Received: by 2002:a05:7412:b101:b0:e2:908c:2ebd with SMTP id az1csp2657900rdb; Wed, 15 Nov 2023 07:09:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IHlmkHocvJYirIqBuuAtTe2pc1ztEpFmyJWflMbhesSHt5DlPoEPtJKJD5ZWVu/MWKKcoNB X-Received: by 2002:a05:6a21:1c8a:b0:181:1d71:7e0f with SMTP id sf10-20020a056a211c8a00b001811d717e0fmr11325908pzb.61.1700060952505; Wed, 15 Nov 2023 07:09:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700060952; cv=none; d=google.com; s=arc-20160816; b=W90TDcAXoL/uc+EyZAe+73odVYw8We5PFdpKuP3luzCCU0GD0yIYCyObYx7LxG2hg5 aYnkzYD96yBtG66kJt7TciaICydyfvucZ2ZEmcZG6r7RVMUuGSkr2V6lWg5ojvFAJhjo B0uVQ+D8twD3stGCh+dgMDRBdL+CuiVGOCtU6GK95uJ3MdrqQTksAv4+XrgNP/AGw35A dpjIAfw0V7oQE3VXI/hmYqsTbMbmEtggDeQyAgC3vuXMb+IQaxqK9pJWTPefUXYJWndm cgRDF7FXSdD2H/EdKwqj6d4U4MG3DOntsFCP5YcgdlAj9HkP0fDgS1QcGKtH00dWk0kW AeBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:subject:from:cc:to :content-language:user-agent:mime-version:date:message-id :dkim-signature; bh=oCxMChdJdvM1ZquRm/sBXD8iHXcr7KRkG8abehrzyMM=; fh=AsA0Au3IRtSrD0r3aEDCd/f4gxlMsgmTj+uGipK8SpU=; b=OdpBHUC4yVTYmZJMmV/AWzNdm5htyG4PBMdwv4Cxqezb7N8MXCPJvGcFE+DckYZiDJ OtKU2JO56Q6havCqy2UGMKvMIAe4TqPR8gafwxYNJj2fDJ77MCDct0U7qroi1UWFMJD/ ZUoC3R50YkNdCSu3Fw+lEBNvPGCfOtyvO15DU3Sl6i2qVHIBK3A9Pfhg/5ctWW8kkxbd c562BV9+n3k/21C06kFt4AfbFfcELYV5reWnaGQVDK8ZJvcE9gqy6pOi5VxMzcOBE5kX OtM+SHOGqCkxAaI1E/rZRuaoVaZf1CUaSpd2X+6EjE5z9Pro2wfNEjX78KF8CWP3wKG+ QM7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=Jgta6n9d; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id k185-20020a636fc2000000b005ab6142f1besi10521064pgc.169.2023.11.15.07.09.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Nov 2023 07:09:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=Jgta6n9d; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 32C6A802A36C; Wed, 15 Nov 2023 07:09:09 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344320AbjKOPIw (ORCPT + 99 others); Wed, 15 Nov 2023 10:08:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343952AbjKOPIw (ORCPT ); Wed, 15 Nov 2023 10:08:52 -0500 Received: from smtpout.efficios.com (smtpout.efficios.com [167.114.26.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56EB0101 for ; Wed, 15 Nov 2023 07:08:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=efficios.com; s=smtpout1; t=1700060925; bh=nQkiZfSShLRcObhQIvmnOb1jXWqfzmOANMc2r8jtDMo=; h=Date:To:Cc:From:Subject:From; b=Jgta6n9dwEH7u4TYXxOt0OzJJdlQxj0EEpZxxiGrGHWQnds3R/fcgM/dmbjcMNzG+ g0w/jFadoCRWuGFP5RMb+tVNvAatvnUnLkAHZxZGs4Yzq2GwufrJlo3jSBYT7SLMG1 KMku2un+T41Vn8/SvVqKcI4JHdIcXmUI++pX7V5JosO7gpxxuZClIa7SIHaajo+sCo +RFLN7ner60FzKKviFUAKAd7KIzuP1RhHTGFPUOT0XR3k7RQ2nn5mXx5ONOogLxxNP fINPdKcjIlsjZjN6ER8gTBXHfWu+zu2GFkIyy+LDJtG01BSnYUw9Uy5DcLXiHQe+MP c3Phazpp2oPnw== Received: from [172.25.85.137] (unknown [12.186.190.1]) by smtpout.efficios.com (Postfix) with ESMTPSA id 4SVmlJ4pc9z1cf5; Wed, 15 Nov 2023 10:08:44 -0500 (EST) Message-ID: Date: Wed, 15 Nov 2023 10:09:16 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: rostedt , "Masami Hiramatsu (Google)" , Indu Bhagat Cc: "carlos@redhat.com" , Josh Poimboeuf , "Jose E. Marchesi" , Mark Rutland , Peter Zijlstra , Brian Robbins , Diamon discuss , linux-kernel From: Mathieu Desnoyers Subject: Summary of discussion following LPC2023 sframe talk Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 15 Nov 2023 07:09:09 -0800 (PST) Hi, [ With lkml and diamon-discuss in CC ] I'm adding the following notes of the hallway track discussion we had immediately after the sframe slot within the tracing MC [1]. I suspect it is relevant (please correct me if I'm wrong or if there are conclusions that are too early to tell): - Handling of shared libraries: - the libc dynamic loader should register/unregister sframe sections explicitly with new prctl(2) options, - The prctl() for registration of the sframe sections can take the section address and size as arguments, - The prctl for unregistration could take the section address as argument, but this would require additional data in the linker map (within libc), which is unwanted. - One alternative would be to provide an additional information to sframe registration/unregistration: a key which is decided by the libc to match registration/unregistration. That key could be either the address of the text section associated with the sframe section, or it could be the address of the linker map entry (at the choice of userspace). - Overall, the prctl(3) sframe register could have the following parameters: { key, sframe address, sframe section length } - The prctl(3) sframe unregister would then take a { key } as parameter. - The kernel backtrace code using the sframe information should consider it hostile: - can be corrupted by the application (by accident or maliciously), - can be corrupted on disk by modification of the ELF binary, either before registration or after (either by accident or maliciously), - can be malformed to contain loops (need to find a way to have upper bounds, sanity checks about the direction of the stack traversal), - It was discussed that the kernel could possibly validate checksums on registration and write-protect the sframe pages. Considering that the kernel still needs to consider the content hostile even with those mechanisms in place, it is unclear whether they are relevant. - Mark Rutland told me that for aarch64 the current sframe content is not sufficient to express how to walk the stack over code area at the beginning of functions before the stack pointer is updated. He plans to discuss this with Indu as a follow up. - Interpreters: - Walking over an interpreter's own stack can be as simple as skipping over the interpreter's runtime functions. This is a first step to allow skipping over interpreters without detailed information about their own stack layout. - JITs: - There are two approaches to skip over JITted code stacks: - If the jitted code has frame pointers, then use this. - If we figure out that some JITs do not have frame pointers, then we would need to design a new kernel ABI that would allow JITs to express sframe-alike information. This will need to be designed with the input of JIT communities because some of them are likely not psABI compliant (e.g. lua has a separate stack). - When we have a good understanding of the JIT requirements in terms of frame description content, the other element that would need to be solved is how to allow JITs to emit frame data in a data structure that can expand. We may need something like a reserved memory area, with a counter of the number of elements which is used to synchronize communication between the JITs (producer) and kernel (consumer). - We would need to figure out if JITs expect to have a single producer per frame description area, or multiple producers. - We would need to figure out if JITs expect to append frame descriptions in sorted function address order (append only for frame description, append only for functions text section as well), or if there needs to be support for unsorted function entries. - We would need information about how JITs reclaim functions, and how it impacts the frame description ABI. For instance, we may want to have a tombstone bit to state that a frame was deleted. - We may have to create frame description areas which content are specific to given JITs. For instance, the frame descriptions for a lua JIT on x86-64 may not follow the x86-64 regular psABI. - As an initial stage, we can focus on handling the sframe section for executable and shared objects, and use frame pointers to skip over JITted code if available. The goal here is to show the usefulness of this kind of information so we get the interest/collaboration needed to get the relevant input from JIT communities as we design the proper ABI for handling JIT frames. Thanks, Mathieu [1] https://lpc.events/event/17/contributions/1467/ (for abstract/slides) -- Mathieu Desnoyers EfficiOS Inc. https://www.efficios.com