From: sashiko-bot@kernel.org
To: "Dapeng Mi" <dapeng1.mi@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [Patch v8 07/23] x86/fpu/xstate: Add xsaves_nmi() helper
Date: Fri, 29 May 2026 08:56:13 +0000
Message-ID: <20260529085613.CCAFB1F00893@smtp.kernel.org>
In-Reply-To: <20260529075645.580362-8-dapeng1.mi@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Executing XSAVES blindly from an NMI context captures in-flight kernel FPU state, leading to a severe information leak via perf REGS_INTR.
--

commit d34a5f4e0fb88fb36d75fc06f907af1f26922ffe
Author: Kan Liang <kan.liang@linux.intel.com>

x86/fpu/xstate: Add xsaves_nmi() helper

This commit introduces the xsaves_nmi() function to allow saving supported
xsave states directly from an NMI handler. It is currently intended for use
by the perf subsystem to snapshot SIMD and APX eGPRs registers.

> diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> index a7b6524a9dea2..4394091c47910 100644
> --- a/arch/x86/kernel/fpu/xstate.c
> +++ b/arch/x86/kernel/fpu/xstate.c

[ ... ]

> @@ -1474,6 +1474,29 @@ void xrstors(struct xregs_state *xstate, u64 mask)
>  	WARN_ON_ONCE(err);
>  }
>  
> +/**
> + * xsaves_nmi - Save selected components to a kernel xstate buffer in NMI
> + * @xstate:	Pointer to the buffer
> + * @mask:	Feature mask to select the components to save
> + *
> + * This function is similar to xsaves(), but should only be called within
> + * a NMI handler. This function returns the actual register contents at
> + * the moment the NMI occurs.
> + *
> + * Currently, the perf subsystem is the sole user of this helper. It uses
> + * the function to snapshot SIMD (XMM/YMM/ZMM) and APX eGPRs registers.
> + */
> +void xsaves_nmi(struct xregs_state *xstate, u64 mask)
> +{
> +	int err;
> +
> +	if (!in_nmi())
> +		return;
> +
> +	XSTATE_OP(XSAVES, xstate, (u32)mask, (u32)(mask >> 32), err);

[Severity: High]
Could executing XSAVES directly from an NMI context capture in-flight kernel
FPU state and lead to an information leak via perf REGS_INTR?

If an unprivileged user creates a hardware perf event with exclude_kernel=1
and requests PERF_SAMPLE_REGS_INTR, they bypass the perf_allow_kernel()
privilege check. Due to hardware skid, a PMI might be delivered after the CPU
has already transitioned into kernel space.

If the interrupted kernel context is actively using the FPU (for example,
inside kernel_fpu_begin() for cryptographic operations), the hardware FPU
registers would contain kernel data.

Since this helper captures the hardware FPU state unconditionally, and the
perf subsystem does not discard or filter REGS_INTR samples based on
privilege when a skid into kernel mode occurs, will this export sensitive
kernel SIMD registers to the unprivileged user's ring buffer?

> +	WARN_ON_ONCE(err);
> +}
> +
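
Review bot: the `if (!in_nmi()) return;` guard at the top of xsaves_nmi() fails silently, and because the function is void the caller cannot tell that @xstate was never written. The same holds when XSTATE_OP() sets err: the failure is only reported through WARN_ON_ONCE(err), so the caller has no way to know the buffer is not valid. Consider `WARN_ON_ONCE(!in_nmi())` for the misuse case and returning an int (or bool) so the perf caller can drop the sample rather than emit whatever the buffer held before. The kernel-doc sentence "This function returns the actual register contents" should also be reworded for a void function, and the comment should say what is expected of @mask, since the mask is split into two u32 halves and handed to XSAVES with no validation in this hunk.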

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260529075645.580362-1-dapeng1.mi@linux.intel.com?part=7
