From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v2] perf data: Clean up use_stdio and structures
Date: Wed, 08 Apr 2026 00:37:31 +0000 [thread overview]
Message-ID: <20260408003731.C6798C116C6@smtp.kernel.org> (raw)
In-Reply-To: <20260408001416.101493-1-irogers@google.com>
Sashiko AI review found 3 potential issue(s):
- [High] Uninitialized `use_stdio` flag in `perf_data__open_dir` leads to undefined behavior and potential segmentation faults.
- [High] `perf_data__seek` triggers an assertion failure when attempting to switch output on a pipe.
- [High] Unchecked `fptr` in `perf_data_file__close` leads to `fclose(NULL)` (segmentation fault) on error paths.
--
commit ec97569bb8fdfc232fc8bacde6d26424b25c9ef5
Author: Ian Rogers <irogers@google.com>
perf data: Clean up use_stdio and structures
use_stdio was associated with struct perf_data and not perf_data_file
meaning there was implicit use of fd rather than fptr that may not be
safe. For example, in perf_data_file__write. Reorganize perf_data_file
to better abstract use_stdio, add kernel-doc and more consistently use
perf_data__ accessors so that use_stdio is better respected.
> diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c
> index 90df41da1a32b..41993dfd6c2bc 100644
> --- a/tools/perf/util/data.c
> +++ b/tools/perf/util/data.c
> @@ -20,18 +20,30 @@
> #include "rlimit.h"
> #include <internal/lib.h>
>
> -static void close_dir(struct perf_data_file *files, int nr)
> +static void perf_data_file__close(struct perf_data_file *file)
> {
> - while (--nr >= 0) {
> - close(files[nr].fd);
> - zfree(&files[nr].path);
> + if (file->use_stdio) {
> + fclose(file->fptr);
Does this need a check for file->fptr != NULL before calling fclose()?
If a tool initializes its output with .file.use_stdio = true and
.file.fptr = NULL (such as inject.output in cmd_inject() when using
--in-place), and an error occurs before the file is fully opened, the error
path jumps to out_close_output and calls perf_data__close(). This blindly
executes fclose(NULL), which will cause a segmentation fault.
Also, since use_stdio is read here, can it contain uninitialized memory?
In perf_data__open_dir(), the files array is dynamically grown using
realloc(files, (nr + 1) * sizeof(*files)). When a new struct perf_data_file
is appended, its path, fd, and size fields are set, but the newly added
use_stdio boolean is never explicitly initialized. Because realloc() does
not zero memory, use_stdio will contain uninitialized heap garbage.
When perf_data__close_dir() iterates over the files to close them via
this function, it reads this garbage flag. If it evaluates to true, the code
incorrectly assumes the file uses stdio and calls fclose(file->fptr). Since
fptr is part of a union with fd (or also garbage), this results in an
arbitrary pointer dereference and a segmentation fault.
[ ... ]
> +off_t perf_data__seek(struct perf_data *data, off_t offset, int whence)
> +{
> + assert(!data->is_pipe);
> + return perf_data_file__seek(&data->file, offset, whence);
> +}
> +
> int perf_data__switch(struct perf_data *data,
> const char *postfix,
> size_t pos, bool at_exit,
> @@ -420,19 +448,18 @@ int perf_data__switch(struct perf_data *data,
> pr_warning("Failed to rename %s to %s\n", data->path, *new_filepath);
>
> if (!at_exit) {
> - close(data->file.fd);
> + perf_data_file__close(&data->file);
> ret = perf_data__open(data);
> if (ret < 0)
> goto out;
>
> - if (lseek(data->file.fd, pos, SEEK_SET) == (off_t)-1) {
> + if (perf_data__seek(data, pos, SEEK_SET) == (off_t)-1) {
Will this assertion crash the tool if a user specifies a pipe for output and
triggers an output switch (e.g., perf record -o - --switch-output)?
When the user triggers an output switch, perf_data__switch() re-opens the
pipe (correctly setting data->is_pipe = true) and then unconditionally calls
perf_data__seek() to restore the offset.
Before this patch, calling lseek() on a pipe simply returned -1 with
errno == ESPIPE and the tool handled the error gracefully. The new assertion
turns this previously handled error into a hard crash that can be reached
directly via user arguments.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260408001416.101493-1-irogers@google.com?part=1
prev parent reply other threads:[~2026-04-08 0:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 0:14 [PATCH v2] perf data: Clean up use_stdio and structures Ian Rogers
2026-04-08 0:37 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408003731.C6798C116C6@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox