| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aG4_uYJgpMXo3QHQ@raptor>
Date: Wed, 9 Jul 2025 11:08:57 +0100
From: Alexandru Elisei <alexandru.elisei@....com>
To: Leo Yan <leo.yan@....com>
Cc: James Clark <james.clark@...aro.org>, Will Deacon <will@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Catalin Marinas <catalin.marinas@....com>,
Anshuman Khandual <Anshuman.Khandual@....com>,
Rob Herring <Rob.Herring@....com>,
Suzuki Poulose <Suzuki.Poulose@....com>,
Robin Murphy <Robin.Murphy@....com>,
linux-arm-kernel@...ts.infradead.org,
linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] perf: arm_spe: Disable buffer before writing to
PMBPTR_EL1 or PMBSR_EL1
Hi Leo, James,
On Mon, Jul 07, 2025 at 04:37:10PM +0100, Leo Yan wrote:
> On Mon, Jul 07, 2025 at 12:39:57PM +0100, James Clark wrote:
>
> [...]
>
> > > > @@ -661,16 +666,24 @@ static irqreturn_t arm_spe_pmu_irq_handler(int irq, void *dev)
> > > > */
> > > > irq_work_run();
> > > > + /*
> > > > + * arm_spe_pmu_buf_get_fault_act() already drained, and PMBSR_EL1.S == 1
> > > > + * means that StatisticalProfilingEnabled() == false. So now we can
> > > > + * safely disable the buffer.
> > > > + */
> > > > + write_sysreg_s(0, SYS_PMBLIMITR_EL1);
> > > > + isb();
> > > > +
> > > > + /* Status can be cleared now that PMBLIMITR_EL1.E == 0 */
> > > > + write_sysreg_s(0, SYS_PMBSR_EL1);
> > > > +
> > >
> > > An important thing is about sequence:
> > > As described in arm_spe_pmu_disable_and_drain_local(), should we always
> > > clear ELs bits in PMSCR_EL1 before clear PMBLIMITR_EL1.E bit? As a
> > > reference, we could see TRBE always clear ELx bits before disable trace
> > > buffer.
> > >
> > > And a trivial flaw:
> > >
> > > If the TRUNCATED flag has been set, the irq_work_run() above runs the
> > > IRQ work to invoke the arm_spe_pmu_stop() to disable trace buffer, which
> > > clear SYS_PMBLIMITR_EL1.E bit. This is why the current code does not
> > > explictly clear SYS_PMBLIMITR_EL1.E bit.
> > >
> > > With this patch, the interrupt handler will clear SYS_PMBLIMITR_EL1.E
> > > bit twice for a trunacated case.
> >
> > I suppose that's a rarer case that we don't necessarily have to optimize
> > for. I don't think it will do any harm, but is it even possible to avoid?
> >
> > There are already some other duplications in the driver, for example in
> > arm_spe_pmu_stop() we call arm_spe_pmu_disable_and_drain_local() which
> > drains, and then arm_spe_pmu_buf_get_fault_act() which also drains again.
>
> If we don't need to worry about duplicated operations in the truncated
> case, then for easier maintenance and better readability, I'm wondering
> if we could simplify the interrupt handler as follows:
>
> arm_spe_pmu_irq_handler()
> {
> ...
>
> act = arm_spe_pmu_buf_get_fault_act(handle);
> if (act == SPE_PMU_BUF_FAULT_ACT_SPURIOUS)
> return IRQ_NONE;
>
> arm_spe_pmu_disable_and_drain_local();
>
> /* Status can be cleared now that PMBLIMITR_EL1.E == 0 */
> write_sysreg_s(0, SYS_PMBSR_EL1);
> isb();
>
> switch (act) {
> ...
> }
> }
>
> This approach complies with DEN0154 - we must clear PMBLIMITR_EL1.E
> before writing to other SPE system registers (e.g., PMBSR).
>
> The reason for using arm_spe_pmu_disable_and_drain_local() is that we
> first need to disable profiling instructions by clearing PMSCR_EL1/EL2,
> and then is it safe to disable the profiling buffer.
>
> [...]
>
> > > > case SPE_PMU_BUF_FAULT_ACT_OK:
> > > > /*
> > > > @@ -679,18 +692,14 @@ static irqreturn_t arm_spe_pmu_irq_handler(int irq, void *dev)
> > > > * PMBPTR might be misaligned, but we'll burn that bridge
> > > > * when we get to it.
> > > > */
> > > > - if (!(handle->aux_flags & PERF_AUX_FLAG_TRUNCATED)) {
> > > > + if (!(handle->aux_flags & PERF_AUX_FLAG_TRUNCATED))
> > > > arm_spe_perf_aux_output_begin(handle, event);
> > > > - isb();
> > >
> > > I am a bit suspecious we can remove this isb().
> > >
> > > As a reference to the software usage PKLXF in Arm ARM (DDI 0487 L.a),
> > > after enable TRBE trace unit, an ISB is mandatory. Maybe check a bit
> > > for this?
> >
> > Wasn't this isb() to separate the programming of the registers with the
> > status register clear at the end of this function to enable profiling?
>
> Enabling profiling buffer followed an isb() is not only for separating
> other register programming.
>
> As described in section D17.9, Synchronization and Statistical Profiling
> in Arm ARM:
>
> "A Context Synchronization event guarantees that a direct write to a
> System register made by the PE in program order before the Context
> synchronization event are observable by indirect reads and indirect
> writes of the same System register made by a profiling operation
> relating to a sampled operation in program order after the Context
> synchronization event."
>
> My understanding is: after the ARM SPE profiling is enabled, the
> followed ISB is a Synchronization to make sure the system register
> values are observed by SPE. And we cannot rely on ERET, especially if
> we are tracing the kernel mode.
Thought about this some more.
Before:
arm_spe_pmu_buf_get_fault_act:
<drain buffer>
ISB
arm_spe_perf_aux_output_begin:
PMBLIMITR_EL1.E = 1
ISB
PMBSR_EL1.S = 0
ERET
Now:
PMBLIMITR_EL1 = 0
ISB
PMBSR_EL1.S = 0
arm_spe_perf_aux_output_begin:
ISB
PMBLIMITR_EL1.E = 1
ERET
I don't see much of a difference between the two sequences - the point after
which we can be sure that profiling is enabled remains the ERET from the
exception return. The only difference is that, before this change, the ERET
synchronized clearing the PMBSR_EL1.S bit, now it synchronizes setting the
PMBLIMITR_EL1.E bit.
Thoughts?
Thanks,
Alex
Powered by blists - more mailing lists