Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3322831pxf;
        Mon, 15 Mar 2021 07:07:48 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzgx6ZxQkUmLRt3+MYNrLUd8+Wsp42O8/ZH8mf281IbvIQer5NOK0RxEDq1ibndk5MPBb59
X-Received: by 2002:aa7:d492:: with SMTP id b18mr29971385edr.381.1615817268438;
        Mon, 15 Mar 2021 07:07:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1615817268; cv=none;
        d=google.com; s=arc-20160816;
        b=NAs7dfOxy3sQuniSzi5G7kYU6fLTmw0Ox36donOTrc8t4k3o1oon1s+23bhHNNpxGA
         CUp3Jyd2EAC7zW83LGBmwgATENYqoMGMfyjDMIkvfGe4A6PLE3NhVyWIz3jP1heu3SKt
         dSDu8Q4UEkuc1ZsNTJxcrIgQGnxgGUtipq2ul+vskyy1c+cnOqnWPt5ZmUdD34gsTZXj
         /LMtx9pu89P4R7IZ8w/WjPlDkOflUuQd2h79+62NV1gOZXxiCRb3KJTAcHYByqN+AZ2n
         r4s5I6vPsky8Yt9yX3X1JR6GMyYO2Tqdq0BZyqMXr2KRwku9zzyeI4sAL7BGmmaABrsp
         20mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ib5JIygW4RvV1JMSLzwG7/G8gaxOo0hWyNaHzG6C0b8=;
        b=1EU4z/zyYzQS/pZUcLEWk+Ae8reygJ2BBSGJp67++PkteDhae+1RQP1QbocpO/Ys4U
         XelN0S8qu06YQmp7hycPRB5mpfBuNa0ldhmCL5Ihv1ifGx9m7NWtxuczrYw4rv7WIqbP
         BbyBVPKB/V3rzxz7Jk3mI5mheMxcsYcBg4LyfEAkxnTa9b9lRAFgoIpC5mqdi4v1RJXf
         zoUPsbM1klq4oxc1xslelse6XGoD/5z4fj8Skg2MMvCcytBqmgpdDy4pwkO2rONQwC1x
         nL0qqQ8tHg/6eSMC7mK9cXvdWdJDS83dgpCwzCESXagK1qnchm7qWoo+gm82NypQGG63
         BWAg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GErHTz4n;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id hq26si10539044ejc.213.2021.03.15.07.07.25;
        Mon, 15 Mar 2021 07:07:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GErHTz4n;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231925AbhCOOAo (ORCPT <rfc822;maagaton03@gmail.com> + 99 others);
        Mon, 15 Mar 2021 10:00:44 -0400
Received: from mail.kernel.org ([198.145.29.99]:33034 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231913AbhCON4V (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Mar 2021 09:56:21 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id BFC7464EED;
        Mon, 15 Mar 2021 13:56:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1615816581;
        bh=StBBSV6AP0vwuLHnC9FhZptQWuyAQmN3bb/ttQvpVQ8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=GErHTz4n7NaotomHw0+uv8bQFAF2O0vwH1yUQ9A2FetASC/21L9nH75mykmFc2TGY
         Y4YLtJqzt+yr1rfBRhhNGaRoIea2G7cLwjm2mKilSIeAfOI5rRICgG1h7DlOVwBjR8
         jU+HkewMP6CQ7eWaiGsrmx38dMgqrv4Kx5/+xDFg=
From:   gregkh@linuxfoundation.org
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Michael Ellerman <mpe@ellerman.id.au>,
        Athira Rajeev <atrajeev@linux.vnet.ibm.com>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>
Subject: [PATCH 5.11 003/306] powerpc/perf: Fix handling of privilege level checks in perf interrupt context
Date:   Mon, 15 Mar 2021 14:51:06 +0100
Message-Id: <20210315135507.737329349@linuxfoundation.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210315135507.611436477@linuxfoundation.org>
References: <20210315135507.611436477@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>

commit 5ae5fbd2107959b68ac69a8b75412208663aea88 upstream.

Running "perf mem record" in powerpc platforms with selinux enabled
resulted in soft lockup's. Below call-trace was seen in the logs:

  CPU: 58 PID: 3751 Comm: sssd_nss Not tainted 5.11.0-rc7+ #2
  NIP:  c000000000dff3d4 LR: c000000000dff3d0 CTR: 0000000000000000
  REGS: c000007fffab7d60 TRAP: 0100   Not tainted  (5.11.0-rc7+)
  ...
  NIP _raw_spin_lock_irqsave+0x94/0x120
  LR  _raw_spin_lock_irqsave+0x90/0x120
  Call Trace:
    0xc00000000fd47260 (unreliable)
    skb_queue_tail+0x3c/0x90
    audit_log_end+0x6c/0x180
    common_lsm_audit+0xb0/0xe0
    slow_avc_audit+0xa4/0x110
    avc_has_perm+0x1c4/0x260
    selinux_perf_event_open+0x74/0xd0
    security_perf_event_open+0x68/0xc0
    record_and_restart+0x6e8/0x7f0
    perf_event_interrupt+0x22c/0x560
    performance_monitor_exception0x4c/0x60
    performance_monitor_common_virt+0x1c8/0x1d0
  interrupt: f00 at _raw_spin_lock_irqsave+0x38/0x120
  NIP:  c000000000dff378 LR: c000000000b5fbbc CTR: c0000000007d47f0
  REGS: c00000000fd47860 TRAP: 0f00   Not tainted  (5.11.0-rc7+)
  ...
  NIP _raw_spin_lock_irqsave+0x38/0x120
  LR  skb_queue_tail+0x3c/0x90
  interrupt: f00
    0x38 (unreliable)
    0xc00000000aae6200
    audit_log_end+0x6c/0x180
    audit_log_exit+0x344/0xf80
    __audit_syscall_exit+0x2c0/0x320
    do_syscall_trace_leave+0x148/0x200
    syscall_exit_prepare+0x324/0x390
    system_call_common+0xfc/0x27c

The above trace shows that while the CPU was handling a performance
monitor exception, there was a call to security_perf_event_open()
function. In powerpc core-book3s, this function is called from
perf_allow_kernel() check during recording of data address in the
sample via perf_get_data_addr().

Commit da97e18458fb ("perf_event: Add support for LSM and SELinux
checks") introduced security enhancements to perf. As part of this
commit, the new security hook for perf_event_open() was added in all
places where perf paranoid check was previously used. In powerpc
core-book3s code, originally had paranoid checks in
perf_get_data_addr() and power_pmu_bhrb_read(). So
perf_paranoid_kernel() checks were replaced with perf_allow_kernel()
in these PMU helper functions as well.

The intention of paranoid checks in core-book3s was to verify
privilege access before capturing some of the sample data. Along with
paranoid checks, perf_allow_kernel() also does a
security_perf_event_open(). Since these functions are accessed while
recording a sample, we end up calling selinux_perf_event_open() in PMI
context. Some of the security functions use spinlock like
sidtab_sid2str_put(). If a perf interrupt hits under a spin lock and
if we end up in calling selinux hook functions in PMI handler, this
could cause a dead lock.

Since the purpose of this security hook is to control access to
perf_event_open(), it is not right to call this in interrupt context.

The paranoid checks in powerpc core-book3s were done at interrupt time
which is also not correct.

Reference commits:
  Commit cd1231d7035f ("powerpc/perf: Prevent kernel address leak via perf_get_data_addr()")
  Commit bb19af816025 ("powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer")

We only allow creation of events that have already passed the
privilege checks in perf_event_open(). So these paranoid checks are
not needed at event time. As a fix, patch uses
'event->attr.exclude_kernel' check to prevent exposing kernel address
for userspace only sampling.

Fixes: cd1231d7035f ("powerpc/perf: Prevent kernel address leak via perf_get_data_addr()")
Cc: stable@vger.kernel.org # v4.17+
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1614247839-1428-1-git-send-email-atrajeev@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/perf/core-book3s.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -212,7 +212,7 @@ static inline void perf_get_data_addr(st
 	if (!(mmcra & MMCRA_SAMPLE_ENABLE) || sdar_valid)
 		*addrp = mfspr(SPRN_SDAR);
 
-	if (is_kernel_addr(mfspr(SPRN_SDAR)) && perf_allow_kernel(&event->attr) != 0)
+	if (is_kernel_addr(mfspr(SPRN_SDAR)) && event->attr.exclude_kernel)
 		*addrp = 0;
 }
 
@@ -506,7 +506,7 @@ static void power_pmu_bhrb_read(struct p
 			 * addresses, hence include a check before filtering code
 			 */
 			if (!(ppmu->flags & PPMU_ARCH_31) &&
-				is_kernel_addr(addr) && perf_allow_kernel(&event->attr) != 0)
+			    is_kernel_addr(addr) && event->attr.exclude_kernel)
 				continue;
 
 			/* Branches are read most recent first (ie. mfbhrb 0 is