lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1401749534.13479.48.camel@ale.ozlabs.ibm.com>
Date:	Tue, 03 Jun 2014 08:52:14 +1000
From:	Michael Neuling <mikey@...ling.org>
To:	Stephane Eranian <eranian@...gle.com>
Cc:	Anshuman Khandual <khandual@...ux.vnet.ibm.com>,
	Linux PPC dev <linuxppc-dev@...abs.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Michael Ellerman <michael@...erman.id.au>,
	"ak@...ux.intel.com" <ak@...ux.intel.com>,
	Arnaldo Carvalho de Melo <acme@...stprotocols.net>,
	Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com>,
	Ingo Molnar <mingo@...nel.org>,
	Peter Zijlstra <peterz@...radead.org>
Subject: Re: [V6 00/11] perf: New conditional branch filter

On Mon, 2014-06-02 at 14:59 +0200, Stephane Eranian wrote:
> On Wed, May 28, 2014 at 10:04 AM, Anshuman Khandual
> <khandual@...ux.vnet.ibm.com> wrote:
> > On 05/27/2014 05:39 PM, Stephane Eranian wrote:
> >> I have been looking at those patches and ran some tests.
> >> And I found a few issues so far.
> >>
> >> I am running:
> >> $ perf record -j any_ret -e cycles:u test_program
> >> $ perf report -D
> >>
> >> Most entries are okay and match the filter, however some do not make sense:
> >>
> >> 3642586996762 0x15d0 [0x108]: PERF_RECORD_SAMPLE(IP, 2): 17921/17921:
> >> 0x10001170 period: 613678 addr: 0
> >> .... branch stack: nr:9
> >> .....  0: 00000000100011cc -> 0000000010000e38
> >> .....  1: 0000000010001150 -> 00000000100011bc
> >> .....  2: 0000000010001208 -> 0000000010000e38
> >> .....  3: 0000000010001160 -> 00000000100011f8
> >> .....  4: 00000000100011cc -> 0000000010000e38
> >> .....  5: 0000000010001150 -> 00000000100011bc
> >> .....  6: 0000000010001208 -> 0000000010000e38
> >> .....  7: 0000000010001160 -> 00000000100011f8
> >> .....  8: 0000000000000000 -> 0000000010001160
> >> ^^^^^^
> >> Entry 8 does not make sense, unless 0x0 is a valid return branch
> >> instruction address.
> >> If an address is invalid, the whole entry needs to be eliminated. It
> >> is okay to have
> >> less than the max number of entries supported by HW.
> >
> > Hey Stephane,
> >
> > Okay. The same behaviour is also reflected in the test results what I have
> > shared in the patchset. Here is that section.
> >
> > (3) perf record -j any_ret -e branch-misses:u ./cprog
> >
> > # Overhead  Command  Source Shared Object          Source Symbol  Target Shared Object          Target Symbol
> > # ........  .......  ....................  .....................  ....................  .....................
> > #
> >     15.61%    cprog  [unknown]             [.] 00000000           cprog                 [.] sw_3_1
> >      6.28%    cprog  cprog                 [.] symbol2            cprog                 [.] hw_1_2
> >      6.28%    cprog  cprog                 [.] ctr_addr           cprog                 [.] sw_4_1
> >      6.26%    cprog  cprog                 [.] success_3_1_3      cprog                 [.] sw_3_1
> >      6.24%    cprog  cprog                 [.] symbol1            cprog                 [.] hw_1_1
> >      6.24%    cprog  cprog                 [.] sw_4_2             cprog                 [.] callme
> >      6.21%    cprog  [unknown]             [.] 00000000           cprog                 [.] callme
> >      6.19%    cprog  cprog                 [.] lr_addr            cprog                 [.] sw_4_2
> >      3.16%    cprog  cprog                 [.] hw_1_2             cprog                 [.] callme
> >      3.15%    cprog  cprog                 [.] success_3_1_1      cprog                 [.] sw_3_1
> >      3.15%    cprog  cprog                 [.] sw_4_1             cprog                 [.] callme
> >      3.14%    cprog  cprog                 [.] callme             cprog                 [.] main
> >      3.13%    cprog  cprog                 [.] hw_1_1             cprog                 [.] callme
> >
> > So a lot of samples above have 0x0 as the "from" address. This originates from the code
> > section here inside the function "power_pmu_bhrb_read", where we hit two back to back
> 
> Could you explain the back-to-back case a bit more here?
> Back-to-back returns to me means something like:
> 
> int foo()
> {
>   ...
>    return bar();
> }
> 
> int bar()
> {
>   return 0;
> }
> 
> Not counting the leaf optimization here, bar return to foo which
> immediately returns: 2 back-2-back returns.
> Is that the case you're talking about here?
> 
> > target addresses. So we zero out the from address for the first target address and re-read
> > the second address over again. So thats how we get zero as the from address. This is how the
> > HW capture the samples. I was reluctant to drop these samples but I agree that these kind of
> > samples can be dropped if we need to.
> >
> I think we need to make it as simple as possible for tools, i.e.,
> avoid having to decode the
> disassembly to figure out what happened. Here address 0 is not exploitable.

This was my fault.  I figured if we only had partial information from
the hardware, it was best to at least export that to the tools.  If you
disagree then we can we remove them.  There was a discussion a while
back on this here:
  https://lkml.org/lkml/2013/5/8/543

Because of the way the branch buffer is structured, we can certainly
lose the from address of the oldest branch in the buffer.  I've not seen
the hardware lose the from branches in the middle of the buffer but I
guess it's possible.  We'll have to get back to you on how or why this
would occur (and associated bias) after talking to some hardware folk.

FWIW, there was some discussion on how the POWER8 branch buffer works a
while back here (same thread as before):
  https://lkml.org/lkml/2013/5/8/541

Mikey

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ