[Patch v3 8/8] perf/core: Check kernel access when kernel callchains are requested

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 2/3] dt-bindings: iio: st,st-sensors: remove lis302dl and lis3lv02d from deprecated list"
Previous message: Takashi Iwai: "Re: [PATCH] ALSA: usb-audio: qcom: Guard sideband endpoint removal"
In reply to: Dapeng Mi: "[Patch v3 7/8] perf/core: Fix kernel register info leak via hardware skid"
Next in thread: Dapeng Mi: "[Patch v3 5/8] perf/x86/intel: Validate the return value of intel_pmu_init_hybrid()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dapeng Mi

Date: Fri Jun 12 2026 - 05:09:15 EST

perf_event_open() currently gates perf_allow_kernel() only on
!attr.exclude_kernel.

However, users can still request kernel callchain collection with
attr.exclude_callchain_kernel == 0 even when attr.exclude_kernel == 1.
That still requires kernel profiling privilege, but the existing check
does not enforce it.

Update the permission check to call perf_allow_kernel() when either
kernel sampling is requested or kernel callchains are requested.

This keeps permission checks aligned with requested data and prevents
unprivileged use of kernel callchain capture.

Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Mark Rutland <mark.rutland@xxxxxxx>
Cc: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Signed-off-by: Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx>
---
kernel/events/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 89f6c9ffb964..bbd260d9d5b5 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -13924,7 +13924,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (err)
return err;

- if (!attr.exclude_kernel) {
+ if (!attr.exclude_kernel ||
+ ((attr.sample_type & PERF_SAMPLE_CALLCHAIN) &&
+ !attr.exclude_callchain_kernel)) {
err = perf_allow_kernel();
if (err)
return err;
--
2.34.1