From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, Alexey Budankov, "Claude Opus 4.6"
Subject: [PATCH 1/9] perf mmap: Guard cpu__get_node() return in aio_bind()
Date: Fri, 5 Jun 2026 20:38:29 -0300
Message-ID: <20260605233837.1773732-2-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Arnaldo Carvalho de Melo

perf_mmap__aio_bind() passes the cpu__get_node() return value directly to
an unsigned long variable (node_index). When cpu__get_node() returns -1 for
an unknown CPU, the implicit int-to-unsigned-long conversion sign-extends it
to ULONG_MAX. This causes bitmap_zalloc(ULONG_MAX + 1) which wraps to
bitmap_zalloc(0), returning a zero-sized allocation. The subsequent
__set_bit(ULONG_MAX, node_mask) then writes massively out of bounds.

Check the return value in a signed temporary before assigning to
node_index, and skip the NUMA binding when the node is unknown.

Fixes: c44a8b44ca9f ("perf record: Bind the AIO user space buffers to nodes")
Reported-by: sashiko-bot
Cc: Alexey Budankov
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/util/mmap.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c
index b69f926d314b148b..4404a99eee45f9c3 100644
--- a/tools/perf/util/mmap.c
+++ b/tools/perf/util/mmap.c
@@ -104,9 +104,15 @@ static int perf_mmap__aio_bind(struct mmap *map, int i= dx, struct perf_cpu cpu, i int err =3D 0; =20 if (affinity !=3D PERF_AFFINITY_SYS && cpu__max_node() > 1) { + int node; + data =3D map->aio.data[idx]; mmap_len =3D mmap__mmap_len(map); - node_index =3D cpu__get_node(cpu); + node =3D cpu__get_node(cpu); + /* -1 sign-extends to ULONG_MAX, wrapping bitmap_zalloc(0) and OOB __set= _bit */ + if (node < 0) + return 0; + node_index =3D node; node_mask =3D bitmap_zalloc(node_index + 1); if (!node_mask) { pr_err("Failed to allocate node mask for mbind: error %m\n"); --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B9CD83C1F24; Fri, 5 Jun 2026 23:38:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702737; cv=none; b=AQ3T8/QcWUdUR0DtmSfAeqk0pCCP5qwdBRHEz9DxF75Jo1qdRk7njofuqlFLWJXilOSiun+cE6oDTTvBmruprXMUWc+Rk9yrPhAh9Ac4tF1NwVGHIrkZCaUk9EQHKAV41sHscXpch4l5oJWF/SDhYf0C2P+7NnRapYtyP58BIqg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702737; c=relaxed/simple; bh=XgZP7SK7uYiC4TjhX28Gv+Nl9bhv/cL0Krq5o7kQkmI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=QCQM38seC3aO0TonLWawuMjpcUM/uJRSe2h0T5RY9ybLx+wKyvL5lVReg/To1hUsEs+DCyehFMeSLGsElLRu9zKmrCBxFo4vVaS2EjdQk7FDvKS14d/vZ08Na+6iblTzgvS2YTjNBrzdQB51QFGzelTVVqgzla2G6Nb+y6WrDsE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CfDUOmiB; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org 
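Review bot: the new `if (node < 0) return 0;` makes perf_mmap__aio_bind() report success while leaving the AIO buffer unbound whenever cpu__get_node() cannot resolve the CPU, so a user who asked for node affinity gets no indication that it was skipped; a pr_debug() or pr_warning() naming the CPU before the return would match the pr_err() this function already emits when bitmap_zalloc() fails. Minor: the added comment ("-1 sign-extends to ULONG_MAX, wrapping bitmap_zalloc(0) and OOB __set_bit") sits at two tabs of indent and runs past 80 columns; since the commit message already carries the full explanation, a shorter "/* cpu__get_node() returns -1 for unknown CPUs */" would do.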
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 2/9] perf stat: Bounds-check CPU index in topology aggregation callbacks
Date: Fri, 5 Jun 2026 20:38:30 -0300
Message-ID: <20260605233837.1773732-3-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Arnaldo Carvalho de Melo Six perf_env__get_*_aggr_by_cpu() functions access env->cpu[cpu.cpu] after only checking cpu.cpu !=3D -1. env->cpu[] is allocated with env->nr_cpus_avail entries, so a CPU index from an untrusted perf.data file that exceeds that count causes an out-of-bounds heap read. Replace the !=3D -1 guard with >=3D 0 && < env->nr_cpus_avail in all six functions. The >=3D 0 check also catches -1 and any other negative values that could bypass the old check. Affected functions: - perf_env__get_socket_aggr_by_cpu() - perf_env__get_die_aggr_by_cpu() - perf_env__get_cache_aggr_by_cpu() - perf_env__get_cluster_aggr_by_cpu() - perf_env__get_core_aggr_by_cpu() - perf_env__get_cpu_aggr_by_cpu() Fixes: 68d702f7a120 ("perf stat report: Add support to initialize aggr_map = from file") Reported-by: sashiko-bot Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-stat.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c index 99d7db372b480800..9a045811c4197ccd 100644 --- a/tools/perf/builtin-stat.c +++ b/tools/perf/builtin-stat.c @@ -1638,7 +1638,8 @@ static struct aggr_cpu_id perf_env__get_socket_aggr_b= y_cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) + /* env->cpu[] has env->nr_cpus_avail entries; reject untrusted indices */ + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) id.socket =3D env->cpu[cpu.cpu].socket_id; =20 return id; @@ -1649,7 +1650,7 @@ static struct aggr_cpu_id perf_env__get_die_aggr_by_c= pu(struct perf_cpu cpu, voi struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * die_id is relative to socket, so start * with the socket ID and then add die to 
@@ -1705,7 +1706,7 @@ static struct aggr_cpu_id perf_env__get_cache_aggr_by= _cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { u32 cache_level =3D (perf_stat.aggr_level) ?: stat_config.aggr_level; =20 id.socket =3D env->cpu[cpu.cpu].socket_id; @@ -1722,7 +1723,7 @@ static struct aggr_cpu_id perf_env__get_cluster_aggr_= by_cpu(struct perf_cpu cpu, struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { id.socket =3D env->cpu[cpu.cpu].socket_id; id.die =3D env->cpu[cpu.cpu].die_id; id.cluster =3D env->cpu[cpu.cpu].cluster_id; @@ -1736,7 +1737,7 @@ static struct aggr_cpu_id perf_env__get_core_aggr_by_= cpu(struct perf_cpu cpu, vo struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * core_id is relative to socket, die and cluster, we need a * global id. So we set socket, die id, cluster id and core id. 
@@ -1755,7 +1756,7 @@ static struct aggr_cpu_id perf_env__get_cpu_aggr_by_c= pu(struct perf_cpu cpu, voi struct perf_env *env =3D data; struct aggr_cpu_id id =3D aggr_cpu_id__empty(); =20 - if (cpu.cpu !=3D -1) { + if (cpu.cpu >=3D 0 && cpu.cpu < env->nr_cpus_avail) { /* * core_id is relative to socket and die, * we need a global id. So we set --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D62F3BBFDB; Fri, 5 Jun 2026 23:39:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702743; cv=none; b=cZ/W+NUwHUSw9iTRRGcJdPl+6H4kNmd1A5lY4kXA4QAiwGEpSDozyN5FSfo5zjzTZP0lkVuI/MKBWNq+Rt9CjZSSZQEFYe6B7zFpwP/IPnoP9ALvcOhhtTarCZH9+VLzjnwgaFCDU4o3F10wsAvVjin05X3rgsABa7kGZwQXN8M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702743; c=relaxed/simple; bh=pwvR8w2UjjI/8KEV+WmN7gI1K8WY8+krXN+FKiuq4Lw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=euvtnL8CpbynLDPDYk3dpUJW62LxF+FIkhBHAufzigKK2vmLEg7LvE7Wz9YSnzN6tYeAlQbAzKWq6JdHgNQlZG+zF2GhnNOzwV2WgievynYbh5Qtp+fh4mMW4M+Nlds+3q0eYhRPVpbgegT3r5vKuSBHSCEXveWTJ5DYqlqcHjU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=YQ7geLtk; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="YQ7geLtk" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 14F8E1F00898; Fri, 5 Jun 2026 23:38:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780702741; 
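Review bot: the same `cpu.cpu >= 0 && cpu.cpu < env->nr_cpus_avail` condition is now open-coded in six callbacks, and the comment that justifies it ("env->cpu[] has env->nr_cpus_avail entries; reject untrusted indices") appears only in the first hunk; a small helper next to these callbacks (a hypothetical `perf_env__cpu_index_valid(env, cpu)`, say) would keep the bound in one place, carry the comment once, and make a later change to how env->cpu[] is sized a one-line edit. The hunks otherwise look complete for the listed functions: every env->cpu[cpu.cpu] read shown is behind the new guard, and the diffstat of seven insertions and six deletions matches six condition rewrites plus one comment.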
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 3/9] perf c2c: Bounds-check CPU and node IDs before bitmap and array access
Date: Fri, 5 Jun 2026 20:38:31 -0300
Message-ID: <20260605233837.1773732-4-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Arnaldo Carvalho de Melo c2c_he__set_cpu() passes sample->cpu directly to __set_bit(cpu, cpuset) after only checking for the (u32)-1 sentinel. The cpuset bitmap is allocated with c2c.cpus_cnt bits (from env->nr_cpus_avail), so a crafted perf.data with CPU IDs exceeding that count causes out-of-bounds heap writes. c2c_he__set_node() similarly passes the node ID from mem2node__node() to __set_bit(node, nodeset) after only checking for negative values. The nodeset bitmap is sized to c2c.nodes_cnt (from env->nr_numa_nodes), so a node ID exceeding that causes OOB writes. process_sample_event() indexes c2c.cpu2node[cpu] and c2c_he->node_stats[node] without bounds checking. Both arrays are sized to c2c.cpus_cnt and c2c.nodes_cnt respectively. Add bounds checks in all three paths: - c2c_he__set_cpu(): return if sample->cpu >=3D c2c.cpus_cnt - c2c_he__set_node(): return if node >=3D c2c.nodes_cnt - process_sample_event(): clamp cpu to 0 if >=3D cpus_cnt, guard node_stats access with bounds check Fixes: 1e181b92a2da ("perf c2c report: Add 'node' sort key") Reported-by: sashiko-bot Cc: Jiri Olsa Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-c2c.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c index 3dd45a550fdb772a..f060dfbe11c285bf 100644 --- a/tools/perf/builtin-c2c.c +++ b/tools/perf/builtin-c2c.c @@ -245,6 +245,10 @@ static void c2c_he__set_cpu(struct c2c_hist_entry *c2c= _he, "WARNING: no sample cpu value")) return; =20 + /* cpuset bitmap has c2c.cpus_cnt bits from env->nr_cpus_avail */ + if (sample->cpu >=3D (unsigned int)c2c.cpus_cnt) + return; + __set_bit(sample->cpu, c2c_he->cpuset); } =20 
@@ -262,6 +266,10 @@ static void c2c_he__set_node(struct c2c_hist_entry *c2= c_he, if (WARN_ONCE(node < 0, "WARNING: failed to find node\n")) return; =20 + /* nodeset bitmap has c2c.nodes_cnt bits from env->nr_numa_nodes */ + if (node >=3D c2c.nodes_cnt) + return; + __set_bit(node, c2c_he->nodeset); =20 if (c2c_he->paddr !=3D sample->phys_addr) { @@ -391,7 +399,12 @@ static int process_sample_event(const struct perf_tool= *tool __maybe_unused, * Doing node stats only for single callchain data. */ int cpu =3D sample->cpu =3D=3D (unsigned int) -1 ? 0 : sample->cpu; - int node =3D c2c.cpu2node[cpu]; + int node; + + /* cpu2node[] has c2c.cpus_cnt entries; large u32 wraps signed negative = */ + if (cpu < 0 || cpu >=3D c2c.cpus_cnt) + cpu =3D 0; + node =3D c2c.cpu2node[cpu]; =20 c2c_hists =3D he__get_c2c_hists(he, c2c.cl_sort, 2, machine->env); if (!c2c_hists) { 
@@ -410,7 +423,9 @@ static int process_sample_event(const struct perf_tool = *tool __maybe_unused, c2c_he =3D container_of(he, struct c2c_hist_entry, he); c2c_add_stats(&c2c_he->stats, &stats); c2c_add_stats(&c2c_hists->stats, &stats); - c2c_add_stats(&c2c_he->node_stats[node], &stats); + /* node_stats[] has c2c.nodes_cnt entries */ + if (node >=3D 0 && node < c2c.nodes_cnt) + c2c_add_stats(&c2c_he->node_stats[node], &stats); =20 compute_stats(c2c_he, &stats, sample->weight); =20 --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EC10E3D333B; Fri, 5 Jun 2026 23:39:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702747; cv=none; b=p7vaGKoJo9tigyFQnbXpYWhJibvqeZREcWODtwv471ziA98mRERforbYnUbdWZhRqyUUTao5xO1IGvC4GDRWezGSTupjo4ccW4HctqbmzhQRRD8KDQPScxA/4AxQGaJ17ULO8VArG0idyjQwaqRZ5UdQsQVfkd4iZeBfTlJ56mg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702747; c=relaxed/simple; bh=wsh4JuGgIqUgiXKRo7BowkB0a41LNv4Yvy0huKtHVyc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gR9kGNAS0lPmgoWJPBzpNK/QqnPSruajA7hAY1yBg1yRtzhZJjb4BnJk2qyGX5dBE6VEgOYblGsTfTnPfS3ExrApHYF11qhT4TsvfjMyNVyMFrSk++/VV4gUPNa4HF7JCMhQ8eZhkITd5GMbi1z7++Twy1Nr/Jutyu7HTZI/dL0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=kIosFTEp; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="kIosFTEp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 802F71F00893; Fri, 
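Review bot: in process_sample_event() an out-of-range sample->cpu is clamped to 0 (`if (cpu < 0 || cpu >= c2c.cpus_cnt) cpu = 0;`), which silently charges the sample's node stats to whatever node CPU 0 belongs to instead of discarding it; that mirrors the existing `(unsigned int) -1 ? 0` handling for the no-CPU sentinel, but a CPU ID beyond cpus_cnt means a malformed file, so a WARN_ONCE() like the ones already used in c2c_he__set_cpu() and c2c_he__set_node() would at least make the skew visible. The "large u32 wraps signed negative" comment is correct because `cpu` is an int assigned from the u32 sample->cpu, and for the same reason the new check already turns the (unsigned int) -1 sentinel into -1 and then 0, so the ternary on the line above it is now redundant and the two could be collapsed into the single bounds check.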
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 4/9] perf c2c: Bounds-check CPU IDs in setup_nodes() topology loop
Date: Fri, 5 Jun 2026 20:38:32 -0300
Message-ID: <20260605233837.1773732-5-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Arnaldo Carvalho de Melo

setup_nodes() iterates CPU maps from the perf.data topology header and
uses cpu.cpu directly as an array index into cpu2node[] (allocated with
c2c.cpus_cnt = env->nr_cpus_avail entries) and __set_bit(cpu.cpu, set)
(bitmap also sized to c2c.cpus_cnt). A crafted perf.data with topology
CPU IDs exceeding nr_cpus_avail causes out-of-bounds heap writes into
both the cpu2node array and the per-node bitmap.

Add a bounds check to skip CPU IDs that fall outside the valid range.

Fixes: 1e181b92a2da ("perf c2c report: Add 'node' sort key")
Reported-by: sashiko-bot
Cc: Jiri Olsa
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-c2c.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
index f060dfbe11c285bf..cfc1ebe8c0af74dc 100644
--- a/tools/perf/builtin-c2c.c
+++ b/tools/perf/builtin-c2c.c
@@ -2371,6 +2371,10 @@ static int setup_nodes(struct perf_session *session) nodes[node] =3D set; =20 perf_cpu_map__for_each_cpu_skip_any(cpu, idx, map) { + /* topology CPU IDs from perf.data may exceed nr_cpus_avail */ + if (cpu.cpu < 0 || cpu.cpu >=3D c2c.cpus_cnt) + continue; + __set_bit(cpu.cpu, set); =20 if (WARN_ONCE(cpu2node[cpu.cpu] !=3D -1, "node/cpu topology bug")) --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3DDC3C1F24; Fri, 5 Jun 2026 23:39:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702753; cv=none; b=cw4p5sbKy6Bqixc7TV5yIhhxPu6gPxHGBuSFH9y9qiD6eCDtkwfmlE6xpGccrulMpeJ+QTyalXa6N66YIwiVeLSuczyuDFkKMv4Z93HGaThFMmJlmtFKurlwmDYt+65OU2M2sYo2x3gTEy976fsZjt/IuUYVqzCrpnFis/ravl8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702753; c=relaxed/simple; bh=uhxftI9WmsUrBDfnoqZy0tuVYE1n1UQaoDsc0yoOhJ0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XaAXAvitsvxcD/Ks+PZ5E6oyYZCfUsCw7r4i4MmUuQ1/RixXXTIIetQhwKCXfCgmbzBGaaC6IehQL6oVxnDI/kT9mOMbwNYfFZWRl5etgirG/pyR6uRz1ljd8pVhFUgF16ZPmWYiFoCU7/pj7MDI/gLdvLmkts+DrqeUUdyyu84= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KlK3oPLt; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KlK3oPLt" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7FFDC1F00898; Fri, 5 Jun 2026 23:39:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; 
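Review bot: a topology CPU ID that fails the new `cpu.cpu < 0 || cpu.cpu >= c2c.cpus_cnt` check is dropped with a bare `continue` and no diagnostic, while the statement right after it emits WARN_ONCE("node/cpu topology bug") for a duplicate mapping; for consistency a WARN_ONCE() or pr_warning() naming the out-of-range CPU would tell the user that the topology header disagrees with nr_cpus_avail. It is also worth saying in the commit message that a skipped CPU keeps its cpu2node[] entry at the -1 "unset" value the WARN_ONCE tests for, so that later lookups through cpu2node[] rely on their own node < 0 handling to keep such samples out of the per-node stats.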
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, David Ahern, "Claude Opus 4.6"
Subject: [PATCH 5/9] perf sched: Clean up idle_threads entry on init failure
Date: Fri, 5 Jun 2026 20:38:33 -0300
Message-ID: <20260605233837.1773732-6-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Arnaldo Carvalho de Melo

get_idle_thread() allocates a thread via thread__new() and stores it in
idle_threads[cpu], then calls init_idle_thread() to set up the private
data. If init_idle_thread() fails (e.g. OOM for the idle_thread_runtime
struct), the function returns NULL but leaves the partially initialized
thread in idle_threads[cpu].

On subsequent calls for the same CPU, get_idle_thread() finds a non-NULL
idle_threads[cpu], skips allocation, and returns thread__get() on a
thread that has no priv data. Callers then get a thread whose
thread__priv() returns NULL, leading to unexpected behavior.

Release the thread and reset the slot to NULL on init failure so the
entry doesn't persist in a corrupted state.

Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command")
Reported-by: sashiko-bot
Cc: David Ahern
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 21fb820b625b43e1..e4378cc9ab3ed48b 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2514,8 +2514,11 @@ static struct thread *get_idle_thread(int cpu) idle_threads[cpu] =3D thread__new(0, 0); =20 if (idle_threads[cpu]) { - if (init_idle_thread(idle_threads[cpu]) < 0) + if (init_idle_thread(idle_threads[cpu]) < 0) { + /* clean up so next call doesn't find a half-initialized thread */ + thread__zput(idle_threads[cpu]); return NULL; + } } } =20 --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77E6A3C1F24; Fri, 5 Jun 2026 23:39:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702759; cv=none; b=GX64BN+Lkfmvm5n15re8S8dCjpWV7wfxHPx4fTQTqkBMIj1tBDfMTZ1tuu0E0A/bgeUyzmS9Awz3jFn9JBQ+L/ux+lUabozd/ULPnZfCjlw1UL/LaRVdEb2o5lv43SLHGoMourTTHcJBdJmzbXcUCUu7Z4Ulfz1mwFdIIi8iXmA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702759; c=relaxed/simple; bh=Cbrq3cpZwD+oX414J8jZItla5ek07lji+9WiZWkNi8g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=tGx+OTvSfi61Ry6GO320iJGxECr4WaQrQntU8ecsMwykBFGZ+R5xPwmEwtpy/8eQ6P8xdjYIoioUJtGd3HTVAb/Z89rORvEbOnlSYfaop6VM0E1B/3RJMzZVTgMW1fEujwYgXqSaW8LR/mjzt+LhZ8wVNrtKw+/LeI+Kjp6a+gI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=C2XzSsTV; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="C2XzSsTV" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 57D591F00893; Fri, 5 Jun 2026 23:39:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; 
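Review bot: thread__zput(idle_threads[cpu]) drops the reference and NULLs the slot, which is exactly what the commit message asks for, but the hunk does not show whether init_idle_thread() can fail after it has already attached an idle_thread_runtime as the thread's priv (the commit message names OOM for that struct as one failure, not the only one); if a later step can fail, the put alone leaks the priv allocation unless thread__delete() frees thread__priv(), so please state in the commit message which of the two holds. Minor: the new comment line sits at three tabs of indent and exceeds 80 columns; wrapping it, or shortening it to "/* don't leave a half-initialized thread in the slot */", keeps checkpatch quiet.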
From: Arnaldo Carvalho de Melo
To: Namhyung Kim
Cc: Ingo Molnar, Thomas Gleixner, James Clark, Jiri Olsa, Ian Rogers, Adrian Hunter, Clark Williams, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, sashiko-bot, "Claude Opus 4.6"
Subject: [PATCH 6/9] perf sched: Use is_idle_sample() for idle thread runtime cast guard
Date: Fri, 5 Jun 2026 20:38:34 -0300
Message-ID: <20260605233837.1773732-7-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260605233837.1773732-1-acme@kernel.org>
References: <20260605233837.1773732-1-acme@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Arnaldo Carvalho de Melo

timehist_sched_change_event() uses thread__tid(thread) == 0 to decide
whether to cast thread_runtime to idle_thread_runtime. However, a crafted
perf.data can set common_pid=0 and common_tid=0 (the perf_sample fields)
while prev_pid != 0 (the tracepoint field). is_idle_sample() returns false
(it checks prev_pid for sched_switch), so timehist_get_thread() goes
through machine__findnew_thread() and returns the machine's TID 0 thread,
whose priv data is a regular thread_runtime, not the larger
idle_thread_runtime allocated by init_idle_thread().

The subsequent cast to idle_thread_runtime reads past the thread_runtime
allocation, accessing itr->last_thread, itr->cursor, and itr->callchain
from adjacent heap memory. Writing to itr->last_thread corrupts the heap;
calling thread__put() on the OOB value frees an arbitrary pointer.

Replace the thread__tid() == 0 check with is_idle_sample(), which uses the
tracepoint-specific prev_pid field and correctly identifies whether the
sample originated from an idle thread with idle_thread_runtime priv.

Fixes: 5d8f17fb5822 ("perf sched timehist: Add -I/--idle-hist option")
Reported-by: sashiko-bot
Cc: Namhyung Kim
Assisted-by: Claude Opus 4.6
Signed-off-by: Arnaldo Carvalho de Melo
---
 tools/perf/builtin-sched.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index e4378cc9ab3ed48b..4600d70b486104dd 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2902,7 +2902,13 @@ static int timehist_sched_change_event(const struct = perf_tool *tool, t =3D ptime->end; } =20 - if (!sched->idle_hist || thread__tid(thread) =3D=3D 0) { + /* + * Use is_idle_sample() not thread__tid() =3D=3D 0: a crafted perf.data + * can set common_pid=3D0 with prev_pid!=3D0, giving us a machine thread + * whose priv is thread_runtime, not idle_thread_runtime =E2=80=94 the ca= st + * below would read past the allocation. + */ + if (!sched->idle_hist || is_idle_sample(sample)) { if (!cpu_list || (sample->cpu < MAX_NR_CPUS && test_bit(sample->cpu, cpu_bitmap))) timehist_update_runtime_stats(tr, t, tprev); --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0BCF3DE43F; Fri, 5 Jun 2026 23:39:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702764; cv=none; b=GlQm+VV7W3sgpeuXSzE+UqWGrwMvnLwqBiwAPRb5EVL65f+b7B2bt2AtZ8rqT+zUYNBMq/BxiF1nihBeTL2qu4zcVM814jcKaB/HMqjv/qoKCmpK7QDT90Gq95M4Ft6WyJpfj3IijD55QbpA505Mt19IIe3mBdQppN0q9VCu2E0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702764; c=relaxed/simple; bh=NHgzWvSjJ7xclTBwzWp6Bjk2yNLkkyNWXdXWAEEC5dA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OLvw6yNgzW62QkN3Zl5Een6Iv2Oekx2XsKvuvthcyMx2qcI8nx0kSvZNFC1emW5oKTPEclWI1RruW5v3d6WlHcEPTIZtGcJucbusVM5Eavg0IWdLQRiWLEHuTcupI/GhDXDjz2toBhLFYY4aNBdEviP5oFENun7F8ay869aJry8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gk4x27nQ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass 
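Review bot: the added comment block contains a non-ASCII em dash (it arrives as =E2=80=94 in the quoted-printable body), and such punctuation in a C comment tends to get mangled on every mail round trip, as it did here; please replace it with a comma or " - ". The five-line comment also restates the commit message almost word for word; a one-liner along the lines of "/* thread__tid() == 0 is forgeable from perf.data, trust prev_pid via is_idle_sample() */" is enough, with the full reasoning left where it already is. One question on the call itself: the commit message says is_idle_sample() checks prev_pid only for sched_switch, which implies it needs to know which event it is looking at, yet the hunk calls `is_idle_sample(sample)` with the sample alone; please confirm that matches the signature in this tree so the patch builds on its own.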
(2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gk4x27nQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C0FA11F00898; Fri, 5 Jun 2026 23:39:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780702763; bh=hYBNmm3RVgxIwHwUN8g4kAEEgIyPRkbd7WM1Q4vJyW4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=gk4x27nQn7oKDn/Q3uY9WNnxP2uywUxGjxhu+sDvXIhAvaWbgvhpdrzGg6voQWN2r TvwHCk1xMmX9Kjgo7UgGsfQqsvZWdONPedSx2cPm/FPy4qeSINwsMOPYbyJ3uvCy0U XzV4S0xGiFKIfszopuIwbBn68PzoW01FfVoM2HRBrpfLcLBynEx+FV5h3NXzAjXTNA tesn5YRSS6PAX2/RGiUwaM1yPBtoGxl9Fuxh6pIhsBQPj2DgdGm4VOKuERzPBZnqb2 IYJa+seh4mjahmnk0ogf6Wi8M4Abojnx4q5haavw1DWEThJIA4itc7+DUTusiBE9fx Q9u/JSq5wqI6g== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , David Ahern , "Claude Opus 4.6" Subject: [PATCH 7/9] perf sched: Fix thread reference leak in idle hist processing Date: Fri, 5 Jun 2026 20:38:35 -0300 Message-ID: <20260605233837.1773732-8-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605233837.1773732-1-acme@kernel.org> References: <20260605233837.1773732-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Arnaldo Carvalho de Melo timehist_sched_change_event() sets itr->last_thread to NULL at the end of idle hist processing without calling thread__put() first. The thread reference was acquired via thread__get() in timehist_get_thread() (line 2581), so every idle context switch leaks a thread reference when --idle-hist is active. Use thread__zput() to properly release the reference before clearing the pointer. Fixes: 5d8f17fb5822 ("perf sched timehist: Add -I/--idle-hist option") Reported-by: sashiko-bot Cc: David Ahern Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 4600d70b486104dd..c0cd3cbb602aa4c0 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c 
@@ -2940,7 +2940,7 @@ static int timehist_sched_change_event(const struct p= erf_tool *tool, if (itr->cursor.nr) callchain_append(&itr->callchain, &itr->cursor, t - tprev); =20 - itr->last_thread =3D NULL; + thread__zput(itr->last_thread); } =20 if (!sched->summary_only) --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1551B3DFC61; Fri, 5 Jun 2026 23:39:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702770; cv=none; b=kSjp5mos3BNlKWdokuSJADCJVxciaq3FTGxmNdfFsfi6uBnOv0EXFwc13IVeQJ4v/6WIxO+w3WQ5X2e3g3QARFl7z3CQNroLlA5M8Gwro0JckOC7tsPP6k5P+CJoNr/+EBU7M6faC5Xx7uHmCWvk6+nP3jlgXg2AggEiwxUoi7w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702770; c=relaxed/simple; bh=WtrrDXKiDxIbs99Gm+qAELVsqsOTsu5vRDXbZ5/Fy1g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=kqfaW3LUt3NPjHpM33wjLAt3KFbJ0PTEQt5jPcF9pMMh20UV/cDvtcT0chD1dW43GK2uO5y5Nq9/cabYGMJu+P/kGnfudIltPZbkDiE8t66Z+4feVtFaZwxc2zgRLfbrQYv1GlCofpvkISG5S0qyynSoOkGZtNhhYgclEKp2tZU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aU41hQ9m; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aU41hQ9m" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 02EB31F00893; Fri, 5 Jun 2026 23:39:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780702769; bh=Gk6/priqYvwcZIoohK9yYGBxtpztJnmaiEMTYJz0TqQ=; 
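Review bot: thread__zput(itr->last_thread) is only the correct pairing if every store to itr->last_thread goes through thread__get(); this hunk shows the release but not the acquisition, so it cannot be confirmed from the diff that no path stores a borrowed pointer there, which the new call would turn into a double put. Please name the acquisition site by function (timehist_get_thread()) in the commit message instead of "line 2581", which goes stale on the next edit of builtin-sched.c.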
h=From:To:Cc:Subject:Date:In-Reply-To:References; b=aU41hQ9m8AKjPdCbaXZmaA+fFnLuTgQRN23SA8nY+WyjGT+TrGs1ge55g0qWX9mW2 7U/gVu1gltmF+QUsUspLtpHHAtuMoFeBu/UuZLnj4Im/LyMSAykSKcBt4D6c4FYEhy F49Ac0hxOb8r0oU1GpOl2H18/wzJ8VeNNPyKiylUjflTSNwBotcXO3hVssyLU8lTkV L68axWe2tLkfFjoWhMoUXUiNyx4JWeepsSZwfxIlT28lpdbwWCE8pFEZ3oQQh7DpqN AfenKRhU2QLQZBrGwABWek2qrIIjBnCoRTlpXgH1OkBqG47l45vIV/5Yz7ii517gpK v/JPoQyzPz10w== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , David Ahern , "Claude Opus 4.6" Subject: [PATCH 8/9] perf sched: Use thread__put() in free_idle_threads() Date: Fri, 5 Jun 2026 20:38:36 -0300 Message-ID: <20260605233837.1773732-9-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605233837.1773732-1-acme@kernel.org> References: <20260605233837.1773732-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo free_idle_threads() calls thread__delete() directly instead of thread__put(), bypassing the reference counting lifecycle. Under REFCNT_CHECKING builds, this leaks the pointer handle since thread__delete() frees the object without going through the refcount wrapper. The idle threads are created via thread__new() (refcount=3D1) in get_idle_thread(). Callers get additional references via thread__get() which they release with thread__put(). free_idle_threads() drops the base reference =E2=80=94 thread__put() is the correct call, matching the thread__new() acquisition. Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command") Reported-by: sashiko-bot Cc: David Ahern Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 
Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index c0cd3cbb602aa4c0..732c65008a8a5240 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c 
@@ -2481,7 +2481,7 @@ static void free_idle_threads(void) if (itr) thread__put(itr->last_thread); =20 - thread__delete(idle); + thread__put(idle); } } =20 --=20 2.54.0 From nobody Mon Jun 8 06:36:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63A313C1F24; Fri, 5 Jun 2026 23:39:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702775; cv=none; b=nQRSeJ29HDhvbfnPgiilhjE2y3FcAurGuWeM7qFL1zPu95m5XjaVIMyeRnU4zm3ugihA7kKkNbqSeZCC1cenVXAVynACGTvhdWCCZ+7B2IpPf5gKb2tgpxoChZt9UBAo44giOEiAxio5FKQ8VZIdbPlYLFM0Km2+bKCv3/3+xII= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780702775; c=relaxed/simple; bh=7E+u88YjhqSFrOC8EAI6iyi24IFEPnQ79oxxisFcQrc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iYmIV1GoQjyDVQcrSw1qReg7BMcPnRWr8+J01QqGDOHr4IWYZJf46aqajfePJzb8g1dE3K7QLPQTcAKZ5+VlRrsJy2P8YLrCJgkG+ekEnf2aO0aRRcxn8Yj/WwruVSbbsZzn4IiF3RIFjcQh7ij35rfhaxCXJWaMDjcb/wrxhIc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=EO+wPeSd; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="EO+wPeSd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 86BB51F00898; Fri, 5 Jun 2026 23:39:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780702774; bh=Mf/zzc3NHCDU7+/AiwA0r3A/M8he1jXO0lPdQVV+t+k=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=EO+wPeSdMZGPZ84N2SKJgIrpjvrXu2+KpWhVU/B8ssJ1vpH9GOHhWYjK6cZJpqUW5 
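Review bot: the unchanged `if (itr) thread__put(itr->last_thread);` just above the changed line leaves itr->last_thread dangling; with thread__delete() that did not matter because the idle thread was torn down unconditionally right after, but `thread__put(idle)` only drops one reference, so if any other holder keeps the idle thread alive its priv still points at a released thread. Suggest `thread__zput(itr->last_thread);` for that first call, and clearing the slot `idle` was read from after the put, unless the containing array is freed immediately afterwards (not visible in this hunk, so the commit message could say so).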
6r0+zDXip2lDy/mrGUneE256hieX3JCUKuDQeet971Sz77VfX3yxrDs473TL9zdzW3 eUv9JK2XwSKrbYVgoQpUhh/0bLVMkgQfA8xtye1FdE/aPHFx4TxlaSAtBiqcsljLow iBegfAbC2KeVtUo+vwZnh24SB8QqXiQGhbamDkn7bhReHR+SzXfeLRtKWH7BnJFTn2 d2nvLtCvG9f5lst5Lar1kINCUcCEIl0D32+jrrxtoDWVqZTpNsvf7n8Xq13DffBmr8 VhgTP2bffwrXQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 9/9] perf sched: Replace BUG_ON and add NULL checks in replay event helpers Date: Fri, 5 Jun 2026 20:38:37 -0300 Message-ID: <20260605233837.1773732-10-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260605233837.1773732-1-acme@kernel.org> References: <20260605233837.1773732-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Arnaldo Carvalho de Melo get_new_event() has three issues: 1. The zalloc() result is dereferenced without a NULL check, crashing on allocation failure. 2. BUG_ON(!task->atoms) kills the process when realloc() fails. Since perf.data is untrusted input, this should be a graceful error. 3. The realloc pattern assigns directly to task->atoms, losing the old pointer on failure. task->nr_events is also incremented before the realloc, leaving corrupted state on failure. Fix get_new_event() to: - Check the zalloc() result before dereferencing - Use a temporary for realloc() to avoid losing the old pointer - Increment nr_events only after successful realloc - Return NULL instead of calling BUG_ON on failure Also fix add_sched_event_wakeup() where zalloc() for wait_sem is passed to sem_init() without a NULL check. Update all callers (add_sched_event_run, add_sched_event_wakeup, add_sched_event_sleep) to handle NULL returns by returning early. The replay may produce incomplete output on OOM but will not crash. Fixes: ec156764d424 ("perf sched: Import schedbench.c") Reported-by: sashiko-bot Cc: Ingo Molnar Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 732c65008a8a5240..b7ccdc6a985d1c7b 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c 
@@ -365,14 +365,25 @@ get_new_event(struct task_desc *task, u64 timestamp) struct sched_atom *event =3D zalloc(sizeof(*event)); unsigned long idx =3D task->nr_events; size_t size; + struct sched_atom **atoms_p; + + if (event =3D=3D NULL) { + pr_err("ERROR: sched: failed to allocate event\n"); + return NULL; + } =20 event->timestamp =3D timestamp; event->nr =3D idx; =20 + size =3D sizeof(struct sched_atom *) * (task->nr_events + 1); + atoms_p =3D realloc(task->atoms, size); + if (!atoms_p) { + pr_err("ERROR: sched: failed to grow atoms array\n"); + free(event); + return NULL; + } + task->atoms =3D atoms_p; task->nr_events++; - size =3D sizeof(struct sched_atom *) * task->nr_events; - task->atoms =3D realloc(task->atoms, size); - BUG_ON(!task->atoms); =20 task->atoms[idx] =3D event; =20 @@ -403,6 +414,8 @@ static void add_sched_event_run(struct perf_sched *sche= d, struct task_desc *task } =20 event =3D get_new_event(task, timestamp); + if (event =3D=3D NULL) + return; =20 event->type =3D SCHED_EVENT_RUN; event->duration =3D duration; @@ -416,6 +429,8 @@ static void add_sched_event_wakeup(struct perf_sched *s= ched, struct task_desc *t struct sched_atom *event, *wakee_event; =20 event =3D get_new_event(task, timestamp); + if (event =3D=3D NULL) + return; event->type =3D SCHED_EVENT_WAKEUP; event->wakee =3D wakee; =20 @@ -430,6 +445,10 @@ static void add_sched_event_wakeup(struct perf_sched *= sched, struct task_desc *t } =20 wakee_event->wait_sem =3D zalloc(sizeof(*wakee_event->wait_sem)); + if (!wakee_event->wait_sem) { + pr_err("ERROR: sched: failed to allocate semaphore\n"); + return; + } sem_init(wakee_event->wait_sem, 0, 0); event->wait_sem =3D wakee_event->wait_sem; =20 @@ -441,6 +460,9 @@ static void add_sched_event_sleep(struct perf_sched *sc= hed, struct task_desc *ta { struct sched_atom *event =3D get_new_event(task, timestamp); =20 + if (event =3D=3D NULL) + return; + event->type =3D SCHED_EVENT_SLEEP; =20 sched->nr_sleep_events++; --=20 2.54.0
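Review bot: in the get_new_event() hunk, the realloc failure path has to free() an `event` whose `timestamp` and `nr` were already filled in; growing task->atoms before the zalloc of the event would make that path a plain `return NULL` with nothing to unwind. More importantly, returning NULL to void callers means the replay silently continues with a truncated atom list, and pr_err() fires once per event for as long as the allocator keeps failing; consider propagating an error (an int return from the add_sched_event_* helpers) so that the replay stops, which is what treating perf.data as untrusted input in the commit message argues for anyway.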
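Review bot: in the first add_sched_event_wakeup() hunk, the new `if (event =3D=3D NULL) return;` is not followed by a blank line before `event->type =3D SCHED_EVENT_WAKEUP;`, unlike the equivalent checks added to add_sched_event_run() and add_sched_event_sleep(); keep the three callers formatted the same way.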
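Review bot: in the wait_sem hunk of add_sched_event_wakeup(), the early return leaves the WAKEUP atom already appended to task->atoms with `wait_sem` NULL and bumps neither nr_wakeup_events nor one of the failure counters, so the summary counts no longer add up to the number of atoms recorded; either count it or report the error to the caller. The `sem_init(wakee_event->wait_sem, 0, 0);` on the following line is still unchecked, which is the same class of issue this patch is fixing.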