Re: drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'
From: Palmer Dabbelt
Date: Wed Apr 20 2022 - 18:38:17 EST
On Wed, 20 Apr 2022 02:31:33 PDT (-0700), dan.carpenter@xxxxxxxxxx wrote:
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 59250f8a7f3a60a2661b84cbafc1e0eb5d05ec9b
commit: e9991434596f5373dfd75857b445eb92a9253c56 RISC-V: Add perf platform driver based on SBI PMU extension
config: riscv-randconfig-m031-20220416 (https://download.01.org/0day-ci/archive/20220416/202204161940.BrRZvzdD-lkp@xxxxxxxxx/config)
compiler: riscv32-linux-gcc (GCC) 11.2.0
If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
smatch warnings:
drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'
drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'
vim +464 drivers/perf/riscv_pmu_sbi.c
e9991434596f53 Atish Patra 2022-02-18 444 static int pmu_sbi_get_ctrinfo(int nctr)
e9991434596f53 Atish Patra 2022-02-18 445 {
e9991434596f53 Atish Patra 2022-02-18 446 struct sbiret ret;
e9991434596f53 Atish Patra 2022-02-18 447 int i, num_hw_ctr = 0, num_fw_ctr = 0;
e9991434596f53 Atish Patra 2022-02-18 448 union sbi_pmu_ctr_info cinfo;
e9991434596f53 Atish Patra 2022-02-18 449
e9991434596f53 Atish Patra 2022-02-18 450 pmu_ctr_list = kcalloc(nctr, sizeof(*pmu_ctr_list), GFP_KERNEL);
^^^^
e9991434596f53 Atish Patra 2022-02-18 451 if (!pmu_ctr_list)
e9991434596f53 Atish Patra 2022-02-18 452 return -ENOMEM;
e9991434596f53 Atish Patra 2022-02-18 453
e9991434596f53 Atish Patra 2022-02-18 454 for (i = 0; i <= nctr; i++) {
^^^^^^^^^
The <= should be <
e9991434596f53 Atish Patra 2022-02-18 455 ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0);
e9991434596f53 Atish Patra 2022-02-18 456 if (ret.error)
e9991434596f53 Atish Patra 2022-02-18 457 /* The logical counter ids are not expected to be contiguous */
e9991434596f53 Atish Patra 2022-02-18 458 continue;
e9991434596f53 Atish Patra 2022-02-18 459 cinfo.value = ret.value;
e9991434596f53 Atish Patra 2022-02-18 460 if (cinfo.type == SBI_PMU_CTR_TYPE_FW)
e9991434596f53 Atish Patra 2022-02-18 461 num_fw_ctr++;
e9991434596f53 Atish Patra 2022-02-18 462 else
e9991434596f53 Atish Patra 2022-02-18 463 num_hw_ctr++;
e9991434596f53 Atish Patra 2022-02-18 @464 pmu_ctr_list[i].value = cinfo.value;
^^^^^^^^^^^^^^^
Off by one
e9991434596f53 Atish Patra 2022-02-18 465 }
e9991434596f53 Atish Patra 2022-02-18 466
e9991434596f53 Atish Patra 2022-02-18 467 pr_info("%d firmware and %d hardware counters\n", num_fw_ctr, num_hw_ctr);
e9991434596f53 Atish Patra 2022-02-18 468
e9991434596f53 Atish Patra 2022-02-18 469 return 0;
e9991434596f53 Atish Patra 2022-02-18 470 }
I think this should do it
diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c
index a1317a483512..50394ef1adef 100644
--- a/drivers/perf/riscv_pmu_sbi.c
+++ b/drivers/perf/riscv_pmu_sbi.c
@@ -457,7 +457,7 @@ static int pmu_sbi_get_ctrinfo(int nctr)
if (!pmu_ctr_list)
return -ENOMEM;
- for (i = 0; i <= nctr; i++) {
+ for (i = 0; i < nctr; i++) {
ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0);
if (ret.error)
/* The logical counter ids are not expected to be contiguous */
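Review bot: The `for` loop still has no comment tying its bound to the `kcalloc(nctr, ...)` count a few lines above, and that relationship is the only thing keeping the later store `pmu_ctr_list[i].value = cinfo.value;` inside the allocation. With `<=`, that store landed one element past the end whenever the SBI call for index `nctr` returned without error, so whether the out-of-bounds heap write happened depended on the firmware's answer. I would add `/* pmu_ctr_list has nctr entries: valid indices are 0..nctr-1 */` directly above the loop. The rest of the loop body, including the store, lies outside this hunk and is visible only in the quoted listing. Since this is a memory-safety fix, the final commit would also benefit from a `Fixes:` tag for e9991434596f alongside the `Reported-by:` tags the report asks for.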
but I'm not super familiar with the perf code and there's frequently this
pattern of "0 is reserved as a special value" in the RISC-V specs (interrupt
numbers, for example) so I may be wrong here. IIUC none of that is going on
here, as these are all indirect/non-contiguous, but I'll let Atish take a look.
Thanks!