> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgeco...@intel.com> wrote:
>
> Sometimes when memory is freed via the module subsystem, an executable
> permissioned TLB entry can remain to a freed page. If the page is re-used to
> back an address that will receive data from userspace, it can result in user
> data being mapped as executable in the kernel. The root of this behavior is
> vfree lazily flushing the TLB, but not lazily freeing the underlying pages.
>
> There are sort of three categories of this which show up across modules, bpf,
> kprobes and ftrace:
>
> 1. When executable memory is touched and then immediately freed
>
> This shows up in a couple error conditions in the module loader and BPF JIT
> compiler.
Interesting! Note that this may cause conflict with "x86: avoid W^X being broken during modules loading", which I recently submitted.