From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.4 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E73BC4363A for ; Fri, 23 Oct 2020 12:56:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2BAA72168B for ; Fri, 23 Oct 2020 12:56:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S464113AbgJWM4w (ORCPT ); Fri, 23 Oct 2020 08:56:52 -0400 Received: from foss.arm.com ([217.140.110.172]:51958 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S464052AbgJWM4w (ORCPT ); Fri, 23 Oct 2020 08:56:52 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 607361FB; Fri, 23 Oct 2020 05:56:51 -0700 (PDT) Received: from [10.57.13.45] (unknown [10.57.13.45]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id EDB7B3F66B; Fri, 23 Oct 2020 05:56:47 -0700 (PDT) Subject: Re: [PATCHv2 2/4] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() To: Peter Zijlstra Cc: Mathieu Poirier , Sai Prakash Ranjan , Mike Leach , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , coresight@lists.linaro.org, Stephen Boyd , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org References: <20201022113214.GD2611@hirez.programming.kicks-ass.net> <20201022150609.GI2611@hirez.programming.kicks-ass.net> <788706f2-0670-b7b6-a153-3ec6f16e0f2e@arm.com> <20201022212033.GA646497@xps15> <20201023073905.GM2611@hirez.programming.kicks-ass.net> <174e6461-4d46-cb65-c094-c06ee3b21568@arm.com> <20201023094115.GR2611@hirez.programming.kicks-ass.net> <20201023105431.GM2594@hirez.programming.kicks-ass.net> From: Suzuki Poulose Message-ID: <2457de8f-8bc3-b350-fdc7-61276da31ce6@arm.com> Date: Fri, 23 Oct 2020 13:56:47 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.2 MIME-Version: 1.0 In-Reply-To: <20201023105431.GM2594@hirez.programming.kicks-ass.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org On 10/23/20 11:54 AM, Peter Zijlstra wrote: > On Fri, Oct 23, 2020 at 11:34:32AM +0100, Suzuki Poulose wrote: >> On 10/23/20 10:41 AM, Peter Zijlstra wrote: >>> On Fri, Oct 23, 2020 at 09:49:53AM +0100, Suzuki Poulose wrote: >>>> On 10/23/20 8:39 AM, Peter Zijlstra wrote: >>> >>>>> So then I don't understand the !->owner issue, that only happens when >>>>> the task dies, which cannot be concurrent with event creation. Are you >>>> >>>> Part of the patch from Sai, fixes this by avoiding the dereferencing >>>> after event creation (by caching it). But the kernel events needs >>>> fixing. >>> >>> I'm fundamentally failing here. Creating a link to the sink is strictly >>> event-creation time. Why would you ever need it again later? Later you >>> already have the sink setup. >>> >> >> Sorry for the lack of clarity here, and you are not alone unless you >> have drowned in the CoreSight topologies ;-) >> >> Typically current generation of systems have the following topology : >> >> CPU0 >> etm0 \ >> \ ________ >> / \ >> CPU1 / \ >> etm1 \ >> \ >> /------- sink0 >> CPU2 / >> etm2 \ / >> \ ________ / >> / >> CPU3 / >> etm3 >> >> >> i.e, Multiple ETMs share a sink. [for the sake of simplicity, I have >> used one sink. Even though there could be potential sinks (of different >> types), none of them are private to the ETMs. So, in a nutshell, a sink >> can be reached by multiple ETMs. ] >> >> Now, for a session : >> >> perf record -e cs_etm/sinkid=sink0/u workload >> >> We create an event per CPU (say eventN, which are scheduled based on the >> threads that could execute on the CPU. At this point we have finalized >> the sink0, and have allocated necessary buffer for the sink0. >> >> Now, when the threads are scheduled on the CPUs, we start the >> appropriate events for the CPUs. >> >> e.g, >> CPU0 sched -> workload:0 - > etm0->event0_start -> Turns all >> the components upto sink0, starting the trace collection in the buffer. >> >> Now, if another CPU, CPU1 starts tracing event1 for workload:1 thread, >> it will eventually try to turn ON the sink0.Since sink0 is already >> active tracing event0, we could allow this to go through and collect >> the trace in the *same hardware buffer* (which can be demuxed from the >> single AUX record using the TraceID in the packets). Please note that >> we do double buffering and hardware buffer is copied only when the sink0 >> is stopped (see below). >> >> But, if the event scheduled on CPU1 doesn't belong to the above session, but >> belongs to different perf session >> (say, perf record -e cs_etm/sinkid=sink0/u benchmark), >> >> we can't allow this to succeed and mix the trace data in to that of workload >> and thus fail the operation. >> >> In a nutshell, since the sinks are shared, we start the sink on the >> first event and keeps sharing the sink buffer with any event that >> belongs to the same session (using refcounts). The sink is only released >> for other sessions, when there are no more events in the session tracing >> on any of the ETMs. >> >> I know this is fundamentally a topology issue, but that is not something >> we can fix. But the situation is changing and we are starting to see >> systems with per-CPU sinks. >> >> Hope this helps. > > I think I'm more confused now :-/ > > Where do we use ->owner after event creation? The moment you create your > eventN you create the link to sink0. That link either succeeds (same > 'cookie') or fails. The event->sink link is established at creation. At event::add(), we check the sink is free (i.e, it is inactive) or is used by an event of the same session (this is where the owner field *was* required. But this is not needed anymore, as we cache the "owner" read pid in the handle->rb->aux_priv for each event and this is compared against the pid from the handle currently driving the hardware) > > If it fails, event creation fails, the end. > > On success, we have the sink pointer in our event and we never ever need > to look at ->owner ever again. Correct, we don't need it after the event creation "one part of the patch" as explained above. > > I'm also not seeing why exactly we need ->owner in the first place. > > Suppose we make the sink0 device return -EBUSY on open() when it is > active. Then a perf session can open the sink0 device, create perf > events and attach them to the sink0 device using > perf_event_attr::config2. The events will attach to sink0 and increment > its usage count, such that any further open() will fail. Thats where we are diverging. The sink device doesn't have any fops. It is all managed by the coresight driver transparent to the perf tool. All the perf tool does is, specifying which sink to use (btw, we now have automatic sink selection support which gets rid of this, and uses the best possible sink e.g, in case of per-CPU sinks). > > Once the events are created, the perf tool close()s the sink0 device, > which is now will in-use by the events. No other events can be attached > to it. > > Or are you doing the event->sink mapping every time you do: pmu::add()? > That sounds insane. Sink is already mapped at event create. But yes, the refcount on the sink is managed at start/stop. Thats when we need to make sure that the event being scheduled belongs to the same owner as the one already driving the sink. That way another session could use the same sink if it is free. i.e perf record -e cs_etm/@sink0/u --per-thread app1 and perf record -e cs_etm/@sink0/u --per-thread app2 both can work as long as the sink is not used by the other session. Suzuki From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62878C4363A for ; Fri, 23 Oct 2020 12:58:28 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DC76820E65 for ; Fri, 23 Oct 2020 12:58:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="XKIYbfX1" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DC76820E65 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Type: Content-Transfer-Encoding:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=LqB0bRKJV9ewNyMoB7iCxN56aZ7FozF3tkczNIbAUm4=; b=XKIYbfX1zfBdbDgdC2lZVLMD5 pxnjscGQUjnJVupengeAmFHlvYjzLvC7Twj4jM9jNdPVB7VMab64gx+8oAGBO+Yp7A97urGAb9nyv EAa5eCIBj9SNpHpRvZJgvKHN+TFbT0Tc8c+ZB0rATN9SpNV2jjPLGkMYnNZgq0+9vsjJhppQRBZjU RN5hYaes7tuea4BZTxhcwyaakqsXskw9jq+ArPOv+RYQiM62G/Whx505IT4EzzTRVVRpl8aNS6EQU HvMGoi8x6CCjG+oF49VfntQfVqoS2ZUP1iof5rMI3mGPC8WLnh4plEJOg+qRHzzWeQ0mORWsZoIGD if3JXaeow==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kVwcs-0007Y8-Sx; Fri, 23 Oct 2020 12:56:58 +0000 Received: from foss.arm.com ([217.140.110.172]) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kVwcq-0007XI-Fw for linux-arm-kernel@lists.infradead.org; Fri, 23 Oct 2020 12:56:57 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 607361FB; Fri, 23 Oct 2020 05:56:51 -0700 (PDT) Received: from [10.57.13.45] (unknown [10.57.13.45]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id EDB7B3F66B; Fri, 23 Oct 2020 05:56:47 -0700 (PDT) Subject: Re: [PATCHv2 2/4] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() To: Peter Zijlstra References: <20201022113214.GD2611@hirez.programming.kicks-ass.net> <20201022150609.GI2611@hirez.programming.kicks-ass.net> <788706f2-0670-b7b6-a153-3ec6f16e0f2e@arm.com> <20201022212033.GA646497@xps15> <20201023073905.GM2611@hirez.programming.kicks-ass.net> <174e6461-4d46-cb65-c094-c06ee3b21568@arm.com> <20201023094115.GR2611@hirez.programming.kicks-ass.net> <20201023105431.GM2594@hirez.programming.kicks-ass.net> From: Suzuki Poulose Message-ID: <2457de8f-8bc3-b350-fdc7-61276da31ce6@arm.com> Date: Fri, 23 Oct 2020 13:56:47 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.2 MIME-Version: 1.0 In-Reply-To: <20201023105431.GM2594@hirez.programming.kicks-ass.net> Content-Language: en-GB X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201023_085656_657394_A7E0557D X-CRM114-Status: GOOD ( 38.96 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Sai Prakash Ranjan , Mathieu Poirier , Alexander Shishkin , linux-arm-msm@vger.kernel.org, coresight@lists.linaro.org, linux-kernel@vger.kernel.org, Arnaldo Carvalho de Melo , Stephen Boyd , Ingo Molnar , Namhyung Kim , Jiri Olsa , linux-arm-kernel@lists.infradead.org, Mike Leach Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 10/23/20 11:54 AM, Peter Zijlstra wrote: > On Fri, Oct 23, 2020 at 11:34:32AM +0100, Suzuki Poulose wrote: >> On 10/23/20 10:41 AM, Peter Zijlstra wrote: >>> On Fri, Oct 23, 2020 at 09:49:53AM +0100, Suzuki Poulose wrote: >>>> On 10/23/20 8:39 AM, Peter Zijlstra wrote: >>> >>>>> So then I don't understand the !->owner issue, that only happens when >>>>> the task dies, which cannot be concurrent with event creation. Are you >>>> >>>> Part of the patch from Sai, fixes this by avoiding the dereferencing >>>> after event creation (by caching it). But the kernel events needs >>>> fixing. >>> >>> I'm fundamentally failing here. Creating a link to the sink is strictly >>> event-creation time. Why would you ever need it again later? Later you >>> already have the sink setup. >>> >> >> Sorry for the lack of clarity here, and you are not alone unless you >> have drowned in the CoreSight topologies ;-) >> >> Typically current generation of systems have the following topology : >> >> CPU0 >> etm0 \ >> \ ________ >> / \ >> CPU1 / \ >> etm1 \ >> \ >> /------- sink0 >> CPU2 / >> etm2 \ / >> \ ________ / >> / >> CPU3 / >> etm3 >> >> >> i.e, Multiple ETMs share a sink. [for the sake of simplicity, I have >> used one sink. Even though there could be potential sinks (of different >> types), none of them are private to the ETMs. So, in a nutshell, a sink >> can be reached by multiple ETMs. ] >> >> Now, for a session : >> >> perf record -e cs_etm/sinkid=sink0/u workload >> >> We create an event per CPU (say eventN, which are scheduled based on the >> threads that could execute on the CPU. At this point we have finalized >> the sink0, and have allocated necessary buffer for the sink0. >> >> Now, when the threads are scheduled on the CPUs, we start the >> appropriate events for the CPUs. >> >> e.g, >> CPU0 sched -> workload:0 - > etm0->event0_start -> Turns all >> the components upto sink0, starting the trace collection in the buffer. >> >> Now, if another CPU, CPU1 starts tracing event1 for workload:1 thread, >> it will eventually try to turn ON the sink0.Since sink0 is already >> active tracing event0, we could allow this to go through and collect >> the trace in the *same hardware buffer* (which can be demuxed from the >> single AUX record using the TraceID in the packets). Please note that >> we do double buffering and hardware buffer is copied only when the sink0 >> is stopped (see below). >> >> But, if the event scheduled on CPU1 doesn't belong to the above session, but >> belongs to different perf session >> (say, perf record -e cs_etm/sinkid=sink0/u benchmark), >> >> we can't allow this to succeed and mix the trace data in to that of workload >> and thus fail the operation. >> >> In a nutshell, since the sinks are shared, we start the sink on the >> first event and keeps sharing the sink buffer with any event that >> belongs to the same session (using refcounts). The sink is only released >> for other sessions, when there are no more events in the session tracing >> on any of the ETMs. >> >> I know this is fundamentally a topology issue, but that is not something >> we can fix. But the situation is changing and we are starting to see >> systems with per-CPU sinks. >> >> Hope this helps. > > I think I'm more confused now :-/ > > Where do we use ->owner after event creation? The moment you create your > eventN you create the link to sink0. That link either succeeds (same > 'cookie') or fails. The event->sink link is established at creation. At event::add(), we check the sink is free (i.e, it is inactive) or is used by an event of the same session (this is where the owner field *was* required. But this is not needed anymore, as we cache the "owner" read pid in the handle->rb->aux_priv for each event and this is compared against the pid from the handle currently driving the hardware) > > If it fails, event creation fails, the end. > > On success, we have the sink pointer in our event and we never ever need > to look at ->owner ever again. Correct, we don't need it after the event creation "one part of the patch" as explained above. > > I'm also not seeing why exactly we need ->owner in the first place. > > Suppose we make the sink0 device return -EBUSY on open() when it is > active. Then a perf session can open the sink0 device, create perf > events and attach them to the sink0 device using > perf_event_attr::config2. The events will attach to sink0 and increment > its usage count, such that any further open() will fail. Thats where we are diverging. The sink device doesn't have any fops. It is all managed by the coresight driver transparent to the perf tool. All the perf tool does is, specifying which sink to use (btw, we now have automatic sink selection support which gets rid of this, and uses the best possible sink e.g, in case of per-CPU sinks). > > Once the events are created, the perf tool close()s the sink0 device, > which is now will in-use by the events. No other events can be attached > to it. > > Or are you doing the event->sink mapping every time you do: pmu::add()? > That sounds insane. Sink is already mapped at event create. But yes, the refcount on the sink is managed at start/stop. Thats when we need to make sure that the event being scheduled belongs to the same owner as the one already driving the sink. That way another session could use the same sink if it is free. i.e perf record -e cs_etm/@sink0/u --per-thread app1 and perf record -e cs_etm/@sink0/u --per-thread app2 both can work as long as the sink is not used by the other session. Suzuki _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel