* [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent
@ 2016-09-15 15:13 Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Ingo Molnar, linux-kernel, vince, eranian,
Arnaldo Carvalho de Melo, Alexander Shishkin
Hi again,
Apologies for the botched recipient list in the previous one. So I
moved the virt_addr_valid() inside pt.c as well to save cycles in the
LBR code.
These are 3 bugs that Adrian found; all 3 seem like good -stable
candidates.
Alexander Shishkin (3):
perf/x86/intel/pt: Fix an off-by-one in address filter configuration
perf/x86/intel/pt: Fix kernel address filter's offset validation
perf/x86/intel/pt: Do validate the size of a kernel address filter
arch/x86/events/intel/pt.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--
2.9.3
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration 2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin @ 2016-09-15 15:13 ` Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin 2 siblings, 1 reply; 7+ messages in thread From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw) To: Peter Zijlstra Cc: Ingo Molnar, linux-kernel, vince, eranian, Arnaldo Carvalho de Melo, Alexander Shishkin, stable PT address filter configuration requires that a range is specified by its first and last address, but at the moment we're obtaining the end of the range by adding user specified size to its start, which is off by one from what it actually needs to be. Fix this and make sure that zero-sized filters don't pass the filter validation. Cc: stable@vger.kernel.org # v4.7 Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> --- arch/x86/events/intel/pt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 04bb5fb5a8..5ec0100e3f 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters) list_for_each_entry(filter, filters, entry) { /* PT doesn't support single address triggers */ - if (!filter->range) + if (!filter->range || !filter->size) return -EOPNOTSUPP; if (!filter->inode && !kernel_ip(filter->offset)) @@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(struct perf_event *event) } else { /* apply the offset */ msr_a = filter->offset + offs[range]; - msr_b = filter->size + msr_a; + msr_b = filter->size + msr_a - 1; } filters->filter[range].msr_a = msr_a; -- 2.9.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Fix an off-by-one in address filter configuration 2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin @ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin 0 siblings, 0 replies; 7+ messages in thread From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw) To: linux-tip-commits Cc: eranian, mingo, acme, a.p.zijlstra, tglx, adrian.hunter, hpa, vincent.weaver, alexander.shishkin, torvalds, peterz, acme, linux-kernel, jolsa Commit-ID: 95f60084acbcee6c466256cf26eb52191fad9edc Gitweb: http://git.kernel.org/tip/95f60084acbcee6c466256cf26eb52191fad9edc Author: Alexander Shishkin <alexander.shishkin@linux.intel.com> AuthorDate: Thu, 15 Sep 2016 18:13:50 +0300 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Fri, 16 Sep 2016 11:14:16 +0200 perf/x86/intel/pt: Fix an off-by-one in address filter configuration PT address filter configuration requires that a range is specified by its first and last address, but at the moment we're obtaining the end of the range by adding user specified size to its start, which is off by one from what it actually needs to be. Fix this and make sure that zero-sized filters don't pass the filter validation. Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Stephane Eranian <eranian@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vince Weaver <vincent.weaver@maine.edu> Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/events/intel/pt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 04bb5fb..5ec0100 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters) list_for_each_entry(filter, filters, entry) { /* PT doesn't support single address triggers */ - if (!filter->range) + if (!filter->range || !filter->size) return -EOPNOTSUPP; if (!filter->inode && !kernel_ip(filter->offset)) @@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(struct perf_event *event) } else { /* apply the offset */ msr_a = filter->offset + offs[range]; - msr_b = filter->size + msr_a; + msr_b = filter->size + msr_a - 1; } filters->filter[range].msr_a = msr_a; ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation 2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin @ 2016-09-15 15:13 ` Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin 2 siblings, 1 reply; 7+ messages in thread From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw) To: Peter Zijlstra Cc: Ingo Molnar, linux-kernel, vince, eranian, Arnaldo Carvalho de Melo, Alexander Shishkin, stable The kernel_ip() filter is used mostly by the DS/LBR code to look at the branch addresses, but Intel PT also uses it to validate the address filter offsets for kernel addresses, for which it is not sufficient: supplying something in bits 64:48 that's not a sign extension of the lower address bits (like 0xf00d000000000000) throws a #GP. This patch adds address validation for the user supplied kernel filters. Cc: stable@vger.kernel.org # v4.7 Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> --- arch/x86/events/intel/pt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 5ec0100e3f..1f94963a28 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct perf_event *event) event->hw.addr_filters = NULL; } +static inline bool valid_kernel_ip(unsigned long ip) +{ + return virt_addr_valid(ip) && kernel_ip(ip); +} + static int pt_event_addr_filters_validate(struct list_head *filters) { struct perf_addr_filter *filter; @@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters) if (!filter->range || !filter->size) return -EOPNOTSUPP; - if (!filter->inode && !kernel_ip(filter->offset)) + if (!filter->inode && !valid_kernel_ip(filter->offset)) return -EINVAL; if (++range > pt_cap_get(PT_CAP_num_address_ranges)) -- 2.9.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Fix kernel address filter's offset validation 2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin @ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin 0 siblings, 0 replies; 7+ messages in thread From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw) To: linux-tip-commits Cc: linux-kernel, acme, tglx, jolsa, hpa, a.p.zijlstra, peterz, eranian, acme, vincent.weaver, alexander.shishkin, torvalds, adrian.hunter, mingo Commit-ID: ddfdad991e55b65c1cc4ee29502f6dceee04455a Gitweb: http://git.kernel.org/tip/ddfdad991e55b65c1cc4ee29502f6dceee04455a Author: Alexander Shishkin <alexander.shishkin@linux.intel.com> AuthorDate: Thu, 15 Sep 2016 18:13:51 +0300 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Fri, 16 Sep 2016 11:14:16 +0200 perf/x86/intel/pt: Fix kernel address filter's offset validation The kernel_ip() filter is used mostly by the DS/LBR code to look at the branch addresses, but Intel PT also uses it to validate the address filter offsets for kernel addresses, for which it is not sufficient: supplying something in bits 64:48 that's not a sign extension of the lower address bits (like 0xf00d000000000000) throws a #GP. This patch adds address validation for the user supplied kernel filters. Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Stephane Eranian <eranian@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vince Weaver <vincent.weaver@maine.edu> Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/events/intel/pt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 5ec0100..1f94963 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct perf_event *event) event->hw.addr_filters = NULL; } +static inline bool valid_kernel_ip(unsigned long ip) +{ + return virt_addr_valid(ip) && kernel_ip(ip); +} + static int pt_event_addr_filters_validate(struct list_head *filters) { struct perf_addr_filter *filter; @@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters) if (!filter->range || !filter->size) return -EOPNOTSUPP; - if (!filter->inode && !kernel_ip(filter->offset)) + if (!filter->inode && !valid_kernel_ip(filter->offset)) return -EINVAL; if (++range > pt_cap_get(PT_CAP_num_address_ranges)) ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter 2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin @ 2016-09-15 15:13 ` Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin 2 siblings, 1 reply; 7+ messages in thread From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw) To: Peter Zijlstra Cc: Ingo Molnar, linux-kernel, vince, eranian, Arnaldo Carvalho de Melo, Alexander Shishkin, stable Right now, the kernel address filters in PT are prone to integer overflow that may happen in adding filter's size to its offset to obtain the end of the range. Such an overflow would also throw a #GP in the PT event configuration path. Fix this by explicitly validating the result of this calculation. Cc: stable@vger.kernel.org # v4.7 Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> --- arch/x86/events/intel/pt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 1f94963a28..861a7d9cb6 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validate(struct list_head *filters) if (!filter->range || !filter->size) return -EOPNOTSUPP; - if (!filter->inode && !valid_kernel_ip(filter->offset)) - return -EINVAL; + if (!filter->inode) { + if (!valid_kernel_ip(filter->offset)) + return -EINVAL; + + if (!valid_kernel_ip(filter->offset + filter->size)) + return -EINVAL; + } if (++range > pt_cap_get(PT_CAP_num_address_ranges)) return -EOPNOTSUPP; -- 2.9.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Do validate the size of a kernel address filter 2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin @ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin 0 siblings, 0 replies; 7+ messages in thread From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw) To: linux-tip-commits Cc: linux-kernel, jolsa, eranian, hpa, mingo, acme, a.p.zijlstra, alexander.shishkin, peterz, vincent.weaver, adrian.hunter, torvalds, tglx, acme Commit-ID: 1155bafcb79208abc6ae234c6e135ac70607755c Gitweb: http://git.kernel.org/tip/1155bafcb79208abc6ae234c6e135ac70607755c Author: Alexander Shishkin <alexander.shishkin@linux.intel.com> AuthorDate: Thu, 15 Sep 2016 18:13:52 +0300 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Fri, 16 Sep 2016 11:14:16 +0200 perf/x86/intel/pt: Do validate the size of a kernel address filter Right now, the kernel address filters in PT are prone to integer overflow that may happen in adding filter's size to its offset to obtain the end of the range. Such an overflow would also throw a #GP in the PT event configuration path. Fix this by explicitly validating the result of this calculation. Reported-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Stephane Eranian <eranian@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vince Weaver <vincent.weaver@maine.edu> Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/events/intel/pt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index 1f94963..861a7d9 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validate(struct list_head *filters) if (!filter->range || !filter->size) return -EOPNOTSUPP; - if (!filter->inode && !valid_kernel_ip(filter->offset)) - return -EINVAL; + if (!filter->inode) { + if (!valid_kernel_ip(filter->offset)) + return -EINVAL; + + if (!valid_kernel_ip(filter->offset + filter->size)) + return -EINVAL; + } if (++range > pt_cap_get(PT_CAP_num_address_ranges)) return -EOPNOTSUPP; ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-09-16 11:59 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin 2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin 2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox