Re: [PATCH 2/8] bpf: Recover arena kernel faults with scratch page

Next message: David Hildenbrand (Arm): "Re: [PATCH 0/3] vmsplice: make vmsplice a trivial wrapper for preadv2/pwritev2"
Previous message: Ilpo J&#xE4;rvinen: "Re: [PATCH 1/1] counter: intel-qep: Use devm_mutex_init()"
In reply to: Tejun Heo: "Re: [PATCH 2/8] bpf: Recover arena kernel faults with scratch page"
Next in thread: Alexei Starovoitov: "Re: [PATCH 2/8] bpf: Recover arena kernel faults with scratch page"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hildenbrand (Arm)

Date: Sun May 31 2026 - 14:59:14 EST

On 5/31/26 19:47, Tejun Heo wrote:
> Hello,
>
> I posted the check removal [1], and Sashiko's review flagged a
> break-before-make problem with it [2] that I think is real.

Yeah, and as I raised previously, this is very questionable locking design :)

Either everybody works with atomics or nobody.

>
> The scratch page is a present PAGE_KERNEL mapping, so having
> apply_range_set_cb() overwrite it via set_pte_at() during
> bpf_arena_alloc_pages() is a valid->valid PFN change. I'm not familiar with
> arm at all. David, my understanding is that's a break-before-make violation
> on arm64, and that on any arch the stale TLB entry keeps resolving to the
> shared scratch page until it's flushed, so a later access can hit scratch
> instead of the new page. Is that what you were worried about?
>
> So instead of just dropping the check, the install should route through an
> invalid entry rather than overwrite in place:
>
> while (!ptep_try_set(pte, mk_pte(page, PAGE_KERNEL))) {
> old = ptep_get(pte);
> if (pte_none(old))
> continue;
> if (WARN_ON_ONCE(pte_page(old) != arena->scratch_page))
> return -EBUSY;
> ptep_get_and_clear(&init_mm, addr, pte);
> broke_scratch = true;
> }

We have to handle architectures where ptep_try_set() is not implemented (as I
tried with my variant).

--
Cheers,

David