From: "Mi, Dapeng" <dapeng1.mi@linux.intel.com>
To: Wentao Liang <vulab@iscas.ac.cn>,
peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
namhyung@kernel.org, tglx@kernel.org, bp@alien8.de,
dave.hansen@linux.intel.com, x86@kernel.org
Cc: mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com,
james.clark@linaro.org, hpa@zytor.com,
linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology()
Date: Fri, 26 Jun 2026 09:12:42 +0800 [thread overview]
Message-ID: <08340bd1-c115-468b-8145-dfc7c4eae3e2@linux.intel.com> (raw)
In-Reply-To: <20260625075311.45599-1-vulab@iscas.ac.cn>
On 6/25/2026 3:53 PM, Wentao Liang wrote:
> In discover_upi_topology(), pci_get_domain_bus_and_slot() returns a PCI
> device with its reference count incremented. The caller must call
> pci_dev_put() after use.
>
> However, the inner loop overwrites dev without releasing the previous
> reference, causing leaks:
> - Between inner loop iterations within the same outer loop iteration.
> - Between outer loop iterations (dev from a previous ubox's inner
> loop is overwritten at the start of the next inner loop).
> - On the normal exit path from the while loop (the last dev is never
> put before falling through to err:).
>
> Fix by calling pci_dev_put(dev) and clearing dev after upi_fill_topology()
> succeeds, so each reference is released immediately after use. The error
> path (goto err) already calls pci_dev_put(dev) and remains correct since
> dev is set to NULL after release, making the subsequent put a no-op.
>
> The similar sad_cfg_iio_topology() function does not have this problem
> because it uses a single pci_get_device() loop and releases the last
> reference correctly in all exit paths.
>
> Cc: stable@vger.kernel.org
> Fixes: fdd041028f22 ("perf/x86/intel/uncore: Factor out topology_gidnid_map()")
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
> arch/x86/events/intel/uncore_snbep.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
> index 215d33e260ed..1561bda43835 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -5499,6 +5499,8 @@ static int discover_upi_topology(struct intel_uncore_type *type, int ubox_did, i
> devfn);
> if (dev) {
> ret = upi_fill_topology(dev, upi, idx);
> + pci_dev_put(dev);
> + dev = NULL;
> if (ret)
> goto err;
> }
Thanks for fixing this issue, but it looks this issue has been fixed by
this patch
https://lore.kernel.org/all/20260602144908.263680-4-zide.chen@intel.com/. :)
prev parent reply other threads:[~2026-06-26 1:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 7:53 [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology() Wentao Liang
2026-06-26 1:12 ` Mi, Dapeng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08340bd1-c115-468b-8145-dfc7c4eae3e2@linux.intel.com \
--to=dapeng1.mi@linux.intel.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@kernel.org \
--cc=vulab@iscas.ac.cn \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.