| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Nov 2015 10:28:43 +0100 From: Peter Zijlstra <peterz@...radead.org> To: Ingo Molnar <mingo@...nel.org> Cc: "Wangnan (F)" <wangnan0@...wei.com>, Jiri Olsa <jolsa@...nel.org>, Arnaldo Carvalho de Melo <acme@...nel.org>, David Ahern <dsahern@...il.com>, Milian Wolff <milian.wolff@...b.com>, linux-kernel@...r.kernel.org, pi3orama <pi3orama@....com>, lizefan 00213767 <lizefan@...wei.com> Subject: Re: [BUG REPORT] perf tools: x86_64: Broken calllchain when sampling taken at 'callq' instruction On Fri, Nov 27, 2015 at 09:38:11AM +0100, Ingo Molnar wrote: > > * Peter Zijlstra <peterz@...radead.org> wrote: > > > On Thu, Nov 19, 2015 at 11:23:00AM +0100, Ingo Molnar wrote: > > > PEBS is an asynchronous hardware tracing mechanism, when batched PEBS is used it > > > might not even result in any interruption of execution. The 'pt_regs' does not > > > necessarily correspond to an interrupted, restartable context - we take the RIP > > > from the PEBS machinery and also use LBR and disassembly to determine the previous > > > instruction, before reporting it to user-space. > > > > Note that modern PEBS hardware (hsw+) does the rollback in hardware. > > Prior to that we indeed to it manually using the LBR. > > > > As to pt_regs, we construct a franken pt_regs based on the actual PEBS > > buffer overflow PMI and bits from the PEBS record (which also includes > > some register state). See > > arch/x86/kernel/cpu/perf_event_intel_ds.c:setup_pebs_sample_data(). > > > > We always copy the flags, ip, bp and sp from the PEBS record into the > > interrupt pt_regs. > > > > And note that the PEBS record is constructed at instruction retirement, > > so it shows the state _after_ the instruction, with exception of the > > (hsw+) real_ip field. > > > > So the unwinder will have to be taught that if the IP points at a stack > > altering instruction (call, push, etc.) it will have to 'undo' the > > effects on the actual stack (I appreciate this might be 'interesting' > > for things like: pop, ret, etc.). > > So do we dump both the 'real' and the actual RIP, to not force tooling into having > to decode instructions and such? Nope, we only expose the corrected one. > (Which is pretty hard and fragile and not always > possible with instructions that destroy the original RIP, like JMP, etc.) Not sure what you're getting at here. We don't need the uncorrected instruction. But the problem here is that we rewind the instruction stream, but not the stack. And the stack unwinder is (obviously) interested in the stack state. I'm not sure we want (or need) to go undo the specific instruction's stack effect in-kernel. If the !DWARF unwinders are similarly confused we might need to put it in kernel (expensive *groan*). If its only the DWARF muck then its something that can be done in userspace just fine, although we might need to copy slightly more of the stack than SP is pointing at, such that we can undo RET/POP etc. which would have data beyond the head of stack. The easiest solution might be to figure out the biggest stack offset for any instruction and always capture that much over the head of stack. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists