[PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi

Linux Perf Users
 help / color / mirror / Atom feed

* [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology()
@ 2026-06-25  7:53 Wentao Liang
  2026-06-26  1:12 ` Mi, Dapeng
  0 siblings, 1 reply; 2+ messages in thread
From: Wentao Liang @ 2026-06-25  7:53 UTC (permalink / raw)
  To: peterz, mingo, acme, namhyung, tglx, bp, dave.hansen, x86
  Cc: mark.rutland, alexander.shishkin, jolsa, irogers, adrian.hunter,
	james.clark, hpa, linux-perf-users, linux-kernel, Wentao Liang,
	stable

In discover_upi_topology(), pci_get_domain_bus_and_slot() returns a PCI
device with its reference count incremented. The caller must call
pci_dev_put() after use.

However, the inner loop overwrites dev without releasing the previous
reference, causing leaks:
  - Between inner loop iterations within the same outer loop iteration.
  - Between outer loop iterations (dev from a previous ubox's inner
    loop is overwritten at the start of the next inner loop).
  - On the normal exit path from the while loop (the last dev is never
    put before falling through to err:).

Fix by calling pci_dev_put(dev) and clearing dev after upi_fill_topology()
succeeds, so each reference is released immediately after use. The error
path (goto err) already calls pci_dev_put(dev) and remains correct since
dev is set to NULL after release, making the subsequent put a no-op.

The similar sad_cfg_iio_topology() function does not have this problem
because it uses a single pci_get_device() loop and releases the last
reference correctly in all exit paths.

Cc: stable@vger.kernel.org
Fixes: fdd041028f22 ("perf/x86/intel/uncore: Factor out topology_gidnid_map()")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 arch/x86/events/intel/uncore_snbep.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index 215d33e260ed..1561bda43835 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5499,6 +5499,8 @@ static int discover_upi_topology(struct intel_uncore_type *type, int ubox_did, i
 							  devfn);
 			if (dev) {
 				ret = upi_fill_topology(dev, upi, idx);
+				pci_dev_put(dev);
+				dev = NULL;
 				if (ret)
 					goto err;
 			}
-- 
2.39.5 (Apple Git-154)


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology()
  2026-06-25  7:53 [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology() Wentao Liang
@ 2026-06-26  1:12 ` Mi, Dapeng
  0 siblings, 0 replies; 2+ messages in thread
From: Mi, Dapeng @ 2026-06-26  1:12 UTC (permalink / raw)
  To: Wentao Liang, peterz, mingo, acme, namhyung, tglx, bp,
	dave.hansen, x86
  Cc: mark.rutland, alexander.shishkin, jolsa, irogers, adrian.hunter,
	james.clark, hpa, linux-perf-users, linux-kernel, stable


On 6/25/2026 3:53 PM, Wentao Liang wrote:
> In discover_upi_topology(), pci_get_domain_bus_and_slot() returns a PCI
> device with its reference count incremented. The caller must call
> pci_dev_put() after use.
>
> However, the inner loop overwrites dev without releasing the previous
> reference, causing leaks:
>   - Between inner loop iterations within the same outer loop iteration.
>   - Between outer loop iterations (dev from a previous ubox's inner
>     loop is overwritten at the start of the next inner loop).
>   - On the normal exit path from the while loop (the last dev is never
>     put before falling through to err:).
>
> Fix by calling pci_dev_put(dev) and clearing dev after upi_fill_topology()
> succeeds, so each reference is released immediately after use. The error
> path (goto err) already calls pci_dev_put(dev) and remains correct since
> dev is set to NULL after release, making the subsequent put a no-op.
>
> The similar sad_cfg_iio_topology() function does not have this problem
> because it uses a single pci_get_device() loop and releases the last
> reference correctly in all exit paths.
>
> Cc: stable@vger.kernel.org
> Fixes: fdd041028f22 ("perf/x86/intel/uncore: Factor out topology_gidnid_map()")
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  arch/x86/events/intel/uncore_snbep.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
> index 215d33e260ed..1561bda43835 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -5499,6 +5499,8 @@ static int discover_upi_topology(struct intel_uncore_type *type, int ubox_did, i
>  							  devfn);
>  			if (dev) {
>  				ret = upi_fill_topology(dev, upi, idx);
> +				pci_dev_put(dev);
> +				dev = NULL;
>  				if (ret)
>  					goto err;
>  			}

Thanks for fixing this issue, but it looks this issue has been fixed by
this patch
https://lore.kernel.org/all/20260602144908.263680-4-zide.chen@intel.com/. :)



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-26  1:12 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-25  7:53 [PATCH] perf/x86/intel/uncore: Fix reference leak in discover_upi_topology() Wentao Liang
2026-06-26  1:12 ` Mi, Dapeng

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox