Received: by 2002:a05:6358:bb9e:b0:b9:5105:a5b4 with SMTP id df30csp5358560rwb; Wed, 7 Sep 2022 01:17:48 -0700 (PDT) X-Google-Smtp-Source: AA6agR6BpFbKxpmjS2pJgO13YYrl3MM6Fnfep+EdMHaUvBHGKHgNJv/KnRPciKd1R4z7OmOaLwe5 X-Received: by 2002:a63:d16:0:b0:41d:fe52:1d2f with SMTP id c22-20020a630d16000000b0041dfe521d2fmr2454049pgl.416.1662538668113; Wed, 07 Sep 2022 01:17:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662538668; cv=none; d=google.com; s=arc-20160816; b=eRnt62OrXNItHnUWzmb39ooNTTRx3TVV6M21O3nSGZqfK/UPlYQQ5ZxtGqlzoEfEwb 1fKtHGSHNqyCJgvsQNEy6CI9U/Nkiq21EqC2JBPHkZY8j7BwfOPJgqJ/1JAq3iO5RjE2 KWbvLYHukJ/5qshmpxgVSlthpa78Xmz8+nox2vhZ6cWjm39FKCPxIg5JWEQB20/hrYu4 wh/tmjAP+C/OINWNs4exOK2biu30CZpIihjDeQkCr1qi3bg/UNWPS5UueH2tSzYmdW/Q PdbqWJ7FLXvgJL+bsXWhICFXYowRyilZSpjreZjgRY9LS1a9hQaKFpTazAD2CTZlo9R7 jf4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=E9pidXGct5S8ms/KlIXlwMVVLVf0nTiLM3OKPd0GOQQ=; b=SmNkNHiawF58oMRlJTaPNwiEKSIPNJHxviJWc+r3OW4by2RG58Ag2Dnf4ozLDDGkZc CKlNWPwdVn915qtr7BfUE9J1xsEHPxdwmrkj+fRHCa7BtT5P7EXED2ivKMTI4h2mWEkE 7gJZXt3PErLXYoIIkPW56OT3j/IAF8aRSXZqm4/AaJaFj99Rz2uYLqQG2pMPIugcUALm iFqF2DbXLNQCsMvvwWxRiTXkeXrigXx86EaJL+GT0mNnCPJE3ivM2PThOcjKiV7ckZ8L lDYwwFhJACWlKyqjLpJQ/1YFxqT8hOGw5Lre7hqICR0qJjxMUShPk/Gh1SDyqxuXfMFM kllg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=LvMU6mMR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t189-20020a6381c6000000b0042b40076dbcsi15623946pgd.576.2022.09.07.01.17.35; Wed, 07 Sep 2022 01:17:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=LvMU6mMR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229540AbiIGHlc (ORCPT + 99 others); Wed, 7 Sep 2022 03:41:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229661AbiIGHla (ORCPT ); Wed, 7 Sep 2022 03:41:30 -0400 Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A86A9C2F1 for ; Wed, 7 Sep 2022 00:41:23 -0700 (PDT) Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-333a4a5d495so118420807b3.10 for ; Wed, 07 Sep 2022 00:41:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=E9pidXGct5S8ms/KlIXlwMVVLVf0nTiLM3OKPd0GOQQ=; b=LvMU6mMR4G7KAw4ms+Dn8YY0BzPYr2ExRSYSvnMAgFXp31eKl0gSX0c53Rl/omK57F qf3BYWYtcgfo5w4nLUWiMesc+YLh40LiueVANSnVv0645gEojyH3KSDdGlOiBpGkz3Hx COxgkQssBWSG0K8ON6B7odRQ7k5PrG2kXqbN7z4P7e3p5KAE7r+a+wy85K/9DIRGYnYl ZWFNQFsC6p4qyPv5n+KbsVV9Eaf+kh6AOiZkF+gb3wQAWChOykNIdVCdH1KJbzHSSb8L Yh/iGvX1n0PwrO2gic1Qy1jGetWHDp/43VJck32Sy5gKH4Vli06x8/gm6euTLcVt47W8 H7pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=E9pidXGct5S8ms/KlIXlwMVVLVf0nTiLM3OKPd0GOQQ=; b=wwMG2bQ5f940ym0TcgoSWURwj05Fcjd7rowrGsL89yMc/XVVICXiltcAjXudIz3H7K jFU6MAtZLJldKjVuHsT1HqHrG95OMClIRzfbory9tsD2N2wQu8BZk1q6AT/F7zbEcp+y Xp6YSV3Bhm/h+SFCN0M70Lka1vhFWRN3sB4hRaxnyDCn+A4fIFHsjgKuwG+qXnHOYV3r JKocM/lNkJIj89kyCnuAKLCHoM0BADqmgLm5ipxWi9H8Ag4+jCj+x6Gn5f4msjH+7zBI LvIkgvKzqESKxflRWYJI/uO22y+bJA91KED520UXdCNivdIbyy4XgXG2Nw4xNhjSr9BC DgZw== X-Gm-Message-State: ACgBeo1lX1twOjm02Ii/Q5sZAFQl6mtEekR6IHmxJl3DSy+uL+lH1/Ub LiwpWz/SLCLb6NjrzlfVwXqxNv4Z3p8f9zuLMSchkw== X-Received: by 2002:a81:a16:0:b0:345:afa:5961 with SMTP id 22-20020a810a16000000b003450afa5961mr1953865ywk.11.1662536482427; Wed, 07 Sep 2022 00:41:22 -0700 (PDT) MIME-Version: 1.0 References: <20220902100057.404817-1-elver@google.com> In-Reply-To: From: Marco Elver Date: Wed, 7 Sep 2022 09:40:46 +0200 Message-ID: Subject: Re: [PATCH] perf: Allow restricted kernel breakpoints on user addresses To: Peter Zijlstra Cc: Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Dmitry Vyukov , Jann Horn , Thomas Gleixner Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 6 Sept 2022 at 22:38, Peter Zijlstra wrote: > > On Fri, Sep 02, 2022 at 12:00:57PM +0200, Marco Elver wrote: > > Allow the creation of restricted breakpoint perf events that also fire > > in the kernel (!exclude_kernel), if: > > > > 1. No sample information is requested; samples may contain IPs, > > registers, or other information that may disclose kernel addresses. > > > > 2. The breakpoint (viz. data watchpoint) is on a user address. > > > > The rules constrain the allowable perf events such that no sensitive > > kernel information can be disclosed. > > > > Despite no explicit kernel information disclosure, the following > > questions may need answers: > > > > 1. Is obtaining information that the kernel accessed a particular > > user's known memory location revealing new information? > > Given the kernel's user space ABI, there should be no "surprise > > accesses" to user space memory in the first place. > > > > 2. Does causing breakpoints on user memory accesses by the kernel > > potentially impact timing in a sensitive way? > > Since hardware breakpoints trigger regardless of the state of > > perf_event_attr::exclude_kernel, but are filtered in the perf > > subsystem, this possibility already exists independent of the > > proposed change. > > > > Changelog forgot to tell us why you want this :-) Oops. > I don't see any immediate concerns, but it's late so who knows.. Similar to motivation as https://lore.kernel.org/all/20210408103605.1676875-1-elver@google.com/: Low-overhead error detectors that rely on detecting memory access via breakpoints/watchpoints. For example for race detection, but also things like data flow tracking. By allowing in-kernel breakpoints on user addresses, we can detect bugs that involve kernel accesses (e.g. for race detector, racy read/write vs. syscall somewhere; or tracking data flow through kernel). Shall I go and send v2 with some motivation? Thanks, -- Marco