Open Source and information security mailing list archives
 
Message-ID: <20251213120601.GQ3911114@noisy.programming.kicks-ass.net>
Date: Sat, 13 Dec 2025 13:06:01 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: linux-kernel@...r.kernel.org
Cc: linux-tip-commits@...r.kernel.org, kitta <kitta@...ux.alibaba.com>,
	Evan Li <evan.li@...ux.alibaba.com>, Ingo Molnar <mingo@...nel.org>,
	x86@...nel.org
Subject: Re: [tip: perf/urgent] perf/x86/intel: Fix NULL event dereference
 crash in handle_pmi_common()

On Fri, Dec 12, 2025 at 09:04:41AM -0000, tip-bot2 for Evan Li wrote:
> The following commit has been merged into the perf/urgent branch of tip:
> 
> Commit-ID:     9415f749d34b926b9e4853da1462f4d941f89a0d
> Gitweb:        https://git.kernel.org/tip/9415f749d34b926b9e4853da1462f4d941f89a0d
> Author:        Evan Li <evan.li@...ux.alibaba.com>
> AuthorDate:    Fri, 12 Dec 2025 16:49:43 +08:00
> Committer:     Ingo Molnar <mingo@...nel.org>
> CommitterDate: Fri, 12 Dec 2025 09:57:39 +01:00
> 
> perf/x86/intel: Fix NULL event dereference crash in handle_pmi_common()
> 
> handle_pmi_common() may observe an active bit set in cpuc->active_mask
> while the corresponding cpuc->events[] entry has already been cleared,
> which leads to a NULL pointer dereference.
> 
> This can happen when interrupt throttling stops all events in a group
> while PEBS processing is still in progress. perf_event_overflow() can
> trigger perf_event_throttle_group(), which stops the group and clears
> the cpuc->events[] entry, but the active bit may still be set when
> handle_pmi_common() iterates over the events.
> 
> The following recent fix:
> 
>   7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
> 
> moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and
> relied on cpuc->active_mask/pebs_enabled checks. However,
> handle_pmi_common() can still encounter a NULL cpuc->events[] entry
> despite the active bit being set.
> 
> Add an explicit NULL check on the event pointer before using it,
> to cover this legitimate scenario and avoid the NULL dereference crash.
> 
> Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
> Reported-by: kitta <kitta@...ux.alibaba.com>
> Co-developed-by: kitta <kitta@...ux.alibaba.com>
> Signed-off-by: Evan Li <evan.li@...ux.alibaba.com>
> Signed-off-by: Ingo Molnar <mingo@...nel.org>
> Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855
> ---
>  arch/x86/events/intel/core.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
> index 853fe07..bdf3f0d 100644
> --- a/arch/x86/events/intel/core.c
> +++ b/arch/x86/events/intel/core.c
> @@ -3378,6 +3378,9 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status)
>  
>  		if (!test_bit(bit, cpuc->active_mask))
>  			continue;
> +		/* Event may have already been cleared: */
> +		if (!event)
> +			continue;
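Review bot: the new check silently skips the counter but leaves the stale active_mask bit in place, so the same bit is hit and skipped again on every later PMI until something else clears it; if that state is really legitimate the comment should say where the bit gets cleared, and if it is not, a WARN_ON_ONCE() before the `continue;` would surface the ordering bug instead of hiding it. The commit message is also inconsistent about who clears the entry: it says perf_event_throttle_group() "stops the group and clears the cpuc->events[] entry", but also that 7e772a93eb61 moved that clearing from x86_pmu_stop() to x86_pmu_del(); the comment `/* Event may have already been cleared: */` should name the path that clears it.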

I still hate this commit -- it doesn't actually explain anything, at
best it papers over an issue elsewhere :-(
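
The state the commit message describes (an active_mask bit still set while the matching cpuc->events[] slot is already NULL) and what the added check does with it, as a constructed user-space model added here. This is not kernel code and not the patch author's code; the structures, the throttle_clear_event() and handle_overflows() helpers, and the two-PMI scenario are assumptions made for illustration only.

```c
/* Added example: simplified model of the active_mask / events[] mismatch.
 * Not kernel code; names mirror the patch, but everything here is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COUNTERS 8

struct event {
    int id;
    unsigned long overflows;
};

struct cpu_hw_events {
    uint64_t active_mask;               /* bit n set => counter n in use */
    struct event *events[MAX_COUNTERS]; /* owner of counter n, or NULL */
};

/* Assumed model of "stop the group and clear the events[] entry" without
 * touching active_mask, i.e. the ordering the commit message says throttling
 * can produce. */
static void throttle_clear_event(struct cpu_hw_events *cpuc, int bit)
{
    cpuc->events[bit] = NULL;
}

/* Assumed model of the PMI handler loop. `status` has one bit per overflowed
 * counter. Returns the number of events handled, or -1 where the real code
 * would dereference a NULL event. *skipped counts stale entries (active bit
 * set, pointer NULL) that the patch's check steps over. */
static int handle_overflows(struct cpu_hw_events *cpuc, uint64_t status,
                            bool null_check, int *skipped)
{
    int handled = 0;

    *skipped = 0;
    for (int bit = 0; bit < MAX_COUNTERS; bit++) {
        struct event *event = cpuc->events[bit];

        if (!(status & (1ULL << bit)))
            continue;
        if (!(cpuc->active_mask & (1ULL << bit)))
            continue;
        if (null_check && !event) {     /* the check the patch adds */
            (*skipped)++;
            continue;
        }
        if (!event)
            return -1;                  /* would be the NULL dereference */
        event->overflows++;
        handled++;
    }
    return handled;
}

/* Constructed scenario: two active counters, counter 1 throttled (owner
 * cleared, active bit left set), then two consecutive PMIs reporting both.
 * Returns -1 if the loop would crash, 0 otherwise; totals are summed over
 * both PMIs. */
static int run_scenario(bool null_check, int *handled_total, int *skipped_total)
{
    struct event a = { .id = 1, .overflows = 0 };
    struct event b = { .id = 2, .overflows = 0 };
    struct cpu_hw_events cpuc = { 0 };

    cpuc.events[0] = &a;
    cpuc.events[1] = &b;
    cpuc.active_mask = (1ULL << 0) | (1ULL << 1);

    throttle_clear_event(&cpuc, 1);

    *handled_total = 0;
    *skipped_total = 0;
    for (int pmi = 0; pmi < 2; pmi++) {
        int skipped;
        int handled = handle_overflows(&cpuc, 0x3, null_check, &skipped);

        if (handled < 0)
            return -1;
        *handled_total += handled;
        *skipped_total += skipped;
    }
    return 0;
}

int main(void)
{
    int h, s;

    printf("without check: %s\n",
           run_scenario(false, &h, &s) < 0 ? "NULL dereference" : "ok");
    run_scenario(true, &h, &s);
    printf("with check: handled=%d skipped=%d over 2 PMIs\n", h, s);
    return 0;
}
```

Without the check the first PMI reaches the NULL owner of counter 1, which is the crash the patch reports. With the check the loop survives, but the stale active bit is still there on the second PMI and is skipped again, which is the behaviour the "papers over an issue elsewhere" objection points at: the check hides the symptom and leaves the mismatch in place.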
