CVE-2022-50118

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable

commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") added a new function "pmi_irq_pending" in hw_irq.h. This function is to check if there is a PMI marked as pending in Paca (PACA_IRQ_PMI). This is used in power_pmu_disable in a WARN_ON. The intention here is to provide a warning if there is PMI pending, but no counter is found overflown.

During some of the perf runs, below warning is hit:

WARNING: CPU: 36 PID: 0 at arch/powerpc/perf/core-book3s.c:1332 power_pmu_disable+0x25c/0x2c0
Modules linked in:
-----

NIP [c000000000141c3c] power_pmu_disable+0x25c/0x2c0
LR [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0
Call Trace:
[c000000baffcfb90] [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 (unreliable)
[c000000baffcfc10] [c0000000003e2f8c] perf_pmu_disable+0x4c/0x60
[c000000baffcfc30] [c0000000003e3344] group_sched_out.part.124+0x44/0x100
[c000000baffcfc80] [c0000000003e353c] __perf_event_disable+0x13c/0x240
[c000000baffcfcd0] [c0000000003dd334] event_function+0xc4/0x140
[c000000baffcfd20] [c0000000003d855c] remote_function+0x7c/0xa0
[c000000baffcfd50] [c00000000026c394] flush_smp_call_function_queue+0xd4/0x300
[c000000baffcfde0] [c000000000065b24] smp_ipi_demux_relaxed+0xa4/0x100
[c000000baffcfe20] [c0000000000cb2b0] xive_muxed_ipi_action+0x20/0x40
[c000000baffcfe40] [c000000000207c3c] __handle_irq_event_percpu+0x8c/0x250
[c000000baffcfee0] [c000000000207e2c] handle_irq_event_percpu+0x2c/0xa0
[c000000baffcff10] [c000000000210a04] handle_percpu_irq+0x84/0xc0
[c000000baffcff40] [c000000000205f14] generic_handle_irq+0x54/0x80
[c000000baffcff60] [c000000000015740] __do_irq+0x90/0x1d0
[c000000baffcff90] [c000000000016990] __do_IRQ+0xc0/0x140
[c0000009732f3940] [c000000bafceaca8] 0xc000000bafceaca8
[c0000009732f39d0] [c000000000016b78] do_IRQ+0x168/0x1c0
[c0000009732f3a00] [c0000000000090c8] hardware_interrupt_common_virt+0x218/0x220

This means that there is no PMC overflown among the active events in the PMU, but there is a PMU pending in Paca. The function "any_pmc_overflown" checks the PMCs on active events in cpuhw->n_events. Code snippet:

    if (any_pmc_overflown(cpuhw))
        clear_pmi_irq_pending();
    else
        WARN_ON(pmi_irq_pending());

Here the PMC overflown is not from active event. Example: When we do perf record, default cycles and instructions will be running on PMC6 and PMC5 respectively. It could happen that overflowed event is currently not active and pending PMI is for the inactive event. Debug logs from trace_printk:

any_pmc_overflown: idx is 5: pmc value is 0xd9a
power_pmu_disable: PMC1: 0x0, PMC2: 0x0, PMC3: 0x0, PMC4: 0x0, PMC5: 0xd9a, PMC6: 0x80002011

Here active PMC (from idx) is PMC5, but overflown PMC is PMC6 (0x80002011). When we handle PMI interrupt for such cases, if the PMC overflown is from inactive event, it will be ignored. Reference commit:
commit bc09c219b2e6 ("powerpc/perf: Fix finding overflowed PMC in interrupt")

Patch addresses two changes:

1) Fix 1: Removal of warning ( WARN_ON(pmi_irq_pending()); )
We were printing warning if no PMC is found overflown among active PMU events, but PMI pending in PACA. But this could happen in cases where PMC overflown is not in active PMC. An inactive event could have caused the overflow. Hence the warning is not needed. To know pending PMI is from an inactive event, we need to loop through all PMC's which will cause more SPR reads via mfspr and increase in context switch. Also in existing function: perf_event_interrupt, already we ignore PMI's overflown when it is from an inactive PMC.

2) Fix 2: optimization in clearing pending PMI.
Currently we check for any active PMC overflown before clearing PMI pending in Paca. This is causing additional SP
---truncated---

Vulnerable products and versions

CPE                                            From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.10.94 (including)   5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.15.17 (including)   5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16.3 (including)    5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.19 (including)      5.19.2 (excluding)