| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250707153710.GB2182465@e132581.arm.com>
Date: Mon, 7 Jul 2025 16:37:10 +0100
From: Leo Yan <leo.yan@....com>
To: James Clark <james.clark@...aro.org>
Cc: Will Deacon <will@...nel.org>, Mark Rutland <mark.rutland@....com>,
Catalin Marinas <catalin.marinas@....com>,
Alexandru Elisei <Alexandru.Elisei@....com>,
Anshuman Khandual <Anshuman.Khandual@....com>,
Rob Herring <Rob.Herring@....com>,
Suzuki Poulose <Suzuki.Poulose@....com>,
Robin Murphy <Robin.Murphy@....com>,
linux-arm-kernel@...ts.infradead.org,
linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] perf: arm_spe: Disable buffer before writing to
PMBPTR_EL1 or PMBSR_EL1
On Mon, Jul 07, 2025 at 12:39:57PM +0100, James Clark wrote:
[...]
> > > @@ -661,16 +666,24 @@ static irqreturn_t arm_spe_pmu_irq_handler(int irq, void *dev)
> > > */
> > > irq_work_run();
> > > + /*
> > > + * arm_spe_pmu_buf_get_fault_act() already drained, and PMBSR_EL1.S == 1
> > > + * means that StatisticalProfilingEnabled() == false. So now we can
> > > + * safely disable the buffer.
> > > + */
> > > + write_sysreg_s(0, SYS_PMBLIMITR_EL1);
> > > + isb();
> > > +
> > > + /* Status can be cleared now that PMBLIMITR_EL1.E == 0 */
> > > + write_sysreg_s(0, SYS_PMBSR_EL1);
> > > +
> >
> > An important thing is about sequence:
> > As described in arm_spe_pmu_disable_and_drain_local(), should we always
> > clear ELs bits in PMSCR_EL1 before clear PMBLIMITR_EL1.E bit? As a
> > reference, we could see TRBE always clear ELx bits before disable trace
> > buffer.
> >
> > And a trivial flaw:
> >
> > If the TRUNCATED flag has been set, the irq_work_run() above runs the
> > IRQ work to invoke the arm_spe_pmu_stop() to disable trace buffer, which
> > clear SYS_PMBLIMITR_EL1.E bit. This is why the current code does not
> > explictly clear SYS_PMBLIMITR_EL1.E bit.
> >
> > With this patch, the interrupt handler will clear SYS_PMBLIMITR_EL1.E
> > bit twice for a trunacated case.
>
> I suppose that's a rarer case that we don't necessarily have to optimize
> for. I don't think it will do any harm, but is it even possible to avoid?
>
> There are already some other duplications in the driver, for example in
> arm_spe_pmu_stop() we call arm_spe_pmu_disable_and_drain_local() which
> drains, and then arm_spe_pmu_buf_get_fault_act() which also drains again.
If we don't need to worry about duplicated operations in the truncated
case, then for easier maintenance and better readability, I'm wondering
if we could simplify the interrupt handler as follows:
arm_spe_pmu_irq_handler()
{
...
act = arm_spe_pmu_buf_get_fault_act(handle);
if (act == SPE_PMU_BUF_FAULT_ACT_SPURIOUS)
return IRQ_NONE;
arm_spe_pmu_disable_and_drain_local();
/* Status can be cleared now that PMBLIMITR_EL1.E == 0 */
write_sysreg_s(0, SYS_PMBSR_EL1);
isb();
switch (act) {
...
}
}
This approach complies with DEN0154 - we must clear PMBLIMITR_EL1.E
before writing to other SPE system registers (e.g., PMBSR).
The reason for using arm_spe_pmu_disable_and_drain_local() is that we
first need to disable profiling instructions by clearing PMSCR_EL1/EL2,
and then is it safe to disable the profiling buffer.
[...]
> > > case SPE_PMU_BUF_FAULT_ACT_OK:
> > > /*
> > > @@ -679,18 +692,14 @@ static irqreturn_t arm_spe_pmu_irq_handler(int irq, void *dev)
> > > * PMBPTR might be misaligned, but we'll burn that bridge
> > > * when we get to it.
> > > */
> > > - if (!(handle->aux_flags & PERF_AUX_FLAG_TRUNCATED)) {
> > > + if (!(handle->aux_flags & PERF_AUX_FLAG_TRUNCATED))
> > > arm_spe_perf_aux_output_begin(handle, event);
> > > - isb();
> >
> > I am a bit suspecious we can remove this isb().
> >
> > As a reference to the software usage PKLXF in Arm ARM (DDI 0487 L.a),
> > after enable TRBE trace unit, an ISB is mandatory. Maybe check a bit
> > for this?
>
> Wasn't this isb() to separate the programming of the registers with the
> status register clear at the end of this function to enable profiling?
Enabling profiling buffer followed an isb() is not only for separating
other register programming.
As described in section D17.9, Synchronization and Statistical Profiling
in Arm ARM:
"A Context Synchronization event guarantees that a direct write to a
System register made by the PE in program order before the Context
synchronization event are observable by indirect reads and indirect
writes of the same System register made by a profiling operation
relating to a sampled operation in program order after the Context
synchronization event."
My understanding is: after the ARM SPE profiling is enabled, the
followed ISB is a Synchronization to make sure the system register
values are observed by SPE. And we cannot rely on ERET, especially if
we are tracing the kernel mode.
Thanks,
Leo
> But now we enable profiling with the write to PMBLIMITR_EL1 in
> arm_spe_perf_aux_output_begin() and the last thing here is the ERET. That's
> specifically mentioned as enough synchronization in PKLXF:
>
> In the common case, this is an ERET instruction that returns to a
> different Exception level where tracing is allowed.
>
> > > - }
> > > break;
> > > case SPE_PMU_BUF_FAULT_ACT_SPURIOUS:
> > > /* We've seen you before, but GCC has the memory of a sieve. */
> > > break;
> > > }
> > > - /* The buffer pointers are now sane, so resume profiling. */
> > > - write_sysreg_s(0, SYS_PMBSR_EL1);
> > > return IRQ_HANDLED;
> > > }
> > >
> > > --
> > > 2.34.1
> > >
> > >
>
Powered by blists - more mailing lists