Message-ID: <0a0ed9d4-6511-4f0b-868f-22a3f95697f8@intel.com>
Date: Tue, 5 Aug 2025 22:16:29 +0300
From: Adrian Hunter <adrian.hunter@...el.com>
To: Leo Yan <leo.yan@....com>
CC: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...nel.org>, Namhyung Kim
	<namhyung@...nel.org>, Jiri Olsa <jolsa@...nel.org>, Ian Rogers
	<irogers@...gle.com>, KP Singh <kpsingh@...nel.org>, Matt Bobrowski
	<mattbobrowski@...gle.com>, Song Liu <song@...nel.org>, Alexei Starovoitov
	<ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko
	<andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, "Eduard
 Zingerman" <eddyz87@...il.com>, Yonghong Song <yonghong.song@...ux.dev>,
	"John Fastabend" <john.fastabend@...il.com>, Stanislav Fomichev
	<sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Steven Rostedt
	<rostedt@...dmis.org>, "Masami Hiramatsu" <mhiramat@...nel.org>, Mathieu
 Desnoyers <mathieu.desnoyers@...icios.com>, James Clark
	<james.clark@...aro.org>, Suzuki K Poulose <suzuki.poulose@....com>, Mike
 Leach <mike.leach@...aro.org>, <linux-perf-users@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <bpf@...r.kernel.org>,
	<linux-trace-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 0/6] perf auxtrace: Support AUX pause and resume with
 BPF

On 30/07/2025 21:26, Leo Yan wrote:
> Hi Adrian,
> 
> On Mon, Jul 28, 2025 at 08:02:51PM +0300, Adrian Hunter wrote:
>> On 25/07/2025 12:59, Leo Yan wrote:
>>> This series extends Perf for fine-grained tracing by using BPF program
>>> to pause and resume AUX tracing. The BPF program can be attached to
>>> tracepoints (including ftrace tracepoints and dynamic tracepoints, like
>>> kprobe, kretprobe, uprobe and uretprobe).
>>
>> Using eBPF to pause/resume AUX tracing seems like a great idea.
>>
>> AFAICT with this patch set, there is just support for pause/resume
>> much like what could be done directly without eBPF, so I wonder if you
>> could share a bit more on how you see this evolving, and what your
>> future plans are?
> 
> IIUC, here you mean the tool can use `perf probe` to firstly create
> probes, then enable tracepoints as PMU event for AUX pause and resume.

Yes, like:

$ sudo perf probe 'do_sys_openat2 how->flags how->mode'
Added new event:
  probe:do_sys_openat2 (on do_sys_openat2 with flags=how->flags mode=how->mode)

You can now use it in all perf tools, such as:

        perf record -e probe:do_sys_openat2 -aR sleep 1

$ sudo perf probe do_sys_openat2%return
Added new event:
  probe:do_sys_openat2__return (on do_sys_openat2%return)

You can now use it in all perf tools, such as:

        perf record -e probe:do_sys_openat2__return -aR sleep 1

$ sudo perf record --kcore -e intel_pt/aux-action=start-paused/k -e probe:do_sys_openat2/aux-action=resume/ --filter='flags==0x98800' -e probe:do_sys_openat2__return/aux-action=pause/ -- ls
arch   certs    CREDITS  cscope.out     drivers  fs     include  io_uring  Kbuild   kernel  LICENSES     Makefile           mm   perf.data      README  samples  security  tools  virt
block  COPYING  crypto   Documentation  init     ipc       Kconfig  lib     MAINTAINERS  net  rust    scripts  sound     usr
[ perf record: Woken up 2 times to write data ]
[ perf record: Captured and wrote 0.067 MB perf.data ]
$ sudo perf script --itrace=qi | grep -B1 instructions
              ls   37607 [003] 36109.137560:               probe:do_sys_openat2: (ffffffff9d2276a0) flags=0x98800 mode=0x0
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cdc3834 native_write_msr+0x4 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cdc3836 native_write_msr+0x6 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cd26728 pt_config_start+0x58 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cd27727 pt_event_start+0x107 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d0d5a04 perf_event_aux_pause+0x114 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d0d80f7 __perf_event_overflow+0x197 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d0d844d perf_swevent_event+0x12d ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d0d8738 perf_tp_event+0x188 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d00fad6 kprobe_perf_func+0x256 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d00fbbd kprobe_dispatcher+0x6d ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cf80582 aggr_pre_handler+0x42 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9cdbcbb2 kprobe_ftrace_handler+0x152 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffffc12440f5 ftrace_trampoline+0xf5 ([kernel.kallsyms])
              ls   37607 [003] 36109.137562:          1                     instructions:k:  ffffffff9d2276a5 do_sys_openat2+0x5 ([kernel.kallsyms])
              ls   37607 [003] 36109.137563:          1                     instructions:k:  ffffffff9d4c3d60 hook_file_alloc_security+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137564:          1                     instructions:k:  ffffffff9d4a5050 apparmor_file_alloc_security+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137565:          1                     instructions:k:  ffffffff9d42d400 cap_capable+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137565:          1                     instructions:k:  ffffffff9d4a4b70 apparmor_capable+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137566:          1                     instructions:k:  ffffffff9d42d400 cap_capable+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137566:          1                     instructions:k:  ffffffff9d4a4b70 apparmor_capable+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137567:          1                     instructions:k:  ffffffff9d4c4e80 hook_file_open+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137567:          1                     instructions:k:  ffffffff9d4a5aa0 apparmor_file_open+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137567:          1                     instructions:k:  ffffffff9d31fb10 ext4_dir_open+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137567:          1                     instructions:k:  ffffffff9d4cc740 ima_file_check+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137567:          1                     instructions:k:  ffffffff9d4a5960 apparmor_current_getlsmprop_subj+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137568:          1                     instructions:k:  ffffffff9cdb76c0 arch_rethook_trampoline+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137568:          1                     instructions:k:  ffffffff9cf80670 kretprobe_rethook_handler+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137568:          1                     instructions:k:  ffffffff9d00fe90 kretprobe_dispatcher+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137568:          1                     instructions:k:  ffffffff9cd282c0 pt_event_stop+0x0 ([kernel.kallsyms])
              ls   37607 [003] 36109.137569:          1                     instructions:k:  ffffffff9cdc3834 native_write_msr+0x4 ([kernel.kallsyms])

> 
> I would say a benefit from this series is users can use a single
> command to create probes and bind eBPF program for AUX pause and
> resume in one go.
> 
> To be honest, at current stage, I don't have clear idea for expanding
> this feature. But a clear requirement is: AUX trace data usually is
> quite huge, after initial analysis, developers might want to focus
> on specific function profiling (based on function entry and exit) or
> specific period (E.g., start tracing when hit a tracepoint and stop when
> hit another tracepoint).
> 
> eBPF program is powerful. Basically, we can extend it in two different
> dimensions. One direction is we can easily attach the eBPF program to more
> kernel modules, like networking, storage, etc. Another direction is to
> improve the eBPF program itself as a filter for better fine-grained
> tracing, so far we only support limited filtering based on CPU ID or PID,
> we also can extend the filtering based on time, event types, etc.
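
Added example, not part of the message above and not code from perf: a small parser for the `perf script --itrace=qi` output shown in the reply, which reports for each probe hit the probe arguments, the time span of the captured window, and the functions entered once the probed function is running. The names `traced_windows`, `PLUMBING` and `SAMPLE` are made up for this example, and it assumes a command name without spaces.

```python
import re
from decimal import Decimal

# Shapes of the two kinds of line in the output above.
HEAD = r"^\s*\S+\s+\d+\s+\[\d+\]\s+(\d+\.\d+):\s+"
PROBE_RE = re.compile(HEAD + r"probe:(\w+):\s+\([0-9a-f]+\)\s*(.*)$")
INSN_RE = re.compile(HEAD + r"\d+\s+instructions:\S*\s+[0-9a-f]+\s+(\S+)\+(0x[0-9a-f]+)\s")
# Return-probe and PT stop symbols seen in that output; hiding them is this example's choice.
PLUMBING = {"arch_rethook_trampoline", "kretprobe_rethook_handler",
            "kretprobe_dispatcher", "pt_event_stop"}

def traced_windows(text, entry="do_sys_openat2"):
    """One dict per hit of probe:<entry>: probe args, span in microseconds, callees."""
    windows, cur = [], None
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            ts, name, args = m.groups()
            cur = None                      # any probe line closes the previous window
            if name == entry:
                cur = {"args": dict(a.split("=", 1) for a in args.split() if "=" in a),
                       "start": Decimal(ts), "end": Decimal(ts), "inside": False, "callees": []}
                windows.append(cur)
            continue
        m = INSN_RE.match(line)
        if not m or cur is None:
            continue
        ts, sym, off = m.groups()
        cur["end"] = Decimal(ts)
        if sym == entry:
            cur["inside"] = True            # earlier samples belong to the resume path
        elif cur["inside"] and int(off, 16) == 0 and sym not in PLUMBING:
            cur["callees"].append(sym)      # offset 0x0 is a function's first instruction
    for w in windows:
        w["span_us"] = int((w.pop("end") - w.pop("start")) * 1_000_000)
        del w["inside"]
    return windows

# Abridged from the output in the message above, whitespace collapsed.
SAMPLE = """\
 ls 37607 [003] 36109.137560: probe:do_sys_openat2: (ffffffff9d2276a0) flags=0x98800 mode=0x0
 ls 37607 [003] 36109.137562: 1 instructions:k:  ffffffff9cdc3834 native_write_msr+0x4 ([kernel.kallsyms])
 ls 37607 [003] 36109.137562: 1 instructions:k:  ffffffff9d2276a5 do_sys_openat2+0x5 ([kernel.kallsyms])
 ls 37607 [003] 36109.137563: 1 instructions:k:  ffffffff9d4c3d60 hook_file_alloc_security+0x0 ([kernel.kallsyms])
 ls 37607 [003] 36109.137564: 1 instructions:k:  ffffffff9d4a5050 apparmor_file_alloc_security+0x0 ([kernel.kallsyms])
 ls 37607 [003] 36109.137567: 1 instructions:k:  ffffffff9d4cc740 ima_file_check+0x0 ([kernel.kallsyms])
 ls 37607 [003] 36109.137568: 1 instructions:k:  ffffffff9d00fe90 kretprobe_dispatcher+0x0 ([kernel.kallsyms])
 ls 37607 [003] 36109.137568: 1 instructions:k:  ffffffff9cd282c0 pt_event_stop+0x0 ([kernel.kallsyms])
"""
```

Calling `traced_windows()` on the full `perf script --itrace=qi | grep -B1 instructions` output gives one entry per filtered open, which makes it easy to confirm that the capture stays bounded by the resume and pause probes.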



