From: sashiko-bot@kernel.org
To: "Sandipan Das" <sandipan.das@amd.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH] perf/x86/amd/lbr: Fix kernel address leakage
Date: Fri, 10 Jul 2026 11:02:34 +0000 [thread overview]
Message-ID: <20260710110235.F3FD81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <a898a29725f6b2f30518354cdc2e432db66c43cf.1783680119.git.sandipan.das@amd.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] AMD's Branch Record Sampling (BRS) software filter shares the exact same logic flaw as AMD LBR V2, exposing kernel addresses when PERF_SAMPLE_BRANCH_USER is requested.
- [High] The Intel LBR software filter shares the same logic flaw, exposing kernel addresses on Intel CPUs that rely on software filtering.
--
--- Patch [1]: [PATCH] perf/x86/amd/lbr: Fix kernel address leakage ---
commit f8aba9338ad1990ca06ee1ac10089bd82793534b
Author: Sandipan Das <sandipan.das@amd.com>
perf/x86/amd/lbr: Fix kernel address leakage
A user-only branch stack can contain branches that originate from the kernel,
exposing kernel addresses to user space even when PERF_SAMPLE_BRANCH_USER
is requested. This commit extends software filtering on AMD processors
supporting X86_FEATURE_AMD_LBR_V2 to validate branch-from addresses against
the requested branch selection, dropping entries with kernel branch-from
addresses.
> diff --git a/arch/x86/events/amd/lbr.c b/arch/x86/events/amd/lbr.c
> index d24da377df776..b9722e60d8bc7 100644
> --- a/arch/x86/events/amd/lbr.c
> +++ b/arch/x86/events/amd/lbr.c
> @@ -125,7 +125,8 @@ static void amd_pmu_lbr_filter(void)
> }
>
> /* If type does not correspond, then discard */
> - if (type == X86_BR_NONE || (br_sel & type) != type) {
> + if (type == X86_BR_NONE || (br_sel & type) != type ||
> + (!(br_sel & X86_BR_KERNEL) && kernel_ip(cpuc->lbr_entries[i].from))) {
[Severity: High]
This isn't a bug introduced by this patch, but does the AMD Branch Record
Sampling (BRS) software filter share this exact same logic flaw?
Looking at arch/x86/events/amd/brs.c:amd_brs_match_plm():
if (!(type & plm_k) && kernel_ip(to))
return false;
The software privilege filter evaluates only the target address (to) but
fails to validate the source address (from). When amd_brs_drain() reads
the unfiltered kernel 'from' address:
rdmsrq(brs_from(brs_idx), from);
Could this allow kernel-to-user transitions to pass and leak kernel addresses
when PERF_SAMPLE_BRANCH_USER is requested?
[Severity: High]
This is also a pre-existing issue not introduced by this patch, but does the
Intel LBR software filter have the same vulnerability?
Looking at arch/x86/events/intel/lbr.c:intel_pmu_lbr_filter():
to_plm = kernel_ip(to) ? X86_BR_KERNEL : X86_BR_USER;
type = arch_lbr_br_type_map[type] | to_plm;
The branch type's privilege level is determined exclusively by the target
address (to), ignoring the source address (from). When it checks the type
later in the same function:
if (type == X86_BR_NONE || (br_sel & type) != type) {
cpuc->lbr_entries[i].from = 0;
compress = true;
}
It seems this would also fail to filter out kernel-to-user branches when
PERF_SAMPLE_BRANCH_USER is requested. Should similar software filtering
be applied there to validate the branch-from addresses?
> cpuc->lbr_entries[i].from = 0; /* mark invalid */
> compress = true;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/a898a29725f6b2f30518354cdc2e432db66c43cf.1783680119.git.sandipan.das@amd.com?part=1
prev parent reply other threads:[~2026-07-10 11:02 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 10:45 [PATCH] perf/x86/amd/lbr: Fix kernel address leakage Sandipan Das
2026-07-10 11:02 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710110235.F3FD81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sandipan.das@amd.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox