lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1716990659-2427-1-git-send-email-george.kennedy@oracle.com>
Date: Wed, 29 May 2024 08:50:59 -0500
From: George Kennedy <george.kennedy@...cle.com>
To: peterz@...radead.org, mingo@...hat.com, acme@...nel.org,
        namhyung@...nel.org, mark.rutland@....com,
        alexander.shishkin@...ux.intel.com, jolsa@...nel.org,
        irogers@...gle.com, adrian.hunter@...el.com, kan.liang@...ux.intel.com,
        tglx@...utronix.de, bp@...en8.de, dave.hansen@...ux.intel.com,
        x86@...nel.org, hpa@...or.com, linux-perf-users@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc: george.kennedy@...cle.com, harshit.m.mogalapalli@...cle.com
Subject: [PATCH] perf/x86/amd: check event before enable to avoid GPF

Events can be deleted and the entry can be NULL.
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.

Syzkaller reported a GPF in amd_pmu_enable_all.

INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.170
    msecs
perf: interrupt took too long (191950 > 156435), lowering
    kernel.perf_event_max_sample_rate to 1000
Oops: general protection fault, probably for non-canonical address
    0xdffffc0000000034: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]

Call Trace:
 <IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:1341)
x86_pmu_enable (arch/x86/events/core.c:1276 arch/x86/events/core.c:1335)
__pmu_ctx_sched_out (kernel/events/core.c:8314 (discriminator 1))
ctx_sched_out (kernel/events/core.c:8328)
__perf_install_in_context (kernel/events/core.c:6235)
remote_function (./arch/x86/include/asm/atomic64_64.h:20)
__flush_smp_call_function_queue (kernel/smp.c:189 (discriminator 20)
    kernel/smp.c:197 (discriminator 20) kernel/smp.c:540 (discriminator 20))
__sysvec_call_function_single (arch/x86/kernel/smp.c:193 (discriminator 1))
sysvec_call_function_single (lib/maple_tree.c:3155 (discriminator 2))
asm_sysvec_call_function_single (./arch/x86/include/asm/idtentry.h:709)

Reported-by: syzkaller <syzkaller@...glegroups.com>
Signed-off-by: George Kennedy <george.kennedy@...cle.com>
---
 arch/x86/events/amd/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
index 1fc4ce44e743..0ead72d3e206 100644
--- a/arch/x86/events/amd/core.c
+++ b/arch/x86/events/amd/core.c
@@ -760,7 +760,8 @@ static void amd_pmu_enable_all(int added)
 		if (!test_bit(idx, cpuc->active_mask))
 			continue;
 
-		amd_pmu_enable_event(cpuc->events[idx]);
+		if (cpuc->events[idx])
+			amd_pmu_enable_event(cpuc->events[idx]);
 	}
 }
 
-- 
2.39.3


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ