Date: Mon, 5 Feb 2024 18:18:56 +0300
From: Fedor Pchelkin
To: "Liang, Kan"
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, x86@kernel.org, Alexander Antonov, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: Re: [PATCH] perf/x86/uncore: avoid null-ptr-deref on error in pmu_alloc_topology

Hello,

On 24/02/05 10:08AM, Liang, Kan wrote:
>
>
> On 2024-02-04 8:48 a.m., Fedor Pchelkin wrote:
> > If topology[die] array allocation fails then topology[die][idx] elements
> > can't be accessed on error path.
> >
> > Checking this on the error path probably looks more readable than
> > decrementing the counter in the allocation loop.
> >
> > Found by Linux Verification Center (linuxtesting.org).
> >
> > Fixes: 4d13be8ab5d4 ("perf/x86/intel/uncore: Generalize IIO topology support")
> > Signed-off-by: Fedor Pchelkin
> > ---
>
> It seems the code just jumps to the wrong kfree on the error path.
> Does the below patch work?
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c > b/arch/x86/events/intel/uncore_snbep.c > index 8250f0f59c2b..5481fd00d861 100644 > --- a/arch/x86/events/intel/uncore_snbep.c > +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -3808,7 +3808,7 @@ static int pmu_alloc_topology(struct > intel_uncore_type *type, int topology_type) > for (die = 0; die < uncore_max_dies(); die++) { > topology[die] = kcalloc(type->num_boxes, sizeof(**topology), GFP_KERNEL); > if (!topology[die]) > - goto clear; > + goto free_topology; > for (idx = 0; idx < type->num_boxes; idx++) { > topology[die][idx].untyped = kcalloc(type->num_boxes, > topology_size[topology_type], > @@ -3827,6 +3827,7 @@ static int pmu_alloc_topology(struct > intel_uncore_type *type, int topology_type) > kfree(topology[die][idx].untyped); > kfree(topology[die]); > } > +free_topology: > kfree(topology); > err: > return -ENOMEM;
>
> Thanks,
> Kan
>

In this way the already allocated topology[die] elements won't be freed.

--
Fedor
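
Review bot: Sending the `if (!topology[die])` failure in the first hunk to the new `free_topology:` label leaks memory when the allocation fails at die > 0. The label added in the second hunk sits after the closing brace of the block that calls `kfree(topology[die][idx].untyped)` and `kfree(topology[die])`, so only `kfree(topology)` runs and the per-die arrays allocated on earlier iterations of the `for (die = 0; die < uncore_max_dies(); die++)` loop are never released. Keep this failure on a path that still runs the per-die cleanup, and have that cleanup skip the inner `topology[die][idx]` accesses for the die whose `topology[die]` is NULL, which is the dereference the original patch description is about.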