Re: [PATCH v14 6/9] powerpc/bpf: Write protect JIT code
On Mon, May 17, 2021 at 4:40 PM Christophe Leroy wrote:
>
> On 17/05/2021 at 05:28, Jordan Niethe wrote:
> > Add the necessary call to bpf_jit_binary_lock_ro() to remove write and
> > add exec permissions to the JIT image after it has finished being
> > written.
> >
> > Without CONFIG_STRICT_MODULE_RWX the image will be writable and
> > executable until the call to bpf_jit_binary_lock_ro().
>
> And _with_ CONFIG_STRICT_MODULE_RWX what will happen ? It will be _writable_
> but not _executable_ ?

That's right. With CONFIG_STRICT_MODULE_RWX the image will initially be PAGE_KERNEL from bpf_jit_alloc_exec() calling module_alloc(). So not executable. bpf_jit_binary_lock_ro() will then remove write and add executable.

Without CONFIG_STRICT_MODULE_RWX the image will initially be PAGE_KERNEL_EXEC from module_alloc(). bpf_jit_binary_lock_ro() will remove write, but until that point it will have been write + exec.

> > Reviewed-by: Christophe Leroy
> > Signed-off-by: Jordan Niethe
> > ---
> > v10: New to series
> > v11: Remove CONFIG_STRICT_MODULE_RWX conditional
> > ---
> > arch/powerpc/net/bpf_jit_comp.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/arch/powerpc/net/bpf_jit_comp.c > > b/arch/powerpc/net/bpf_jit_comp.c > > index 6c8c268e4fe8..53aefee3fe70 100644 > > --- a/arch/powerpc/net/bpf_jit_comp.c > > +++ b/arch/powerpc/net/bpf_jit_comp.c > > @@ -237,6 +237,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog > > *fp) > > fp->jited_len = alloclen; > > > > bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * > > PAGE_SIZE)); > > + bpf_jit_binary_lock_ro(bpf_hdr); > > if (!fp->is_func || extra_pass) { > > bpf_prog_fill_jited_linfo(fp, addrs); > > out_addrs: > >
Re: [PATCH v14 6/9] powerpc/bpf: Write protect JIT code
On 17/05/2021 at 05:28, Jordan Niethe wrote:

Add the necessary call to bpf_jit_binary_lock_ro() to remove write and add exec permissions to the JIT image after it has finished being written.

Without CONFIG_STRICT_MODULE_RWX the image will be writable and executable until the call to bpf_jit_binary_lock_ro().

And _with_ CONFIG_STRICT_MODULE_RWX what will happen ? It will be _writable_ but not _executable_ ?

Reviewed-by: Christophe Leroy
Signed-off-by: Jordan Niethe
---
v10: New to series
v11: Remove CONFIG_STRICT_MODULE_RWX conditional
---
arch/powerpc/net/bpf_jit_comp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c index 6c8c268e4fe8..53aefee3fe70 100644 --- a/arch/powerpc/net/bpf_jit_comp.c +++ b/arch/powerpc/net/bpf_jit_comp.c @@ -237,6 +237,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp) fp->jited_len = alloclen; bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * PAGE_SIZE)); + bpf_jit_binary_lock_ro(bpf_hdr); if (!fp->is_func || extra_pass) { bpf_prog_fill_jited_linfo(fp, addrs); out_addrs:
[PATCH v14 6/9] powerpc/bpf: Write protect JIT code
Add the necessary call to bpf_jit_binary_lock_ro() to remove write and add exec permissions to the JIT image after it has finished being written.

Without CONFIG_STRICT_MODULE_RWX the image will be writable and executable until the call to bpf_jit_binary_lock_ro().

Reviewed-by: Christophe Leroy
Signed-off-by: Jordan Niethe
---
v10: New to series
v11: Remove CONFIG_STRICT_MODULE_RWX conditional
---
arch/powerpc/net/bpf_jit_comp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c index 6c8c268e4fe8..53aefee3fe70 100644 --- a/arch/powerpc/net/bpf_jit_comp.c +++ b/arch/powerpc/net/bpf_jit_comp.c @@ -237,6 +237,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp) fp->jited_len = alloclen; bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * PAGE_SIZE)); + bpf_jit_binary_lock_ro(bpf_hdr); if (!fp->is_func || extra_pass) { bpf_prog_fill_jited_linfo(fp, addrs); out_addrs: -- 2.25.1
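Review bot: the added bpf_jit_binary_lock_ro(bpf_hdr) call sits above the "if (!fp->is_func || extra_pass)" test rather than inside it, so the image is also made read-only on a pass where fp->is_func is set and extra_pass is not. If a later extra pass writes into the same image for that sub-program, that write would land on read-only pages; consider making the call the first statement inside the conditional so the image is locked only once it is final. Separately, the commit message describes only the case without CONFIG_STRICT_MODULE_RWX; one sentence on the case with it (the image starts out non-executable and the call then removes write and adds exec, as explained in the thread) would answer the question raised in review.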