perf mmap: Guard cpu__get_node() return in aio_bind()

perf_mmap__aio_bind() passes the cpu__get_node() return value directly
to an unsigned long variable (node_index).  When cpu__get_node() returns
-1 for an unknown CPU, the implicit int-to-unsigned-long conversion
sign-extends it to ULONG_MAX.

This causes bitmap_zalloc(ULONG_MAX + 1) which wraps to
bitmap_zalloc(0), returning a zero-sized allocation.  The subsequent
__set_bit(ULONG_MAX, node_mask) then writes massively out of bounds.

Check the return value in a signed temporary before assigning to
node_index, and skip the NUMA binding when the node is unknown.

Fixes: c44a8b44ca9f ("perf record: Bind the AIO user space buffers to nodes")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/mmap.c b/tools/perf/util/mmap.c
index b69f926d314b148bb496db58682f89d21751c5a3..4404a99eee45f9c3d2a9942464fb7f97720898e1 100644 (file)
--- a/tools/perf/util/mmap.c
+++ b/tools/perf/util/mmap.c
@@ -104,9 +104,15 @@ static int perf_mmap__aio_bind(struct mmap *map, int idx, struct perf_cpu cpu, i
        int err = 0;
 
        if (affinity != PERF_AFFINITY_SYS && cpu__max_node() > 1) {
+               int node;
+
                data = map->aio.data[idx];
                mmap_len = mmap__mmap_len(map);
-               node_index = cpu__get_node(cpu);
+               node = cpu__get_node(cpu);
+               /* -1 sign-extends to ULONG_MAX, wrapping bitmap_zalloc(0) and OOB __set_bit */
+               if (node < 0)
+                       return 0;
+               node_index = node;
                node_mask = bitmap_zalloc(node_index + 1);
                if (!node_mask) {
                        pr_err("Failed to allocate node mask for mbind: error %m\n");