* [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
@ 2024-02-04 13:48 Fedor Pchelkin
2024-02-05 15:08 ` Liang, Kan
2024-12-12 14:35 ` Fedor Pchelkin
0 siblings, 2 replies; 5+ messages in thread
From: Fedor Pchelkin @ 2024-02-04 13:48 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar
Cc: Fedor Pchelkin, Arnaldo Carvalho de Melo, x86, Alexander Antonov,
Kan Liang, linux-perf-users, linux-kernel, lvc-project
If topology[die] array allocation fails then topology[die][idx] elements
can't be accessed on error path.
Checking this on the error path probably looks more readable than
decrementing the counter in the allocation loop.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
arch/x86/events/intel/uncore_snbep.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index a96496bef678..7d4deb9126be 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -3831,9 +3831,11 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type)
return 0;
clear:
for (; die >= 0; die--) {
- for (idx = 0; idx < type->num_boxes; idx++)
- kfree(topology[die][idx].untyped);
- kfree(topology[die]);
+ if (topology[die]) {
+ for (idx = 0; idx < type->num_boxes; idx++)
+ kfree(topology[die][idx].untyped);
+ kfree(topology[die]);
+ }
}
kfree(topology);
err:
--
2.39.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
2024-02-04 13:48 [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology Fedor Pchelkin
@ 2024-02-05 15:08 ` Liang, Kan
2024-02-05 15:18 ` Fedor Pchelkin
2024-12-12 14:35 ` Fedor Pchelkin
1 sibling, 1 reply; 5+ messages in thread
From: Liang, Kan @ 2024-02-05 15:08 UTC (permalink / raw)
To: Fedor Pchelkin, Peter Zijlstra, Ingo Molnar
Cc: Arnaldo Carvalho de Melo, x86, Alexander Antonov,
linux-perf-users, linux-kernel, lvc-project
On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote:
> If topology[die] array allocation fails then topology[die][idx] elements
> can't be accessed on error path.
>
> Checking this on the error path probably looks more readable than
> decrementing the counter in the allocation loop.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> ---
It seems the code just jumps to the wrong kfree on the error path.
Does the below patch work?
diff --git a/arch/x86/events/intel/uncore_snbep.c
b/arch/x86/events/intel/uncore_snbep.c
index 8250f0f59c2b..5481fd00d861 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct
intel_uncore_type *type, int topology_type)
for (die = 0; die < uncore_max_dies(); die++) {
topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL);
if (!topology[die])
- goto clear;
+ goto free_topology;
for (idx = 0; idx < type->num_boxes; idx++) {
topology[die][idx].untyped = kcalloc(type->num_boxes,
topology_size[topology_type],
@@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct
intel_uncore_type *type, int topology_type)
kfree(topology[die][idx].untyped);
kfree(topology[die]);
}
+free_topology:
kfree(topology);
err:
return -ENOMEM;
Thanks,
Kan
> arch/x86/events/intel/uncore_snbep.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
> index a96496bef678..7d4deb9126be 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -3831,9 +3831,11 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type)
> return 0;
> clear:
> for (; die >= 0; die--) {
> - for (idx = 0; idx < type->num_boxes; idx++)
> - kfree(topology[die][idx].untyped);
> - kfree(topology[die]);
> + if (topology[die]) {
> + for (idx = 0; idx < type->num_boxes; idx++)
> + kfree(topology[die][idx].untyped);
> + kfree(topology[die]);
> + }
> }
> kfree(topology);
> err:
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: Re: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
2024-02-05 15:08 ` Liang, Kan
@ 2024-02-05 15:18 ` Fedor Pchelkin
2024-02-05 15:32 ` Liang, Kan
0 siblings, 1 reply; 5+ messages in thread
From: Fedor Pchelkin @ 2024-02-05 15:18 UTC (permalink / raw)
To: Liang, Kan
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, x86,
Alexander Antonov, linux-perf-users, linux-kernel, lvc-project
Hello,
On 24/02/05 10:08AM, Liang, Kan wrote:
>
>
> On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote:
> > If topology[die] array allocation fails then topology[die][idx] elements
> > can't be accessed on error path.
> >
> > Checking this on the error path probably looks more readable than
> > decrementing the counter in the allocation loop.
> >
> > Found by Linux Verification Center (linuxtesting.org).
> >
> > Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
> > Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> > ---
>
> It seems the code just jumps to the wrong kfree on the error path.
> Does the below patch work?
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c
> b/arch/x86/events/intel/uncore_snbep.c
> index 8250f0f59c2b..5481fd00d861 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct
> intel_uncore_type *type, int topology_type)
> for (die = 0; die < uncore_max_dies(); die++) {
> topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL);
> if (!topology[die])
> - goto clear;
> + goto free_topology;
> for (idx = 0; idx < type->num_boxes; idx++) {
> topology[die][idx].untyped = kcalloc(type->num_boxes,
> topology_size[topology_type],
> @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct
> intel_uncore_type *type, int topology_type)
> kfree(topology[die][idx].untyped);
> kfree(topology[die]);
> }
> +free_topology:
> kfree(topology);
> err:
> return -ENOMEM;
>
> Thanks,
> Kan
>
In this way the already allocated topology[die] elements won't be freed.
--
Fedor
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
2024-02-05 15:18 ` Fedor Pchelkin
@ 2024-02-05 15:32 ` Liang, Kan
0 siblings, 0 replies; 5+ messages in thread
From: Liang, Kan @ 2024-02-05 15:32 UTC (permalink / raw)
To: Fedor Pchelkin
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, x86,
Alexander Antonov, linux-perf-users, linux-kernel, lvc-project
On 2024-02-05 10:18 a.m., Fedor Pchelkin wrote:
> Hello,
>
> On 24/02/05 10:08AM, Liang, Kan wrote:
>>
>>
>> On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote:
>>> If topology[die] array allocation fails then topology[die][idx] elements
>>> can't be accessed on error path.
>>>
>>> Checking this on the error path probably looks more readable than
>>> decrementing the counter in the allocation loop.
>>>
>>> Found by Linux Verification Center (linuxtesting.org).
>>>
>>> Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
>>> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
>>> ---
>>
>> It seems the code just jumps to the wrong kfree on the error path.
>> Does the below patch work?
>>
>> diff --git a/arch/x86/events/intel/uncore_snbep.c
>> b/arch/x86/events/intel/uncore_snbep.c
>> index 8250f0f59c2b..5481fd00d861 100644
>> --- a/arch/x86/events/intel/uncore_snbep.c
>> +++ b/arch/x86/events/intel/uncore_snbep.c
>> @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct
>> intel_uncore_type *type, int topology_type)
>> for (die = 0; die < uncore_max_dies(); die++) {
>> topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL);
>> if (!topology[die])
>> - goto clear;
>> + goto free_topology;
>> for (idx = 0; idx < type->num_boxes; idx++) {
>> topology[die][idx].untyped = kcalloc(type->num_boxes,
>> topology_size[topology_type],
>> @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct
>> intel_uncore_type *type, int topology_type)
>> kfree(topology[die][idx].untyped);
>> kfree(topology[die]);
>> }
>> +free_topology:
>> kfree(topology);
>> err:
>> return -ENOMEM;
>>
>> Thanks,
>> Kan
>>
>
> In this way the already allocated topology[die] elements won't be freed.
>
Ah, right. The patch looks good to me.
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Thanks,
Kan
> --
> Fedor
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
2024-02-04 13:48 [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology Fedor Pchelkin
2024-02-05 15:08 ` Liang, Kan
@ 2024-12-12 14:35 ` Fedor Pchelkin
1 sibling, 0 replies; 5+ messages in thread
From: Fedor Pchelkin @ 2024-12-12 14:35 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar
Cc: Arnaldo Carvalho de Melo, x86, Alexander Antonov, Kan Liang,
linux-perf-users, linux-kernel, lvc-project
On Sun, 04. Feb 16:48, Fedor Pchelkin wrote:
> If topology[die] array allocation fails then topology[die][idx] elements
> can't be accessed on error path.
>
> Checking this on the error path probably looks more readable than
> decrementing the counter in the allocation loop.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Hi,
ping as the patch seems to have been missed. FWIW, it's still applicable to
the mainline.
--
Thanks,
Fedor
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-12-12 14:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-04 13:48 [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology Fedor Pchelkin
2024-02-05 15:08 ` Liang, Kan
2024-02-05 15:18 ` Fedor Pchelkin
2024-02-05 15:32 ` Liang, Kan
2024-12-12 14:35 ` Fedor Pchelkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).