From: sashiko-bot@kernel.org
To: "Zide Chen" <zide.chen@intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH V2 2/7] perf/x86/intel/uncore: Guard against invalid box control address
Date: Wed, 27 May 2026 17:28:39 +0000 [thread overview]
Message-ID: <20260527172840.399211F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260527151154.130505-2-zide.chen@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch guards box-level operations against invalid (0) control addresses when a discovery unit is missing, but it critically misses event-level operations. This omission allows an unprivileged or privileged user running `perf` to trigger a #GP fault (kernel panic) or PCI configuration space corruption.
--
commit 65ddbcdd36196085490e8783cb658d7e20c2e9c5
Author: Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Guard against invalid box control address
This commit guards against a NULL return value from
intel_uncore_find_discovery_unit() before accessing hardware box control
addresses. It prevents potential faults when a CPU die is offline during
uncore enumeration.
> diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
> index 60e1200c4691d..af2217b44a814 100644
> --- a/arch/x86/events/intel/uncore_discovery.c
> +++ b/arch/x86/events/intel/uncore_discovery.c
[ ... ]
> @@ -549,6 +560,10 @@ bool intel_generic_uncore_assign_hw_event(struct perf_event *event,
>
> if (box->pci_dev) {
> box_ctl = UNCORE_DISCOVERY_PCI_BOX_CTRL(box_ctl);
> +
> + if (!box_ctl)
> + return false;
> +
[Severity: High]
This is a pre-existing issue, but does returning false here when box_ctl is
invalid still leave us vulnerable to hardware access faults during event
execution?
When intel_generic_uncore_assign_hw_event() returns false, the caller
uncore_assign_hw_event() unconditionally falls back to legacy offset
calculations using uncore_event_ctl(). For discovery PMUs, this results in
hwc->config_base being set to a small relative offset like 0x0.
Later, when a user schedules a perf event on this box, the event startup
routines execute blindly using this base:
intel_generic_uncore_msr_enable_event()
wrmsrq(hwc->config_base, hwc->config);
Could this result in a fatal #GP fault by executing wrmsrq(0, ...), or
corrupt PCI configuration space by overwriting the Vendor or Device ID at
offset 0x0?
While this patch successfully prevents faults during boot or hotplug box
initialization, could it leave the crash accessible through user-controlled
perf execution?
> hwc->config_base = box_ctl + uncore_pci_event_ctl(box, hwc->idx);
> hwc->event_base = box_ctl + uncore_pci_perf_ctr(box, hwc->idx);
> return true;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260527151154.130505-1-zide.chen@intel.com?part=2
next prev parent reply other threads:[~2026-05-27 17:28 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 15:11 [PATCH V2 1/7] perf/x86/intel/uncore: Fix discovery unit lookup for multi-die systems Zide Chen
2026-05-27 15:11 ` [PATCH V2 2/7] perf/x86/intel/uncore: Guard against invalid box control address Zide Chen
2026-05-27 17:28 ` sashiko-bot [this message]
2026-05-29 18:30 ` Chen, Zide
2026-05-28 6:03 ` Mi, Dapeng
2026-05-27 15:11 ` [PATCH V2 3/7] perf/x86/intel/uncore: Fix PCI device refcount leak in UPI discovery Zide Chen
2026-05-28 6:34 ` Mi, Dapeng
2026-05-27 15:11 ` [PATCH V2 4/7] perf/x86/intel/uncore: Defer ADL global PMON enable to enable_box() Zide Chen
2026-05-27 18:17 ` sashiko-bot
2026-05-28 6:35 ` Mi, Dapeng
2026-05-28 18:07 ` Chen, Zide
2026-05-27 15:11 ` [PATCH V2 5/7] perf/x86/intel/uncore: Move die_to_cpu() to uncore.c Zide Chen
2026-05-28 6:36 ` Mi, Dapeng
2026-05-29 10:54 ` Peter Zijlstra
2026-05-27 15:11 ` [PATCH V2 6/7] perf/x86/intel/uncore: Fix uncore_die_to_cpu() for offline dies Zide Chen
2026-05-27 19:56 ` sashiko-bot
2026-05-28 6:38 ` Mi, Dapeng
2026-05-27 15:11 ` [PATCH V2 7/7] perf/x86/intel/uncore: Implement global init callback for GNR uncore Zide Chen
2026-05-27 20:45 ` sashiko-bot
2026-05-29 18:30 ` Chen, Zide
2026-05-28 6:46 ` Mi, Dapeng
2026-05-28 18:14 ` Chen, Zide
2026-05-29 8:47 ` Mi, Dapeng
2026-05-29 10:55 ` Peter Zijlstra
2026-05-29 15:03 ` Chen, Zide
2026-05-27 15:45 ` [PATCH V2 1/7] perf/x86/intel/uncore: Fix discovery unit lookup for multi-die systems sashiko-bot
2026-05-29 18:31 ` Chen, Zide
2026-05-28 6:01 ` Mi, Dapeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260527172840.399211F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zide.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.