Linux Perf Users
 help / color / mirror / Atom feed
* [PATCH v2] perf test amd ibs: avoid using executable heap
@ 2026-07-01  6:23 Ondrej Mosnacek
  2026-07-01  6:33 ` sashiko-bot
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2026-07-01  6:23 UTC (permalink / raw)
  To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Namhyung Kim
  Cc: Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
	Adrian Hunter, James Clark, Ravi Bangoria, linux-perf-users,
	selinux, linux-kernel

Making [parts of] the heap executable is dangerous and is blocked by
SELinux on Fedora/RHEL even for an unconfined user. Replace the malloc()
+ mprotect() combo with just mmap(), creating a private anonymous rwx
mapping, which only requires the more commonly allowed "execmem"
permission under SELinux (things like JIT or regex compilation need it
as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
begins on a page boundary, so the result is equivalent to the original
code even without a memset() or the page-alignment dance.

Verified that the test still passes on a machine with an AMD CPU that
has the "ibs" CPU flag.

Fixes: 35db59fa8ea2 ("perf test amd ibs: Add sample period unit test")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---

v2: fix mmap() failure check (found by sashiko-bot)

 tools/perf/arch/x86/tests/amd-ibs-period.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/tools/perf/arch/x86/tests/amd-ibs-period.c b/tools/perf/arch/x86/tests/amd-ibs-period.c
index 6a92b3a23ed7a..32713f8fcd5c8 100644
--- a/tools/perf/arch/x86/tests/amd-ibs-period.c
+++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
@@ -46,7 +46,6 @@ static int dummy_workload_1(unsigned long count)
 {
 	int (*func)(void);
 	int ret = 0;
-	char *p;
 	char insn1[] = {
 		0xb8, 0x01, 0x00, 0x00, 0x00, /* mov 1,%eax */
 		0xc3, /* ret */
@@ -59,18 +58,11 @@ static int dummy_workload_1(unsigned long count)
 		0xcc, /* int 3 */
 	};
 
-	p = calloc(2, page_size);
-	if (!p) {
-		printf("malloc() failed. %m");
-		return 1;
-	}
-
-	func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
-
-	ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
-	if (ret) {
-		printf("mprotect() failed. %m");
-		goto out;
+	func = mmap(NULL, page_size, PROT_READ | PROT_WRITE | PROT_EXEC,
+		    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	if (func == MAP_FAILED) {
+		pr_debug("mmap() failed. %m\n");
+		return -1;
 	}
 
 	if (count < 100000)
@@ -93,7 +85,7 @@ static int dummy_workload_1(unsigned long count)
 	}
 
 out:
-	free(p);
+	munmap(func, page_size);
 	return ret;
 }
 
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01  6:23 [PATCH v2] perf test amd ibs: avoid using executable heap Ondrej Mosnacek
@ 2026-07-01  6:33 ` sashiko-bot
  2026-07-01  6:43 ` Peter Zijlstra
  2026-07-02 11:12 ` Ravi Bangoria
  2 siblings, 0 replies; 8+ messages in thread
From: sashiko-bot @ 2026-07-01  6:33 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: selinux, linux-perf-users

> Making [parts of] the heap executable is dangerous and is blocked by
> SELinux on Fedora/RHEL even for an unconfined user. Replace the malloc()
> + mprotect() combo with just mmap(), creating a private anonymous rwx
> mapping, which only requires the more commonly allowed "execmem"
> permission under SELinux (things like JIT or regex compilation need it
> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> begins on a page boundary, so the result is equivalent to the original
> code even without a memset() or the page-alignment dance.
> 
> Verified that the test still passes on a machine with an AMD CPU that
> has the "ibs" CPU flag.
> 
> Fixes: 35db59fa8ea2 ("perf test amd ibs: Add sample period unit test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Sashiko has reviewed this patch and found no issues. It looks great!

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701062321.517351-1-omosnace@redhat.com?part=1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01  6:23 [PATCH v2] perf test amd ibs: avoid using executable heap Ondrej Mosnacek
  2026-07-01  6:33 ` sashiko-bot
@ 2026-07-01  6:43 ` Peter Zijlstra
  2026-07-01 16:59   ` Ravi Bangoria
  2026-07-02 11:12 ` Ravi Bangoria
  2 siblings, 1 reply; 8+ messages in thread
From: Peter Zijlstra @ 2026-07-01  6:43 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
	Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter,
	James Clark, Ravi Bangoria, linux-perf-users, selinux,
	linux-kernel

On Wed, Jul 01, 2026 at 08:23:21AM +0200, Ondrej Mosnacek wrote:
> Making [parts of] the heap executable is dangerous and is blocked by
> SELinux on Fedora/RHEL even for an unconfined user. Replace the malloc()
> + mprotect() combo with just mmap(), creating a private anonymous rwx
> mapping, which only requires the more commonly allowed "execmem"

I do not understand. Ultimately malloc() will have to use mmap() to get
the memory too. So how is malloc() + mprotect() considered more
dangerous?

> permission under SELinux (things like JIT or regex compilation need it
> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> begins on a page boundary, so the result is equivalent to the original
> code even without a memset() or the page-alignment dance.

I would argue that having RWX is a problem, you really want RW->RO->RX
transitions, so even with mmap() you want to combine with mprotect().

Obviously this doesn't matter for this test case, but any halfway sane
JIT should really avoid keeping RWX mappings around.

> Verified that the test still passes on a machine with an AMD CPU that
> has the "ibs" CPU flag.
> 
> Fixes: 35db59fa8ea2 ("perf test amd ibs: Add sample period unit test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

The patch is obviously good, simpler is more better and all that. But
the justification really smells.

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>

If and when we get AMD to support IBT, this thing will need more
changes, but alas.

> ---
> 
> v2: fix mmap() failure check (found by sashiko-bot)
> 
>  tools/perf/arch/x86/tests/amd-ibs-period.c | 20 ++++++--------------
>  1 file changed, 6 insertions(+), 14 deletions(-)
> 
> diff --git a/tools/perf/arch/x86/tests/amd-ibs-period.c b/tools/perf/arch/x86/tests/amd-ibs-period.c
> index 6a92b3a23ed7a..32713f8fcd5c8 100644
> --- a/tools/perf/arch/x86/tests/amd-ibs-period.c
> +++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
> @@ -46,7 +46,6 @@ static int dummy_workload_1(unsigned long count)
>  {
>  	int (*func)(void);
>  	int ret = 0;
> -	char *p;
>  	char insn1[] = {
>  		0xb8, 0x01, 0x00, 0x00, 0x00, /* mov 1,%eax */
>  		0xc3, /* ret */
> @@ -59,18 +58,11 @@ static int dummy_workload_1(unsigned long count)
>  		0xcc, /* int 3 */
>  	};
>  
> -	p = calloc(2, page_size);
> -	if (!p) {
> -		printf("malloc() failed. %m");
> -		return 1;
> -	}
> -
> -	func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
> -
> -	ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
> -	if (ret) {
> -		printf("mprotect() failed. %m");
> -		goto out;
> +	func = mmap(NULL, page_size, PROT_READ | PROT_WRITE | PROT_EXEC,
> +		    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> +	if (func == MAP_FAILED) {
> +		pr_debug("mmap() failed. %m\n");
> +		return -1;
>  	}
>  
>  	if (count < 100000)
> @@ -93,7 +85,7 @@ static int dummy_workload_1(unsigned long count)
>  	}
>  
>  out:
> -	free(p);
> +	munmap(func, page_size);
>  	return ret;
>  }
>  
> -- 
> 2.54.0
> 

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01  6:43 ` Peter Zijlstra
@ 2026-07-01 16:59   ` Ravi Bangoria
  2026-07-01 18:54     ` Ian Rogers
  2026-07-02 10:17     ` Peter Zijlstra
  0 siblings, 2 replies; 8+ messages in thread
From: Ravi Bangoria @ 2026-07-01 16:59 UTC (permalink / raw)
  To: Peter Zijlstra, Ondrej Mosnacek
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
	Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter,
	James Clark, linux-perf-users, selinux, linux-kernel,
	Ravi Bangoria

Hi Peter, Ondrej,

>> permission under SELinux (things like JIT or regex compilation need it
>> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
>> begins on a page boundary, so the result is equivalent to the original
>> code even without a memset() or the page-alignment dance.
> 
> I would argue that having RWX is a problem, you really want RW->RO->RX
> transitions, so even with mmap() you want to combine with mprotect().

My original intent for using RWX was to generate sufficient Icache miss
samples for the IBS Fetch unit by overwriting the code prior to execution.
I am wondering whether it would be possible to achieve the same result
by using CLFLUSH with RX permissions. Something like below (build tested
only).

--- a/tools/perf/arch/x86/tests/amd-ibs-period.c
+++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
@@ -25,6 +25,7 @@ static int page_size;
 #define PERF_MMAP_TOTAL_PAGES   (PERF_MMAP_DATA_PAGES + 1)
 #define PERF_MMAP_TOTAL_SIZE    (PERF_MMAP_TOTAL_PAGES * page_size)
 
+#define mb()			asm volatile("mfence":::"memory")
 #define rmb()                   asm volatile("lfence":::"memory")
 
 enum {
@@ -41,10 +42,16 @@ struct perf_pmu *fetch_pmu;
 struct perf_pmu *op_pmu;
 unsigned int perf_event_max_sample_rate;
 
+static inline void clflush(const volatile void *p)
+{
+	asm volatile("clflush (%0)" :: "r"(p) : "memory");
+}
+
 /* Dummy workload to generate IBS samples. */
 static int dummy_workload_1(unsigned long count)
 {
-	int (*func)(void);
+	int (*func1)(void);
+	int (*func2)(void);
 	int ret = 0;
 	char *p;
 	char insn1[] = {
@@ -59,33 +66,42 @@ static int dummy_workload_1(unsigned long count)
 		0xcc, /* int 3 */
 	};
 
-	p = calloc(2, page_size);
-	if (!p) {
-		printf("malloc() failed. %m");
+
+	p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
+		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	if (p == MAP_FAILED) {
+		printf("mmap() failed. %m");
 		return 1;
 	}
 
-	func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
+	memcpy(p, insn1, sizeof(insn1));
+	memcpy(p + 128, insn2, sizeof(insn2));
 
-	ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
+	ret = mprotect(p, page_size, PROT_READ | PROT_EXEC);
 	if (ret) {
 		printf("mprotect() failed. %m");
 		goto out;
 	}
 
+	func1 = (void *)(p);
+	func2 = (void *)(p + 128);
+
 	if (count < 100000)
 		count = 100000;
 	else if (count > 10000000)
 		count = 10000000;
 	while (count--) {
-		memcpy((void *)func, insn1, sizeof(insn1));
-		if (func() != 1) {
+		clflush(func1);
+		mb();
+		if (func1() != 1) {
 			pr_debug("ERROR insn1\n");
 			ret = -1;
 			goto out;
 		}
-		memcpy((void *)func, insn2, sizeof(insn2));
-		if (func() != 2) {
+
+		clflush(func2);
+		mb();
+		if (func2() != 2) {
 			pr_debug("ERROR insn2\n");
 			ret = -1;
 			goto out;
@@ -93,7 +109,7 @@ static int dummy_workload_1(unsigned long count)
 	}
 
 out:
-	free(p);
+	munmap(p, page_size);
 	return ret;
 }
 
---

Thanks,
Ravi

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01 16:59   ` Ravi Bangoria
@ 2026-07-01 18:54     ` Ian Rogers
  2026-07-02 10:17     ` Peter Zijlstra
  1 sibling, 0 replies; 8+ messages in thread
From: Ian Rogers @ 2026-07-01 18:54 UTC (permalink / raw)
  To: Ravi Bangoria
  Cc: Peter Zijlstra, Ondrej Mosnacek, Ingo Molnar,
	Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
	Alexander Shishkin, Jiri Olsa, Adrian Hunter, James Clark,
	linux-perf-users, selinux, linux-kernel

On Wed, Jul 1, 2026 at 9:59 AM Ravi Bangoria <ravi.bangoria@amd.com> wrote:
>
> Hi Peter, Ondrej,
>
> >> permission under SELinux (things like JIT or regex compilation need it
> >> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> >> begins on a page boundary, so the result is equivalent to the original
> >> code even without a memset() or the page-alignment dance.
> >
> > I would argue that having RWX is a problem, you really want RW->RO->RX
> > transitions, so even with mmap() you want to combine with mprotect().
>
> My original intent for using RWX was to generate sufficient Icache miss
> samples for the IBS Fetch unit by overwriting the code prior to execution.
> I am wondering whether it would be possible to achieve the same result
> by using CLFLUSH with RX permissions. Something like below (build tested
> only).

(Minor 2 cents) To make the code more canonical JIT code it should
probably use memory protection keys for permissions.

Thanks,
Ian

> --- a/tools/perf/arch/x86/tests/amd-ibs-period.c
> +++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
> @@ -25,6 +25,7 @@ static int page_size;
>  #define PERF_MMAP_TOTAL_PAGES   (PERF_MMAP_DATA_PAGES + 1)
>  #define PERF_MMAP_TOTAL_SIZE    (PERF_MMAP_TOTAL_PAGES * page_size)
>
> +#define mb()                   asm volatile("mfence":::"memory")
>  #define rmb()                   asm volatile("lfence":::"memory")
>
>  enum {
> @@ -41,10 +42,16 @@ struct perf_pmu *fetch_pmu;
>  struct perf_pmu *op_pmu;
>  unsigned int perf_event_max_sample_rate;
>
> +static inline void clflush(const volatile void *p)
> +{
> +       asm volatile("clflush (%0)" :: "r"(p) : "memory");
> +}
> +
>  /* Dummy workload to generate IBS samples. */
>  static int dummy_workload_1(unsigned long count)
>  {
> -       int (*func)(void);
> +       int (*func1)(void);
> +       int (*func2)(void);
>         int ret = 0;
>         char *p;
>         char insn1[] = {
> @@ -59,33 +66,42 @@ static int dummy_workload_1(unsigned long count)
>                 0xcc, /* int 3 */
>         };
>
> -       p = calloc(2, page_size);
> -       if (!p) {
> -               printf("malloc() failed. %m");
> +
> +       p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
> +                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> +       if (p == MAP_FAILED) {
> +               printf("mmap() failed. %m");
>                 return 1;
>         }
>
> -       func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
> +       memcpy(p, insn1, sizeof(insn1));
> +       memcpy(p + 128, insn2, sizeof(insn2));
>
> -       ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
> +       ret = mprotect(p, page_size, PROT_READ | PROT_EXEC);
>         if (ret) {
>                 printf("mprotect() failed. %m");
>                 goto out;
>         }
>
> +       func1 = (void *)(p);
> +       func2 = (void *)(p + 128);
> +
>         if (count < 100000)
>                 count = 100000;
>         else if (count > 10000000)
>                 count = 10000000;
>         while (count--) {
> -               memcpy((void *)func, insn1, sizeof(insn1));
> -               if (func() != 1) {
> +               clflush(func1);
> +               mb();
> +               if (func1() != 1) {
>                         pr_debug("ERROR insn1\n");
>                         ret = -1;
>                         goto out;
>                 }
> -               memcpy((void *)func, insn2, sizeof(insn2));
> -               if (func() != 2) {
> +
> +               clflush(func2);
> +               mb();
> +               if (func2() != 2) {
>                         pr_debug("ERROR insn2\n");
>                         ret = -1;
>                         goto out;
> @@ -93,7 +109,7 @@ static int dummy_workload_1(unsigned long count)
>         }
>
>  out:
> -       free(p);
> +       munmap(p, page_size);
>         return ret;
>  }
>
> ---
>
> Thanks,
> Ravi

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01 16:59   ` Ravi Bangoria
  2026-07-01 18:54     ` Ian Rogers
@ 2026-07-02 10:17     ` Peter Zijlstra
  2026-07-02 11:11       ` Ravi Bangoria
  1 sibling, 1 reply; 8+ messages in thread
From: Peter Zijlstra @ 2026-07-02 10:17 UTC (permalink / raw)
  To: Ravi Bangoria
  Cc: Ondrej Mosnacek, Ingo Molnar, Arnaldo Carvalho de Melo,
	Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
	Ian Rogers, Adrian Hunter, James Clark, linux-perf-users, selinux,
	linux-kernel

On Wed, Jul 01, 2026 at 10:29:04PM +0530, Ravi Bangoria wrote:
> Hi Peter, Ondrej,
> 
> >> permission under SELinux (things like JIT or regex compilation need it
> >> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> >> begins on a page boundary, so the result is equivalent to the original
> >> code even without a memset() or the page-alignment dance.
> > 
> > I would argue that having RWX is a problem, you really want RW->RO->RX
> > transitions, so even with mmap() you want to combine with mprotect().
> 
> My original intent for using RWX was to generate sufficient Icache miss
> samples for the IBS Fetch unit by overwriting the code prior to execution.
> I am wondering whether it would be possible to achieve the same result
> by using CLFLUSH with RX permissions. Something like below (build tested
> only).

So for a test it is fine to have RWX, my comments were mostly aimed at
the IMO insane SELinux policies.

CLFLUSH+MB, and on AMD MB is serializing. Thus CLFLUSH will flush the
I-cache and MB will flush decode / ucode buffers IIRC. So yeah,
CLFLUSH+MB should work fine; if you want to go that route.

> --- a/tools/perf/arch/x86/tests/amd-ibs-period.c
> +++ b/tools/perf/arch/x86/tests/amd-ibs-period.c
> @@ -25,6 +25,7 @@ static int page_size;
>  #define PERF_MMAP_TOTAL_PAGES   (PERF_MMAP_DATA_PAGES + 1)
>  #define PERF_MMAP_TOTAL_SIZE    (PERF_MMAP_TOTAL_PAGES * page_size)
>  
> +#define mb()			asm volatile("mfence":::"memory")
>  #define rmb()                   asm volatile("lfence":::"memory")
>  
>  enum {
> @@ -41,10 +42,16 @@ struct perf_pmu *fetch_pmu;
>  struct perf_pmu *op_pmu;
>  unsigned int perf_event_max_sample_rate;
>  
> +static inline void clflush(const volatile void *p)
> +{
> +	asm volatile("clflush (%0)" :: "r"(p) : "memory");
> +}
> +
>  /* Dummy workload to generate IBS samples. */
>  static int dummy_workload_1(unsigned long count)
>  {
> -	int (*func)(void);
> +	int (*func1)(void);
> +	int (*func2)(void);
>  	int ret = 0;
>  	char *p;
>  	char insn1[] = {
> @@ -59,33 +66,42 @@ static int dummy_workload_1(unsigned long count)
>  		0xcc, /* int 3 */
>  	};
>  
> -	p = calloc(2, page_size);
> -	if (!p) {
> -		printf("malloc() failed. %m");
> +
> +	p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
> +		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

RW

> +	if (p == MAP_FAILED) {
> +		printf("mmap() failed. %m");
>  		return 1;
>  	}
>  
> -	func = (void *)((unsigned long)(p + page_size - 1) & ~(page_size - 1));
> +	memcpy(p, insn1, sizeof(insn1));
> +	memcpy(p + 128, insn2, sizeof(insn2));
>  
> -	ret = mprotect(func, page_size, PROT_READ | PROT_WRITE | PROT_EXEC);
> +	ret = mprotect(p, page_size, PROT_READ | PROT_EXEC);

RX

You really need an RO step in between IIRC, otherwise, depending on arch
details and mprotect implementation details, it is possible to have WX
overlap.

Notably, you want to have a TLB flush between removing W and adding X.

But again, this isn't relevant for simple test cases, but does matter
for JITs, esp. when they're embedded into applications with lots of user
input.

The thing you want to avoid at all cost is things like buffer overflows
(write primitives) to escalate into random code execution, which if
there are RWX buffers around, is almost trivial.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-02 10:17     ` Peter Zijlstra
@ 2026-07-02 11:11       ` Ravi Bangoria
  0 siblings, 0 replies; 8+ messages in thread
From: Ravi Bangoria @ 2026-07-02 11:11 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ondrej Mosnacek, Ingo Molnar, Arnaldo Carvalho de Melo,
	Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
	Ian Rogers, Adrian Hunter, James Clark, linux-perf-users, selinux,
	linux-kernel, Ravi Bangoria

>>>> permission under SELinux (things like JIT or regex compilation need it
>>>> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
>>>> begins on a page boundary, so the result is equivalent to the original
>>>> code even without a memset() or the page-alignment dance.
>>>
>>> I would argue that having RWX is a problem, you really want RW->RO->RX
>>> transitions, so even with mmap() you want to combine with mprotect().
>>
>> My original intent for using RWX was to generate sufficient Icache miss
>> samples for the IBS Fetch unit by overwriting the code prior to execution.
>> I am wondering whether it would be possible to achieve the same result
>> by using CLFLUSH with RX permissions. Something like below (build tested
>> only).
> 
> So for a test it is fine to have RWX

Sure, makes sense.

Thanks,
Ravi

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] perf test amd ibs: avoid using executable heap
  2026-07-01  6:23 [PATCH v2] perf test amd ibs: avoid using executable heap Ondrej Mosnacek
  2026-07-01  6:33 ` sashiko-bot
  2026-07-01  6:43 ` Peter Zijlstra
@ 2026-07-02 11:12 ` Ravi Bangoria
  2 siblings, 0 replies; 8+ messages in thread
From: Ravi Bangoria @ 2026-07-02 11:12 UTC (permalink / raw)
  To: Ondrej Mosnacek, Peter Zijlstra, Ingo Molnar,
	Arnaldo Carvalho de Melo, Namhyung Kim
  Cc: Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers,
	Adrian Hunter, James Clark, linux-perf-users, selinux,
	linux-kernel, Ravi Bangoria

> Making [parts of] the heap executable is dangerous and is blocked by
> SELinux on Fedora/RHEL even for an unconfined user. Replace the malloc()
> + mprotect() combo with just mmap(), creating a private anonymous rwx
> mapping, which only requires the more commonly allowed "execmem"
> permission under SELinux (things like JIT or regex compilation need it
> as well). mmap() with MAP_ANONYMOUS will give us a zeroed mapping that
> begins on a page boundary, so the result is equivalent to the original
> code even without a memset() or the page-alignment dance.
> 
> Verified that the test still passes on a machine with an AMD CPU that
> has the "ibs" CPU flag.
> 
> Fixes: 35db59fa8ea2 ("perf test amd ibs: Add sample period unit test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Reviewed-by: Ravi Bangoria <ravi.bangoria@amd.com>

Thanks,
Ravi

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2026-07-02 11:13 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01  6:23 [PATCH v2] perf test amd ibs: avoid using executable heap Ondrej Mosnacek
2026-07-01  6:33 ` sashiko-bot
2026-07-01  6:43 ` Peter Zijlstra
2026-07-01 16:59   ` Ravi Bangoria
2026-07-01 18:54     ` Ian Rogers
2026-07-02 10:17     ` Peter Zijlstra
2026-07-02 11:11       ` Ravi Bangoria
2026-07-02 11:12 ` Ravi Bangoria

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox