From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: [PATCH v1 0/7] perf tools: Fix NULL derefs, OOB reads, use-after-free, and memory leaks
Date: Sat, 6 Jun 2026 17:05:52 -0300
Message-ID: <20260606200601.1861227-1-acme@kernel.org>
Hi,
Fifth batch of pre-existing bugs found by sashiko-bot during AI-assisted
review of the perf-data-validation hardening series. All are independent
of that series -- they are latent bugs in surrounding code exposed during
review.
1. perf_mmap__aio_mmap() sets nr_cblocks before allocating arrays.
If calloc() fails, cleanup dereferences NULL map->aio.data.
2. env->cpu can be NULL when reading old-format perf.data that
predates topology info (process_cpu_topology() frees it while
nr_cpus_avail remains set). The six topology aggregation
callbacks in builtin-stat.c dereference NULL. Introduces
perf_env__get_cpu_topology() accessor with the NULL/bounds guard.
3. he__get_c2c_hists() error path frees hists without clearing
c2c_he->hists. Teardown finds the dangling pointer and calls
hists__delete_entries() on freed memory.
4. cpu2y() indexes topology_map[] without bounds check. Also fixes
str_to_bitmap() where perf_cpu_map__new("") returns cpu.cpu == -1,
bypassing the signed >= nr_cpus check and calling __set_bit(-1, ...).
5. set_max_cpu_num() assigns sysfs CPU count to int16_t max_cpu_num
without clamping. Systems with >32767 possible CPUs silently
truncate to negative, causing undersized allocations. Also makes
max_present_cpu_num clamp consistently instead of erroring.
6. free_idle_threads() calls free() on the thread priv without
deep-freeing callchain cursor nodes or callchain root entries
allocated during --idle-hist processing. Introduces
callchain_cursor_cleanup() for the cursor node linked list.
7. Documents the struct perf_cpu int16_t limitation as a libperf
ABI constraint, and creates tools/lib/perf/TODO to collect
items that require a future ABI bump.
All require crafted or unusual perf.data inputs to trigger (except
patch 6 which is a memory leak on normal --idle-hist runs, and patch 7
which is documentation only).
Verified with gcc and clang builds, checkpatch, and perf test.
Arnaldo Carvalho de Melo (7):
perf mmap: Fix NULL deref in aio cleanup on alloc failure
perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu
perf c2c: Fix use-after-free in he__get_c2c_hists() error path
perf timechart: Fix cpu2y() OOB read on untrusted CPU index
perf tools: Fix int16_t truncation of max_cpu_num in set_max_cpu_num()
perf sched: Free callchain nodes in idle thread cleanup
libperf: Document struct perf_cpu int16_t ABI limitation
tools/lib/perf/TODO | 22 ++++++++++++++++
tools/lib/perf/include/perf/cpumap.h | 8 +++++-
tools/perf/builtin-c2c.c | 1 +
tools/perf/builtin-sched.c | 5 +++-
tools/perf/builtin-stat.c | 51 ++++++++++++++++++++----------------
tools/perf/util/callchain.c | 15 +++++++++++
tools/perf/util/callchain.h | 1 +
tools/perf/util/cpumap.c | 21 ++++++++++++---
tools/perf/util/env.h | 14 ++++++++++
tools/perf/util/mmap.c | 10 ++++---
tools/perf/util/svghelper.c | 10 ++++---
11 files changed, 121 insertions(+), 37 deletions(-)
create mode 100644 tools/lib/perf/TODO
Developed with AI assistance (Claude/sashiko), tagged in commits.
Thanks,
- Arnaldo
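The int16_t narrowing and the one-sided signed bounds test behind items 2, 4 and 5 of the cover letter, as an added C example that models the described checks and is not the series' own code (perf_cpu here, get_cpu_topology, lookup_socket and the socket table are constructed stand-ins for the perf/libperf structures):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed models of the checks in items 2, 4 and 5 of the cover
 * letter, not perf or libperf source. perf_cpu.cpu is int16_t in libperf. */
struct perf_cpu { int16_t cpu; };

/* Item 5, the bug: a sysfs CPU count narrowed straight into int16_t. On
 * two's-complement targets a count above 32767 wraps negative, so later
 * allocations sized from it come out undersized. */
static int16_t truncated_cpu_num(long sysfs_count)
{
	return (int16_t)sysfs_count;
}

/* Item 5, the fix: clamp before narrowing; a negative input (sysfs read
 * failure) is passed through as the -1 error marker. */
static int16_t clamped_cpu_num(long sysfs_count)
{
	if (sysfs_count < 0)
		return -1;
	return sysfs_count > INT16_MAX ? INT16_MAX : (int16_t)sysfs_count;
}

/* Item 4, the bug: a lone signed ">= nr" test does not reject -1, the
 * value an empty CPU map yields, so __set_bit(-1, ...) stayed reachable. */
static bool weak_index_rejects(int nr_cpus, struct perf_cpu cpu)
{
	return cpu.cpu >= nr_cpus;
}

/* Items 2 and 4, the fix: an accessor that tolerates a freed (NULL) table
 * and rejects negative as well as too-large indices. */
static const int *get_cpu_topology(const int *tbl, int nr, struct perf_cpu cpu)
{
	if (!tbl || nr <= 0)
		return NULL;
	if (cpu.cpu < 0 || cpu.cpu >= nr)
		return NULL;
	return &tbl[cpu.cpu];
}

/* Constructed four-CPU socket table standing in for env->cpu; returns the
 * socket id, or -1 when the accessor refuses the index. */
static int lookup_socket(int16_t idx)
{
	static const int socket_of_cpu[4] = { 0, 0, 1, 1 };
	const int *p = get_cpu_topology(socket_of_cpu, 4, (struct perf_cpu){ .cpu = idx });
	return p ? *p : -1;
}
```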