]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
perf sched: Fix comp_cpus heap overflow with cross-machine recordings
authorArnaldo Carvalho de Melo <acme@redhat.com>
Thu, 4 Jun 2026 16:05:10 +0000 (13:05 -0300)
committerArnaldo Carvalho de Melo <acme@redhat.com>
Thu, 4 Jun 2026 20:40:25 +0000 (17:40 -0300)
setup_map_cpus() allocates comp_cpus based on
sysconf(_SC_NPROCESSORS_CONF), the host machine's CPU count.  But
map_switch_event() indexes comp_cpus using cpus_nr derived from
bitmap_weight(comp_cpus_mask, MAX_CPUS), where comp_cpus_mask is
declared as DECLARE_BITMAP(..., MAX_CPUS) with MAX_CPUS=4096.

When analyzing a perf.data recording from a machine with more CPUs
than the analysis host (e.g. 128-CPU server recording analyzed on an
8-CPU laptop), cpus_nr exceeds the allocation size, causing a heap
buffer overflow.

Also fix a type mismatch: comp_cpus is 'struct perf_cpu *' (2 bytes
per element) but was allocated with sizeof(int) (4 bytes per element).

Allocate comp_cpus with MAX_CPUS entries using the correct element
size, matching the comp_cpus_mask bitmap bounds.  Remove the
sysconf(_SC_NPROCESSORS_CONF) initialization of max_cpu — its only
consumer was the comp_cpus allocation, and max_cpu is dynamically
updated from the recording's events during processing.  Fix the
non-compact path to use max_cpu.cpu + 1 as cpus_nr, converting from
0-based index to count — sysconf() returned a count which masked
this off-by-one.

Fixes: 99623c628f54 ("perf sched: Add compact display option")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/builtin-sched.c

index 36da451447b5e59f77aebfd410be2512e5b40a32..4aa7833cae6e36b8a07583621115d26ec3fa9155 100644 (file)
@@ -1670,7 +1670,7 @@ static int map_switch_event(struct perf_sched *sched,  struct perf_sample *sampl
                        new_cpu = true;
                }
        } else
-               cpus_nr = sched->max_cpu.cpu;
+               cpus_nr = sched->max_cpu.cpu + 1;
 
        timestamp0 = sched->cpu_last_switched[this_cpu.cpu];
        sched->cpu_last_switched[this_cpu.cpu] = timestamp;
@@ -3573,10 +3573,8 @@ out_free_cpus_switch_event:
 
 static int setup_map_cpus(struct perf_sched *sched)
 {
-       sched->max_cpu.cpu  = sysconf(_SC_NPROCESSORS_CONF);
-
        if (sched->map.comp) {
-               sched->map.comp_cpus = calloc(sched->max_cpu.cpu, sizeof(int));
+               sched->map.comp_cpus = calloc(MAX_CPUS, sizeof(*sched->map.comp_cpus));
                if (!sched->map.comp_cpus)
                        return -1;
        }