Received: by 2002:a05:7412:b130:b0:e2:908c:2ebd with SMTP id az48csp2524217rdb; Mon, 20 Nov 2023 13:22:27 -0800 (PST) X-Google-Smtp-Source: AGHT+IF8Hj9bTQlHEdho2U0IvyqS35JTp5SNmRTknBUXjYbHpemfMGWgtj8hsX6eTRLbGYmDGdU4 X-Received: by 2002:a17:90b:3807:b0:285:34a5:1889 with SMTP id mq7-20020a17090b380700b0028534a51889mr2206897pjb.15.1700515346828; Mon, 20 Nov 2023 13:22:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700515346; cv=none; d=google.com; s=arc-20160816; b=gqLK4+mzPfQ8c6DFsQsG3yj73quZI5AhYw3PTrlEfyG4rnm0/N860eLUPFZghGt9rd NbKbsHC+jVqOjgghq+kDYhibEvdGZz7DDYK0rTJftahhE/LgvIXBaarW6U3fTBFMltmq mx+M9e09vBABojQThxg9rQ8qkfIF2k2SfszXTd4HsKHBi+BxjGGq8EZS3hI36GHMNwqK JZfylAhvnM5923/DA5HxLckrQgGXK1agbu/nhLNws1DNcUWASs32FtPBDlQJTbp8tpi6 It41yKz8Ox0lml1Xf7GAqCXAy4gagAO1yGo2SYR7Z0giDnzzMHMUNq6nnErTIVelid9I Ex5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=GasRjn14TqxNjLg/enw2jExJw6Xcf8DwZ25l7w/N+LE=; fh=EvKn6y4UvaSDKBMb4qepDuTEpoPRVduOv0bXOHA8jF0=; b=a/rAXS0RgsxHdU2usAPVGV8R4NnLKPLQo2ZENCy+bppATBbskualVPqTFg5P5C3p3P ATAFuBf1QeITBO5jsmkvSAerG0b2al7ybPGGVPZ0K8AmlMoDg8VdoDH+HCRYxs8pChg8 lXSvUzUmKDT4RPNtkw+HVqg0bsVPMFAQRgkUPq4Rt87XjirkRLvedxVs3Rxg+L2//aDo jyWneeANzNB7j0iIUj3I/OFO/l8OjAZtODiyQeChIjTn3xxdXV2H/TCrK8++Q+mFwItm QWvrb0krSACXJJnttqlvqaekSB2mBn+vK8gJhfne9PiR5ea4gyw7Z3EIRgMyjjCFJWun 8fjA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=iJ0gN0oW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id lk4-20020a17090b33c400b00277453e82fesi9421751pjb.87.2023.11.20.13.22.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Nov 2023 13:22:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=iJ0gN0oW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id B629680752AB; Mon, 20 Nov 2023 13:22:23 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229637AbjKTVWQ (ORCPT + 99 others); Mon, 20 Nov 2023 16:22:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232453AbjKTVWH (ORCPT ); Mon, 20 Nov 2023 16:22:07 -0500 Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.115]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6641E1AA for ; Mon, 20 Nov 2023 13:22:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1700515322; x=1732051322; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=j8B1ITWEeAkXv6+ECAk3eA35WeV+XBuBQ2iHt/ZPIRE=; b=iJ0gN0oWB9eydN3czY0ij9jfkKK8/z7zo4nciTqWHVR5zXGBIPqW9SlE o27c/4Q2pOpfONftDF6jEovVaoxMLWx/U4xcy5F4sbvCGMJhgAfpUhBwY 7uLjGxuWoZI02xbkjQp7G90AS6kJFAw2gBmVU0laKL6USmLhFr/2hdZvh HhXz2HQSwp46DjPqiihswQEqhWdYS6TzZXO93KPu1gdKiq3qR80RpIDmw o7QVezJsH327GPODA+2IWZ3pFC6+MvK21QyPYNqMXM9aSKDTpK/bf/v// DVltEKHHaKC7VMk7DQmvj7vx6hIsvb22j0k5V2fDT8D50KFjFLxmA1/jJ Q==; X-IronPort-AV: E=McAfee;i="6600,9927,10900"; a="391488628" X-IronPort-AV: E=Sophos;i="6.04,214,1695711600"; d="scan'208";a="391488628" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Nov 2023 13:22:02 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10900"; a="832403594" X-IronPort-AV: E=Sophos;i="6.04,214,1695711600"; d="scan'208";a="832403594" Received: from linux.intel.com ([10.54.29.200]) by fmsmga008.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Nov 2023 13:22:01 -0800 Received: from [10.213.161.18] (kliang2-mobl1.ccr.corp.intel.com [10.213.161.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by linux.intel.com (Postfix) with ESMTPS id 183AC580D93; Mon, 20 Nov 2023 13:22:00 -0800 (PST) Message-ID: <7caf86b8-f050-4d0f-8aba-e2d725a0ab64@linux.intel.com> Date: Mon, 20 Nov 2023 16:21:59 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Content-Language: en-US To: Alexander Antonov , peterz@infradead.org, linux-kernel@vger.kernel.org Cc: kyle.meyer@hpe.com, alexey.v.bayduraev@linux.intel.com References: <20231115151327.1874060-1-alexander.antonov@linux.intel.com> <50ce6fce-c2fc-4392-b405-5c9a7a93f061@linux.intel.com> From: "Liang, Kan" In-Reply-To: <50ce6fce-c2fc-4392-b405-5c9a7a93f061@linux.intel.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 20 Nov 2023 13:22:23 -0800 (PST) On 2023-11-20 2:49 p.m., Alexander Antonov wrote: > > On 11/15/2023 8:00 PM, Liang, Kan wrote: >> >> On 2023-11-15 10:13 a.m., alexander.antonov@linux.intel.com wrote: >>> From: Alexander Antonov >>> >>> The NULL dereference happens inside upi_fill_topology() procedure in >>> case of disabling one of the sockets on the system. >>> >>> For example, if you disable the 2nd socket on a 4-socket system then >>> uncore_max_dies() returns 3 and inside pmu_alloc_topology() memory will >>> be allocated only for 3 sockets and stored in type->topology. >>> In discover_upi_topology() memory is accessed by socket id from >>> CPUNODEID >>> registers which contain physical ids (from 0 to 3) and on the line: >>> >>>      upi = &type->topology[nid][idx]; >>> >>> out-of-bound access will happen and the 'upi' pointer will be passed to >>> upi_fill_topology() where it will be dereferenced. >>> >>> To avoid this issue update the code to convert physical socket id to >>> logical socket id in discover_upi_topology() before accessing memory. >>> >>> Fixes: f680b6e6062e ("perf/x86/intel/uncore: Enable UPI topology >>> discovery for Icelake Server") >>> Reported-by: Kyle Meyer >>> Tested-by: Kyle Meyer >>> Signed-off-by: Alexander Antonov >>> --- >>>   arch/x86/events/intel/uncore_snbep.c | 10 ++++++++-- >>>   1 file changed, 8 insertions(+), 2 deletions(-) >>> >>> diff --git a/arch/x86/events/intel/uncore_snbep.c >>> b/arch/x86/events/intel/uncore_snbep.c >>> index 8250f0f59c2b..49bc27ab26ad 100644 >>> --- a/arch/x86/events/intel/uncore_snbep.c >>> +++ b/arch/x86/events/intel/uncore_snbep.c >>> @@ -5596,7 +5596,7 @@ static int discover_upi_topology(struct >>> intel_uncore_type *type, int ubox_did, i >>>       struct pci_dev *ubox = NULL; >>>       struct pci_dev *dev = NULL; >>>       u32 nid, gid; >>> -    int i, idx, ret = -EPERM; >>> +    int i, idx, lgc_pkg, ret = -EPERM; >>>       struct intel_uncore_topology *upi; >>>       unsigned int devfn; >>>   @@ -5614,8 +5614,13 @@ static int discover_upi_topology(struct >>> intel_uncore_type *type, int ubox_did, i >>>           for (i = 0; i < 8; i++) { >>>               if (nid != GIDNIDMAP(gid, i)) >>>                   continue; >>> +            lgc_pkg = topology_phys_to_logical_pkg(i); >>> +            if (lgc_pkg < 0) { >>> +                ret = -EPERM; >>> +                goto err; >>> +            } >> In the snbep_pci2phy_map_init(), there are similar codes to find the >> logical die id. Can we factor a common function for both of them? >> >> Thanks, >> Kan > Hi Kan, > > Thank you for your comment. > Yes, I think we can factor out the common loop where GIDNIDMAP is being > checked. > But inside snbep_pci2phy_map_init() we have a bit different procedure which > also does the following: > > if (topology_max_die_per_package() > 1) >     die_id = i; > > I think that having this code, at least, in our case could bring us to the > same issue which we are trying to fix. But of course we could > parametrize this checking. The topology_max_die_per_package() > 1 means there are more that 1 die in a socket. AFAIK, it only happens on the Cascade Lake AP. Did you observe it in the ICX? Thanks, Kan > > What do you think? > > Thanks, > Alexander >> >>>               for (idx = 0; idx < type->num_boxes; idx++) { >>> -                upi = &type->topology[nid][idx]; >>> +                upi = &type->topology[lgc_pkg][idx]; >>>                   devfn = PCI_DEVFN(dev_link0 + idx, >>> ICX_UPI_REGS_ADDR_FUNCTION); >>>                   dev = >>> pci_get_domain_bus_and_slot(pci_domain_nr(ubox->bus), >>>                                     ubox->bus->number, >>> @@ -5626,6 +5631,7 @@ static int discover_upi_topology(struct >>> intel_uncore_type *type, int ubox_did, i >>>                           goto err; >>>                   } >>>               } >>> +            break; >>>           } >>>       } >>>   err: >>> >>> base-commit: 9bacdd8996c77c42ca004440be610692275ff9d0