| Message ID | 20240204134841.80003-1-pchelkin@ispras.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:168b:b0:106:860b:bbdd with SMTP id
ma11csp359623dyb;
Sun, 4 Feb 2024 05:49:32 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHUK/0hoTaFtoQt3wsKEzVNExmU8/7oFUE5j/HlP1IW48jYsHcs43oFGwA9Tk4NBu/ThwBN
X-Received: by 2002:a0c:f2c5:0:b0:68c:5e33:dc9 with SMTP id
c5-20020a0cf2c5000000b0068c5e330dc9mr4177345qvm.34.1707054571924;
Sun, 04 Feb 2024 05:49:31 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707054571; cv=pass;
d=google.com; s=arc-20160816;
b=eByoW4aGTibdlGlyQK18Krgn1Q2CXDD9JsA5KnO6EvGV55fvpbkoDbq3kfC1+dO8Iu
UhV/l4tLjXDLft3U/79KrdJfemmORyswGfYV00PyUDQtejkD4zTV9vOqAGKIgAuRyuux
5GNnEIygEgDqE8TNfQs1RUs9nEWQ325S4FzTj64cYLK7YLeOhvByhg1pBR8gt4prVJU9
DRewu3xT3NZVOYR14Gj0abOD+I5ZuWyJBT0OtKRlq0ND9WXQ/EuO6NfYm+V56FYVF5mJ
ebP1JMEseI0nY9XUDLCR86+VEYQRa8bsBbw3+OM+ZXQI12Dz6eY7hA/IZP+zAg2EgFlA
umuQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from:dkim-signature:dkim-filter;
bh=TRbuuNKODNr0ZF9osYOg1TOt2Lw0Gxq1svVXRYqAlxE=;
fh=wYyXjehr7Glbf341eSPUEhyIN682EPNRatocyWA2OeY=;
b=G8n4rWC2j6f6PM3kuBGUHfKpqkk8rY8DD66RPKsqNPy+aw0wQpeqqxqYGed34T/xnX
46+f0Pxjs/P4Z3JcaHfP9QOYNqnWsYpkG6IFq3GxSaymY+W343XSOr0JSJXgB7u5ul3f
FyxI/EjwNk+Kjg+lOR3+sEA8LpiIuojwbg85ArZeF07MGrwm1cyB8gxGmzfMYCJNnxxD
eHmua5WqhgM8KpOVUPF+Q+Jh7Bjr8yaM7Qi7bDxNlZyPog9/92zmrVuhnFhNw/pk6nHI
+nWzTT4FFvV8zEhhIfDYGbUOFMT1x2chldc2K79aIdMALFzQ0CLo+8TU+9K0EL1MizYv
Durw==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@ispras.ru header.s=default header.b=MH57cDeK;
arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru
dmarc=pass fromdomain=ispras.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
X-Forwarded-Encrypted: i=1;
AJvYcCXv3YtvPyo+ZODWOogU97cBWC5cHFtP7YAzO8HaDU+O9wD2dkuBkvSG0Jj8CL//yeJcEr1vNt+KzjLK2U24ZCX2YmBa6g==
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
n10-20020a0cfbca000000b0068c48fd444fsi6426359qvp.558.2024.02.04.05.49.31
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 04 Feb 2024 05:49:31 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@ispras.ru header.s=default header.b=MH57cDeK;
arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru
dmarc=pass fromdomain=ispras.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-51680-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id A0DAE1C213E1
for <ouuuleilei@gmail.com>; Sun, 4 Feb 2024 13:49:31 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 19EF9225D6;
Sun, 4 Feb 2024 13:49:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru
header.b="MH57cDeK"
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41089224D5;
Sun, 4 Feb 2024 13:49:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=83.149.199.84
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1707054552; cv=none;
b=ox8qRW0sU9aR+0v8s1S+R7U559YpLhexqPuk3dY4EpcjwE5Ca2PHQwuJwV1cABKc923LjwSH7bOSRPQaUJUZH6XkWU7U+lfqNSqh4tjui02Rf/4K+3cBJhh3qhzxQ1VPSNM+J3Oa9bCEeFen7B6cOlo04+g8FU1X5RaxztOhfiM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1707054552; c=relaxed/simple;
bh=PBAj8pYVayUNKv2kDcL/faNAsbTdiZimmpd85dfB2ZI=;
h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
b=MPyXq2lO+4CcYCL0dKC5PTBWq/VKrZ/J26pcRyXiz2VtBVr2H1kB6ZWvQqGSBkjogdZwTDKUl5TQ4KBGrshjJyZWWZMolc0af7ZLWC+czco4ien8t/pc5yQrHTPyNvpyGujX4qZ3GzvGqiqxZDMw4yxzJv297BbhSz+jtfO3WLg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=ispras.ru;
spf=pass smtp.mailfrom=ispras.ru;
dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru
header.b=MH57cDeK; arc=none smtp.client-ip=83.149.199.84
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=ispras.ru
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=ispras.ru
Received: from fpc.intra.ispras.ru (unknown [10.10.165.4])
by mail.ispras.ru (Postfix) with ESMTPSA id 5DE6C40F1DC7;
Sun, 4 Feb 2024 13:49:06 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 5DE6C40F1DC7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
s=default; t=1707054546;
bh=TRbuuNKODNr0ZF9osYOg1TOt2Lw0Gxq1svVXRYqAlxE=;
h=From:To:Cc:Subject:Date:From;
b=MH57cDeKZyKtqOiF4JcYFV5LKdyE1Xj8W3l2U6ibIoBbwLR0r8StuM88Vg/CGKo60
I5Rrb/lnpkvbvnwOvlnpm54OApiu7w4CHwWr8Tk7nC7jtS5hyWPTjmqUrlgMEyJr1g
2/tPQDc+0doFPjNAgd3QYbKFXuVruhkEpKshEZX4=
From: Fedor Pchelkin <pchelkin@ispras.ru>
To: Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>
Cc: Fedor Pchelkin <pchelkin@ispras.ru>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
x86@kernel.org,
Alexander Antonov <alexander.antonov@linux.intel.com>,
Kan Liang <kan.liang@linux.intel.com>,
linux-perf-users@vger.kernel.org,
linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in
pmu_alloc_topology
Date: Sun, 4 Feb 2024 16:48:41 +0300
Message-Id: <20240204134841.80003-1-pchelkin@ispras.ru>
X-Mailer: git-send-email 2.39.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789976454772121701
X-GMAIL-MSGID: 1789976454772121701
|
| Series |
perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology
|
|
Commit Message
Fedor Pchelkin
Feb. 4, 2024, 1:48 p.m. UTC
If topology[die] array allocation fails then topology[die][idx] elements
can't be accessed on error path.
Checking this on the error path probably looks more readable than
decrementing the counter in the allocation loop.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
arch/x86/events/intel/uncore_snbep.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Comments
On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote: > If topology[die] array allocation fails then topology[die][idx] elements > can't be accessed on error path. > > Checking this on the error path probably looks more readable than > decrementing the counter in the allocation loop. > > Found by Linux Verification Center (linuxtesting.org). > > Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support") > Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> > --- It seems the code just jumps to the wrong kfree on the error path. Does the below patch work? diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c index 8250f0f59c2b..5481fd00d861 100644 --- a/arch/x86/events/intel/uncore_snbep.c +++ b/arch/x86/events/intel/uncore_snbep.c @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type) for (die = 0; die < uncore_max_dies(); die++) { topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL); if (!topology[die]) - goto clear; + goto free_topology; for (idx = 0; idx < type->num_boxes; idx++) { topology[die][idx].untyped = kcalloc(type->num_boxes, topology_size[topology_type], @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type) kfree(topology[die][idx].untyped); kfree(topology[die]); } +free_topology: kfree(topology); err: return -ENOMEM; Thanks, Kan > arch/x86/events/intel/uncore_snbep.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c > index a96496bef678..7d4deb9126be 100644 > --- a/arch/x86/events/intel/uncore_snbep.c > +++ b/arch/x86/events/intel/uncore_snbep.c > @@ -3831,9 +3831,11 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type) > return 0; > clear: > for (; die >= 0; die--) { > - for (idx = 0; idx < type->num_boxes; idx++) > - kfree(topology[die][idx].untyped); > - kfree(topology[die]); > + if (topology[die]) { > + for (idx = 0; idx < type->num_boxes; idx++) > + kfree(topology[die][idx].untyped); > + kfree(topology[die]); > + } > } > kfree(topology); > err:
Hello, On 24/02/05 10:08AM, Liang, Kan wrote: > > > On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote: > > If topology[die] array allocation fails then topology[die][idx] elements > > can't be accessed on error path. > > > > Checking this on the error path probably looks more readable than > > decrementing the counter in the allocation loop. > > > > Found by Linux Verification Center (linuxtesting.org). > > > > Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support") > > Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> > > --- > > It seems the code just jumps to the wrong kfree on the error path. > Does the below patch work? > > diff --git a/arch/x86/events/intel/uncore_snbep.c > b/arch/x86/events/intel/uncore_snbep.c > index 8250f0f59c2b..5481fd00d861 100644 > --- a/arch/x86/events/intel/uncore_snbep.c > +++ b/arch/x86/events/intel/uncore_snbep.c > @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct > intel_uncore_type *type, int topology_type) > for (die = 0; die < uncore_max_dies(); die++) { > topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL); > if (!topology[die]) > - goto clear; > + goto free_topology; > for (idx = 0; idx < type->num_boxes; idx++) { > topology[die][idx].untyped = kcalloc(type->num_boxes, > topology_size[topology_type], > @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct > intel_uncore_type *type, int topology_type) > kfree(topology[die][idx].untyped); > kfree(topology[die]); > } > +free_topology: > kfree(topology); > err: > return -ENOMEM; > > Thanks, > Kan > In this way the already allocated topology[die] elements won't be freed. -- Fedor
On 2024-02-05 10:18 a.m., Fedor Pchelkin wrote: > Hello, > > On 24/02/05 10:08AM, Liang, Kan wrote: >> >> >> On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote: >>> If topology[die] array allocation fails then topology[die][idx] elements >>> can't be accessed on error path. >>> >>> Checking this on the error path probably looks more readable than >>> decrementing the counter in the allocation loop. >>> >>> Found by Linux Verification Center (linuxtesting.org). >>> >>> Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support") >>> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> >>> --- >> >> It seems the code just jumps to the wrong kfree on the error path. >> Does the below patch work? >> >> diff --git a/arch/x86/events/intel/uncore_snbep.c >> b/arch/x86/events/intel/uncore_snbep.c >> index 8250f0f59c2b..5481fd00d861 100644 >> --- a/arch/x86/events/intel/uncore_snbep.c >> +++ b/arch/x86/events/intel/uncore_snbep.c >> @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct >> intel_uncore_type *type, int topology_type) >> for (die = 0; die < uncore_max_dies(); die++) { >> topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL); >> if (!topology[die]) >> - goto clear; >> + goto free_topology; >> for (idx = 0; idx < type->num_boxes; idx++) { >> topology[die][idx].untyped = kcalloc(type->num_boxes, >> topology_size[topology_type], >> @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct >> intel_uncore_type *type, int topology_type) >> kfree(topology[die][idx].untyped); >> kfree(topology[die]); >> } >> +free_topology: >> kfree(topology); >> err: >> return -ENOMEM; >> >> Thanks, >> Kan >> > > In this way the already allocated topology[die] elements won't be freed. > Ah, right. The patch looks good to me. Reviewed-by: Kan Liang <kan.liang@linux.intel.com> Thanks, Kan > -- > Fedor >
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c index a96496bef678..7d4deb9126be 100644 --- a/arch/x86/events/intel/uncore_snbep.c +++ b/arch/x86/events/intel/uncore_snbep.c @@ -3831,9 +3831,11 @@ static int pmu_alloc_topology(struct intel_uncore_type *type, int topology_type) return 0; clear: for (; die >= 0; die--) { - for (idx = 0; idx < type->num_boxes; idx++) - kfree(topology[die][idx].untyped); - kfree(topology[die]); + if (topology[die]) { + for (idx = 0; idx < type->num_boxes; idx++) + kfree(topology[die][idx].untyped); + kfree(topology[die]); + } } kfree(topology); err: