From: sashiko-bot@kernel.org
To: "Aviv Bakal" <avivb@amazon.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v5 1/2] perf/arm-cmn: Move DTM index data out of hw_perf_event
Date: Wed, 03 Jun 2026 15:21:46 +0000 [thread overview]
Message-ID: <20260603152146.92EA61F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260603150025.30980-2-avivb@amazon.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Type confusion in `arm_cmn_validate_group` allows arbitrary kernel memory read and out-of-bounds heap write via mixed PMU event groups.
--
commit 5cf0bca45fce2ef5c66d58f875b8d4b3f7c015e0
Author: Robin Murphy <robin.murphy@arm.com>
perf/arm-cmn: Move DTM index data out of hw_perf_event
This commit moves the DTM index arrays and watchpoint tracking out of
hw_perf_event into separate dynamically allocated memory structures. This
change is intended to accommodate growing CMN configurations without exceeding
the limits of hw_perf_event.
> diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
> index f5305c8fdca43..f1978a53d1c19 100644
> --- a/drivers/perf/arm-cmn.c
> +++ b/drivers/perf/arm-cmn.c
[ ... ]
> @@ -1787,6 +1809,11 @@ static int arm_cmn_event_init(struct perf_event *event)
> if (type == CMN_TYPE_DTC)
> return arm_cmn_validate_group(cmn, event);
>
[Severity: Critical]
This isn't a bug introduced by this patch, but could this lead to a type
confusion and out-of-bounds write when validating groups with mixed PMU events?
When arm_cmn_validate_group() iterates over the group's siblings, it doesn't
verify that sibling->pmu == event->pmu. If a sibling is a hardware event from
a different PMU, it passes it to arm_cmn_val_add_event():
drivers/perf/arm-cmn.c:arm_cmn_validate_group() {
...
for_each_sibling_event(sibling, leader)
arm_cmn_val_add_event(cmn, val, sibling);
...
}
Inside arm_cmn_val_add_event(), it casts the sibling's hw_perf_event to an
arm_cmn_hw_event. Since userspace controls attr.config, it can overlap with
the hw->dn pointer, allowing arbitrary kernel memory reads:
drivers/perf/arm-cmn.c:arm_cmn_val_add_event() {
...
for_each_hw_dn(hw, dn, i) {
int wp_idx, dtm = dn->dtm, sel = hw->filter_sel;
val->dtm_count[dtm]++;
...
}
Because the read byte dtm can be up to 255 and the array bounds are
CMN_MAX_DTMS (188), does this enable a controllable out-of-bounds write on
the kernel heap?
> + event->destroy = arm_cmn_event_destroy;
> + hw->dtm_idx = arm_cmn_alloc_dtm_idx();
> + if (!hw->dtm_idx)
> + return -ENOMEM;
> +
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260603150025.30980-1-avivb@amazon.com?part=1
next prev parent reply other threads:[~2026-06-03 15:21 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-03 15:51 [PATCH] perf/arm-cmn: Add workarounds for CMN-S3 on Graviton5 Aviv Bakal
2026-05-03 16:20 ` sashiko-bot
2026-05-04 13:37 ` Aviv Bakal
2026-05-04 13:39 ` [PATCH v2] " Aviv Bakal
2026-05-04 19:38 ` sashiko-bot
2026-05-05 2:31 ` kernel test robot
2026-05-21 16:02 ` Robin Murphy
2026-05-24 15:38 ` [PATCH v3 0/2] " Aviv Bakal
2026-05-24 15:38 ` [PATCH v3 1/2] perf/arm-cmn: Move struct arm_cmn_hw_event into struct hw_perf_event Aviv Bakal
2026-05-24 16:13 ` sashiko-bot
2026-05-29 16:44 ` Robin Murphy
2026-05-24 15:38 ` [PATCH v3 2/2] perf/arm-cmn: Add workarounds for CMN-S3 on Graviton5 Aviv Bakal
2026-05-24 16:40 ` sashiko-bot
2026-05-31 11:04 ` [PATCH v4 0/2] " Aviv Bakal
2026-05-31 11:04 ` [PATCH v4 1/2] perf/arm-cmn: Move DTM index data out of hw_perf_event Aviv Bakal
2026-06-01 18:23 ` Robin Murphy
2026-06-02 5:49 ` Ilkka Koskinen
2026-05-31 11:04 ` [PATCH v4 2/2] perf/arm-cmn: Add workarounds for CMN-S3 on Graviton5 Aviv Bakal
2026-05-31 11:32 ` sashiko-bot
2026-06-01 17:45 ` Robin Murphy
2026-06-03 14:57 ` Aviv Bakal
2026-06-01 17:48 ` Robin Murphy
2026-06-02 5:55 ` Ilkka Koskinen
2026-06-03 15:00 ` [PATCH v5 0/2] " Aviv Bakal
2026-06-03 15:00 ` [PATCH v5 1/2] perf/arm-cmn: Move DTM index data out of hw_perf_event Aviv Bakal
2026-06-03 15:21 ` sashiko-bot [this message]
2026-06-03 15:00 ` [PATCH v5 2/2] perf/arm-cmn: Add workarounds for CMN-S3 on Graviton5 Aviv Bakal
2026-06-03 15:53 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603152146.92EA61F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=avivb@amazon.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.