Linux Perf Users
From: Ian Rogers <irogers@google.com>
To: irogers@google.com, acme@kernel.org, james.clark@linaro.org,
	 namhyung@kernel.org
Cc: adrian.hunter@intel.com, gmx@google.com, jolsa@kernel.org,
	 linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
	 mingo@redhat.com, peterz@infradead.org
Subject: [PATCH v8 0/4] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes
Date: Tue, 19 May 2026 23:30:46 -0700
Message-ID: <20260520063050.3917261-1-irogers@google.com>
In-Reply-To: <20260519080824.3329601-1-irogers@google.com>

This patch series introduces the new 'perf inject --aslr' feature to
remap virtual memory addresses or drop physical memory event leaks
when profile record data is shared between machines. Bundled with this
feature is a critical bug fix inside the core map tracking tool that
hardens perf session analysis against concurrent lookup data races.

Core Feature: 'perf inject --aslr' (Patches 2, 3, and 4)

Transferring perf.data files across environments introduces a
potential leak of virtual address footprints, weakening Address Space
Layout Randomization (ASLR) on the originating machine. To mitigate
this, we introduce the --aslr flag into perf inject. Unknown or
unhandled events are dropped conservatively, while handled samples and
branch loops undergo systematic virtual memory offset obfuscation.

Events carrying virtual memory layouts are conservatively
remap-processed or dropped, while zero-address-risk lifecycle metadata
records (such as namespaces, cgroups, and BPF program info) are
intentionally delegated to preserve comprehensive downstream trace
tool analysis compatibility.

The ASLR tracking tool virtualizes process and machine namespaces
using 'struct machines' to safely isolate host mappings from
unprivileged KVM guest address spaces. Memory space layouts are
tracked globally per process context to ensure linear, continuous
space allocations across successive mapping runs.  The topological
invariant coordinate dso + invariant (start - pgoff) is tracked to
uniquely index binary section frameworks, providing complete
collision safety against separate overlapping shared-invariant libraries
while remaining perfectly immune to boundary shifts or split
fragmentations.

To remain strictly conservative and guarantee security, the tool
scrubs breakpoint addresses (bp_addr) from all synthesized stream
headers, completely drops PERF_RECORD_TEXT_POKE events to prevent
absolute immediate pointer operand leaks, and drops unsupported
complex payloads (such as user register stacks, raw tracepoints, and
hardware AUX tracing frames).

Verification is reinforced in Patch 3 with a comprehensive POSIX shell
suite ('inject_aslr.sh'), hardened against SIGPIPE signal exits with
stream consuming awk loops and robust 'set -o pipefail'
assertions. The suite utilizes a highly dense, system-call intensive
VFS byte block loop workload (dd count=500) to guarantee deterministic
hardware timer interrupt sampling streams inside kernel privilege
states.

Prerequisite Bug Fix (Patch 1)

During development, a core map indexing issue was identified and
resolved to prevent concurrent lookup data races during session
analysis:

1. perf symbols: Patch 1 replaces old remove-reinsert map boundary
   update cycles with a high-performance, thread-safe transactional
   framework maps__mutate_mapping() that enforces write semaphore lock
   closures around all in-place virtual address mutations and sorting
   invalidations, completely closing concurrent lookup race condition
   windows. It explicitly executes DWARF address space cache
   invalidation (libdw__invalidate_dwfl()) to keep debugger unwinding
   frames perfectly synchronized.

Changes since v7:

- Minor nits cleaned up.

- Concurrency & Locking (Patch 1): Add a detailed doc comment block
  above maps__mutate_mapping() documenting the recursive down_write()
  deadlock risk during lazy symbol loading. Harden maps__load_maps() to
  return immediately when nr_maps == 0, avoiding spurious -ENOMEM
  returns.

- Deadlock-Free Preloading (Patch 2): Replace upfront preloading with
  dynamic, discovery-driven preloading of host and guest kernel/module
  maps using machine->priv tracking in util/aslr.c, completely
  bypassing lazy symbol loading deadlock risks during event loops.

- Symbol Offset Preservation (Patch 2): Fix the address translation
  offset truncation bug inside aslr_tool__findnew_mapping() to perfectly
  preserve the internal symbol address offset relative to map__start(),
  fully resolving relocation symbol truncations.

- Trace Ingestion Decoupling (Patch 4): Decouple attribute stripping
  from trace ingestion parsing. Keep evsel->core.attr completely
  unmodified in-memory during ingestion, and apply format stripping
  dynamically inside pipe repiping and post-processing file header
  serialization. Implement temporary sample size and attribute overrides
  inside aslr_tool__process_sample() to safely parse repacked events
  via evsel__parse_sample().

Ian Rogers (4):
  perf maps: Add maps__mutate_mapping
  perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses
  perf test: Add inject ASLR test
  perf aslr: Strip sample registers

 tools/perf/builtin-inject.c           |   70 +-
 tools/perf/tests/shell/inject_aslr.sh |  518 ++++++++++
 tools/perf/util/Build                 |    1 +
 tools/perf/util/aslr.c                | 1248 +++++++++++++++++++++++++
 tools/perf/util/aslr.h                |   38 +
 tools/perf/util/machine.c             |   32 +-
 tools/perf/util/maps.c                |   76 ++
 tools/perf/util/maps.h                |    3 +
 tools/perf/util/symbol-elf.c          |   41 +-
 tools/perf/util/symbol.c              |   17 +-
 10 files changed, 2012 insertions(+), 32 deletions(-)
 create mode 100755 tools/perf/tests/shell/inject_aslr.sh
 create mode 100644 tools/perf/util/aslr.c
 create mode 100644 tools/perf/util/aslr.h

-- 
2.54.0.631.ge1b05301d1-goog
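
The keying scheme the cover letter describes, as an added example that is not taken from the patch series: regions are indexed per process by dso plus the invariant (start - pgoff), so the fragments of a split mapping resolve to one remapped base and every address keeps its offset from the map start. All identifiers, the fixed slot size and the base constant are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names and constants; not the code in tools/perf/util/aslr.c. */
#define MAX_REGIONS 64
#define SLOT_SIZE (1ULL << 32)      /* assumed: one fixed-size slot per key */
#define FAKE_BASE 0x10000000000ULL  /* assumed start of the remapped space */

struct region {
	int pid;
	char dso[64];
	uint64_t invariant; /* start - pgoff: unchanged when a mapping is split */
	uint64_t new_base;  /* value that replaces the invariant in the output */
};
static struct region regions[MAX_REGIONS];
static int nr_regions;

/* Find or create the region keyed by (pid, dso, start - pgoff). */
struct region *region_findnew(int pid, const char *dso, uint64_t start, uint64_t pgoff)
{
	uint64_t inv = start - pgoff;
	int in_pid = 0;

	for (int i = 0; i < nr_regions; i++) {
		struct region *r = &regions[i];
		if (r->pid != pid)
			continue;
		in_pid++;
		if (r->invariant == inv && !strncmp(r->dso, dso, sizeof(r->dso) - 1))
			return r;
	}
	if (nr_regions == MAX_REGIONS)
		return NULL;
	struct region *r = &regions[nr_regions++];
	r->pid = pid;
	strncpy(r->dso, dso, sizeof(r->dso) - 1); /* static storage keeps the NUL */
	r->invariant = inv;
	/* Linear per-process allocation: the n-th key of a pid gets slot n. */
	r->new_base = FAKE_BASE + (uint64_t)in_pid * SLOT_SIZE;
	return r;
}

/* Remap addr inside [start, start + len); 0 means "drop the event". */
uint64_t remap_addr(int pid, const char *dso, uint64_t start, uint64_t len,
		    uint64_t pgoff, uint64_t addr)
{
	if (addr < start || addr - start >= len)
		return 0; /* not covered by the mapping: drop conservatively */
	struct region *r = region_findnew(pid, dso, start, pgoff);
	return r ? r->new_base + (addr - r->invariant) : 0;
}
```

Two DSOs that happen to share the same start - pgoff value still get separate slots because the dso name is part of the key, and an address outside the mapping is dropped rather than passed through.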


Thread overview: 70+ messages
2026-04-24 22:05 [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-04-24 22:05 ` [PATCH v1 2/2] perf test: Add inject ASLR test Ian Rogers
2026-04-24 22:47   ` sashiko-bot
2026-04-24 22:36 ` [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses sashiko-bot
2026-04-25  2:05 ` [PATCH v2 " Ian Rogers
2026-04-25  2:05   ` [PATCH v2 2/2] perf test: Add inject ASLR test Ian Rogers
2026-05-04  3:51   ` [PATCH v3 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04  3:51     ` [PATCH v3 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04  3:51     ` [PATCH v3 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04  3:51     ` [PATCH v3 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04  4:51       ` sashiko-bot
2026-05-04  3:51     ` [PATCH v3 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04  5:02       ` sashiko-bot
2026-05-04  7:29     ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04  7:29       ` [PATCH v4 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04  7:29       ` [PATCH v4 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04  7:29       ` [PATCH v4 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04  8:39         ` sashiko-bot
2026-05-04  7:29       ` [PATCH v4 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04  8:48         ` sashiko-bot
2026-05-04  8:23       ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-06  0:45       ` [PATCH v5 0/5] " Ian Rogers
2026-05-06  0:45         ` [PATCH v5 1/5] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-06 13:22           ` Arnaldo Carvalho de Melo
2026-05-06 16:16             ` Ian Rogers
2026-05-06  0:45         ` [PATCH v5 2/5] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-06  0:45         ` [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol() Ian Rogers
2026-05-06  1:45           ` sashiko-bot
2026-05-06  0:45         ` [PATCH v5 4/5] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-06  2:40           ` sashiko-bot
2026-05-06 18:52           ` Namhyung Kim
2026-05-06 20:01             ` Ian Rogers
2026-05-06  0:45         ` [PATCH v5 5/5] perf test: Add inject ASLR test Ian Rogers
2026-05-07 15:58           ` James Clark
2026-05-07 16:17             ` Ian Rogers
2026-05-08 10:42               ` James Clark
2026-05-08 10:49                 ` James Clark
2026-05-08  8:27         ` [PATCH v6 0/6] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-08  8:27           ` [PATCH v6 1/6] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-08  8:27           ` [PATCH v6 2/6] perf tool: Missing delegate_tool schedstat delegates and dont_split_sample_group Ian Rogers
2026-05-08  8:27           ` [PATCH v6 3/6] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-08 10:57             ` James Clark
2026-05-08 20:37             ` sashiko-bot
2026-05-11  7:07             ` Namhyung Kim
2026-05-08  8:27           ` [PATCH v6 4/6] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-08 21:22             ` sashiko-bot
2026-05-11  7:32             ` Namhyung Kim
2026-05-08  8:27           ` [PATCH v6 5/6] perf test: Add inject ASLR test Ian Rogers
2026-05-08 13:29             ` James Clark
2026-05-08 14:29               ` James Clark
2026-05-11  7:34             ` Namhyung Kim
2026-05-08  8:27           ` [PATCH v6 6/6] perf aslr: Strip sample registers Ian Rogers
2026-05-08 21:49             ` sashiko-bot
2026-05-19  8:08           ` [PATCH v7 0/4] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-05-19  8:08             ` [PATCH v7 1/4] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-19  8:38               ` sashiko-bot
2026-05-19  8:08             ` [PATCH v7 2/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-19  9:14               ` sashiko-bot
2026-05-19  8:08             ` [PATCH v7 3/4] perf test: Add inject ASLR test Ian Rogers
2026-05-19  8:08             ` [PATCH v7 4/4] perf aslr: Strip sample registers Ian Rogers
2026-05-19  9:55               ` sashiko-bot
2026-05-20  6:30             ` Ian Rogers [this message]
2026-05-20  6:30               ` [PATCH v8 1/4] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-20  7:06                 ` sashiko-bot
2026-05-20  6:30               ` [PATCH v8 2/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-20  7:50                 ` sashiko-bot
2026-05-20  6:30               ` [PATCH v8 3/4] perf test: Add inject ASLR test Ian Rogers
2026-05-20  8:02                 ` sashiko-bot
2026-05-20  6:30               ` [PATCH v8 4/4] perf aslr: Strip sample registers Ian Rogers
2026-05-20  8:41                 ` sashiko-bot
