From: Namhyung Kim Date: Mon, 17 Mar 2025 16:37:55 +0000 (-0700) Subject: perf/x86: Check data address for IBS software filter X-Git-Tag: nvme-6.15-2025-04-02~192^2~1 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=65a99264f5e5a2bcc8c905f7b2d633e8991672ac;p=nvme.git perf/x86: Check data address for IBS software filter The IBS software filter is filtering kernel samples for regular users in the PMI handler. It checks the instruction address in the IBS register to determine if it was in kernel mode or not. But it turns out that it's possible to report a kernel data address even if the instruction address belongs to user-space. Matteo Rizzo found that when an instruction raises an exception, IBS can report some kernel data addresses like IDT while holding the faulting instruction's RIP. To prevent an information leak, it should double check if the data address in PERF_SAMPLE_DATA is in the kernel space as well. [ mingo: Clarified the changelog ] Suggested-by: Matteo Rizzo Signed-off-by: Namhyung Kim Signed-off-by: Ingo Molnar Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20250317163755.1842589-1-namhyung@kernel.org --- diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c index e7a8b8758e08..c46500592002 100644 --- a/arch/x86/events/amd/ibs.c +++ b/arch/x86/events/amd/ibs.c @@ -1128,8 +1128,13 @@ fail: regs.flags |= PERF_EFLAGS_EXACT; } + if (perf_ibs == &perf_ibs_op) + perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data); + if ((event->attr.config2 & IBS_SW_FILTER_MASK) && - perf_exclude_event(event, ®s)) { + (perf_exclude_event(event, ®s) || + ((data.sample_flags & PERF_SAMPLE_ADDR) && + event->attr.exclude_kernel && kernel_ip(data.addr)))) { throttle = perf_event_account_interrupt(event); goto out; } @@ -1144,9 +1149,6 @@ fail: perf_sample_save_raw_data(&data, event, &raw); } - if (perf_ibs == &perf_ibs_op) - perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data); - /* * rip recorded by IbsOpRip will not be consistent with rsp and rbp * recorded as part of interrupt regs. Thus we need to use rip from