Re: [Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid

Next message: Xuyang Dong: "Re: Re: [PATCH v7 1/2] dt-bindings: pwm: dwc: Add eswin compatible and resets property"
Previous message: Liu Ying: "[PATCH v3 2/3] arm64: dts: imx93: Add LVDS Display Bridge support"
In reply to: Dapeng Mi: "[Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid"
Next in thread: Mi, Dapeng: "Re: [Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Wed Jun 10 2026 - 05:25:52 EST

On Tue, Jun 09, 2026 at 01:02:21PM +0800, Dapeng Mi wrote:
> An unprivileged hardware perf event using exclude_kernel=1 can leak kernel
> register data to user space via PERF_SAMPLE_REGS_INTR or PERF_SAMPLE_IP.
> Due to hardware skid, a PMI may trigger after the CPU has already entered
> kernel space (Ring 0), bypassing the perf_allow_kernel() privilege
> barrier.
>
> This security vulnerability is severely exacerbated by upcoming support
> for SIMD register sampling via XSAVES, which could expose sensitive kernel
> FPU states (such as active cryptographic keys).
>
> Fix this by ensuring that sampled register data is dropped if the event's
> exclude_kernel attribute is set but the PMI catches the CPU in kernel mode.

There is history here, see for example:

https://lore.kernel.org/r/CAP045Ap8cMx6mzSgcQ3n3bnh_8GJuCp7_KZe_5ZTCR_K6cPTLw@xxxxxxxxxxxxxx

So your earlier patches also sanitize the branch stack, but not in
generic code.

PHYS_ADDR already requires privileges
ADDR comes from PEBS on Intel, and IBS on AMD (iirc) and should be
reliable.

So yeah, I suppose IP and REGS_INTR are the big ones.