From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Michael Ellerman", "Ravi Bangoria", "Naveen N. Rao"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 111/254] powerpc/perf: Dereference BHRB entries safely

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ravi Bangoria

commit f41d84dddc66b164ac16acf3f584c276146f1c48 upstream.

It's theoretically possible that branch instructions recorded in
BHRB (Branch History Rolling Buffer) entries have already been
unmapped before they are processed by the kernel. Hence, trying to
dereference such a memory location will result in a crash. eg:

    Unable to handle kernel paging request for data at address 0xd000000019c41764
    Faulting instruction address: 0xc000000000084a14
    NIP [c000000000084a14] branch_target+0x4/0x70
    LR [c0000000000eb828] record_and_restart+0x568/0x5c0
    Call Trace:
    [c0000000000eb3b4] record_and_restart+0xf4/0x5c0 (unreliable)
    [c0000000000ec378] perf_event_interrupt+0x298/0x460
    [c000000000027964] performance_monitor_exception+0x54/0x70
    [c000000000009ba4] performance_monitor_common+0x114/0x120

Fix it by dereferencing the addresses safely.

Fixes: 691231846ceb ("powerpc/perf: Fix setting of "to" addresses for BHRB")
Suggested-by: Naveen N. Rao
Signed-off-by: Ravi Bangoria
Reviewed-by: Naveen N. Rao
[mpe: Use probe_kernel_read() which is clearer, tweak change log]
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
 arch/powerpc/perf/core-book3s.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/perf/core-book3s.c +++ b/arch/powerpc/perf/core-book3s.c @@ -391,8 +391,12 @@ static __u64 power_pmu_bhrb_to(u64 addr) int ret; __u64 target; - if (is_kernel_addr(addr)) - return branch_target((unsigned int *)addr); + if (is_kernel_addr(addr)) { + if (probe_kernel_read(&instr, (void *)addr, sizeof(instr))) + return 0; + + return branch_target(&instr); + } /* Userspace: need copy instruction here then translate it */ pagefault_disable();
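
Review bot: In the is_kernel_addr() branch, the new "return 0" taken when probe_kernel_read() fails has no comment saying why the read can fail or what a zero target means to the caller. A one-line comment there, stating that the recorded branch instruction may already have been unmapped (as the changelog describes), would keep the reason next to the code, in the same way the "Userspace: need copy instruction here then translate it" comment documents the path below. The hunk also uses instr without declaring it, so the 3.16 backport should confirm that instr is already declared in power_pmu_bhrb_to() with the type branch_target() expects, given that the removed line passed "(unsigned int *)addr".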