Date: Tue, 26 May 2026 20:34:02 -0700
Message-ID: <87h5ntv845.wl-ashutosh.dixit@intel.com>
From: "Dixit, Ashutosh"
To: John Hubbard
Cc: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie, Simona Vetter, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, James Clark, LKML
Subject: Re: [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu()
In-Reply-To: <20260523013326.129491-3-jhubbard@nvidia.com>
References: <20260523013326.129491-1-jhubbard@nvidia.com> <20260523013326.129491-3-jhubbard@nvidia.com>
X-Mailing-List: linux-perf-users@vger.kernel.org

On Fri, 22 May 2026 18:33:26 -0700, John Hubbard wrote:
>
> xe OA and EU-stall paths open-code a partial copy of the system-wide
> perf CPU-event permission check:
>
> 	if (xe_observation_paranoid && !perfmon_capable())
> 		return -EACCES;
>
> This open-coded check skips two things perf_allow_cpu() handles: the
> graduated kernel.perf_event_paranoid policy that an administrator
> may have tuned, and the security_perf_event_open() LSM hook.
>
> Introduce xe_observation_paranoid_check() to wrap perf_allow_cpu(),
> and convert the open-coded sites in xe_oa.c and xe_eu_stall.c. The
> dev.xe.observation_paranoid sysctl still acts as an escape hatch
> when cleared.
>
> xe observation now consults kernel.perf_event_paranoid and the LSM
> perf hook on every open. Sites that have already configured an LSM
> perf policy or tuned the paranoid sysctl will see those settings
> extend to xe.
> > Signed-off-by: John Hubbard LGTM: Reviewed-by: Ashutosh Dixit > --- > drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++-- > drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++--------- > drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++----- > drivers/gpu/drm/xe/xe_observation.h | 3 +-- > 4 files changed, 46 insertions(+), 19 deletions(-) > > diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c > index dddcdd0bb7a3..ede8e3c98b2b 100644 > --- a/drivers/gpu/drm/xe/xe_eu_stall.c > +++ b/drivers/gpu/drm/xe/xe_eu_stall.c > @@ -963,9 +963,10 @@ int xe_eu_stall_stream_open(struct drm_device *dev, u64 data, struct drm_file *f > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&xe->drm, "Insufficient privileges for EU stall monitoring\n"); > - return -EACCES; > + return ret; > } > > /* Initialize and set default values */ > diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c > index d908f4e03906..f3dcff66b336 100644 > --- a/drivers/gpu/drm/xe/xe_oa.c > +++ b/drivers/gpu/drm/xe/xe_oa.c > @@ -1676,9 +1676,10 @@ static int xe_oa_mmap(struct file *file, struct vm_area_struct *vma) > unsigned long start = vma->vm_start; > int i, ret; > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&stream->oa->xe->drm, "Insufficient privilege to map OA buffer\n"); > - return -EACCES; > + return ret; > } > > /* Can mmap the entire OA buffer or nothing (no partial OA buffer mmaps) */ 
> @@ -2054,10 +2055,12 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f > privileged_op = true; > } > > - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { > - drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > - ret = -EACCES; > - goto err_exec_q; > + if (privileged_op) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > + drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > + goto err_exec_q; > + } > } > > if (!param.exec_q && !param.sample) { > @@ -2336,9 +2339,10 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + err = xe_observation_paranoid_check(); > + if (err) { > drm_dbg(&oa->xe->drm, "Insufficient privileges to add xe OA config\n"); > - return -EACCES; > + return err; > } > > err = copy_from_user(¶m, u64_to_user_ptr(data), sizeof(param)); > @@ -2438,9 +2442,10 @@ int xe_oa_remove_config_ioctl(struct drm_device *dev, u64 data, struct drm_file > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&oa->xe->drm, "Insufficient privileges to remove xe OA config\n"); > - return -EACCES; > + return ret; > } > > ret = get_user(arg, ptr); > diff --git a/drivers/gpu/drm/xe/xe_observation.c b/drivers/gpu/drm/xe/xe_observation.c > index e3f9b546207e..39e05b9131a7 100644 > --- a/drivers/gpu/drm/xe/xe_observation.c > +++ b/drivers/gpu/drm/xe/xe_observation.c > @@ -4,6 +4,7 @@ > */ > > #include > +#include > #include > > #include 
> @@ -12,9 +13,28 @@ > #include "xe_oa.h" > #include "xe_observation.h" > > -u32 xe_observation_paranoid = true; > +static u32 xe_observation_paranoid = true; > static struct ctl_table_header *sysctl_header; > > +/** > + * xe_observation_paranoid_check - Gate access to xe observation streams. > + * > + * When the xe-specific observation_paranoid sysctl is enabled (the > + * default), defer to perf_allow_cpu() so that access is governed by the > + * same policy as system-wide perf CPU events: kernel.perf_event_paranoid > + * plus the security_perf_event_open() LSM hook. When the sysctl has been > + * cleared by a privileged user, observation is open to all callers. > + * > + * Return: 0 if access is permitted, a negative errno otherwise. > + */ > +int xe_observation_paranoid_check(void) > +{ > + if (!xe_observation_paranoid) > + return 0; > + > + return perf_allow_cpu(); > +} > + > static int xe_oa_ioctl(struct drm_device *dev, struct drm_xe_observation_param *arg, > struct drm_file *file) > { > @@ -83,11 +103,13 @@ static const struct ctl_table observation_ctl_table[] = { > }; > > /** > - * xe_observation_sysctl_register - Register xe_observation_paranoid sysctl > + * xe_observation_sysctl_register - Register the observation_paranoid sysctl > * > - * Normally only superuser/root can access observation stream > - * data. However, superuser can set xe_observation_paranoid sysctl to 0 to > - * allow non-privileged users to also access observation data. > + * When dev.xe.observation_paranoid is set (the default), access to > + * observation streams follows the system-wide perf_allow_cpu() policy: > + * kernel.perf_event_paranoid plus the security_perf_event_open() LSM > + * hook. A privileged user can clear the sysctl to bypass that gate and > + * allow unprivileged access to observation data. > * > * Return: always returns 0 > */ > diff --git a/drivers/gpu/drm/xe/xe_observation.h b/drivers/gpu/drm/xe/xe_observation.h > index 17816998e966..73a03e03c96a 100644 
> --- a/drivers/gpu/drm/xe/xe_observation.h > +++ b/drivers/gpu/drm/xe/xe_observation.h > @@ -11,8 +11,7 @@ > struct drm_device; > struct drm_file; > > -extern u32 xe_observation_paranoid; > - > +int xe_observation_paranoid_check(void); > int xe_observation_ioctl(struct drm_device *dev, void *data, struct drm_file *file); > int xe_observation_sysctl_register(void); > void xe_observation_sysctl_unregister(void); > -- > 2.54.0 >
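
Review bot: In xe_eu_stall_stream_open() (xe_eu_stall.c, hunk @@ -963,9), the denial path is no longer guaranteed to return -EACCES: "return -EACCES;" became "return ret;", and ret is whatever negative errno xe_observation_paranoid_check() produces. Please mention the possible errno change for userspace in the commit message, and consider adding ret to the drm_dbg() line ("Insufficient privileges for EU stall monitoring") so a denial from the paranoid sysctl can be told apart from one issued by the LSM hook. The same applies to the converted sites in xe_oa.c.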
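
Review bot: In xe_oa_mmap() (xe_oa.c, hunk @@ -1676,9), the new check runs at mmap time, while the commit message says the perf policy and LSM hook are consulted "on every open". The add-config and remove-config ioctls are converted the same way, so the hook described in the new kernel-doc fires on those paths too. Since xe_observation_paranoid_check(void) takes no stream or file argument, it can only judge the calling task, which for mmap need not be the task that opened the stream. Please reword the commit message and the kernel-doc to list mmap and the config ioctls, so that anyone writing an LSM perf policy knows which xe paths it now covers.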
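
Review bot: In xe_observation_paranoid_check() (xe_observation.c, hunk @@ -12,9), the early "return 0;" taken when xe_observation_paranoid is cleared skips perf_allow_cpu() entirely, so one sysctl write also switches off the security_perf_event_open() hook for xe. If the escape hatch is only meant to relax the paranoid/capability part, consider still calling the LSM hook on that path. If bypassing the LSM is intended, say so explicitly in this kernel-doc: "observation is open to all callers" does not mention that an LSM perf policy stops applying to xe.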