From: sashiko-bot@kernel.org
To: "Zide Chen" <zide.chen@intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 6/7] perf/x86/intel/uncore: Fix uncore_box ref/unref ordering on CPU hotplug
Date: Thu, 14 May 2026 05:12:08 +0000
Message-ID: <20260514051208.9140BC2BCB7@smtp.kernel.org>
In-Reply-To: <20260512233048.9577-7-zide.chen@intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Swapping the order of `uncore_box_unref()` and `uncore_change_context()` unmaps MMIO memory while perf events are still active on the offlining CPU, leading to a kernel panic.
--

commit c3109355d1e7c9f59ae1464588987b4aa4135388
Author: Zide Chen <zide.chen@intel.com>

perf/x86/intel/uncore: Fix uncore_box ref/unref ordering on CPU hotplug

This commit reorders the setup and teardown sequence in the uncore CPU
hotplug callbacks. It swaps the order of uncore_box_ref/unref and
uncore_change_context to ensure that the uncore box references the correct
context.

> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 4d31dcaf5405b..b9b901b789d15 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
> @@ -1555,9 +1555,15 @@ static int uncore_event_cpu_offline(unsigned int cpu)
>  {
>  	int die, target;
>  
> +	/* Clear the references */
> +	die = topology_logical_die_id(cpu);
> +	uncore_box_unref(uncore_msr_uncores, die);
> +	uncore_box_unref(uncore_mmio_uncores, die);
> +
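
Review bot: The comment `/* Clear the references */` above the two `uncore_box_unref()` calls restates the code and leaves out the reason for the move, which is the ordering this patch exists to change. Because the unref calls for both `uncore_msr_uncores` and `uncore_mmio_uncores` now run first in `uncore_event_cpu_offline()`, ahead of the rest of the function, the comment should say why dropping the references is safe at that point and what the remaining code may still assume about the boxes for `die`, in particular that nothing after these calls touches a box whose last reference was just dropped.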

When uncore_box_unref() executes before uncore_change_context(), can this
cause a page fault if there are active events?

During CPU offline, the uncore teardown callback runs at state
CPUHP_AP_PERF_X86_UNCORE_ONLINE, which executes before the generic perf core
teardown at CPUHP_AP_PERF_ONLINE.

If the offlining CPU is the last CPU in the die, cpu_refcnt reaches 0 and
uncore_box_exit() is called immediately. For MMIO PMUs, this calls
uncore_mmio_exit_box(), which executes iounmap(box->io_addr).

Since uncore_change_context() is called later with target = -1, no event
migration happens, and the active uncore perf events stay attached to the
offlining CPU's context.

When teardown reaches CPUHP_AP_PERF_ONLINE, perf_event_exit_cpu_context()
runs to clean up remaining events on the dying CPU. It calls pmu->stop()
to disable the events.

Will uncore_pmu_event_stop() dereference the unmapped box->io_addr via
uncore_perf_event_update() and disable_event(), leading to a kernel panic?

Even if a later patch adds uncore_pmu_unregister() to uncore_box_unref(),
this registration is only skipped if die_refcnt > 0. On a multi-die system,
offlining all CPUs in a single die leaves die_refcnt > 0, so the PMU
unregistration is skipped and the panic could still occur.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260512233048.9577-1-zide.chen@intel.com?part=6
