Re: [PATCH v8 4/8] perf cs-etm: Use thread-stack for last branch entries

[Leo Yan <leo.yan@arm.com>]

On Thu, Jun 11, 2026 at 05:18:46PM +0000, sashiko-bot@kernel.org wrote:

[...]

> > @@ -1644,8 +1593,11 @@ static int cs_etm__synth_instruction_sample(struct cs_etm_queue *etmq,
> >  
> >  	cs_etm__copy_insn(etmq, tidq, packet, &sample);
> >  
> > -	if (etm->synth_opts.last_branch)
> > +	if (etm->synth_opts.last_branch) {
> > +		thread_stack__br_sample(tidq->frontend_thread, tidq->packet->cpu,
> > +					tidq->last_branch, tidq->br_stack_sz);
> 
> [Severity: Critical]
> This is a pre-existing issue, but calling thread_stack__br_sample() can
> trigger an out-of-bounds write in that function.
> 
> In thread_stack__br_sample(), when copying from the wrapped ring buffer, it
> calculates bounds using nr but ignores it in memcpy:
> 
> 	nr = min(ts->br_stack_pos, sz);
> 	memcpy(be, &src->entries[0], bsz * ts->br_stack_pos);
> 
> If the destination buffer size sz is smaller than ts->br_stack_pos, does the
> memcpy write beyond the allocated bounds for nr elements?

This is a common bug but irrelevant to this series. I will
use a separate patch set to address the issue.

> 
> >  		sample.branch_stack = tidq->last_branch;
> > +	}
> 
> [ ... ]
> 
> > @@ -2020,7 +1956,7 @@ static int cs_etm__flush(struct cs_etm_queue *etmq,
> >  
> >  	/* Reset last branches after flush the trace */
> >  	if (etm->synth_opts.last_branch)
> > -		cs_etm__reset_last_branch_rb(tidq);
> > +		thread_stack__flush(tidq->frontend_thread);

[...]

> [Severity: Medium]
> Looking at thread_stack__flush(), it clears the call stack but does not
> reset the branch stack array (ts->br_stack_pos and ts->br_stack_rb remain
> intact).
> 
> Will this leave stale branch entries from before a trace gap to be prepended
> to the new trace segment?

Seems it should clean up both ts->br_stack_pos and br_stack_rb->nr.
This will be addressed in separate series for fix common code.

Thanks,
Leo