Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp365346imm; Thu, 14 Jun 2018 22:18:38 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLb9qhd30FDFLSKkqvXsng75gnU3uvjhwT/GBaMl3GXxIRf4veU5SfLKlBAUUkWdr72QduB X-Received: by 2002:a17:902:b48f:: with SMTP id y15-v6mr225764plr.261.1529039918763; Thu, 14 Jun 2018 22:18:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529039918; cv=none; d=google.com; s=arc-20160816; b=ASB6fx5V/MSwAbnY61yuejL0gYe4Cr6fKHGvoCmfSYsDmy9wIAmAxyGI1JguWTe0kb YWQ3er8vbDYwmeuy/H6oQ8gPu9c00rjCe2HUGlBR/BUvAXrn5ipcztIp1pl33eubqnlS 8eRYq/tSrXFzsuG0qBDYxuChBo3OsNS4obj1gBNLXbHDoUlLVKQ0wXzQcQcbhVezAt+4 EX6w5qtHMmFgu0J19uLQZaiJmx+EN8iIZxohrDOW+cJBjXP9xSPuHeNTTbbZTwZl33Zg 4zu1mvVU3EB/SdylyIDzTr36ZBr2ME7XggVKYs6e3RQUS5+lDDEcbrfhjtAHg1ghCp7+ KTKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=ZHaapcVCr3b6jxRO7rD75d35Fdl6qU274YEzP5zKe00=; b=gXyiLQv86PNOpvd4vax0x0MhOTwMK8I7P69N+168gYFnL9oJ/I+zaYzqw3pNC44nN4 kl0W8wuevErT/5KFt599CNY8EFW4PM0ywqUQ+mt6DXK1Z0Z0nkvmaY5Hj717e8XfEwXr H2TiWXK3C9PHIEI9gbHjyA2ZOTWNIu5bWnzK+xge57m7Sp4HigtFTfdJED1FHr3LnKYG VXBzTls/mfGQPbyNjwHD3xBaucVfXOPCmby/YAj07P56HC8O7Q8L8owg4fClRC6iW8+0 L+pZntyqFBZ0rf8hxxTowO1QMzocfRINLpzJ9GpK2Q5w1Q0gvAQuJlK6tyfLcshuaKcB jNJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k5-v6si2027576plt.178.2018.06.14.22.17.54; Thu, 14 Jun 2018 22:18:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755592AbeFOFLv (ORCPT + 99 others); Fri, 15 Jun 2018 01:11:51 -0400 Received: from mga03.intel.com ([134.134.136.65]:13287 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755294AbeFOFLu (ORCPT ); Fri, 15 Jun 2018 01:11:50 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jun 2018 22:11:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,225,1526367600"; d="scan'208";a="237346632" Received: from yjin15-mobl.ccr.corp.intel.com (HELO [10.239.161.30]) ([10.239.161.30]) by fmsmga005.fm.intel.com with ESMTP; 14 Jun 2018 22:11:46 -0700 Subject: Re: [PATCH v1 0/2] perf: Drop leaked kernel samples To: Kyle Huey Cc: acme@kernel.org, jolsa@kernel.org, "Peter Zijlstra (Intel)" , Ingo Molnar , Alexander Shishkin , open list , Vince Weaver , Will Deacon , Stephane Eranian , Namhyung Kim , ak@linux.intel.com, kan.liang@intel.com, yao.jin@intel.com, Robert O'Callahan References: <1529057003-2212-1-git-send-email-yao.jin@linux.intel.com> From: "Jin, Yao" Message-ID: <1a442b37-7a97-86f0-11e3-58d940ecfbc9@linux.intel.com> Date: Fri, 15 Jun 2018 13:11:46 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/15/2018 11:35 AM, Kyle Huey wrote: > I strongly object to this patch as written. As I said when I > originally reported[0] the regression introduced by the previous > version of this patch a year ago. > > "It seems like this change should, at a bare minimum, be limited to > counters that actually perform sampling of register state when the > interrupt fires. In our case, with the retired conditional branches > counter restricted to counting userspace events only, it makes no > difference that the PMU interrupt happened to be delivered in the > kernel." > > This means identifying which values of `perf_event_attr::sample_type` > are security concerns (presumably PERF_SAMPLE_IP is, and > PERF_SAMPLE_TIME is not, and someone needs to go through and decide on > all of them) and filtering on those values for this new behavior. > > And because rr sets its sample_type to 0, once you do that, the sysctl > will not be necessary. > > - Kyle > Since rr sets sample_type to 0, the easiest way is to add checking like: if (event->attr.sample_type) { if (event->attr.exclude_kernel && !user_mode(regs)) return false; } So the rr doesn't need to be changed and for other use cases the leaked kernel samples will be dropped. But I don't like this is because: 1. It's too specific for rr case. 2. If we create a new sample_type, e.g. PERF_SAMPLE_ALLOW_LEAKAGE, the code will be: if !(event->attr.sample_type & PERF_SAMPLE_ALLOW_LEAKAGE) { if (event->attr.exclude_kernel && !user_mode(regs)) return false; } But rr needs to add PERF_SAMPLE_ALLOW_LEAKAGE to sample_type since by default the bit is not set. 3. Sysctl is a more flexible way. It provides us with an option when we want to see if skid is existing, we can use sysctl to turn on that. Thanks Jin Yao