cacheflush completely broken, suspecting PAN+LPAE
Michał Pecio
michal.pecio at gmail.com
Tue Nov 12 02:16:29 PST 2024
Regarding test programs, I also wrote and tried this one yesterday.
It's based on a similar demo released by ARM, but much simplified.
It both triggers the bug and confirms the necessity of cacheflush in
JIT compilers on my CPU when it works normally (prints: 1, 1, 2).
On the buggy kernel, it usually segfaults on the first attempt to call
*code, but sometimes both __clear_cache() calls appear to take effect despite
the syscall returning EFAULT (according to strace), not sure why.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

int f1() {
    return 1;
}

int f2() {
    return 2;
}

int main() {
    puts("start");
    /* One RWX page to hold the copied function bodies. */
    char *code = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    int x;

    /* Copy f1, flush the icache, call: expected 1. */
    memcpy(code, f1, 0x100);
    __builtin___clear_cache(code, code + 0x100);
    x = ((int(*)())code)();
    printf("%x\n", x);

    /* Copy f2 but do NOT flush: a stale icache still returns 1. */
    memcpy(code, f2, 0x100);
    x = ((int(*)())code)();
    printf("%x\n", x);

    /* Now flush and call again: expected 2. */
    __builtin___clear_cache(code, code + 0x100);
    x = ((int(*)())code)();
    printf("%x\n", x);
    return 0;
}