From: sashiko-bot@kernel.org
To: "Zide Chen" <zide.chen@intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 4/7] perf/x86/intel/uncore: Factor out box setup code
Date: Thu, 14 May 2026 03:34:30 +0000 [thread overview]
Message-ID: <20260514033430.B4425C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260512233048.9577-5-zide.chen@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Fatal NULL pointer dereference in uncore_bus_notify() on removal of unbound PCI devices.
--
commit 6a9ba5cde2aa109e895cd057ed9fdc789f5590c7
Author: Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Factor out box setup code
This commit factors the lazy registration management of the PCI uncore PMU
path into a shared helper function. This allows the same code to be reused
by the MSR and MMIO paths in future changes.
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 65e9d0c64f8f9..617a68c1d76c3 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
[ ... ]
> @@ -1154,19 +1177,13 @@ static int uncore_pci_pmu_register(struct pci_dev *pdev,
> box->dieid = die;
> box->pci_dev = pdev;
> box->pmu = pmu;
> - uncore_box_init(box);
> -
> - pmu->boxes[die] = box;
> - if (atomic_inc_return(&pmu->die_refcnt) > 1)
> - return 0;
>
> - /* First active box registers the pmu */
> - ret = uncore_pmu_register(pmu);
> - if (ret) {
> - pmu->boxes[die] = NULL;
> - uncore_box_exit(box);
> + ret = uncore_box_setup(pmu, box);
> + if (!ret)
> + pmu->boxes[die] = box;
> + else
> kfree(box);
This isn't a bug introduced by your patch, but can this cause a NULL pointer
dereference if the device is later removed?
If uncore_box_setup() fails, pmu->boxes[die] remains NULL while the device
remains on the PCI bus without a bound driver. If this device is later
removed, uncore_bus_notify() fires for BUS_NOTIFY_DEL_DEVICE:
uncore_bus_notify() {
...
if (action != BUS_NOTIFY_DEL_DEVICE)
return NOTIFY_DONE;
pmu = uncore_pci_find_dev_pmu(pdev, ids);
...
uncore_pci_pmu_unregister(pmu, die);
}
This identifies the PMU via PCI IDs and unconditionally calls
uncore_pci_pmu_unregister(), without checking if the driver actually
bound to the device.
uncore_pci_pmu_unregister() {
struct intel_uncore_box *box = pmu->boxes[die];
...
uncore_box_exit(box);
kfree(box);
}
Since box is NULL here, will uncore_box_exit() dereference the NULL pointer
when it calls test_and_clear_bit(UNCORE_BOX_FLAG_INITIALIZED, &box->flags)?
> +
> return ret;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512233048.9577-1-zide.chen@intel.com?part=4
next prev parent reply other threads:[~2026-05-14 3:34 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 23:30 [PATCH 0/7] perf/x86/intel/uncore: PMU setup robustness fixes Zide Chen
2026-05-12 23:30 ` [PATCH 1/7] perf/x86/intel/uncore: Rename refcount fields and other cleanups Zide Chen
2026-05-13 0:26 ` Ian Rogers
2026-05-14 0:58 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 2/7] perf/x86/intel/uncore: Let init_box() callback report failures Zide Chen
2026-05-13 0:23 ` Ian Rogers
2026-05-14 2:14 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 3/7] perf/x86/intel/uncore: Keep PCI PMUs working when MMIO/MSR setup fails Zide Chen
2026-05-13 0:30 ` Ian Rogers
2026-05-12 23:30 ` [PATCH 4/7] perf/x86/intel/uncore: Factor out box setup code Zide Chen
2026-05-13 0:27 ` Ian Rogers
2026-05-14 3:34 ` sashiko-bot [this message]
2026-05-12 23:30 ` [PATCH 5/7] perf/x86/intel/uncore: Introduce PMU flags and broken state Zide Chen
2026-05-13 0:28 ` Ian Rogers
2026-05-14 4:27 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 6/7] perf/x86/intel/uncore: Fix uncore_box ref/unref ordering on CPU hotplug Zide Chen
2026-05-13 0:32 ` Ian Rogers
2026-05-13 8:59 ` Mi, Dapeng
2026-05-13 18:43 ` Chen, Zide
2026-05-14 5:12 ` sashiko-bot
2026-05-12 23:30 ` [PATCH 7/7] perf/x86/intel/uncore: Implement lazy setup for MSR/MMIO PMU Zide Chen
2026-05-13 0:34 ` Ian Rogers
2026-05-13 9:03 ` Mi, Dapeng
2026-05-13 16:47 ` Chen, Zide
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514033430.B4425C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zide.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox