Re: [PATCH 2/2] perf/x86: Update cap_user_rdpmc base on rdpmc user disable state

["Mi, Dapeng" <dapeng1.mi@linux.intel.com>]

On 3/12/2026 1:04 PM, Ian Rogers wrote:
> On Wed, Mar 11, 2026 at 9:44 PM Ian Rogers <irogers@google.com> wrote:
>> On Wed, Mar 11, 2026 at 12:56 AM Dapeng Mi <dapeng1.mi@linux.intel.com> wrote:
>>> After introducing the RDPMC user disable feature, user-space RDPMC may
>>> return 0 instead of the actual event count. This creates an inconsistency
>>> with cap_user_rdpmc, where cap_user_rdpmc is set, but user-space RDPMC
>>> only returns 0.
>>>
>>> To accurately represent the user-space RDPMC capability, update
>>> cap_user_rdpmc based on the RDPMC user disable state. If RDPMC user
>>> disable is enabled, cap_user_rdpmc is set to false, allowing user-space
>>> programs to fall back to the read() syscall to obtain the real event
>>> count.
>>>
>>> Fixes: 59af95e028d4 ("perf/x86/intel: Add support for rdpmc user disable feature")
>>> Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
>>> ---
>>>  arch/x86/events/core.c | 3 +++
>>>  1 file changed, 3 insertions(+)
>>>
>>> diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
>>> index 03ce1bc7ef2e..0266a11d7ec9 100644
>>> --- a/arch/x86/events/core.c
>>> +++ b/arch/x86/events/core.c
>>> @@ -2807,6 +2807,9 @@ void arch_perf_update_userpage(struct perf_event *event,
>>>         userpg->cap_user_time_zero = 0;
>>>         userpg->cap_user_rdpmc =
>>>                 !!(event->hw.flags & PERF_EVENT_FLAG_USER_READ_CNT);
>>> +       if (x86_pmu_has_rdpmc_user_disable(event->pmu) &&
>> With the AI's help the following bug was spotted:
>>
>> Places like cpu_clock_event_add call perf_event_update_userpage with a
>> software event:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n12314
>> This then calls arch_perf_update_userpage:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n6870
>> In x86_pmu_has_rdpmc_user_disable:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n1336
>> ```
>> static inline bool x86_pmu_has_rdpmc_user_disable(struct pmu *pmu)
>> {
>> return !!(hybrid(pmu, config_mask) &
>> ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE);
>> }
>> ```
>> The hybrid call does a call to hybrid_pmu:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n793
>> and that does a container_of:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n782
>> ```
>> static __always_inline struct x86_hybrid_pmu *hybrid_pmu(struct pmu *pmu)
>> {
>> return container_of(pmu, struct x86_hybrid_pmu, pmu);
>> }
>> ```
>> In the case that the event's pmu is a software PMU the container_of
>> should be invalid and this will lead to an out-of-bounds read of the
>> config_mask on hybrid systems.
>>
>> Unfortunately checking the event is x86 doesn't cover the hybrid case:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/core.c#n780
>> and it seems this bug may exist elsewhere. It'd be nice if in the
>> hybrid_pmu function there were a `BUG_ON(!is_x86_pmu(pmu))`, but
>> unfortunately that'd only get exposed on hybrid systems.
> Actually  is_x86_event does work for hybrid, so making this:
> ```
> if (is_x86_event(event) && x86_pmu_has_rdpmc_user_disable(event->pmu) && ...
> ```
> Should fix the issue.

Yes, I'd like move the check is_x86_event(event) into
x86_pmu_has_rdpmc_user_disable(), then the check "is_x86_event(event)"
won't be missed in next call for x86_pmu_has_rdpmc_user_disable(). Thanks.


>
> Thanks,
> Ian
>
>> Thanks,
>> Ian
>>
>>> +           event->hw.config & ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE)
>>> +               userpg->cap_user_rdpmc = 0;
>>>         userpg->pmc_width = x86_pmu.cntval_bits;
>>>
>>>         if (!using_native_sched_clock() || !sched_clock_stable())
>>> --
>>> 2.34.1
>>>