| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5e0926df-053e-4217-9141-5b1107363a89@linaro.org>
Date: Mon, 8 Sep 2025 15:48:19 +0100
From: James Clark <james.clark@...aro.org>
To: Alexandru Elisei <alexandru.elisei@....com>, Will Deacon <will@...nel.org>
Cc: Will Deacon <will@...nel.org>, Mark Rutland <mark.rutland@....com>,
Catalin Marinas <catalin.marinas@....com>,
Anshuman Khandual <Anshuman.Khandual@....com>,
Rob Herring <Rob.Herring@....com>, Suzuki Poulose <Suzuki.Poulose@....com>,
Robin Murphy <Robin.Murphy@....com>, linux-arm-kernel@...ts.infradead.org,
linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] perf: arm_spe: Add barrier before enabling profiling
buffer
On 08/07/2025 3:40 pm, Alexandru Elisei wrote:
> Hi James,
>
> On Tue, Jul 01, 2025 at 04:31:57PM +0100, James Clark wrote:
>> DEN0154 states that PMBPTR_EL1 must not be modified while the profiling
>> buffer is enabled. Ensure that enabling the buffer comes after setting
>> PMBPTR_EL1 by inserting an isb().
>>
>> This only applies to guests for now, but in future versions of the
>> architecture the PE will be allowed to behave in the same way.
>>
>> Fixes: d5d9696b0380 ("drivers/perf: Add support for ARMv8.2 Statistical Profiling Extension")
>
> A note on why I think this is a fix.
>
> The write to PMBLIMITR_EL1 serves two purposes: to enable the buffer and to set
> the limit for the new buffer. The statistical profiling unit (I'm calling it
> SPU) performs indirect reads of the registers. Without the ISB between the
> buffer pointer write and the write that enables + sets limit for the buffer, I
> think it's possible for the SPU to observe the PMBLIMITR_EL1 write before the
> PMBPTR_EL1 write. During this time, from the point of view of the SPU, the
> buffer is incorrectly programmed, and potentially the old PMBPTR_EL1.PTR > new
> PMBLIMITR_EL1.Limit.
>
> arm_spe_perf_aux_output_begin() can be called after sampling has been enabled
> (PMSCR_EL1.E1SPE = 1).
>
> Putting it all together, this means that we have all the conditions to break the
> restrictions on the current write pointer and the behaviour is UNPREDICTABLE, as
> per section D17.7.1, ARM DDI 0487L. I think it's worth pointing out that the SPU
> can do any of the folling in this situation: writing to any writable virtual
> address in the current owning translation regime (!), generate a profiling
> management event, discard all data or don't enable profiling.
D17.7.1, ARM DDI 0487L only states this is an issue at the point of
enabling, not writing:
"When profiling becomes enabled, all the following must be true..."
I think Will has a point that it's not enabled at this point and it only
gets enabled after some existing isb()s. This is only an issue if we're
following DEN0154 which seems to be more strict.
>
> Thanks,
> Alex
>
>> Signed-off-by: James Clark <james.clark@...aro.org>
>> ---
>> drivers/perf/arm_spe_pmu.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
>> index 3efed8839a4e..6235ca7ecd48 100644
>> --- a/drivers/perf/arm_spe_pmu.c
>> +++ b/drivers/perf/arm_spe_pmu.c
>> @@ -537,6 +537,7 @@ static void arm_spe_perf_aux_output_begin(struct perf_output_handle *handle,
>> limit += (u64)buf->base;
>> base = (u64)buf->base + PERF_IDX2OFF(handle->head, buf);
>> write_sysreg_s(base, SYS_PMBPTR_EL1);
>> + isb();
>>
>> out_write_limit:
>> write_sysreg_s(limit, SYS_PMBLIMITR_EL1);
>>
>> --
>> 2.34.1
>>
Powered by blists - more mailing lists