Re: [Patch v2 4/9] perf/x86/intel: Fallback to sw branch type decoding if no hw decoding

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [High] The fallback to software branch decoding causes massive NMI overhead and drops valid LBR entries when user memory is paged out.

Pre-existing issues:
- [Critical] Page fault in NMI context due to an out-of-bounds direct memory read into unmapped guard pages during LBR software branch type decoding.
--

commit 11f8cb2dc702b7450f8fbb74de9eaa30a63a9248
Author: Dapeng Mi <dapeng1.mi@linux.intel.com>
Subject: perf/x86/intel: Fallback to sw branch type decoding if no hw decoding

This commit updates intel_pmu_lbr_filter() to use software branch-type
decoding when hardware branch-type decoding is unavailable (i.e.
x86_lbr_type is not enabled). This aims to keep branch classification and
filtering behavior correct across Arch LBR configurations.

> diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
> index cae2e02fe6cc4..171fdf1962ade 100644
> --- a/arch/x86/events/intel/lbr.c
> +++ b/arch/x86/events/intel/lbr.c
> @@ -1233,6 +1233,7 @@ intel_pmu_lbr_filter(struct cpu_hw_events *cpuc)
>  		 * OTHER_BRANCH branch type still rely on software decoding.
>  		 */
>  		if (static_cpu_has(X86_FEATURE_ARCH_LBR) &&
> +		    static_branch_likely(&x86_lbr_type) &&

[Severity: High]
When x86_lbr_type is not enabled, this falls back to software decoding via
branch_type(). Because intel_pmu_setup_hw_lbr_filter() unconditionally sets
X86_BR_TYPE_SAVE for Arch LBR CPUs:

arch/x86/events/intel/lbr.c:intel_pmu_setup_hw_lbr_filter() {
    ...
    if (static_cpu_has(X86_FEATURE_ARCH_LBR)) {
        ...
        reg->reg |= X86_BR_TYPE_SAVE;
    ...
}

the early return fast-path in intel_pmu_lbr_filter() is bypassed. Does this
cause intel_pmu_lbr_filter() to iterate over all LBR entries and perform
high-overhead instruction decoding in NMI context even for generic branch
requests?

Additionally, if user memory is paged out, copy_from_user_nmi() will fail,
causing branch_type() to return X86_BR_NONE. Does this result in valid LBR
entries being silently dropped?

[Severity: Critical]
This is a pre-existing issue, but falling back to software decoding exposes
a vulnerability in get_branch_type() when processing LBR entries in NMI context:

arch/x86/events/utils.c:get_branch_type() {
    ...
    if (kernel_text_address(from) && !in_gate_area_no_mm(from)) {
        addr = (void *)from;
        bytes_read = MAX_INSN_SIZE;
    ...
    insn_init(&insn, addr, bytes_read, is64);
    ret = decode_branch_type(&insn);
    ...
}

If the from address (which is controlled by the LBR hardware recording a
faulting RIP) points to the very last byte of a mapped page, bytes_read is
set to 15. The instruction decoder will blindly read past the page boundary
into an unmapped guard page without exception table handlers.

Can this trigger a kernel page fault (#PF) and Oops in NMI context when
processing the PMU interrupt?

>  		    type <= ARCH_LBR_BR_TYPE_KNOWN_MAX) {
>  			to_plm = kernel_ip(to) ? X86_BR_KERNEL : X86_BR_USER;
>  			type = arch_lbr_br_type_map[type] | to_plm;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609050222.2458129-1-dapeng1.mi@linux.intel.com?part=4