| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241216122204.GB374@redhat.com> Date: Mon, 16 Dec 2024 13:22:05 +0100 From: Oleg Nesterov <oleg@...hat.com> To: David Laight <David.Laight@...LAB.COM> Cc: "linux-mm@...ck.org" <linux-mm@...ck.org>, 'Jiri Olsa' <olsajiri@...il.com>, Peter Zijlstra <peterz@...radead.org>, Andrii Nakryiko <andrii@...nel.org>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, Hao Luo <haoluo@...gle.com>, Steven Rostedt <rostedt@...dmis.org>, Masami Hiramatsu <mhiramat@...nel.org>, Alan Maguire <alan.maguire@...cle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-trace-kernel@...r.kernel.org" <linux-trace-kernel@...r.kernel.org> Subject: Re: [PATCH bpf-next 08/13] uprobes/x86: Add support to optimize uprobes OK, thanks, I am starting to share your concerns... Oleg. On 12/16, David Laight wrote: > > From: Oleg Nesterov > > Sent: 16 December 2024 10:13 > > > > David, > > > > let me say first that my understanding of this magic is very limited, > > please correct me. > > I only (half) understand what the 'magic' has to accomplish and > some of the pitfalls. > > I've copied linux-mm - someone there might know more. > > > On 12/16, David Laight wrote: > > > > > > It all depends on how hard __replace_page() tries to be atomic. > > > The page has to change from one backed by the executable to a private > > > one backed by swap - otherwise you can't write to it. > > > > This is what uprobe_write_opcode() does, > > And will be enough for single byte changes - they'll be picked up > at some point after the change. > > > > But the problems arise when the instruction prefetch unit has read > > > part of the 5-byte instruction (it might even only read half a cache > > > line at a time). > > > I'm not sure how long the pipeline can sit in that state - but I > > > can do a memory read of a PCIe address that takes ~3000 clocks. > > > (And a misaligned AVX-512 read is probably eight 8-byte transfers.) > > > > > > So I think you need to force an interrupt while the PTE is invalid. > > > And that need to be simultaneous on all cpu running that process. > > > > __replace_page() does ptep_get_and_clear(old_pte) + flush_tlb_page(). > > > > That's not enough? > > I doubt it. As I understand it. > The hardware page tables will be shared by all the threads of a process. > So unless you hard synchronise all the cpu (and flush the TLB) while the > PTE is being changed there is always the possibility of a cpu picking up > the new PTE before the IPI that (I presume) flush_tlb_page() generates > is processed. > If that happens when the instruction you are patching is part-read into > the instruction decode buffer then you'll execute a mismatch of the two > instructions. > > I can't remember the outcome of discussions about live-patching kernel > code - and I'm sure that was aligned 32bit writes. > > > > > > Stopping the process using ptrace would do it. > > > > Not an option :/ > > Thought you'd say that. > > David > > > > > Oleg. > > - > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK > Registration No: 1397386 (Wales) >
Powered by blists - more mailing lists