From: Peter Zijlstra <peterz@infradead.org>
To: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Namhyung Kim <namhyung@kernel.org>,
Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>,
Eranian Stephane <eranian@google.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Dapeng Mi <dapeng1.mi@intel.com>, Zide Chen <zide.chen@intel.com>,
Falcon Thomas <thomas.falcon@intel.com>,
Xudong Hao <xudong.hao@intel.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: Re: [Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid
Date: Wed, 10 Jun 2026 11:16:25 +0200 [thread overview]
Message-ID: <20260610091625.GE48970@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <20260609050222.2458129-9-dapeng1.mi@linux.intel.com>
On Tue, Jun 09, 2026 at 01:02:21PM +0800, Dapeng Mi wrote:
> An unprivileged hardware perf event using exclude_kernel=1 can leak kernel
> register data to user space via PERF_SAMPLE_REGS_INTR or PERF_SAMPLE_IP.
> Due to hardware skid, a PMI may trigger after the CPU has already entered
> kernel space (Ring 0), bypassing the perf_allow_kernel() privilege
> barrier.
>
> This security vulnerability is severely exacerbated by upcoming support
> for SIMD register sampling via XSAVES, which could expose sensitive kernel
> FPU states (such as active cryptographic keys).
>
> Fix this by ensuring that sampled register data is dropped if the event's
> exclude_kernel attribute is set but the PMI catches the CPU in kernel mode.
There is history here, see for example:
https://lore.kernel.org/r/CAP045Ap8cMx6mzSgcQ3n3bnh_8GJuCp7_KZe_5ZTCR_K6cPTLw@mail.gmail.com
So your earlier patches also sanitize the branch stack, but not in
generic code.
PHYS_ADDR already requires privileges
ADDR comes from PEBS on Intel, and IBS on AMD (iirc) and should be
reliable.
So yeah, I suppose IP and REGS_INTR are the big ones.
next prev parent reply other threads:[~2026-06-10 9:16 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 5:02 [Patch v2 0/9] perf/x86: Miscellaneous PMU bug fixes Dapeng Mi
2026-06-09 5:02 ` [Patch v2 1/9] perf/x86/intel: Remove anythread_deprecated bit from perf_capabilities Dapeng Mi
2026-06-09 5:02 ` [Patch v2 2/9] perf/x86: Introduce is_x86_pmu() helper Dapeng Mi
2026-06-09 5:02 ` [Patch v2 3/9] perf/x86: Update cap_user_rdpmc base on rdpmc user disable state Dapeng Mi
2026-06-09 14:48 ` Peter Zijlstra
2026-06-10 1:47 ` Mi, Dapeng
2026-06-09 5:02 ` [Patch v2 4/9] perf/x86/intel: Fallback to sw branch type decoding if no hw decoding Dapeng Mi
2026-06-09 5:24 ` sashiko-bot
2026-06-09 10:04 ` Mi, Dapeng
2026-06-09 14:49 ` Peter Zijlstra
2026-06-10 1:53 ` Mi, Dapeng
2026-06-09 5:02 ` [Patch v2 5/9] perf/x86/intel: Drop LBR entries whose privilege level mismatches br_sel Dapeng Mi
2026-06-09 5:21 ` sashiko-bot
2026-06-09 9:40 ` Mi, Dapeng
2026-06-09 14:52 ` Peter Zijlstra
2026-06-10 1:57 ` Mi, Dapeng
2026-06-09 5:02 ` [Patch v2 6/9] perf/x86/intel: Validate return value of intel_pmu_init_hybrid() Dapeng Mi
2026-06-09 5:25 ` sashiko-bot
2026-06-09 9:44 ` Mi, Dapeng
2026-06-10 8:16 ` Peter Zijlstra
2026-06-10 8:34 ` Mi, Dapeng
2026-06-09 5:02 ` [Patch v2 7/9] perf/x86/intel: Drop fixed-counter PEBS constraints for baseline PEBS Dapeng Mi
2026-06-10 8:20 ` Peter Zijlstra
2026-06-10 8:23 ` Peter Zijlstra
2026-06-10 8:50 ` Mi, Dapeng
2026-06-10 11:21 ` Peter Zijlstra
2026-06-10 11:42 ` Mi, Dapeng
2026-06-09 5:02 ` [Patch v2 8/9] perf/core: Fix kernel register info leak via hardware skid Dapeng Mi
2026-06-10 9:16 ` Peter Zijlstra [this message]
2026-06-09 5:02 ` [Patch v2 9/9] perf/core: Check kernel access when kernel callchains are requested Dapeng Mi
2026-06-09 5:24 ` sashiko-bot
2026-06-09 9:49 ` Mi, Dapeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610091625.GE48970@noisy.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=dapeng1.mi@intel.com \
--cc=dapeng1.mi@linux.intel.com \
--cc=eranian@google.com \
--cc=irogers@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=thomas.falcon@intel.com \
--cc=xudong.hao@intel.com \
--cc=zide.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox