From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 04/13] perf header: Sanity check HEADER_CPU_TOPOLOGY
Date: Fri, 10 Apr 2026 01:14:27 +0000 [thread overview]
Message-ID: <20260410011427.C7864C4CEF7@smtp.kernel.org> (raw)
In-Reply-To: <20260410004000.148138-5-acme@kernel.org>
Sashiko AI review found 1 potential issue(s):
- [High] The patch introduces a deterministic NULL pointer dereference crash on malformed inputs by incorrectly freeing `env->cpu`. The author changed `return -1;` to `goto free_cpu;` (which calls `zfree(&env->cpu)`) under the mistaken assumption that `env->cpu` was leaking.
--
commit 725d6d7d1ccd2df010084b584d9517330e1864ac
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf header: Sanity check HEADER_CPU_TOPOLOGY
This commit adds bounds checking for sibling counts against available
CPUs in the CPU topology header and attempts to prevent a perceived
leak of the env->cpu array on error paths.
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index 2d23dbc666b67..a7df8ed9a69e9 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
[ ... ]
> @@ -2866,6 +2871,12 @@ static int process_cpu_topology(struct feat_fd *ff, void *data __maybe_unused)
> if (do_read_u32(ff, &nr))
> goto free_cpu;
>
> + if (nr > (u32)cpu_nr) {
> + pr_err("Invalid HEADER_CPU_TOPOLOGY: nr_sibling_cores (%u) > nr_cpus_avail (%d)\n",
> + nr, cpu_nr);
> + goto free_cpu;
> + }
> +
[ ... ]
> error:
> strbuf_release(&sb);
> zfree(&str);
> free_cpu:
> zfree(&env->cpu);
> return -1;
> }
Does this zfree() cause a NULL pointer dereference regression on malformed
inputs?
When a parsing error occurs, env->cpu is freed and set to NULL. However,
perf_session__read_header() ignores the error returned by
perf_header__process_sections() and proceeds with the session.
If the session continues, tools like perf stat will later call functions
such as perf_env__get_socket_aggr_by_cpu(), which unconditionally
dereferences env->cpu[cpu.cpu].socket_id.
Was env->cpu actually leaking before this change? It appears to be safely
cleaned up during teardown by perf_env__exit() even if an error is
encountered here.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260410004000.148138-1-acme@kernel.org?part=4
next prev parent reply other threads:[~2026-04-10 1:14 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 0:39 [PATCHES perf-tools-next v1 00/13] Sanity check perf.data headers Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 01/13] perf header: Validate nr_domains when reading HEADER_CPU_DOMAIN_INFO Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 02/13] perf header: Bump up the max number of command line args allowed Arnaldo Carvalho de Melo
2026-04-10 1:08 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 03/13] perf header: Sanity check HEADER_NRCPUS and HEADER_CPU_DOMAIN_INFO Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 04/13] perf header: Sanity check HEADER_CPU_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:14 ` sashiko-bot [this message]
2026-04-10 0:39 ` [PATCH 05/13] perf header: Sanity check HEADER_NUMA_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:04 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 06/13] perf header: Sanity check HEADER_MEM_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:04 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 07/13] perf header: Sanity check HEADER_PMU_MAPPINGS Arnaldo Carvalho de Melo
2026-04-10 1:10 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 08/13] perf header: Sanity check HEADER_GROUP_DESC Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 09/13] perf header: Sanity check HEADER_CACHE Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 10/13] perf header: Sanity check HEADER_HYBRID_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 0:58 ` sashiko-bot
2026-04-10 1:01 ` Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 11/13] perf header: Sanity check HEADER_PMU_CAPS Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 12/13] perf header: Sanity check HEADER_BPF_PROG_INFO Arnaldo Carvalho de Melo
2026-04-10 0:40 ` [PATCH 13/13] perf header: Add sanity checks to HEADER_BPF_BTF processing Arnaldo Carvalho de Melo
2026-04-10 1:30 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260410011427.C7864C4CEF7@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox