Re: [PATCH 2/2] perf/x86: Update cap_user_rdpmc base on rdpmc user disable state

From: Ian Rogers

Date: Thu Mar 12 2026 - 00:46:14 EST


On Wed, Mar 11, 2026 at 12:56 AM Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx> wrote:
>
> After introducing the RDPMC user disable feature, user-space RDPMC may
> return 0 instead of the actual event count. This creates an inconsistency
> with cap_user_rdpmc, where cap_user_rdpmc is set, but user-space RDPMC
> only returns 0.
>
> To accurately represent the user-space RDPMC capability, update
> cap_user_rdpmc based on the RDPMC user disable state. If RDPMC user
> disable is enabled, cap_user_rdpmc is set to false, allowing user-space
> programs to fall back to the read() syscall to obtain the real event
> count.
>
> Fixes: 59af95e028d4 ("perf/x86/intel: Add support for rdpmc user disable feature")
> Signed-off-by: Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx>
> ---
> arch/x86/events/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> index 03ce1bc7ef2e..0266a11d7ec9 100644
> --- a/arch/x86/events/core.c
> +++ b/arch/x86/events/core.c
> @@ -2807,6 +2807,9 @@ void arch_perf_update_userpage(struct perf_event *event,
> userpg->cap_user_time_zero = 0;
> userpg->cap_user_rdpmc =
> !!(event->hw.flags & PERF_EVENT_FLAG_USER_READ_CNT);
> + if (x86_pmu_has_rdpmc_user_disable(event->pmu) &&

With the AI's help the following bug was spotted:

Places like cpu_clock_event_add call perf_event_update_userpage with a
software event:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n12314
This then calls arch_perf_update_userpage:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n6870
In x86_pmu_has_rdpmc_user_disable:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n1336
```
static inline bool x86_pmu_has_rdpmc_user_disable(struct pmu *pmu)
{
	return !!(hybrid(pmu, config_mask) &
		  ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE);
}
```
The hybrid call does a call to hybrid_pmu:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n793
and that does a container_of:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n782
```
static __always_inline struct x86_hybrid_pmu *hybrid_pmu(struct pmu *pmu)
{
	return container_of(pmu, struct x86_hybrid_pmu, pmu);
}
```
In the case that the event's pmu is a software PMU the container_of
should be invalid and this will lead to an out-of-bounds read of the
config_mask on hybrid systems.

Unfortunately checking the event is x86 doesn't cover the hybrid case:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/core.c#n780
and it seems this bug may exist elsewhere. It'd be nice if in the
hybrid_pmu function there were a `BUG_ON(!is_x86_pmu(pmu))`, but
unfortunately that'd only get exposed on hybrid systems.

Thanks,
Ian

> + event->hw.config & ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE)
> + userpg->cap_user_rdpmc = 0;
> userpg->pmc_width = x86_pmu.cntval_bits;
>
> if (!using_native_sched_clock() || !sched_clock_stable())
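Review bot: the new condition starting at `+ if (x86_pmu_has_rdpmc_user_disable(event->pmu) &&` is evaluated for every event that reaches arch_perf_update_userpage, including software events whose `pmu` is not embedded in a struct x86_hybrid_pmu, so the `hybrid(pmu, config_mask)` lookup inside the helper becomes a container_of on the wrong object and an out-of-bounds read on hybrid systems. Since `userpg->cap_user_rdpmc` has just been derived from `event->hw.flags` on the two lines above, testing it first would short-circuit the hybrid lookup for any event that never had user reads enabled, e.g. `if (userpg->cap_user_rdpmc && x86_pmu_has_rdpmc_user_disable(event->pmu) && ...)`; alternatively the helper itself should verify the pmu is an x86 hybrid pmu before calling container_of.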
> --
> 2.34.1
>
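The failure mode Ian describes, container_of() applied to a struct pmu that is not actually embedded in a struct x86_hybrid_pmu, is easy to reproduce in user space. The following is an added example, not code from the patch or from the kernel: struct pmu, struct x86_hybrid_pmu, the hybrid_pmus registry, the software PMU and the sentinel value before it are all simplified, constructed stand-ins with assumed layouts. It shows the unguarded read returning whatever happens to precede the software pmu in memory, beside a guarded accessor that refuses the lookup unless the pmu is one of the registered hybrid ones (the role of the is_x86_pmu()/BUG_ON check the reply asks for).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's container_of(): walk back from a member to its
 * enclosing struct, with no check that the member really is embedded. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Assumed, simplified layouts; not the kernel's real definitions. */
struct pmu {
	const char *name;
};

struct x86_hybrid_pmu {
	uint64_t config_mask;	/* the field read by hybrid(pmu, config_mask) */
	struct pmu pmu;		/* generic pmu embedded in the hybrid one */
};

/* Constructed registry: the only struct pmu objects that are embedded in an
 * x86_hybrid_pmu, hence the only ones on which container_of() is valid. */
static struct x86_hybrid_pmu hybrid_pmus[2] = {
	{ .config_mask = 0x00000000ffffffffULL, .pmu = { .name = "cpu_core" } },
	{ .config_mask = 0x0000000000ffffffULL, .pmu = { .name = "cpu_atom" } },
};
#define NR_HYBRID_PMUS (sizeof(hybrid_pmus) / sizeof(hybrid_pmus[0]))

/* A software PMU: a stand-alone struct pmu, like the one cpu_clock events use.
 * It sits inside a holder so the bytes container_of() walks back into belong
 * to this example (a constructed sentinel) rather than to unrelated memory;
 * in the kernel they would be whatever precedes the software pmu. */
static struct {
	uint64_t guard[4];
	struct pmu pmu;
} sw_holder = {
	.guard = { 0, 0, 0, 0xdeadbeefdeadbeefULL },
	.pmu = { .name = "software" },
};

/* Membership check: true only if pmu is the .pmu member of a registered
 * hybrid PMU.  This is the guard the unguarded helper lacks. */
bool is_hybrid_pmu(const struct pmu *pmu)
{
	for (size_t i = 0; i < NR_HYBRID_PMUS; i++)
		if (pmu == &hybrid_pmus[i].pmu)
			return true;
	return false;
}

/* Mirrors hybrid_pmu() + hybrid(pmu, config_mask): trusts the caller that pmu
 * is embedded.  For the software pmu this returns the sentinel that happens to
 * precede it, i.e. garbage read from outside any x86_hybrid_pmu. */
uint64_t unguarded_config_mask(struct pmu *pmu)
{
	return container_of(pmu, struct x86_hybrid_pmu, pmu)->config_mask;
}

/* Guarded accessor: refuses to dereference container_of() for a pmu that is
 * not embedded.  Returns 0 and fills *mask on success, -1 otherwise. */
int hybrid_config_mask(struct pmu *pmu, uint64_t *mask)
{
	if (!is_hybrid_pmu(pmu))
		return -1;
	*mask = container_of(pmu, struct x86_hybrid_pmu, pmu)->config_mask;
	return 0;
}

int main(void)
{
	struct pmu *pmus[] = { &hybrid_pmus[0].pmu, &hybrid_pmus[1].pmu, &sw_holder.pmu };
	uint64_t mask;

	for (size_t i = 0; i < sizeof(pmus) / sizeof(pmus[0]); i++) {
		struct pmu *p = pmus[i];
		printf("%-8s hybrid=%d unguarded=0x%016llx guarded=",
		       p->name, is_hybrid_pmu(p),
		       (unsigned long long)unguarded_config_mask(p));
		if (hybrid_config_mask(p, &mask) == 0)
			printf("0x%016llx\n", (unsigned long long)mask);
		else
			printf("<refused>\n");
	}
	return 0;
}
```

The unguarded path is the one the quoted hunk takes for a software event; the guarded accessor is the shape of the fix, and the membership test is cheap because the set of hybrid PMUs is small and fixed.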