From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jin Yao <yao.jin@linux.intel.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Jiri Olsa <jolsa@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Namhyung Kim <namhyung@kernel.org>,
Stephane Eranian <eranian@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vince Weaver <vincent.weaver@maine.edu>,
acme@kernel.org, jolsa@kernel.org, kan.liang@intel.com,
mark.rutland@arm.com, will.deacon@arm.com, yao.jin@intel.com,
Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 3.18 32/45] perf/core: Drop kernel samples even though :u is specified
Date: Mon, 12 Jun 2017 17:26:42 +0200 [thread overview]
Message-ID: <20170612152555.121634133@linuxfoundation.org> (raw)
In-Reply-To: <20170612152553.118037974@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jin Yao <yao.jin@linux.intel.com>
commit cc1582c231ea041fbc68861dfaf957eaf902b829 upstream.
When doing sampling, for example:
perf record -e cycles:u ...
On workloads that do a lot of kernel entry/exits we see kernel
samples, even though :u is specified. This is due to skid existing.
This might be a security issue because it can leak kernel addresses even
though kernel sampling support is disabled.
The patch drops the kernel samples if exclude_kernel is specified.
For example, test on Haswell desktop:
perf record -e cycles:u <mgen>
perf report --stdio
Before patch applied:
99.77% mgen mgen [.] buf_read
0.20% mgen mgen [.] rand_buf_init
0.01% mgen [kernel.vmlinux] [k] apic_timer_interrupt
0.00% mgen mgen [.] last_free_elem
0.00% mgen libc-2.23.so [.] __random_r
0.00% mgen libc-2.23.so [.] _int_malloc
0.00% mgen mgen [.] rand_array_init
0.00% mgen [kernel.vmlinux] [k] page_fault
0.00% mgen libc-2.23.so [.] __random
0.00% mgen libc-2.23.so [.] __strcasestr
0.00% mgen ld-2.23.so [.] strcmp
0.00% mgen ld-2.23.so [.] _dl_start
0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
0.00% mgen ld-2.23.so [.] _start
We can see kernel symbols apic_timer_interrupt and page_fault.
After patch applied:
99.79% mgen mgen [.] buf_read
0.19% mgen mgen [.] rand_buf_init
0.00% mgen libc-2.23.so [.] __random_r
0.00% mgen mgen [.] rand_array_init
0.00% mgen mgen [.] last_free_elem
0.00% mgen libc-2.23.so [.] vfprintf
0.00% mgen libc-2.23.so [.] rand
0.00% mgen libc-2.23.so [.] __random
0.00% mgen libc-2.23.so [.] _int_malloc
0.00% mgen libc-2.23.so [.] _IO_doallocbuf
0.00% mgen ld-2.23.so [.] do_lookup_x
0.00% mgen ld-2.23.so [.] open_verify.constprop.7
0.00% mgen ld-2.23.so [.] _dl_important_hwcaps
0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
0.00% mgen ld-2.23.so [.] _start
There are only userspace symbols.
Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: acme@kernel.org
Cc: jolsa@kernel.org
Cc: kan.liang@intel.com
Cc: mark.rutland@arm.com
Cc: will.deacon@arm.com
Cc: yao.jin@intel.com
Link: http://lkml.kernel.org/r/1495706947-3744-1-git-send-email-yao.jin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5761,6 +5761,21 @@ static void perf_log_throttle(struct per
perf_output_end(&handle);
}
+static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
+{
+ /*
+ * Due to interrupt latency (AKA "skid"), we may enter the
+ * kernel before taking an overflow, even if the PMU is only
+ * counting user events.
+ * To avoid leaking information to userspace, we must always
+ * reject kernel samples when exclude_kernel is set.
+ */
+ if (event->attr.exclude_kernel && !user_mode(regs))
+ return false;
+
+ return true;
+}
+
/*
* Generic event overflow handling, sampling.
*/
@@ -5808,6 +5823,12 @@ static int __perf_event_overflow(struct
}
/*
+ * For security, drop the skid kernel samples if necessary.
+ */
+ if (!sample_is_allowed(event, regs))
+ return ret;
+
+ /*
* XXX event_limit might not quite work as expected on inherited
* events
*/
next prev parent reply other threads:[~2017-06-12 15:45 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-12 15:26 [PATCH 3.18 00/45] 3.18.57-stable review Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 01/45] bnx2x: Fix Multi-Cos Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 02/45] ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 03/45] cxgb4: avoid enabling napi twice to the same queue Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 04/45] tcp: disallow cwnd undo when switching congestion control Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 05/45] ipv6: Fix leak in ipv6_gso_segment() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 06/45] net: ping: do not abuse udp_poll() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 07/45] net: ethoc: enable NAPI before poll may be scheduled Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 08/45] serial: ifx6x60: fix use-after-free on module unload Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 09/45] KEYS: fix dereferencing NULL payload with nonzero length Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 10/45] KEYS: fix freeing uninitialized memory in key_update() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 11/45] crypto: gcm - wait for crypto op not signal safe Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 12/45] nfsd4: fix null dereference on replay Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 15/45] arm: KVM: Allow unaligned accesses at HYP Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 16/45] dmaengine: ep93xx: Always start from BASE0 Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 17/45] ext4: fix SEEK_HOLE Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 18/45] ext4: keep existing extra fields when inode expands Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 19/45] usb: gadget: f_mass_storage: Serialize wake and sleep execution Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 20/45] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 21/45] usb: chipidea: debug: check before accessing ci_role Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 22/45] staging/lustre/lov: remove set_fs() call from lov_getstripe() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 23/45] iio: proximity: as3935: fix AS3935_INT mask Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 24/45] drivers: char: random: add get_random_long() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 25/45] random: properly align get_random_int_hash Greg Kroah-Hartman
2017-06-12 15:26 ` [kernel-hardening] [PATCH 3.18 26/45] stackprotector: Increase the per-task stack canarys random range from 32 bits to 64 bits on 64-bit platforms Greg Kroah-Hartman
2017-06-12 15:26 ` Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 27/45] btrfs: use correct types for page indices in btrfs_page_exists_in_range Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 28/45] btrfs: fix memory leak in update_space_info failure path Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 29/45] scsi: qla2xxx: dont disable a not previously enabled PCI device Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 30/45] powerpc/eeh: Avoid use after free in eeh_handle_special_event() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 31/45] powerpc/numa: Fix percpu allocations to be NUMA aware Greg Kroah-Hartman
2017-06-12 15:26 ` Greg Kroah-Hartman [this message]
2017-06-12 15:26 ` [PATCH 3.18 33/45] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 34/45] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 35/45] ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 36/45] ASoC: Fix use-after-free at card unregistration Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 37/45] drivers: char: mem: Fix wraparound check to allow mappings up to the end Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 38/45] serial: sh-sci: Fix panic when serial console and DMA are enabled Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 39/45] arm64: hw_breakpoint: fix watchpoint matching for tagged pointers Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 40/45] arm64: entry: improve data abort handling of " Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 41/45] RDMA/qib,hfi1: Fix MR reference count leak on write with immediate Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 42/45] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 43/45] usercopy: Adjust tests to deal with SMAP/PAN Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 44/45] arm64: ensure extension of smp_store_release value Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 45/45] mlx5: stop including <asm-generic/kmap_types.h> Greg Kroah-Hartman
2017-06-12 21:52 ` [PATCH 3.18 00/45] 3.18.57-stable review Guenter Roeck
2017-06-13 0:49 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170612152555.121634133@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@kernel.org \
--cc=acme@redhat.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=eranian@google.com \
--cc=jolsa@kernel.org \
--cc=jolsa@redhat.com \
--cc=kan.liang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincent.weaver@maine.edu \
--cc=will.deacon@arm.com \
--cc=yao.jin@intel.com \
--cc=yao.jin@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.