From: sashiko-bot@kernel.org
To: "Zide Chen" <zide.chen@intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 4/7] perf/x86/intel/uncore: Factor out box setup code
Date: Thu, 14 May 2026 03:34:30 +0000 [thread overview]
Message-ID: <20260514033430.B4425C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260512233048.9577-5-zide.chen@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Fatal NULL pointer dereference in uncore_bus_notify() on removal of unbound PCI devices.
--
commit 6a9ba5cde2aa109e895cd057ed9fdc789f5590c7
Author: Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Factor out box setup code
This commit factors the lazy registration management of the PCI uncore PMU
path into a shared helper function. This allows the same code to be reused
by the MSR and MMIO paths in future changes.
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 65e9d0c64f8f9..617a68c1d76c3 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
[ ... ]
> @@ -1154,19 +1177,13 @@ static int uncore_pci_pmu_register(struct pci_dev *pdev,
> box->dieid = die;
> box->pci_dev = pdev;
> box->pmu = pmu;
> - uncore_box_init(box);
> -
> - pmu->boxes[die] = box;
> - if (atomic_inc_return(&pmu->die_refcnt) > 1)
> - return 0;
>
> - /* First active box registers the pmu */
> - ret = uncore_pmu_register(pmu);
> - if (ret) {
> - pmu->boxes[die] = NULL;
> - uncore_box_exit(box);
> + ret = uncore_box_setup(pmu, box);
> + if (!ret)
> + pmu->boxes[die] = box;
> + else
> kfree(box);
This isn't a bug introduced by your patch, but can this cause a NULL pointer
dereference if the device is later removed?
If uncore_box_setup() fails, pmu->boxes[die] remains NULL while the device
remains on the PCI bus without a bound driver. If this device is later
removed, uncore_bus_notify() fires for BUS_NOTIFY_DEL_DEVICE:
uncore_bus_notify() {
...
if (action != BUS_NOTIFY_DEL_DEVICE)
return NOTIFY_DONE;
pmu = uncore_pci_find_dev_pmu(pdev, ids);
...
uncore_pci_pmu_unregister(pmu, die);
}
This identifies the PMU via PCI IDs and unconditionally calls
uncore_pci_pmu_unregister(), without checking if the driver actually
bound to the device.
uncore_pci_pmu_unregister() {
struct intel_uncore_box *box = pmu->boxes[die];
...
uncore_box_exit(box);
kfree(box);
}
Since box is NULL here, will uncore_box_exit() dereference the NULL pointer
when it calls test_and_clear_bit(UNCORE_BOX_FLAG_INITIALIZED, &box->flags)?
> +
> return ret;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512233048.9577-1-zide.chen@intel.com?part=4
next prev parent reply other threads:[~2026-05-14 3:34 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 23:30 [PATCH 0/7] perf/x86/intel/uncore: PMU setup robustness fixes Zide Chen
2026-05-12 23:30 ` [PATCH 1/7] perf/x86/intel/uncore: Rename refcount fields and other cleanups Zide Chen
2026-05-13 0:26 ` Ian Rogers
2026-05-14 0:58 ` sashiko-bot
2026-05-14 19:06 ` Chen, Zide
2026-05-12 23:30 ` [PATCH 2/7] perf/x86/intel/uncore: Let init_box() callback report failures Zide Chen
2026-05-13 0:23 ` Ian Rogers
2026-05-14 2:14 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 3/7] perf/x86/intel/uncore: Keep PCI PMUs working when MMIO/MSR setup fails Zide Chen
2026-05-13 0:30 ` Ian Rogers
2026-05-12 23:30 ` [PATCH 4/7] perf/x86/intel/uncore: Factor out box setup code Zide Chen
2026-05-13 0:27 ` Ian Rogers
2026-05-14 3:34 ` sashiko-bot [this message]
2026-05-12 23:30 ` [PATCH 5/7] perf/x86/intel/uncore: Introduce PMU flags and broken state Zide Chen
2026-05-13 0:28 ` Ian Rogers
2026-05-14 4:27 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 6/7] perf/x86/intel/uncore: Fix uncore_box ref/unref ordering on CPU hotplug Zide Chen
2026-05-13 0:32 ` Ian Rogers
2026-05-13 8:59 ` Mi, Dapeng
2026-05-13 18:43 ` Chen, Zide
2026-05-14 5:12 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 7/7] perf/x86/intel/uncore: Implement lazy setup for MSR/MMIO PMU Zide Chen
2026-05-13 0:34 ` Ian Rogers
2026-05-13 9:03 ` Mi, Dapeng
2026-05-13 16:47 ` Chen, Zide
2026-05-14 5:38 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514033430.B4425C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zide.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.