Re: [PATCH v2 16/16] perf annotate-arm64: Support 'mrs' instruction to track 'current' pointer

From: Tengda Wu

Date: Fri Apr 10 2026 - 06:44:57 EST


On 2026/4/10 14:52, Namhyung Kim wrote:
> On Fri, Apr 03, 2026 at 09:48:00AM +0000, Tengda Wu wrote:
>> Extend update_insn_state() for arm64 to handle the 'mrs' instruction,
>> enabling the tracking of the 'current' task pointer in the kernel.
>>
>> On arm64, the kernel uses the 'sp_el0' system register to store the
>> address of the currently executing 'struct task_struct'. This is
>> typically accessed via the 'get_current()' inline function, resulting
>> in the instruction 'mrs xN, sp_el0'.
>>
>> To resolve the data type of the target register, first verify the
>> access is to 'sp_el0' within a kernel DSO. Then, locate the
>> 'get_current()' inline function's DWARF Die at the current PC and
>> extract its return type (which is 'struct task_struct *').
>>
>> Introduce a global 'task_struct_off' cache to store the DWARF offset
>> of this type. This is particularly important because the compiler-generated
>> stack canary check code (which loads from 'current') often exists in
>> code sections or leaf functions where the local Compilation Unit (CU)
>> lacks a full 'struct task_struct' definition. Caching the offset allows
>> 'perf annotate' to consistently resolve task-related fields across the
>> entire kernel binary.
>>
>> A real-world example is shown below:
>>
>> ffff8000800deee8 <kthread_blkcg>:
>> ffff8000800deef0: mrs x0, sp_el0 // x0 = current
>> ffff8000800deef4: ldr w1, [x0, #44] // Access task_struct member
>>
>> Before this commit, the type flow starts with no information:
>>
>> chk [c] reg0 offset=0x2c ok=0 kind=0 cfa : no type information
>> final result: no type information
>>
>> After this commit, the tracker identifies the 'current' pointer
>> from the system register:
>>
>> mrs [8] sp_el0 -> reg0 type='struct task_struct*'
>> chk [c] reg0 offset=0x2c ok=1 kind=1 (struct task_struct*) : Good!
>> found by insn track: 0x2c(reg0) type-offset=0x2c
>> final result: type='struct task_struct'
>>
>> Signed-off-by: Li Huafei <lihuafei1@xxxxxxxxxx>
>> Signed-off-by: Tengda Wu <wutengda@xxxxxxxxxxxxxxx>
>> ---
>> .../perf/util/annotate-arch/annotate-arm64.c | 53 +++++++++++++++++++
>> 1 file changed, 53 insertions(+)
>>
>> diff --git a/tools/perf/util/annotate-arch/annotate-arm64.c b/tools/perf/util/annotate-arch/annotate-arm64.c
>> index 89b6b596f984..b03b12594260 100644
>> --- a/tools/perf/util/annotate-arch/annotate-arm64.c
>> +++ b/tools/perf/util/annotate-arch/annotate-arm64.c
>> @@ -14,6 +14,7 @@
>> #include "../debug.h"
>> #include "../map.h"
>> #include "../symbol.h"
>> +#include "../dso.h"
>>
>> struct arch_arm64 {
>> struct arch arch;
>> @@ -289,6 +290,8 @@ static void adjust_reg_index_state(struct type_state *state, int reg,
>> pr_debug_type_name(&tsr->type, tsr->kind);
>> }
>>
>> +static Dwarf_Off task_struct_off;
>> +
>> static void update_insn_state_arm64(struct type_state *state,
>> struct data_loc_info *dloc, Dwarf_Die *cu_die,
>> struct disasm_line *dl)
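Review bot: the file-scope `static Dwarf_Off task_struct_off;` caches an offset that is only meaningful inside the `Dwarf *` it was read from, but nothing records which handle that was. The only validity check later in the patch is that `dwarf_offdie(dloc->di->dbg, task_struct_off, &type_die)` succeeds, and `dso__kernel()` does not distinguish vmlinux from module DSOs, so once the cache is filled from one DWARF file a module's debuginfo (or a later session over a different vmlinux) can hand back an unrelated DIE that happens to sit at the same offset and it would be used silently. Suggest storing the handle next to the offset (e.g. `static Dwarf *task_struct_dbg;`) and treating the cache as empty whenever `dloc->di->dbg != task_struct_dbg`, or attaching the cache to the dso/debuginfo object instead of a global.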
>> @@ -309,6 +312,56 @@ static void update_insn_state_arm64(struct type_state *state,
>> sreg = src->reg1;
>> dreg = dst->reg1;
>>
>> + if (!strcmp(dl->ins.name, "mrs")) {
>> + Dwarf_Die func_die;
>> + Dwarf_Attribute attr;
>> + u64 ip, pc;
>> +
>> + if (!has_reg_type(state, sreg))
>> + return;
>> +
>> + /* Handle case difference: LLVM (SP_EL0) vs objdump (sp_el0) */
>> + if (!dso__kernel(map__dso(dloc->ms->map)) ||
>> + strcasecmp(dl->ops.target.raw, "sp_el0"))
>> + return;
>> +
>> + ip = dloc->ms->sym->start + dl->al.offset;
>> + pc = map__rip_2objdump(dloc->ms->map, ip);
>> +
>> + if (!task_struct_off ||
>> + !dwarf_offdie(dloc->di->dbg, task_struct_off, &type_die)) {
>> + /*
>> + * Find the inline function 'get_current()' Dwarf_Die
>> + * and obtain its return value data type, which should
>> + * be 'struct task_struct *'.
>> + */
>> + if (!die_find_inlinefunc(cu_die, pc, &func_die) ||
>> + !dwarf_attr_integrate(&func_die, DW_AT_type, &attr) ||
>> + !dwarf_formref_die(&attr, &type_die))
>> + return;
>
> I think it's better to verify if it's really the function and type we
> want.
>
> Thanks,
> Namhyung
>

Agreed.

-- Tengda

>> +
>> + /*
>> + * Cache the 'struct task_struct *' die offset globally.
>> + * This allows us to resolve stack canary accesses even
>> + * in CUs that lack a full task_struct definition (e.g.,
>> + * compiler-generated entry/exit code).
>> + */
>> + task_struct_off = dwarf_dieoffset(&type_die);
>> + }
>> +
>> + tsr = &state->regs[sreg];
>> + tsr->copied_from = -1;
>> + tsr->type = type_die;
>> + tsr->kind = TSR_KIND_TYPE;
>> + tsr->offset = 0;
>> + tsr->addr = 0;
>> + tsr->ok = true;
>> +
>> + pr_debug_dtp("mrs [%x] sp_el0 -> reg%d", insn_offset, sreg);
>> + pr_debug_type_name(&type_die, tsr->kind);
>> + return;
>> + }
>> +
>> if (!strcmp(dl->ins.name, "adrp")) {
>> if (!has_reg_type(state, sreg) || !dl->ops.target.addr)
>> return;
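Review bot: seconding Namhyung, the DIE chosen by `die_find_inlinefunc(cu_die, pc, &func_die)` is whatever inlined function happens to cover `pc`, not specifically `get_current()`, and the DIE returned by `dwarf_formref_die(&attr, &type_die)` is stored into `tsr->type` and cached as `task_struct_off` without any check of what it is; the cached path (`task_struct_off` non-zero and `dwarf_offdie()` succeeding) skips even the inline lookup. Suggest verifying in both paths that `type_die` is a `DW_TAG_pointer_type` whose pointee is a `DW_TAG_structure_type` named `task_struct` (and, on the lookup path, that `dwarf_diename(&func_die)` is `get_current`) before setting `tsr->ok = true` or writing `task_struct_off`, returning otherwise so the register keeps "no type information" instead of a wrong type that the later `chk` steps will report as Good. Minor: the block comment says the cache helps in "compiler-generated entry/exit code" while the commit message describes stack canary checks in leaf functions; worth aligning the two.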
>> --
>> 2.34.1
>>