Re: [LKP] [ima] 8eb613c0b8: stress-ng.icache.ops_per_sec -84.2% regression
On 6/11/2020 6:53 PM, Mimi Zohar wrote: On Thu, 2020-06-11 at 15:10 +0800, Xing Zhengjun wrote: On 6/10/2020 9:53 PM, Mimi Zohar wrote: ucode: 0x52c Does the following change resolve it? diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c44414a7f82e..78e1dfc8a3f2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -426,7 +426,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) int pcr; /* Is mprotect making an mmap'ed file executable? */ - if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) + if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file || + !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; security_task_getsecid(current, ); Thanks. I test the change, it can resolve the regression. Thanks! Can I get your "Tested-by" tag? Mimi Sure. -- Zhengjun Xing
Re: [LKP] [ima] 8eb613c0b8: stress-ng.icache.ops_per_sec -84.2% regression
On Thu, 2020-06-11 at 15:10 +0800, Xing Zhengjun wrote: > On 6/10/2020 9:53 PM, Mimi Zohar wrote: > ucode: 0x52c > > > > Does the following change resolve it? > > > > diff --git a/security/integrity/ima/ima_main.c > > b/security/integrity/ima/ima_main.c > > index c44414a7f82e..78e1dfc8a3f2 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -426,7 +426,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, > > unsigned long prot) > > int pcr; > > > > /* Is mprotect making an mmap'ed file executable? */ > > - if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) > > + if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file || > > + !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) > > return 0; > > > > security_task_getsecid(current, ); > > > Thanks. I test the change, it can resolve the regression. Thanks! Can I get your "Tested-by" tag? Mimi
Re: [LKP] [ima] 8eb613c0b8: stress-ng.icache.ops_per_sec -84.2% regression
On 6/10/2020 9:53 PM, Mimi Zohar wrote:
Hi Xing,
On Wed, 2020-06-10 at 11:21 +0800, Xing Zhengjun wrote:
Hi Mimi,
Do you have time to take a look at this? we noticed a 3.7%
regression of boot-time.dhcp and a 84.2% regression of
stress-ng.icache.ops_per_sec. Thanks.
On 6/3/2020 5:11 PM, kernel test robot wrote:
Greeting,
FYI, we noticed a 3.7% regression of boot-time.dhcp due to commit:
commit: 8eb613c0b8f19627ba1846dcf78bb2c85edbe8dd ("ima: verify mprotect change is
consistent with mmap policy")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: stress-ng
on test machine: 96 threads Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz with 192G
memory
with following parameters:
nr_threads: 100%
disk: 1HDD
testtime: 30s
class: cpu-cache
cpufreq_governor: performance
ucode: 0x52c
Does the following change resolve it?
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index c44414a7f82e..78e1dfc8a3f2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -426,7 +426,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned
long prot)
int pcr;
/* Is mprotect making an mmap'ed file executable? */
- if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
+ if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
+ !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
return 0;
security_task_getsecid(current, );
Thanks. I test the change, it can resolve the regression.
=
tbox_group/testcase/rootfs/kconfig/compiler/debug-setup/nr_threads/disk/testtime/class/cpufreq_governor/ucode:
lkp-csl-2sp5/stress-ng/debian-x86_64-20191114.cgz/x86_64-rhel-7.6/gcc-9/test/100%/1HDD/30s/cpu-cache/performance/0x52c
commit:
0c4395fb2aa77341269ea619c5419ea48171883f
8eb613c0b8f19627ba1846dcf78bb2c85edbe8dd
8745d6eb3a493b1d324eeb9edefec5d23c16cba9 (fix for the regression)
0c4395fb2aa77341 8eb613c0b8f19627ba1846dcf78 8745d6eb3a493b1d324eeb9edef
--- ---
%stddev %change %stddev %change %stddev
\ |\ |\
884.33 ± 4% +4.6% 924.67 +45.1% 1283 ±
3% stress-ng.cache.ops
29.47 ± 4% +4.6% 30.82 +45.1% 42.76 ±
3% stress-ng.cache.ops_per_sec
1245720 -84.3% 195648-0.8%1235416
stress-ng.icache.ops
41522 -84.3% 6520-0.8% 41179
stress-ng.icache.ops_per_sec
--
Zhengjun Xing
Re: [LKP] [ima] 8eb613c0b8: stress-ng.icache.ops_per_sec -84.2% regression
Hi Xing,
On Wed, 2020-06-10 at 11:21 +0800, Xing Zhengjun wrote:
> Hi Mimi,
>
> Do you have time to take a look at this? we noticed a 3.7%
> regression of boot-time.dhcp and a 84.2% regression of
> stress-ng.icache.ops_per_sec. Thanks.
>
> On 6/3/2020 5:11 PM, kernel test robot wrote:
> > Greeting,
> >
> > FYI, we noticed a 3.7% regression of boot-time.dhcp due to commit:
> >
> >
> > commit: 8eb613c0b8f19627ba1846dcf78bb2c85edbe8dd ("ima: verify mprotect
> > change is consistent with mmap policy")
> > https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> >
> > in testcase: stress-ng
> > on test machine: 96 threads Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz with
> > 192G memory
> > with following parameters:
> >
> > nr_threads: 100%
> > disk: 1HDD
> > testtime: 30s
> > class: cpu-cache
> > cpufreq_governor: performance
> > ucode: 0x52c
Does the following change resolve it?
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index c44414a7f82e..78e1dfc8a3f2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -426,7 +426,8 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned
long prot)
int pcr;
/* Is mprotect making an mmap'ed file executable? */
- if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
+ if (!(ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
+ !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
return 0;
security_task_getsecid(current, );
Re: [LKP] [ima] 8eb613c0b8: stress-ng.icache.ops_per_sec -84.2% regression
Hi Mimi,
Do you have time to take a look at this? we noticed a 3.7%
regression of boot-time.dhcp and a 84.2% regression of
stress-ng.icache.ops_per_sec. Thanks.
On 6/3/2020 5:11 PM, kernel test robot wrote:
Greeting,
FYI, we noticed a 3.7% regression of boot-time.dhcp due to commit:
commit: 8eb613c0b8f19627ba1846dcf78bb2c85edbe8dd ("ima: verify mprotect change is
consistent with mmap policy")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: stress-ng
on test machine: 96 threads Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz with 192G
memory
with following parameters:
nr_threads: 100%
disk: 1HDD
testtime: 30s
class: cpu-cache
cpufreq_governor: performance
ucode: 0x52c
If you fix the issue, kindly add following tag
Reported-by: kernel test robot
Details are as below:
-->
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp install job.yaml # job file is attached in this email
bin/lkp run job.yaml
=
class/compiler/cpufreq_governor/disk/kconfig/nr_threads/rootfs/tbox_group/testcase/testtime/ucode:
cpu-cache/gcc-9/performance/1HDD/x86_64-rhel-7.6/100%/debian-x86_64-20191114.cgz/lkp-csl-2sp5/stress-ng/30s/0x52c
commit:
0c4395fb2a ("evm: Fix possible memory leak in evm_calc_hmac_or_hash()")
8eb613c0b8 ("ima: verify mprotect change is consistent with mmap policy")
0c4395fb2aa77341 8eb613c0b8f19627ba1846dcf78
---
fail:runs %reproductionfail:runs
| | |
:4 25% 1:4
dmesg.WARNING:at#for_ip_interrupt_entry/0x
0:43% 0:4
perf-profile.children.cycles-pp.error_entry
%stddev %change %stddev
\ |\
1245570 -84.2% 197151stress-ng.icache.ops
41517 -84.2% 6570stress-ng.icache.ops_per_sec
1.306e+09 -82.1% 2.338e+08stress-ng.time.minor_page_faults
2985 +13.5% 3387stress-ng.time.system_time
4.28 +13.1% 4.85iostat.cpu.system
4.18+0.64.73mpstat.cpu.all.sys%
10121+9.6% 11096 ± 3% softirqs.CPU67.SCHED
203299-4.2% 194854 ± 5% vmstat.system.in
26.91+2.8% 27.67 ± 3% boot-time.boot
16.34+3.7% 16.94 ± 2% boot-time.dhcp
2183 ± 3% +3.7% 2263boot-time.idle
1042938 ± 80% +8208.2% 86649242 ±156% cpuidle.C1.time
48428 ±114% +1842.4% 940677 ±151% cpuidle.C1.usage
15748 ± 28%+301.0% 63144 ± 79% cpuidle.POLL.usage
61300 ± 4% +82.8% 112033 ± 11% numa-vmstat.node1.nr_active_anon
47060 ± 3%+106.8% 97323 ± 12% numa-vmstat.node1.nr_anon_pages
42.67 ± 2%+217.0% 135.25 ± 14%
numa-vmstat.node1.nr_anon_transparent_hugepages
61301 ± 4% +82.8% 112032 ± 11%
numa-vmstat.node1.nr_zone_active_anon
3816 ± 2% +3.0% 3931proc-vmstat.nr_page_table_pages
35216541+2.9% 36244047proc-vmstat.pgalloc_normal
1.308e+09 -82.0% 2.356e+08proc-vmstat.pgfault
35173363+2.8% 36173843proc-vmstat.pgfree
248171 ± 5% +82.5% 452893 ± 11% numa-meminfo.node1.Active
244812 ± 4% +83.5% 449116 ± 11% numa-meminfo.node1.Active(anon)
88290 ± 3%+214.4% 277591 ± 15% numa-meminfo.node1.AnonHugePages
187940 ± 3%+107.8% 390486 ± 12% numa-meminfo.node1.AnonPages
1366813 ± 3% +12.0%1530428 ± 6% numa-meminfo.node1.MemUsed
571.00 ± 8% +10.4% 630.50 ± 8% slabinfo.UDP.active_objs
571.00 ± 8% +10.4% 630.50 ± 8% slabinfo.UDP.num_objs
300.00 ± 5% +20.0% 360.00 ± 10% slabinfo.kmem_cache.active_objs
300.00 ± 5% +20.0% 360.00 ± 10% slabinfo.kmem_cache.num_objs
606.33 ± 4% +17.6% 713.00 ± 8%
slabinfo.kmem_cache_node.active_objs
661.33 ± 4% +16.1% 768.00 ± 8% slabinfo.kmem_cache_node.num_objs
114561 ± 23% -34.3% 75239 ± 7% sched_debug.cfs_rq:/.load.max
14869 ± 22% -36.6% 9424 ± 8% sched_debug.cfs_rq:/.load.stddev
4040842 ± 5% +18.0%4767515 ± 13% sched_debug.cpu.avg_idle.max
2019061 ± 8% +25.5%2534134 ± 14%
sched_debug.cpu.max_idle_balance_cost.max
378044 ± 3% +22.5% 463135 ± 8%
sched_debug.cpu.max_idle_balance_cost.stddev
41605 +12.6% 46852 ± 2%
