Re: [Patch v7 14/24] perf/x86: Enable XMM sampling using sample_simd_vec_reg_* fields
From: Mi, Dapeng
Date: Wed Mar 25 2026 - 05:01:42 EST
On 3/24/2026 8:41 AM, Dapeng Mi wrote:
> From: Kan Liang <kan.liang@xxxxxxxxxxxxxxx>
>
> This patch adds support for sampling XMM registers using the
> sample_simd_vec_reg_* fields.
>
> When sample_simd_regs_enabled is set, the original XMM space in the
> sample_regs_* field is treated as reserved. An INVAL error will be
> reported to user space if any bit is set in the original XMM space while
> sample_simd_regs_enabled is set.
>
> The perf_reg_value function requires ABI information to understand the
> layout of sample_regs. To accommodate this, a new abi field is introduced
> in the struct x86_perf_regs to represent ABI information.
>
> Additionally, the X86-specific perf_simd_reg_value function is implemented
> to retrieve the XMM register values.
>
> Signed-off-by: Kan Liang <kan.liang@xxxxxxxxxxxxxxx>
> Co-developed-by: Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx>
> Signed-off-by: Dapeng Mi <dapeng1.mi@xxxxxxxxxxxxxxx>
> ---
> arch/x86/events/core.c | 89 +++++++++++++++++++++++++--
> arch/x86/events/intel/ds.c | 2 +-
> arch/x86/events/perf_event.h | 12 ++++
> arch/x86/include/asm/perf_event.h | 1 +
> arch/x86/include/uapi/asm/perf_regs.h | 13 ++++
> arch/x86/kernel/perf_regs.c | 51 ++++++++++++++-
> 6 files changed, 161 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> index a5643c875190..3c9b79b46a66 100644
> --- a/arch/x86/events/core.c
> +++ b/arch/x86/events/core.c
> @@ -704,6 +704,22 @@ int x86_pmu_hw_config(struct perf_event *event)
> if (event_has_extended_regs(event)) {
> if (!(event->pmu->capabilities & PERF_PMU_CAP_EXTENDED_REGS))
> return -EINVAL;
> + if (event->attr.sample_simd_regs_enabled)
> + return -EINVAL;
> + }
> +
> + if (event_has_simd_regs(event)) {
> + if (!(event->pmu->capabilities & PERF_PMU_CAP_SIMD_REGS))
> + return -EINVAL;
> + /* Not require any vector registers but set width */
> + if (event->attr.sample_simd_vec_reg_qwords &&
> + !event->attr.sample_simd_vec_reg_intr &&
> + !event->attr.sample_simd_vec_reg_user)
> + return -EINVAL;
> + /* The vector registers set is not supported */
> + if (event_needs_xmm(event) &&
> + !(x86_pmu.ext_regs_mask & XFEATURE_MASK_SSE))
> + return -EINVAL;
> }
> }
>
> @@ -1749,6 +1765,7 @@ static void x86_pmu_perf_get_regs_user(struct perf_sample_data *data,
> struct x86_perf_regs *x86_regs_user = this_cpu_ptr(&x86_user_regs);
> struct perf_regs regs_user;
>
> + x86_regs_user->abi = PERF_SAMPLE_REGS_ABI_NONE;
> perf_get_regs_user(®s_user, regs);
> data->regs_user.abi = regs_user.abi;
> if (regs_user.regs) {
> @@ -1758,12 +1775,26 @@ static void x86_pmu_perf_get_regs_user(struct perf_sample_data *data,
> data->regs_user.regs = NULL;
> }
>
> +static inline void
> +x86_pmu_update_xregs_size(struct perf_event_attr *attr,
> + struct perf_sample_data *data,
> + struct pt_regs *regs,
> + u64 mask, u64 pred_mask)
> +{
> + u16 pred_qwords = attr->sample_simd_pred_reg_qwords;
> + u16 vec_qwords = attr->sample_simd_vec_reg_qwords;
> +
> + data->dyn_size += (hweight64(mask) * vec_qwords +
> + hweight64(pred_mask) * pred_qwords) * sizeof(u64);
> +}
> +
> static void x86_pmu_setup_gpregs_data(struct perf_event *event,
> struct perf_sample_data *data,
> struct pt_regs *regs)
> {
> struct perf_event_attr *attr = &event->attr;
> u64 sample_type = attr->sample_type;
> + struct x86_perf_regs *perf_regs;
>
> if (sample_type & PERF_SAMPLE_REGS_USER) {
> if (user_mode(regs)) {
> @@ -1783,8 +1814,13 @@ static void x86_pmu_setup_gpregs_data(struct perf_event *event,
> data->regs_user.regs = NULL;
> }
> data->dyn_size += sizeof(u64);
> - if (data->regs_user.regs)
> - data->dyn_size += hweight64(attr->sample_regs_user) * sizeof(u64);
> + if (data->regs_user.regs) {
> + data->dyn_size +=
> + hweight64(attr->sample_regs_user) * sizeof(u64);
> + perf_regs = container_of(data->regs_user.regs,
> + struct x86_perf_regs, regs);
> + perf_regs->abi = data->regs_user.abi;
> + }
> data->sample_flags |= PERF_SAMPLE_REGS_USER;
> }
>
> @@ -1792,8 +1828,13 @@ static void x86_pmu_setup_gpregs_data(struct perf_event *event,
> data->regs_intr.regs = regs;
> data->regs_intr.abi = perf_reg_abi(current);
> data->dyn_size += sizeof(u64);
> - if (data->regs_intr.regs)
> - data->dyn_size += hweight64(attr->sample_regs_intr) * sizeof(u64);
> + if (data->regs_intr.regs) {
> + data->dyn_size +=
> + hweight64(attr->sample_regs_intr) * sizeof(u64);
> + perf_regs = container_of(data->regs_intr.regs,
> + struct x86_perf_regs, regs);
> + perf_regs->abi = data->regs_intr.abi;
> + }
> data->sample_flags |= PERF_SAMPLE_REGS_INTR;
> }
> }
> @@ -1871,7 +1912,7 @@ static void x86_pmu_sample_xregs(struct perf_event *event,
> if (WARN_ON_ONCE(!xsave))
> return;
>
> - if (event_has_extended_regs(event))
> + if (event_needs_xmm(event))
> mask |= XFEATURE_MASK_SSE;
>
> mask &= x86_pmu.ext_regs_mask;
> @@ -1899,6 +1940,43 @@ static void x86_pmu_sample_xregs(struct perf_event *event,
> }
> }
>
> +static void x86_pmu_setup_xregs_data(struct perf_event *event,
> + struct perf_sample_data *data)
> +{
> + struct perf_event_attr *attr = &event->attr;
> + u64 sample_type = attr->sample_type;
> + struct x86_perf_regs *perf_regs;
> +
> + if (!attr->sample_simd_regs_enabled)
> + return;
> +
> + if (sample_type & PERF_SAMPLE_REGS_USER && data->regs_user.abi) {
> + perf_regs = container_of(data->regs_user.regs,
> + struct x86_perf_regs, regs);
> + perf_regs->abi |= PERF_SAMPLE_REGS_ABI_SIMD;
> +
> + /* num and qwords of vector and pred registers */
> + data->dyn_size += sizeof(u64);
> + data->regs_user.abi |= PERF_SAMPLE_REGS_ABI_SIMD;
> + x86_pmu_update_xregs_size(attr, data, data->regs_user.regs,
> + attr->sample_simd_vec_reg_user,
> + attr->sample_simd_pred_reg_user);
> + }
> +
> + if (sample_type & PERF_SAMPLE_REGS_INTR && data->regs_intr.abi) {
> + perf_regs = container_of(data->regs_intr.regs,
> + struct x86_perf_regs, regs);
> + perf_regs->abi |= PERF_SAMPLE_REGS_ABI_SIMD;
> +
> + /* num and qwords of vector and pred registers */
> + data->dyn_size += sizeof(u64);
> + data->regs_intr.abi |= PERF_SAMPLE_REGS_ABI_SIMD;
> + x86_pmu_update_xregs_size(attr, data, data->regs_intr.regs,
> + attr->sample_simd_vec_reg_intr,
> + attr->sample_simd_pred_reg_intr);
> + }
> +}
> +
> void x86_pmu_setup_regs_data(struct perf_event *event,
> struct perf_sample_data *data,
> struct pt_regs *regs,
> @@ -1910,6 +1988,7 @@ void x86_pmu_setup_regs_data(struct perf_event *event,
> * which are unnecessary to sample again.
> */
> x86_pmu_sample_xregs(event, data, ignore_mask);
> + x86_pmu_setup_xregs_data(event, data);
> }
>
> int x86_pmu_handle_irq(struct pt_regs *regs)
> diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
> index 74a41dae8a62..ac9a1c2f0177 100644
> --- a/arch/x86/events/intel/ds.c
> +++ b/arch/x86/events/intel/ds.c
> @@ -1743,7 +1743,7 @@ static u64 pebs_update_adaptive_cfg(struct perf_event *event)
> if (gprs || (attr->precise_ip < 2) || tsx_weight)
> pebs_data_cfg |= PEBS_DATACFG_GP;
>
> - if (event_has_extended_regs(event))
> + if (event_needs_xmm(event))
> pebs_data_cfg |= PEBS_DATACFG_XMMS;
>
> if (sample_type & PERF_SAMPLE_BRANCH_STACK) {
> diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
> index a5e5bffb711e..26d162794a36 100644
> --- a/arch/x86/events/perf_event.h
> +++ b/arch/x86/events/perf_event.h
> @@ -137,6 +137,18 @@ static inline bool is_acr_event_group(struct perf_event *event)
> return check_leader_group(event->group_leader, PERF_X86_EVENT_ACR);
> }
>
> +static inline bool event_needs_xmm(struct perf_event *event)
> +{
> + if (event->attr.sample_simd_regs_enabled &&
> + event->attr.sample_simd_vec_reg_qwords >= PERF_X86_XMM_QWORDS)
> + return true;
> +
> + if (!event->attr.sample_simd_regs_enabled &&
> + event_has_extended_regs(event))
> + return true;
> + return false;
> +}
> +
> struct amd_nb {
> int nb_id; /* NorthBridge id */
> int refcnt; /* reference count */
> diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h
> index e47a963a7cf0..e54d21c13494 100644
> --- a/arch/x86/include/asm/perf_event.h
> +++ b/arch/x86/include/asm/perf_event.h
> @@ -726,6 +726,7 @@ extern void perf_events_lapic_init(void);
> struct pt_regs;
> struct x86_perf_regs {
> struct pt_regs regs;
> + u64 abi;
> union {
> u64 *xmm_regs;
> u32 *xmm_space; /* for xsaves */
> diff --git a/arch/x86/include/uapi/asm/perf_regs.h b/arch/x86/include/uapi/asm/perf_regs.h
> index 7c9d2bb3833b..c5c1b3930df1 100644
> --- a/arch/x86/include/uapi/asm/perf_regs.h
> +++ b/arch/x86/include/uapi/asm/perf_regs.h
> @@ -55,4 +55,17 @@ enum perf_event_x86_regs {
>
> #define PERF_REG_EXTENDED_MASK (~((1ULL << PERF_REG_X86_XMM0) - 1))
>
> +enum {
> + PERF_X86_SIMD_XMM_REGS = 16,
> + PERF_X86_SIMD_VEC_REGS_MAX = PERF_X86_SIMD_XMM_REGS,
> +};
> +
> +#define PERF_X86_SIMD_VEC_MASK GENMASK_ULL(PERF_X86_SIMD_VEC_REGS_MAX - 1, 0)
> +
> +enum {
> + /* 1 qword = 8 bytes */
> + PERF_X86_XMM_QWORDS = 2,
> + PERF_X86_SIMD_QWORDS_MAX = PERF_X86_XMM_QWORDS,
> +};
> +
> #endif /* _ASM_X86_PERF_REGS_H */
> diff --git a/arch/x86/kernel/perf_regs.c b/arch/x86/kernel/perf_regs.c
> index 81204cb7f723..9947a6b5c260 100644
> --- a/arch/x86/kernel/perf_regs.c
> +++ b/arch/x86/kernel/perf_regs.c
> @@ -63,6 +63,9 @@ u64 perf_reg_value(struct pt_regs *regs, int idx)
>
> if (idx >= PERF_REG_X86_XMM0 && idx < PERF_REG_X86_XMM_MAX) {
> perf_regs = container_of(regs, struct x86_perf_regs, regs);
> + /* SIMD registers are moved to dedicated sample_simd_vec_reg */
> + if (perf_regs->abi & PERF_SAMPLE_REGS_ABI_SIMD)
> + return 0;
> if (!perf_regs->xmm_regs)
> return 0;
> return perf_regs->xmm_regs[idx - PERF_REG_X86_XMM0];
> @@ -74,6 +77,51 @@ u64 perf_reg_value(struct pt_regs *regs, int idx)
> return regs_get_register(regs, pt_regs_offset[idx]);
> }
>
> +u64 perf_simd_reg_value(struct pt_regs *regs, int idx,
> + u16 qwords_idx, bool pred)
> +{
> + struct x86_perf_regs *perf_regs =
> + container_of(regs, struct x86_perf_regs, regs);
> +
> + if (pred)
> + return 0;
> +
> + if (WARN_ON_ONCE(idx >= PERF_X86_SIMD_VEC_REGS_MAX ||
> + qwords_idx >= PERF_X86_SIMD_QWORDS_MAX))
> + return 0;
> +
> + if (qwords_idx < PERF_X86_XMM_QWORDS) {
> + if (!perf_regs->xmm_regs)
> + return 0;
> + return perf_regs->xmm_regs[idx * PERF_X86_XMM_QWORDS +
> + qwords_idx];
> + }
> +
> + return 0;
> +}
> +
> +int perf_simd_reg_validate(u16 vec_qwords, u64 vec_mask,
> + u16 pred_qwords, u32 pred_mask)
> +{
> + /* pred_qwords implies sample_simd_{pred,vec}_reg_* are supported */
> + if (!pred_qwords)
> + return 0;
Sashiko comments
"
Does this early return completely bypass validation for vector registers
when pred_qwords is 0?
Since x86 does not require predicate registers for standard XMM sampling, it
appears an unprivileged user can set sample_simd_pred_reg_qwords to 0 while
supplying arbitrarily large values for sample_simd_vec_reg_qwords and
sample_simd_vec_reg_user.
Could this bypass bounds checks and lead to a massive dyn_size calculation
during a perf NMI, causing ring buffer corruption or an NMI watchdog hard
lockup?
"
It partly makes sense. Would enhance the perf_simd_reg_validate() to cover
more cases.
> +
> + if (!vec_qwords) {
> + if (vec_mask)
> + return -EINVAL;
> + } else {
> + if (vec_qwords != PERF_X86_XMM_QWORDS)
> + return -EINVAL;
> + if (vec_mask & ~PERF_X86_SIMD_VEC_MASK)
> + return -EINVAL;
> + }
> + if (pred_mask)
> + return -EINVAL;
> +
> + return 0;
> +}
> +
> #define PERF_REG_X86_RESERVED (((1ULL << PERF_REG_X86_XMM0) - 1) & \
> ~((1ULL << PERF_REG_X86_MAX) - 1))
>
> @@ -108,7 +156,8 @@ u64 perf_reg_abi(struct task_struct *task)
>
> int perf_reg_validate(u64 mask)
> {
> - if (!mask || (mask & (REG_NOSUPPORT | PERF_REG_X86_RESERVED)))
> + /* The mask could be 0 if only the SIMD registers are interested */
> + if (mask & (REG_NOSUPPORT | PERF_REG_X86_RESERVED))
> return -EINVAL;
>
> return 0;