From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 37C5E1EE7B7; Mon, 8 Jun 2026 01:31:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882276; cv=none; b=kVVGBO/rHm81ZJD41sLXBrzDdaKS24m3qOqFiIKOv65j3evi65c6EpD6y8yni1YHELcZFtFMvOOgtRtm5rZg3sh1PEvgg+g85A+jMeF31tKOEFD3zbtIlaoHdrZ8AHbmXRup7ZIZtkDL6DKUbJeo2icX3mAAIqpX5a33ksN6n60= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882276; c=relaxed/simple; bh=5VWP2TekBIjJm70E0VzMP3ju0hgOjK8Wt8W8C1t9uZs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=swj5Nddm0w23C5I9fndRIOB5jIfbo44GmynmoLP2dxq7HTB0JJWGvsxwP3+Oy7BHWR+9vUJfd/KHaAgfxxPW9tC7sPECNW1cM1NoxkAG0jfQFDHTxp8d5rTqOPjXSc7kOAj7DXmIaaA4YNrGIK093mecqsiwP8JgxamIXO/+F5I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=cYftv8dB; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="cYftv8dB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 070101F00898; Mon, 8 Jun 2026 01:31:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882274; bh=R5WxjEJlqlEk6iV+ivR2s+nGEBp270wPJyGXkOmIs10=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=cYftv8dBlzwg5+wiqn8FzvtM1I9ETC+R2JvOAtxFVQgYT56c/mR7lBCdBI46ugl1G cwGZGHrKnfFiow9U9NsNDmOHA0TzEF5F5bAzH8K/X/bNUZgUyghg9+mMG+NkzRtrGl nJRUKJoX8k94bUS2+k7Fa+aXbRxL9GaIHUjzQfpPNp/mApWd0CQSYeb3KVHxbDuXHW OMlveSHTa/bSaRH7L9JL+s1F85MEATL+3o4kOOz912YYVQ1Yw5C8Jau8ZiSSLEAmTt 2YcVNvu31JZPQSmO4/tLMuFjT6PAZC+dO8Cuk3oQ6Dh0T5MPBQ8qOuarLvzBsiAIbk zOzQcDoAo7zLQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Don Zickus , "Claude Opus 4.6" Subject: [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file Date: Sun, 7 Jun 2026 22:30:45 -0300 Message-ID: <20260608013057.1942953-2-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo get_max_num() reads a sysfs file (cpu/possible, cpu/present, or node/possible) and scans backward from the end to find the last number. If the file is empty, filename__read_str() returns num =3D=3D 0. The loop `while (--num)` decrements the size_t from 0 to SIZE_MAX, reading backward across the heap until a comma or hyphen is found or unmapped memory is hit. Add an early return for empty files before the backward scan. Fixes: 7780c25bae59fd04 ("perf tools: Allow ability to map cpus to nodes ea= sily") Reported-by: sashiko-bot Cc: Don Zickus Cc: Ian Rogers Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/cpumap.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c index 21fa781b03cc7409..1fab00ec4a59a0c7 100644 --- a/tools/perf/util/cpumap.c +++ b/tools/perf/util/cpumap.c @@ -448,6 +448,12 @@ static int get_max_num(char *path, int *max) =20 buf[num] =3D '\0'; =20 + /* empty file =E2=80=94 nothing to parse */ + if (num =3D=3D 0) { + err =3D -1; + goto out; + } + /* start on the right, to find highest node num */ while (--num) { if ((buf[num] =3D=3D ',') || (buf[num] =3D=3D '-')) { --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 414642ECD3A; Mon, 8 Jun 2026 01:31:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882282; cv=none; b=UVIC14UrIm2VnsUwSty4e6Egse9Tbo4uJ9TKgkoSlHZ+s03Whuj21BAUjUsuRC9ZSKbo1zf9o6ARkatcgMSxV7EH5en12uAe8MlQSYdYdWYt+UNiEIxKcTv+pthasyQwybcZnFXwkeinFhnlp5BAGY+T/EXpo0QVdf3sZ0zg/y4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882282; c=relaxed/simple; bh=8oP7hB9MDt6oG1Hv7KYLG/CmRoOreb6KJ/kW2XKBrzc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=JBgpHBpP3s4K5DGWKqf3Wm8ieeFpLyE0wHF71W1LKHwEAlQQAcLKWwgGatpDpySglG3TKxnd6H2ZpvtKWhIUAb7YdNl2ZmVZU6ODA97e8tF9dy51r8CvZ5pGhbS9jh3FyiSKFI+5oBJ/rk/mZJ0uYEKTx5VlrDVQWZorjtk923k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=i6QK/oWT; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="i6QK/oWT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 655FD1F00893; Mon, 8 Jun 2026 01:31:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882280; bh=WWjO4YE2PlQ4rvEgx3bcf86O7xkbmHwbGnNMXwpflTU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=i6QK/oWT/36Baf/PRuaAYBO+h6fJHwZEFfLGibIPgWcdaWQWX0G9bA8QL/7V3ywHt lo15EIBQQlyvBgHL/d/HAgAdmj9YMjsOzuoExQxSwRcuwwctynW4GtPp8lP2KmQ4KN Lii5LDAlQ9vbNJhtwyDGvbuf88/9xNRaE/TNjaEcq5XplZsFnKlu6UW6Yyt+xunQa0 FjNQDIEUd0Gc5aBTBqQejCFiSIuvFO8piSJMQGYgkPquXe1xxlY6PYEif9uvFqWpu+ EByI9aP5MhqPoPHjNzVFA5p8eMV8QkG9h5bAUrPPh+rPrWvfCbouqi5Y83Ijh/ieYl nOM1rAIOi3y2A== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 02/11] perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow Date: Sun, 7 Jun 2026 22:30:46 -0300 Message-ID: <20260608013057.1942953-3-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo cpu_map__snprint() accumulates snprintf() return values in ret. snprintf() returns the number of characters that *would have been written* on truncation, not the actual count. When a fragmented CPU list exceeds the buffer, ret grows past size, causing `size - ret` to underflow (both are size_t), and subsequent snprintf() calls write past the end of the caller's stack buffer. Switch to scnprintf() which returns the actual number of characters written, making ret accumulation safe by construction. Fixes: a24020e6b7cf6eb8 ("perf tools: Change cpu_map__fprintf output") Reported-by: sashiko-bot Cc: Jiri Olsa Cc: Ian Rogers Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/cpumap.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c index 1fab00ec4a59a0c7..23ebe9b97f8e58af 100644 --- a/tools/perf/util/cpumap.c +++ b/tools/perf/util/cpumap.c @@ -692,21 +692,21 @@ size_t cpu_map__snprint(struct perf_cpu_map *map, cha= r *buf, size_t size) if (start =3D=3D -1) { start =3D i; if (last) { - ret +=3D snprintf(buf + ret, size - ret, - "%s%d", COMMA, - perf_cpu_map__cpu(map, i).cpu); + ret +=3D scnprintf(buf + ret, size - ret, + "%s%d", COMMA, + perf_cpu_map__cpu(map, i).cpu); } } else if (((i - start) !=3D (cpu.cpu - perf_cpu_map__cpu(map, start).cp= u)) || last) { int end =3D i - 1; =20 if (start =3D=3D end) { - ret +=3D snprintf(buf + ret, size - ret, - "%s%d", COMMA, - perf_cpu_map__cpu(map, start).cpu); + ret +=3D scnprintf(buf + ret, size - ret, + "%s%d", COMMA, + perf_cpu_map__cpu(map, start).cpu); } else { - ret +=3D snprintf(buf + ret, size - ret, - "%s%d-%d", COMMA, - perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu); + ret +=3D scnprintf(buf + ret, size - ret, + "%s%d-%d", COMMA, + perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu); } first =3D false; start =3D i; --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8DB1412CDBE; Mon, 8 Jun 2026 01:31:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882289; cv=none; b=VhIrHrvGB5ZpK9ZP4r4P6EIMpjXoFSXasZQQfC9UdDe25IOKjn7zbhewLh+6D6IZTStsU/FLNAQeNLCuBf2KCIQ1MN2j3gEjVj9PDJ6o+wYpIlA1gov49YJ4sqPP6flG8LcOS1mfcGTcNOxaq9+H5+r4GgwTS4SzcNXAg6fAqUI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882289; c=relaxed/simple; bh=DV6MxLEhw7qAh6KRaDlNzT53c+Txl827/7e6KFEnOsI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mlkqdihZfMtc21nFYiiEinPUwNrNm7ecjkneCj69pxhDqJJzQuv31eXLnpgm0O7N/bchGNDB2ccq/IcrIpRUXyxQ0k4BUy0I4Mf4x8zGnDd3niMu64eyAXeRYXNQu2/bmwOG6F4sBaDGkhfoIL6gS9cELT9p72Hl3wBF8g1qFNc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZSKobBKL; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZSKobBKL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 75D481F00898; Mon, 8 Jun 2026 01:31:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882288; bh=CAPPe/vMoyb4wKCuPz6EN/06t84Hid4mzXfCYax9ccU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZSKobBKLA/AR6FsNGXnybTIrCJd1X98i/Z2d0++Z2LAxVZ5rso0/Mx9++T0DW9E6u kDjFTQOxUy7cjUl8UhoeyZEnvPB9Mq3je+Ss0ZTQfUYcEApVJL4c5GNIHVfeTtF5xD QUHdwKPDyNglQQrxoYCjd+ZWMwBYbRKfqYt52Yg5DSS6TJ61FnIfJV/bDNxM3uAbHW lOAMQL/jDqZY2m8cwu43m0ykG2u8HTJUI1udVUdZaoDQaiGtvqk6UnttVvOEPF0jne IiCW1dj4khDVYV5Y7DMRvc3GNuYRjryTIGKGfvihfY8JOqNY9zviC5dkSkI8xeexAx KCNPCmgCwMZJQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Kan Liang , "Claude Opus 4.6" Subject: [PATCH 03/11] perf tools: Use perf_env__get_cpu_topology() in machine__resolve() Date: Sun, 7 Jun 2026 22:30:47 -0300 Message-ID: <20260608013057.1942953-4-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo machine__resolve() accesses env->cpu[al->cpu].socket_id after checking al->cpu >=3D 0 and env->cpu !=3D NULL, but without validating al->cpu against env->nr_cpus_avail. Since al->cpu comes from the untrusted perf.data sample, a crafted file with a large CPU index causes an out-of-bounds heap read. Use perf_env__get_cpu_topology() which validates both NULL and bounds. Fixes: 0c4c4debb0adda4c ("perf tools: Add processor socket info to hist_ent= ry and addr_location") Reported-by: sashiko-bot Cc: Kan Liang Cc: Ian Rogers Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/event.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c index 66f4843bb235df53..66293fea64fde9fd 100644 --- a/tools/perf/util/event.c +++ b/tools/perf/util/event.c @@ -14,6 +14,7 @@ #include #include "cpumap.h" #include "dso.h" +#include "env.h" #include "event.h" #include "debug.h" #include "hist.h" @@ -835,9 +836,13 @@ int machine__resolve(struct machine *machine, struct a= ddr_location *al, =20 if (al->cpu >=3D 0) { struct perf_env *env =3D machine->env; + struct cpu_topology_map *topo; =20 - if (env && env->cpu) - al->socket =3D env->cpu[al->cpu].socket_id; + if (env) { + topo =3D perf_env__get_cpu_topology(env, (struct perf_cpu){ al->cpu }); + if (topo) + al->socket =3D topo->socket_id; + } } =20 /* Account for possible out-of-order switch events. */ --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EA6493009F6; Mon, 8 Jun 2026 01:31:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882294; cv=none; b=LNHsArIzXKVD589Einfcu0Nb/RgmlZahRtCBDuonyEcWhalUFbRiZEieWAVpXP+k7RYJzXJ9egqXN7KQPq4hWVJFoGStDXFvQQUBohrqploE5Da19+NGe/tknM43qeLmn15PyHNzCUadDxEGdqiyYhVIUqbDFj1FUT7fWo8R0w4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882294; c=relaxed/simple; bh=fp5aNOc0QaAaB+df522Lom/3m5C8UWJLa1uYJNH8s5A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=YZ7p2aO16UFOiqddYwsTAzuX5pdXhbdHEz1rXf0W7mO9o/4CsSKr1VdVhMPpuFnquuAbxx0PlkKSThOw9YX/6WZAp1Ew4nNCDRti+seNF1HjfvLC2MpMmWh3ATI4KMRSJdXbK6Bdrixw/NB/vEJG6jA7hMAAV5CKTKki3i9DKeE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=C9YL4WzG; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="C9YL4WzG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C65D91F00893; Mon, 8 Jun 2026 01:31:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882293; bh=DqRSKCvwdIVxBFjQ5Fuic688QpH8RP/c6GYvhZYObl4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=C9YL4WzGuOO7APrErDtk6hCtQg0PtlsA7LZFUQWMA2lqGDQZy/GiEC8NA87qUuNKQ uctMVpQlikB60JfVzIVKIU7krbc63wfZtpbShHnNZN/Innvk3fgfhcB9FxyJw1OrY9 t2TpFI7FwHaIlvmrjQEVc7Fpp83lvBvAaFhwsWjxat/NpjeCuI8LK9mVorB0jbZbyz wr8CTFyu3JrYlbqgnOjJ90AIerytdL3K7/ma0vW9aBqkucB5HZR3kbJOjZmyk83Bj3 q70RYxdrp5ct2VfOUEgLxXM05IdCGhYUFynPsw7CEkTqx+GfCYPVVdp470PGI6xdj4 DPgNk+ASIXTDQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Alexey Budankov , "Claude Opus 4.6" Subject: [PATCH 04/11] perf mmap: Fix mbind() maxnode vs bitmap allocation mismatch in aio_bind Date: Sun, 7 Jun 2026 22:30:48 -0300 Message-ID: <20260608013057.1942953-5-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo perf_mmap__aio_bind() allocates a node mask bitmap with bitmap_zalloc(node_index + 1) bits, but passes node_index + 2 as the maxnode argument to mbind(). The mbind syscall interprets maxnode as the number of bits to read from the mask. When node_index + 2 crosses a BITS_PER_LONG boundary (e.g. node_index =3D 63 on 64-bit), the bitmap occupies 8 bytes but mbind reads 16 =E2=80=94 an out-of-bounds read of user heap memory into kernel space. Allocate node_index + 2 bits to match what mbind will actually read. Fixes: 44d462acc0bf3eab ("perf record: Fix binding of AIO user space buffer= s to nodes") Reported-by: sashiko-bot Cc: Alexey Budankov Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/mmap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c index d64aec6c7c843e81..8012301d3cf2ac9a 100644 --- a/tools/perf/util/mmap.c +++ b/tools/perf/util/mmap.c @@ -113,7 +113,8 @@ static int perf_mmap__aio_bind(struct mmap *map, int id= x, struct perf_cpu cpu, i if (node < 0) return 0; node_index =3D node; - node_mask =3D bitmap_zalloc(node_index + 1); + /* mbind's maxnode is node_index + 2 =E2=80=94 allocate to match */ + node_mask =3D bitmap_zalloc(node_index + 2); if (!node_mask) { pr_err("Failed to allocate node mask for mbind: error %m\n"); return -1; --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AC702265CA8; Mon, 8 Jun 2026 01:31:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882301; cv=none; b=LRKUooXKUfGLGhPkqGHktqzyAiiTmq+nUj4CRqdZp66DkOvE33P6E4sbzPPyluJ44qOT4G8OP+8M7p2DwdcfJxjAP86FJW5M7J2LfN+a19wk48+nWiPDe5k/w5lrISPl9BsupUueElmfT2XkxeCfmXGITzGT5b2kPZ80aYZfJ+w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882301; c=relaxed/simple; bh=NS10eLvR1wIFhOrcyHm5S3Szt5dZ5EAeLNZsWzPIJB0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=trL8JZZ7BYEj5J3NOLnkQnVQ5g/9umjomZ4gINzKyejPGDbi9GaD6Kn/ffDeVzIx+GWFTGrFmpPVmBFL7QtcegeQQlgnW6yzXMI/FYWZ6K+OEsAe+GrtTejHr+VnLFXrr6vEFWsv073kflk+mxybm2xRBQVeZWrBpEggKyy4s/8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TvvrbbSj; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TvvrbbSj" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 595BC1F00898; Mon, 8 Jun 2026 01:31:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882300; bh=OoWkGv7kFgVWTn6c6kHUxAclF8Ie+haXIj31Xrb+qPs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=TvvrbbSjym3Ew5Ja4JAx+4BqlD2AMfafL1UFdV9W/skhefuOe+9o8TRHj1QeEom3M 9doDHWG3ldS17Q0UHF+mtEsCbeqy6E8din7nKebx1HdIVRAPXPg9bA9iY3Cdd0vOjq ufMRtzpyyXzrspDSmhjgyvvBtGOb6JbMJU5MikZ0GLclFBTCZrXbSlGioKcvifPxWp mkrRPMMVHdO/i7Rtx2xrUU8zWfBb+u4ygZ7GLhV1DooJnot3VKK5XJQjHlBvvwfOn3 JybRK3gKBxku/e5YcPRdLIV5WYs+aotNc9VbfdNE3Qa/yplVq04w/Dh0lZD3hcmD7R QWBXAOZTwovOw== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Alexey Budankov , Alexey Bayduraev , "Claude Opus 4.6" Subject: [PATCH 05/11] perf tools: NULL bitmap pointers after bitmap_free() Date: Sun, 7 Jun 2026 22:30:49 -0300 Message-ID: <20260608013057.1942953-6-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo Three call sites free bitmaps without NULLing the pointer, risking double-free if the structure is reused or cleanup is called twice: - mmap__munmap(): map->affinity_mask.bits - record__mmap_cpu_mask_free(): mask->bits - memory_node__delete_nodes(): nodesp[i].set Set each pointer to NULL after bitmap_free(). Fixes: 8384a2600c7ddfc8 ("perf record: Adapt affinity to machines with #CPU= s > 1K") Fixes: f466e5ed6c356d1d ("perf record: Extend --threads command line option= ") Fixes: 36d8658618c2505f ("perf header: Validate bitmap size before allocati= ng in do_read_bitmap()") Reported-by: sashiko-bot Cc: Alexey Budankov Cc: Alexey Bayduraev Cc: Arnaldo Carvalho de Melo Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-record.c | 1 + tools/perf/util/header.c | 4 +++- tools/perf/util/mmap.c | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c index a33c78f030d91012..e915390556752b9e 100644 --- a/tools/perf/builtin-record.c +++ b/tools/perf/builtin-record.c @@ -3084,6 +3084,7 @@ static int record__mmap_cpu_mask_alloc(struct mmap_cp= u_mask *mask, int nr_bits) static void record__mmap_cpu_mask_free(struct mmap_cpu_mask *mask) { bitmap_free(mask->bits); + mask->bits =3D NULL; mask->nbits =3D 0; } =20 diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c index d7f41db7322cbcb4..8d2ab440a1c8ee4a 100644 --- a/tools/perf/util/header.c +++ b/tools/perf/util/header.c @@ -1481,8 +1481,10 @@ static int memory_node__read(struct memory_node *n, = unsigned long idx) =20 static void memory_node__delete_nodes(struct memory_node *nodesp, u64 cnt) { - for (u64 i =3D 0; i < cnt; i++) + for (u64 i =3D 0; i < cnt; i++) { bitmap_free(nodesp[i].set); + nodesp[i].set =3D NULL; + } =20 free(nodesp); } diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c index 8012301d3cf2ac9a..ee3ebdf53e15291e 100644 --- a/tools/perf/util/mmap.c +++ b/tools/perf/util/mmap.c @@ -239,6 +239,7 @@ static void perf_mmap__aio_munmap(struct mmap *map __ma= ybe_unused) void mmap__munmap(struct mmap *map) { bitmap_free(map->affinity_mask.bits); + map->affinity_mask.bits =3D NULL; =20 zstd_fini(&map->zstd_data); =20 --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 587791EE7B7; Mon, 8 Jun 2026 01:31:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882312; cv=none; b=Ow5rXZPDVAf1f2zB8+xqc97Zvy7sEbuMzoCZ/k6coN4KaMvM3p4GDVVimeE9msiem4HRHFow5O5AnmugyRFQ7HcaNGJlwk8oLY8ufpRbO5Yu6kVpSbthFHLdFR5DMa7CD/VArAv4KwNGPjHBbYqGxskUPKXTAbRCt+vW5gB4r3k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882312; c=relaxed/simple; bh=qhpSzTUfr2WSNk9SxgeFUVJPjncBg9uJYUKWVkl83uw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=L+ePVUrEH1O/UkJ8A7Nz77b91goPIZFUDgtGNWG0fuXgGQN7G6Wa2c5MsI/1Q2RYyfyShxRzXxGIRP8UhzUOds0cMTHIjTtNl7q8lT+R3nqndlHS/cgmiVeNtEOzWdaUjLT7yCHDCxNQJeWIMR9s1c+bo2Wt8Tq68xhYULnPrwk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PtJJ1A4q; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PtJJ1A4q" Received: by smtp.kernel.org (Postfix) with ESMTPSA id F10C41F00893; Mon, 8 Jun 2026 01:31:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882310; bh=icuMweHg4yiYHwVQmznZP7hOig5bW5Sk7HaFwrdrijw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=PtJJ1A4qLDfI6wvyGHd/qwlDbv01ogCD3tenIb7o/sbH7O7ftx1UEMzRZvkjq//9d FKykZhaVZhQ6ITAWyRskIWBH9+RAhSwuhTUuw1tvmPmti5re/+ACLRGeOWUBPJ3WAy RgX4YP2kc/cpUtXeJp7DoKC4wzRh7YoBAuunBObxwtneWVh/dJo7oI1j16MHiMlBPV o6FQ7G9qhkV+DqBzEs6P5UOYIr5XXAf+Pg+VcUPJfxHA9Xz8Xret0UNVY/I9EzGZb4 hn8wQVFazsWWkf4l07PW1RbByy0OrY2BNxrgc8UHCxVsj4hAJ2mqbeEpys+uhDaBkf OmEHeme01r+VA== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Yang Jihong , "Claude Opus 4.6" Subject: [PATCH 06/11] perf sched: Bounds-check prio before test_bit() in timehist Date: Sun, 7 Jun 2026 22:30:50 -0300 Message-ID: <20260608013057.1942953-7-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo timehist_skip_sample() reads prio from untrusted tracepoint data via perf_sample__intval(sample, "prev_prio") without bounds validation. A crafted perf.data with prev_prio >=3D MAX_PRIO (140) causes test_bit() to read past the end of the prio_bitmap, which is only MAX_PRIO bits. Add a prio >=3D 0 && prio < MAX_PRIO check before the test_bit() call. This also makes the !=3D -1 sentinel check explicit as >=3D 0. Fixes: 9b3a48bbe20d9692 ("perf sched timehist: Add --prio option") Reported-by: sashiko-bot Cc: Yang Jihong Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/lib/perf/TODO | 7 +++++++ tools/perf/builtin-sched.c | 4 +++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/lib/perf/TODO b/tools/lib/perf/TODO index 486dd95dc57208a8..1a3644aa1f38dde4 100644 --- a/tools/lib/perf/TODO +++ b/tools/lib/perf/TODO @@ -11,6 +11,13 @@ together. (x86_64 max is 8192, arm64 is 4096), but NR_CPUS limits keep growing. perf clamps to INT16_MAX in set_max_cpu_num() as a safety net. + - Code simplification: the int16_t forces defensive truncation + checks at every boundary where a wider CPU index (int from + sample->cpu, al->cpu, etc.) is narrowed into struct perf_cpu. + Without these checks, values > 32767 silently wrap to small + positive numbers, bypassing bounds validation. Widening to int + eliminates this entire class of silent truncation bugs and + removes the need for the INT16_MAX clamp in set_max_cpu_num(). - Scope: struct perf_cpu is embedded everywhere =E2=80=94 perf_cpu_map_= _cpu(), perf_cpu_map__min(), perf_cpu_map__max(), perf_cpu_map__has(), the for_each_cpu macros, and all internal callers. The perf_cpu_map diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index 1ff01f03d2ad1ad3..ded511d8518803a0 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -2645,7 +2645,9 @@ static bool timehist_skip_sample(struct perf_sched *s= ched, else if (evsel__name_is(sample->evsel, "sched:sched_switch")) prio =3D perf_sample__intval(sample, "prev_prio"); =20 - if (prio !=3D -1 && !test_bit(prio, sched->prio_bitmap)) { + /* prio comes from untrusted tracepoint data =E2=80=94 bounds-check befo= re test_bit */ + if (prio >=3D 0 && + (prio >=3D MAX_PRIO || !test_bit(prio, sched->prio_bitmap))) { rc =3D true; sched->skipped_samples++; } --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8D3B2F5A06; Mon, 8 Jun 2026 01:32:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882322; cv=none; b=sfDUSXtzhipUn1kP1IqOudv6bkBjg99v72Bd0Xg1BcWDFEDIkYPWnlFyOFOTXTnE42mhKjp1a1nSMYkZpPtydHUM6bgmwr//OWs40diXh5E6d+1Al4rl/yQ62RKtAADDPSeFZnqdekgU7P56RQrYXMLVwn3edq3qxtzCkTEBgrk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882322; c=relaxed/simple; bh=B6dyFLxN/0OWhF6b9zkvbGQgIWPWizl2ci9AOKR9bYQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=EOqOvG4lHXaot2rf+n2h2zVsrie3kCpsv4ziNDbqcEjde7hQGw7cprgJhUKMeNnrenrwYW0z7kgaNmNTekpxSttAK0Oh33TmsNcm3PyEjKedAH1ig202GDsqNrXMVNQLisMPFCKG+XbbpiccZFuTDmhVahgG42ezS2T+PvGkx1s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=EIF94HpV; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="EIF94HpV" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7D0DF1F00893; Mon, 8 Jun 2026 01:31:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882321; bh=w4Ux0WLWBUbFl2E+Iwv35lwtNI615EbPsu51cw49gYI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=EIF94HpVhlWFyM/NAFgdzU74NXi7f4RPTg8SW8zGiO0ZPrddmht30InO5kxEolc9W r2idRvlB+PoRHxmo8LwOtVB3Y12L+sfST3B93qhisNx/jCujeUqrxnXjwfbB75pQXl eKBVqOqcJpAPgHSNi0gDJ7I1Wu91bXgZQEfDU0Hgk45rRWO84RdzkxTgZLQs0GJMjx BvjsuRRrEojQrrz7lwNEaccrhoZEWUMb6G3npUd95YTEThN/ccbV1+lR7jBXKkvRoC 2z2l/PJWyGSyhZfEc4u7t0jTJQb/3gluvfyhJdwumbYnt3IIkh92By4gi3GXcRgjgq sUEszIQd9hDCQ== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 07/11] perf sched: Fix idle-hist callchain display using wrong rb_first variant Date: Sun, 7 Jun 2026 22:30:51 -0300 Message-ID: <20260608013057.1942953-8-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Arnaldo Carvalho de Melo timehist_print_idlehist_callchain() calls rb_first_cached() on sorted_root, but the sort function (callchain_param.sort) populates it via rb_insert_color() on the plain rb_root member =E2=80=94 not the cached variant. This means rb_leftmost is never set, so rb_first_cached() always returns NULL and the entire callchain summary is silently dropped from --idle-hist output. Use rb_first(&root->rb_root) to match how the tree was populated. Fixes: ba957ebb54893aca ("perf sched timehist: Show callchains for idle sta= t") Reported-by: sashiko-bot Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/builtin-sched.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c index ded511d8518803a0..85f11d388392d316 100644 --- a/tools/perf/builtin-sched.c +++ b/tools/perf/builtin-sched.c @@ -3130,7 +3130,8 @@ static size_t timehist_print_idlehist_callchain(struc= t rb_root_cached *root) size_t ret =3D 0; FILE *fp =3D stdout; struct callchain_node *chain; - struct rb_node *rb_node =3D rb_first_cached(root); + /* sort() uses rb_insert_color() on rb_root, not rb_root_cached */ + struct rb_node *rb_node =3D rb_first(&root->rb_root); =20 printf(" %16s %8s %s\n", "Idle time (msec)", "Count", "Callchains"); printf(" %.16s %.8s %.50s\n", graph_dotted_line, graph_dotted_line, --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1993B265CA8; Mon, 8 Jun 2026 01:32:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882333; cv=none; b=BVcXK3KMbrY61fXFwdjfB+FqbMHXWbKLXGBqaFfxB7ADZ9TF3e0C38EXADeZI5uxnrxFc2fviGo4r8Zm46wCLhBlkpChvzq026zW/uG7uvRQz3BYgplYbkqhU2PN+Wy22YzHVMQqEEhAgPCc0AZO9tNVNhZa8ucQtQJ3+oVc3E4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882333; c=relaxed/simple; bh=GmlkmpwNEIyUNU99GBS/vYd9JNh9cxHwCEU0fxnK4Jo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Mc4kUawHzqr6ivofqP3wW+L9O+L3v6It/EUlAYbPoQtAvuSrAWU56+IWug8eUGd45uB5qjfKkpV8t9KBoQM56CDgCCOftVJ+LojkXJMxxCHRC6X0zyB5hHBcykbkmzwGIJr4YKOrTPU8OwaU/VJC02SfnzideAXGxyo17XTBPx0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=F1yiFee/; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="F1yiFee/" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B84E11F00898; Mon, 8 Jun 2026 01:32:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882331; bh=xsbh6otPSU9/W94kKgL0+/butihCxeIySCs04NABBLg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=F1yiFee/PO/WY6A4sDweE15OOHnjptXFbHxvIa5myPCqmEBF8URselIa1gM+o4+4a 1iU+5Fcx40ehXkulzjbANGfnv+70PBzc2HoClQCxA7gMBYFj/sErii9OtnEFgSyL5j tIKd+uv4wpJ+JKjLomvNiR1zZ5CzohBjWFFKVJFnMcjUeYBwaKmXf0/+nIp4I3kyZo wysNQmhYZN9BgHZwwCoWlPQd3+H401J/yMSGfdmfeq11S0+ISG6PGaC51KixyRl+0M 22oljxlcinSWEzLctEKjmI2DJGBDZqpvj+uzcq0NawFi+1FiuIBiXuCl21mGOBfywx S7SQqG8MLz1Nw== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 08/11] perf tools: Add O_CLOEXEC to open() calls in DSO and ELF code Date: Sun, 7 Jun 2026 22:30:52 -0300 Message-ID: <20260608013057.1942953-9-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo open() calls in dso.c and symbol-elf.c omit O_CLOEXEC, which leaks file descriptors to child processes spawned during symbol resolution (e.g., addr2line, objdump). This can exhaust the fd limit during long profiling sessions or when processing many DSOs. Add O_CLOEXEC to all open() calls in both files (12 call sites). Fixes: cdd059d731eeb466 ("perf tools: Move dso_* related functions into dso= object") Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c") Reported-by: sashiko-bot Cc: Jiri Olsa Cc: Namhyung Kim Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/dso.c | 4 ++-- tools/perf/util/symbol-elf.c | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c index 7dced896c64eafd7..fb2e78fe2aa8eb94 100644 --- a/tools/perf/util/dso.c +++ b/tools/perf/util/dso.c @@ -344,7 +344,7 @@ int filename__decompress(const char *name, char *pathna= me, * descriptor to the uncompressed file. */ if (!compressions[comp].is_compressed(name)) - return open(name, O_RDONLY); + return open(name, O_RDONLY | O_CLOEXEC); =20 fd =3D mkstemp(tmpbuf); if (fd < 0) { @@ -1911,7 +1911,7 @@ static const u8 *__dso__read_symbol(struct dso *dso, = const char *symfs_filename, int saved_errno; =20 nsinfo__mountns_enter(dso__nsinfo(dso), &nsc); - fd =3D open(symfs_filename, O_RDONLY); + fd =3D open(symfs_filename, O_RDONLY | O_CLOEXEC); saved_errno =3D errno; nsinfo__mountns_exit(&nsc); if (fd < 0) { diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c index 186e6d92ac3d7742..c2bdfd0003df2abe 100644 --- a/tools/perf/util/symbol-elf.c +++ b/tools/perf/util/symbol-elf.c @@ -217,7 +217,7 @@ bool filename__has_section(const char *filename, const = char *sec) GElf_Shdr shdr; bool found =3D false; =20 - fd =3D open(filename, O_RDONLY); + fd =3D open(filename, O_RDONLY | O_CLOEXEC); if (fd < 0) return false; =20 @@ -872,7 +872,7 @@ static int read_build_id(const char *filename, struct b= uild_id *bid) if (size < BUILD_ID_SIZE) goto out; =20 - fd =3D open(filename, O_RDONLY); + fd =3D open(filename, O_RDONLY | O_CLOEXEC); if (fd < 0) goto out; =20 @@ -935,7 +935,7 @@ int sysfs__read_build_id(const char *filename, struct b= uild_id *bid) size_t size =3D sizeof(bid->data); int fd, err =3D -1; =20 - fd =3D open(filename, O_RDONLY); + fd =3D open(filename, O_RDONLY | O_CLOEXEC); if (fd < 0) goto out; =20 @@ -995,7 +995,7 @@ int filename__read_debuglink(const char *filename, char= *debuglink, if (err >=3D 0) goto out; =20 - fd =3D open(filename, O_RDONLY); + fd =3D open(filename, O_RDONLY | O_CLOEXEC); if (fd < 0) goto out; =20 @@ -1153,7 +1153,7 @@ int symsrc__init(struct symsrc *ss, struct dso *dso, = const char *name, =20 type =3D dso__symtab_type(dso); } else { - fd =3D open(name, O_RDONLY); + fd =3D open(name, O_RDONLY | O_CLOEXEC); if (fd < 0) { *dso__load_errno(dso) =3D errno; return -1; @@ -1952,7 +1952,7 @@ static int kcore__open(struct kcore *kcore, const cha= r *filename) { GElf_Ehdr *ehdr; =20 - kcore->fd =3D open(filename, O_RDONLY); + kcore->fd =3D open(filename, O_RDONLY | O_CLOEXEC); if (kcore->fd =3D=3D -1) return -1; =20 @@ -1985,7 +1985,7 @@ static int kcore__init(struct kcore *kcore, char *fil= ename, int elfclass, if (temp) kcore->fd =3D mkstemp(filename); else - kcore->fd =3D open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400); + kcore->fd =3D open(filename, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 04= 00); if (kcore->fd =3D=3D -1) return -1; =20 @@ -2461,11 +2461,11 @@ static int kcore_copy__compare_files(const char *fr= om_filename, { int from, to, err =3D -1; =20 - from =3D open(from_filename, O_RDONLY); + from =3D open(from_filename, O_RDONLY | O_CLOEXEC); if (from < 0) return -1; =20 - to =3D open(to_filename, O_RDONLY); + to =3D open(to_filename, O_RDONLY | O_CLOEXEC); if (to < 0) goto out_close_from; =20 @@ -2883,7 +2883,7 @@ int get_sdt_note_list(struct list_head *head, const c= har *target) Elf *elf; int fd, ret; =20 - fd =3D open(target, O_RDONLY); + fd =3D open(target, O_RDONLY | O_CLOEXEC); if (fd < 0) return -EBADF; =20 --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F375C2F5A06; Mon, 8 Jun 2026 01:32:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882342; cv=none; b=UEgegnRx+7oxTyx/My6IfPj5W08RCMGpZa7f7elHCzuvuDpC2pk9NJ6v5OPtOgq4iaaDWk13FD/cWW2MyD2QVo3rpzo1bUWSHZX5X/kipdKNLggHK2NEN/AsBVrpDKyRbnCulK84Q0LRJJC/xBWdxP6sbdF0y0cCMDzND/07zFc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882342; c=relaxed/simple; bh=RgxiUMC4Gg5WEF6siaaurrn4gvKK0Ztv89csTlsz4Vc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Db8I24l1KPyJ1orI/ejGlTWOeQt8xflAUMC798OYxeX4kvM7yygp9e/D/q0r2nTzIGGbBi64ydQcdmESiYvApzh12TA9dGUVvR3OdTeSnvcoVSZdidvInOqEelz107N7kjDzq+AT4oYIXLcK2UrcW99rcA7W0jAL8luUNWdBRTk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aQ/U14M2; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aQ/U14M2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8E86D1F00893; Mon, 8 Jun 2026 01:32:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882341; bh=6pMIQ8hAJLYUSx6puyBFNWmCE2bhbXzI8u3T+QlW98w=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=aQ/U14M2+cE68AabdyJMR8v7ttWIb5IINt/Ho0YLBEE3B1HaNzCCTqTJC00zba8rU 82L2uk8HBDa5fsQZT8cnENMiqAwyTvb3sJPR3xyE66UIJjVO09Pf90LVav3l5UW3MN i+zXdfv2QptHFbtlfhh+XylnPxEHiiHF+EoYBiKTF4awnQjs7e36hDdcKSXREQyM1o QBCKM0Lk10fweMR8XYrgiDURgwAFtgJivsuhtXpEtuxFybUHAt4roY0l4oSRVKotj8 5QM0wBPPtaTeMDzsfxp7GS0tagYfR6/fEucn4QpaZ/wrxqKOzreTQ0qT03l44roeK2 z9yaWhq+I1sXg== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , Song Liu , "Claude Opus 4.6" Subject: [PATCH 09/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name() Date: Sun, 7 Jun 2026 22:30:53 -0300 Message-ID: <20260608013057.1942953-10-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo Both functions accumulate formatted output via ret +=3D snprintf(buf + ret, size - ret, ...). If the buffer is too small and snprintf() returns more than the remaining space, ret exceeds size and the next 'size - ret' underflows, causing snprintf() to write past the buffer end. Switch to scnprintf() which returns the actual number of bytes written, making the accumulation safe. Fixes: 7b612e291a5affb1 ("perf tools: Synthesize PERF_RECORD_* for loaded B= PF programs") Reported-by: sashiko-bot Cc: Song Liu Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/bpf-event.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c index a27945c279efb779..2c09842469f1f28c 100644 --- a/tools/perf/util/bpf-event.c +++ b/tools/perf/util/bpf-event.c @@ -36,7 +36,7 @@ static int snprintf_hex(char *buf, size_t size, unsigned = char *data, size_t len) size_t i; =20 for (i =3D 0; i < len; i++) - ret +=3D snprintf(buf + ret, size - ret, "%02x", data[i]); + ret +=3D scnprintf(buf + ret, size - ret, "%02x", data[i]); return ret; } =20 @@ -140,7 +140,7 @@ static int synthesize_bpf_prog_name(char *buf, int size, const struct btf_type *t; int name_len; =20 - name_len =3D snprintf(buf, size, "bpf_prog_"); + name_len =3D scnprintf(buf, size, "bpf_prog_"); name_len +=3D snprintf_hex(buf + name_len, size - name_len, prog_tags[sub_id], BPF_TAG_SIZE); if (btf) { @@ -153,9 +153,10 @@ static int synthesize_bpf_prog_name(char *buf, int siz= e, short_name =3D info->name; } else short_name =3D "F"; - if (short_name) - name_len +=3D snprintf(buf + name_len, size - name_len, - "_%s", short_name); + if (short_name) { + name_len +=3D scnprintf(buf + name_len, size - name_len, + "_%s", short_name); + } return name_len; } =20 --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D23572FFFA4; Mon, 8 Jun 2026 01:32:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882354; cv=none; b=bQ+oUyNW0qQEvadxtAH1NvbHski2oiIqV0xNxa5n+6fiRiK82qJWV5mTnZO+Mv0NSdaOeeau7xHdYyUtjro9rEsjSpqHOl1YRBCowlLsYz/t9nhHnwSWx5w6Ot6Sb/8ziV+kjKI4WFg7+zcriok6HSMoBxQmXgaA+9mpy+GC914= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882354; c=relaxed/simple; bh=yzpqRp1KXXDtRZ3nmlG1tbtU+tGkMKMkq+qmu7cRbFE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=o8cTasuvn1WwgAoFup+aBfglmxM7bKYOGICzNiJHpkleBjHru4gBPTia5EF+AM0uQdKa2nufn6vW0Lmm1CSLO+FdxqXNt0ue7Zh6EwpCy7CT951sC4OUw6TV95P6UPEc9yDbJaxOMRNfM16WduUVO1bTqcki+o1mre7AVhPnMXI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AsUYF/GX; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AsUYF/GX" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B2E751F00898; Mon, 8 Jun 2026 01:32:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882353; bh=mb2YK/7aZ7ZZv5PM4t9lUCtnKOmzQa+WV7ppgUYJCqI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=AsUYF/GXLh5J3ergfsE/4lolHbBJAy3gHbbrXl8BBJy8e/S4BlNNYXy0F6BiO7S22 wlqXI/JScpBR8VQVO7tZ5wB4wI/Wqja9xEk7G0Uxtw67+jzwT4HVIfY1yvkO6mRGT6 KIl/HXmxDcMTEZ42NDdhAqnKwH1AYLPEihkmmNBQ1V8b42ifWJvB/UYOPUuIvsKC/a Xsz+EX9VBMWhqjpD9Zg8LKm/WT48D4gTwjUaBJWHqRQJB5xJu9kw/XGbLsF2YK++df MiYMgamG5hFewzacOGGbCElKSj+M3f5DCtNRep4IDgNpqcovxwfWvLfdFaqBEXQhd4 ycMTA3w5vYxeg== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 10/11] perf hists: Fix snprintf() in hists__scnprintf_title() UID filter path Date: Sun, 7 Jun 2026 22:30:54 -0300 Message-ID: <20260608013057.1942953-11-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo hists__scnprintf_title() accumulates formatted output into a buffer using scnprintf() for all filter clauses except the UID filter, which uses snprintf(). If the buffer fills up and snprintf() returns more than the remaining space, printed exceeds size and the next 'size - printed' underflows, causing later scnprintf() calls to write past the buffer. Switch the UID filter clause to scnprintf() to match the rest of the function. Fixes: 25c312dbf88ca402 ("perf hists: Move hists__scnprintf_title() away fr= om the TUI code") Reported-by: sashiko-bot Cc: Arnaldo Carvalho de Melo Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/hist.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c index 811d68fa6770c5b7..df978c996b6c2262 100644 --- a/tools/perf/util/hist.c +++ b/tools/perf/util/hist.c @@ -2963,9 +2963,10 @@ int __hists__scnprintf_title(struct hists *hists, ch= ar *bf, size_t size, bool sh ev_name, sample_freq_str, enable_ref ? ref : " ", nr_events); =20 =20 - if (hists->uid_filter_str) - printed +=3D snprintf(bf + printed, size - printed, - ", UID: %s", hists->uid_filter_str); + if (hists->uid_filter_str) { + printed +=3D scnprintf(bf + printed, size - printed, + ", UID: %s", hists->uid_filter_str); + } if (thread) { if (hists__has(hists, thread)) { printed +=3D scnprintf(bf + printed, size - printed, --=20 2.54.0 From nobody Mon Jun 8 04:24:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5BA52FF672; Mon, 8 Jun 2026 01:32:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882363; cv=none; b=gSvg2K7JcwXwc3M0KSRhe8odLQHpLq7y5MCH3RmVAhYDAnZEAdUKNycVs8DWKW1OCNAbMZNSk+g2PoIVqnPIP5e38WGzuhFYWT9Q25Da839oQHGY3F9bQrZEklThEpgT11mufbH6l+J4Y+KNXciUF8hEZd0G+p5qxQ1fLZd9wK0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780882363; c=relaxed/simple; bh=pztbD3iX3pd/KugXnN4XjAccZtUYB6eLIx5zr1pj1X4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=aptjqoiZ1Ps/i5PqzHWcp4Hh9JpeVujv4uSXtlu46g3gW8ou1AhJUMGZrdwgWV83b+zJRM4vgAP55xOa5aTBLOajdgs4/1C0r6epFhrJ1U6S6gdGg3iWhpz3aUOO9Ik5C8cPxYcjOTnEHW1krR/Bp0QplysPlnHAVgw6b54cgT4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PanchjKr; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PanchjKr" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 562CF1F00893; Mon, 8 Jun 2026 01:32:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780882362; bh=vJrjz18WP9YOQVzzuYUbzW7bbrjWzAs6Y8JS41ckrzw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=PanchjKrWbxEKsw3/+lBei8PMyInExfAPwQ0cLNJjXu68pB4k7+koAKTEYCOLMGOw 8+KYJTcaYkT5EyVoPkN9FwofmhmEA5uEj4Ucq0qzLuZVoar9IGLYCmivT9ey9XFAmn yn9IA2KjbezSBAmeQmJwPWL79/NSLd5sl5CaLWBvdRJpCyNOC8KZY+b5FuLIzGr+VR jMa6T5STjKpO/ct2A/rN4WpMQNnUWOCk81TjrGA2Bx69QSUFRBXTNwSHFuQJpMcD2y KSRF3vDHTM3N1F6Ke7IbPvFKBRb01jDAz/m7szD2WiME9Cy+CO+j4F5QJiohNBunKw sBAyeIlT9+CTw== From: Arnaldo Carvalho de Melo To: Namhyung Kim Cc: Ingo Molnar , Thomas Gleixner , James Clark , Jiri Olsa , Ian Rogers , Adrian Hunter , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo , sashiko-bot , "Claude Opus 4.6" Subject: [PATCH 11/11] perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events() Date: Sun, 7 Jun 2026 22:30:55 -0300 Message-ID: <20260608013057.1942953-12-acme@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260608013057.1942953-1-acme@kernel.org> References: <20260608013057.1942953-1-acme@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Arnaldo Carvalho de Melo build_id__snprintf() and hwmon_pmu__read_events() accumulate formatted output via snprintf(), which returns the would-have-been-written count on truncation. In build_id__snprintf(), this inflates the return value beyond the buffer size. In hwmon_pmu__read_events(), len overshoots out_buf_len and the next 'out_buf_len - len' underflows. Switch both to scnprintf() which returns actual bytes written. Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprin= tf") Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events fr= om hwmon in sysfs") Reported-by: sashiko-bot Cc: Ian Rogers Assisted-by: Claude Opus 4.6 Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/build-id.c | 2 +- tools/perf/util/hwmon_pmu.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c index 8c0a9ae932aa5798..a3b92108f96263c6 100644 --- a/tools/perf/util/build-id.c +++ b/tools/perf/util/build-id.c @@ -94,7 +94,7 @@ int build_id__snprintf(const struct build_id *build_id, c= har *bf, size_t bf_size } =20 for (size_t i =3D 0; i < build_id->size && offs < bf_size; ++i) - offs +=3D snprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]); + offs +=3D scnprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]= ); =20 return offs; } diff --git a/tools/perf/util/hwmon_pmu.c b/tools/perf/util/hwmon_pmu.c index fb3ffa8d32ad2a93..dbf6a71af47f9a42 100644 --- a/tools/perf/util/hwmon_pmu.c +++ b/tools/perf/util/hwmon_pmu.c @@ -442,12 +442,12 @@ static size_t hwmon_pmu__describe_items(struct hwmon_= pmu *hwm, char *out_buf, si =20 buf[read_len] =3D '\0'; val =3D strtoll(buf, /*endptr=3D*/NULL, 10); - len +=3D snprintf(out_buf + len, out_buf_len - len, "%s%s%s=3D%g%s", - len =3D=3D 0 ? " " : ", ", - hwmon_item_strs[bit], - is_alarm ? "_alarm" : "", - (double)val / 1000.0, - hwmon_units[key.type]); + len +=3D scnprintf(out_buf + len, out_buf_len - len, "%s%s%s=3D%g%s", + len =3D=3D 0 ? " " : ", ", + hwmon_item_strs[bit], + is_alarm ? "_alarm" : "", + (double)val / 1000.0, + hwmon_units[key.type]); } close(fd); } --=20 2.54.0