> Note as explained in [2] we need to use the following nop10:
>
>   PF1 PF2 ESC NOPL MOD SIB DISP32
>   NOP10: 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00 -- cs nopw 0x00000000(%rax,%rax,1)
>
> which means we need to allow the 0x2e prefix, which maps to the INAT_PFX_CS
> attribute in the is_prefix_bad function.
This isn't a bug, but could the changelog be updated to describe the
approach actually taken? The patch bypasses uprobe_init_insn() (and
therefore is_prefix_bad()) entirely when can_optimize() is true for the
nop10. The is_prefix_bad() function itself remains unchanged and still
returns true for the CS prefix.

> Unoptimize path (int3_update_unoptimize):
>
> 1) Initial optimized state:
>    48 8d 64 24 80 e8 d0 d1 d2 d3
>    Same as 3) above.
>
> 2) Trap new entries before restoring the NOP bytes:
>    [cc] 8d 64 24 80 e8 d0 d1 d2 d3
>
>    From offset 0 this traps. A thread that had already executed the
>    LEA can still reach the intact CALL at offset 5.
>
> 3) Restore bytes 1..4 of the original NOP while keeping byte 0 trapped
>    and byte 5 as CALL.
>    cc [2e 0f 1f 84] e8 d0 d1 d2 d3
>
>    From offset 0 this still traps. Offset 5 is still the CALL for any
>    thread that was already past the first LEA byte.
>
> 4) Publish the first byte of the original NOP:
>    [66] 2e 0f 1f 84 e8 d0 d1 d2 d3
>
>    From offset 0 this is the restored 10-byte NOP; the CALL opcode and
>    displacement are now only NOP operands. Offset 5 still decodes as
>    CALL for a thread that was already there.
>
> Tthere is only a single target uprobe-trampoline for the given nop10
> instruction address, so the CALL instruction will not be changed across
> unoptimization/optimization cycles.

This isn't a bug, but there's a typo: "Tthere is only a single target"
should be "There is only a single target".

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28514315910
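As an added illustration, not part of the patch, the quoted changelog or the review message above: a small C model of the four unoptimize states. It uses a toy length decoder that recognizes only the four encodings the changelog relies on (int3, the REX.W lea with SIB and disp8, call rel32, and the cs nopw form with modrm 0x84, SIB and disp32; everything else is reported as bad), and checks two properties at every step: a thread entering at offset 0 either traps, runs the whole restored NOP, or runs lea followed by call, and a thread that already executed the lea still finds an intact call at offset 5. The byte strings are constructed from the changelog; the final "zero displacement" NOP is constructed here to show why the CALL bytes are kept as NOP operands rather than restored to 0x00: with zeros at offset 5 a thread resuming there would no longer find a call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the patch. Models the unoptimize byte states
 * quoted in the changelog and checks the properties each step relies on.
 * The decoder is a toy that knows only the four encodings the changelog
 * uses; any other byte pattern is reported as K_BAD. */

enum insn_kind { K_BAD = 0, K_INT3, K_LEA, K_CALL, K_NOP10 };

#define SLOT_LEN 10   /* the 10-byte nop10 / lea+call slot */

/* Returns the instruction length at p (0 when unrecognized) and its kind. */
static size_t decode_at(const uint8_t *p, size_t avail, enum insn_kind *kind)
{
    if (avail >= 1 && p[0] == 0xcc) {                       /* int3 */
        *kind = K_INT3;
        return 1;
    }
    if (avail >= 5 && p[0] == 0x48 && p[1] == 0x8d &&
        p[2] == 0x64 && p[3] == 0x24) {                      /* lea disp8(%rsp),%rsp */
        *kind = K_LEA;
        return 5;
    }
    if (avail >= 5 && p[0] == 0xe8) {                        /* call rel32 */
        *kind = K_CALL;
        return 5;
    }
    if (avail >= 10 && p[0] == 0x66 && p[1] == 0x2e &&
        p[2] == 0x0f && p[3] == 0x1f && p[4] == 0x84) {      /* cs nopw disp32(...) */
        *kind = K_NOP10;                                     /* modrm 0x84: SIB + disp32 */
        return 10;
    }
    *kind = K_BAD;
    return 0;
}

/* A thread entering at offset 0 must either trap (int3), execute the whole
 * restored NOP, or execute the optimized lea followed by the call. */
static int entry_ok(const uint8_t *s)
{
    enum insn_kind k, k2;
    size_t len = decode_at(s, SLOT_LEN, &k);

    if (k == K_INT3 || k == K_NOP10)
        return 1;
    if (k == K_LEA) {
        decode_at(s + len, SLOT_LEN - len, &k2);
        return k2 == K_CALL;
    }
    return 0;
}

/* A thread that already executed the lea resumes at offset 5 and must still
 * find an intact call there, whatever byte 0 currently holds. */
static int resume_ok(const uint8_t *s)
{
    enum insn_kind k;

    decode_at(s + 5, SLOT_LEN - 5, &k);
    return k == K_CALL;
}

int state_is_safe(const uint8_t *s)
{
    return entry_ok(s) && resume_ok(s);
}

/* The four states from the changelog, in the order they are written.
 * d0..d3 stand for the call displacement; its value does not matter here. */
static const uint8_t unopt_state[4][SLOT_LEN] = {
    { 0x48, 0x8d, 0x64, 0x24, 0x80, 0xe8, 0xd0, 0xd1, 0xd2, 0xd3 }, /* 1) lea; call */
    { 0xcc, 0x8d, 0x64, 0x24, 0x80, 0xe8, 0xd0, 0xd1, 0xd2, 0xd3 }, /* 2) byte 0 trapped */
    { 0xcc, 0x2e, 0x0f, 0x1f, 0x84, 0xe8, 0xd0, 0xd1, 0xd2, 0xd3 }, /* 3) bytes 1..4 restored */
    { 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0xe8, 0xd0, 0xd1, 0xd2, 0xd3 }, /* 4) nop10 published */
};

/* Constructed counterexample: the original nop10 with its zero displacement
 * restored. Entry at offset 0 is fine, but offset 5 no longer holds a call. */
static const uint8_t nop10_zero_disp[SLOT_LEN] =
    { 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns 1 when every step of the unoptimize sequence keeps both properties. */
int unoptimize_sequence_safe(void)
{
    for (int i = 0; i < 4; i++)
        if (!state_is_safe(unopt_state[i]))
            return 0;
    return 1;
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("state %d: entry %s, resume at 5 %s\n", i + 1,
               entry_ok(unopt_state[i]) ? "ok" : "BAD",
               resume_ok(unopt_state[i]) ? "ok" : "BAD");
    printf("nop10 with zero disp: entry %s, resume at 5 %s\n",
           entry_ok(nop10_zero_disp) ? "ok" : "BAD",
           resume_ok(nop10_zero_disp) ? "ok" : "BAD");
    return 0;
}
```

The check is deliberately narrow: it does not model a thread interrupted inside the lea after the first byte was already replaced, because in that state the thread is either already past byte 0 (covered by the offset 5 check) or has not fetched it yet (covered by the offset 0 check). Replacing the toy decoder with the kernel's insn decoder would make the same checks hold for arbitrary byte patterns.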
