arch/x86/events/intel/uncore_discovery.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
If domain->global_init() fails in __parse_discovery_table(), the
mapped MMIO region is not released before returning, resulting in
an iounmap() leak.
Reported-by: kernel test robot <lkp@intel.com>
Fixes: b575fc0e3357 ("perf/x86/intel/uncore: Add domain global init callback")
Signed-off-by: Zide Chen <zide.chen@intel.com>
---
arch/x86/events/intel/uncore_discovery.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
index 0e414cecb6f2..f64661ad56b2 100644
--- a/arch/x86/events/intel/uncore_discovery.c
+++ b/arch/x86/events/intel/uncore_discovery.c
@@ -286,8 +286,10 @@ static int __parse_discovery_table(struct uncore_discovery_domain *domain,
if (!io_addr)
return -ENOMEM;
- if (domain->global_init && domain->global_init(global.ctl))
+ if (domain->global_init && domain->global_init(global.ctl)) {
+ iounmap(io_addr);
return -ENODEV;
+ }
/* Parsing Unit Discovery State */
for (i = 0; i < global.max_units; i++) {
--
2.52.0> If domain->global_init() fails in __parse_discovery_table(), the > mapped MMIO region is not released before returning, resulting in > an iounmap() leak. How do you think about to avoid a bit of duplicate source code here? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.19-rc5#n526 See also once more: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n94 Regards, Markus
On 1/13/2026 8:21 AM, Markus Elfring wrote:
>> If domain->global_init() fails in __parse_discovery_table(), the
>> mapped MMIO region is not released before returning, resulting in
>> an iounmap() leak.
>
> How do you think about to avoid a bit of duplicate source code here?
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.19-rc5#n526
>
Thank you for the suggestion!
Yes, I agree this is better. In V1 I followed the existing style in this
API.
I will post a v2 with this change:
@@ -264,6 +264,7 @@ static int __parse_discovery_table(struct
uncore_discovery_domain *domain,
struct uncore_unit_discovery unit;
void __iomem *io_addr;
unsigned long size;
+ int ret = 0;
int i;
size = UNCORE_DISCOVERY_GLOBAL_MAP_SIZE;
@@ -273,21 +274,23 @@ static int __parse_discovery_table(struct
uncore_discovery_domain *domain,
/* Read Global Discovery State */
memcpy_fromio(&global, io_addr, sizeof(struct
uncore_global_discovery));
+ iounmap(io_addr);
+
if (uncore_discovery_invalid_unit(global)) {
pr_info("Invalid Global Discovery State: 0x%llx 0x%llx
0x%llx\n",
global.table1, global.ctl, global.table3);
- iounmap(io_addr);
return -EINVAL;
}
- iounmap(io_addr);
size = (1 + global.max_units) * global.stride * 8;
io_addr = ioremap(addr, size);
if (!io_addr)
return -ENOMEM;
- if (domain->global_init && domain->global_init(global.ctl))
- return -ENODEV;
+ if (domain->global_init && domain->global_init(global.ctl)) {
+ ret = -ENODEV;
+ goto out;
+ }
/* Parsing Unit Discovery State */
for (i = 0; i < global.max_units; i++) {
@@ -307,8 +310,10 @@ static int __parse_discovery_table(struct
uncore_discovery_domain *domain,
}
*parsed = true;
+
+out:
iounmap(io_addr);
- return 0;
+ return ret;
}
static int parse_discovery_table(struct uncore_discovery_domain
> See also once more:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n94
Are you suggesting that I add a Closes tag?
This issue was reported by Intel internal LKP, and there is no public
URL available.
> Regards,
> Markus
>>> If domain->global_init() fails in __parse_discovery_table(), the
>>> mapped MMIO region is not released before returning, resulting in
>>> an iounmap() leak.
>>
>> How do you think about to avoid a bit of duplicate source code here?
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.19-rc5#n526
>
> Thank you for the suggestion!
>
> Yes, I agree this is better.
Thanks for this positive feedback.
> In V1 I followed the existing style in this API.
This variant might be nicer for backporting.
> I will post a v2 with this change:
>
> @@ -264,6 +264,7 @@ static int __parse_discovery_table(struct
> uncore_discovery_domain *domain,
> struct uncore_unit_discovery unit;
> void __iomem *io_addr;
> unsigned long size;
> + int ret = 0;
> int i;
Would scope adjustments become helpful for any of these local vartiables?
> size = UNCORE_DISCOVERY_GLOBAL_MAP_SIZE;
> @@ -273,21 +274,23 @@ static int __parse_discovery_table(struct
…
> - if (domain->global_init && domain->global_init(global.ctl))
> - return -ENODEV;
> + if (domain->global_init && domain->global_init(global.ctl)) {
> + ret = -ENODEV;
> + goto out;
> + }
…
> *parsed = true;
> +
> +out:
Would an other label be a bit clearer here?
unmap_io:
> iounmap(io_addr);
> - return 0;
> + return ret;
> }
>
> static int parse_discovery_table(struct uncore_discovery_domain
>
>> See also once more:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n94
Will another imperative wording become helpful for an improved change description?
> Are you suggesting that I add a Closes tag?
It depends …
> This issue was reported by Intel internal LKP, and there is no public
> URL available.
Thanks for such a bit of background information.
Some contributors would appreciate further hints on involved development tools
(and known source code analysis approaches).
Regards,
Markus
On 1/13/2026 11:51 PM, Markus Elfring wrote:
>>>> If domain->global_init() fails in __parse_discovery_table(), the
>>>> mapped MMIO region is not released before returning, resulting in
>>>> an iounmap() leak.
>>>
>>> How do you think about to avoid a bit of duplicate source code here?
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.19-rc5#n526
>>
>> Thank you for the suggestion!
>>
>> Yes, I agree this is better.
>
> Thanks for this positive feedback.
>
>
>> In V1 I followed the existing style in this API.
>
> This variant might be nicer for backporting.
>
>
>> I will post a v2 with this change:
>>
>> @@ -264,6 +264,7 @@ static int __parse_discovery_table(struct
>> uncore_discovery_domain *domain,
>> struct uncore_unit_discovery unit;
>> void __iomem *io_addr;
>> unsigned long size;
>> + int ret = 0;
>> int i;
>
> Would scope adjustments become helpful for any of these local vartiables?
Yes, I agree that moving int i into the for loop would be better, but
I’d prefer to keep this patch focused and leave that change for future
cleanup.
>
>> size = UNCORE_DISCOVERY_GLOBAL_MAP_SIZE;
>> @@ -273,21 +274,23 @@ static int __parse_discovery_table(struct
> …
>> - if (domain->global_init && domain->global_init(global.ctl))
>> - return -ENODEV;
>> + if (domain->global_init && domain->global_init(global.ctl)) {
>> + ret = -ENODEV;
>> + goto out;
>> + }
> …
>> *parsed = true;
>> +
>> +out:
>
> Would an other label be a bit clearer here?
>
> unmap_io:
It seems that the perf driver generally uses simple labels such as done,
out, or err. Additionally, since there is only a single error path
here, I would prefer to keep the label out for style consistency.
>
>> iounmap(io_addr);
>> - return 0;
>> + return ret;
>> }
>>
>> static int parse_discovery_table(struct uncore_discovery_domain
>>
>>> See also once more:
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n94
>
> Will another imperative wording become helpful for an improved change description?
Sure, I’ll try my best to improve the description.
>> Are you suggesting that I add a Closes tag?
>
> It depends …
>
>
>> This issue was reported by Intel internal LKP, and there is no public
>> URL available.
>
> Thanks for such a bit of background information.
> Some contributors would appreciate further hints on involved development tools
> (and known source code analysis approaches).
I may add the following report to the commit message for additional context:
Unverified Error/Warning (likely false positive, kindly check if
interested):
arch/x86/events/intel/uncore_discovery.c:293:2-8:
ERROR: missing iounmap; ioremap on line 288 and execution via
conditional on line 292
> Regards,
> Markus
Am 13.01.26 um 23:04 schrieb Chen, Zide:
>
>
> On 1/13/2026 8:21 AM, Markus Elfring wrote:
>>> If domain->global_init() fails in __parse_discovery_table(), the
>>> mapped MMIO region is not released before returning, resulting in
>>> an iounmap() leak.
>>
>> How do you think about to avoid a bit of duplicate source code here?
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.19-rc5#n526
>>
>
> Thank you for the suggestion!
>
> Yes, I agree this is better. In V1 I followed the existing style in this
> API.
>
> I will post a v2 with this change:
>
> @@ -264,6 +264,7 @@ static int __parse_discovery_table(struct
> uncore_discovery_domain *domain,
> struct uncore_unit_discovery unit;
> void __iomem *io_addr;
> unsigned long size;
> + int ret = 0;
> int i;
>
> size = UNCORE_DISCOVERY_GLOBAL_MAP_SIZE;
> @@ -273,21 +274,23 @@ static int __parse_discovery_table(struct
> uncore_discovery_domain *domain,
>
> /* Read Global Discovery State */
> memcpy_fromio(&global, io_addr, sizeof(struct
> uncore_global_discovery));
> + iounmap(io_addr);
> +
> if (uncore_discovery_invalid_unit(global)) {
> pr_info("Invalid Global Discovery State: 0x%llx 0x%llx
> 0x%llx\n",
> global.table1, global.ctl, global.table3);
> - iounmap(io_addr);
> return -EINVAL;
> }
> - iounmap(io_addr);
>
> size = (1 + global.max_units) * global.stride * 8;
> io_addr = ioremap(addr, size);
> if (!io_addr)
> return -ENOMEM;
>
> - if (domain->global_init && domain->global_init(global.ctl))
> - return -ENODEV;
> + if (domain->global_init && domain->global_init(global.ctl)) {
> + ret = -ENODEV;
> + goto out;
> + }
>
> /* Parsing Unit Discovery State */
> for (i = 0; i < global.max_units; i++) {
> @@ -307,8 +310,10 @@ static int __parse_discovery_table(struct
> uncore_discovery_domain *domain,
> }
>
> *parsed = true;
> +
> +out:
> iounmap(io_addr);
> - return 0;
> + return ret;
> }
>
> static int parse_discovery_table(struct uncore_discovery_domain
>
>> See also once more:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n94
>
> Are you suggesting that I add a Closes tag?
> This issue was reported by Intel internal LKP, and there is no public
> URL available.
>
>
>> Regards,
>> Markus
>
On 1/13/2026 8:25 AM, Zide Chen wrote:
> If domain->global_init() fails in __parse_discovery_table(), the
> mapped MMIO region is not released before returning, resulting in
> an iounmap() leak.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Fixes: b575fc0e3357 ("perf/x86/intel/uncore: Add domain global init callback")
> Signed-off-by: Zide Chen <zide.chen@intel.com>
> ---
> arch/x86/events/intel/uncore_discovery.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
> index 0e414cecb6f2..f64661ad56b2 100644
> --- a/arch/x86/events/intel/uncore_discovery.c
> +++ b/arch/x86/events/intel/uncore_discovery.c
> @@ -286,8 +286,10 @@ static int __parse_discovery_table(struct uncore_discovery_domain *domain,
> if (!io_addr)
> return -ENOMEM;
>
> - if (domain->global_init && domain->global_init(global.ctl))
> + if (domain->global_init && domain->global_init(global.ctl)) {
> + iounmap(io_addr);
> return -ENODEV;
> + }
>
> /* Parsing Unit Discovery State */
> for (i = 0; i < global.max_units; i++) {
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
© 2016 - 2026 Red Hat, Inc.