Re: [Patch v2 5/9] perf/x86/intel: Drop LBR entries whose privilege level mismatches br_sel

Linux Perf Users
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Dapeng Mi" <dapeng1.mi@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [Patch v2 5/9] perf/x86/intel: Drop LBR entries whose privilege level mismatches br_sel
Date: Tue, 09 Jun 2026 05:21:27 +0000	[thread overview]
Message-ID: <20260609052128.811C51F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609050222.2458129-6-dapeng1.mi@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The kernel address leak in LBR stacks fixed here for Intel PMUs still exists in AMD PMUs (both AMD LBR and AMD BRS), allowing KASLR bypass.
--

commit 955fb4f61b3305a8e4972ee94bb41e752a3dd25c
Author: Dapeng Mi <dapeng1.mi@linux.intel.com>

perf/x86/intel: Drop LBR entries whose privilege level mismatches br_sel

This commit fixes an issue where kernel branch addresses could be exposed
to user space in user-only branch stacks. It extends the software filter
in intel_pmu_lbr_filter() to validate both the from and to addresses
against the requested branch privilege filter.

> diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
> index 171fdf1962ade..9a63209cc7878 100644
> --- a/arch/x86/events/intel/lbr.c
> +++ b/arch/x86/events/intel/lbr.c

[ ... ]

> @@ -1246,8 +1246,16 @@ intel_pmu_lbr_filter(struct cpu_hw_events *cpuc)
>  				type |= X86_BR_NO_TX;
>  		}
>  
> -		/* if type does not correspond, then discard */
> -		if (type == X86_BR_NONE || (br_sel & type) != type) {
> +		from_plm = kernel_ip(from) ? X86_BR_KERNEL : X86_BR_USER;
> +		/*
> +		 * If type does not correspond, then discard.
> +		 * Especially filter out the entries whose from or to address is
> +		 * a kernel address while only X86_BR_USER is set. This prevents
> +		 * kernel address from being leaked into a user-space-only LBR stack.
> +		 */
> +		if (type == X86_BR_NONE || (br_sel & type) != type ||
> +		    (!(br_sel & X86_BR_KERNEL) && (from_plm & X86_BR_KERNEL)) ||
> +		    (!(br_sel & X86_BR_USER) && (from_plm & X86_BR_USER))) {
>  			cpuc->lbr_entries[i].from = 0;
>  			compress = true;
>  		}

[Severity: High]
This is a pre-existing issue, but does the AMD PMU code suffer from this
same vulnerability?

Looking at the AMD LBR software filter, it appears to only check the
target privilege level and is missing the from_plm privilege validation:

arch/x86/events/amd/lbr.c:amd_pmu_lbr_filter() {
    ...
    /* If type does not correspond, then discard */
    if (type == X86_BR_NONE || (br_sel & type) != type) {
        cpuc->lbr_entries[i].from = 0;  /* mark invalid */
    ...
}

Similarly, the AMD BRS filter explicitly only validates the to address
and ignores the from address:

arch/x86/events/amd/brs.c:amd_brs_match_plm() {
    ...
    if (!(type & plm_k) && kernel_ip(to))
        return 0;

    if (!(type & plm_u) && !kernel_ip(to))
        return 0;

    return 1;
}

Could kernel addresses from kernel-to-user branches leak into user-space
LBR stacks on AMD systems through these paths, bypassing KASLR in the
same way?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609050222.2458129-1-dapeng1.mi@linux.intel.com?part=5

next prev parent reply	other threads:[~2026-06-09  5:21 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-09  5:02 [Patch v2 0/9] perf/x86: Miscellaneous PMU bug fixes Dapeng Mi
2026-06-09  5:02 ` [Patch v2 1/9] perf/x86/intel: Remove anythread_deprecated bit from perf_capabilities Dapeng Mi
2026-06-09  5:02 ` [Patch v2 2/9] perf/x86: Introduce is_x86_pmu() helper Dapeng Mi
2026-06-09  5:02 ` [Patch v2 3/9] perf/x86: Update cap_user_rdpmc base on rdpmc user disable state Dapeng Mi
2026-06-09  5:02 ` [Patch v2 4/9] perf/x86/intel: Fallback to sw branch type decoding if no hw decoding Dapeng Mi
2026-06-09  5:24   ` sashiko-bot
2026-06-09  5:02 ` [Patch v2 5/9] perf/x86/intel: Drop LBR entries whose privilege level mismatches br_sel Dapeng Mi
2026-06-09  5:21   ` sashiko-bot [this message]
2026-06-09  5:02 ` [Patch v2 6/9] perf/x86/intel: Validate return value of intel_pmu_init_hybrid() Dapeng Mi
2026-06-09  5:25   ` sashiko-bot
2026-06-09  5:02 ` [Patch v2 7/9] perf/x86/intel: Drop fixed-counter PEBS constraints for baseline PEBS Dapeng Mi
2026-06-09  5:02 ` [Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid Dapeng Mi
2026-06-09  5:02 ` [Patch v2 9/9] perf/core: Check kernel access when kernel callchains are requested Dapeng Mi
2026-06-09  5:24   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260609052128.811C51F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dapeng1.mi@linux.intel.com \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox