Re: [PATCH 4/5] perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing

Next message: David Woodhouse: "[PATCH 5/8] KVM: x86/xen: Latch shinfo mode in kvm_xen_schedop_poll()"
Previous message: Jason Gunthorpe: "Re: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 4/5] perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing"
Next in thread: Arnaldo Carvalho de Melo: "Re: [PATCH 4/5] perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Ahern

Date: Fri Jun 05 2026 - 10:35:04 EST

On 6/5/26 6:15 AM, Arnaldo Carvalho de Melo wrote:
> From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
>
> perf_timehist__process_sample() updates sched->max_cpu from the
> sample CPU without bounds checking. Later code uses max_cpu + 1 as
> an iteration count over arrays allocated with MAX_CPUS entries
> (curr_thread, cpu_last_switched). A recording with CPU IDs >= MAX_CPUS
> causes out-of-bounds array accesses.
>
> Also cap the env->nr_cpus_online initialization of max_cpu in
> perf_sched__timehist(), which could exceed MAX_CPUS on very large
> systems.
>
> Add bounds checks before both max_cpu updates, matching the pattern
> already used in map_switch_event().
>
> Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command")
> Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
> Cc: David Ahern <dsahern@xxxxxxxxx>
> Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
> Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
> ---
> tools/perf/builtin-sched.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>

LGTM

Reviewed-by: David Ahern <dsahern@xxxxxxxxxx>