lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <52E8E487.2090007@hitachi.com>
Date:	Wed, 29 Jan 2014 20:22:47 +0900
From:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	"Frank Ch. Eigler" <fche@...hat.com>, linux-arch@...r.kernel.org,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	Sandeepa Prabhu <sandeepa.prabhu@...aro.org>, x86@...nel.org,
	lkml <linux-kernel@...r.kernel.org>,
	"Steven Rostedt (Red Hat)" <rostedt@...dmis.org>,
	systemtap@...rceware.org, "David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH -tip v6 00/22] kprobes: introduce NOKPROBE_SYMBOL(), cleanup
 and fixes crash bugs

Hi Ingo,

(2013/12/20 19:46), Ingo Molnar wrote:
> 
> * Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> wrote:
> 
>> (2013/12/20 17:20), Ingo Molnar wrote:
>>>
>>> * Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> wrote:
>>>
>>>>>  But a closer look indicates that the insertion of kprobes is 
>>>>> taking about three (!!) orders of magnitude longer than before, as 
>>>>> judged by the rate of increase of 'wc -l 
>>>>> /sys/kernel/debug/kprobes/list'.
>>>>
>>>> Right, because kprobes are not designed for thousands of probes.
>>>
>>> Then this needs to be fixed, because right now this bug is making it 
>>> near impossible to properly test kprobes robustness.
>>>
>>> For example a hash table (hashed by probe address) could be used in 
>>> addition to the list, to speed up basic operations.
>>
>> kprobe itself is already using hlist (6bits hash table).
>> Maybe we'd better expand the table bits. However, the iteration
>> of the list on debugfs is just doing seq_printf()s. I'm not exactly
>> sure what Frank complaints about...
> 
> Well, Frank reported that the test he performed takes hours to finish, 
> and he mentioned a specific script line he used to produce that:
> 
>   # stap -te "probe kprobe.function("*") {}"
> 
> I suspect an equivalent perf probe sequence would be something like:
> 
>   # for FUNC in $(grep -iw t /proc/kallsyms | cut -d' ' -f3); do date; perf probe -a $FUNC; done
> 
> (totally untested.)
> 
> Can you reproduce that slowdown, using his method?

OK, when I used ftrace interface, it didn't slows things down at all
(at this point :))
  ----
  # time (grep -iw t /proc/kallsyms | awk '{print "p:"$3,"0x"$1}' | xargs --max-lines=1 echo >> /sys/kernel/debug/tracing/kprobe_events )

  real    0m36.303s
  user    0m0.420s
  sys     0m2.428s

  # wc -l /sys/kernel/debug/tracing/kprobe_events
  26980 /sys/kernel/debug/tracing/kprobe_events

  # time cat /sys/kernel/debug/tracing/kprobe_events > /dev/null

  real    0m0.054s
  user    0m0.000s
  sys     0m0.052s
  ----

This is because of two reasons:
 - ftrace interface doesn't access any files, it just parses the event
   and sets it up.
 - ftrace (and perf probe) doesn't enable the event while setting.

I guess the second reason is why the stap takes so long time to set
probes. stap tries to register kprobes without disabled flag, that
means we enables thousands of probes (overheads).

So the similar thing happens when we enables events as below;

  # for i in /sys/kernel/debug/tracing/events/kprobes/* ; do date; echo 1 > $i; done
  Wed Jan 29 10:44:50 UTC 2014
  ...

I tried it and canceled after 4 min passed. It enabled about 17k events
and slowed down my system very much(I almost got hang check timer).

I think we should have some performance statistics (hit count?) and
if it goes over a threshold, we should stop enabling other events.
(Note that kprobes and other events take a time, one event may just
 consume a small amount of time, usually less than 0.5usec. but what
 happens if it hits 1,000,000 times per 1 sec...?)


> I can reproduce one weirdness, with just 13 probes added, 'perf probe 
> -l' [which should really be 'perf probe list'!] executes very slowly:
> 
>  # perf stat --null --repeat 3 perf probe -l
> 
>  Performance counter stats for 'perf probe -l' (3 runs):
> 
>        0.763640098 seconds time elapsed                                          ( +-  1.61% )
> 
> 0.7 seconds is ridiculously long.

As you can see, listing up the probes via ftrace interface just
takes 0.05sec/26980probes. Perf probe may take a time for
list up events because it tries to find symbols/lines from
kallsyms or debuginfo.

Thank you,

-- 
Masami HIRAMATSU
IT Management Research Dept. Linux Technology Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@...achi.com


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ