| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251009071217.GB4067720@noisy.programming.kicks-ass.net> Date: Thu, 9 Oct 2025 09:12:17 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Ravi Bangoria <ravi.bangoria@....com> Cc: George Kennedy <george.kennedy@...cle.com>, mingo@...hat.com, harshit.m.mogalapalli@...cle.com, acme@...nel.org, namhyung@...nel.org, mark.rutland@....com, alexander.shishkin@...ux.intel.com, jolsa@...nel.org, irogers@...gle.com, adrian.hunter@...el.com, kan.liang@...ux.intel.com, tglx@...utronix.de, bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org, dongli.zhang@...cle.com Subject: Re: [PATCH] [PATCH v2] perf/x86/amd: check event before enable to avoid GPF On Mon, Oct 07, 2024 at 12:13:56PM +0530, Ravi Bangoria wrote: > On 01-Oct-24 1:22 AM, George Kennedy wrote: > > On AMD machines cpuc->events[idx] can become NULL in a subtle race > > condition with NMI->throttle->x86_pmu_stop(). > > > > Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. > > This appears to be an AMD only issue. > > > > Syzkaller reported a GPF in amd_pmu_enable_all. > > > > INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 > > msecs > > Oops: general protection fault, probably for non-canonical address > > 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI > > KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] > > CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk > > RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 > > arch/x86/events/core.c:1430) > > RSP: 0018:ffff888118009d60 EFLAGS: 00010012 > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 > > RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 > > RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 > > R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 > > FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 > > Call Trace: > > <IRQ> > > amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) > > x86_pmu_enable (arch/x86/events/core.c:1360) > > event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 > > kernel/events/core.c:2346) > > __perf_remove_from_context (kernel/events/core.c:2435) > > event_function (kernel/events/core.c:259) > > remote_function (kernel/events/core.c:92 (discriminator 1) > > kernel/events/core.c:72 (discriminator 1)) > > __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 > > ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 > > kernel/smp.c:135 kernel/smp.c:540) > > __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 > > ./include/linux/jump_label.h:207 > > ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) > > sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) > > arch/x86/kernel/smp.c:266 (discriminator 47)) > > </IRQ> > > > > Reported-by: syzkaller <syzkaller@...glegroups.com> > > Signed-off-by: George Kennedy <george.kennedy@...cle.com> > > Peter, Ingo, > > I've been blocking this for quite some time without acting on it. Since > the patch is trivial and harmless, I'm giving an Ack here. However, the > underlying race condition is still unknown, so I will get back to it. > > Acked-by: Ravi Bangoria <ravi.bangoria@....com> Does this want a Fixes tag? If so, please reply to the v3 patch.
Powered by blists - more mailing lists