Message-Id: <20190314130705.441549378@infradead.org>
Date: Thu, 14 Mar 2019 14:01:14 +0100
From: Peter Zijlstra
To: mingo@kernel.org, eranian@google.com, jolsa@redhat.com
Cc: linux-kernel@vger.kernel.org, tonyj@suse.com, nelson.dsouza@intel.com, peterz@infradead.org
Subject: [PATCH 1/8] perf/x86/intel: Fix memory corruption
References: <20190314130113.919278615@infradead.org>

Through:

  validate_event()
    x86_pmu.get_event_constraints(.idx=-1)
      tfa_get_event_constraints()
        dyn_constraint()

We use cpuc->constraint_list[-1], which is an obvious out-of-bound
access.

In this case, simply skip the TFA constraint code, there is no event
constraint with just PMC3, therefore the code will never result in the
empty set.

Reported-by: Tony Jones
Reported-by: "DSouza, Nelson"
Tested-by: Tony Jones
Tested-by: "DSouza, Nelson"
Cc: stable@kernel.org
Fixes: 400816f60c54 ("perf/x86/intel: Implement support for TSX Force Abort")
Signed-off-by: Peter Zijlstra (Intel)
--- arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -3410,7 +3410,7 @@ tfa_get_event_constraints(struct cpu_hw_ /* * Without TFA we must not use PMC3. */ - if (!allow_tsx_force_abort && test_bit(3, c->idxmsk)) { + if (!allow_tsx_force_abort && test_bit(3, c->idxmsk) && idx >= 0) { c = dyn_constraint(cpuc, c, idx); c->idxmsk64 &= ~(1ULL << 3); c->weight--;
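
Review bot: the comment above the changed condition in tfa_get_event_constraints() still reads only "Without TFA we must not use PMC3." and says nothing about the new "idx >= 0" term, so the reason a negative index skips the PMC3 masking lives only in the commit message. Extending that comment to state that idx is -1 on the validate_event() path, and that skipping is safe because no constraint consists of just PMC3, would keep a later cleanup from dropping the check. The guard is also placed in this caller rather than in dyn_constraint(cpuc, c, idx), which per the commit message is where cpuc->constraint_list[] gets indexed; if dyn_constraint() has other callers that can be reached with idx=-1, a check or warning on negative idx inside it would cover them as well.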