[PATCH v14 27/32] perf kmem: Add bounds checks to tracepoint read values
From: Ian Rogers
Date: Wed May 20 2026 - 17:05:22 EST
Sanitize order and migrate_type values from tracepoint payloads before using
them as array indexes.
When processing page_alloc_event and page_free_event, verify that 'order' is less
than MAX_PAGE_ORDER and 'migrate_type' is less than MAX_MIGRATE_TYPES. This
guarantees that indexing into order_stats[MAX_PAGE_ORDER][MAX_MIGRATE_TYPES] remains
strictly within bounds, avoiding out-of-bound heap or static segment accesses.
Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
Acked-by: Namhyung Kim <namhyung@xxxxxxxxxx>
---
tools/perf/builtin-kmem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tools/perf/builtin-kmem.c b/tools/perf/builtin-kmem.c
index daf2272c7337..33585e353efe 100644
--- a/tools/perf/builtin-kmem.c
+++ b/tools/perf/builtin-kmem.c
@@ -826,6 +826,16 @@ static int evsel__process_page_alloc_event(struct perf_sample *sample)
.migrate_type = migrate_type,
};
+ if (order >= MAX_PAGE_ORDER) {
+ pr_debug("Out-of-bounds order %u\n", order);
+ return -1;
+ }
+
+ if (migrate_type >= MAX_MIGRATE_TYPES) {
+ pr_debug("Out-of-bounds migratetype %u\n", migrate_type);
+ return -1;
+ }
+
if (use_pfn)
page = perf_sample__intval(sample, "pfn");
else
@@ -892,6 +902,11 @@ static int evsel__process_page_free_event(struct perf_sample *sample)
.order = order,
};
+ if (order >= MAX_PAGE_ORDER) {
+ pr_debug("Out-of-bounds order %u\n", order);
+ return -1;
+ }
+
if (use_pfn)
page = perf_sample__intval(sample, "pfn");
else
--
2.54.0.746.g67dd491aae-goog