[thirdparty/kernel/stable-queue.git] / releases / 4.20.17 / perf-x86-intel-fix-memory-corruption.patch

From ede271b059463731cbd6dffe55ffd70d7dbe8392 Mon Sep 17 00:00:00 2001
From: Peter Zijlstra <peterz@infradead.org>
Date: Thu, 14 Mar 2019 14:01:14 +0100
Subject: perf/x86/intel: Fix memory corruption

From: Peter Zijlstra <peterz@infradead.org>

commit ede271b059463731cbd6dffe55ffd70d7dbe8392 upstream.

Through:

  validate_event()
    x86_pmu.get_event_constraints(.idx=-1)
      tfa_get_event_constraints()
        dyn_constraint()

cpuc->constraint_list[-1] is used, which is an obvious out-of-bound access.

In this case, simply skip the TFA constraint code, there is no event
constraint with just PMC3, therefore the code will never result in the
empty set.

Fixes: 400816f60c54 ("perf/x86/intel: Implement support for TSX Force Abort")
Reported-by: Tony Jones <tonyj@suse.com>
Reported-by: "DSouza, Nelson" <nelson.dsouza@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Tony Jones <tonyj@suse.com>
Tested-by: "DSouza, Nelson" <nelson.dsouza@intel.com>
Cc: eranian@google.com
Cc: jolsa@redhat.com
Cc: stable@kernel.org
Link: https://lkml.kernel.org/r/20190314130705.441549378@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3398,7 +3398,7 @@ tfa_get_event_constraints(struct cpu_hw_
 	/*
 	 * Without TFA we must not use PMC3.
 	 */
-	if (!allow_tsx_force_abort && test_bit(3, c->idxmsk)) {
+	if (!allow_tsx_force_abort && test_bit(3, c->idxmsk) && idx >= 0) {
 		c = dyn_constraint(cpuc, c, idx);
 		c->idxmsk64 &= ~(1ULL << 3);
 		c->weight--;
Commit	Line	Data
95777e06 GKH	1	From ede271b059463731cbd6dffe55ffd70d7dbe8392 Mon Sep 17 00:00:00 2001
	2	From: Peter Zijlstra <peterz@infradead.org>
	3	Date: Thu, 14 Mar 2019 14:01:14 +0100
	4	Subject: perf/x86/intel: Fix memory corruption
	5
	6	From: Peter Zijlstra <peterz@infradead.org>
	7
	8	commit ede271b059463731cbd6dffe55ffd70d7dbe8392 upstream.
	9
	10	Through:
	11
	12	validate_event()
	13	x86_pmu.get_event_constraints(.idx=-1)
	14	tfa_get_event_constraints()
	15	dyn_constraint()
	16
	17	cpuc->constraint_list[-1] is used, which is an obvious out-of-bound access.
	18
	19	In this case, simply skip the TFA constraint code, there is no event
	20	constraint with just PMC3, therefore the code will never result in the
	21	empty set.
	22
	23	Fixes: 400816f60c54 ("perf/x86/intel: Implement support for TSX Force Abort")
	24	Reported-by: Tony Jones <tonyj@suse.com>
	25	Reported-by: "DSouza, Nelson" <nelson.dsouza@intel.com>
	26	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
	27	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	28	Tested-by: Tony Jones <tonyj@suse.com>
	29	Tested-by: "DSouza, Nelson" <nelson.dsouza@intel.com>
	30	Cc: eranian@google.com
	31	Cc: jolsa@redhat.com
	32	Cc: stable@kernel.org
	33	Link: https://lkml.kernel.org/r/20190314130705.441549378@infradead.org
	34	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	35
	36	---
	37	arch/x86/events/intel/core.c \| 2 +-
	38	1 file changed, 1 insertion(+), 1 deletion(-)
	39
	40	--- a/arch/x86/events/intel/core.c
	41	+++ b/arch/x86/events/intel/core.c
	42	@@ -3398,7 +3398,7 @@ tfa_get_event_constraints(struct cpu_hw_
	43	/*
	44	* Without TFA we must not use PMC3.
	45	*/
	46	- if (!allow_tsx_force_abort && test_bit(3, c->idxmsk)) {
	47	+ if (!allow_tsx_force_abort && test_bit(3, c->idxmsk) && idx >= 0) {
	48	c = dyn_constraint(cpuc, c, idx);
	49	c->idxmsk64 &= ~(1ULL << 3);
	50	c->weight--;