From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: [PATCHES v3 00/11] perf tools: Assorted fixes
Date: Mon, 8 Jun 2026 17:17:40 -0300 [thread overview]
Message-ID: <20260608201753.1979464-1-acme@kernel.org> (raw)
From: Arnaldo Carvalho de Melo <acme@redhat.com>
Hi,
Sixth batch of pre-existing bug fixes found by sashiko-bot AI review
during the perf-data-validation hardening series. All bugs are latent
in existing code — none were introduced by the hardening patches.
Three broad categories:
1. snprintf() accumulation overflows (patches 2, 8, 9, 10):
Several functions accumulate formatted output via ret += snprintf().
snprintf() returns the would-have-been-written count, so on truncation
ret overshoots the buffer size and the next 'size - ret' underflows
to a huge unsigned value, disabling bounds checking. Switched to
scnprintf() which returns actual bytes written.
Affected: cpu_map__snprint(), snprintf_hex(),
synthesize_bpf_prog_name(), hists__scnprintf_title(),
build_id__snprintf(), hwmon_pmu__describe_items().
2. Missing safety checks on untrusted data (patches 1, 3, 5, 6):
- get_max_num(): size_t underflow on empty sysfs file causes heap
over-read.
- machine__resolve(): unguarded env->cpu[] access with untrusted
CPU index — switched to perf_env__get_cpu_topology() accessor,
added bounds check before int16_t truncation.
- timehist: test_bit(prio, ...) without bounds check on untrusted
tracepoint priority.
- idle-hist: rb_first_cached() on a tree populated with plain
rb_insert_color() — rb_leftmost never set, callchains silently
dropped.
3. Resource hygiene (patches 4, 7):
- bitmap_free() without NULLing the pointer (2 call sites).
- O_CLOEXEC missing from open() calls in DSO and ELF code
(12 call sites across 2 files).
Also expanded the libperf ABI TODO (tools/lib/perf/TODO) to emphasize
the code simplification argument for widening struct perf_cpu.cpu from
int16_t to int — the narrow type forces defensive truncation checks at
every boundary where wider CPU indices are narrowed.
Arnaldo Carvalho de Melo (10):
perf tools: Fix get_max_num() size_t underflow on empty sysfs file
perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow
perf tools: Use perf_env__get_cpu_topology() in machine__resolve()
perf tools: NULL bitmap pointers after bitmap_free()
perf sched: Bounds-check prio before test_bit() in timehist
perf sched: Fix idle-hist callchain display using wrong rb_first variant
perf tools: Add O_CLOEXEC to open() calls in DSO and ELF code
perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name()
perf hists: Fix snprintf() in hists__scnprintf_title() UID filter path
perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events()
tools/lib/perf/TODO | 7 +++++++
tools/perf/builtin-record.c | 1 +
tools/perf/builtin-sched.c | 7 +++++--
tools/perf/util/bpf-event.c | 11 ++++++-----
tools/perf/util/build-id.c | 2 +-
tools/perf/util/cpumap.c | 24 +++++++++++++++---------
tools/perf/util/dso.c | 4 ++--
tools/perf/util/event.c | 11 +++++++++--
tools/perf/util/hist.c | 7 ++++---
tools/perf/util/hwmon_pmu.c | 12 ++++++------
tools/perf/util/mmap.c | 1 +
tools/perf/util/symbol-elf.c | 20 ++++++++++----------
12 files changed, 67 insertions(+), 40 deletions(-)
Changes since v2:
- Dropped mbind patch (was v2 patch 4): the original code was
correct — get_nodes() does --maxnode before computing
BITS_TO_LONGS, so bitmap_zalloc(node_index + 1) with
maxnode = node_index + 2 already match. The commit message
misstated the kernel-side semantics.
- Patch 3 (machine__resolve): bounds-check al->cpu against
env->nr_cpus_avail before truncating to int16_t struct perf_cpu.
(Found by sashiko-bot lore review)
- Patch 4 (was v2 patch 5, bitmap_free): reworded from "Three
call sites" to "Two call sites" — removed dead store from
memory_node__delete_nodes() where NULLing a pointer right
before freeing the containing struct was useless.
(Found by sashiko-bot lore review)
Changes since v1:
- Patch 5 (was v1 patch 6): fix prio bounds-check logic — the
v1 condition (prio < 0 || prio >= MAX_PRIO || !test_bit(...))
incorrectly skipped events with unknown priority (prio == -1).
Changed to (prio >= 0 && (prio >= MAX_PRIO || !test_bit(...)))
to preserve the original pass-through for events without
priority info.
(Found by sashiko-bot lore review)
Developed with AI assistance (Claude/sashiko), tagged in commits.
Thanks,
- Arnaldo
next reply other threads:[~2026-06-08 20:18 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 20:17 Arnaldo Carvalho de Melo [this message]
2026-06-08 20:17 ` [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file Arnaldo Carvalho de Melo
2026-06-08 20:31 ` sashiko-bot
2026-06-08 21:40 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 02/11] perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow Arnaldo Carvalho de Melo
2026-06-08 21:42 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 03/11] perf tools: Use perf_env__get_cpu_topology() in machine__resolve() Arnaldo Carvalho de Melo
2026-06-08 21:56 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 04/11] perf tools: NULL bitmap pointers after bitmap_free() Arnaldo Carvalho de Melo
2026-06-08 21:58 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 05/11] perf sched: Bounds-check prio before test_bit() in timehist Arnaldo Carvalho de Melo
2026-06-08 21:58 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 06/11] perf sched: Fix idle-hist callchain display using wrong rb_first variant Arnaldo Carvalho de Melo
2026-06-08 21:59 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 07/11] perf tools: Add O_CLOEXEC to open() calls in DSO and ELF code Arnaldo Carvalho de Melo
2026-06-08 20:40 ` sashiko-bot
2026-06-08 22:01 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 08/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-08 20:50 ` sashiko-bot
2026-06-08 22:01 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 09/11] perf hists: Fix snprintf() in hists__scnprintf_title() UID filter path Arnaldo Carvalho de Melo
2026-06-08 22:02 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 10/11] perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events() Arnaldo Carvalho de Melo
2026-06-08 20:50 ` sashiko-bot
2026-06-08 22:03 ` Ian Rogers
2026-06-08 20:17 ` [PATCH 11/11] libperf: Document code simplification case for widening struct perf_cpu Arnaldo Carvalho de Melo
2026-06-08 20:45 ` sashiko-bot
2026-06-08 22:04 ` Ian Rogers
2026-06-08 23:25 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608201753.1979464-1-acme@kernel.org \
--to=acme@kernel.org \
--cc=acme@redhat.com \
--cc=adrian.hunter@intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=tglx@linutronix.de \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.