| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-52839: drivers: perf: Do not broadcast to other cpus when starting a counter |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| drivers: perf: Do not broadcast to other cpus when starting a counter |
| |
| This command: |
| |
| $ perf record -e cycles:k -e instructions:k -c 10000 -m 64M dd if=/dev/zero of=/dev/null count=1000 |
| |
| gives rise to this kernel warning: |
| |
| [ 444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436 |
| [ 444.364515] Modules linked in: |
| [ 444.364657] CPU: 0 PID: 104 Comm: perf-exec Not tainted 6.6.0-rc6-00051-g391df82e8ec3-dirty #73 |
| [ 444.364771] Hardware name: riscv-virtio,qemu (DT) |
| [ 444.364868] epc : smp_call_function_many_cond+0x42c/0x436 |
| [ 444.364917] ra : on_each_cpu_cond_mask+0x20/0x32 |
| [ 444.364948] epc : ffffffff8009f9e0 ra : ffffffff8009fa5a sp : ff20000000003800 |
| [ 444.364966] gp : ffffffff81500aa0 tp : ff60000002b83000 t0 : ff200000000038c0 |
| [ 444.364982] t1 : ffffffff815021f0 t2 : 000000000000001f s0 : ff200000000038b0 |
| [ 444.364998] s1 : ff60000002c54d98 a0 : ff60000002a73940 a1 : 0000000000000000 |
| [ 444.365013] a2 : 0000000000000000 a3 : 0000000000000003 a4 : 0000000000000100 |
| [ 444.365029] a5 : 0000000000010100 a6 : 0000000000f00000 a7 : 0000000000000000 |
| [ 444.365044] s2 : 0000000000000000 s3 : ffffffffffffffff s4 : ff60000002c54d98 |
| [ 444.365060] s5 : ffffffff81539610 s6 : ffffffff80c20c48 s7 : 0000000000000000 |
| [ 444.365075] s8 : 0000000000000000 s9 : 0000000000000001 s10: 0000000000000001 |
| [ 444.365090] s11: ffffffff80099394 t3 : 0000000000000003 t4 : 00000000eac0c6e6 |
| [ 444.365104] t5 : 0000000400000000 t6 : ff60000002e010d0 |
| [ 444.365120] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 |
| [ 444.365226] [<ffffffff8009f9e0>] smp_call_function_many_cond+0x42c/0x436 |
| [ 444.365295] [<ffffffff8009fa5a>] on_each_cpu_cond_mask+0x20/0x32 |
| [ 444.365311] [<ffffffff806e90dc>] pmu_sbi_ctr_start+0x7a/0xaa |
| [ 444.365327] [<ffffffff806e880c>] riscv_pmu_start+0x48/0x66 |
| [ 444.365339] [<ffffffff8012111a>] perf_adjust_freq_unthr_context+0x196/0x1ac |
| [ 444.365356] [<ffffffff801237aa>] perf_event_task_tick+0x78/0x8c |
| [ 444.365368] [<ffffffff8003faf4>] scheduler_tick+0xe6/0x25e |
| [ 444.365383] [<ffffffff8008a042>] update_process_times+0x80/0x96 |
| [ 444.365398] [<ffffffff800991ec>] tick_sched_handle+0x26/0x52 |
| [ 444.365410] [<ffffffff800993e4>] tick_sched_timer+0x50/0x98 |
| [ 444.365422] [<ffffffff8008a6aa>] __hrtimer_run_queues+0x126/0x18a |
| [ 444.365433] [<ffffffff8008b350>] hrtimer_interrupt+0xce/0x1da |
| [ 444.365444] [<ffffffff806cdc60>] riscv_timer_interrupt+0x30/0x3a |
| [ 444.365457] [<ffffffff8006afa6>] handle_percpu_devid_irq+0x80/0x114 |
| [ 444.365470] [<ffffffff80065b82>] generic_handle_domain_irq+0x1c/0x2a |
| [ 444.365483] [<ffffffff8045faec>] riscv_intc_irq+0x2e/0x46 |
| [ 444.365497] [<ffffffff808a9c62>] handle_riscv_irq+0x4a/0x74 |
| [ 444.365521] [<ffffffff808aa760>] do_irq+0x7c/0x7e |
| [ 444.365796] ---[ end trace 0000000000000000 ]--- |
| |
| That's because the fix in commit 3fec323339a4 ("drivers: perf: Fix panic |
| in riscv SBI mmap support") was wrong since there is no need to broadcast |
| to other cpus when starting a counter, that's only needed in mmap when |
| the counters could have already been started on other cpus, so simply |
| remove this broadcast. |
| |
| The Linux kernel CVE team has assigned CVE-2023-52839 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.6 with commit 3fec323339a4a9801a54e8b282eb571965b67b23 and fixed in 6.6.2 with commit 85be1a73fd298ed3fd060dfce97caef5f9928c57 |
| Issue introduced in 6.6 with commit 3fec323339a4a9801a54e8b282eb571965b67b23 and fixed in 6.7 with commit 61e3d993c8bd3e80f8f1363ed5e04f88ab531b72 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-52839 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/perf/riscv_pmu_sbi.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/85be1a73fd298ed3fd060dfce97caef5f9928c57 |
| https://git.kernel.org/stable/c/61e3d993c8bd3e80f8f1363ed5e04f88ab531b72 |
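
The following triage helper is an added example, not part of the advisory or of the kernel sources: it scans kernel log lines for the warning shown in the Description (a `smp_call_function_many_cond` warning whose call trace includes both `on_each_cpu_cond_mask` and `pmu_sbi_ctr_start`) and checks a release string against the upstream range listed under "Affected and fixed versions". The function names, the second sample warning and its `example_other_caller` frame are constructed for illustration.

```python
import re

WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at kernel/smp\.c:\d+ smp_call_function_many_cond")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (\w+)\+0x")
REQUIRED = {"on_each_cpu_cond_mask", "pmu_sbi_ctr_start"}  # frames named in the advisory's trace

def find_warnings(lines):
    """Return the start index of every WARNING block whose call trace has all REQUIRED frames."""
    hits, start, frames = [], None, set()
    for i, line in enumerate(list(lines) + ["---[ end trace"]):  # sentinel flushes a truncated log
        # A new WARNING or an end-trace marker closes the block currently being collected.
        if start is not None and (WARN_RE.search(line) or "---[ end trace" in line):
            if REQUIRED <= frames:
                hits.append(start)
            start = None
        if WARN_RE.search(line):
            start, frames = i, set()
        elif start is not None and (m := FRAME_RE.search(line)):
            frames.add(m.group(1))
    return hits

def in_affected_range(release):
    """True for upstream 6.6 and 6.6.1: introduced in 6.6, fixed in 6.6.2 and 6.7.

    Coarse check only: -rc and vendor kernels need the commit ids from the advisory,
    and only systems using drivers/perf/riscv_pmu_sbi.c are concerned.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    version = tuple(int(g or 0) for g in m.groups())
    return (6, 6, 0) <= version < (6, 6, 2)

# Excerpt of the advisory's trace, followed by a constructed unrelated warning (hypothetical frame).
SAMPLE = """\
[ 444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436
[ 444.365226] [<ffffffff8009f9e0>] smp_call_function_many_cond+0x42c/0x436
[ 444.365295] [<ffffffff8009fa5a>] on_each_cpu_cond_mask+0x20/0x32
[ 444.365311] [<ffffffff806e90dc>] pmu_sbi_ctr_start+0x7a/0xaa
[ 444.365796] ---[ end trace 0000000000000000 ]---
[ 500.000001] WARNING: CPU: 1 PID: 7 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436
[ 500.000002] [<ffffffff8009fa5a>] on_each_cpu_cond_mask+0x20/0x32
[ 500.000003] [<ffffffff80000000>] example_other_caller+0x10/0x20
""".splitlines()

if __name__ == "__main__":
    print("matching warnings start at lines:", find_warnings(SAMPLE))
    print("6.6.1 in affected range:", in_affected_range("6.6.1"))
```

A match in the log is stronger evidence than the version check alone, since backports can fix a kernel whose release string still falls inside the range.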