From nobody Mon Jun 8 06:36:19 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9A1432B9BA; Fri, 5 Jun 2026 12:15:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661732; cv=none; b=r5N+Uggb5D1o6v0W1vQ7loqaTZHHXZuQqhLey2WneAtH19jf4EX3HJszpbF2m+EnIPja6xIVfiri7YOrlAVUfe7B0mc+3VmfQbK+4N6k7tRa5Vz3uTkCALuoPkG0Kca74pOp+LX4FGef6wiz/y7Xfj+/ItS2RzjnnOQhH+tx+qs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661732; c=relaxed/simple; bh=SF5ZF2BblWfErPptcvocSIo0q8Zm5fWA+7ob7hmIZMQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lZwYowxdGp+eUzixxi1ari0jrmrLujs7HA88o2KUSkl37CW40N8PVLp+bvJfA8sS4SU8KQFpM9Jie5PC4tu6XwCD0wKX2vsvAOLf9EbKkfQJzrMCoKRCPlgEDU4sEGapctVGywtS1MhQa6iRboq7Lnhs4xxABBpKMi3H3X6q44w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Bxf+UBeD; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Bxf+UBeD" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 05FE91F00899; Fri, 5 Jun 2026 12:15:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780661731; bh=cGgiqBqVSTzmH2qdKzPTMwaQ+0wTc4gAaPhVbB6NQtI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Bxf+UBeD+Mboa8EOqm29dt/U3lY+vJxEMrpVv1RMXPNT2Vv39rPhXUffNRZOeD7kX 0cSNc465WNO+trW9D7H9/8Ks/5oEHsgTOX1Z9c1nIsGBo6AfSpwUSNkT2oWnYXHOp0 48PfHXg3chng/B8f3jS0Qt8q8O0kzfgrPzi/Zc8XXO+CrU3tNdKzGSftiO7qJisx7N b5luLljBa0O2m/OVdVUrpCe99c9LP0bdbmeB+l+noley8/5JQ26sjhyWig6IQz8xiI 
BgHQLdF2Vlv4GiFg+o6KukTVoVYRhInq+fAu9JYsACcZY3Eq28+S0c2pqRFQFcYjRG YgXB5Y85PXEsg== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Anton Blanchard , "Claude Opus 4.6" Subject: [PATCH 1/5] perf tools: Guard remaining test_bit calls from OOB sample CPU Date: Fri, 5 Jun 2026 09:15:10 -0300 Message-ID: <20260605121515.1725549-2-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605121515.1725549-1-acme@kernel.org> References: <20260605121515.1725549-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo auxtrace.c:filter_cpu() and builtin-script.c:filter_cpu() call test_bit(cpu, cpu_bitmap) where cpu_bitmap is declared with MAX_NR_CPUS bits. When the CPU value from a perf.data event is corrupt or absent (e.g. negative or >= MAX_NR_CPUS), test_bit reads out of bounds. Add bounds checks before test_bit(): >= 0 for the int16_t cpu.cpu in auxtrace (which also covers the -1 sentinel), and < MAX_NR_CPUS for both sites. Matches the pattern applied in the previous series for builtin-annotate.c, builtin-diff.c, builtin-report.c, and builtin-sched.c. Fixes: 644e0840ad46 ("perf auxtrace: Add CPU filter support") Fixes: 5d67be97f890 ("perf report/annotate/script: Add option to specify a CPU range") Reported-by: sashiko-bot Cc: Adrian Hunter Cc: Anton Blanchard Cc: Jiri Olsa Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-script.c | 2 +- tools/perf/util/auxtrace.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c index f4aa255fc3297f90..9ac29bdc3cd547e6 100644 --- a/tools/perf/builtin-script.c +++ b/tools/perf/builtin-script.c @@ -2646,7 +2646,7 @@ static int cleanup_scripting(void) =20 static bool filter_cpu(struct perf_sample *sample) { - if (cpu_list && sample->cpu !=3D (u32)-1) + if (cpu_list && sample->cpu !=3D (u32)-1 && sample->cpu < MAX_NR_CPUS) return !test_bit(sample->cpu, cpu_bitmap); return false; } diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c index 5f4aa1701aef649a..4cd2caf5401522ca 100644 --- a/tools/perf/util/auxtrace.c +++ b/tools/perf/util/auxtrace.c 
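Review bot: In the builtin-script.c filter_cpu() hunk, the `sample->cpu != (u32)-1` test is now redundant: sample->cpu is a u32, so `sample->cpu < MAX_NR_CPUS` already excludes the (u32)-1 sentinel, and the condition could be reduced to `if (cpu_list && sample->cpu < MAX_NR_CPUS)`. Keeping the explicit sentinel is fine for readability, but then a short comment should say that the range check is what actually protects test_bit(). Also note the behaviour on the new path: an out-of-range CPU makes filter_cpu() return false, so the sample is processed even though the user asked for a specific CPU list; that matches the previous series, but the commit message should state that out-of-range samples are passed through rather than dropped.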
@@ -372,7 +372,8 @@ static bool filter_cpu(struct perf_session *session, st= ruct perf_cpu cpu) { unsigned long *cpu_bitmap =3D session->itrace_synth_opts->cpu_bitmap; =20 - return cpu_bitmap && cpu.cpu !=3D -1 && !test_bit(cpu.cpu, cpu_bitmap); + return cpu_bitmap && cpu.cpu >=3D 0 && cpu.cpu < MAX_NR_CPUS && + !test_bit(cpu.cpu, cpu_bitmap); } =20 static int auxtrace_queues__add_buffer(struct auxtrace_queues *queues, --=20 2.54.0 From nobody Mon Jun 8 06:36:19 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A37E22B9BA; Fri, 5 Jun 2026 12:15:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661736; cv=none; b=LWqbRPkrI2cX4/TWDmmYeR12RUd8kHWIwvbDDgvN2eXR5WiAzrqHxfGDiGDXSpCw1zc5SxvitZDVLx48CILphjMXVpA7p+5LcxP5ktyM4CVkS7afnbOW2+7kUGpgOi1dDLWhdG8K/kyYH9mkcLtJvXbhC1laFBHvvd0FQcegUW8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661736; c=relaxed/simple; bh=WUEkOw3pfnwRIHaep6MaTEoJAV7XUy6UEOuZbM88XO0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=r3KHLvcxLByRTB3RhQkJ4OdB0XNNWW+lTRxociEW4aE7z60XzvHVb4A33xlCVUTSG9O7ys6UHc4J4U8BFV+ICiCWWPw5E/drpxhmz+XHxBhH44DG9Owf+NHKs/37GuVfyFNvxhrlZ2pr2kA2Z1elu6sp3HBP4ekLLuc5hZCUKCI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZHIbIxLo; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZHIbIxLo" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A2E11F00893; Fri, 5 Jun 2026 12:15:31 +0000 (UTC) DKIM-Signature: v=1; 
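Review bot: In the auxtrace.c filter_cpu() hunk, the new `cpu.cpu >= 0 && cpu.cpu < MAX_NR_CPUS` check returns false for a corrupt CPU, so the sample bypasses the --cpu filter instead of being dropped; since the bitmap can never contain such a CPU, returning true (filter it out) would be the conservative choice for an untrusted perf.data, or at minimum a pr_debug so the bad value is visible. Minor: cpu.cpu is an int16_t per the commit message, so `cpu.cpu < MAX_NR_CPUS` is only a real bound if MAX_NR_CPUS fits in that type; a comment or static assertion tying the two together would pin that down.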
a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780661735; bh=J4DKtdsgMH/xkJGYr3nWsu2C2qlTNkAXDeNikNsk5L8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZHIbIxLofz9RhrQ1Rkdn53zo+SKMZTsnpp7AlEawM5gW9NWsUuqeqQ6YpPh7o0E5b m2P4qGbEtjW5hMV1oDd+ApzFGwdU97lnmQlDuUjJRJWb7bsoa7h5UFEdYbnl4EgGnO /gOYyLRBCJTqeiskQ2vWVWYwYwvOUjnN88j6uFSKAnS3bZIrXdq0FeHHDi2bfF67nu Mcuyo0PPhbBfasP6xDXKbhRyd4PrxK8WCgs6ZPr44RvdC0gDXGFlYl7zROB0kU2nkV Z3dtNuX5J2o+cfkEXqDXSv8EpjxDjoiwl/5Cj6ZoPplVM5dz0tATSwbAhVVTPfmtYJ 9TH63QFHFBcpQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 2/5] perf tools: Add bounds check to cpu__get_node() Date: Fri, 5 Jun 2026 09:15:11 -0300 Message-ID: <20260605121515.1725549-3-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605121515.1725549-1-acme@kernel.org> References: <20260605121515.1725549-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo cpu__get_node() accesses cpunode_map[cpu.cpu] without checking against max_cpu_num, the allocation size of cpunode_map. Callers such as builtin-kmem.c:evsel__process_alloc_event() pass sample->cpu from perf.data events, which may exceed the host's CPU count when analyzing cross-machine recordings. Add a bounds check against max_cpu_num before indexing, returning -1 for out-of-range values. This is a central fix that protects all callers. Fixes: 86895b480a2f ("perf stat: Add --per-node agregation support") Reported-by: sashiko-bot Cc: Jiri Olsa Assisted-by: Claude Opus 4.6 
Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/cpumap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c index b1e5c29c6e3ec8df..d3432622b2adc994 100644 --- a/tools/perf/util/cpumap.c +++ b/tools/perf/util/cpumap.c 
@@ -576,6 +576,10 @@ int cpu__get_node(struct perf_cpu cpu) return -1; } =20 + /* cpunode_map allocated for max_cpu_num entries; input may be untrusted = */ + if (cpu.cpu < 0 || cpu.cpu >=3D max_cpu_num.cpu) + return -1; + return cpunode_map[cpu.cpu]; } =20 --=20 2.54.0 From nobody Mon Jun 8 06:36:19 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 808FD2B9BA; Fri, 5 Jun 2026 12:15:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661740; cv=none; b=YQx48WPTaOu6mT39cGD4vQ0VzFRUaK4Z5/amKG6qPVY5T3rz1q+cHfj5nxdpjIkUo1OqvXqIPoniJ9x67y0qW7BDOP86Gfi2QhV1qZHTGSCQ2JwNPM6P8X5rMBKwD3FFgcvXxelrh1ZHep1moewdPAo6NTMbfuto1FSFlyWIy8I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661740; c=relaxed/simple; bh=ZMyhzIxdkE8Fx5Fs8l8voQf5Qk+0NmtxuAJ0555U4yM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Lp1tSddm0rPUMCxEuRByV1xbr12+yQDhryg03hbSr2+jl/IQBT7m8FvqtBstZ8CD68n6uySGNCCnXZddiepntHSZ/LePcbKedrJk0Gpf3KCGTcx9QUiNDpE0OkutRkvt5Oj4VdEMDsGadSYBH1ebuErnSHcTo5e2G1FW+18PlAg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JfdyOUD+; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JfdyOUD+" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CF4B61F00898; Fri, 5 Jun 2026 12:15:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780661739; bh=ktJQjLRBRQFD3+kFSnPKTRz844UlVkyictA+q1icveI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; 
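Review bot: In the cpu__get_node() hunk, the new `cpu.cpu < 0 || cpu.cpu >= max_cpu_num.cpu` check returns -1 silently, the same value as the `return -1` in the context just above it, so callers cannot tell "no cpunode_map" from "CPU out of range"; a pr_debug() naming the rejected CPU would make the cross-machine analysis case the commit message cites diagnosable. The check itself is correctly placed before the array index, and since max_cpu_num is the allocation size of cpunode_map, `>=` is the right comparison.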
b=JfdyOUD+hLqkJGYuLTe7j+TgaMZJL7OaQrv+xh+1x5gDs7Ghz3fExhJ83e9zCxaek ByteM/FRkJxRusGQJkjE0Bnlha/UpDjKwy/IYbeim0VsnSd70SW9RMUnuLywvVSxGL ET5nO/2yoOzo/2X7F5NGbjpi+QYZZpZlnqY8xtoe7ZIGbC9o/6a8uW9OgkGpPdLeaT LUN6gZ35hEg5Zu4x9yCPvDo2smXLe+36HRCvHsKf141ubTiWLDN89GwFpH1CttZKFU n3Xs3+xnjxHun/i7OKxykbgdWtAgjucjCndXL8EwwrbdQfms+in4B3lZjRAmiTZVpn /QHK5GHB9sCkw== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 3/5] perf sched: Fix thread reference leaks in timehist_get_thread() Date: Fri, 5 Jun 2026 09:15:12 -0300 Message-ID: <20260605121515.1725549-4-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605121515.1725549-1-acme@kernel.org> References: <20260605121515.1725549-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo timehist_get_thread() acquires a thread reference via machine__findnew_thread() and an idle thread reference via get_idle_thread() (which calls thread__get()). Two error paths in the idle_hist block return NULL without releasing these references: - When get_idle_thread() fails, the thread reference leaks. - When thread__priv(idle) returns NULL, both idle and thread leak. Additionally, the idle thread reference acquired on the success path is never released, leaking a reference on every sample when --idle-hist is active. Add thread__put() calls on both error paths and release the idle reference after use on the success path. Fixes: 5d8f17fb5822 ("perf sched timehist: Add -I/--idle-hist option") Reported-by: sashiko-bot Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 
Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 4aa7833cae6e36b8..7bd61028327b39db 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -2546,12 +2546,16 @@ static struct thread *timehist_get_thread(struct pe= rf_sched *sched, idle =3D get_idle_thread(sample->cpu); if (idle =3D=3D NULL) { pr_err("Failed to get idle thread for cpu %d.\n", sample->cpu); + thread__put(thread); return NULL; } =20 itr =3D thread__priv(idle); - if (itr =3D=3D NULL) + if (itr =3D=3D NULL) { + thread__put(idle); + thread__put(thread); return NULL; + } =20 thread__put(itr->last_thread); itr->last_thread =3D thread__get(thread); 
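Review bot: In the first timehist_get_thread() hunk, both new error paths duplicate `thread__put(thread)`; a single exit label (e.g. `out_put:`) would keep the reference release in one place and make it harder for a future early return to miss it. While this code is being touched, the pr_err in the context just above prints sample->cpu with %d although sample->cpu is a u32 (patch 1 compares it against `(u32)-1`); %u would be the matching format.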
@@ -2559,6 +2563,8 @@ static struct thread *timehist_get_thread(struct perf= _sched *sched, /* copy task callchain when entering to idle */ if (perf_sample__intval(sample, "next_pid") =3D=3D 0) save_idle_callchain(sched, itr, sample); + + thread__put(idle); } } =20 --=20 2.54.0 From nobody Mon Jun 8 06:36:19 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 74E5C29C325; Fri, 5 Jun 2026 12:15:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661744; cv=none; b=gX6YxJm98k0WnN/iIio5SFM+XUH8rois30hTojQnk/Cn1hSN3SsWqDCiOwSMzLio99eJMU5WVoNmB97Kp9jsPgymLEQfN2mft/B1XXZs0wBZVtWcB6GgYxlUJWiiYFOg6NZnE/w2UnEThwXZkCWZDcRkaq/5zudLLFPDbD6M1i0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661744; c=relaxed/simple; bh=HOKHGRfUJcS6pTTmAVNE9L8dC7jTySlVCO3W5BsVoRI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oT26Rp9GJmzii58kw+9IK1h3b306IrouUtzzFktu4DMU3yBBpkLSq7uadkPjnQezF9IfdP0ulRRFVtBsdKkDl5GXhqgjToanCycrSIBML35jGoFLGa6pXhJCz4PvpGeCt8GZ/M1UeUNm9TdH+dZ5h5S5zN7H+r5Y8XVYy73Txxc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=U6lWm+vZ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="U6lWm+vZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A00841F00893; Fri, 5 Jun 2026 12:15:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780661743; bh=PBIeMlQer6SU09WeehCC4HX+Dlyd2D3hPoy/580i8ZI=; 
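Review bot: In the second timehist_get_thread() hunk, `thread__put(idle)` after save_idle_callchain() is correct only if nothing between `itr = thread__priv(idle)` and this point can return early; the diff shows no such return, but a comment saying that idle is held only for the itr lookup (the pointer is not stored in sched) would document why the put belongs here. The balance also depends on get_idle_thread() taking a reference, which the commit message states but the diff does not show; a one-line comment at the put making that explicit would help anyone auditing the refcount later.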
h=From:To:Cc:Subject:Date:In-Reply-To:References; b=U6lWm+vZtBJknMv292XXONF59EKLqwKIMk+F84VjwWMjXJgZyt5snTfTOXVIqr37I wJaRKIvB8+BjxrnlJXP7YDQu8fPbkz2HP7YDew2eFAd7o+Lt0GrHr6pb6lRB8RdphX nzyOaJOES5AleGCGTwRUbj+oWEAcoI2uPftPEFr4NneCH2v81HDMZZHr/mrdsXtFbe IloJrh7GxJVR3lMQt9LzmaX208JPz+Wwn4CFvNHE4GEDhz8Xb6w7bUkVv9fZMbkRn2 Js99YzutqtSfDc4L5e85OCDVPVR/B9Li2N56yBJzddHCsGFTZgLTUvwB5vWVMdMg2L 7HW0vuSLz7F5Q== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , David Ahern , "Claude Opus 4.6" Subject: [PATCH 4/5] perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing Date: Fri, 5 Jun 2026 09:15:13 -0300 Message-ID: <20260605121515.1725549-5-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605121515.1725549-1-acme@kernel.org> References: <20260605121515.1725549-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo perf_timehist__process_sample() updates sched->max_cpu from the sample CPU without bounds checking. Later code uses max_cpu + 1 as an iteration count over arrays allocated with MAX_CPUS entries (curr_thread, cpu_last_switched). A recording with CPU IDs >= MAX_CPUS causes out-of-bounds array accesses. Also cap the env->nr_cpus_online initialization of max_cpu in perf_sched__timehist(), which could exceed MAX_CPUS on very large systems. Add bounds checks before both max_cpu updates, matching the pattern already used in map_switch_event(). Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command") Reported-by: sashiko-bot Cc: David Ahern Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 7bd61028327b39db..87a1f4cf8760e1e9 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -3215,7 +3215,9 @@ static int perf_timehist__process_sample(const struct= perf_tool *tool, .cpu =3D sample->cpu, }; =20 - if (this_cpu.cpu > sched->max_cpu.cpu) + /* max_cpu indexes arrays allocated with MAX_CPUS entries */ + if (this_cpu.cpu >=3D 0 && this_cpu.cpu < MAX_CPUS && + this_cpu.cpu > sched->max_cpu.cpu) sched->max_cpu =3D this_cpu; =20 if (evsel->handler !=3D NULL) { 
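Review bot: In the perf_timehist__process_sample() hunk, capping max_cpu is necessary but may not be sufficient: the sample still reaches `evsel->handler` in the context below, and if any handler indexes curr_thread or cpu_last_switched by sample->cpu directly rather than through the capped max_cpu, a CPU >= MAX_CPUS is still an out-of-bounds access. If that is the case the sample should be rejected here (return 0 with a pr_debug) instead of only skipping the max_cpu update; if not, the commit message should say that the handlers only ever index via max_cpu.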
@@ -3385,8 +3387,8 @@ static int perf_sched__timehist(struct perf_sched *sc= hed) perf_session__set_tracepoints_handlers(session, migrate_handlers)) goto out; =20 - /* pre-allocate struct for per-CPU idle stats */ - sched->max_cpu.cpu =3D env->nr_cpus_online; + /* pre-allocate struct for per-CPU idle stats; cap to array bounds */ + sched->max_cpu.cpu =3D min(env->nr_cpus_online, MAX_CPUS); if (sched->max_cpu.cpu =3D=3D 0) sched->max_cpu.cpu =3D 4; if (init_idle_threads(sched->max_cpu.cpu)) --=20 2.54.0 From nobody Mon Jun 8 06:36:19 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1BFF5296BCD; Fri, 5 Jun 2026 12:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661749; cv=none; b=gJp2+8oOZX5/viHFxmkWE+oIQ17GqRsOCSh9DmeETtBzJcHQYtBljmg3n+cn15lgd/apAWw/oHuysNuV3FJ7lg+I8VSS9xfE1cN/g6f2wYmfGMlu9HSKTGBZ1sokaOOVV6eG5tk99xeQiV8PrWrNuWQp7rpeI1Psu+A5muULwsU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780661749; c=relaxed/simple; bh=E/X5t8VSuLeT43XVwJ4SLY/T8z0TgVNOuzEQHKxUA/A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=USNWaNJyUYJqtgoaJgtW+Ugq/kXbjxIt62NK7iXtGJwYDUQlJc5hBgydLYCkS06TcPsJhNFa4djGg5VRFGgCR7wbiiVwHGoShdWjVBdhwViSp5tPDZ1WR3tCc+caPZmi2ULeUD1F1d9VqMexma5dOTOeugnoXS0YpPZ3NPKy8J0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nUATDCJm; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nUATDCJm" Received: by smtp.kernel.org (Postfix) with ESMTPSA 
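Review bot: In the perf_sched__timehist() hunk, `min(env->nr_cpus_online, MAX_CPUS)` silently truncates the per-CPU idle-stats allocation on hosts with more than MAX_CPUS online CPUs, and samples from the CPUs above the cap are then excluded from the max_cpu update by the previous hunk; a pr_warning when the cap is actually hit would tell the user that the idle statistics are incomplete rather than letting them look complete.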
id A38C61F00898; Fri, 5 Jun 2026 12:15:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780661747; bh=rVYHvTrmv3hexu3nlZplAr1TqsD9rzUEXCOoHGNhTmM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nUATDCJmbNdoi/EftTg7ojAD1ErDkjKVOpU6R4cMgQS/W2InOWZrC1Rq9zd63D79R l410XxU/KbLNWqY3x87ka9rVWbWB2fUc6JN7Ee9o1kS4Tn31x3I8LZwHLcpJrsmfEI ZnbRZsnHhdK9EgHRHj8t8y8IZkLmhcsSzQEEYthhKOB4zcGRAl2XqUnNhCRQmz45w/ 9psvdvMHZJaRD/fQ+WghcXPmJjEgtQ87c1BsWK1bJQJTo5/gnG3jMUGTjxkpoBsa3e benTgLPaCNCHN630Ch6CmOF0lZdaWQO5xFxSlNIyuO913UNqwbAsWoevB9zv3PR4Oq qmCysBqpuByow== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Ingo Molnar , "Claude Opus 4.6" Subject: [PATCH 5/5] perf sched: Fix register_pid() overflow, strcpy, and BUG_ON Date: Fri, 5 Jun 2026 09:15:14 -0300 Message-ID: <20260605121515.1725549-6-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605121515.1725549-1-acme@kernel.org> References: <20260605121515.1725549-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable 
From: Arnaldo Carvalho de Melo register_pid() has several issues when processing untrusted perf.data: 1. Integer overflow: (pid + 1) * sizeof(struct task_desc *) can wrap to a small value on 32-bit systems when pid is large (e.g. 0x40000000), causing realloc to return a tiny buffer followed by out-of-bounds writes in the initialization loop. 2. Heap buffer overflow: strcpy(task->comm, comm) copies the untrusted comm string into a fixed 20-byte COMM_LEN buffer with no length check. 3. BUG_ON on allocation failure: perf.data is untrusted input, so allocation failures should be handled gracefully rather than killing the process. 4. Realloc of sched->tasks assigned directly back, leaking the old pointer on failure; nr_tasks incremented before the realloc, leaving corrupted state on failure. Cap pid at PID_MAX_LIMIT (4194304, matching the kernel's maximum on 64-bit), replace strcpy with strlcpy, guard against NULL comm, replace BUG_ON with NULL returns using safe realloc patterns, and add NULL checks in callers that dereference the result. Fixes: ec156764d424 ("perf sched: Import schedbench.c") Reported-by: sashiko-bot Cc: Ingo Molnar Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 40 ++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 87a1f4cf8760e1e9..21fb820b625b43e1 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -55,6 +55,7 @@ #define COMM_LEN 20 #define SYM_LEN 129 #define MAX_PID 1024000 +#define PID_MAX_LIMIT 4194304 /* kernel limit on 64-bit */ #define MAX_PRIO 140 #define SEP_LEN 100 =20 
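Review bot: In the #define hunk, PID_MAX_LIMIT now sits next to MAX_PID (1024000) with no note on how the two relate: MAX_PID is the fallback used in register_pid() when kernel/pid_max cannot be read, while PID_MAX_LIMIT is the hard cap on pids read from perf.data. A comment spelling that out, and noting that the name deliberately mirrors the kernel's own PID_MAX_LIMIT, would keep the two from being confused by the next person who touches them.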
@@ -448,17 +449,28 @@ static void add_sched_event_sleep(struct perf_sched *= sched, struct task_desc *ta static struct task_desc *register_pid(struct perf_sched *sched, unsigned long pid, const char *comm) { - struct task_desc *task; + struct task_desc *task, **tasks_p; static int pid_max; =20 + /* perf.data is untrusted =E2=80=94 cap pid to prevent overflow in size c= alculations */ + if (pid >=3D PID_MAX_LIMIT) { + pr_err("pid %lu exceeds limit %d, skipping\n", pid, PID_MAX_LIMIT); + return NULL; + } + if (sched->pid_to_task =3D=3D NULL) { if (sysctl__read_int("kernel/pid_max", &pid_max) < 0) pid_max =3D MAX_PID; - BUG_ON((sched->pid_to_task =3D calloc(pid_max, sizeof(struct task_desc *= ))) =3D=3D NULL); + sched->pid_to_task =3D calloc(pid_max, sizeof(struct task_desc *)); + if (sched->pid_to_task =3D=3D NULL) + return NULL; } if (pid >=3D (unsigned long)pid_max) { - BUG_ON((sched->pid_to_task =3D realloc(sched->pid_to_task, (pid + 1) * - sizeof(struct task_desc *))) =3D=3D NULL); + void *p =3D realloc(sched->pid_to_task, (pid + 1) * sizeof(struct task_d= esc *)); + + if (p =3D=3D NULL) + return NULL; + sched->pid_to_task =3D p; while (pid >=3D (unsigned long)pid_max) sched->pid_to_task[pid_max++] =3D NULL; } @@ -469,9 +481,11 @@ static struct task_desc *register_pid(struct perf_sche= d *sched, return task; =20 task =3D zalloc(sizeof(*task)); + if (task =3D=3D NULL) + return NULL; task->pid =3D pid; - task->nr =3D sched->nr_tasks; - strcpy(task->comm, comm); + if (comm) + strlcpy(task->comm, comm, sizeof(task->comm)); /* * every task starts in sleeping state - this gets ignored * if there's no wakeup pointing to this sleep state: 
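Review bot: In the `@@ -448` register_pid() hunk, the new `pid >= PID_MAX_LIMIT` rejection logs with pr_err on every call, and register_pid() is invoked per sample from replay_wakeup_event() and replay_switch_event(); a recording with many such samples would emit one line per sample, so pr_debug or a once-only warning fits better. The cap does bound `(pid + 1) * sizeof(struct task_desc *)` at roughly 32 MiB, which closes the 32-bit wrap the commit message describes, and the realloc-into-temporary pattern for pid_to_task is correct.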
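Review bot: In the `@@ -469` hunk, `if (comm) strlcpy(task->comm, comm, sizeof(task->comm))` relies on task having come from zalloc() so that a NULL comm leaves an empty string; that holds here, but a short comment would make the dependency explicit so a later change to the allocation does not silently break it.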
@@ -479,10 +493,12 @@ static struct task_desc *register_pid(struct perf_sch= ed *sched, add_sched_event_sleep(sched, task, 0); =20 sched->pid_to_task[pid] =3D task; - sched->nr_tasks++; - sched->tasks =3D realloc(sched->tasks, sched->nr_tasks * sizeof(struct ta= sk_desc *)); - BUG_ON(!sched->tasks); - sched->tasks[task->nr] =3D task; + tasks_p =3D realloc(sched->tasks, (sched->nr_tasks + 1) * sizeof(struct t= ask_desc *)); + if (!tasks_p) + return NULL; + sched->tasks =3D tasks_p; + sched->tasks[sched->nr_tasks] =3D task; + task->nr =3D sched->nr_tasks++; =20 if (verbose > 0) printf("registered task #%ld, PID %ld (%s)\n", sched->nr_tasks, pid, com= m); @@ -841,6 +857,8 @@ replay_wakeup_event(struct perf_sched *sched, =20 waker =3D register_pid(sched, sample->tid, ""); wakee =3D register_pid(sched, pid, comm); + if (waker =3D=3D NULL || wakee =3D=3D NULL) + return -1; =20 add_sched_event_wakeup(sched, waker, sample->time, wakee); return 0; @@ -881,6 +899,8 @@ static int replay_switch_event(struct perf_sched *sched, =20 prev =3D register_pid(sched, prev_pid, prev_comm); next =3D register_pid(sched, next_pid, next_comm); + if (prev =3D=3D NULL || next =3D=3D NULL) + return -1; =20 sched->cpu_last_switched[cpu] =3D timestamp; =20 --=20 2.54.0
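Review bot: In the `@@ -479` hunk, when the tasks realloc fails the function returns NULL after `sched->pid_to_task[pid] = task` and add_sched_event_sleep() have already run, so a half-registered task stays reachable: a later register_pid() for the same pid returns it through the existing-task lookup with task->nr still 0 and no slot in sched->tasks. Either move the tasks realloc ahead of the pid_to_task insertion, or on failure clear pid_to_task[pid] and free the task before returning NULL. Separately, the printf under `verbose > 0` still passes `comm` as %s; now that a NULL comm is tolerated by the strlcpy guard, it should print task->comm instead.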
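Review bot: In the `@@ -841` and `@@ -881` hunks, returning -1 on a NULL from register_pid() aborts the whole replay at the first offending sample, and since register_pid() now returns NULL both for a pid over PID_MAX_LIMIT and for an allocation failure, the callers cannot tell a malformed record from a resource failure. Consider a pr_debug naming the pid that failed, or skipping the sample (return 0) for the over-cap case so one bad record does not prevent replaying the rest.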