Linux Perf Users
From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v1 04/12] perf tests: Add robust record retry helper and use subsecond workloads
Date: Tue, 16 Jun 2026 01:38:00 +0000
Message-ID: <20260616013801.0A8351F000E9@smtp.kernel.org>
In-Reply-To: <20260616012744.4049193-5-irogers@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Predictable temporary file path in a world-writable directory allows local privilege escalation via symlink attack.
--

commit c60696a6dd47d2ab5c2a513da9f459f6cbd7d660
Author: Ian Rogers <irogers@google.com>

perf tests: Add robust record retry helper and use subsecond workloads

This commit introduces a retry helper in tests/shell/lib/perf_record.sh to
prevent transient failures during perf record tests. It updates several
existing tests to use this helper and scales durations up if initial runs
fail.

> diff --git a/tools/perf/tests/shell/lib/perf_record.sh b/tools/perf/tests/shell/lib/perf_record.sh
> new file mode 100644
> --- /dev/null
> +++ b/tools/perf/tests/shell/lib/perf_record.sh
> @@ -0,0 +1,47 @@
> +# SPDX-License-Identifier: GPL-2.0
> +
> +perf_record_with_retry() {
[ ... ]
> +  local logfile
> +  logfile="/tmp/__perf_record_retry.$(id -u).$BASHPID.log"

[Severity: High]
Could this predictable filename in a world-writable directory allow a symlink
attack?

Because BASHPID is easily guessable, a local attacker could pre-create a
symlink with this name.

[ ... ]
> +  local duration
> +  local first_run=true
> +  local ret=1
> +  for duration in 0.01 0.1 0.3 1.0 2.0; do
> +    rm -f "${perfdata}" "${perfdata}".old
> +    perf record "$@" -o "${perfdata}" ${testprog_base} ${duration} > "$logfile" 2>&1
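
Review bot: the `> "$logfile"` redirection on the perf record line truncates
the log on every pass of the `for duration in ...` loop, so when a short
duration fails and a longer one is retried, the output of the earlier
attempts is gone and only the last run can be diagnosed. Because the name
assigned to logfile above is a fixed string under /tmp, the same redirection
also opens whatever already exists at that name. Create the file once before
the loop with mktemp, store the result in logfile, and append with
`>> "$logfile"` after writing a per-duration marker line, which addresses
both the predictable name and the lost output in one place.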

Since these tests are often run as root to access performance counters,
could this shell redirection follow the attacker's symlink and overwrite
arbitrary system files?

Using mktemp instead would safely generate and create this temporary file.

[ ... ]
> diff --git a/tools/perf/tests/shell/record.sh b/tools/perf/tests/shell/record.sh
> --- a/tools/perf/tests/shell/record.sh
> +++ b/tools/perf/tests/shell/record.sh
[ ... ]
> +test_uid() {
>    echo "Uid sampling test"
> -  if ! perf record -aB --synth=no --uid "$(id -u)" -o "${perfdata}" ${testprog} \
> -    > "${script_output}" 2>&1
> -  then
> -    if grep -q "libbpf.*EPERM" "${script_output}"
> +  local logfile
> +  logfile="/tmp/__perf_record_retry.$(id -u).$BASHPID.log"
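
Review bot: the `logfile=` assignment in test_uid() rebuilds the helper's log
name from `$(id -u)` and `$BASHPID` instead of receiving it from the helper,
and `$BASHPID` changes in a subshell, so the two names only agree while
test_uid() and perf_record_with_retry() run in the same shell process. The
removed lines wrote to `${script_output}`, a file the caller already names;
letting perf_record_with_retry() take the log path as a parameter (or set a
variable that callers read) would remove the duplicated string and keep any
later check of the log pointed at the file that was actually written.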

[Severity: High]
Does this duplicate the predictable path logic from perf_record_with_retry()?

If the shared helper is updated to use mktemp, this hardcoded path check
in test_uid() will also need to be updated to match the securely generated
filename.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616012744.4049193-1-irogers@google.com?part=4
