Linux Perf Users
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Atish Patra" <atish.patra@linux.dev>
Cc: robh@kernel.org, linux-perf-users@vger.kernel.org,
	devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v8 01/22] RISC-V: perf: fix resource cleanup on driver probe failure
Date: Wed, 01 Jul 2026 09:11:57 +0000	[thread overview]
Message-ID: <20260701091157.B36DE1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260701-counter_delegation-v8-1-7909f863a645@meta.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] Preexisting race condition and ignored -EBUSY return from perf_pmu_unregister() leads to UAF if events are active during probe failure.
- [High] The global bitmask `cmask` is modified during device probe but not cleared on error paths, leading to a guaranteed NULL pointer dereference in exported functions.
- [High] The static key `sbi_pmu_snapshot_available` is never disabled on probe failure, leading to a potential NULL pointer dereference.
--

commit 4312c8eb8c51217703e557d54647da346fae9bf0
Author: Atish Patra <atishp@meta.com>
Subject: RISC-V: perf: fix resource cleanup on driver probe failure

This commit reorganizes the error handling paths in pmu_sbi_device_probe()
to properly free registered PMUs, per-cpu IRQs, the pmu_ctr_list, and
CPU hotplug states if the probe fails.

> diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c
> index 385af5e6e6d0d..5c8924ce1f387 100644
> --- a/drivers/perf/riscv_pmu_sbi.c
> +++ b/drivers/perf/riscv_pmu_sbi.c
[ ... ]
> @@ -1515,9 +1525,20 @@ static int pmu_sbi_device_probe(struct platform_device *pdev)
>  	return 0;
>  
>  out_unregister:
> +	perf_pmu_unregister(&pmu->pmu);
> +

[Severity: High]
This isn't a bug introduced by this patch, but does this error path ignore a
potential -EBUSY return from perf_pmu_unregister()?

If perf_pmu_register() previously succeeded, an unprivileged user might race
to open an event on it. If a subsequent initialization step fails and triggers
this cleanup path, perf_pmu_unregister() can return -EBUSY and fail to remove
the PMU from the core structures.

Since the return value is ignored, the code will proceed to call kfree(pmu)
below. Can this leave a dangling pointer in the perf subsystem and result in a
use-after-free if those events are still active?

> +out_destroy:
>  	riscv_pmu_destroy(pmu);
> +	if (irq_requested) {
> +		free_percpu_irq(riscv_pmu_irq, pmu->hw_events);
> +		irq_dispose_mapping(riscv_pmu_irq);
> +		riscv_pmu_irq = 0;
> +	}
>  
>  out_free:
> +	free_percpu(pmu->hw_events);
> +	kfree(pmu_ctr_list);
> +	pmu_ctr_list = NULL;

[Severity: High]
This is a pre-existing issue, but does this error path leave the global cmask
variable set when pmu_ctr_list is freed?

During probe, pmu_sbi_get_ctrinfo() populates the global cmask. If the probe
fails and we take this error path, pmu_ctr_list is freed and set to NULL,
but cmask is never cleared.

If a subsequent call to the exported function riscv_pmu_get_hpm_info()
occurs (e.g., triggered by KVM vCPU initialization), could it bypass the
safety check because cmask is non-zero, and dereference the NULL pointer?

drivers/perf/riscv_pmu_sbi.c:riscv_pmu_get_hpm_info() {
    ...
    for_each_set_bit(i, &cmask, RISCV_MAX_COUNTERS) {
        info = &pmu_ctr_list[i];
        if (!info)
            continue;
    ...
}


[Severity: High]
This is also a pre-existing issue, but does this error path need to disable
the sbi_pmu_snapshot_available static key?

Earlier in pmu_sbi_device_probe(), the static key is enabled:

drivers/perf/riscv_pmu_sbi.c:pmu_sbi_device_probe() {
    ...
    static_branch_enable(&sbi_pmu_snapshot_available);
    ...
}

If a subsequent step fails, the probe aborts and frees the snapshot memory,
but the static key remains enabled. If the driver is re-probed and setup
fails on the retry, the probe might continue successfully without snapshot
memory. Could this leave the static key true, causing functions like
pmu_sbi_ctr_read() to dereference a NULL snapshot_addr?

drivers/perf/riscv_pmu_sbi.c:pmu_sbi_ctr_read() {
    ...
    struct riscv_pmu_snapshot_data *sdata = cpu_hw_evt->snapshot_addr;
    ...
    if (sbi_pmu_snapshot_available() && (hwc->state & PERF_HES_STOPPED)) {
        val = sdata->ctr_values[idx];
    ...
}

>  	kfree(pmu);
>  	return ret;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-counter_delegation-v8-0-7909f863a645@meta.com?part=1

  reply	other threads:[~2026-07-01  9:11 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  8:46 [PATCH v8 00/22] Add Counter delegation ISA extension support Atish Patra
2026-07-01  8:46 ` [PATCH v8 01/22] RISC-V: perf: fix resource cleanup on driver probe failure Atish Patra
2026-07-01  9:11   ` sashiko-bot [this message]
2026-07-01  8:46 ` [PATCH v8 02/22] RISC-V: Add Sxcsrind ISA extension CSR definitions Atish Patra
2026-07-01  8:46 ` [PATCH v8 03/22] RISC-V: Add Sxcsrind ISA extension definition and parsing Atish Patra
2026-07-01  8:46 ` [PATCH v8 04/22] dt-bindings: riscv: add Sxcsrind ISA extension description Atish Patra
2026-07-01  8:46 ` [PATCH v8 05/22] RISC-V: Define indirect CSR access helpers Atish Patra
2026-07-01  8:46 ` [PATCH v8 06/22] RISC-V: Add Smcntrpmf extension parsing Atish Patra
2026-07-01  8:46 ` [PATCH v8 07/22] dt-bindings: riscv: add Smcntrpmf ISA extension description Atish Patra
2026-07-01  8:46 ` [PATCH v8 08/22] RISC-V: Add Sscfg extension CSR definition Atish Patra
2026-07-01  8:46 ` [PATCH v8 09/22] RISC-V: Add Ssccfg/Smcdeleg ISA extension definition and parsing Atish Patra
2026-07-01  9:11   ` sashiko-bot
2026-07-01  8:46 ` [PATCH v8 10/22] dt-bindings: riscv: add Counter delegation ISA extensions description Atish Patra
2026-07-01  8:46 ` [PATCH v8 11/22] RISC-V: perf: Restructure the SBI PMU code Atish Patra
2026-07-01  8:47 ` [PATCH v8 12/22] RISC-V: perf: Modify the counter discovery mechanism Atish Patra
2026-07-01  9:20   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 13/22] RISC-V: perf: Add a mechanism to defined legacy event encoding Atish Patra
2026-07-01  9:19   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 14/22] RISC-V: perf: Implement supervisor counter delegation support Atish Patra
2026-07-01  9:27   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 15/22] RISC-V: perf: Skip PMU SBI extension when not implemented Atish Patra
2026-07-01  9:26   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 16/22] RISC-V: perf: Use config2/vendor table for event to counter mapping Atish Patra
2026-07-01  9:35   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 17/22] RISC-V: perf: Add legacy event encodings via sysfs Atish Patra
2026-07-01  8:47 ` [PATCH v8 18/22] RISC-V: perf: Add Qemu virt machine events Atish Patra
2026-07-01  8:47 ` [PATCH v8 19/22] tools/perf: Support event code for arch standard events Atish Patra
2026-07-01 17:44   ` Ian Rogers
2026-07-01  8:47 ` [PATCH v8 20/22] tools/perf: Add RISC-V CounterIDMask event field Atish Patra
2026-07-01 17:44   ` Ian Rogers
2026-07-01  8:47 ` [PATCH v8 21/22] TEST(do-not-upstream): fake qemu-virt PMU events for cdeleg counter-mask testing Atish Patra
2026-07-01  9:38   ` sashiko-bot
2026-07-01  8:47 ` [PATCH v8 22/22] TEST(do-not-upstream): fake qemu vendor JSON + mapfile entry for CounterIDMask path Atish Patra
2026-07-01  9:34   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701091157.B36DE1F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atish.patra@linux.dev \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox