From nobody Mon Jun 8 06:35:41 2026
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, Alexey Budankov, "Claude Opus 4.6"
Subject: [PATCH 1/8] perf mmap: Guard cpu__get_node() return in aio_bind()
Date: Fri, 5 Jun 2026 17:33:09 -0300
Message-ID: <20260605203316.1758661-2-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>

From: Arnaldo Carvalho de Melo

perf_mmap__aio_bind() passes the cpu__get_node() return value directly to an unsigned long variable (node_index). When cpu__get_node() returns -1 for an unknown CPU, the implicit int-to-unsigned-long conversion sign-extends it to ULONG_MAX. This causes bitmap_zalloc(ULONG_MAX + 1) which wraps to bitmap_zalloc(0), returning a zero-sized allocation. The subsequent __set_bit(ULONG_MAX, node_mask) then writes massively out of bounds.

Check the return value in a signed temporary before assigning to node_index, and skip the NUMA binding when the node is unknown.

Fixes: c44a8b44ca9f ("perf record: Bind the AIO user space buffers to nodes")
Reported-by: sashiko-bot
Cc: Alexey Budankov
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/util/mmap.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c
index b69f926d314b148b..4404a99eee45f9c3 100644
--- a/tools/perf/util/mmap.c
+++ b/tools/perf/util/mmap.c
@@ -104,9 +104,15 @@ static int perf_mmap__aio_bind(struct mmap *map, int i= dx, struct perf_cpu cpu, i int err =3D 0; =20 if (affinity !=3D PERF_AFFINITY_SYS && cpu__max_node() > 1) { + int node; + data =3D map->aio.data[idx]; mmap_len =3D mmap__mmap_len(map); - node_index =3D cpu__get_node(cpu); + node =3D cpu__get_node(cpu); + /* -1 sign-extends to ULONG_MAX, wrapping bitmap_zalloc(0) and OOB __set= _bit */ + if (node < 0) + return 0; + node_index =3D node; node_mask =3D bitmap_zalloc(node_index + 1); if (!node_mask) { pr_err("Failed to allocate node mask for mbind: error %m\n");
-- 
2.54.0
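Review bot: the new `if (node < 0) return 0;` in the perf_mmap__aio_bind() hunk skips the NUMA binding for a CPU with no known node without leaving any trace, so a broken or truncated topology becomes indistinguishable from a successful bind; a pr_debug() naming cpu.cpu before the `return 0;` would make the skipped bind diagnosable. The added comment `/* -1 sign-extends to ULONG_MAX, wrapping bitmap_zalloc(0) and OOB __set_bit */` also runs well past 80 columns at this indentation; shorten it or split it over two lines.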

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 2/8] perf stat: Bounds-check CPU index in topology aggregation callbacks
Date: Fri, 5 Jun 2026 17:33:10 -0300
Message-ID: <20260605203316.1758661-3-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo

Six perf_env__get_*_aggr_by_cpu() functions access env->cpu[cpu.cpu] after only checking cpu.cpu != -1. env->cpu[] is allocated with env->nr_cpus_avail entries, so a CPU index from an untrusted perf.data file that exceeds that count causes an out-of-bounds heap read.

Replace the != -1 guard with >= 0 && < env->nr_cpus_avail in all six functions. The >= 0 check also catches -1 and any other negative values that could bypass the old check.

Affected functions:
- perf_env__get_socket_aggr_by_cpu()
- perf_env__get_die_aggr_by_cpu()
- perf_env__get_cache_aggr_by_cpu()
- perf_env__get_cluster_aggr_by_cpu()
- perf_env__get_core_aggr_by_cpu()
- perf_env__get_cpu_aggr_by_cpu()

Fixes: 68d702f7a120 ("perf stat report: Add support to initialize aggr_map from file")
Reported-by: sashiko-bot
Cc: Ian Rogers
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-stat.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index 99d7db372b480800..9a045811c4197ccd 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -1638,7 +1638,8 @@ static struct aggr_cpu_id perf_env__get_socket_aggr_b= y_cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) + /* env->cpu[] has env->nr_cpus_avail entries; reject untrusted indices */ + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) id.socket =3D env->cpu[cpu.cpu].socket_id; =20 return id; @@ -1649,7 +1650,7 @@ static struct aggr_cpu_id perf_env__get_die_aggr_by_c= pu(struct perf_cpu cpu, voi struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * die_id is relative to socket, so start * with the socket ID and then add die to
@@ -1705,7 +1706,7 @@ static struct aggr_cpu_id perf_env__get_cache_aggr_by= _cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { u32 cache_level =3D (perf_stat.aggr_level) ?: stat_config.aggr_level; =20 id.socket =3D env->cpu[cpu.cpu].socket_id; @@ -1722,7 +1723,7 @@ static struct aggr_cpu_id perf_env__get_cluster_aggr_= by_cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { id.socket =3D env->cpu[cpu.cpu].socket_id; id.die =3D env->cpu[cpu.cpu].die_id; id.cluster =3D env->cpu[cpu.cpu].cluster_id; @@ -1736,7 +1737,7 @@ static struct aggr_cpu_id perf_env__get_core_aggr_by_= cpu(struct perf_cpu cpu, vo struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * core_id is relative to socket, die and cluster, we need a * global id. So we set socket, die id, cluster id and core id. 
@@ -1755,7 +1756,7 @@ static struct aggr_cpu_id perf_env__get_cpu_aggr_by_c= pu(struct perf_cpu cpu, voi struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * core_id is relative to socket and die, * we need a global id. So we set
-- 
2.54.0
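Review bot: the explanatory comment `/* env->cpu[] has env->nr_cpus_avail entries; reject untrusted indices */` is added only in the perf_env__get_socket_aggr_by_cpu() hunk, while the five sibling hunks carry the bare condition with no hint of why `cpu.cpu >= 0 && cpu.cpu < env->nr_cpus_avail` replaced `cpu.cpu != -1`. Since the same bound is now repeated six times, a small static helper (for example a hypothetical perf_env__cpu_index_valid(env, cpu)) that carries the comment once would keep the six callbacks in step, so that a later change to how env->cpu[] is sized cannot leave one of them unguarded.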

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 3/8] perf c2c: Bounds-check CPU and node IDs before bitmap and array access
Date: Fri, 5 Jun 2026 17:33:11 -0300
Message-ID: <20260605203316.1758661-4-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo

c2c_he__set_cpu() passes sample->cpu directly to __set_bit(cpu, cpuset) after only checking for the (u32)-1 sentinel. The cpuset bitmap is allocated with c2c.cpus_cnt bits (from env->nr_cpus_avail), so a crafted perf.data with CPU IDs exceeding that count causes out-of-bounds heap writes.

c2c_he__set_node() similarly passes the node ID from mem2node__node() to __set_bit(node, nodeset) after only checking for negative values. The nodeset bitmap is sized to c2c.nodes_cnt (from env->nr_numa_nodes), so a node ID exceeding that causes OOB writes.

process_sample_event() indexes c2c.cpu2node[cpu] and c2c_he->node_stats[node] without bounds checking. Both arrays are sized to c2c.cpus_cnt and c2c.nodes_cnt respectively.

Add bounds checks in all three paths:
- c2c_he__set_cpu(): return if sample->cpu >= c2c.cpus_cnt
- c2c_he__set_node(): return if node >= c2c.nodes_cnt
- process_sample_event(): clamp cpu to 0 if >= cpus_cnt, guard node_stats access with bounds check

Fixes: 1e181b92a2da ("perf c2c report: Add 'node' sort key")
Reported-by: sashiko-bot
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-c2c.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
index 3dd45a550fdb772a..b78217d98988a75c 100644
--- a/tools/perf/builtin-c2c.c
+++ b/tools/perf/builtin-c2c.c
@@ -245,6 +245,10 @@ static void c2c_he__set_cpu(struct c2c_hist_entry *c2c= _he, "WARNING: no sample cpu value")) return; =20 + /* cpuset bitmap has c2c.cpus_cnt bits from env->nr_cpus_avail */ + if (sample->cpu >=3D (unsigned int)c2c.cpus_cnt) + return; + __set_bit(sample->cpu, c2c_he->cpuset); } =20
@@ -262,6 +266,10 @@ static void c2c_he__set_node(struct c2c_hist_entry *c2= c_he, if (WARN_ONCE(node < 0, "WARNING: failed to find node\n")) return; =20 + /* nodeset bitmap has c2c.nodes_cnt bits from env->nr_numa_nodes */ + if (node >=3D c2c.nodes_cnt) + return; + __set_bit(node, c2c_he->nodeset); =20 if (c2c_he->paddr !=3D sample->phys_addr) { @@ -391,7 +399,12 @@ static int process_sample_event(const struct perf_tool= *tool __maybe_unused, * Doing node stats only for single callchain data. */ int cpu =3D sample->cpu =3D=3D (unsigned int) -1 ? 0 : sample->cpu; - int node =3D c2c.cpu2node[cpu]; + int node; + + /* cpu2node[] has c2c.cpus_cnt entries from env->nr_cpus_avail */ + if (cpu >=3D c2c.cpus_cnt) + cpu =3D 0; + node =3D c2c.cpu2node[cpu]; =20 c2c_hists =3D he__get_c2c_hists(he, c2c.cl_sort, 2, machine->env); if (!c2c_hists) { 
@@ -410,7 +423,9 @@ static int process_sample_event(const struct perf_tool = *tool __maybe_unused, c2c_he =3D container_of(he, struct c2c_hist_entry, he); c2c_add_stats(&c2c_he->stats, &stats); c2c_add_stats(&c2c_hists->stats, &stats); - c2c_add_stats(&c2c_he->node_stats[node], &stats); + /* node_stats[] has c2c.nodes_cnt entries */ + if (node >=3D 0 && node < c2c.nodes_cnt) + c2c_add_stats(&c2c_he->node_stats[node], &stats); =20 compute_stats(c2c_he, &stats, sample->weight); =20
-- 
2.54.0
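Review bot: the clamp `if (cpu >= c2c.cpus_cnt) cpu = 0;` in the first process_sample_event() hunk does not cover the whole input range. `cpu` is an int assigned from the u32 `sample->cpu` in the context line `int cpu = sample->cpu == (unsigned int) -1 ? 0 : sample->cpu;`, so a file value of 0x80000000 or above becomes negative, passes the signed comparison, and still indexes c2c.cpu2node[] out of bounds. Test `cpu < 0 || cpu >= c2c.cpus_cnt`, or compare `sample->cpu` in the unsigned domain before narrowing, as the c2c_he__set_cpu() hunk already does. Separately, clamping to CPU 0 silently charges the sample to CPU 0's node; skipping the node accounting for that sample, as the later node_stats hunk already does for an invalid node, would avoid attributing data to the wrong node.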
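Review bot: the c2c_he__set_cpu() hunk returns silently on `sample->cpu >= (unsigned int)c2c.cpus_cnt`, whereas the sentinel check two lines above it reports through WARN_ONCE("WARNING: no sample cpu value"); an out-of-range CPU ID in a perf.data file is precisely the malformed input a user would want to hear about once, so mirroring that WARN_ONCE() here (and in the c2c_he__set_node() hunk for `node >= c2c.nodes_cnt`) keeps the diagnostics consistent and leaves a trace when a corrupt or crafted file is rejected.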

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 4/8] perf c2c: Bounds-check CPU IDs in setup_nodes() topology loop
Date: Fri, 5 Jun 2026 17:33:12 -0300
Message-ID: <20260605203316.1758661-5-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo

setup_nodes() iterates CPU maps from the perf.data topology header and uses cpu.cpu directly as an array index into cpu2node[] (allocated with c2c.cpus_cnt = env->nr_cpus_avail entries) and __set_bit(cpu.cpu, set) (bitmap also sized to c2c.cpus_cnt). A crafted perf.data with topology CPU IDs exceeding nr_cpus_avail causes out-of-bounds heap writes into both the cpu2node array and the per-node bitmap.

Add a bounds check to skip CPU IDs that fall outside the valid range.

Fixes: 1e181b92a2da ("perf c2c report: Add 'node' sort key")
Reported-by: sashiko-bot
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-c2c.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
index b78217d98988a75c..cbe0e993053d403c 100644
--- a/tools/perf/builtin-c2c.c
+++ b/tools/perf/builtin-c2c.c
@@ -2371,6 +2371,10 @@ static int setup_nodes(struct perf_session *session) nodes[node] =3D set; =20 perf_cpu_map__for_each_cpu_skip_any(cpu, idx, map) { + /* topology CPU IDs from perf.data may exceed nr_cpus_avail */ + if (cpu.cpu < 0 || cpu.cpu >=3D c2c.cpus_cnt) + continue; + __set_bit(cpu.cpu, set); =20 if (WARN_ONCE(cpu2node[cpu.cpu] !=3D -1, "node/cpu topology bug"))
-- 
2.54.0
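Review bot: the `continue` added in the setup_nodes() hunk drops an out-of-range topology CPU without any message, while the very next statement reports a duplicate mapping with WARN_ONCE(cpu2node[cpu.cpu] != -1, "node/cpu topology bug"); a CPU ID at or above c2c.cpus_cnt is the same class of inconsistent topology and deserves the same one-shot warning, otherwise the skipped CPUs vanish from the per-node bitmaps with nothing in the output to explain why a node shows fewer CPUs than the header claims.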
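The four bounds fixes above (patches 1 to 4) share one pattern: an index read from the perf.data header or from a sample is used to address an array or bitmap sized from env->nr_cpus_avail or env->nr_numa_nodes, and the check has to be made in the right integer domain. The following C program is an added example written for this page, not code from the perf tree; the helper names (node_bitmap_index, naive_bitmap_bits, cpu_index_valid, checked_cpu_index, naive_cpu_index) and SAMPLE_CPU_NONE are hypothetical stand-ins. It puts both pitfalls side by side: a signed -1 node result widened to unsigned long before the sign check (patch 1), and a u32 sample CPU narrowed to int before a signed upper-bound check (patches 2 to 4).

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not perf code: hypothetical helpers showing in which integer
 * domain the checks from patches 1-4 have to be made. */

/* Sentinel perf stores in a sample when no CPU was recorded ((u32)-1). */
#define SAMPLE_CPU_NONE ((uint32_t)-1)

/* Patch 1 pattern: a node lookup returns -1 for an unknown CPU, and the sign
 * has to be tested while the value is still an int (this is the fixed shape). */
static bool node_bitmap_index(int node, unsigned long *out_index)
{
	if (node < 0)
		return false;	/* unknown node: the caller skips the NUMA bind */
	*out_index = (unsigned long)node;
	return true;
}

/* The pre-fix computation: the bit count bitmap_zalloc() was asked for. */
static unsigned long naive_bitmap_bits(int node)
{
	unsigned long node_index = node;	/* -1 converts to ULONG_MAX */

	return node_index + 1;			/* ULONG_MAX + 1 wraps to 0 */
}

/* Patches 2-4 pattern: a CPU index from an untrusted file is compared against
 * the allocated count before use. Comparing in the unsigned domain also
 * rejects values >= 2^31, which would turn negative if narrowed to int. */
static bool cpu_index_valid(uint32_t sample_cpu, int nr_cpus_avail, int *out_cpu)
{
	if (sample_cpu == SAMPLE_CPU_NONE)
		return false;
	if (nr_cpus_avail <= 0 || sample_cpu >= (uint32_t)nr_cpus_avail)
		return false;
	*out_cpu = (int)sample_cpu;	/* safe: below nr_cpus_avail <= INT_MAX */
	return true;
}

/* Convenience form for callers that want the index or -1. */
static int checked_cpu_index(uint32_t sample_cpu, int nr_cpus_avail)
{
	int cpu = -1;

	return cpu_index_valid(sample_cpu, nr_cpus_avail, &cpu) ? cpu : -1;
}

/* The narrowing pitfall: convert the u32 to int first, as the context line
 * `int cpu = sample->cpu == (unsigned int) -1 ? 0 : sample->cpu;` in patch 3
 * does, then apply only an upper bound. On two's-complement targets the
 * result is negative for sample_cpu >= 0x80000000 and `cpu >= nr_cpus_avail`
 * never catches it, so cpu2node[cpu] would read before the array. */
static int naive_cpu_index(uint32_t sample_cpu, int nr_cpus_avail)
{
	int cpu = sample_cpu == SAMPLE_CPU_NONE ? 0 : (int)sample_cpu;

	if (cpu >= nr_cpus_avail)
		cpu = 0;
	return cpu;
}
```

The values fed to these helpers below are constructed: a CPU count of 8 stands in for env->nr_cpus_avail, and 0x80000000 is the smallest u32 that narrows to a negative int.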

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, David Ahern, "Claude Opus 4.6"
Subject: [PATCH 5/8] perf sched: Clean up idle_threads entry on init failure
Date: Fri, 5 Jun 2026 17:33:13 -0300
Message-ID: <20260605203316.1758661-6-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo

get_idle_thread() allocates a thread via thread__new() and stores it in idle_threads[cpu], then calls init_idle_thread() to set up the private data. If init_idle_thread() fails (e.g. OOM for the idle_thread_runtime struct), the function returns NULL but leaves the partially initialized thread in idle_threads[cpu].

On subsequent calls for the same CPU, get_idle_thread() finds a non-NULL idle_threads[cpu], skips allocation, and returns thread__get() on a thread that has no priv data. Callers then get a thread whose thread__priv() returns NULL, leading to unexpected behavior.

Release the thread and reset the slot to NULL on init failure so the entry doesn't persist in a corrupted state.

Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command")
Reported-by: sashiko-bot
Cc: David Ahern
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 21fb820b625b43e1..e4378cc9ab3ed48b 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2514,8 +2514,11 @@ static struct thread *get_idle_thread(int cpu) idle_threads[cpu] =3D thread__new(0, 0); =20 if (idle_threads[cpu]) { - if (init_idle_thread(idle_threads[cpu]) < 0) + if (init_idle_thread(idle_threads[cpu]) < 0) { + /* clean up so next call doesn't find a half-initialized thread */ + thread__zput(idle_threads[cpu]); return NULL; + } } } =20
-- 
2.54.0
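Review bot: the new comment `/* clean up so next call doesn't find a half-initialized thread */` sits three tabs deep and runs past 80 columns; a shorter form such as `/* don't cache a thread that has no priv data */` fits on the line. thread__zput() itself is the right call in this hunk, since it both drops the thread__new() reference and clears idle_threads[cpu], which covers the two steps the commit message describes; it would be worth saying so in the message, as a reader may otherwise look for the explicit `= NULL`.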

From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, David Ahern, "Claude Opus 4.6"
Subject: [PATCH 6/8] perf sched: Fix thread reference leak in idle hist processing
Date: Fri, 5 Jun 2026 17:33:14 -0300
Message-ID: <20260605203316.1758661-7-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>

From: Arnaldo Carvalho de Melo

timehist_sched_change_event() sets itr->last_thread to NULL at the end of idle hist processing without calling thread__put() first. The thread reference was acquired via thread__get() in timehist_get_thread() (line 2581), so every idle context switch leaks a thread reference when --idle-hist is active.

Use thread__zput() to properly release the reference before clearing the pointer.

Fixes: 5d8f17fb5822 ("perf sched timehist: Add -I/--idle-hist option")
Reported-by: sashiko-bot
Cc: David Ahern
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index e4378cc9ab3ed48b..af6322ffaaa6eb1d 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2934,7 +2934,7 @@ static int timehist_sched_change_event(const struct p= erf_tool *tool, if (itr->cursor.nr) callchain_append(&itr->callchain, &itr->cursor, t - tprev); =20 - itr->last_thread =3D NULL; + thread__zput(itr->last_thread); } =20 if (!sched->summary_only)
-- 
2.54.0
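Review bot: the commit message locates the matching thread__get() by source line number ("timehist_get_thread() (line 2581)"), which goes stale with the next edit to builtin-sched.c; naming the function is enough for anyone following the reference with git blame. In the hunk itself, `thread__zput(itr->last_thread);` is correct only because this is the last use of last_thread on the idle-hist path; a one-line comment stating that the reference was taken in timehist_get_thread() would tell the next reader why the put belongs here rather than in the caller.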
h=From:To:Cc:Subject:Date:In-Reply-To:References; b=mxgT7hcmIjfhk4AFUvW1H3KSbry4gpUPo0hxDkORggB+1AdrgQl++skCZNSVSJwOg YjASrxqFXYoZ/l/3E+6NEf5sZPt+twKvVivN9ng45KFrs84t29mvr3hBJISs09tX9F GDgkQjvMCM/GDv7+2m3fYzMZVhQVsF832S8nb5RpflnGb6tlGFXBXlguH5dYdxWO2Z dtWTnNt60Ts14xnm/8+uVrWNRegL5ZEYVIXx9K2uKK0Lj88QnJThJrOdNAB6UkXU7D PBFWhzLC7Cauh/US8Sa0U12C6Or0FAaLqsaf6QBXgjKNwprTNiXEVconyizuAoRAqU 5s2fRw7xoeI2g== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , David Ahern , "Claude Opus 4.6" Subject: [PATCH 7/8] perf sched: Use thread__put() in free_idle_threads() Date: Fri, 5 Jun 2026 17:33:15 -0300 Message-ID: <20260605203316.1758661-8-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605203316.1758661-1-acme@kernel.org> References: <20260605203316.1758661-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo free_idle_threads() calls thread__delete() directly instead of thread__put(), bypassing the reference counting lifecycle. Under REFCNT_CHECKING builds, this leaks the pointer handle since thread__delete() frees the object without going through the refcount wrapper. The idle threads are created via thread__new() (refcount=3D1) in get_idle_thread(). Callers get additional references via thread__get() which they release with thread__put(). free_idle_threads() drops the base reference =E2=80=94 thread__put() is the correct call, matching the thread__new() acquisition. Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command") Reported-by: sashiko-bot Cc: David Ahern Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index af6322ffaaa6eb1d..3668048ca96cb71a 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2481,7 +2481,7 @@ static void free_idle_threads(void) if (itr) thread__put(itr->last_thread); =20 - thread__delete(idle); + thread__put(idle); } } =20 --=20 2.54.0
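Review bot: with thread__put(idle) the object may outlive this function when another holder still has a reference, yet the preceding `thread__put(itr->last_thread);` leaves itr->last_thread pointing at a released reference inside that surviving thread's private data; consider `thread__zput(itr->last_thread);` there so a surviving object never carries a stale pointer. The switch from thread__delete() to thread__put() itself matches the thread__new() acquisition the commit message describes.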
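To make the difference between dropping the base reference with put() and freeing with delete() observable in numbers rather than in a crash, here is an added example in C. It is not perf's code and not part of the patch: a toy refcounted object whose thread__new()/thread__get()/thread__put()/thread__delete() mirror the names used in the commit message, plus two hypothetical counters (live_objects, handles_open) standing in for the bookkeeping a REFCNT_CHECKING build keeps.

```c
/* Added example, not perf's code: a toy refcounted object modelling the
 * thread__new()/get()/put()/delete() lifecycle from the commit message.
 * The two counters are a hypothetical stand-in for REFCNT_CHECKING. */
#include <stdio.h>
#include <stdlib.h>

struct thread {
	int refcnt;
	int tid;
};

static int live_objects;	/* allocations not yet freed */
static int handles_open;	/* references acquired but not released */

static struct thread *thread__new(int tid)
{
	struct thread *t = calloc(1, sizeof(*t));

	if (!t)
		return NULL;
	t->refcnt = 1;		/* the creator's (base) reference */
	t->tid = tid;
	live_objects++;
	handles_open++;
	return t;
}

static struct thread *thread__get(struct thread *t)
{
	if (t) {
		t->refcnt++;
		handles_open++;
	}
	return t;
}

/* Frees unconditionally: correct only when no reference remains. */
static void thread__delete(struct thread *t)
{
	if (!t)
		return;
	live_objects--;
	free(t);
}

/* Releases one reference and frees when the last one goes away. */
static void thread__put(struct thread *t)
{
	if (!t)
		return;
	handles_open--;
	if (--t->refcnt == 0)
		thread__delete(t);
}

/* Scenario 1, the free_idle_threads() case: a single owner tears the
 * object down.  Returns the number of handles still open afterwards;
 * 0 is what a checking build wants to see, 1 is the leaked handle. */
static int open_handles_after_teardown(int use_put)
{
	struct thread *idle;

	live_objects = handles_open = 0;
	idle = thread__new(0);
	if (use_put)
		thread__put(idle);
	else
		thread__delete(idle);	/* freed, but the handle was never released */
	return handles_open;
}

/* Scenario 2: another holder took its own reference with thread__get().
 * Returns the number of live objects while that holder still uses it:
 * 1 means the pointer is still valid, 0 means it already dangles. */
static int live_while_held(int use_put)
{
	struct thread *idle, *held;
	int live;

	live_objects = handles_open = 0;
	idle = thread__new(0);
	held = thread__get(idle);
	if (use_put)
		thread__put(idle);	/* refcnt 2 -> 1, object stays alive */
	else
		thread__delete(idle);	/* object gone while 'held' still points at it */
	live = live_objects;
	if (use_put)
		thread__put(held);	/* last reference: freed here */
	return live;
}

int main(void)
{
	printf("put: open handles=%d, live while held=%d\n",
	       open_handles_after_teardown(1), live_while_held(1));
	printf("delete: open handles=%d, live while held=%d\n",
	       open_handles_after_teardown(0), live_while_held(0));
	return 0;
}
```

Scenario 1 is exactly the leak the commit message describes: thread__delete() leaves one handle open even though the object is gone. Scenario 2 shows why the leak is the benign symptom: with a second holder present, delete() frees the object under that holder's feet, while put() leaves it alive until the holder releases its own reference.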
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 8/8] perf sched: Replace BUG_ON and add NULL checks in replay event helpers
Date: Fri, 5 Jun 2026 17:33:16 -0300
Message-ID: <20260605203316.1758661-9-acme@kernel.org>
In-Reply-To: <20260605203316.1758661-1-acme@kernel.org>
References: <20260605203316.1758661-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo

get_new_event() has three issues:

1. The zalloc() result is dereferenced without a NULL check, crashing on allocation failure.

2. BUG_ON(!task->atoms) kills the process when realloc() fails. Since perf.data is untrusted input, this should be a graceful error.

3. The realloc pattern assigns directly to task->atoms, losing the old pointer on failure. task->nr_events is also incremented before the realloc, leaving corrupted state on failure.

Fix get_new_event() to:

- Check the zalloc() result before dereferencing
- Use a temporary for realloc() to avoid losing the old pointer
- Increment nr_events only after successful realloc
- Return NULL instead of calling BUG_ON on failure

Also fix add_sched_event_wakeup() where zalloc() for wait_sem is passed to sem_init() without a NULL check.

Update all callers (add_sched_event_run, add_sched_event_wakeup, add_sched_event_sleep) to handle NULL returns by returning early. The replay may produce incomplete output on OOM but will not crash.

Fixes: ec156764d424 ("perf sched: Import schedbench.c")
Reported-by: sashiko-bot
Cc: Ingo Molnar
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 3668048ca96cb71a..e7e55925532ff6f1 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -365,14 +365,25 @@ get_new_event(struct task_desc *task, u64 timestamp) struct sched_atom *event =3D zalloc(sizeof(*event)); unsigned long idx =3D task->nr_events; size_t size; + struct sched_atom **atoms_p; + + if (event =3D=3D NULL) { + pr_err("ERROR: sched: failed to allocate event\n"); + return NULL; + } =20 event->timestamp =3D timestamp; event->nr =3D idx; =20 + size =3D sizeof(struct sched_atom *) * (task->nr_events + 1); + atoms_p =3D realloc(task->atoms, size); + if (!atoms_p) { + pr_err("ERROR: sched: failed to grow atoms array\n"); + free(event); + return NULL; + } + task->atoms =3D atoms_p; task->nr_events++; - size =3D sizeof(struct sched_atom *) * task->nr_events; - task->atoms =3D realloc(task->atoms, size); - BUG_ON(!task->atoms); =20 task->atoms[idx] =3D event; =20 @@ -403,6 +414,8 @@ static void add_sched_event_run(struct perf_sched *sche= d, struct task_desc *task } =20 event =3D get_new_event(task, timestamp); + if (event =3D=3D NULL) + return; =20 event->type =3D SCHED_EVENT_RUN; event->duration =3D duration; @@ -416,6 +429,8 @@ static void add_sched_event_wakeup(struct perf_sched *s= ched, struct task_desc *t struct sched_atom *event, *wakee_event; =20 event =3D get_new_event(task, timestamp); + if (event =3D=3D NULL) + return; event->type =3D SCHED_EVENT_WAKEUP; event->wakee =3D wakee; =20 @@ -430,6 +445,10 @@ static void add_sched_event_wakeup(struct perf_sched *= sched, struct task_desc *t } =20 wakee_event->wait_sem =3D zalloc(sizeof(*wakee_event->wait_sem)); + if (!wakee_event->wait_sem) { + pr_err("ERROR: sched: failed to allocate semaphore\n"); + return; + } sem_init(wakee_event->wait_sem, 0, 0); event->wait_sem =3D wakee_event->wait_sem; =20 @@ -441,6 +460,9 @@ static void add_sched_event_sleep(struct perf_sched *sc= hed, struct task_desc *ta { struct sched_atom *event =3D get_new_event(task, timestamp); =20 + if (event =3D=3D NULL) + return; + event->type =3D SCHED_EVENT_SLEEP; =20 sched->nr_sleep_events++; --=20 2.54.0
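Review bot: in the get_new_event() hunk the NULL checks use two styles within one function (`if (event == NULL)` and `if (!atoms_p)`); pick one. Since `idx` already holds task->nr_events, the size could also read `size = sizeof(*task->atoms) * (idx + 1);`, which ties the allocation to the index written a few lines later. The ordering itself is right: realloc() into atoms_p, assign, then bump nr_events, so a failure leaves task untouched and the freshly allocated event is freed.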
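Review bot: in the first add_sched_event_wakeup() hunk the new `if (event == NULL) return;` runs straight into `event->type = SCHED_EVENT_WAKEUP;` without the blank line that the add_sched_event_run() and add_sched_event_sleep() hunks keep after their early return; add it for consistency.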
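Review bot: in the wait_sem hunk, the new early return leaves the wakeup event that get_new_event() has already stored in task->atoms with a NULL wait_sem and does not reach `sched->nr_wakeup_events++` (visible two lines below the hunk in the -sched.c context, not in this patch); the closing `}` that opens this hunk's context belongs to an earlier return path, so a wakeup with no wait_sem is evidently a state the replay already handles, but a one-line comment stating that the event degrades to a wakeup without a target would make the intent clear to a reader who only sees the error message.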
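The realloc pattern the commit message fixes is worth seeing side by side with its corrected form. The following is an added C example, not code from the patch or from perf: a toy model of how get_new_event() grows task->atoms, once in the old shape (counter bumped first, realloc() result written straight back, so the old array pointer is lost on failure) and once in the fixed shape (realloc() into a temporary, state committed only on success). t_realloc() is a hypothetical wrapper with a fault-injection switch so an allocation failure can be simulated on demand; the original's BUG_ON() is replaced by a NULL return in the old variant purely so the damaged state can be inspected.

```c
/* Added example, not code from the patch or from perf: old vs. fixed
 * shape of growing task->atoms, with a hypothetical fault-injecting
 * t_realloc() so an OOM can be simulated on demand. */
#include <stdio.h>
#include <stdlib.h>

struct sched_atom { unsigned long nr; unsigned long long timestamp; };
struct task_desc { struct sched_atom **atoms; unsigned long nr_events; };

static int fail_next_realloc;	/* set to 1: the next t_realloc() returns NULL */

static void *t_realloc(void *p, size_t n)
{
	if (fail_next_realloc) {
		fail_next_realloc = 0;
		return NULL;
	}
	return realloc(p, n);
}

/* Old shape: counter bumped first, realloc() result written straight back.
 * The original then hit BUG_ON(); returning NULL instead lets the damaged
 * state be inspected. */
static struct sched_atom *get_new_event_old(struct task_desc *task,
					    unsigned long long timestamp)
{
	struct sched_atom *event = calloc(1, sizeof(*event));
	unsigned long idx = task->nr_events;

	if (!event)
		return NULL;
	event->timestamp = timestamp;
	event->nr = idx;

	task->nr_events++;
	task->atoms = t_realloc(task->atoms,
				sizeof(struct sched_atom *) * task->nr_events);
	if (!task->atoms) {	/* old array pointer is already gone, count is off */
		free(event);
		return NULL;
	}
	task->atoms[idx] = event;
	return event;
}

/* Fixed shape: realloc() into a temporary, commit to task only on success. */
static struct sched_atom *get_new_event_fixed(struct task_desc *task,
					      unsigned long long timestamp)
{
	struct sched_atom *event = calloc(1, sizeof(*event));
	unsigned long idx = task->nr_events;
	struct sched_atom **atoms_p;

	if (!event)
		return NULL;
	event->timestamp = timestamp;
	event->nr = idx;

	atoms_p = t_realloc(task->atoms,
			    sizeof(struct sched_atom *) * (task->nr_events + 1));
	if (!atoms_p) {
		free(event);	/* task is exactly as it was before the call */
		return NULL;
	}
	task->atoms = atoms_p;
	task->nr_events++;
	task->atoms[idx] = event;
	return event;
}

static void task_release(struct task_desc *task)
{
	unsigned long i;

	for (i = 0; task->atoms && i < task->nr_events; i++)
		free(task->atoms[i]);
	free(task->atoms);
	task->atoms = NULL;
	task->nr_events = 0;
}

/* Add two events, then force the third realloc() to fail.  Returns 1 when
 * the task is still consistent afterwards (array present, count matching
 * the stored atoms), 0 when it is not, -1 if the injection did not fire. */
static int consistent_after_oom(int use_fixed)
{
	struct sched_atom *(*fn)(struct task_desc *, unsigned long long) =
		use_fixed ? get_new_event_fixed : get_new_event_old;
	struct task_desc task = { NULL, 0 };
	int ok;

	fn(&task, 10);
	fn(&task, 20);
	fail_next_realloc = 1;
	if (fn(&task, 30) != NULL)
		return -1;
	ok = task.atoms != NULL && task.nr_events == 2 &&
	     task.atoms[1]->nr == 1 && task.atoms[1]->timestamp == 20;
	task_release(&task);	/* old shape: atoms is NULL, the array has leaked */
	return ok;
}

int main(void)
{
	printf("fixed shape consistent after OOM: %d\n", consistent_after_oom(1));
	printf("old shape consistent after OOM:   %d\n", consistent_after_oom(0));
	return 0;
}
```

With the fixed shape the task still holds its two events after the failed growth and the caller can return early, as the patched add_sched_event_*() helpers do. With the old shape nr_events claims three events while atoms is NULL, and the two-entry array that realloc() left untouched is unreachable: that is the corrupted state and the leak the commit message refers to, and a leak checker run over this program will report it for the old variant only.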