Some details
PMUs are stored in the pmu_idr tree and synchronized with the pmus_lock mutex. And, as usual, they can be used to blind eBPF. How? Let's see:
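We are interested in step 4 of the list below - enabling the perf event involves calling the pmu->event_init and pmu->add methods. And worse - all pmu structures are located in the .data section and are thus writable. So today I added some code to dump them; the output follows the list. It resolves each callback to the symbol or module that owns it, so a handler pointing outside the kernel or an expected module stands out.
Generally speaking, there are usually four steps involved in attaching an eBPF program to a perf event: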
- Open the perf event
- Load the eBPF program
- Set the eBPF program on the perf event
- Enable the perf event
lkmem -c -t -d
pmus at 0xffffffffb4a081b0: 6
[0] type 2 capabilities 0 at 0xffffffffb43c2a20 - kernel!perf_tracepoint
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffb2639e50 - kernel!perf_tp_event_init
add: 0xffffffffb25d3600 - kernel!perf_trace_add
del: 0xffffffffb25d3680 - kernel!perf_trace_del
start: 0xffffffffb2639340 - kernel!perf_swevent_start
stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
read: 0xffffffffb2639300 - kernel!perf_swevent_read
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
[1] type 5 capabilities 0 at 0xffffffffb43c2da0 - kernel!perf_breakpoint
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffb264e010 - kernel!hw_breakpoint_event_init
add: 0xffffffffb264d810 - kernel!hw_breakpoint_add
del: 0xffffffffb264d800 - kernel!hw_breakpoint_del
start: 0xffffffffb264d7c0 - kernel!hw_breakpoint_start
stop: 0xffffffffb264d7e0 - kernel!hw_breakpoint_stop
read: 0xffffffffb2440e10 - kernel!hw_breakpoint_pmu_read
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
[2] type 6 capabilities 0 at 0xffffffffb43c2880 - kernel!perf_kprobe
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffb263db00 - kernel!perf_kprobe_event_init
add: 0xffffffffb25d3600 - kernel!perf_trace_add
del: 0xffffffffb25d3680 - kernel!perf_trace_del
start: 0xffffffffb2639340 - kernel!perf_swevent_start
stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
read: 0xffffffffb2639300 - kernel!perf_swevent_read
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
[3] type 7 capabilities 0 at 0xffffffffb43c26c0 - kernel!perf_uprobe
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffb263db80 - kernel!perf_uprobe_event_init
add: 0xffffffffb25d3600 - kernel!perf_trace_add
del: 0xffffffffb25d3680 - kernel!perf_trace_del
start: 0xffffffffb2639340 - kernel!perf_swevent_start
stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
read: 0xffffffffb2639300 - kernel!perf_swevent_read
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
[4] type 8 capabilities 81 at 0xffffffffb421f740 - kernel!pmu_msr
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffb240c3e0 - kernel!msr_event_init
add: 0xffffffffb240c550 - kernel!msr_event_add
del: 0xffffffffb240c670 - kernel!msr_event_del
start: 0xffffffffb240c680 - kernel!msr_event_start
stop: 0xffffffffb240c660 - kernel!msr_event_stop
read: 0xffffffffb240c5a0 - kernel!msr_event_update
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
[5] type 9 capabilities 80 at 0xffff8ccc42814400 UNKNOWN
pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_init: 0xffffffffc0587000 - rapl
add: 0xffffffffc0587390 - rapl
del: 0xffffffffc0587290 - rapl
start: 0xffffffffc0587340 - rapl
stop: 0xffffffffc05871c0 - rapl
read: 0xffffffffc05871b0 - rapl
start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int