From: Mark Rutland <mark.rutland@arm.com> To: Will Deacon <will@kernel.org> Cc: Rob Herring <robh@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>, Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>, Arnaldo Carvalho de Melo <acme@kernel.org>, Jiri Olsa <jolsa@redhat.com>, Ian Rogers <irogers@google.com>, Alexander Shishkin <alexander.shishkin@linux.intel.com>, Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>, Zachary.Leaf@arm.com, Raphael Gault <raphael.gault@arm.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Namhyung Kim <namhyung@kernel.org>, Itaru Kitayama <itaru.kitayama@gmail.com>, linux-arm-kernel <linux-arm-kernel@lists.infradead.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH v6 02/10] arm64: perf: Enable PMU counter direct access for perf event Date: Thu, 8 Apr 2021 12:08:15 +0100 [thread overview] Message-ID: <20210408110800.GA32792@C02TD0UTHF1T.local> (raw) In-Reply-To: <20210407124437.GA15622@willie-the-truck> On Wed, Apr 07, 2021 at 01:44:37PM +0100, Will Deacon wrote: > [Moving Mark to To: since I'd like his view on this] > > On Thu, Apr 01, 2021 at 02:45:21PM -0500, Rob Herring wrote: > > On Wed, Mar 31, 2021 at 11:01 AM Will Deacon <will@kernel.org> wrote: > > > > > > On Tue, Mar 30, 2021 at 12:09:38PM -0500, Rob Herring wrote: > > > > On Tue, Mar 30, 2021 at 10:31 AM Will Deacon <will@kernel.org> wrote: > > > > > > > > > > On Wed, Mar 10, 2021 at 05:08:29PM -0700, Rob Herring wrote: > > > > > > From: Raphael Gault <raphael.gault@arm.com> > > > > > > +static void armv8pmu_event_unmapped(struct perf_event *event, struct mm_struct *mm) > > > > > > +{ > > > > > > + struct arm_pmu *armpmu = to_arm_pmu(event->pmu); > > > > > > + > > > > > > + if (!(event->hw.flags & ARMPMU_EL0_RD_CNTR)) > > > > > > + return; > > > > > > + > > > > > > + if (atomic_dec_and_test(&mm->context.pmu_direct_access)) > > > > > > + on_each_cpu_mask(&armpmu->supported_cpus, refresh_pmuserenr, mm, 1); > > > > > > > > > > Given that the pmu_direct_access field is global per-mm, won't this go > > > > > wrong if multiple PMUs are opened by the same process but only a subset > > > > > are exposed to EL0? Perhaps pmu_direct_access should be treated as a mask > > > > > rather than a counter, so that we can 'and' it with the supported_cpus for > > > > > the PMU we're dealing with. > > > > > > > > It needs to be a count to support multiple events on the same PMU. If > > > > the event is not enabled for EL0, then we'd exit out on the > > > > ARMPMU_EL0_RD_CNTR check. So I think we're fine. > > > > > > I'm still not convinced; pmu_direct_access is shared between PMUs, so > > > testing the result of atomic_dec_and_test() just doesn't make sense to > > > me, as another PMU could be playing with the count. > > > > How is that a problem? Let's make a concrete example: > > > > map PMU1:event2 -> pmu_direct_access = 1 -> enable access > > map PMU2:event3 -> pmu_direct_access = 2 > > map PMU1:event4 -> pmu_direct_access = 3 > > unmap PMU2:event3 -> pmu_direct_access = 2 > > unmap PMU1:event2 -> pmu_direct_access = 1 > > unmap PMU1:event4 -> pmu_direct_access = 0 -> disable access > > > > The only issue I can see is PMU2 remains enabled for user access until > > the last unmap. But we're sharing the mm, so who cares? Also, in this > > scenario it is the user's problem to pin themselves to cores sharing a > > PMU. If the user doesn't do that, they get to keep the pieces. > > I guess I'm just worried about exposing the counters to userspace after > the PMU driver (or perf core?) thinks that they're no longer exposed in > case we leak other events. IMO that's not practically different from the single-PMU case (i.e. multi-PMU isn't material, either we have a concern with leaking or we don't); more on that below. While it looks odd to place this on the mm, I don't think it's the end of the world. > However, I'm not sure how this is supposed to work normally: what > happens if e.g. a privileged user has a per-cpu counter for a kernel > event while a task has a counter with direct access -- can that task > read the kernel event out of the PMU registers from userspace? Yes -- userspace could go read any counters even though it isn't supposed to, and could potentially infer information from those. It won't have access to the config registers or kernel data structures, so it isn't guaranteed to know what the even is or when it is context-switched/reprogrammed/etc. If we believe that's a problem, then it's difficult to do anything robust other than denying userspace access entirely, since disabling userspace access while in use would surprise applications, and denying privileged events would need some global state that we consult at event creation time (in addition to being an inversion of privilege). IIRC there was some fuss about this a while back on x86; I'll go dig and see what I can find, unless Peter has a memory... Thanks, Mark.
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com> To: Will Deacon <will@kernel.org> Cc: Rob Herring <robh@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>, Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>, Arnaldo Carvalho de Melo <acme@kernel.org>, Jiri Olsa <jolsa@redhat.com>, Ian Rogers <irogers@google.com>, Alexander Shishkin <alexander.shishkin@linux.intel.com>, Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>, Zachary.Leaf@arm.com, Raphael Gault <raphael.gault@arm.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Namhyung Kim <namhyung@kernel.org>, Itaru Kitayama <itaru.kitayama@gmail.com>, linux-arm-kernel <linux-arm-kernel@lists.infradead.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH v6 02/10] arm64: perf: Enable PMU counter direct access for perf event Date: Thu, 8 Apr 2021 12:08:15 +0100 [thread overview] Message-ID: <20210408110800.GA32792@C02TD0UTHF1T.local> (raw) In-Reply-To: <20210407124437.GA15622@willie-the-truck> On Wed, Apr 07, 2021 at 01:44:37PM +0100, Will Deacon wrote: > [Moving Mark to To: since I'd like his view on this] > > On Thu, Apr 01, 2021 at 02:45:21PM -0500, Rob Herring wrote: > > On Wed, Mar 31, 2021 at 11:01 AM Will Deacon <will@kernel.org> wrote: > > > > > > On Tue, Mar 30, 2021 at 12:09:38PM -0500, Rob Herring wrote: > > > > On Tue, Mar 30, 2021 at 10:31 AM Will Deacon <will@kernel.org> wrote: > > > > > > > > > > On Wed, Mar 10, 2021 at 05:08:29PM -0700, Rob Herring wrote: > > > > > > From: Raphael Gault <raphael.gault@arm.com> > > > > > > +static void armv8pmu_event_unmapped(struct perf_event *event, struct mm_struct *mm) > > > > > > +{ > > > > > > + struct arm_pmu *armpmu = to_arm_pmu(event->pmu); > > > > > > + > > > > > > + if (!(event->hw.flags & ARMPMU_EL0_RD_CNTR)) > > > > > > + return; > > > > > > + > > > > > > + if (atomic_dec_and_test(&mm->context.pmu_direct_access)) > > > > > > + on_each_cpu_mask(&armpmu->supported_cpus, refresh_pmuserenr, mm, 1); > > > > > > > > > > Given that the pmu_direct_access field is global per-mm, won't this go > > > > > wrong if multiple PMUs are opened by the same process but only a subset > > > > > are exposed to EL0? Perhaps pmu_direct_access should be treated as a mask > > > > > rather than a counter, so that we can 'and' it with the supported_cpus for > > > > > the PMU we're dealing with. > > > > > > > > It needs to be a count to support multiple events on the same PMU. If > > > > the event is not enabled for EL0, then we'd exit out on the > > > > ARMPMU_EL0_RD_CNTR check. So I think we're fine. > > > > > > I'm still not convinced; pmu_direct_access is shared between PMUs, so > > > testing the result of atomic_dec_and_test() just doesn't make sense to > > > me, as another PMU could be playing with the count. > > > > How is that a problem? Let's make a concrete example: > > > > map PMU1:event2 -> pmu_direct_access = 1 -> enable access > > map PMU2:event3 -> pmu_direct_access = 2 > > map PMU1:event4 -> pmu_direct_access = 3 > > unmap PMU2:event3 -> pmu_direct_access = 2 > > unmap PMU1:event2 -> pmu_direct_access = 1 > > unmap PMU1:event4 -> pmu_direct_access = 0 -> disable access > > > > The only issue I can see is PMU2 remains enabled for user access until > > the last unmap. But we're sharing the mm, so who cares? Also, in this > > scenario it is the user's problem to pin themselves to cores sharing a > > PMU. If the user doesn't do that, they get to keep the pieces. > > I guess I'm just worried about exposing the counters to userspace after > the PMU driver (or perf core?) thinks that they're no longer exposed in > case we leak other events. IMO that's not practically different from the single-PMU case (i.e. multi-PMU isn't material, either we have a concern with leaking or we don't); more on that below. While it looks odd to place this on the mm, I don't think it's the end of the world. > However, I'm not sure how this is supposed to work normally: what > happens if e.g. a privileged user has a per-cpu counter for a kernel > event while a task has a counter with direct access -- can that task > read the kernel event out of the PMU registers from userspace? Yes -- userspace could go read any counters even though it isn't supposed to, and could potentially infer information from those. It won't have access to the config registers or kernel data structures, so it isn't guaranteed to know what the even is or when it is context-switched/reprogrammed/etc. If we believe that's a problem, then it's difficult to do anything robust other than denying userspace access entirely, since disabling userspace access while in use would surprise applications, and denying privileged events would need some global state that we consult at event creation time (in addition to being an inversion of privilege). IIRC there was some fuss about this a while back on x86; I'll go dig and see what I can find, unless Peter has a memory... Thanks, Mark. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-04-08 11:08 UTC|newest] Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-03-11 0:08 [PATCH v6 00/10] libperf and arm64 userspace counter access support Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 01/10] arm64: pmu: Add function implementation to update event index in userpage Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-30 15:30 ` Will Deacon 2021-03-30 15:30 ` Will Deacon 2021-03-11 0:08 ` [PATCH v6 02/10] arm64: perf: Enable PMU counter direct access for perf event Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-30 11:30 ` Zachary Leaf 2021-03-30 11:30 ` Zachary Leaf 2021-03-30 15:31 ` Will Deacon 2021-03-30 15:31 ` Will Deacon 2021-03-30 17:09 ` Rob Herring 2021-03-30 17:09 ` Rob Herring 2021-03-30 21:08 ` Rob Herring 2021-03-30 21:08 ` Rob Herring 2021-03-31 15:38 ` Will Deacon 2021-03-31 15:38 ` Will Deacon 2021-03-31 17:52 ` Rob Herring 2021-03-31 17:52 ` Rob Herring 2021-04-01 9:04 ` Will Deacon 2021-04-01 9:04 ` Will Deacon 2021-03-31 16:00 ` Will Deacon 2021-03-31 16:00 ` Will Deacon 2021-04-01 19:45 ` Rob Herring 2021-04-01 19:45 ` Rob Herring 2021-04-07 12:44 ` Will Deacon 2021-04-07 12:44 ` Will Deacon 2021-04-08 11:08 ` Mark Rutland [this message] 2021-04-08 11:08 ` Mark Rutland 2021-04-08 18:38 ` Rob Herring 2021-04-08 18:38 ` Rob Herring 2021-04-19 16:14 ` Will Deacon 2021-04-19 16:14 ` Will Deacon 2021-04-19 19:00 ` Rob Herring 2021-04-19 19:00 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 03/10] tools/include: Add an initial math64.h Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 04/10] libperf: Add evsel mmap support Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-12 13:58 ` Jiri Olsa 2021-03-12 13:58 ` Jiri Olsa 2021-03-12 14:34 ` Rob Herring 2021-03-12 14:34 ` Rob Herring 2021-03-12 18:29 ` Jiri Olsa 2021-03-12 18:29 ` Jiri Olsa 2021-03-31 22:06 ` Rob Herring 2021-03-31 22:06 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 05/10] libperf: tests: Add support for verbose printing Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 06/10] libperf: Add support for user space counter access Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-05-04 21:40 ` Ian Rogers 2021-05-04 21:40 ` Ian Rogers 2021-05-05 2:12 ` Rob Herring 2021-05-05 2:12 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 07/10] libperf: Add arm64 support to perf_mmap__read_self() Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 08/10] perf: arm64: Add test for userspace counter access on heterogeneous systems Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-15 16:09 ` Masayoshi Mizuma 2021-03-15 16:09 ` Masayoshi Mizuma 2021-03-11 0:08 ` [PATCH v6 09/10] perf: arm64: Add tests for 32-bit and 64-bit counter size userspace access Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-11 0:08 ` [PATCH v6 10/10] Documentation: arm64: Document PMU counters access from userspace Rob Herring 2021-03-11 0:08 ` Rob Herring 2021-03-31 16:00 ` Will Deacon 2021-03-31 16:00 ` Will Deacon 2021-03-30 11:31 ` [PATCH v6 00/10] libperf and arm64 userspace counter access support Zachary Leaf 2021-03-30 11:31 ` Zachary Leaf
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210408110800.GA32792@C02TD0UTHF1T.local \ --to=mark.rutland@arm.com \ --cc=Jonathan.Cameron@huawei.com \ --cc=Zachary.Leaf@arm.com \ --cc=acme@kernel.org \ --cc=alexander.shishkin@linux.intel.com \ --cc=catalin.marinas@arm.com \ --cc=honnappa.nagarahalli@arm.com \ --cc=irogers@google.com \ --cc=itaru.kitayama@gmail.com \ --cc=jolsa@redhat.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mingo@redhat.com \ --cc=namhyung@kernel.org \ --cc=peterz@infradead.org \ --cc=raphael.gault@arm.com \ --cc=robh@kernel.org \ --cc=will@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.