   Verdict:
>   ────────────────────────────────────────
>   Patch: 11 (nr validation)
>   Findings: 1 Medium: native path aborts vs swap path skips on bad THREAD_MAP
>   Verdict: Valid observation — but intentional: native path returns -EINVAL to catch corruption, swap path skips to keep session alive.
>   ────────────────────────────────────────
>   Patch: 12 (build_id_swap)
>   Findings: same as v3 — already fixed in v4
>   Verdict:
>   ────────────────────────────────────────
>   Patch: 15 (BPF_METADATA)
>   Findings: 1 High new: double-fetch of header.size in swap path; 2 High pre-existing: TOCTOU on native path
>   Verdict: The double-fetch is valid for swap but swap runs on MAP_PRIVATE (writable copy), so no concurrent modification possible.
>   ────────────────────────────────────────
>   Patch: 24 (compressed hardening)
>   Findings: 1 Medium: double-fetch of event->header.size in tool.c
>   Verdict: Same TOCTOU pattern
>   ────────────────────────────────────────
>   Patch: 26 (CPU bounds)
>   Findings: 1 High: global clamp corrupts data for >4096 CPUs
>   Verdict: Known limitation — memory [[MAX_NR_CPUS dynamic allocation]] TODO
>   ────────────────────────────────────────
>   Patch: 28 (READ_ONCE snapshot)
>   Findings: 4 High: incomplete TOCTOU fix, type confusion, array count re-reads
>   Verdict: All pre-existing MAP_SHARED TOCTOU. The full fix would be MAP_PRIVATE, noted as follow-up
>   ────────────────────────────────────────
>   Patch: 29 (shell test)
>
>   Fixed and sent the diff in response to Sashiko's review e-mail.
>
>   Summary: 1 new actionable issue in v4. All the other findings are
>   either pre-existing (documented in the cover letter), already fixed in
>   this version, or intentional design decisions. The mmap2 prot/flags
>   and event_update union swap gaps (patch 08) are valid pre-existing
>   bugs for a follow-up series.
>
> -------------------------------------------------------------------------

I'm more than happy with this merge, good not being the enemy of
perfect and things like that.

Reviewed-by: Ian Rogers <irogers@google.com>

Thanks,
Ian
Re: [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files
Posted by Arnaldo Carvalho de Melo 17 hours ago 
On Thu, May 28, 2026 at 03:07:13PM -0700, Ian Rogers wrote:
> On Tue, May 26, 2026 at 6:06 PM Arnaldo Carvalho de Melo
> <acme@kernel.org> wrote:
> >
> > On Tue, May 26, 2026 at 06:17:36PM -0300, Arnaldo Carvalho de Melo wrote:
> > > perf.data validation and hardening (29 patches)
> > >
> > > A crafted or corrupted perf.data file can cause out-of-bounds
> > > reads/writes, infinite loops, heap overflows, and segfaults in perf
> > > report, perf script, perf inject, perf timechart, and perf kwork.
> > > This series adds defense-in-depth validation for file parsing:
> >
> > The analysis about Sashiko's remaining comments is below, unless someone
> > has something not related by Sashiko, I'll merge this tomorrow and
> > continue processing the other outstanding patches.
> >
> > ● Here's the v4 sashiko.dev review triage — 13 of 29 patches got reviews:
> >
> >   Patches with findings:
> >
> >   Patch: 02 (peek_event bounds)
> >   Findings: 1 High: mmap_size - page_offset underflow
> >   Verdict: Pre-existing — reader__init() validates data_size, page_offset can't exceed mmap_size
> >   ────────────────────────────────────────
> >   Patch: 04 (zstd compress)
> >   Findings: 1 Critical + 3 High: multi-record header overflow, AIO data_size, flush return, decompress pos
> >   Verdict: All pre-existing — the Critical is about process_header() aggregate size, and the decompress issue is fixed later in patch 05
> >   ────────────────────────────────────────
> >   Patch: 05 (zstd decompress)
> >   Findings: 1 High: O_NONBLOCK missing on file opens
> >   Verdict: Pre-existing — not introduced by this patch, unrelated to zstd
> >
> > This one IIRC Ian sent a patch for review-prompts, merged recently that
> > will make its way to Sashiko and will stop being flagged as a problem:
> >
> >   "kernel/subsystem/perf.md: Remove section describing non-blocking IO"
> >   https://github.com/masoncl/review-prompts/commit/261d73261dbb11f38ff9c653da3608b162741e03
> >
> >   ────────────────────────────────────────
> >   Patch: 08 (swap infra)
> >   Findings: 2 High: mmap2 prot/flags not swapped, event_update union not swapped
> >   Verdict: Both pre-existing — correct observations for follow-up series
> >   ────────────────────────────────────────
> >   Patch: 10 (HEADER_ATTR)
> >   Findings: same as v3 — already triaged
> >   Verdict:
> >   ────────────────────────────────────────
> >   Patch: 11 (nr validation)
> >   Findings: 1 Medium: native path aborts vs swap path skips on bad THREAD_MAP
> >   Verdict: Valid observation — but intentional: native path returns -EINVAL to catch corruption, swap path skips to keep session alive.
> >   ────────────────────────────────────────
> >   Patch: 12 (build_id_swap)
> >   Findings: same as v3 — already fixed in v4
> >   Verdict:
> >   ────────────────────────────────────────
> >   Patch: 15 (BPF_METADATA)
> >   Findings: 1 High new: double-fetch of header.size in swap path; 2 High pre-existing: TOCTOU on native path
> >   Verdict: The double-fetch is valid for swap but swap runs on MAP_PRIVATE (writable copy), so no concurrent modification possible.
> >   ────────────────────────────────────────
> >   Patch: 24 (compressed hardening)
> >   Findings: 1 Medium: double-fetch of event->header.size in tool.c
> >   Verdict: Same TOCTOU pattern
> >   ────────────────────────────────────────
> >   Patch: 26 (CPU bounds)
> >   Findings: 1 High: global clamp corrupts data for >4096 CPUs
> >   Verdict: Known limitation — memory [[MAX_NR_CPUS dynamic allocation]] TODO
> >   ────────────────────────────────────────
> >   Patch: 28 (READ_ONCE snapshot)
> >   Findings: 4 High: incomplete TOCTOU fix, type confusion, array count re-reads
> >   Verdict: All pre-existing MAP_SHARED TOCTOU. The full fix would be MAP_PRIVATE, noted as follow-up
> >   ────────────────────────────────────────
> >   Patch: 29 (shell test)
> >
> >   Fixed and sent the diff in response to Sashiko's review e-mail.
> >
> >   Summary: 1 new actionable issue in v4. All the other findings are
> >   either pre-existing (documented in the cover letter), already fixed in
> >   this version, or intentional design decisions. The mmap2 prot/flags
> >   and event_update union swap gaps (patch 08) are valid pre-existing
> >   bugs for a follow-up series.
> >
> > -------------------------------------------------------------------------
> 
> I'm more than happy with this merge, good not being the enemy of
> perfect and things like that.
> 
> Reviewed-by: Ian Rogers <irogers@google.com>

Thanks, added to the csets, now to go on those other pre-existing
bugs...

- Arnaldo

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.