From: sashiko-bot@kernel.org
To: "Qi Liu" <liuqi@hygon.cn>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [RFC PATCH 2/3] perf/x86/amd/uncore: Convert AMD driver to common PMU helpers
Date: Tue, 19 May 2026 04:37:26 +0000 [thread overview]
Message-ID: <20260519043727.3737AC2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260519033225.1479907-3-liuqi@hygon.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Failure in module initialization leaves registered PMUs active with dangling pointers to freed module memory.
--
commit 1da22dd6a76f69c0499311126ce80bcfeb22b09d
Author: Qi Liu <liuqi@hygon.cn>
perf/x86/amd/uncore: Convert AMD driver to common PMU helpers
Use the common uncore PMU helpers for AMD uncore event handling and
per-CPU context management. The AMD-specific DF, L3 and UMC discovery,
event encoding and PMU setup logic remains in the AMD driver.
> diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c
> --- a/arch/x86/events/amd/uncore.c
> +++ b/arch/x86/events/amd/uncore.c
[ ... ]
> @@ -1137,7 +702,7 @@ static int __init amd_uncore_init(void)
> BUG_ON(!uncore->move);
> BUG_ON(!uncore->free);
>
> - uncore->info = alloc_percpu(union amd_uncore_info);
> + uncore->info = alloc_percpu(union uncore_common_info);
> if (!uncore->info) {
> ret = -ENOMEM;
> goto fail;
This isn't a bug introduced by this patch, but could this error path leave
registered PMUs active with dangling pointers to freed module memory?
If initialization fails later during the setup, such as if
cpuhp_setup_state() fails, the error handling path rolls back the hotplug
states and amd_uncore_cpu_dead() frees the per-CPU context memory.
However, the fail cleanup block doesn't appear to unregister the PMUs
via perf_pmu_unregister() or free the uncore->pmus allocation:
amd_uncore_init() {
...
fail:
for (i = 0; i < UNCORE_TYPE_MAX; i++) {
uncore = &uncores[i];
if (uncore->info) {
free_percpu(uncore->info);
uncore->info = NULL;
}
}
return ret;
}
Since the module initialization fails and the module memory is unloaded,
would any subsequent access to these PMUs from user-space (e.g. via
perf_event_open()) dereference pointers to the unloaded module's functions
like .event_init, .start, and .read, resulting in a use-after-free?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519033225.1479907-1-liuqi@hygon.cn?part=2
next prev parent reply other threads:[~2026-05-19 4:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 3:32 [RFC PATCH 0/3] perf/x86/amd/uncore: Add common helpers and Hygon support Qi Liu
2026-05-19 3:32 ` [RFC PATCH 1/3] perf/x86/amd/uncore: Add common PMU helper functions Qi Liu
2026-05-19 4:07 ` sashiko-bot
2026-05-19 3:32 ` [RFC PATCH 2/3] perf/x86/amd/uncore: Convert AMD driver to common PMU helpers Qi Liu
2026-05-19 4:37 ` sashiko-bot [this message]
2026-05-19 3:32 ` [RFC PATCH 3/3] perf/x86/amd/uncore: Add Hygon uncore PMU support Qi Liu
2026-05-19 5:11 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519043727.3737AC2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=liuqi@hygon.cn \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox