[PATCH] RISC-V: restore U-mode counter access (scounteren)
Atish Patra
atish.patra at linux.dev
Fri Mar 27 20:48:15 PDT 2026
On 3/27/26 7:21 AM, Manfred Schlaegl wrote:
>
>
> On 3/26/26 23:27, Andrew Jones wrote:
>> On Thu, Mar 26, 2026 at 12:17:13PM +0100, Manfred SCHLAEGL wrote:
>>> In commit 5bc409786752 ("RISC-V: KVM: Remove scounteren initialization")
>>> the initialization of scounteren was moved from the hypervisor (KVM) to
>>> the supervisor -- a well-argued change. However, the same change also
>>> restricted access to performance counters without comment: previously,
>>> scounteren was set to 0x7 (0b111), allowing U-mode (userspace) access
>>> to instret (IR), cycle (CY), and time (TM). After the change,
>>> scounteren is set to 0x2 (0b010), which allows access only to time (TM)
>>> and prohibits access to instret (IR) and cycle (CY). This breaks user-
>>> space programs that directly use these performance counters.
>>>
>>> This change restores the prior behavior: scounteren is set to 0x7,
>>> which re-enables U-mode (userspace) access to instret (IR), cycle (CY),
>>> and time (TM).
>>>
This is not an accepted behavior from the user space due to security
concerns and misleading data. This has been discussed many times in the
past and agreed upon behavior. Other architecture also doesn't allow
direct access to CY or IR directly. RISC-V is no different.
TLDR; If you need it for debugging purpose, you should opt in for legacy
usage sysctl parameter. If your user space library is affected, it
should be fixed.
here are some references:
Here was the previous discussion around this[1].
Most of the legacy user applications using rdcycle should use rdtime
instead as they just want to record the time
elapsed. Allowing rdcycle/rdinstret to be read from user space can
lead to very deterministic attacks[2].
Any user application that really requires to read rdcycle directly can
use this new perf interface to do that without any latency.
[1]
https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/REWcwYnzsKE?pli=1
[2]
https://www.youtube.com/watch?v=3-c4C_L2PRQ&ab_channel=IEEESymposiumonSecurityandPrivacy
[3]
https://lore.kernel.org/lkml/Y7wLa7I2hlz3rKw%2F@hirez.programming.kicks-ass.net/T/
[4]
https://lore.kernel.org/linux-riscv/20260131112440.2915-1-cp0613@linux.alibaba.com/
>>> Fixes: 5bc409786752 ("RISC-V: KVM: Remove scounteren initialization")
>>> Signed-off-by: Manfred SCHLAEGL <manfred.schlaegl at gmx.at>
>>> ---
>>> arch/riscv/kernel/head.S | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S
>>> index 9c99c5ad6fe8..5ad5e12a8299 100644
>>> --- a/arch/riscv/kernel/head.S
>>> +++ b/arch/riscv/kernel/head.S
>>> @@ -133,8 +133,8 @@ secondary_start_sbi:
>>> csrw CSR_IP, zero
>>>
>>> #ifndef CONFIG_RISCV_M_MODE
>>> - /* Enable time CSR */
>>> - li t0, 0x2
>>> + /* Enable CY, TM, and IR counters in U mode */
>>> + li t0, 0x7
>>> csrw CSR_SCOUNTEREN, t0
>>> #endif
>>>
>>> @@ -247,8 +247,8 @@ SYM_CODE_START(_start_kernel)
>>> */
>>> csrr a0, CSR_MHARTID
>>> #else
>>> - /* Enable time CSR */
>>> - li t0, 0x2
>>> + /* Enable CY, TM, and IR counters in U mode */
>>> + li t0, 0x7
>>> csrw CSR_SCOUNTEREN, t0
>>> #endif /* CONFIG_RISCV_M_MODE */
>>>
>>> --
>>> 2.47.3
>>>
>>
>> 5bc409786752 should have explained that change by referencing the
>> same links as commit cc4c07c89aad ("drivers: perf: Implement perf
>> event mmap support in the SBI backend") does.
>
> Ahhh, I see :-)
> Thanks for the clarification!
>
>>
>> Thanks,
>> drew
>
> Best regards,
> Manfred
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
More information about the linux-riscv
mailing list