From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: [PATCHES v4 0/9] perf tools: Fix pre-existing bugs in machine, cs-etm, c2c, bpf, and dso
Date: Mon, 15 Jun 2026 23:27:06 -0300 [thread overview]
Message-ID: <20260616022715.5739-1-acme@kernel.org> (raw)
Hi,
Nine more pre-existing bugs found by sashiko-bot during AI-assisted
code review. All are independent of the perf-data-validation hardening
series — they are latent bugs in surrounding code exposed during review.
The fixes are grouped by subsystem:
machine__init() error propagation (patches 1-2):
machine__init() always returns 0 on allocation failure because the
error code is never propagated through the return statement. Callers
(including machines__init() and __machine__new_host()) proceed with a
partially initialized machine struct. The error cleanup also uses
zfree() on refcounted kmaps instead of maps__zput(). Additionally,
machines__findnew() and machines__create_guest_kernel_maps() use
sprintf() with unsanitized guestmount paths that can overflow
PATH_MAX stack buffers.
CoreSight ETM metadata validation (patches 3-5):
cs_etm__process_auxtrace_info_full() reads num_cpu from untrusted
perf.data and uses it directly in a multiplication that can overflow
to zero on 32-bit, producing a zero-sized allocation followed by OOB
writes. The minimum size check in cs_etm__process_auxtrace_info()
doesn't cover the global header fields actually accessed.
cs_etm__get_queue() indexes queue_array[] without bounds checking
the CPU value from untrusted trace payload, and several queue
iteration loops dereference .priv without NULL checks after array
growth zero-initializes new entries.
c2c hist entry leaks (patches 6-7):
When c2c_hists__init() fails, dynamically allocated format structures
are leaked because the error path frees the container without
unregistering them. During resort merges, c2c_he_free() only walks
the output-sorted tree (empty before resort), leaking all inner
hist_entry objects from entries_in_array[] and entries_collapsed.
BPF prog info pointer validation (patch 8):
Several functions cast bpf_prog_info u64 fields to pointers without
checking whether bpil_offs_to_addr() actually converted the file
offsets. A crafted perf.data with PERF_BPIL_* bits unset but non-zero
counts causes raw file offsets to be dereferenced as pointers.
DSO decompression errno (patch 9):
dso__get_filename() sets errno to a negative custom DSO_LOAD_ERRNO
value on decompression failure. __open_dso() computes fd = -errno,
producing a large positive value that looks like a valid fd, causing
close_data_fd() to close an unrelated file descriptor.
Build-tested with gcc and clang. Passes perf test on x86_64.
Changes in v4 (patch 2 only):
- Remove incorrect get_kernel_version() reference from commit
message — that function already uses snprintf() in the baseline
(sashiko-bot).
Changes in v3 (patch 1 only):
- Move perf_env__init() before machines__init() in
__perf_session__new() so the goto out_delete error path doesn't
call perf_env__exit() on uninitialized mutexes/rwlocks
(sashiko-bot).
Changes in v2 (patch 1 only):
- Move dsos__init()/threads__init() before maps__new() so that
machine__exit() is safe to call when machine__init() fails at the
first allocation (sashiko-bot).
- Propagate machines__init() error in aslr_tool__init(), which was
added by the ASLR patches after v1 was written (sashiko-bot).
Arnaldo Carvalho de Melo (9):
perf machine: Propagate machine__init() error to callers
perf machine: Use snprintf() for guestmount path construction
perf cs-etm: Validate num_cpu before metadata allocation
perf cs-etm: Require full global header in auxtrace_info size check
perf cs-etm: Bounds-check CPU in cs_etm__get_queue()
perf c2c: Free format list entries when c2c_hists__init() fails
perf c2c: Fix hist entry and format list leaks in c2c_he_free()
perf bpf: Validate array presence before casting BPF prog info pointers
perf dso: Set standard errno on decompression failure
tools/perf/builtin-c2c.c | 3 ++-
tools/perf/tests/hists_cumulate.c | 3 ++-
tools/perf/tests/hists_filter.c | 3 ++-
tools/perf/tests/hists_link.c | 3 ++-
tools/perf/tests/hists_output.c | 3 ++-
tools/perf/tests/thread-maps-share.c | 2 +-
tools/perf/util/aslr.c | 12 +++++++++---
tools/perf/util/bpf-event.c | 20 ++++++++++++++++---
tools/perf/util/bpf-event.h | 4 ++--
tools/perf/util/cs-etm-base.c | 4 +++-
tools/perf/util/cs-etm.c | 37 ++++++++++++++++++++++++++++++++++--
tools/perf/util/dso.c | 18 +++++++++++++++++-
tools/perf/util/header.c | 3 +--
tools/perf/util/hist.c | 2 +-
tools/perf/util/hist.h | 1 +
tools/perf/util/machine.c | 32 +++++++++++++++++--------------
tools/perf/util/machine.h | 2 +-
tools/perf/util/session.c | 7 ++++---
18 files changed, 120 insertions(+), 39 deletions(-)
Developed with AI assistance (Claude/sashiko), tagged in commits.
Thanks,
- Arnaldo
next reply other threads:[~2026-06-16 2:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 2:27 Arnaldo Carvalho de Melo [this message]
2026-06-16 2:27 ` [PATCH 1/9] perf machine: Propagate machine__init() error to callers Arnaldo Carvalho de Melo
2026-06-16 2:50 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 2/9] perf machine: Use snprintf() for guestmount path construction Arnaldo Carvalho de Melo
2026-06-16 2:40 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 3/9] perf cs-etm: Validate num_cpu before metadata allocation Arnaldo Carvalho de Melo
2026-06-16 2:40 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 4/9] perf cs-etm: Require full global header in auxtrace_info size check Arnaldo Carvalho de Melo
2026-06-16 2:43 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 5/9] perf cs-etm: Bounds-check CPU in cs_etm__get_queue() Arnaldo Carvalho de Melo
2026-06-16 2:48 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 6/9] perf c2c: Free format list entries when c2c_hists__init() fails Arnaldo Carvalho de Melo
2026-06-16 2:27 ` [PATCH 7/9] perf c2c: Fix hist entry and format list leaks in c2c_he_free() Arnaldo Carvalho de Melo
2026-06-16 2:27 ` [PATCH 8/9] perf bpf: Validate array presence before casting BPF prog info pointers Arnaldo Carvalho de Melo
2026-06-16 4:39 ` sashiko-bot
2026-06-16 2:27 ` [PATCH 9/9] perf dso: Set standard errno on decompression failure Arnaldo Carvalho de Melo
2026-06-16 2:44 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616022715.5739-1-acme@kernel.org \
--to=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=tglx@linutronix.de \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox