On Tue, May 26, 2026 at 10:58:27PM +0200, Jiri Olsa wrote:
> hi,
> Andrii reported an issue with optimized uprobes [1] that can clobber
> redzone area with call instruction storing return address on stack
> where user code may keep temporary data without adjusting rsp.
>
> Fixing this by moving the optimized uprobes on top of 10-byte nop
> instruction, so we can squeeze another instruction to escape the
> redzone area before doing the call.
>
> Note we need upstream update first for patch 3 (github.com/libbpf/usdt),
> if we decide to take this change.
>
> thanks,
> jirka
>
>
> v1: https://lore.kernel.org/bpf/[email protected]/
> v2: https://lore.kernel.org/bpf/[email protected]/
> v3: https://lore.kernel.org/bpf/[email protected]/
>
> v4 changes:
> - do not use 2nd int3 (on +5 offset) because the call instruction
>   is always the same for the given nop10 address [Andrii/Peter]
> - unmap unused trampoline vma after unsuccessful optimization [sashiko]
> - small change to patch#2 moved user_64bit_mode earlier in the path
>   and pass/use mm_struct pointer directly from arch_uprobe_optimize
>   instead of getting current->mm
> Andrii, keeping your ack, please shout otherwise

hi,
I think bots did not find anything substantial, I have just small
selftests changes queued for v5

any other feedback/review would be great

thanks,
jirka

>
> v3 changes:
> - use nop10 update suggested by Peter in [2]
> - remove struct uprobe_trampoline object, use vma objects directly instead
> - selftests fixes [sashiko]
> - ack from Andrii
>
> v2 changes:
> - several selftest fixes [sashiko]
> - consolidate is_lea_insn and is_call_insn into single check [Jakub Sitnicki]
> - use proper mm_struct object in __in_uprobe_trampoline check [sashiko]
> - allow to copy uprobe trampolines vma objects on fork [sashiko]
> - change uprobe syscall detection error from -ENXIO to -EPROTO [Andrii]
> - added fork/clone tests
> - I kept the selftest changes and nop5->nop10 changes in separate
>   commits for easier review, we can squash them later if we want to keep
>   bisect working properly
>
>
> [1] https://lore.kernel.org/bpf/[email protected]/
> [2] https://lore.kernel.org/bpf/[email protected]/#t
> ---
> Andrii Nakryiko (1):
>       selftests/bpf: Add tests for uprobe nop10 red zone clobbering
>
> Jiri Olsa (12):
>       uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
>       uprobes/x86: Remove struct uprobe_trampoline object
>       uprobes/x86: Allow to copy uprobe trampolines on fork
>       uprobes/x86: Unmap trampoline vma object in case it's unused
>       uprobes/x86: Move optimized uprobe from nop5 to nop10
>       libbpf: Change has_nop_combo to work on top of nop10
>       libbpf: Detect uprobe syscall with new error
>       selftests/bpf: Emit nop,nop10 instructions combo for x86_64 arch
>       selftests/bpf: Change uprobe syscall tests to use nop10
>       selftests/bpf: Change uprobe/usdt trigger bench code to use nop10
>       selftests/bpf: Add reattach tests for uprobe syscall
>       selftests/bpf: Add tests for forked/cloned optimized uprobes
>
>  arch/x86/kernel/uprobes.c                               | 379 +++++++++++++++++++++++++++++++++++++++++++----------------------------
>  include/linux/uprobes.h                                 |   5 -
>  kernel/events/uprobes.c                                 |  10 --
>  kernel/fork.c                                           |   1 -
>  tools/lib/bpf/features.c                                |   4 +-
>  tools/lib/bpf/usdt.c                                    |  16 +--
>  tools/testing/selftests/bpf/bench.c                     |  20 ++--
>  tools/testing/selftests/bpf/benchs/bench_trigger.c      |  38 ++++----
>  tools/testing/selftests/bpf/benchs/run_bench_uprobes.sh |   2 +-
>  tools/testing/selftests/bpf/prog_tests/uprobe_syscall.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
>  tools/testing/selftests/bpf/prog_tests/usdt.c           |  74 ++++++++++++--
>  tools/testing/selftests/bpf/progs/test_usdt.c           |  25 +++++
>  tools/testing/selftests/bpf/usdt.h                      |   2 +-
>  tools/testing/selftests/bpf/usdt_2.c                    |  15 ++-
>  14 files changed, 653 insertions(+), 245 deletions(-)
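The cover letter's point is that a bare `call` planted into a 5-byte nop pushes its return address into the 128-byte red zone below `rsp`, which x86-64 leaf code may be using without adjusting `rsp`, whereas a 10-byte window leaves room for one extra instruction that moves `rsp` below the red zone before the call. The decoder below is an added illustration of that layout and is not code from this series or from the kernel: it classifies a 10-byte probe window as the untouched nop10, an optimized `lea`+`call` pair whose `rsp` adjustment clears the red zone, or a bare `call` whose pushed return address would land inside it. The concrete encodings it matches (the binutils 10-byte nop, `lea -0x80(%rsp),%rsp`, `call rel32`) and the sample windows are assumptions constructed for the example; the kernel's actual trampoline sequence is in the patches, not here.

```c
/*
 * Added example, not part of the patch series or the kernel.  Classifies a
 * 10-byte probe window and checks whether a call placed there would push its
 * return address into the caller's red zone.  Encodings below are assumed
 * for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RED_ZONE_BYTES 128   /* x86-64 SysV ABI: 128 bytes below rsp belong to the leaf function */
#define SITE_BYTES     10

enum site_kind { SITE_UNKNOWN, SITE_NOP10, SITE_OPTIMIZED, SITE_UNSAFE_CALL };

struct site_info {
    enum site_kind kind;
    int32_t  rsp_adjust;   /* displacement applied to rsp before the call, 0 if none */
    uint64_t call_target;  /* absolute call target, 0 if there is no call */
};

/* Assumed nop10 encoding: nopw %cs:0x0(%rax,%rax,1) as binutils emits it. */
static const uint8_t nop10_bytes[SITE_BYTES] = { 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0, 0, 0, 0, 0 };

/* 48 8d 64 24 disp8  ==  lea disp8(%rsp),%rsp  (5 bytes) */
static int is_lea_rsp_disp8(const uint8_t *p, int32_t *disp)
{
    if (p[0] != 0x48 || p[1] != 0x8d || p[2] != 0x64 || p[3] != 0x24)
        return 0;
    *disp = (int8_t)p[4];
    return 1;
}

/* e8 rel32  ==  call rel32 (5 bytes); target = address after the call + rel32 */
static int is_call_rel32(const uint8_t *p, uint64_t next_ip, uint64_t *target)
{
    int32_t rel;
    if (p[0] != 0xe8)
        return 0;
    memcpy(&rel, p + 1, sizeof(rel));   /* rel32 is little-endian, same as the host here */
    *target = next_ip + (uint64_t)(int64_t)rel;
    return 1;
}

enum site_kind classify_site(const uint8_t *code, uint64_t site_addr, struct site_info *out)
{
    struct site_info info = { SITE_UNKNOWN, 0, 0 };

    if (memcmp(code, nop10_bytes, SITE_BYTES) == 0) {
        info.kind = SITE_NOP10;
    } else if (is_lea_rsp_disp8(code, &info.rsp_adjust) &&
               is_call_rel32(code + 5, site_addr + SITE_BYTES, &info.call_target)) {
        /* The call writes 8 bytes at (new rsp - 8).  That slot only stays out of
         * the original red zone if rsp moved down by at least RED_ZONE_BYTES. */
        info.kind = (-info.rsp_adjust >= RED_ZONE_BYTES) ? SITE_OPTIMIZED : SITE_UNSAFE_CALL;
    } else if (is_call_rel32(code, site_addr + 5, &info.call_target)) {
        /* nop5-style replacement: return address lands inside the red zone. */
        info.kind = SITE_UNSAFE_CALL;
    }
    if (out)
        *out = info;
    return info.kind;
}

/* Small accessors so callers can inspect one field without a struct. */
int32_t site_rsp_adjust(const uint8_t *code, uint64_t site_addr)
{
    struct site_info si;
    classify_site(code, site_addr, &si);
    return si.rsp_adjust;
}

uint64_t site_call_target(const uint8_t *code, uint64_t site_addr)
{
    struct site_info si;
    classify_site(code, site_addr, &si);
    return si.call_target;
}

/* Constructed sample windows at a made-up probe address. */
#define SAMPLE_SITE 0x401000ULL
const uint8_t sample_nop10[SITE_BYTES]     = { 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0, 0, 0, 0, 0 };
const uint8_t sample_optimized[SITE_BYTES] = { 0x48, 0x8d, 0x64, 0x24, 0x80,   /* lea -0x80(%rsp),%rsp */
                                               0xe8, 0xf6, 0x0f, 0x00, 0x00 }; /* call -> 0x402000 */
const uint8_t sample_unsafe[SITE_BYTES]    = { 0xe8, 0xfb, 0x0f, 0x00, 0x00,   /* call -> 0x402000 */
                                               0x90, 0x90, 0x90, 0x90, 0x90 }; /* leftover bytes */

int main(void)
{
    static const char *names[] = { "unknown", "nop10", "optimized (rsp below red zone)", "unsafe call" };
    const uint8_t *samples[] = { sample_nop10, sample_optimized, sample_unsafe };
    for (size_t i = 0; i < 3; i++) {
        struct site_info si;
        classify_site(samples[i], SAMPLE_SITE, &si);
        printf("window %zu: %s, rsp_adjust=%d, target=0x%llx\n",
               i, names[si.kind], si.rsp_adjust, (unsigned long long)si.call_target);
    }
    return 0;
}
```

The check encodes the whole argument of the series in one comparison: with a `disp8` the only displacement that clears the red zone is exactly -128, which is why the extra instruction fits in 5 bytes and the pair fits in nop10, while a bare 5-byte `call` has nowhere to put the return address except inside the zone.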
