Re: [PATCH 2/2] perf/x86: Update cap_user_rdpmc base on rdpmc user disable state

From: Ian Rogers

Date: Thu Mar 12 2026 - 01:05:07 EST


On Wed, Mar 11, 2026 at 9:44 PM Ian Rogers <irogers@xxxxxxxxxx> wrote:
>
> On Wed, Mar 11, 2026 at 12:56 AM Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx> wrote:
> >
> > After introducing the RDPMC user disable feature, user-space RDPMC may
> > return 0 instead of the actual event count. This creates an inconsistency
> > with cap_user_rdpmc, where cap_user_rdpmc is set, but user-space RDPMC
> > only returns 0.
> >
> > To accurately represent the user-space RDPMC capability, update
> > cap_user_rdpmc based on the RDPMC user disable state. If RDPMC user
> > disable is enabled, cap_user_rdpmc is set to false, allowing user-space
> > programs to fall back to the read() syscall to obtain the real event
> > count.
> >
> > Fixes: 59af95e028d4 ("perf/x86/intel: Add support for rdpmc user disable feature")
> > Signed-off-by: Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx>
> > ---
> > arch/x86/events/core.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> > index 03ce1bc7ef2e..0266a11d7ec9 100644
> > --- a/arch/x86/events/core.c
> > +++ b/arch/x86/events/core.c
> > @@ -2807,6 +2807,9 @@ void arch_perf_update_userpage(struct perf_event *event,
> > userpg->cap_user_time_zero = 0;
> > userpg->cap_user_rdpmc =
> > !!(event->hw.flags & PERF_EVENT_FLAG_USER_READ_CNT);
> > + if (x86_pmu_has_rdpmc_user_disable(event->pmu) &&
>
> With the AI's help the following bug was spotted:
>
> Places like cpu_clock_event_add call perf_event_update_userpage with a
> software event:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n12314
> This then calls arch_perf_update_userpage:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c#n6870
> In x86_pmu_has_rdpmc_user_disable:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n1336
> ```
> static inline bool x86_pmu_has_rdpmc_user_disable(struct pmu *pmu)
> {
> return !!(hybrid(pmu, config_mask) &
> ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE);
> }
> ```
> The hybrid call does a call to hybrid_pmu:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n793
> and that does a container_of:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/perf_event.h#n782
> ```
> static __always_inline struct x86_hybrid_pmu *hybrid_pmu(struct pmu *pmu)
> {
> return container_of(pmu, struct x86_hybrid_pmu, pmu);
> }
> ```
> In the case that the event's pmu is a software PMU the container_of
> should be invalid and this will lead to an out-of-bounds read of the
> config_mask on hybrid systems.
>
> Unfortunately checking the event is x86 doesn't cover the hybrid case:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/events/core.c#n780
> and it seems this bug may exist elsewhere. It'd be nice if in the
> hybrid_pmu function there were a `BUG_ON(!is_x86_pmu(pmu))`, but
> unfortunately that'd only get exposed on hybrid systems.

Actually is_x86_event does work for hybrid, so making this:
```
if (is_x86_event(event) && x86_pmu_has_rdpmc_user_disable(event->pmu) && ...
```
should fix the issue.

Thanks,
Ian

> Thanks,
> Ian
>
> > + event->hw.config & ARCH_PERFMON_EVENTSEL_RDPMC_USER_DISABLE)
> > + userpg->cap_user_rdpmc = 0;
> > userpg->pmc_width = x86_pmu.cntval_bits;
> >
> > if (!using_native_sched_clock() || !sched_clock_stable())
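Review bot: the added condition calls x86_pmu_has_rdpmc_user_disable(event->pmu) for every event reaching arch_perf_update_userpage, including software events (the cpu_clock_event_add path noted above) whose event->pmu is not an x86 PMU, so on hybrid systems hybrid_pmu()'s container_of() yields a bogus struct x86_hybrid_pmu and reads config_mask out of bounds. Guard the PMU query first, e.g. `if (is_x86_event(event) && x86_pmu_has_rdpmc_user_disable(event->pmu) &&`; alternatively test `userpg->cap_user_rdpmc`, which was just assigned from PERF_EVENT_FLAG_USER_READ_CNT, before the query so the lookup is skipped entirely when the capability is already clear.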
> > --
> > 2.34.1
> >
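The failure mode Ian describes, reduced to a user-space model as an added example (not kernel code, and not part of the thread): the struct names, the bit value and the is_x86_event() check are simplified stand-ins constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bit position; the real value lives in the kernel headers. */
#define RDPMC_USER_DISABLE (1ULL << 37)

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct pmu { const char *name; };

/* Hardware PMU: struct pmu is embedded here, so container_of() is valid. */
struct x86_hybrid_pmu {
	struct pmu pmu;
	uint64_t config_mask;
};

/* Software PMU: struct pmu sits in an unrelated container. The field that
 * follows it occupies the offset where container_of() expects config_mask;
 * in the kernel this read lands outside the software PMU's object. */
struct sw_pmu_holder {
	struct pmu pmu;
	uint64_t unrelated_data;
};

struct perf_event { struct pmu *pmu; };

/* Constructed instances: the software PMU's neighbouring field happens to
 * have the "disable" bit set, so an unguarded read misreports it. */
static struct x86_hybrid_pmu hw_pmu = { { "cpu_core" }, RDPMC_USER_DISABLE };
static struct sw_pmu_holder sw_pmu = { { "software" }, RDPMC_USER_DISABLE };

/* Simplified stand-in for the kernel's is_x86_event(): ownership by pmu pointer. */
static bool is_x86_event(const struct perf_event *event)
{
	return event->pmu == &hw_pmu.pmu;
}

/* Unguarded helper: assumes every pmu is embedded in an x86_hybrid_pmu. */
static bool has_rdpmc_user_disable_unguarded(struct pmu *pmu)
{
	struct x86_hybrid_pmu *h = container_of(pmu, struct x86_hybrid_pmu, pmu);
	return !!(h->config_mask & RDPMC_USER_DISABLE);
}

/* Guarded helper, as the reply proposes: software events never reach container_of(). */
static bool has_rdpmc_user_disable_guarded(const struct perf_event *event)
{
	return is_x86_event(event) && has_rdpmc_user_disable_unguarded(event->pmu);
}
```

Running the unguarded helper on the software PMU returns true only because of what happens to sit next to it in memory, which is exactly the out-of-bounds read the thread warns about.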