From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 79CB739A074;
	Mon,  8 Jun 2026 20:18:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949886; cv=none;
 b=SKyI6L+eKCVwqhiydb4AkZdrFEWVvxbTkk4lmPJj+QHbNxo0tmU/nPP3iC4/O6rdRLsbDPx4epFsxfKtrzVA51v2uN6iEELmcK6J5hicgS0dSzSmyULA/eq2O6F1/eZmKhB2TNS7JDqkpGa/pDLLbe3VwSMfieeJllwS1YJsn84=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949886; c=relaxed/simple;
	bh=5VWP2TekBIjJm70E0VzMP3ju0hgOjK8Wt8W8C1t9uZs=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=HM7e8a8ndEruOjz7fw5Ol7f98PbL6Qgsdt2JV2KeRAZCSaPP7dPs0isY+lNRl3aOZD+aPbAPVL0Iy0fKomfKi+m/pDc+1OXMEU5SrNqlhfKwW1ojG/8GaunfIlANUwdxB3OZqpuAQSDEjJtNgruAMOFgrH8EUMNT7LMHXH3v6Z8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=fynMTwlL; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="fynMTwlL"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB86F1F00893;
	Mon,  8 Jun 2026 20:18:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949884;
	bh=R5WxjEJlqlEk6iV+ivR2s+nGEBp270wPJyGXkOmIs10=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=fynMTwlL1moNGwxc7F16l1JkI/514mGV79oDLfpvYraGNBUcS30KCTogTtmX3BDXt
	 9kLYktb00UBKEWKGUoWoAXMXrq7OdXTn5AVAkf/MnfyJBfKVVieOfQ8ibZTkmgFG6o
	 dkhpl/DkrHwPYaSJxYYh9sJhJOS31gGgXEo4Z58hq/STg2D7qMAlKbYLVoX/Yvo3d1
	 TmaJLd5IxsQ9gbkPFQSjn5delP8q4TDEdTTW6nBr6XDARImb9mxzTxYSrQLqnECrQv
	 zCbzKjCXfIv/0AQ+hQ4wzLNPSAq0jM4sGZwF9pVaKh4OMu7JZt4J2V+2+VH3D+NYKz
	 ohR4TdiDTcstA==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Don Zickus <dzickus@redhat.com>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty
 sysfs file
Date: Mon,  8 Jun 2026 17:17:41 -0300
Message-ID: <20260608201753.1979464-2-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Arnaldo Carvalho de Melo <acme@redhat.com>

get_max_num() reads a sysfs file (cpu/possible, cpu/present, or
node/possible) and scans backward from the end to find the last
number.  If the file is empty, filename__read_str() returns num =3D=3D 0.
The loop `while (--num)` decrements the size_t from 0 to SIZE_MAX,
reading backward across the heap until a comma or hyphen is found
or unmapped memory is hit.

Add an early return for empty files before the backward scan.

Fixes: 7780c25bae59fd04 ("perf tools: Allow ability to map cpus to nodes ea=
sily")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/cpumap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 21fa781b03cc7409..1fab00ec4a59a0c7 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -448,6 +448,12 @@ static int get_max_num(char *path, int *max)
=20
 	buf[num] =3D '\0';
=20
+	/* empty file =E2=80=94 nothing to parse */
+	if (num =3D=3D 0) {
+		err =3D -1;
+		goto out;
+	}
+
 	/* start on the right, to find highest node num */
 	while (--num) {
 		if ((buf[num] =3D=3D ',') || (buf[num] =3D=3D '-')) {
--=20
2.54.0

From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 722E93E9C36;
	Mon,  8 Jun 2026 20:18:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949891; cv=none;
 b=hbK4Hqq0AML5mVmNxI0XaMz13ZxUiwigA0X3F9dzQGlF+8pH0GEysdAoUQ5inan6qzj2877YTIjtWFFhjlLyxUz+Fc15JYUVnW6E6Qtl59elOGtDGgaBd3QE3SJj2jPyZfG7yyc8kzvOLWo+84SyPvrUYHGQPZvW8UeJXPVQn3A=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949891; c=relaxed/simple;
	bh=8oP7hB9MDt6oG1Hv7KYLG/CmRoOreb6KJ/kW2XKBrzc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=EQ8ggdztf/aiYJc+hUmZvLMSeZHi6HZ/yGfzmwkKKcXn6FixGVusysY0Hc/ZNIK+en97peqjM+f7H2YxAT1ev9pYqTowBUQrCMzy11FywSj8FWlxvV3BobjAvBF62Xe6jsyyzEI2/lqYqCuEfS1kFsDyHn2DqUFYQmd1Rzs21vE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=XnrYN2Mh; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="XnrYN2Mh"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9A1B21F00898;
	Mon,  8 Jun 2026 20:18:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949887;
	bh=WWjO4YE2PlQ4rvEgx3bcf86O7xkbmHwbGnNMXwpflTU=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=XnrYN2MhjUnjjwm4oWVkwphXa6uiL7IiLRozDIRhlibA7VVM8kJ5AWYnE8xK/y6cQ
	 McSdYox9+gDTIZsLv/yoW20M7MDmWowpSWawBA3OqWig17KSdbiHPfq9Gu2tHHFo8F
	 6AIbvVWxBgs1PN+jVxJRHtYg8HhXIm+RpG9F/kY9AB4Bkkx9Xc4IzgLfAJPSqpr4F6
	 2Qs3M8nGVgJfZmQ6OdhnYeqB8ecoxebxiT3zt1adamHjO91m0osk+YormMln7Z/gyV
	 rA+nx1IMMCRfa6NGXPmu3hqnFA8pXatvuwUK3Q3hyYRLAdDk6xjAQ0VPtd+KbSVJ5z
	 4E/sAb7oXSNBg==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 02/11] perf tools: Use scnprintf() in cpu_map__snprint() to
 prevent overflow
Date: Mon,  8 Jun 2026 17:17:42 -0300
Message-ID: <20260608201753.1979464-3-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

cpu_map__snprint() accumulates snprintf() return values in ret.
snprintf() returns the number of characters that *would have been
written* on truncation, not the actual count.  When a fragmented CPU
list exceeds the buffer, ret grows past size, causing `size - ret` to
underflow (both are size_t), and subsequent snprintf() calls write
past the end of the caller's stack buffer.

Switch to scnprintf() which returns the actual number of characters
written, making ret accumulation safe by construction.

Fixes: a24020e6b7cf6eb8 ("perf tools: Change cpu_map__fprintf output")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/cpumap.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 1fab00ec4a59a0c7..23ebe9b97f8e58af 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -692,21 +692,21 @@ size_t cpu_map__snprint(struct perf_cpu_map *map, cha=
r *buf, size_t size)
 		if (start =3D=3D -1) {
 			start =3D i;
 			if (last) {
-				ret +=3D snprintf(buf + ret, size - ret,
-						"%s%d", COMMA,
-						perf_cpu_map__cpu(map, i).cpu);
+				ret +=3D scnprintf(buf + ret, size - ret,
+						 "%s%d", COMMA,
+						 perf_cpu_map__cpu(map, i).cpu);
 			}
 		} else if (((i - start) !=3D (cpu.cpu - perf_cpu_map__cpu(map, start).cp=
u)) || last) {
 			int end =3D i - 1;
=20
 			if (start =3D=3D end) {
-				ret +=3D snprintf(buf + ret, size - ret,
-						"%s%d", COMMA,
-						perf_cpu_map__cpu(map, start).cpu);
+				ret +=3D scnprintf(buf + ret, size - ret,
+						 "%s%d", COMMA,
+						 perf_cpu_map__cpu(map, start).cpu);
 			} else {
-				ret +=3D snprintf(buf + ret, size - ret,
-						"%s%d-%d", COMMA,
-						perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu);
+				ret +=3D scnprintf(buf + ret, size - ret,
+						 "%s%d-%d", COMMA,
+						 perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu);
 			}
 			first =3D false;
 			start =3D i;
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C94D43EA971;
	Mon,  8 Jun 2026 20:18:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949893; cv=none;
 b=MGk2lh0JWAaUxk5suRcE7aJ1jftTWGVatEA87JEylUXCMtNRJZvh7vtdUrt/bdW4pV1/BJOZdW/BHlg0Itz/YYnH/THNqJ1atwA9vb7qi9W5nkGDdCXOSTvOqvxaT9XnTtHgqDqBostL1GGoVDZHNyp8ZlUAP4fO2IDUfiNuNls=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949893; c=relaxed/simple;
	bh=/ffXGm9Kksyrvg3z29g+RicPxKBRm9uriEFUyItqHQ0=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=lZoCbXYsHSKyo90RXZl9k83XY2TuCRq8/x8RMlC43Zx2mKtZAKVYiWAn8ub148OixX8eEofLlm41+LX8+GAr1FW9BSVS4Dv7hI2IZWO152GSTfUM4Hhf9SkgXalMmGfx/Qv53Zwq94aq8fdxOqD5HequYYfbH4v61lMD4p5lT1E=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=RNK271rc; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="RNK271rc"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4C9531F00893;
	Mon,  8 Jun 2026 20:18:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949891;
	bh=JsgcVWDK/PGVV9Sj8BFVXWjYMfU3D46Fs8NDI43aCo0=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=RNK271rcrTN/AQnx37uo5OV0CBA419kt2RZfqbz5IeEvGzaD8T0Fyi3uTPV3G3HN/
	 VG4h3SFvWipz6k3LwA0ZFuN0gvkuwSOQcDrRQ44cw+RJcmCQljNTbwhGCdy1QaaHgr
	 hfQy3hA4tlrKvuSIORFYGiVPLiBnaLqkAOwGlkF7M6FPzwYa8+OqLsHv5EP7QYqExc
	 RBGFK2jSrZ16tNhlPVk/HVA8nb1IsWP5ZqXVzcpYA0Nde/DG3muS0rmITscV5Ii5ax
	 kYlUsZYD3aDyV5yqVw+x07Ya827XGcRomPF2UDygr3s5JHmsxG+BC2sh8pTA5eUVFH
	 5FP4cfJA6n3oA==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Kan Liang <kan.liang@intel.com>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 03/11] perf tools: Use perf_env__get_cpu_topology() in
 machine__resolve()
Date: Mon,  8 Jun 2026 17:17:43 -0300
Message-ID: <20260608201753.1979464-4-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

machine__resolve() accesses env->cpu[al->cpu].socket_id after checking
al->cpu >=3D 0 and env->cpu !=3D NULL, but without validating al->cpu
against env->nr_cpus_avail.  Since al->cpu comes from the untrusted
perf.data sample, a crafted file with a large CPU index causes an
out-of-bounds heap read.

Use perf_env__get_cpu_topology() which validates both NULL and bounds.

Fixes: 0c4c4debb0adda4c ("perf tools: Add processor socket info to hist_ent=
ry and addr_location")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/event.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
index 66f4843bb235df53..001db00be1073ad4 100644
--- a/tools/perf/util/event.c
+++ b/tools/perf/util/event.c
@@ -14,6 +14,7 @@
 #include <linux/perf_event.h>
 #include "cpumap.h"
 #include "dso.h"
+#include "env.h"
 #include "event.h"
 #include "debug.h"
 #include "hist.h"
@@ -836,8 +837,14 @@ int machine__resolve(struct machine *machine, struct a=
ddr_location *al,
 	if (al->cpu >=3D 0) {
 		struct perf_env *env =3D machine->env;
=20
-		if (env && env->cpu)
-			al->socket =3D env->cpu[al->cpu].socket_id;
+		/* bounds-check before truncating to struct perf_cpu (int16_t) */
+		if (env && al->cpu < env->nr_cpus_avail) {
+			struct cpu_topology_map *topo;
+
+			topo =3D perf_env__get_cpu_topology(env, (struct perf_cpu){ al->cpu });
+			if (topo)
+				al->socket =3D topo->socket_id;
+		}
 	}
=20
 	/* Account for possible out-of-order switch events. */
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E26BF3EA97B;
	Mon,  8 Jun 2026 20:18:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949897; cv=none;
 b=ojmnvqbfjrxiVj7ABrcasNg8KFCjMLZTmr2iuwKU4L9X1HfLvHPjaF2FYgQ3VqzUYM/PzE09zIt9PwD7s96/mtaruRLIUotolWcn3wT5PoTY6GOQK/BZcUJLgoUHBbeqNgQf8jRTD/+Q+69iye5dLZq2NNBcrVXUKMcEuq484AY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949897; c=relaxed/simple;
	bh=D+Btd+P6P6EBYT1bld6K9EDJrGmjb0z1SMMuJwJq++g=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=lQEsGzThkXDEqmI2cx+QD9NrZDyMTZslIBhclnXILyJVtuXt2+WI4G6cnyUjJHd4DJAkhD7ns72wp/tEckNNCwKMG3x2/3wYNyP98H5ox7nyziskr75k5WrCwhDK6Ht00cCi3XqiCelPCVd4K7bc0kOuATIw7Zk8xbXoOrWqGUk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=Ussl6iws; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="Ussl6iws"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 194DB1F00899;
	Mon,  8 Jun 2026 20:18:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949895;
	bh=f3AaD08Djt7PRBkkv9nm5JBCOTC6JVj0r+NCWl5MIkQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=Ussl6iws/ODqNeG6LXxvtbdcWn53U+c0P0Cwj8ppKzakf+KpuJ5kOFbtTUTkjkW2t
	 92Cskk2h5gFdsYWGunuxgVzoaBQuFc6vpOyA5PLRgBkgyVpeFLFNrGK0O4sB2I921C
	 YDqxkM128+RaRq/m5B9cZqnPvwJviMow8OmqNWApb58gaA1FgPoAR1mxtaoT1nIc8T
	 GPm6B6eduR1qERh+F2Z0jKiehsBGx0B+ZhpPRIuNxDuMp4qOWFVOGz5pyo27/VrHrr
	 qoWjpzfXjGm3wj4S0qUj09zmnUjkM3c0yVG6vzAQ1M6jJigj2lvsO+41on16zuUdid
	 fJTMntKEXABdw==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Alexey Budankov <alexey.budankov@linux.intel.com>,
	Alexey Bayduraev <alexey.v.bayduraev@linux.intel.com>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 04/11] perf tools: NULL bitmap pointers after bitmap_free()
Date: Mon,  8 Jun 2026 17:17:44 -0300
Message-ID: <20260608201753.1979464-5-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

Two call sites free bitmaps without NULLing the pointer, risking
double-free if the structure is reused or cleanup is called twice:

 - mmap__munmap():                 map->affinity_mask.bits
 - record__mmap_cpu_mask_free():   mask->bits

Set each pointer to NULL after bitmap_free().

Fixes: 8384a2600c7ddfc8 ("perf record: Adapt affinity to machines with #CPU=
s > 1K")
Fixes: f466e5ed6c356d1d ("perf record: Extend --threads command line option=
")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Alexey Bayduraev <alexey.v.bayduraev@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/builtin-record.c | 1 +
 tools/perf/util/mmap.c      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
index a33c78f030d91012..e915390556752b9e 100644
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -3084,6 +3084,7 @@ static int record__mmap_cpu_mask_alloc(struct mmap_cp=
u_mask *mask, int nr_bits)
 static void record__mmap_cpu_mask_free(struct mmap_cpu_mask *mask)
 {
 	bitmap_free(mask->bits);
+	mask->bits =3D NULL;
 	mask->nbits =3D 0;
 }
=20
diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c
index d64aec6c7c843e81..c6bd4c37d50ee57e 100644
--- a/tools/perf/util/mmap.c
+++ b/tools/perf/util/mmap.c
@@ -238,6 +238,7 @@ static void perf_mmap__aio_munmap(struct mmap *map __ma=
ybe_unused)
 void mmap__munmap(struct mmap *map)
 {
 	bitmap_free(map->affinity_mask.bits);
+	map->affinity_mask.bits =3D NULL;
=20
 	zstd_fini(&map->zstd_data);
=20
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F4F03EB7FD;
	Mon,  8 Jun 2026 20:18:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949901; cv=none;
 b=LDDr5J2sHU9oPu6J0ZEARFFBmzelxiUhyv16YsM789guaY3qOaPolpunMKv2kM4uHWUZHtg5i+1qQTvjaApKnaieGg3jtl6ajwfK0BpM2Tmzi7bXh7JRb9amSGW4RuYjiLAKYz82DL/CYoOsHxukP0hzDu4Q95Wo1bCEa4d3YxI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949901; c=relaxed/simple;
	bh=uE/y55Y4wO9VpI0s7KbodScVan8Bdc0fQaM+gMPhY5Q=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=AFYVASw/kYNb3ksWBz0exXuB0+fwFr7G3x9tdTNL/nOL7bAJJqDvdofy53ZPajl1et/OKH7zFrIo936N1zqZZXkPSyKZNuSL4wMdpkAGez+Z6aMbgxia6O5iCFH1j9Q3BPuT3O3ipC77kZeDh7S3nMlD08mKyOZLY5IyGKC3OZM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=MwzcYhrC; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="MwzcYhrC"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 385A11F00898;
	Mon,  8 Jun 2026 20:18:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949899;
	bh=T4MMV1Jcr0EJugKy/vIYVVm9jYSiXjL1itCdJjdxmSc=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=MwzcYhrCBWqEntt0U+epJft5ZTpQYPHG3Z+lRRkyadjTmZ0SZi+BrA8zOrMCOQf2j
	 pK1NZuLMS2LxAC5ErRpZcPCdnlKiGKBHQCQG0+OrpdvF++A/RJWaQ0XRUzQIQlkDIa
	 a+gc2TF+XdkMXvzxAFbDk6l2P7XopQnS4hxrstPqTpv5NHk9lwmtGtSnebWz08LNmD
	 uYuknZRrfqpOXCyvrOJiAWSzZIuu4NXGtoqChNmquz65OKNBZVmmi0gz9nqfo1X7e0
	 7gjQCqS6V8cQFaS2sZOLjv1KlrO4saO7m6vi8iycgGDx+GGXJlSmHWW22cait5thaS
	 yQP6Ibf6nAMqQ==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Yang Jihong <yangjihong@bytedance.com>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 05/11] perf sched: Bounds-check prio before test_bit() in
 timehist
Date: Mon,  8 Jun 2026 17:17:45 -0300
Message-ID: <20260608201753.1979464-6-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Arnaldo Carvalho de Melo <acme@redhat.com>

timehist_skip_sample() reads prio from untrusted tracepoint data via
perf_sample__intval(sample, "prev_prio") without bounds validation.
A crafted perf.data with prev_prio >=3D MAX_PRIO (140) causes test_bit()
to read past the end of the prio_bitmap, which is only MAX_PRIO bits.

Add a prio >=3D 0 && prio < MAX_PRIO check before the test_bit() call.
This also makes the !=3D -1 sentinel check explicit as >=3D 0.

Fixes: 9b3a48bbe20d9692 ("perf sched timehist: Add --prio option")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Yang Jihong <yangjihong@bytedance.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/builtin-sched.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 1ff01f03d2ad1ad3..ded511d8518803a0 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -2645,7 +2645,9 @@ static bool timehist_skip_sample(struct perf_sched *s=
ched,
 		else if (evsel__name_is(sample->evsel, "sched:sched_switch"))
 			prio =3D perf_sample__intval(sample, "prev_prio");
=20
-		if (prio !=3D -1 && !test_bit(prio, sched->prio_bitmap)) {
+		/* prio comes from untrusted tracepoint data =E2=80=94 bounds-check befo=
re test_bit */
+		if (prio >=3D 0 &&
+		    (prio >=3D MAX_PRIO || !test_bit(prio, sched->prio_bitmap))) {
 			rc =3D true;
 			sched->skipped_samples++;
 		}
--=20
2.54.0

From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D52313A9615;
	Mon,  8 Jun 2026 20:18:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949904; cv=none;
 b=N+MtgII0LM+bvfDrv/b88UuctVNDd8bwAlo724t18xq2ICFvnqO84ra6O7586dOumwH0atvDkBZJ8yqP/SZXPzj+z5jXivtqTlYGzb7xSb08o/5UvWZD+nzfjJTxI5Cew8+7/eDi7AxFlbfFJVHy4d8jm+yxkjR7u6d25YH6Cuk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949904; c=relaxed/simple;
	bh=GXEDCBl+bN1a4zMPkClDUbibNaQ50EoaRRLssS1jg2E=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=c1bm7fxuy0616eUc7zD3Ha49361USKB1UzUS8FfSgR9lkN6x5HhJx7jIyYcIo1aEK0nxgnmpeD0Xs6SXMqe2h5GQfK50fI+byTEdI2pFyerNCPwx2WTH06Tf1QdukKAmlgffofH0KX6dMutQXeYP2VGDOIkJSZnTvIKrp9OvPtc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=lylruMK/; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="lylruMK/"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2EBD91F00899;
	Mon,  8 Jun 2026 20:18:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949903;
	bh=Cs6jyL7mNP1mOsQffemH7BARrW+I13IL52Pz+ofnTkA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=lylruMK/8I+r+LZ/yz7SYKW7XK82cg0WlH/YK1yZVusz1HMM2LuzVJsSyonAmLssf
	 rWtc5fGuDxDs2k5p8Iu0DUB3gYmJKtK4YYKWJpkZ8Yd3hkMJRlYxdBrxpOKgoF8uVg
	 p1OdoMduyWGZUTf48Z6mV+ryoa2lJnsyudFOf7UiKp1Zmr+RZ9mvKdJNdTq6lCiqqu
	 y5n1HV0wOmZ+NYfBhISJp4c+M6K8VMG7huMVq4Yr34PL8VRDSy+1CJT/6EcKIdUpsk
	 wonsRvPhbiu20rQ47SCNF+KAVddbiizXyxTNPqhExCJAznorye/z0UKgGz5G46+8LB
	 u3As/onCPbGtg==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Davidlohr Bueso <dave@stgolabs.net>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 06/11] perf sched: Fix idle-hist callchain display using wrong
 rb_first variant
Date: Mon,  8 Jun 2026 17:17:46 -0300
Message-ID: <20260608201753.1979464-7-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Arnaldo Carvalho de Melo <acme@redhat.com>

timehist_print_idlehist_callchain() calls rb_first_cached() on
sorted_root, but the sort function (callchain_param.sort) populates it
via rb_insert_color() on the plain rb_root member =E2=80=94 not the cached
variant.  This means rb_leftmost is never set, so rb_first_cached()
always returns NULL and the entire callchain summary is silently
dropped from --idle-hist output.

The original code in ba957ebb54893aca ("perf sched timehist: Show
callchains for idle stat") was correct =E2=80=94 it used struct rb_root and
rb_first().  The bug was introduced when sorted_root was converted to
rb_root_cached without converting the sort insertion path to use
rb_insert_color_cached().

Use rb_first(&root->rb_root) to match how the tree was populated.

Fixes: cb4c13a5137766c3 ("perf sched: Use cached rbtrees")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Ian Rogers <irogers@google.com>
---
 tools/perf/builtin-sched.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index ded511d8518803a0..85f11d388392d316 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -3130,7 +3130,8 @@ static size_t timehist_print_idlehist_callchain(struc=
t rb_root_cached *root)
 	size_t ret =3D 0;
 	FILE *fp =3D stdout;
 	struct callchain_node *chain;
-	struct rb_node *rb_node =3D rb_first_cached(root);
+	/* sort() uses rb_insert_color() on rb_root, not rb_root_cached */
+	struct rb_node *rb_node =3D rb_first(&root->rb_root);
=20
 	printf("  %16s  %8s  %s\n", "Idle time (msec)", "Count", "Callchains");
 	printf("  %.16s  %.8s  %.50s\n", graph_dotted_line, graph_dotted_line,
--=20
2.54.0

From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 21BB63E95AE;
	Mon,  8 Jun 2026 20:18:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949908; cv=none;
 b=mlysVF6I09ycQIbzL4lsrFAQYvvQFg1h8EiKKlqTzzMfar5aZA3xqwealpusz2wEIu+eMiA0O/225RwzAZXasQHoGJJn6pbAvzUp/2OWHCiFifDAz0a7i8I6egaG9FF2K2yrvXzwVafap1eKU8AJf3q/ROyT/1QQyobPpr5Sq7c=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949908; c=relaxed/simple;
	bh=GmlkmpwNEIyUNU99GBS/vYd9JNh9cxHwCEU0fxnK4Jo=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=P6Dc9ll8PLot4yCIya/auDuwf88LGuLmublZq9yrIOJmlClYNIFTJA0sYmf6xNwqXnM4R9t2VIH9JYBjJ/fCkDBUhSEiFqmf7tK6UGPkTs28+dY8x/iGelJYPPRjAfIjdDAohlnlrPJ6c7OBo4lNFVNFxG96X+gxMX27TtxlxdA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=nwD5GIP+; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="nwD5GIP+"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E01451F00898;
	Mon,  8 Jun 2026 20:18:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949907;
	bh=xsbh6otPSU9/W94kKgL0+/butihCxeIySCs04NABBLg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=nwD5GIP+sDgLiRThGe94tE6xig6zzDXXRpqLKLPvTjaIex69wAFtHm5LLz7ZLWSjJ
	 huJsB1Wfv30D2GUMdPh7MpGTWdK3wXqmVs+etmzwSMKG7+JC0MXphOSg+10cAQvAWK
	 gH3Mnbn+d5ZmUOzfieQBRQ1Ap/1XKVCEYrmIJn0RXEnQXFcqUVQzswznyu9DI+ksJ2
	 w9GAtQ7F6BUptoNPI64GopJgvTig5xXhbwZUkfIGREnrCIXABpTTM36GED+xSt7v7y
	 x8IbTRgAfHQVVIimeHueUdVYEz30VO830ofhoIJVTsflifT4tjEGlsU8gzg0p8ri+O
	 r8ZLSMXDzv3pQ==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 07/11] perf tools: Add O_CLOEXEC to open() calls in DSO and
 ELF code
Date: Mon,  8 Jun 2026 17:17:47 -0300
Message-ID: <20260608201753.1979464-8-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

open() calls in dso.c and symbol-elf.c omit O_CLOEXEC, which leaks
file descriptors to child processes spawned during symbol resolution
(e.g., addr2line, objdump).  This can exhaust the fd limit during
long profiling sessions or when processing many DSOs.

Add O_CLOEXEC to all open() calls in both files (12 call sites).

Fixes: cdd059d731eeb466 ("perf tools: Move dso_* related functions into dso=
 object")
Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/dso.c        |  4 ++--
 tools/perf/util/symbol-elf.c | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
index 7dced896c64eafd7..fb2e78fe2aa8eb94 100644
--- a/tools/perf/util/dso.c
+++ b/tools/perf/util/dso.c
@@ -344,7 +344,7 @@ int filename__decompress(const char *name, char *pathna=
me,
 	 * descriptor to the uncompressed file.
 	 */
 	if (!compressions[comp].is_compressed(name))
-		return open(name, O_RDONLY);
+		return open(name, O_RDONLY | O_CLOEXEC);
=20
 	fd =3D mkstemp(tmpbuf);
 	if (fd < 0) {
@@ -1911,7 +1911,7 @@ static const u8 *__dso__read_symbol(struct dso *dso, =
const char *symfs_filename,
 	int saved_errno;
=20
 	nsinfo__mountns_enter(dso__nsinfo(dso), &nsc);
-	fd =3D open(symfs_filename, O_RDONLY);
+	fd =3D open(symfs_filename, O_RDONLY | O_CLOEXEC);
 	saved_errno =3D errno;
 	nsinfo__mountns_exit(&nsc);
 	if (fd < 0) {
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 186e6d92ac3d7742..c2bdfd0003df2abe 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -217,7 +217,7 @@ bool filename__has_section(const char *filename, const =
char *sec)
 	GElf_Shdr shdr;
 	bool found =3D false;
=20
-	fd =3D open(filename, O_RDONLY);
+	fd =3D open(filename, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return false;
=20
@@ -872,7 +872,7 @@ static int read_build_id(const char *filename, struct b=
uild_id *bid)
 	if (size < BUILD_ID_SIZE)
 		goto out;
=20
-	fd =3D open(filename, O_RDONLY);
+	fd =3D open(filename, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		goto out;
=20
@@ -935,7 +935,7 @@ int sysfs__read_build_id(const char *filename, struct b=
uild_id *bid)
 	size_t size =3D sizeof(bid->data);
 	int fd, err =3D -1;
=20
-	fd =3D open(filename, O_RDONLY);
+	fd =3D open(filename, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		goto out;
=20
@@ -995,7 +995,7 @@ int filename__read_debuglink(const char *filename, char=
 *debuglink,
 	if (err >=3D 0)
 		goto out;
=20
-	fd =3D open(filename, O_RDONLY);
+	fd =3D open(filename, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		goto out;
=20
@@ -1153,7 +1153,7 @@ int symsrc__init(struct symsrc *ss, struct dso *dso, =
const char *name,
=20
 		type =3D dso__symtab_type(dso);
 	} else {
-		fd =3D open(name, O_RDONLY);
+		fd =3D open(name, O_RDONLY | O_CLOEXEC);
 		if (fd < 0) {
 			*dso__load_errno(dso) =3D errno;
 			return -1;
@@ -1952,7 +1952,7 @@ static int kcore__open(struct kcore *kcore, const cha=
r *filename)
 {
 	GElf_Ehdr *ehdr;
=20
-	kcore->fd =3D open(filename, O_RDONLY);
+	kcore->fd =3D open(filename, O_RDONLY | O_CLOEXEC);
 	if (kcore->fd =3D=3D -1)
 		return -1;
=20
@@ -1985,7 +1985,7 @@ static int kcore__init(struct kcore *kcore, char *fil=
ename, int elfclass,
 	if (temp)
 		kcore->fd =3D mkstemp(filename);
 	else
-		kcore->fd =3D open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400);
+		kcore->fd =3D open(filename, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 04=
00);
 	if (kcore->fd =3D=3D -1)
 		return -1;
=20
@@ -2461,11 +2461,11 @@ static int kcore_copy__compare_files(const char *fr=
om_filename,
 {
 	int from, to, err =3D -1;
=20
-	from =3D open(from_filename, O_RDONLY);
+	from =3D open(from_filename, O_RDONLY | O_CLOEXEC);
 	if (from < 0)
 		return -1;
=20
-	to =3D open(to_filename, O_RDONLY);
+	to =3D open(to_filename, O_RDONLY | O_CLOEXEC);
 	if (to < 0)
 		goto out_close_from;
=20
@@ -2883,7 +2883,7 @@ int get_sdt_note_list(struct list_head *head, const c=
har *target)
 	Elf *elf;
 	int fd, ret;
=20
-	fd =3D open(target, O_RDONLY);
+	fd =3D open(target, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -EBADF;
=20
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F88A2C11C4;
	Mon,  8 Jun 2026 20:18:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949913; cv=none;
 b=hUtTYPsTBeGawN39b+YTCDfR3MGE5EAx4IvjttiWalYIkxpL/8G+6Xdl61kil1gKwHRoUzzQF/QNJAR6oqZl06h+gLTYpvDzCLaHGcy/iZRj4y3oG+Rw6Je9Gt5fOk3Qo1ieDwU1jlEus7E24cy83o9Zb0RavXTYpOPchjLOV+M=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949913; c=relaxed/simple;
	bh=RgxiUMC4Gg5WEF6siaaurrn4gvKK0Ztv89csTlsz4Vc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=sK85aBCBeb3kxCjvesHNPzNDrvfvj/6bAv8ktVN3uw5nbGX5vP3RTuvitUURcTFy0IVuV8lGpcpmSxVNSOR8iTHvLEsu6+C1aH7pil143CEV/hbHofKcNLRuzqT8fFrCv2VyCKPnJrVs9y5CHcT/LIO77ttugpdnkjCBWERFqBU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=bH7Q/qtw; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="bH7Q/qtw"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8AF141F00899;
	Mon,  8 Jun 2026 20:18:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949911;
	bh=6pMIQ8hAJLYUSx6puyBFNWmCE2bhbXzI8u3T+QlW98w=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=bH7Q/qtw2xoewEu11bEzlRnojNrRvkK+OZa3g6sHTdP64XBgaW/jhpfC2QGo+Biz6
	 SPJNmtLKQDhKPKu+QrJemxqpJayW0SIznri0fvzLxyI0AsLAqq48R/PYSBmDxcJyuv
	 8/ow5XJRVolfo86dZ5dI1pVpZbkdfDg+3qNge23z/y3+k75cTaCMt+S91MbbcijqGP
	 KfL2LqV5w5thRlrCtAyailDVrcjKv1oZFfUTZVI6Cb6c2w/nichk+Etd303ghKUDFY
	 t3EB4zC9tSqH62/MiGtEobaTImIZUVyDY5mjrW3PogHvS/VctZjNlaBCms8rTMpMVG
	 p6D6TEuAhG4FQ==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	Song Liu <song@kernel.org>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 08/11] perf bpf: Use scnprintf() in snprintf_hex() and
 synthesize_bpf_prog_name()
Date: Mon,  8 Jun 2026 17:17:48 -0300
Message-ID: <20260608201753.1979464-9-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

Both functions accumulate formatted output via ret +=3D snprintf(buf + ret,
size - ret, ...).  If the buffer is too small and snprintf() returns more
than the remaining space, ret exceeds size and the next 'size - ret'
underflows, causing snprintf() to write past the buffer end.

Switch to scnprintf() which returns the actual number of bytes written,
making the accumulation safe.

Fixes: 7b612e291a5affb1 ("perf tools: Synthesize PERF_RECORD_* for loaded B=
PF programs")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Song Liu <song@kernel.org>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/bpf-event.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
index a27945c279efb779..2c09842469f1f28c 100644
--- a/tools/perf/util/bpf-event.c
+++ b/tools/perf/util/bpf-event.c
@@ -36,7 +36,7 @@ static int snprintf_hex(char *buf, size_t size, unsigned =
char *data, size_t len)
 	size_t i;
=20
 	for (i =3D 0; i < len; i++)
-		ret +=3D snprintf(buf + ret, size - ret, "%02x", data[i]);
+		ret +=3D scnprintf(buf + ret, size - ret, "%02x", data[i]);
 	return ret;
 }
=20
@@ -140,7 +140,7 @@ static int synthesize_bpf_prog_name(char *buf, int size,
 	const struct btf_type *t;
 	int name_len;
=20
-	name_len =3D snprintf(buf, size, "bpf_prog_");
+	name_len =3D scnprintf(buf, size, "bpf_prog_");
 	name_len +=3D snprintf_hex(buf + name_len, size - name_len,
 				 prog_tags[sub_id], BPF_TAG_SIZE);
 	if (btf) {
@@ -153,9 +153,10 @@ static int synthesize_bpf_prog_name(char *buf, int siz=
e,
 			short_name =3D info->name;
 	} else
 		short_name =3D "F";
-	if (short_name)
-		name_len +=3D snprintf(buf + name_len, size - name_len,
-				     "_%s", short_name);
+	if (short_name) {
+		name_len +=3D scnprintf(buf + name_len, size - name_len,
+				      "_%s", short_name);
+	}
 	return name_len;
 }
=20
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C3B03EE1C4;
	Mon,  8 Jun 2026 20:18:34 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949916; cv=none;
 b=Y+QLBTJDsAbfeGjElLpaDaZE2Ya5zxY9J9Y/ceFTznZLpaJUlEuwr2s4aw0eDiYmsE5+oiH2pi87Zw4f3mbtEuKkOV9vPd2jps8D0BCOjF0Ou3/P3NsOl91aoKPLBYTVcUzskyCt9rVTr0ExN8teX6O/jQVm9UVH4CBJcDYeV6Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949916; c=relaxed/simple;
	bh=yzpqRp1KXXDtRZ3nmlG1tbtU+tGkMKMkq+qmu7cRbFE=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=IwzfAKjXPP/h1/4yZfWAKzpmZd5GQjDREMU2aN/H2JBGEA12rAqMGAViuNKa5vMkVs9vIW850lgcE01c7Wic+s8nAxDSfSI1Xq3bDxMvEAu7PEoP5N7NgI4i8FVeGQm+ar48Pkan6L6ikJBCyYC7/lGDKEv/Y8Rq+LMBbF/Z+UU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=eDOTNTTb; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="eDOTNTTb"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 887DD1F00898;
	Mon,  8 Jun 2026 20:18:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949914;
	bh=mb2YK/7aZ7ZZv5PM4t9lUCtnKOmzQa+WV7ppgUYJCqI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=eDOTNTTbLOStCf8Y3t/nG+1nXV6ZfNm0aQXHOCE6GLiptjXtMXBoJW6qOW2bPEJT6
	 4wi/lQ9MM6fDa6LKWWojQwcTnEBA7ajTJ2XPF5SAY1LsPfkMHJoD0GCqjjmIuBPvrk
	 9cLp7RS9ZSQafQBR+8H8fBJp085pt72T0u0c/Ab8TkoKNZva2NM1vdZyCd79KsNYM0
	 r+nBcgePik4y6py5F0iPWe8Vbz7kAfc8h7aCyN9c/GQG2JE8cTOmDNoLBgz9ju3Rdp
	 eNukdJhHNJ9qJWc1i7IbqAYvZaJOPMp7Uow/vDgdfvgmDrscWQ6BfPoQ8292QAKYud
	 yjcYm2kKLF5BQ==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 09/11] perf hists: Fix snprintf() in hists__scnprintf_title()
 UID filter path
Date: Mon,  8 Jun 2026 17:17:49 -0300
Message-ID: <20260608201753.1979464-10-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

hists__scnprintf_title() accumulates formatted output into a buffer
using scnprintf() for all filter clauses except the UID filter, which
uses snprintf().  If the buffer fills up and snprintf() returns more
than the remaining space, printed exceeds size and the next 'size -
printed' underflows, causing later scnprintf() calls to write past
the buffer.

Switch the UID filter clause to scnprintf() to match the rest of the
function.

Fixes: 25c312dbf88ca402 ("perf hists: Move hists__scnprintf_title() away fr=
om the TUI code")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/hist.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
index 811d68fa6770c5b7..df978c996b6c2262 100644
--- a/tools/perf/util/hist.c
+++ b/tools/perf/util/hist.c
@@ -2963,9 +2963,10 @@ int __hists__scnprintf_title(struct hists *hists, ch=
ar *bf, size_t size, bool sh
 			   ev_name, sample_freq_str, enable_ref ? ref : " ", nr_events);
=20
=20
-	if (hists->uid_filter_str)
-		printed +=3D snprintf(bf + printed, size - printed,
-				    ", UID: %s", hists->uid_filter_str);
+	if (hists->uid_filter_str) {
+		printed +=3D scnprintf(bf + printed, size - printed,
+				     ", UID: %s", hists->uid_filter_str);
+	}
 	if (thread) {
 		if (hists__has(hists, thread)) {
 			printed +=3D scnprintf(bf + printed, size - printed,
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A71E33B14C6;
	Mon,  8 Jun 2026 20:18:38 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949919; cv=none;
 b=pvy+MMDnp2mB6lEpgu55b+6Gpl5qGCkaSrhfGE/FqKN57H6NTCCpYEop6x3Jzqwo0m5D3hcOziYGBPphd0dxTB1uieGQ9R3alehqYR9/pJktD02H7VmljfY9lHO06b5cc+za2OIiPgnzCbVrVzSNLQPGRlUkHzzKRFtrgz306Mk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949919; c=relaxed/simple;
	bh=pztbD3iX3pd/KugXnN4XjAccZtUYB6eLIx5zr1pj1X4=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=q+aHdOX7HjA7/C13/bhq6QcZOpWwyq2lhfonz9+TipdXg/HfBCAPqsiQKFoA4kes4XLUVdq5nmjE3iOatyFQLjCDtIiT88Xm21ztDt4IPM8oM6sNG+In1Hw6ju1wyMZ9+6T4x6PeO0rZEebd6ljfd/Ue86l8yeRt7ZYFCjUvmkw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=HP7+4lmd; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="HP7+4lmd"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2A1551F00899;
	Mon,  8 Jun 2026 20:18:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949918;
	bh=vJrjz18WP9YOQVzzuYUbzW7bbrjWzAs6Y8JS41ckrzw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=HP7+4lmdXH9pu/7aMbDszMELk4LMj6izyqs1MGP0QYX+mhcUc2CjYvsxms2dNpefO
	 I1Xk6PSB+cQr65mLidR1b5IRv+Q+KnHRneCZHJcVLKdUzGM+htE8KeKgKaaSVYJQBm
	 DxIbjf3Wz9CRONZhEo9aoghe4RcyBww21AhpNqiHtecZRtHwgGLWl+eW0SUVriQwXn
	 OyhvYxsY0Q9OY7IuW8cYUpSruLwJ1T2ILanOdyk/5EvppYKJm/hqn3Trp3Pp4HW4lb
	 NfEWdrZe8hXLExQw6204OfPC4nRdOdguhCIOUtP6JbFnwbvzVDYNDnDpq3HBac5Cgv
	 FblWI952ZLM3Q==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	sashiko-bot <sashiko-bot@kernel.org>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 10/11] perf tools: Use scnprintf() in build_id__snprintf() and
 hwmon read_events()
Date: Mon,  8 Jun 2026 17:17:50 -0300
Message-ID: <20260608201753.1979464-11-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Arnaldo Carvalho de Melo <acme@redhat.com>

build_id__snprintf() and hwmon_pmu__read_events() accumulate formatted
output via snprintf(), which returns the would-have-been-written count
on truncation.  In build_id__snprintf(), this inflates the return
value beyond the buffer size.  In hwmon_pmu__read_events(), len
overshoots out_buf_len and the next 'out_buf_len - len' underflows.

Switch both to scnprintf() which returns actual bytes written.

Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprin=
tf")
Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events fr=
om hwmon in sysfs")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/build-id.c  |  2 +-
 tools/perf/util/hwmon_pmu.c | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
index 8c0a9ae932aa5798..a3b92108f96263c6 100644
--- a/tools/perf/util/build-id.c
+++ b/tools/perf/util/build-id.c
@@ -94,7 +94,7 @@ int build_id__snprintf(const struct build_id *build_id, c=
har *bf, size_t bf_size
 	}
=20
 	for (size_t i =3D 0; i < build_id->size && offs < bf_size; ++i)
-		offs +=3D snprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]);
+		offs +=3D scnprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]=
);
=20
 	return offs;
 }
diff --git a/tools/perf/util/hwmon_pmu.c b/tools/perf/util/hwmon_pmu.c
index fb3ffa8d32ad2a93..dbf6a71af47f9a42 100644
--- a/tools/perf/util/hwmon_pmu.c
+++ b/tools/perf/util/hwmon_pmu.c
@@ -442,12 +442,12 @@ static size_t hwmon_pmu__describe_items(struct hwmon_=
pmu *hwm, char *out_buf, si
=20
 				buf[read_len] =3D '\0';
 				val =3D strtoll(buf, /*endptr=3D*/NULL, 10);
-				len +=3D snprintf(out_buf + len, out_buf_len - len, "%s%s%s=3D%g%s",
-						len =3D=3D 0 ? " " : ", ",
-						hwmon_item_strs[bit],
-						is_alarm ? "_alarm" : "",
-						(double)val / 1000.0,
-						hwmon_units[key.type]);
+				len +=3D scnprintf(out_buf + len, out_buf_len - len, "%s%s%s=3D%g%s",
+						 len =3D=3D 0 ? " " : ", ",
+						 hwmon_item_strs[bit],
+						 is_alarm ? "_alarm" : "",
+						 (double)val / 1000.0,
+						 hwmon_units[key.type]);
 			}
 			close(fd);
 		}
--=20
2.54.0
From nobody Thu Jun 25 00:31:11 2026
Received: from smtp.kernel.org
 (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A514D3B1013;
	Mon,  8 Jun 2026 20:18:41 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=100.103.45.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780949922; cv=none;
 b=tfvvDdFbBE9lrHimGzed4+pIQECo13HyJNqpnRQmHas/wkmUgaI8Ch18Xij6MqyX/CuYsEHYzEHkZuPE4w/aQIOoJlTqxFyyORqsMZ6WCiS/JOZhDz7uGlFW5NBt6zKXg4GlwkAs6mTUbX5GC6CBhRXQCpi8xScz/ZtOyClpcPU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780949922; c=relaxed/simple;
	bh=Yxt2oGqbnRLOMT0IaI+YY3WRaZ1CguTk5gpMRDf8Kug=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=ZOElEyDDD6amCYZxXJ/KvwJeGeftryyeSLYLUfKci83WBDfrHxiKuwH+bhxzeoLpzwdQOt0elAyPEt+WTmvC3HxnOfiAGruXajkO9sh+QwikzI2I4J0MXCV5MxiBXABJ8AtsREHQWlH/ztjC96Xltn9gHz9nadcEfFwmgNyNSk8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=gyXnSrUe; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="gyXnSrUe"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B40BE1F00893;
	Mon,  8 Jun 2026 20:18:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780949921;
	bh=9W8x4UTgIbevM4uKCUF+8Jr1ycseFqIZcpnfDeqRiXc=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=gyXnSrUeEGWByGquW/CSpRDp1hUaMrwPW00qaLLjyCFXgQ9W9NscD7fLyuikTgmh4
	 AusOxtSuEraP1KIhX59yy0HvrUWX2F1ZGCS/OnXy6NwERTK2C7ChGoXE3rokUC74RP
	 8vr5RHyjfv230MwfJp0TtTOxhKwjjXNRQk4R8IDalCnm2knQR9rSCv6m5DtHf747y9
	 yt3z0MNhy6eVEh1jFrAFZar+w3M05mQOgxfye0Pv/c1QyDP/xqJPn6uf+kypHSxDVy
	 uyZYB2qTR/SFpPXrfe+wHBMlCv0uoD0XQ9OTcJhDhj6SFOq0VeSYMCr35rzaDEoSGa
	 hyUISCMTuL4/Q==
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	James Clark <james.clark@linaro.org>,
	Jiri Olsa <jolsa@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org,
	Arnaldo Carvalho de Melo <acme@redhat.com>,
	"Claude Opus 4.6" <noreply@anthropic.com>
Subject: [PATCH 11/11] libperf: Document code simplification case for widening
 struct perf_cpu
Date: Mon,  8 Jun 2026 17:17:51 -0300
Message-ID: <20260608201753.1979464-12-acme@kernel.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260608201753.1979464-1-acme@kernel.org>
References: <20260608201753.1979464-1-acme@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Arnaldo Carvalho de Melo <acme@redhat.com>

Add a bullet point to the libperf ABI TODO explaining the code
simplification benefit of widening struct perf_cpu.cpu from int16_t
to int: the narrow type forces defensive truncation checks at every
boundary where wider CPU indices are narrowed, and values > 32767
silently wrap past bounds validation without them.

Cc: Ian Rogers <irogers@google.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/lib/perf/TODO | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/lib/perf/TODO b/tools/lib/perf/TODO
index 486dd95dc57208a8..1a3644aa1f38dde4 100644
--- a/tools/lib/perf/TODO
+++ b/tools/lib/perf/TODO
@@ -11,6 +11,13 @@ together.
      (x86_64 max is 8192, arm64 is 4096), but NR_CPUS limits keep
      growing.  perf clamps to INT16_MAX in set_max_cpu_num() as a
      safety net.
+   - Code simplification: the int16_t forces defensive truncation
+     checks at every boundary where a wider CPU index (int from
+     sample->cpu, al->cpu, etc.) is narrowed into struct perf_cpu.
+     Without these checks, values > 32767 silently wrap to small
+     positive numbers, bypassing bounds validation.  Widening to int
+     eliminates this entire class of silent truncation bugs and
+     removes the need for the INT16_MAX clamp in set_max_cpu_num().
    - Scope: struct perf_cpu is embedded everywhere =E2=80=94 perf_cpu_map_=
_cpu(),
      perf_cpu_map__min(), perf_cpu_map__max(), perf_cpu_map__has(), the
      for_each_cpu macros, and all internal callers.  The perf_cpu_map
--=20
2.54.0