Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=master 2026-04-14T06:41:11+00:00 2026-04-14T06:41:11+00:00 Rong Bao rong.bao@csmantle.top 2026-04-13T10:03:55+00:00 urn:sha1:a355eefc36c4481188249b067832b40a2c45fa5c Currently, the initialization of loongarch_jump_ops does not contain an assignment to its .free field. This causes disasm_line__free() to fall through to ins_ops__delete() for LoongArch jump instructions. ins_ops__delete() will free ins_operands.source.raw and ins_operands.source.name, and these fields overlaps with ins_operands.jump.raw_comment and ins_operands.jump.raw_func_start. Since in loongarch_jump__parse(), these two fields are populated by strchr()-ing the same buffer, trying to free them will lead to undefined behavior. This invalid free usually leads to crashes: Process 1712902 (perf) of user 1000 dumped core. Stack trace of thread 1712902: #0 0x00007fffef155c58 n/a (libc.so.6 + 0x95c58) #1 0x00007fffef0f7a94 raise (libc.so.6 + 0x37a94) #2 0x00007fffef0dd6a8 abort (libc.so.6 + 0x1d6a8) #3 0x00007fffef145490 n/a (libc.so.6 + 0x85490) #4 0x00007fffef1646f4 n/a (libc.so.6 + 0xa46f4) #5 0x00007fffef164718 n/a (libc.so.6 + 0xa4718) #6 0x00005555583a6764 __zfree (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x106764) #7 0x000055555854fb70 disasm_line__free (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x2afb70) #8 0x000055555853d618 annotated_source__purge (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x29d618) #9 0x000055555852300c __hist_entry__tui_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28300c) #10 0x0000555558526718 do_annotate (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x286718) #11 0x000055555852ed94 evsel__hists_browse (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x28ed94) #12 0x000055555831fdd0 cmd_report (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x7fdd0) #13 0x000055555839b644 handle_internal_command (/home/csmantle/dist/linux-arch/tools/perf/perf + 0xfb644) #14 0x00005555582fe6ac main (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5e6ac) #15 0x00007fffef0ddd90 n/a (libc.so.6 + 0x1dd90) #16 0x00007fffef0ddf0c __libc_start_main (libc.so.6 + 0x1df0c) #17 0x00005555582fed10 _start (/home/csmantle/dist/linux-arch/tools/perf/perf + 0x5ed10) ELF object binary architecture: LoongArch ... and it can be confirmed with Valgrind: ==1721834== Invalid free() / delete / delete[] / realloc() ==1721834== at 0x4EA9014: free (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so) ==1721834== by 0x4106287: __zfree (zalloc.c:13) ==1721834== by 0x42ADC8F: disasm_line__free (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x429B737: annotated_source__purge (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42811EB: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== Address 0x7d34303 is 35 bytes inside a block of size 62 alloc'd ==1721834== at 0x4EA59B8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-loongarch64-linux.so) ==1721834== by 0x6B80B6F: strdup (strdup.c:42) ==1721834== by 0x42AD917: disasm_line__new (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42AE5A3: symbol__disassemble_objdump (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42AF0A7: symbol__disassemble (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x429B3CF: symbol__annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x429C233: symbol__annotate2 (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42804D3: __hist_entry__tui_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x42848D7: do_annotate (in /home/csmantle/dist/linux-arch/tools/perf/perf) ==1721834== by 0x428CF33: evsel__hists_browse (in /home/csmantle/dist/linux-arch/tools/perf/perf) This patch adds the missing free() specialization in loongarch_jump_ops, which prevents disasm_line__free() from invoking the default cleanup function. Fixes: fb7fd2a14a503b9a ("perf annotate: Move raw_comment and raw_func_start fields out of 'struct ins_operands'") Cc: stable@vger.kernel.org Cc: WANG Rui <wangrui@loongson.cn> Cc: Huacai Chen <chenhuacai@kernel.org> Cc: WANG Xuerui <kernel@xen0n.name> Cc: loongarch@lists.linux.dev Signed-off-by: Rong Bao <rong.bao@csmantle.top> Tested-by: WANG Rui <wangrui@loongson.cn> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:05+00:00 urn:sha1:dff56bdafae8e65d9acb88cc98e1f5129c352201 Validate the BTF entry count and individual data sizes when reading HEADER_BPF_BTF from perf.data files to prevent excessive memory allocation from malformed files. Reuses the MAX_BPF_PROGS (131072) and MAX_BPF_DATA_LEN (256 MB) limits from HEADER_BPF_PROG_INFO processing. Cc: Song Liu <song@kernel.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:04+00:00 urn:sha1:66af7e9b05c4e7ff435c0aef0d253a65d290f03c Add validation to process_bpf_prog_info() to harden against malformed perf.data files: - Upper bound on BPF program count (max 131072) - Upper bound on per-program data_len (max 256MB) Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:03+00:00 urn:sha1:f5722a6b6a443fd56ce0a71b4be4c75d7a857dbe Add upper bound checks in PMU capabilities processing to harden against malformed perf.data files: - nr_pmu bounded to MAX_PMU_MAPPINGS (4096) in process_pmu_caps() - nr_pmu_caps bounded to MAX_PMU_CAPS (512) in __process_pmu_caps() Cc: Ravi Bangoria <ravi.bangoria@amd.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:02+00:00 urn:sha1:47c68eb15ae90fa3953db9a67b4569089ff63cd0 Add upper bound check on nr_nodes in process_hybrid_topology() to harden against malformed perf.data files (reuses MAX_PMU_MAPPINGS, 4096). Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:01+00:00 urn:sha1:110a661708a6a90997442f02f261e2043624a1c8 Add upper bound check on cache entry count in process_cache() to harden against malformed perf.data files (max 32768). Cc: Jiri Olsa <jolsa@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:09:00+00:00 urn:sha1:6830e20c92e7388ae4834a3574a0d3d90500c4c1 Add upper bound check on nr_groups in process_group_desc() to harden against malformed perf.data files (max 32768), and move the env assignment after validation. Cc: Namhyung Kim <namhyung@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:08:59+00:00 urn:sha1:f613a6d694aa499edb2a291ab2c2d906619585f2 Add upper bound check on pmu_num in process_pmu_mappings() to harden against malformed perf.data files (max 4096). Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:08:58+00:00 urn:sha1:a881fc56038a7baa5cb5074cdd52315d9ad9ee63 Add validation to process_mem_topology() to harden against malformed perf.data files: - Upper bound check on nr_nodes (reuses MAX_NUMA_NODES, 4096) - Minimum section size check before allocating This is particularly important here since nr is u64, making unbounded values especially dangerous. Cc: Jiri Olsa <jolsa@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> 2026-04-14T06:21:53+00:00 Arnaldo Carvalho de Melo acme@redhat.com 2026-04-10T22:08:57+00:00 urn:sha1:4ba223016b0be7ec11aad63f480cd251cecad594 Add validation to process_numa_topology() to harden against malformed perf.data files: - Upper bound check on nr_nodes (max 4096) - Minimum section size check before allocating Cc: Jiri Olsa <jolsa@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude Code:claude-opus-4-6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org>