On Mon, Sep 23, 2024 at 09:57:14AM +0800, Liao, Chang wrote: > 在 2024/9/20 23:32, Catalin Marinas 写道: > > On Fri, Sep 20, 2024 at 04:58:31PM +0800, Liao, Chang wrote: > >> 在 2024/9/19 22:18, Oleg Nesterov 写道: > >>> On 09/19, Liao Chang wrote: > >>>> --- a/arch/arm64/kernel/probes/uprobes.c > >>>> +++ b/arch/arm64/kernel/probes/uprobes.c > >>>> @@ -17,12 +17,16 @@ void arch_uprobe_copy_ixol(struct page *page, > >>>> unsigned long vaddr, > >>>> void *xol_page_kaddr = kmap_atomic(page); > >>>> void *dst = xol_page_kaddr + (vaddr & ~PAGE_MASK); > >>>> > >>>> + if (!memcmp(dst, src, len)) > >>>> + goto done; > >>> > >>> can't really comment, I know nothing about arm64... > >>> > >>> but don't we need to change __create_xol_area() > >>> > >>> - area->page = alloc_page(GFP_HIGHUSER); > >>> + area->page = alloc_page(GFP_HIGHUSER | __GFP_ZERO); > >>> > >>> to avoid the false positives? > >> > >> Indeed, it would be safer. > >> > >> Could we tolerate these false positives? Even if the page are not reset > >> to zero bits, if the existing bits are the same as the instruction being > >> copied, it still can execute the correct instruction. > > > > Not if the I-cache has stale data. If alloc_page() returns a page with > > some random data that resembles a valid instruction but there was never > > a cache flush (sync_icache_aliases() on arm64), it's irrelevant whether > > the compare (on the D-cache side) succeeds or not. > > Absolutly right, I overlooked the comparsion is still performed in the > D-cache. > However, the most important thing is ensuring the I-cache sees the accurate > bits, > which is why a cache flush in necessary for each xol slot. > > > > > I think using __GFP_ZERO should do the trick. All 0s is a permanently > > undefined instruction, not something we'd use with xol. > > Unfortunately, the comparison assumes the D-cache and I-cache are already > in sync for the slot being copied. But this assumption is flawed if we start > with a page with some random bits and D-cache has not been sychronized with > I-cache. So, besides __GFP_ZERO, should we have a additional cache flush > after page allocation?
No, I think Oleg's right. The initial cache maintenance will happen when the executable pte is installed. However, we should use __GFP_ZERO anyway because I don't think it's a good idea to map an uninitialised page into userspace. Will
