[PATCH 1/2] tools/power turbostat: Fix out-of-bounds memory access in thread_data allocation

[PATCH 1/2] tools/power turbostat: Fix out-of-bounds memory access in thread_data allocation

[Zhang Rui]

Turbostat suffers from a critical memory allocation bug that can cause
segmentation faults or silent data corruption.

This is because turbostat uses
1. num_cores * threads_per_core to allocate memory for per thread data
   (threads_per_core is calculated based on online CPU thread siblings,
   resulting in a value of 1 when SMT is inactive)
2. cpu_id to reference the thread data for a given cpu
And then, when SMT is inactive, it is possible that,
	num_cores * threads_per_core < cpu_id of certain online cpus
and this causes out-of-bounds memory access when referencing the thread
data for these CPUs.

For example,  on a 4-core system,
1. the core's are numbered 0,1,2,3
2. the CPU's are numbered 0,1,2,3 and the HT siblings are 4, 5,6,7,
When only CPU0 and CPU7 are online, turbostat allocates thread_data
memory for 4 threads (4 cores * 1 thread_per_core) but references
thread_data[7] for CPU7.

Fix the problem by using topo.max_cpu_num + 1 to represent the total
thread count instead. The topo.max_cpu_num value is derived from the
width of /sys/devices/system/cpu/cpuX/topology/thread_siblings, which
represents all possible CPUs regardless of their online/offline status.
This ensures adequate memory allocation for all potential CPU accesses.

Validated on multiple Intel platforms (ICX/SPR/SRF/EMR/GNR/CWF) with
various CPU online/offline configurations and SMT enabled/disabled
scenarios. No regression or memory access violation observed.

Fixes: a2b4d0f8bf07 ("tools/power turbostat: Favor cpu# over core#")
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
---
 tools/power/x86/turbostat/turbostat.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index 1a2671c28209..ae827485950d 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -9702,13 +9702,12 @@ void allocate_counters(struct counters *counters)
 {
 	int i;
 	int num_cores = topo.cores_per_node * topo.nodes_per_pkg * topo.num_packages;
-	int num_threads = topo.threads_per_core * num_cores;
 
-	counters->threads = calloc(num_threads, sizeof(struct thread_data));
+	counters->threads = calloc(topo.max_cpu_num + 1, sizeof(struct thread_data));
 	if (counters->threads == NULL)
 		goto error;
 
-	for (i = 0; i < num_threads; i++)
+	for (i = 0; i < topo.max_cpu_num + 1; i++)
 		(counters->threads)[i].cpu_id = -1;
 
 	counters->cores = calloc(num_cores, sizeof(struct core_data));
-- 
2.43.0

[PATCH 2/2] tools/power turbostat: Optimize core count calculation and fix naming inconsistency

[Zhang Rui]

The current core counting logic has both naming and efficiency issues.
The variable topo.cores_per_node is misleadingly named since it actually
represents the maximum number of cores per package, not per node. And
the core count calculation is suboptimal and wastes memory.

Rename topo.cores_per_node to topo.cores_per_pkg and improve the system
core count calculation algorithm to avoid memory over-allocation.

Validated on multiple Intel platforms (ICX/SPR/SRF/EMR/GNR/CWF) with
various CPU online/offline configurations and SMT enabled/disabled
scenarios. No functional changes found.

Signed-off-by: Zhang Rui <rui.zhang@intel.com>
---
 tools/power/x86/turbostat/turbostat.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index ae827485950d..ef3059ba07cd 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -2409,7 +2409,7 @@ struct topo_params {
 	int max_l3_id;
 	int max_node_num;
 	int nodes_per_pkg;
-	int cores_per_node;
+	int cores_per_pkg;
 	int threads_per_core;
 } topo;
 
@@ -9634,9 +9634,9 @@ void topology_probe(bool startup)
 	topo.max_core_id = max_core_id;	/* within a package */
 	topo.max_package_id = max_package_id;
 
-	topo.cores_per_node = max_core_id + 1;
+	topo.cores_per_pkg = max_core_id + 1;
 	if (debug > 1)
-		fprintf(outf, "max_core_id %d, sizing for %d cores per package\n", max_core_id, topo.cores_per_node);
+		fprintf(outf, "max_core_id %d, sizing for %d cores per package\n", max_core_id, topo.cores_per_pkg);
 	if (!summary_only)
 		BIC_PRESENT(BIC_Core);
 
@@ -9701,7 +9701,7 @@ void allocate_counters_1(struct counters *counters)
 void allocate_counters(struct counters *counters)
 {
 	int i;
-	int num_cores = topo.cores_per_node * topo.nodes_per_pkg * topo.num_packages;
+	int num_cores = topo.cores_per_pkg * topo.num_packages;
 
 	counters->threads = calloc(topo.max_cpu_num + 1, sizeof(struct thread_data));
 	if (counters->threads == NULL)
-- 
2.43.0

Re: [PATCH 1/2] tools/power turbostat: Fix out-of-bounds memory access in thread_data allocation

[Len Brown]

Applied, thanks!

i simplified the commit log a bit:

    tools/power turbostat: Fix illegal memory access when SMT is
present and disabled

    When SMT is present and disabled, turbostat may under-size
    the thread_data array.  This can corrupt results or
    cause turbostat to exit with a segmentation fault.

    [lenb: commit message]
    Fixes: a2b4d0f8bf07 ("tools/power turbostat: Favor cpu# over core#")
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>



-- 
Len Brown, Intel Open Source Technology Center

Re: [PATCH 2/2] tools/power turbostat: Optimize core count calculation and fix naming inconsistency

[Len Brown]

Applied, thanks!

(I simplified the commit message a bit):

    tools/power turbostat: Eliminate unnecessary data structure allocation

    Linux core_id's are a per-package namespace, not a per-node namespace.

    Rename topo.cores_per_node to topo.cores_per_pkg to reflect this.

    Eliminate topo.nodes_per_pkg from the sizing for core data structures,
    since it has no role except to unnecessarily bloat the allocation.

    Validated on multiple Intel platforms (ICX/SPR/SRF/EMR/GNR/CWF) with
    various CPU online/offline configurations and SMT enabled/disabled
    scenarios.

    No functional changes.

    [lenb: commit message]
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>

On Tue, Mar 10, 2026 at 2:04 AM Zhang Rui <rui.zhang@intel.com> wrote:
>
> The current core counting logic has both naming and efficiency issues.
> The variable topo.cores_per_node is misleadingly named since it actually
> represents the maximum number of cores per package, not per node. And
> the core count calculation is suboptimal and wastes memory.
>
> Rename topo.cores_per_node to topo.cores_per_pkg and improve the system
> core count calculation algorithm to avoid memory over-allocation.
>
> Validated on multiple Intel platforms (ICX/SPR/SRF/EMR/GNR/CWF) with
> various CPU online/offline configurations and SMT enabled/disabled
> scenarios. No functional changes found.
>
> Signed-off-by: Zhang Rui <rui.zhang@intel.com>
> ---
>  tools/power/x86/turbostat/turbostat.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
> index ae827485950d..ef3059ba07cd 100644
> --- a/tools/power/x86/turbostat/turbostat.c
> +++ b/tools/power/x86/turbostat/turbostat.c
> @@ -2409,7 +2409,7 @@ struct topo_params {
>         int max_l3_id;
>         int max_node_num;
>         int nodes_per_pkg;
> -       int cores_per_node;
> +       int cores_per_pkg;
>         int threads_per_core;
>  } topo;
>
> @@ -9634,9 +9634,9 @@ void topology_probe(bool startup)
>         topo.max_core_id = max_core_id; /* within a package */
>         topo.max_package_id = max_package_id;
>
> -       topo.cores_per_node = max_core_id + 1;
> +       topo.cores_per_pkg = max_core_id + 1;
>         if (debug > 1)
> -               fprintf(outf, "max_core_id %d, sizing for %d cores per package\n", max_core_id, topo.cores_per_node);
> +               fprintf(outf, "max_core_id %d, sizing for %d cores per package\n", max_core_id, topo.cores_per_pkg);
>         if (!summary_only)
>                 BIC_PRESENT(BIC_Core);
>
> @@ -9701,7 +9701,7 @@ void allocate_counters_1(struct counters *counters)
>  void allocate_counters(struct counters *counters)
>  {
>         int i;
> -       int num_cores = topo.cores_per_node * topo.nodes_per_pkg * topo.num_packages;
> +       int num_cores = topo.cores_per_pkg * topo.num_packages;
>
>         counters->threads = calloc(topo.max_cpu_num + 1, sizeof(struct thread_data));
>         if (counters->threads == NULL)
> --
> 2.43.0
>
>


-- 
Len Brown, Intel Open Source Technology Center