From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Yicong Yang <yangyicong@hisilicon.com>,
Jonathan Cameron <jonathan.cameron@huawei.com>,
Yushan Wang <wangyushan12@huawei.com>,
Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>,
zhangshaokun@hisilicon.com
Subject: [PATCH AUTOSEL 6.17-6.6] drivers/perf: hisi: Relax the event ID check in the framework
Date: Thu, 2 Oct 2025 11:30:14 -0400 [thread overview]
Message-ID: <20251002153025.2209281-27-sashal@kernel.org> (raw)
In-Reply-To: <20251002153025.2209281-1-sashal@kernel.org>
From: Yicong Yang <yangyicong@hisilicon.com>
[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ]
Event ID is only using the attr::config bit [7, 0] but we check the
event range using the whole 64bit field. It blocks the usage of the
rest field of attr::config. Relax the check by only using the
bit [7, 0].
Acked-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Yushan Wang <wangyushan12@huawei.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
## Backport Analysis: HiSilicon PMU Event ID Check Fix
**Backport Recommendation: YES**
### Detailed Analysis
#### Bug Being Fixed
The commit fixes an overly restrictive validation bug in
`hisi_uncore_pmu_event_init()` at
**drivers/perf/hisilicon/hisi_uncore_pmu.c:237**.
**Original code:**
```c
if (event->attr.config > hisi_pmu->check_event)
return -EINVAL;
```
**Fixed code:**
```c
if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
return -EINVAL;
```
Where `HISI_EVENTID_MASK = GENMASK(7, 0) = 0xFF`.
#### Root Cause Analysis
1. **Event ID Layout:** HiSilicon uncore PMUs use only bits [7:0] of
`attr.config` for the event ID. This is evident from format
attributes across all drivers:
- `hisi_uncore_l3c_pmu.c:386`: `"config:0-7"`
- `hisi_uncore_hha_pmu.c:336`: `"config:0-7"`
- `hisi_uncore_pa_pmu.c:304`: `"config:0-7"`
- `hisi_uncore_sllc_pmu.c:368`: `"config:0-7"`
- `hisi_uncore_uc_pmu.c:402`: `"config:0-7"`
- `hisi_uncore_ddrc_pmu.c:272`: `"config:0-4"` (V1) and
`"config:0-7"` (V2)
- `hisi_uncore_cpa_pmu.c:205`: `"config:0-15"` (exception)
2. **Incorrect Validation:** The validation was comparing the entire
64-bit `attr.config` value against `check_event` (typically 0xFF for
8-bit event IDs), which would incorrectly reject valid event
configurations if any upper bits were set.
3. **Blocking Future Extensions:** The commit message explicitly states:
"It blocks the usage of the rest field of attr::config." This
indicates that upper bits of `attr.config` may be needed for
additional configuration parameters beyond the base event ID.
#### Scope of Impact
This fix affects all HiSilicon uncore PMU drivers that use the shared
`hisi_pmu_init()` function, which sets `pmu->event_init =
hisi_uncore_pmu_event_init` (at **hisi_uncore_pmu.c:610**):
- L3C PMU (L3 Cache)
- HHA PMU (Hydra Home Agent)
- DDRC PMU (DDR Controller)
- PA PMU (Protocol Adapter)
- SLLC PMU (Super L3 Cache)
- UC PMU (Uncore)
- CPA PMU (Coherent Protocol Agent)
#### Code Changes Analysis
**File 1: drivers/perf/hisilicon/hisi_uncore_pmu.c**
- **Line 237:** Mask `attr.config` with `HISI_EVENTID_MASK` before
comparison
- **Impact:** Only validates event ID bits [7:0], allowing upper bits
for other purposes
**File 2: drivers/perf/hisilicon/hisi_uncore_pmu.h**
- **Line 46:** Define `HISI_EVENTID_MASK` as `GENMASK(7, 0)`
- **Line 47:** Update `HISI_GET_EVENTID` macro to use the new mask
(consistency improvement)
- **Impact:** Provides centralized, self-documenting definition of event
ID field
#### Backport Suitability Assessment
**Positive Factors:**
1. ✅ **Fixes a clear bug:** Incorrect validation logic blocking
legitimate use cases
2. ✅ **Small and contained:** Only 5 lines changed across 2 files
3. ✅ **Low regression risk:** The change makes validation less strict,
not more strict
4. ✅ **Well-reviewed:** Acked by Jonathan Cameron (prominent kernel
maintainer)
5. ✅ **No dependencies:** Self-contained fix with no related commits
6. ✅ **Driver-level fix:** Affects only HiSilicon PMU drivers, not core
kernel
7. ✅ **Minimal side effects:** Only affects event validation path during
initialization
**Risk Assessment:**
- **Regression risk:** Very low - relaxing validation cannot break
working configurations
- **Functional risk:** None - the fix enables correct behavior
- **Architectural risk:** None - no architectural changes
- **Dependency risk:** None - no follow-up fixes or related patches
required
**Follows Stable Tree Rules:**
- ✅ Fixes an important bug affecting users of HiSilicon hardware
- ✅ Small, obvious, and correct change
- ✅ No new features introduced
- ✅ Minimal risk of regression
- ✅ Confined to specific driver subsystem
### Conclusion
This commit is an **excellent candidate for backporting** to stable
kernel trees. It fixes a genuine validation bug that prevents legitimate
usage of the perf event configuration interface on HiSilicon hardware.
The fix is minimal, well-contained, properly reviewed, and carries
virtually no regression risk.
drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +-
drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c
index a449651f79c9f..6594d64b03a9e 100644
--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c
+++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c
@@ -234,7 +234,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event)
return -EINVAL;
hisi_pmu = to_hisi_pmu(event->pmu);
- if (event->attr.config > hisi_pmu->check_event)
+ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
return -EINVAL;
if (hisi_pmu->on_cpu == -1)
diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h
index 777675838b808..e69660f72be67 100644
--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h
+++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h
@@ -43,7 +43,8 @@
return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \
}
-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff)
+#define HISI_EVENTID_MASK GENMASK(7, 0)
+#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK)
#define HISI_PMU_EVTYPE_BITS 8
#define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS)
--
2.51.0
next prev parent reply other threads:[~2025-10-02 15:31 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-02 15:29 [PATCH AUTOSEL 6.17-5.4] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.12] arm64: sysreg: Correct sign definitions for EIESB and DoubleLock Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-5.4] hfs: clear offset and space out of valid records in b-tree node Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-5.4] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.1] powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-5.4] m68k: bitops: Fix find_*_bit() signatures Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17] smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR logging Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.16] arm64: realm: ioremap: Allow mapping memory as encrypted Sasha Levin
2025-10-02 16:43 ` Suzuki K Poulose
2025-10-21 15:38 ` Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.12] gfs2: Fix unlikely race in gdlm_put_lock Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.1] smb: server: let smb_direct_flush_send_list() invalidate a remote key first Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-5.15] nios2: ensure that memblock.current_limit is set when setting pfn limits Sasha Levin
2025-10-02 15:29 ` [PATCH AUTOSEL 6.17-6.12] s390/mm: Use __GFP_ACCOUNT for user page table allocations Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] riscv: mm: Return intended SATP mode for noXlvl options Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] gfs2: Fix LM_FLAG_TRY* logic in add_to_queue Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] dlm: move to rinfo for all middle conversion cases Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] exec: Fix incorrect type for ret Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.1] lkdtm: fortify: Fix potential NULL dereference on kmalloc failure Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] riscv: mm: Use mmu-type from FDT to limit SATP mode Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.6] Unbreak 'make tools/*' for user-space targets Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] hfs: make proper initalization of struct hfs_find_data Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] riscv: cpufeature: add validation for zfa, zfh and zfhmin Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.12] PCI: Test for bit underflow in pcie_set_readrq() Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] s390/pkey: Forward keygenflags to ep11_unwrapkey Sasha Levin
2025-10-02 15:30 ` Sasha Levin [this message]
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] hfs: validate record offset in hfsplus_bmap_alloc Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17] smb: client: limit the range of info->receive_credit_target Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-5.4] dlm: check for defined force value in dlm_lockspace_release Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.12] binfmt_elf: preserve original ELF e_flags for core dumps Sasha Levin
2025-10-02 15:58 ` Kees Cook
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] arm64: errata: Apply workarounds for Neoverse-V3AE Sasha Levin
2025-10-02 15:30 ` [PATCH AUTOSEL 6.17-6.16] smb: client: queue post_recv_credits_work also if the peer raises the credit target Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251002153025.2209281-27-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jonathan.cameron@huawei.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=wangyushan12@huawei.com \
--cc=will@kernel.org \
--cc=yangyicong@hisilicon.com \
--cc=zhangshaokun@hisilicon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).