[PATCH v14 28/32] perf sched: Bounds check CPU in sched switch events
From: Ian Rogers
Date: Wed May 20 2026 - 15:25:12 EST
Ensure CPU indexes parsed from sched switch and runtime events fit within the
MAX_CPUS limit to prevent out-of-bounds indexing.
Add explicit bounds checks for sample->cpu against MAX_CPUS inside
process_sched_switch_event, process_sched_runtime_event, and
timehist_sched_change_event. This prevents indexing beyond the boundaries
of the sched->curr_pid tracking array, avoiding potential memory corruption or
undefined behavior.
Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
Acked-by: Namhyung Kim <namhyung@xxxxxxxxxx>
---
tools/perf/builtin-sched.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index d984e58c7dbf..9d73c7043182 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -1791,6 +1791,11 @@ static int process_sched_switch_event(const struct perf_tool *tool,
u32 prev_pid = perf_sample__intval(sample, "prev_pid"),
next_pid = perf_sample__intval(sample, "next_pid");
+ if (this_cpu < 0 || this_cpu >= MAX_CPUS) {
+ pr_warning("Out-of-bound sample CPU %d. Skipping sample\n", this_cpu);
+ return 0;
+ }
+
if (sched->curr_pid[this_cpu] != (u32)-1) {
/*
* Are we trying to switch away a PID that is
@@ -1813,6 +1818,11 @@ static int process_sched_runtime_event(const struct perf_tool *tool,
{
struct perf_sched *sched = container_of(tool, struct perf_sched, tool);
+ if (sample->cpu >= MAX_CPUS) {
+ pr_warning("Out-of-bound sample CPU %u. Skipping sample\n", sample->cpu);
+ return 0;
+ }
+
if (sched->tp_handler->runtime_event)
return sched->tp_handler->runtime_event(sched, sample, machine);
@@ -2775,6 +2785,11 @@ static int timehist_sched_change_event(const struct perf_tool *tool,
int rc = 0;
const char state = perf_sample__taskstate(sample, "prev_state");
+ if (sample->cpu >= MAX_CPUS) {
+ pr_warning("Out-of-bound sample CPU %d. Skipping sample\n", sample->cpu);
+ return 0;
+ }
+
addr_location__init(&al);
if (machine__resolve(machine, &al, sample) < 0) {
pr_err("problem processing %d event. skipping it\n",
--
2.54.0.746.g67dd491aae-goog