* [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
@ 2026-05-23 1:33 John Hubbard
From: John Hubbard @ 2026-05-23 1:33 UTC
To: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Peter Zijlstra, Ingo Molnar,
Arnaldo Carvalho de Melo, Namhyung Kim
Cc: Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users,
LKML, John Hubbard

perf_allow_cpu() and perf_allow_tracepoint() are static inline and
reach into a non-exported sysctl, so modular drivers that want the
same permission model as system-wide perf end up writing partial
copies of this code. Let's instead export these properly so that modules
can call them.

Commit 5e9629d0ae97 ("drivers/perf: arm_spe: Use perf_allow_kernel()
for permissions") already moved perf_allow_kernel() out of line and
exported it. Patch 1 does the same for the other two, and provides
!CONFIG_PERF_EVENTS stubs so the helpers stay callable when perf is
compiled out.

Patch 2 converts drm/xe's OA and EU stall paths to call
perf_allow_cpu(), so xe observation now respects the system
perf_event_paranoid policy and consults the LSM hook. Sites that have
already configured an LSM perf policy or tuned the paranoid sysctl will
now see those settings honored on xe as well.

Changes since v1:

* Patch 1: add !CONFIG_PERF_EVENTS stubs that fall back to
  perfmon_capable() so the helpers remain callable when perf is
  compiled out. The sashiko-bot AI review caught that the v1 code
  would otherwise fail to build with PERF_EVENTS=n.

John Hubbard (2):
  perf/core: out-of-line and export perf_allow_cpu/tracepoint()
  drm/xe: gate observation streams with perf_allow_cpu()

 drivers/gpu/drm/xe/xe_eu_stall.c    |  5 +++--
 drivers/gpu/drm/xe/xe_oa.c          | 25 +++++++++++++---------
 drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
 drivers/gpu/drm/xe/xe_observation.h |  3 +--
 include/linux/perf_event.h          | 31 ++++++++++++++--------------
 kernel/events/core.c                | 18 ++++++++++++++++
 6 files changed, 79 insertions(+), 35 deletions(-)

base-commit: 79bd2dded182b1d458b18e62684b7f82ffc682e5
--
2.54.0

* [PATCH v2 1/2] perf/core: out-of-line and export perf_allow_cpu/tracepoint()
@ 2026-05-23 1:33 John Hubbard
From: John Hubbard @ 2026-05-23 1:33 UTC
To: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Peter Zijlstra, Ingo Molnar,
Arnaldo Carvalho de Melo, Namhyung Kim
Cc: Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users,
LKML, John Hubbard

These helpers are static inline in <linux/perf_event.h> and reach
into sysctl_perf_event_paranoid and security_perf_event_open(),
neither of which is itself exported. The perf_allow_* trio is
therefore asymmetric: built-in callers can use any of the three, but
modular code can only call perf_allow_kernel().

Move both bodies into kernel/events/core.c next to perf_allow_kernel()
and export them with EXPORT_SYMBOL_GPL, following the shape of
commit 5e9629d0ae97 ("drivers/perf: arm_spe: Use perf_allow_kernel()
for permissions"). Existing in-tree callers live in built-in arch and
tracing code, so the change is invisible to them.

Provide !CONFIG_PERF_EVENTS stubs that fall back to perfmon_capable(),
so the helpers stay callable when perf is compiled out.

Signed-off-by: John Hubbard <jhubbard@nvidia.com>
---
 include/linux/perf_event.h | 31 +++++++++++++++----------------
 kernel/events/core.c       | 18 ++++++++++++++++++
 2 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index 48d851fbd8ea..5842552294c1 100644
--- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -1791,22 +1791,8 @@ static inline int perf_is_paranoid(void) } extern int perf_allow_kernel(void); - -static inline int perf_allow_cpu(void) -{ - if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) - return -EACCES; - - return security_perf_event_open(PERF_SECURITY_CPU); -} - -static inline int perf_allow_tracepoint(void) -{ - if (sysctl_perf_event_paranoid > -1 && !perfmon_capable()) - return -EPERM; - - return security_perf_event_open(PERF_SECURITY_TRACEPOINT); -} +extern int perf_allow_cpu(void); +extern int perf_allow_tracepoint(void); extern int perf_exclude_event(struct perf_event *event, struct pt_regs *regs); @@ -2023,6 +2009,19 @@ perf_event_pause(struct perf_event *event, bool reset) { return 0; } static inline int perf_exclude_event(struct perf_event *event, struct pt_regs *regs) { return 0; } +static inline int perf_allow_kernel(void) +{ + return perfmon_capable() ? 0 : -EACCES; +} +static inline int perf_allow_cpu(void) +{ + return perfmon_capable() ? 0 : -EACCES; +} +static inline int perf_allow_tracepoint(void) +{ + return perfmon_capable() ? 0 : -EPERM; +} + #endif /* !CONFIG_PERF_EVENTS */ #if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_CPU_SUP_INTEL) diff --git a/kernel/events/core.c b/kernel/events/core.c index 7935d5663944..cb13f3ad11a3 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c 
@@ -14731,6 +14731,24 @@ int perf_allow_kernel(void) } EXPORT_SYMBOL_GPL(perf_allow_kernel); +int perf_allow_cpu(void) +{ + if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) + return -EACCES; + + return security_perf_event_open(PERF_SECURITY_CPU); +} +EXPORT_SYMBOL_GPL(perf_allow_cpu); + +int perf_allow_tracepoint(void) +{ + if (sysctl_perf_event_paranoid > -1 && !perfmon_capable()) + return -EPERM; + + return security_perf_event_open(PERF_SECURITY_TRACEPOINT); +} +EXPORT_SYMBOL_GPL(perf_allow_tracepoint); + /* * Inherit an event from parent task to child task. * -- 2.54.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
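Review bot: the !CONFIG_PERF_EVENTS stubs added just before "#endif /* !CONFIG_PERF_EVENTS */" in include/linux/perf_event.h include a perf_allow_kernel() stub, which neither the subject nor the commit message mentions (both name only perf_allow_cpu/tracepoint); please say so in the changelog. The stubs also decide on perfmon_capable() alone, so with perf compiled out an unprivileged caller is always refused, whereas the real perf_allow_cpu() lets it through to the LSM hook when sysctl_perf_event_paranoid is 0 or lower. A short comment above the three stubs stating that this stricter fallback is intended would save the next reader from re-deriving it.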
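Review bot: the two functions newly exported with EXPORT_SYMBOL_GPL in kernel/events/core.c have no kernel-doc, and their denial codes differ: perf_allow_cpu() returns -EACCES while perf_allow_tracepoint() returns -EPERM. Now that modules can call them, each should get a short kernel-doc block naming the sysctl threshold it tests ("> 0" and "> -1"), the LSM hook it falls through to, and the errno it returns, so that driver authors propagate the return value rather than hard-coding one.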

* Re: [PATCH v2 1/2] perf/core: out-of-line and export perf_allow_cpu/tracepoint()
@ 2026-05-23 1:51 sashiko-bot
From: sashiko-bot @ 2026-05-23 1:51 UTC
To: John Hubbard; +Cc: linux-perf-users

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The variable `v` used to store the event index is inadvertently overwritten by the return value of `perf_allow_cpu()`.
--

commit 4a1ba4712c8f6d5b5cbf8536fff7c0deb0a5c8b7
Author: John Hubbard <jhubbard@nvidia.com>

perf/core: out-of-line and export perf_allow_cpu/tracepoint()

This commit moves perf_allow_cpu() and perf_allow_tracepoint() out of
the perf_event.h header and into kernel/events/core.c. It exports them
with EXPORT_SYMBOL_GPL to allow modular code to access these permissions
checks, matching the behavior of perf_allow_kernel(). It also provides
stubs for when CONFIG_PERF_EVENTS is disabled.

> diff --git a/kernel/events/core.c b/kernel/events/core.c > index 6d1f8bad7e1c5..735e502beb966 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c
[ ... ]
> @@ -14691,6 +14691,24 @@ int perf_allow_kernel(void) > } > EXPORT_SYMBOL_GPL(perf_allow_kernel); > > +int perf_allow_cpu(void) > +{ > + if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) > + return -EACCES; > + > + return security_perf_event_open(PERF_SECURITY_CPU); > +}

[Severity: High]
This isn't a bug introduced by this patch, but while reviewing the usage
of perf_allow_cpu(), I noticed a pre-existing issue in the p4 PMU code.

Does this overwrite the event index v? Looking at p4_validate_raw_event()
in arch/x86/events/intel/p4.c, v is used to index into p4_event_bind_map,
but it appears to be overwritten by the return value of perf_allow_cpu():

arch/x86/events/intel/p4.c:p4_validate_raw_event() {
    ...
    if (p4_ht_active() && p4_event_bind_map[v].shared) {
        v = perf_allow_cpu();
        if (v)
            return v;
    }

    /* ESCR EventMask bits may be invalid */
    emask = p4_config_unpack_escr(event->attr.config) & P4_ESCR_EVENTMASK_MASK;
    if (emask & ~p4_event_bind_map[v].escr_emask)
        return -EINVAL;
    ...
}

If perf_allow_cpu() returns 0 for success, does this mean v becomes 0, and
the subsequent check uses p4_event_bind_map[0].escr_emask instead of the
intended event mask?

Could this allow users to bypass proper event mask checks and program invalid
hardware ESCR bits?

> +EXPORT_SYMBOL_GPL(perf_allow_cpu);

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260523013326.129491-1-jhubbard@nvidia.com?part=1

* Re: [PATCH v2 1/2] perf/core: out-of-line and export perf_allow_cpu/tracepoint()
@ 2026-05-23 2:07 John Hubbard
From: John Hubbard @ 2026-05-23 2:07 UTC
To: sashiko-reviews; +Cc: linux-perf-users

On 5/22/26 6:51 PM, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] The variable `v` used to store the event index is inadvertently overwritten by the return value of `perf_allow_cpu()`.
> --
>
> commit 4a1ba4712c8f6d5b5cbf8536fff7c0deb0a5c8b7
> Author: John Hubbard <jhubbard@nvidia.com>
>
> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
>
> This commit moves perf_allow_cpu() and perf_allow_tracepoint() out of
> the perf_event.h header and into kernel/events/core.c. It exports them
> with EXPORT_SYMBOL_GPL to allow modular code to access these permissions
> checks, matching the behavior of perf_allow_kernel(). It also provides
> stubs for when CONFIG_PERF_EVENTS is disabled.
>
>> diff --git a/kernel/events/core.c b/kernel/events/core.c >> index 6d1f8bad7e1c5..735e502beb966 100644 >> --- a/kernel/events/core.c >> +++ b/kernel/events/core.c
>
> [ ... ]
>
>> @@ -14691,6 +14691,24 @@ int perf_allow_kernel(void) >> } >> EXPORT_SYMBOL_GPL(perf_allow_kernel); >> >> +int perf_allow_cpu(void) >> +{ >> + if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) >> + return -EACCES; >> + >> + return security_perf_event_open(PERF_SECURITY_CPU); >> +}
>
> [Severity: High]
> This isn't a bug introduced by this patch, but while reviewing the usage
> of perf_allow_cpu(), I noticed a pre-existing issue in the p4 PMU code.
>

And just as with v1 of this patchset, the response is the same:
pre-existing bugs such as that are out of scope for this series.

thanks,
--
John Hubbard

> Does this overwrite the event index v? Looking at p4_validate_raw_event()
> in arch/x86/events/intel/p4.c, v is used to index into p4_event_bind_map,
> but it appears to be overwritten by the return value of perf_allow_cpu():
>
> arch/x86/events/intel/p4.c:p4_validate_raw_event() {
>     ...
>     if (p4_ht_active() && p4_event_bind_map[v].shared) {
>         v = perf_allow_cpu();
>         if (v)
>             return v;
>     }
>
>     /* ESCR EventMask bits may be invalid */
>     emask = p4_config_unpack_escr(event->attr.config) & P4_ESCR_EVENTMASK_MASK;
>     if (emask & ~p4_event_bind_map[v].escr_emask)
>         return -EINVAL;
>     ...
> }
>
> If perf_allow_cpu() returns 0 for success, does this mean v becomes 0, and
> the subsequent check uses p4_event_bind_map[0].escr_emask instead of the
> intended event mask?
>
> Could this allow users to bypass proper event mask checks and program invalid
> hardware ESCR bits?
>
>> +EXPORT_SYMBOL_GPL(perf_allow_cpu);
>

* Re: [PATCH v2 1/2] perf/core: out-of-line and export perf_allow_cpu/tracepoint()
@ 2026-05-27 3:34 Dixit, Ashutosh
From: Dixit, Ashutosh @ 2026-05-27 3:34 UTC
To: John Hubbard
Cc: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users, LKML

On Fri, 22 May 2026 18:33:25 -0700, John Hubbard wrote:
>
> These helpers are static inline in <linux/perf_event.h> and reach
> into sysctl_perf_event_paranoid and security_perf_event_open(),
> neither of which is itself exported. The perf_allow_* trio is
> therefore asymmetric: built-in callers can use any of the three, but
> modular code can only call perf_allow_kernel().
>
> Move both bodies into kernel/events/core.c next to perf_allow_kernel()
> and export them with EXPORT_SYMBOL_GPL, following the shape of
> commit 5e9629d0ae97 ("drivers/perf: arm_spe: Use perf_allow_kernel()
> for permissions"). Existing in-tree callers live in built-in arch and
> tracing code, so the change is invisible to them.
>
> Provide !CONFIG_PERF_EVENTS stubs that fall back to perfmon_capable(),
> so the helpers stay callable when perf is compiled out.
>
> Signed-off-by: John Hubbard <jhubbard@nvidia.com>

Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>

> ---
> include/linux/perf_event.h | 31 +++++++++++++++----------------
> kernel/events/core.c | 18 ++++++++++++++++++
> 2 files changed, 33 insertions(+), 16 deletions(-)
>
> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h > index 48d851fbd8ea..5842552294c1 100644 > --- a/include/linux/perf_event.h > +++ b/include/linux/perf_event.h
> @@ -1791,22 +1791,8 @@ static inline int perf_is_paranoid(void) > } > > extern int perf_allow_kernel(void); > - > -static inline int perf_allow_cpu(void) > -{ > - if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) > - return -EACCES; > - > - return security_perf_event_open(PERF_SECURITY_CPU); > -} > - > -static inline int perf_allow_tracepoint(void) > -{ > - if (sysctl_perf_event_paranoid > -1 && !perfmon_capable()) > - return -EPERM; > - > - return security_perf_event_open(PERF_SECURITY_TRACEPOINT); > -} > +extern int perf_allow_cpu(void); > +extern int perf_allow_tracepoint(void); > > extern int perf_exclude_event(struct perf_event *event, struct pt_regs *regs); > > @@ -2023,6 +2009,19 @@ perf_event_pause(struct perf_event *event, bool reset) { return 0; } > static inline int > perf_exclude_event(struct perf_event *event, struct pt_regs *regs) { return 0; } > > +static inline int perf_allow_kernel(void) > +{ > + return perfmon_capable() ? 0 : -EACCES; > +} > +static inline int perf_allow_cpu(void) > +{ > + return perfmon_capable() ? 0 : -EACCES; > +} > +static inline int perf_allow_tracepoint(void) > +{ > + return perfmon_capable() ? 0 : -EPERM; > +} > + > #endif /* !CONFIG_PERF_EVENTS */ > > #if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_CPU_SUP_INTEL) > diff --git a/kernel/events/core.c b/kernel/events/core.c > index 7935d5663944..cb13f3ad11a3 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c 
> @@ -14731,6 +14731,24 @@ int perf_allow_kernel(void) > } > EXPORT_SYMBOL_GPL(perf_allow_kernel); > > +int perf_allow_cpu(void) > +{ > + if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) > + return -EACCES; > + > + return security_perf_event_open(PERF_SECURITY_CPU); > +} > +EXPORT_SYMBOL_GPL(perf_allow_cpu); > + > +int perf_allow_tracepoint(void) > +{ > + if (sysctl_perf_event_paranoid > -1 && !perfmon_capable()) > + return -EPERM; > + > + return security_perf_event_open(PERF_SECURITY_TRACEPOINT); > +} > +EXPORT_SYMBOL_GPL(perf_allow_tracepoint); > + > /* > * Inherit an event from parent task to child task. > * > -- > 2.54.0 > ^ permalink raw reply [flat|nested] 14+ messages in thread

* [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu()
@ 2026-05-23 1:33 John Hubbard
From: John Hubbard @ 2026-05-23 1:33 UTC
To: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Peter Zijlstra, Ingo Molnar,
Arnaldo Carvalho de Melo, Namhyung Kim
Cc: Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users,
LKML, John Hubbard

xe OA and EU-stall paths open-code a partial copy of the system-wide
perf CPU-event permission check:

    if (xe_observation_paranoid && !perfmon_capable())
            return -EACCES;

This open-coded check skips two things perf_allow_cpu() handles: the
graduated kernel.perf_event_paranoid policy that an administrator
may have tuned, and the security_perf_event_open() LSM hook.

Introduce xe_observation_paranoid_check() to wrap perf_allow_cpu(),
and convert the open-coded sites in xe_oa.c and xe_eu_stall.c. The
dev.xe.observation_paranoid sysctl still acts as an escape hatch
when cleared.

xe observation now consults kernel.perf_event_paranoid and the LSM
perf hook on every open. Sites that have already configured an LSM
perf policy or tuned the paranoid sysctl will see those settings
extend to xe.

Signed-off-by: John Hubbard <jhubbard@nvidia.com>
---
 drivers/gpu/drm/xe/xe_eu_stall.c    |  5 +++--
 drivers/gpu/drm/xe/xe_oa.c          | 25 +++++++++++++---------
 drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
 drivers/gpu/drm/xe/xe_observation.h |  3 +--
 4 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c index dddcdd0bb7a3..ede8e3c98b2b 100644 --- a/drivers/gpu/drm/xe/xe_eu_stall.c +++ b/drivers/gpu/drm/xe/xe_eu_stall.c @@ -963,9 +963,10 @@ int xe_eu_stall_stream_open(struct drm_device *dev, u64 data, struct drm_file *f return -ENODEV; } - if (xe_observation_paranoid && !perfmon_capable()) { + ret = xe_observation_paranoid_check(); + if (ret) { drm_dbg(&xe->drm, "Insufficient privileges for EU stall monitoring\n"); - return -EACCES; + return ret; } /* Initialize and set default values */ diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c index d908f4e03906..f3dcff66b336 100644 --- a/drivers/gpu/drm/xe/xe_oa.c +++ b/drivers/gpu/drm/xe/xe_oa.c @@ -1676,9 +1676,10 @@ static int xe_oa_mmap(struct file *file, struct vm_area_struct *vma) unsigned long start = vma->vm_start; int i, ret; - if (xe_observation_paranoid && !perfmon_capable()) { + ret = xe_observation_paranoid_check(); + if (ret) { drm_dbg(&stream->oa->xe->drm, "Insufficient privilege to map OA buffer\n"); - return -EACCES; + return ret; } /* Can mmap the entire OA buffer or nothing (no partial OA buffer mmaps) */ @@ -2054,10 +2055,12 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f privileged_op = true; } - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { - drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); - ret = -EACCES; - goto err_exec_q; + if (privileged_op) { + ret = xe_observation_paranoid_check(); + if (ret) { + drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); + goto err_exec_q; + } } if (!param.exec_q && !param.sample) { 
@@ -2336,9 +2339,10 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi return -ENODEV; } - if (xe_observation_paranoid && !perfmon_capable()) { + err = xe_observation_paranoid_check(); + if (err) { drm_dbg(&oa->xe->drm, "Insufficient privileges to add xe OA config\n"); - return -EACCES; + return err; } err = copy_from_user(¶m, u64_to_user_ptr(data), sizeof(param)); @@ -2438,9 +2442,10 @@ int xe_oa_remove_config_ioctl(struct drm_device *dev, u64 data, struct drm_file return -ENODEV; } - if (xe_observation_paranoid && !perfmon_capable()) { + ret = xe_observation_paranoid_check(); + if (ret) { drm_dbg(&oa->xe->drm, "Insufficient privileges to remove xe OA config\n"); - return -EACCES; + return ret; } ret = get_user(arg, ptr); diff --git a/drivers/gpu/drm/xe/xe_observation.c b/drivers/gpu/drm/xe/xe_observation.c index e3f9b546207e..39e05b9131a7 100644 --- a/drivers/gpu/drm/xe/xe_observation.c +++ b/drivers/gpu/drm/xe/xe_observation.c @@ -4,6 +4,7 @@ */ #include <linux/errno.h> +#include <linux/perf_event.h> #include <linux/sysctl.h> #include <uapi/drm/xe_drm.h> 
@@ -12,9 +13,28 @@ #include "xe_oa.h" #include "xe_observation.h" -u32 xe_observation_paranoid = true; +static u32 xe_observation_paranoid = true; static struct ctl_table_header *sysctl_header; +/** + * xe_observation_paranoid_check - Gate access to xe observation streams. + * + * When the xe-specific observation_paranoid sysctl is enabled (the + * default), defer to perf_allow_cpu() so that access is governed by the + * same policy as system-wide perf CPU events: kernel.perf_event_paranoid + * plus the security_perf_event_open() LSM hook. When the sysctl has been + * cleared by a privileged user, observation is open to all callers. + * + * Return: 0 if access is permitted, a negative errno otherwise. + */ +int xe_observation_paranoid_check(void) +{ + if (!xe_observation_paranoid) + return 0; + + return perf_allow_cpu(); +} + static int xe_oa_ioctl(struct drm_device *dev, struct drm_xe_observation_param *arg, struct drm_file *file) { @@ -83,11 +103,13 @@ static const struct ctl_table observation_ctl_table[] = { }; /** - * xe_observation_sysctl_register - Register xe_observation_paranoid sysctl + * xe_observation_sysctl_register - Register the observation_paranoid sysctl * - * Normally only superuser/root can access observation stream - * data. However, superuser can set xe_observation_paranoid sysctl to 0 to - * allow non-privileged users to also access observation data. + * When dev.xe.observation_paranoid is set (the default), access to + * observation streams follows the system-wide perf_allow_cpu() policy: + * kernel.perf_event_paranoid plus the security_perf_event_open() LSM + * hook. A privileged user can clear the sysctl to bypass that gate and + * allow unprivileged access to observation data. * * Return: always returns 0 */ diff --git a/drivers/gpu/drm/xe/xe_observation.h b/drivers/gpu/drm/xe/xe_observation.h index 17816998e966..73a03e03c96a 100644 --- a/drivers/gpu/drm/xe/xe_observation.h +++ b/drivers/gpu/drm/xe/xe_observation.h 
@@ -11,8 +11,7 @@ struct drm_device; struct drm_file; -extern u32 xe_observation_paranoid; - +int xe_observation_paranoid_check(void); int xe_observation_ioctl(struct drm_device *dev, void *data, struct drm_file *file); int xe_observation_sysctl_register(void); void xe_observation_sysctl_unregister(void); -- 2.54.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
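Review bot: xe_observation_paranoid_check() in xe_observation.c can widen access as well as narrow it, and neither its new kernel-doc nor the commit message says so. The removed check refused every caller without perfmon_capable() while the xe sysctl was set; perf_allow_cpu() refuses only when "sysctl_perf_event_paranoid > 0", so on a host where kernel.perf_event_paranoid is 0 or -1 an unprivileged process now passes the gate with dev.xe.observation_paranoid still at its default of true. Please state this in the function comment and the changelog so administrators know that kernel.perf_event_paranoid now also decides who can read xe observation data.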
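Review bot: the commit message says the policy is consulted "on every open", but the xe_oa.c hunks also route xe_oa_mmap(), xe_oa_add_config_ioctl() and xe_oa_remove_config_ioctl() through xe_observation_paranoid_check(), so security_perf_event_open(PERF_SECURITY_CPU) now runs on mmap and on config add/remove as well. Either list those call sites in the changelog or explain why the open-time LSM hook is the right one for them. The drm_dbg() strings at all five sites still read "Insufficient privileges" although the returned value may now be an LSM denial; including ret (or err) in the message would let the two cases be told apart in the log.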

* Re: [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu()
@ 2026-05-23 2:20 sashiko-bot
From: sashiko-bot @ 2026-05-23 2:20 UTC
To: John Hubbard; +Cc: linux-perf-users

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] Reference leak of `xe_exec_queue` when the execution queue width is unsupported.
- [High] Failure in `idr_alloc()` leads to a leaked sysfs group and a subsequent Use-After-Free of `oa_config`.
- [High] Exposing file descriptor to user space before acquiring device reference leads to potential Use-After-Free.
--

commit 8e3552a6815565ba8e84e67fba6937312f269a6f
Author: John Hubbard <jhubbard@nvidia.com>
Subject: drm/xe: gate observation streams with perf_allow_cpu()

This commit introduces xe_observation_paranoid_check() to wrap
perf_allow_cpu() and converts the open-coded sites in xe_oa.c and
xe_eu_stall.c. It ensures xe observation consults kernel.perf_event_paranoid
and the LSM perf hook on every open.

> diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c > index c34408cfd292c..a1fd7dace0a61 100644 > --- a/drivers/gpu/drm/xe/xe_eu_stall.c > +++ b/drivers/gpu/drm/xe/xe_eu_stall.c
[ ... ]
> @@ -963,9 +963,10 @@ int xe_eu_stall_stream_open(struct drm_device *dev, u64 data, struct drm_file *f > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&xe->drm, "Insufficient privileges for EU stall monitoring\n"); > - return -EACCES; > + return ret; > } > > /* Initialize and set default values */

[Severity: High]
This is a pre-existing issue, but is there a potential use-after-free
if anon_inode_getfd() is called before drm_dev_get() in the locked stream
open functions (like xe_eu_stall_stream_open_locked)?

If anon_inode_getfd() exposes the file descriptor to user space, it becomes
immediately visible. If a concurrent thread calls close() on the new fd
before drm_dev_get() increments the device refcount, the release handler
will drop a device reference prematurely.

Could this potentially free the DRM device while the original thread resumes
and calls drm_dev_get()?

> diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c > index 6337e671c97ae..f15847be01bc2 100644 > --- a/drivers/gpu/drm/xe/xe_oa.c > +++ b/drivers/gpu/drm/xe/xe_oa.c
[ ... ]
> @@ -2052,10 +2053,12 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f > privileged_op = true; > } > > - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { > - drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > - ret = -EACCES; > - goto err_exec_q; > + if (privileged_op) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > + drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > + goto err_exec_q; > + } > } > > if (!param.exec_q && !param.sample) {

[Severity: High]
This is a pre-existing issue, but does this function leak the xe_exec_queue
reference?

Earlier in the function, if param.exec_q->width > 1, it directly returns
-EOPNOTSUPP:

    if (param.exec_queue_id > 0) {
        ...
        param.exec_q = xe_exec_queue_lookup(xef, param.exec_queue_id);
        ...
        if (XE_IOCTL_DBG(oa->xe, param.exec_q->width > 1))
            return -EOPNOTSUPP;
    }

This bypasses the err_exec_q label which is responsible for calling
xe_exec_queue_put(param.exec_q).

Since this happens before the privilege check, could an unprivileged user
repeatedly trigger this to exhaust kernel memory?

[ ... ]
> @@ -2334,9 +2337,10 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + err = xe_observation_paranoid_check(); > + if (err) { > drm_dbg(&oa->xe->drm, "Insufficient privileges to add xe OA config\n"); > - return -EACCES; > + return err; > } > > err = copy_from_user(¶m, u64_to_user_ptr(data), sizeof(param));

[Severity: High]
This is a pre-existing issue, but does a failure in idr_alloc() lead to a
leaked sysfs group and a use-after-free?

Later in this function, create_dynamic_oa_sysfs_entry() creates a sysfs
group linked to oa_config. If the subsequent idr_alloc() fails:

    err = create_dynamic_oa_sysfs_entry(oa, oa_config);
    ...
    oa_config->id = idr_alloc(&oa->metrics_idr, oa_config, 1, 0, GFP_KERNEL);
    if (oa_config->id < 0) {
        ...
        err = oa_config->id;
        goto sysfs_err;
    }

The code jumps to sysfs_err and frees oa_config via xe_oa_config_put(),
but it does not call sysfs_remove_group().

Can user space read the remaining sysfs files to trigger show_dynamic_id(),
dereferencing the freed oa_config?

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260523013326.129491-1-jhubbard@nvidia.com?part=2

* Re: [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu()
@ 2026-05-23 2:24 John Hubbard
From: John Hubbard @ 2026-05-23 2:24 UTC
To: sashiko-reviews; +Cc: linux-perf-users

On 5/22/26 7:20 PM, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Reference leak of `xe_exec_queue` when the execution queue width is unsupported.
> - [High] Failure in `idr_alloc()` leads to a leaked sysfs group and a subsequent Use-After-Free of `oa_config`.
> - [High] Exposing file descriptor to user space before acquiring device reference leads to potential Use-After-Free.

These are all pre-existing issues, and thus out of scope for this
patchset.

thanks,
--
John Hubbard

> --
>
> commit 8e3552a6815565ba8e84e67fba6937312f269a6f
> Author: John Hubbard <jhubbard@nvidia.com>
> Subject: drm/xe: gate observation streams with perf_allow_cpu()
>
> This commit introduces xe_observation_paranoid_check() to wrap
> perf_allow_cpu() and converts the open-coded sites in xe_oa.c and
> xe_eu_stall.c. It ensures xe observation consults kernel.perf_event_paranoid
> and the LSM perf hook on every open.
>
>> diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c >> index c34408cfd292c..a1fd7dace0a61 100644 >> --- a/drivers/gpu/drm/xe/xe_eu_stall.c >> +++ b/drivers/gpu/drm/xe/xe_eu_stall.c
> [ ... ]
>> @@ -963,9 +963,10 @@ int xe_eu_stall_stream_open(struct drm_device *dev, u64 data, struct drm_file *f >> return -ENODEV; >> } >> >> - if (xe_observation_paranoid && !perfmon_capable()) { >> + ret = xe_observation_paranoid_check(); >> + if (ret) { >> drm_dbg(&xe->drm, "Insufficient privileges for EU stall monitoring\n"); >> - return -EACCES; >> + return ret; >> } >> >> /* Initialize and set default values */
>
> [Severity: High]
> This is a pre-existing issue, but is there a potential use-after-free
> if anon_inode_getfd() is called before drm_dev_get() in the locked stream
> open functions (like xe_eu_stall_stream_open_locked)?
>
> If anon_inode_getfd() exposes the file descriptor to user space, it becomes
> immediately visible. If a concurrent thread calls close() on the new fd
> before drm_dev_get() increments the device refcount, the release handler
> will drop a device reference prematurely.
>
> Could this potentially free the DRM device while the original thread resumes
> and calls drm_dev_get()?
>
>> diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c >> index 6337e671c97ae..f15847be01bc2 100644 >> --- a/drivers/gpu/drm/xe/xe_oa.c >> +++ b/drivers/gpu/drm/xe/xe_oa.c
> [ ... ]
>> @@ -2052,10 +2053,12 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f >> privileged_op = true; >> } >> >> - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { >> - drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); >> - ret = -EACCES; >> - goto err_exec_q; >> + if (privileged_op) { >> + ret = xe_observation_paranoid_check(); >> + if (ret) { >> + drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); >> + goto err_exec_q; >> + } >> } >> >> if (!param.exec_q && !param.sample) {
>
> [Severity: High]
> This is a pre-existing issue, but does this function leak the xe_exec_queue
> reference?
>
> Earlier in the function, if param.exec_q->width > 1, it directly returns
> -EOPNOTSUPP:
>
>     if (param.exec_queue_id > 0) {
>         ...
>         param.exec_q = xe_exec_queue_lookup(xef, param.exec_queue_id);
>         ...
>         if (XE_IOCTL_DBG(oa->xe, param.exec_q->width > 1))
>             return -EOPNOTSUPP;
>     }
>
> This bypasses the err_exec_q label which is responsible for calling
> xe_exec_queue_put(param.exec_q).
>
> Since this happens before the privilege check, could an unprivileged user
> repeatedly trigger this to exhaust kernel memory?
>
> [ ... ]
>> @@ -2334,9 +2337,10 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi >> return -ENODEV; >> } >> >> - if (xe_observation_paranoid && !perfmon_capable()) { >> + err = xe_observation_paranoid_check(); >> + if (err) { >> drm_dbg(&oa->xe->drm, "Insufficient privileges to add xe OA config\n"); >> - return -EACCES; >> + return err; >> } >> >> err = copy_from_user(¶m, u64_to_user_ptr(data), sizeof(param)); > > [Severity: High] > This is a pre-existing issue, but does a failure in idr_alloc() lead to a > leaked sysfs group and a use-after-free? > > Later in this function, create_dynamic_oa_sysfs_entry() creates a sysfs > group linked to oa_config. If the subsequent idr_alloc() fails: > > err = create_dynamic_oa_sysfs_entry(oa, oa_config); > ... > oa_config->id = idr_alloc(&oa->metrics_idr, oa_config, 1, 0, GFP_KERNEL); > if (oa_config->id < 0) { > ... > err = oa_config->id; > goto sysfs_err; > } > > The code jumps to sysfs_err and frees oa_config via xe_oa_config_put(), > but it does not call sysfs_remove_group(). > > Can user space read the remaining sysfs files to trigger show_dynamic_id(), > dereferencing the freed oa_config? > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu()
2026-05-23 1:33 ` [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu() John Hubbard
2026-05-23 2:20 ` sashiko-bot
@ 2026-05-27 3:34 ` Dixit, Ashutosh
1 sibling, 0 replies; 14+ messages in thread
From: Dixit, Ashutosh @ 2026-05-27 3:34 UTC (permalink / raw)
To: John Hubbard
Cc: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Peter Zijlstra, Ingo Molnar,
Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter,
James Clark, intel-xe, dri-devel, linux-perf-users, LKML

On Fri, 22 May 2026 18:33:26 -0700, John Hubbard wrote:
>
> xe OA and EU-stall paths open-code a partial copy of the system-wide
> perf CPU-event permission check:
>
>     if (xe_observation_paranoid && !perfmon_capable())
>         return -EACCES;
>
> This open-coded check skips two things perf_allow_cpu() handles: the
> graduated kernel.perf_event_paranoid policy that an administrator
> may have tuned, and the security_perf_event_open() LSM hook.
>
> Introduce xe_observation_paranoid_check() to wrap perf_allow_cpu(),
> and convert the open-coded sites in xe_oa.c and xe_eu_stall.c. The
> dev.xe.observation_paranoid sysctl still acts as an escape hatch
> when cleared.
>
> xe observation now consults kernel.perf_event_paranoid and the LSM
> perf hook on every open. Sites that have already configured an LSM
> perf policy or tuned the paranoid sysctl will see those settings
> extend to xe.
>
> Signed-off-by: John Hubbard <jhubbard@nvidia.com>

LGTM:
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>

> ---
> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
> drivers/gpu/drm/xe/xe_observation.h | 3 +--
> 4 files changed, 46 insertions(+), 19 deletions(-)
> > diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c > index dddcdd0bb7a3..ede8e3c98b2b 100644 > --- a/drivers/gpu/drm/xe/xe_eu_stall.c > +++ b/drivers/gpu/drm/xe/xe_eu_stall.c > @@ -963,9 +963,10 @@ int xe_eu_stall_stream_open(struct drm_device *dev, u64 data, struct drm_file *f > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&xe->drm, "Insufficient privileges for EU stall monitoring\n"); > - return -EACCES; > + return ret; > } > > /* Initialize and set default values */ > diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c > index d908f4e03906..f3dcff66b336 100644 > --- a/drivers/gpu/drm/xe/xe_oa.c > +++ b/drivers/gpu/drm/xe/xe_oa.c > @@ -1676,9 +1676,10 @@ static int xe_oa_mmap(struct file *file, struct vm_area_struct *vma) > unsigned long start = vma->vm_start; > int i, ret; > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&stream->oa->xe->drm, "Insufficient privilege to map OA buffer\n"); > - return -EACCES; > + return ret; > } > > /* Can mmap the entire OA buffer or nothing (no partial OA buffer mmaps) */ > @@ -2054,10 +2055,12 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f > privileged_op = true; > } > > - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { > - drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > - ret = -EACCES; > - goto err_exec_q; > + if (privileged_op) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > + drm_dbg(&oa->xe->drm, "Insufficient privileges to open xe OA stream\n"); > + goto err_exec_q; > + } > } > > if (!param.exec_q && !param.sample) { 
> @@ -2336,9 +2339,10 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + err = xe_observation_paranoid_check(); > + if (err) { > drm_dbg(&oa->xe->drm, "Insufficient privileges to add xe OA config\n"); > - return -EACCES; > + return err; > } > > err = copy_from_user(¶m, u64_to_user_ptr(data), sizeof(param)); > @@ -2438,9 +2442,10 @@ int xe_oa_remove_config_ioctl(struct drm_device *dev, u64 data, struct drm_file > return -ENODEV; > } > > - if (xe_observation_paranoid && !perfmon_capable()) { > + ret = xe_observation_paranoid_check(); > + if (ret) { > drm_dbg(&oa->xe->drm, "Insufficient privileges to remove xe OA config\n"); > - return -EACCES; > + return ret; > } > > ret = get_user(arg, ptr); > diff --git a/drivers/gpu/drm/xe/xe_observation.c b/drivers/gpu/drm/xe/xe_observation.c > index e3f9b546207e..39e05b9131a7 100644 > --- a/drivers/gpu/drm/xe/xe_observation.c > +++ b/drivers/gpu/drm/xe/xe_observation.c > @@ -4,6 +4,7 @@ > */ > > #include <linux/errno.h> > +#include <linux/perf_event.h> > #include <linux/sysctl.h> > > #include <uapi/drm/xe_drm.h> 
> @@ -12,9 +13,28 @@ > #include "xe_oa.h" > #include "xe_observation.h" > > -u32 xe_observation_paranoid = true; > +static u32 xe_observation_paranoid = true; > static struct ctl_table_header *sysctl_header; > > +/** > + * xe_observation_paranoid_check - Gate access to xe observation streams. > + * > + * When the xe-specific observation_paranoid sysctl is enabled (the > + * default), defer to perf_allow_cpu() so that access is governed by the > + * same policy as system-wide perf CPU events: kernel.perf_event_paranoid > + * plus the security_perf_event_open() LSM hook. When the sysctl has been > + * cleared by a privileged user, observation is open to all callers. > + * > + * Return: 0 if access is permitted, a negative errno otherwise. > + */ > +int xe_observation_paranoid_check(void) > +{ > + if (!xe_observation_paranoid) > + return 0; > + > + return perf_allow_cpu(); > +} > + > static int xe_oa_ioctl(struct drm_device *dev, struct drm_xe_observation_param *arg, > struct drm_file *file) > { > @@ -83,11 +103,13 @@ static const struct ctl_table observation_ctl_table[] = { > }; > > /** > - * xe_observation_sysctl_register - Register xe_observation_paranoid sysctl > + * xe_observation_sysctl_register - Register the observation_paranoid sysctl > * > - * Normally only superuser/root can access observation stream > - * data. However, superuser can set xe_observation_paranoid sysctl to 0 to > - * allow non-privileged users to also access observation data. > + * When dev.xe.observation_paranoid is set (the default), access to > + * observation streams follows the system-wide perf_allow_cpu() policy: > + * kernel.perf_event_paranoid plus the security_perf_event_open() LSM > + * hook. A privileged user can clear the sysctl to bypass that gate and > + * allow unprivileged access to observation data. > * > * Return: always returns 0 > */ > diff --git a/drivers/gpu/drm/xe/xe_observation.h b/drivers/gpu/drm/xe/xe_observation.h > index 17816998e966..73a03e03c96a 100644 
> --- a/drivers/gpu/drm/xe/xe_observation.h > +++ b/drivers/gpu/drm/xe/xe_observation.h > @@ -11,8 +11,7 @@ > struct drm_device; > struct drm_file; > > -extern u32 xe_observation_paranoid; > - > +int xe_observation_paranoid_check(void); > int xe_observation_ioctl(struct drm_device *dev, void *data, struct drm_file *file); > int xe_observation_sysctl_register(void); > void xe_observation_sysctl_unregister(void); > -- > 2.54.0 > ^ permalink raw reply [flat|nested] 14+ messages in thread
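Review bot: in xe_observation_paranoid_check() (xe_observation.c), the default path no longer requires perfmon_capable() unconditionally; with the sysctl set it returns whatever perf_allow_cpu() decides. The commit message presents this as extending existing policy to xe, but it cuts both ways: on a system where an administrator has relaxed kernel.perf_event_paranoid, a caller that used to get -EACCES from xe may now be admitted to OA and EU stall data even though dev.xe.observation_paranoid is still at its default. Please say so explicitly in the commit message and in the kernel-doc above the helper, so that whoever relaxed the perf sysctl for CPU profiling knows GPU observation now follows it.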
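Review bot: the converted sites now propagate the helper's return value (`return ret;` in xe_eu_stall_stream_open(), `return err;` in xe_oa_add_config_ioctl(), and the `goto err_exec_q` path in xe_oa_stream_open_ioctl()) where they previously returned a fixed -EACCES. The kernel-doc for xe_observation_paranoid_check() promises only "a negative errno", so once the security_perf_event_open() hook is in the path, user space that tests for EACCES specifically could see a different value. Either note the uAPI-visible change in the commit message or confirm that existing xe observation users treat every failure from these ioctls the same way.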
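Review bot: the commit message says the policy is consulted "on every open", but the hunks in xe_oa_mmap(), xe_oa_add_config_ioctl() and xe_oa_remove_config_ioctl() put the same check on mmap and on config add/remove as well. For xe_oa_mmap() in particular the stream fd was already gated when it was opened, so is re-running the perf policy and the LSM hook at mmap time intended, for example to catch a policy change after open or a different task holding the fd? Please list all gated entry points in the commit message and state the intent for the mmap case.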
* Re: [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
2026-05-23 1:33 [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe John Hubbard
2026-05-23 1:33 ` [PATCH v2 1/2] perf/core: out-of-line and export perf_allow_cpu/tracepoint() John Hubbard
2026-05-23 1:33 ` [PATCH v2 2/2] drm/xe: gate observation streams with perf_allow_cpu() John Hubbard
@ 2026-05-23 8:40 ` Peter Zijlstra
2026-05-23 17:52 ` John Hubbard
2 siblings, 1 reply; 14+ messages in thread
From: Peter Zijlstra @ 2026-05-23 8:40 UTC (permalink / raw)
To: John Hubbard
Cc: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users,
LKML

On Fri, May 22, 2026 at 06:33:24PM -0700, John Hubbard wrote:
> perf_allow_cpu() and perf_allow_tracepoint() are static inline and
> reach into a non-exported sysctl, so modular drivers that want the
> same permission model as system-wide perf end up writing partial
> copies of this code. Let's instead export these properly so that modules
> can call them.
>
> Commit 5e9629d0ae97 ("drivers/perf: arm_spe: Use perf_allow_kernel()
> for permissions") already moved perf_allow_kernel() out of line and
> exported it. Patch 1 does the same for the other two, and provides
> !CONFIG_PERF_EVENTS stubs so the helpers stay callable when perf is
> compiled out.
>
> Patch 2 converts drm/xe's OA and EU stall paths to call
> perf_allow_cpu(), so xe observation now respects the system
> perf_event_paranoid policy and consults the LSM hook. Sites that have
> already configured an LSM perf policy or tuned the paranoid sysctl will
> now see those settings honored on xe as well.
>
> Changes since v1:
>
> * Patch 1: add !CONFIG_PERF_EVENTS stubs that fall back to
> perfmon_capable() so the helpers remain callable when perf is
> compiled out. The sashiko-bot AI review caught that the v1 code
> would otherwise fail to build with PERF_EVENTS=n.
>
> John Hubbard (2):
> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
> drm/xe: gate observation streams with perf_allow_cpu()
>
> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
> drivers/gpu/drm/xe/xe_observation.h | 3 +--
> include/linux/perf_event.h | 31 ++++++++++++++--------------
> kernel/events/core.c | 18 ++++++++++++++++
> 6 files changed, 79 insertions(+), 35 deletions(-)

Sure, works for me. How do you want to route these things, Xe tree or
-tip?
* Re: [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
2026-05-23 8:40 ` [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe Peter Zijlstra
@ 2026-05-23 17:52 ` John Hubbard
2026-05-27 3:34 ` Dixit, Ashutosh
0 siblings, 1 reply; 14+ messages in thread
From: John Hubbard @ 2026-05-23 17:52 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Matthew Brost, Thomas Hellström, Rodrigo Vivi, David Airlie,
Simona Vetter, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
Adrian Hunter, James Clark, intel-xe, dri-devel, linux-perf-users,
LKML

On 5/23/26 1:40 AM, Peter Zijlstra wrote:
> On Fri, May 22, 2026 at 06:33:24PM -0700, John Hubbard wrote:
...
>> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
>> drm/xe: gate observation streams with perf_allow_cpu()
>>
>> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
>> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
>> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
>> drivers/gpu/drm/xe/xe_observation.h | 3 +--
>> include/linux/perf_event.h | 31 ++++++++++++++--------------
>> kernel/events/core.c | 18 ++++++++++++++++
>> 6 files changed, 79 insertions(+), 35 deletions(-)
>
> Sure, works for me. How do you want to route these things, Xe tree or
> -tip?

Hi Peter,

Maybe -tip, but really, either way is perfectly OK with me.

thanks,
--
John Hubbard
* Re: [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
2026-05-23 17:52 ` John Hubbard
@ 2026-05-27 3:34 ` Dixit, Ashutosh
2026-05-27 15:42 ` Rodrigo Vivi
0 siblings, 1 reply; 14+ messages in thread
From: Dixit, Ashutosh @ 2026-05-27 3:34 UTC (permalink / raw)
To: John Hubbard
Cc: Peter Zijlstra, Matthew Brost, Thomas Hellström, Rodrigo Vivi,
David Airlie, Simona Vetter, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, intel-xe, dri-devel,
linux-perf-users, LKML

On Sat, 23 May 2026 10:52:16 -0700, John Hubbard wrote:
>
> On 5/23/26 1:40 AM, Peter Zijlstra wrote:
> > On Fri, May 22, 2026 at 06:33:24PM -0700, John Hubbard wrote:
> ...
> >> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
> >> drm/xe: gate observation streams with perf_allow_cpu()
> >>
> >> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
> >> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
> >> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
> >> drivers/gpu/drm/xe/xe_observation.h | 3 +--
> >> include/linux/perf_event.h | 31 ++++++++++++++--------------
> >> kernel/events/core.c | 18 ++++++++++++++++
> >> 6 files changed, 79 insertions(+), 35 deletions(-)
> >
> > Sure, works for me. How do you want to route these things, Xe tree or
> > -tip?
>
> Hi Peter,
>
> Maybe -tip, but really, either way is perfectly OK with me.

I've R-b'd both the patches. If you want to merge via Xe tree, let me know
and we can get them merged.

Thanks.
--
Ashutosh
* Re: [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
2026-05-27 3:34 ` Dixit, Ashutosh
@ 2026-05-27 15:42 ` Rodrigo Vivi
2026-05-27 16:30 ` Peter Zijlstra
0 siblings, 1 reply; 14+ messages in thread
From: Rodrigo Vivi @ 2026-05-27 15:42 UTC (permalink / raw)
To: Dixit, Ashutosh
Cc: John Hubbard, Peter Zijlstra, Matthew Brost, Thomas Hellström,
David Airlie, Simona Vetter, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, intel-xe, dri-devel,
linux-perf-users, LKML

On Tue, May 26, 2026 at 08:34:57PM -0700, Dixit, Ashutosh wrote:
> On Sat, 23 May 2026 10:52:16 -0700, John Hubbard wrote:
> >
> > On 5/23/26 1:40 AM, Peter Zijlstra wrote:
> > > On Fri, May 22, 2026 at 06:33:24PM -0700, John Hubbard wrote:
> > ...
> > >> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
> > >> drm/xe: gate observation streams with perf_allow_cpu()
> > >>
> > >> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
> > >> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
> > >> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
> > >> drivers/gpu/drm/xe/xe_observation.h | 3 +--
> > >> include/linux/perf_event.h | 31 ++++++++++++++--------------
> > >> kernel/events/core.c | 18 ++++++++++++++++
> > >> 6 files changed, 79 insertions(+), 35 deletions(-)
> > >
> > > Sure, works for me. How do you want to route these things, Xe tree or
> > > -tip?
> >
> > Hi Peter,
> >
> > Maybe -tip, but really, either way is perfectly OK with me.
>
> I've R-b'd both the patches. If you want to merge via Xe tree, let me know
> and we can get them merged.

To get them through drm-xe trees we need ack from performance events subsystem
maintainers.

Peter, Ingo, anyone, ack here?

Or do you prefer to get this through your trees?
Then,
Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

Thanks,
Rodrigo.

>
> Thanks.
> --
> Ashutosh
* Re: [PATCH v2 0/2] complete perf_allow_* trio and use in drm/xe
2026-05-27 15:42 ` Rodrigo Vivi
@ 2026-05-27 16:30 ` Peter Zijlstra
0 siblings, 0 replies; 14+ messages in thread
From: Peter Zijlstra @ 2026-05-27 16:30 UTC (permalink / raw)
To: Rodrigo Vivi
Cc: Dixit, Ashutosh, John Hubbard, Matthew Brost, Thomas Hellström,
David Airlie, Simona Vetter, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, intel-xe, dri-devel,
linux-perf-users, LKML

On Wed, May 27, 2026 at 11:42:44AM -0400, Rodrigo Vivi wrote:
> On Tue, May 26, 2026 at 08:34:57PM -0700, Dixit, Ashutosh wrote:
> > On Sat, 23 May 2026 10:52:16 -0700, John Hubbard wrote:
> > >
> > > On 5/23/26 1:40 AM, Peter Zijlstra wrote:
> > > > On Fri, May 22, 2026 at 06:33:24PM -0700, John Hubbard wrote:
> > > ...
> > > >> perf/core: out-of-line and export perf_allow_cpu/tracepoint()
> > > >> drm/xe: gate observation streams with perf_allow_cpu()
> > > >>
> > > >> drivers/gpu/drm/xe/xe_eu_stall.c | 5 +++--
> > > >> drivers/gpu/drm/xe/xe_oa.c | 25 +++++++++++++---------
> > > >> drivers/gpu/drm/xe/xe_observation.c | 32 ++++++++++++++++++++++++-----
> > > >> drivers/gpu/drm/xe/xe_observation.h | 3 +--
> > > >> include/linux/perf_event.h | 31 ++++++++++++++--------------
> > > >> kernel/events/core.c | 18 ++++++++++++++++
> > > >> 6 files changed, 79 insertions(+), 35 deletions(-)
> > > >
> > > > Sure, works for me. How do you want to route these things, Xe tree or
> > > > -tip?
> > >
> > > Hi Peter,
> > >
> > > Maybe -tip, but really, either way is perfectly OK with me.
> >
> > I've R-b'd both the patches. If you want to merge via Xe tree, let me know
> > and we can get them merged.
>
> To get them through drm-xe trees we need ack from performance events subsystem
> maintainers.
>
> Peter, Ingo, anyone, ack here?

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>