Linux Perf Users
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Namhyung Kim <namhyung@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	James Clark <james.clark@linaro.org>,
	linux-perf-users@vger.kernel.org, selinux@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf test amd ibs: avoid using executable heap
Date: Thu, 2 Jul 2026 12:17:04 +0200	[thread overview]
Message-ID: <20260702101704.GG751831@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <43dd9d9f-2348-43c0-8af5-77ef260c64a3@amd.com>

On Wed, Jul 01, 2026 at 10:29:04PM +0530, Ravi Bangoria wrote:
> Hi Peter, Ondrej,
> 
> >> permission under SELinux (things like JIT or regex compilation need it
> >> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> >> begins on a page boundary, so the result is equivalent to the original
> >> code even without a memset() or the page-alignment dance.
> > 
> > I would argue that having RWX is a problem, you really want RW->RO->RX
> > transitions, so even with mmap() you want to combine with mprotect().
> 
> My original intent for using RWX was to generate sufficient Icache miss
> samples for the IBS Fetch unit by overwriting the code prior to execution.
> I am wondering whether it would be possible to achieve the same result
> by using CLFLUSH with RX permissions. Something like below (build tested
> only).

So for a test it is fine to have RWX, my comments were mostly aimed at
the IMO insane SELinux policies.

CLFLUSH+MB, and on AMD MB is serializing. Thus CLFLUSH will flush the
I-cache and MB will flush decode / ucode buffers IIRC. So yeah,
CLFLUSH+MB should work fine; if you want to go that route.

> --- a/tools/perf/arch/x86/tests/amd-ibs-period.c
> +++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
> @@ -25,6 +25,7 @@ static int page_size;
>  #define PERF_MMAP_TOTAL_PAGES   (PERF_MMAP_DATA_PAGES + 1)
>  #define PERF_MMAP_TOTAL_SIZE    (PERF_MMAP_TOTAL_PAGES * page_size)
>  
> +#define mb()			asm volatile("mfence":::"memory")
>  #define rmb()                   asm volatile("lfence":::"memory")
>  
>  enum {
> @@ -41,10 +42,16 @@ struct perf_pmu *fetch_pmu;
>  struct perf_pmu *op_pmu;
>  unsigned int perf_event_max_sample_rate;
>  
> +static inline void clflush(const volatile void *p)
> +{
> +	asm volatile("clflush (%0)" :: "r"(p) : "memory");
> +}
> +
>  /* Dummy workload to generate IBS samples. */
>  static int dummy_workload_1(unsigned long count)
>  {
> -	int (*func)(void);
> +	int (*func1)(void);
> +	int (*func2)(void);
>  	int ret = 0;
>  	char *p;
>  	char insn1[] = {
> @@ -59,33 +66,42 @@ static int dummy_workload_1(unsigned long count)
>  		0xcc, /* int 3 */
>  	};
>  
> -	p = calloc(2, page_size);
> -	if (!p) {
> -		printf("malloc() failed. %m");
> +
> +	p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
> +		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

RW

> +	if (p == MAP_FAILED) {
> +		printf("mmap() failed. %m");
>  		return 1;
>  	}
>  
> -	func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
> +	memcpy(p, insn1, sizeof(insn1));
> +	memcpy(p + 128, insn2, sizeof(insn2));
>  
> -	ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
> +	ret = mprotect(p, page_size, PROT_READ | PROT_EXEC);

RX

You really need an RO step in between IIRC, otherwise, depending on arch
details and mprotect implementation details, it is possible to have WX
overlap.

Notably, you want to have a TLB flush between removing W and adding X.

But again, this isn't relevant for simple test cases, but does matter
for JITs, esp. when they're embedded into applications with lots of user
input.

The thing you want to avoid at all cost is things like buffer overflows
(write primitives) to escalate into random code execution, which if
there are RWX buffers around, is almost trivial.

  parent reply	other threads:[~2026-07-02 10:17 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  6:23 [PATCH v2] perf test amd ibs: avoid using executable heap Ondrej Mosnacek
2026-07-01  6:33 ` sashiko-bot
2026-07-01  6:43 ` Peter Zijlstra
2026-07-01 16:59   ` Ravi Bangoria
2026-07-01 18:54     ` Ian Rogers
2026-07-02 10:17     ` Peter Zijlstra [this message]
2026-07-02 11:11       ` Ravi Bangoria
2026-07-02 11:12 ` Ravi Bangoria

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702101704.GG751831@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=acme@kernel.org \
    --cc=adrian.hunter@intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=irogers@google.com \
    --cc=james.clark@linaro.org \
    --cc=jolsa@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=omosnace@redhat.com \
    --cc=ravi.bangoria@amd.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox