[tip: perf/urgent] perf/x86: Check data address for IBS software filter

From: tip-bot2 for Namhyung Kim
Date: Mon Mar 17 2025 - 18:51:26 EST

Next message: Heiko Stübner: "Re: linux-next: duplicate patch in the mfd tree"
Previous message: Sandro Pischinger: "[bug report, net-next] lo.disable_ipv6=1 allows ::1 dst packet to take a default route"
In reply to: Namhyung Kim: "[PATCH v2] perf/x86: Check data address for IBS software filter"
Next in thread: Ravi Bangoria: "Re: [PATCH v2] perf/x86: Check data address for IBS software filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following commit has been merged into the perf/urgent branch of tip:

Commit-ID: 65a99264f5e5a2bcc8c905f7b2d633e8991672ac
Gitweb: https://git.kernel.org/tip/65a99264f5e5a2bcc8c905f7b2d633e8991672ac
Author: Namhyung Kim <namhyung@xxxxxxxxxx>
AuthorDate: Mon, 17 Mar 2025 09:37:55 -07:00
Committer: Ingo Molnar <mingo@xxxxxxxxxx>
CommitterDate: Mon, 17 Mar 2025 23:37:31 +01:00

perf/x86: Check data address for IBS software filter

The IBS software filter is filtering kernel samples for regular users in
the PMI handler. It checks the instruction address in the IBS register to
determine if it was in kernel mode or not.

But it turns out that it's possible to report a kernel data address even
if the instruction address belongs to user-space. Matteo Rizzo
found that when an instruction raises an exception, IBS can report some
kernel data addresses like IDT while holding the faulting instruction's
RIP. To prevent an information leak, it should double check if the data
address in PERF_SAMPLE_DATA is in the kernel space as well.

[ mingo: Clarified the changelog ]

Suggested-by: Matteo Rizzo <matteorizzo@xxxxxxxxxx>
Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20250317163755.1842589-1-namhyung@xxxxxxxxxx
---
arch/x86/events/amd/ibs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index e7a8b87..c465005 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1128,8 +1128,13 @@ fail:
regs.flags |= PERF_EFLAGS_EXACT;
}

+ if (perf_ibs == &perf_ibs_op)
+ perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
+
if ((event->attr.config2 & IBS_SW_FILTER_MASK) &&
- perf_exclude_event(event, &regs)) {
+ (perf_exclude_event(event, &regs) ||
+ ((data.sample_flags & PERF_SAMPLE_ADDR) &&
+ event->attr.exclude_kernel && kernel_ip(data.addr)))) {
throttle = perf_event_account_interrupt(event);
goto out;
}
@@ -1144,9 +1149,6 @@ fail:
perf_sample_save_raw_data(&data, event, &raw);
}

- if (perf_ibs == &perf_ibs_op)
- perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
-
/*
* rip recorded by IbsOpRip will not be consistent with rsp and rbp
* recorded as part of interrupt regs. Thus we need to use rip from

Next message: Heiko Stübner: "Re: linux-next: duplicate patch in the mfd tree"
Previous message: Sandro Pischinger: "[bug report, net-next] lo.disable_ipv6=1 allows ::1 dst packet to take a default route"
In reply to: Namhyung Kim: "[PATCH v2] perf/x86: Check data address for IBS software filter"
Next in thread: Ravi Bangoria: "Re: [PATCH v2] perf/x86: Check data address for IBS software filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]