| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260109153420.32181-1-leon.hwang@linux.dev>
Date: Fri, 9 Jan 2026 23:34:17 +0800
From: Leon Hwang <leon.hwang@...ux.dev>
To: bpf@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>,
Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>,
Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
"David S . Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>,
Matt Bobrowski <mattbobrowski@...gle.com>,
Steven Rostedt <rostedt@...dmis.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Shuah Khan <shuah@...nel.org>,
Leon Hwang <leon.hwang@...ux.dev>,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-trace-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org,
kernel-patches-bot@...com
Subject: [PATCH bpf-next 0/3] bpf: Introduce BPF_BRANCH_SNAPSHOT_F_COPY flag for bpf_get_branch_snapshot helper
When the PMU LBR is running in branch-sensitive mode,
'perf_snapshot_branch_stack()' may capture branch entries from the
trampoline entry up to the call site inside a BPF program. These branch
entries are not useful for analyzing the control flow of the tracee.
To eliminate such noise for tracing programs, the branch snapshot should
be taken as early as possible:
* Call 'perf_snapshot_branch_stack()' at the very beginning of the
trampoline for fentry programs.
* Call 'perf_snapshot_branch_stack()' immediately after invoking the
tracee for fexit programs.
With this change, LBR snapshots remain meaningful even when multiple BPF
programs execute before the one requesting LBR data.
In addition, more relevant branch entries can be captured on AMD CPUs,
which provide a 16-entry-deep LBR stack.
Testing
The series was tested in a VM configured with LBR enabled:
vmtest --kvm-cpu-args 'host,pmu=on,lbr-fmt=0x5' -k $(make -s image_name) -
Branch records were verified using bpfsnoop [1]:
/path/to/bpfsnoop -k '(l)icmp_rcv' -E 1 -v \
--kernel-vmlinux /path/to/kernel/vmlinux
For comparison, the following command was used without
BPF_BRANCH_SNAPSHOT_F_COPY:
/path/to/bpfsnoop -k '(l)icmp_rcv' -E 1 -v \
--force-get-branch-snapshot --kernel-vmlinux /path/to/kernel/vmlinux
Without BPF_BRANCH_SNAPSHOT_F_COPY, no branch records related to the
tracee are captured. With it enabled, 17 branch records from the tracee
are observed.
Detailed verification results are available in the gist [2].
With this series applied, retsnoop [3] can benefit from improved LBR
support when using the '--lbr --fentries' options.
Links:
[1] https://github.com/bpfsnoop/bpfsnoop
[2] https://gist.github.com/Asphaltt/cffdeb4b2f2db4c3c42f91a59109f9e7
[3] https://github.com/anakryiko/retsnoop
Leon Hwang (3):
bpf, x64: Call perf_snapshot_branch_stack in trampoline
bpf: Introduce BPF_BRANCH_SNAPSHOT_F_COPY flag for
bpf_get_branch_snapshot helper
selftests/bpf: Add BPF_BRANCH_SNAPSHOT_F_COPY test
arch/x86/net/bpf_jit_comp.c | 66 +++++++++++++++++++
include/linux/bpf.h | 18 ++++-
include/linux/bpf_verifier.h | 1 +
kernel/bpf/verifier.c | 30 +++++++++
kernel/trace/bpf_trace.c | 17 ++++-
.../bpf/prog_tests/get_branch_snapshot.c | 26 +++++++-
.../selftests/bpf/progs/get_branch_snapshot.c | 3 +-
7 files changed, 153 insertions(+), 8 deletions(-)
--
2.52.0
Powered by blists - more mailing lists