Re: [Patch v4 4/8] perf/x86/intel: Fix kernel address leakages in LBR stack

Linux Perf Users
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Dapeng Mi" <dapeng1.mi@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [Patch v4 4/8] perf/x86/intel: Fix kernel address leakages in LBR stack
Date: Tue, 16 Jun 2026 05:03:53 +0000	[thread overview]
Message-ID: <20260616050353.E31FA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616044654.3468742-5-dapeng1.mi@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The kernel address leak fixed in Intel LBR is also present in the AMD LBR and AMD BRS implementations.
--

commit 6e58211ef4792cdee63b678a385b927eb7214af9
Author: Dapeng Mi <dapeng1.mi@linux.intel.com>

perf/x86/intel: Fix kernel address leakages in LBR stack

This commit fixes an information leak in Intel LBR where the software filter
failed to validate the from address. By validating both the from and to
addresses against the requested privilege mask, it prevents kernel addresses
from leaking into user-only branch stacks.

> diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
> index e2657f791e507..16eef15378166 100644
> --- a/arch/x86/events/intel/lbr.c
> +++ b/arch/x86/events/intel/lbr.c

[ ... ]

> @@ -1244,8 +1244,14 @@ intel_pmu_lbr_filter(struct cpu_hw_events *cpuc)
>  				type |= X86_BR_NO_TX;
>  		}
>  
> -		/* if type does not correspond, then discard */
> -		if (type == X86_BR_NONE || (br_sel & type) != type) {
> +		from_plm = kernel_ip(from) ? X86_BR_KERNEL : X86_BR_USER;
> +		/*
> +		 * If type does not correspond, then discard.
> +		 * Specifically reject entries whose from address is in
> +		 * kernel space when only X86_BR_USER is requested.
> +		 */
> +		if (type == X86_BR_NONE || (br_sel & type) != type ||
> +		    (!(br_sel & X86_BR_KERNEL) && (from_plm & X86_BR_KERNEL))) {

[Severity: High]
This isn't a bug introduced by this patch, but does the same kernel address
leak exist in the AMD LBR and BRS implementations?

Looking at arch/x86/events/amd/lbr.c, the software filter sets the branch
privilege strictly based on the target address. Kernel-to-user branches might
bypass the filter and leak the kernel from address:

arch/x86/events/amd/lbr.c:amd_pmu_lbr_filter() {
    ...
    type = branch_type_fused(from, to, 0, &offset);

    /* If type does not correspond, then discard */
    if (type == X86_BR_NONE || (br_sel & type) != type) {
    ...
}

Similarly, in arch/x86/events/amd/brs.c, the privilege filter only evaluates
the target address against the requested privilege mask:

arch/x86/events/amd/brs.c:amd_brs_match_plm() {
    ...
    if (!(type & plm_k) && kernel_ip(to))
        return 0;

    if (!(type & plm_u) && !kernel_ip(to))
        return 0;

    return 1;
}

Because the hardware PMU natively records branches going from kernel space to
user space, could unprivileged users requesting user-only branches still
sample kernel addresses on AMD through these paths?

>  			cpuc->lbr_entries[i].from = 0;
>  			compress = true;
>  		}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616044654.3468742-1-dapeng1.mi@linux.intel.com?part=4

next prev parent reply	other threads:[~2026-06-16  5:03 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-16  4:46 [Patch v4 0/8] perf/x86: Miscellaneous PMU bug fixes Dapeng Mi
2026-06-16  4:46 ` [Patch v4 1/8] perf/x86/intel: Remove anythread_deprecated bit from perf_capabilities Dapeng Mi
2026-06-16  4:46 ` [Patch v4 2/8] perf/x86/intel: Keep cap_user_rdpmc in sync with RDPMC user-disable state Dapeng Mi
2026-06-16  4:46 ` [Patch v4 3/8] perf/x86/intel: Fallback to sw branch type decoding if no hw decoding Dapeng Mi
2026-06-16  5:03   ` sashiko-bot
2026-06-16  4:46 ` [Patch v4 4/8] perf/x86/intel: Fix kernel address leakages in LBR stack Dapeng Mi
2026-06-16  5:03   ` sashiko-bot [this message]
2026-06-16  4:46 ` [Patch v4 5/8] perf/x86/intel: Validate the return value of intel_pmu_init_hybrid() Dapeng Mi
2026-06-16  4:46 ` [Patch v4 6/8] perf/x86/intel: Drop fixed-counter PEBS constraints for baseline PEBS Dapeng Mi
2026-06-16  4:46 ` [Patch v4 7/8] perf/core: Fix kernel register info leak via hardware skid Dapeng Mi
2026-06-16  4:46 ` [Patch v4 8/8] perf/core: Check kernel access when kernel callchains are requested Dapeng Mi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260616050353.E31FA1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dapeng1.mi@linux.intel.com \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox