[PATCH] perf/x86/intel/uncore: Re-register PMU on PCI device hot-add

[PATCH] perf/x86/intel/uncore: Re-register PMU on PCI device hot-add

[Guixin Liu]

When an uncore PCI device is removed and then rescanned back, the PMU
and its associated box are unregistered during removal but never
re-registered during the rescan. This causes a NULL pointer dereference
(on box) when the device is removed again.

Reproduction steps:
1. Boot the system with uncore PCI devices enumerated
2. Remove an uncore PCI device (e.g., via sysfs or physical removal)
   - BUS_NOTIFY_DEL_DEVICE triggers uncore_pci_pmu_unregister()
   - pmu->boxes[die] is set to NULL and the box is freed
3. Rescan the PCI bus to re-enumerate the device
   - The PCI device appears again, but uncore does not re-register
     the PMU/box because uncore_pci_pmus_register() only runs during
     module initialization, not on PCI hotplug events
4. Remove the device again
   - BUS_NOTIFY_DEL_DEVICE triggers uncore_pci_pmu_unregister()
   - box = pmu->boxes[die] returns NULL → BUG() / crash

Root cause:
The uncore subsystem only registers PMUs and boxes during module
initialization (uncore_pci_pmus_register). It does not handle PCI
hotplug/rescan events to re-register PMUs when devices reappear.

Fix:
Extend the uncore PCI bus notifier to handle BUS_NOTIFY_ADD_DEVICE
events. When a previously-registered uncore PCI device is re-added,
call uncore_pci_pmu_register() to recreate the box and restore the
PMU state. This ensures that subsequent removal operations work
correctly.

Fixes: 42839ef4a20a ("perf/x86/intel/uncore: Generic support for the PCI type of uncore blocks")
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
---
 arch/x86/events/intel/uncore.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
index 786bd51a0d89..211318733a35 100644
--- a/arch/x86/events/intel/uncore.c
+++ b/arch/x86/events/intel/uncore.c
@@ -1272,8 +1272,7 @@ static int uncore_bus_notify(struct notifier_block *nb,
 	struct intel_uncore_pmu *pmu;
 	int die;
 
-	/* Unregister the PMU when the device is going to be deleted. */
-	if (action != BUS_NOTIFY_DEL_DEVICE)
+	if (action != BUS_NOTIFY_DEL_DEVICE && action != BUS_NOTIFY_ADD_DEVICE)
 		return NOTIFY_DONE;
 
 	pmu = uncore_pci_find_dev_pmu(pdev, ids);
@@ -1283,7 +1282,16 @@ static int uncore_bus_notify(struct notifier_block *nb,
 	if (uncore_pci_get_dev_die_info(pdev, &die))
 		return NOTIFY_DONE;
 
-	uncore_pci_pmu_unregister(pmu, die);
+	switch (action) {
+	case BUS_NOTIFY_DEL_DEVICE:
+		uncore_pci_pmu_unregister(pmu, die);
+		break;
+	case BUS_NOTIFY_ADD_DEVICE:
+		uncore_pci_pmu_register(pdev, pmu->type, pmu, die);
+		break;
+	default:
+		return NOTIFY_DONE;
+	}
 
 	return NOTIFY_OK;
 }
-- 
2.32.0.3.g01195cf9f

Re: [PATCH] perf/x86/intel/uncore: Re-register PMU on PCI device hot-add

[sashiko-bot]

Sashiko AI review found 3 potential issue(s):
- [Critical] The patch does not fully resolve the NULL pointer dereference because it ignores registration failures during hot-add, leaving the unregister function vulnerable.
- [Critical] Pre-existing Use-After-Free and state corruption when removing unregistered alias PCI devices.
- [Critical] Pre-existing Use-After-Free due to uncore box being freed while hrtimer and performance events are active.
--

commit d861b5908dfa0b5575cf18dc6c31bb0673e86c3a
Author: Guixin Liu <kanie@linux.alibaba.com>

perf/x86/intel/uncore: Re-register PMU on PCI device hot-add

This commit extends the uncore PCI bus notifier to handle
BUS_NOTIFY_ADD_DEVICE events. When a previously-registered uncore PCI device
is re-added, it calls uncore_pci_pmu_register to recreate the box and
restore the PMU state.

> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index e228e564b15ea..4a8fec0590465 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c

[ ... ]

> @@ -1284,7 +1283,16 @@ static int uncore_bus_notify(struct notifier_block *nb,
>  	if (uncore_pci_get_dev_die_info(pdev, &die))
>  		return NOTIFY_DONE;
>  
> -	uncore_pci_pmu_unregister(pmu, die);
> +	switch (action) {
> +	case BUS_NOTIFY_DEL_DEVICE:
> +		uncore_pci_pmu_unregister(pmu, die);

Are there pre-existing issues with uncore_pci_pmu_unregister during
device removal?

If a duplicate or alias PCI device mapping to the same PMU and die is
hotplugged, uncore_pci_pmu_register safely rejects it. However, if that
rejected device is later removed, could uncore_pci_pmu_unregister wrongfully
free the legitimate box belonging to the original active device, since it does
not verify device ownership?

Also, could calling uncore_pci_pmu_unregister here cause a use-after-free
if the uncore box is freed while the hrtimer and performance events are
still active?

> +		break;
> +	case BUS_NOTIFY_ADD_DEVICE:
> +		uncore_pci_pmu_register(pdev, pmu->type, pmu, die);

What happens if uncore_pci_pmu_register fails during a hot-add event, such
as when uncore_alloc_box returns -ENOMEM?

The notifier currently ignores the return value, which would leave the box
uninitialized. If the device is subsequently removed, BUS_NOTIFY_DEL_DEVICE
would unconditionally call uncore_pci_pmu_unregister.

Could this lead to a NULL pointer dereference when uncore_pci_pmu_unregister
retrieves the missing box and passes it to uncore_box_exit? Would adding a
check for a missing box in uncore_pci_pmu_unregister help prevent this?

> +		break;
> +	default:
> +		return NOTIFY_DONE;
> +	}
>  
>  	return NOTIFY_OK;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260416054549.45585-1-kanie@linux.alibaba.com?part=1