[v12,5/8] powerpc/bpf: Write protect JIT code

Message ID	20210506023449.3568630-6-jniethe5@gmail.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org> From: Jordan Niethe <jniethe5@gmail.com> To: linuxppc-dev@lists.ozlabs.org Subject: [PATCH v12 5/8] powerpc/bpf: Write protect JIT code Date: Thu, 6 May 2021 12:34:46 +1000 Message-Id: <20210506023449.3568630-6-jniethe5@gmail.com> In-Reply-To: <20210506023449.3568630-1-jniethe5@gmail.com> References: <20210506023449.3568630-1-jniethe5@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Cc: ajd@linux.ibm.com, cmr@codefail.de, npiggin@gmail.com, aneesh.kumar@linux.ibm.com, naveen.n.rao@linux.ibm.com, Jordan Niethe <jniethe5@gmail.com>, dja@axtens.net Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>
Series	powerpc: Further Strict RWX support \| expand [v12,0/8] powerpc: Further Strict RWX support [v12,1/8] powerpc/mm: Implement set_memory() routines [v12,2/8] powerpc/lib/code-patching: Set up Strict RWX patching earlier [v12,3/8] powerpc/kprobes: Mark newly allocated probes as ROX [v12,4/8] powerpc/bpf: Remove bpf_jit_free() [v12,5/8] powerpc/bpf: Write protect JIT code [v12,6/8] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX [v12,7/8] powerpc/mm: implement set_memory_attr() [v12,8/8] powerpc/32: use set_memory_attr()
Related	show [v10,05/10] powerpc/bpf: Write protect JIT code [v11,6/9] powerpc/bpf: Write protect JIT code [v13,5/8] powerpc/bpf: Write protect JIT code [v14,6/9] powerpc/bpf: Write protect JIT code [v15,6/9] powerpc/bpf: Write protect JIT code

Message ID

20210506023449.3568630-6-jniethe5@gmail.com (mailing list archive)

State

Superseded

Headers

From: Jordan Niethe <jniethe5@gmail.com>
To: linuxppc-dev@lists.ozlabs.org
Subject: [PATCH v12 5/8] powerpc/bpf: Write protect JIT code
Date: Thu,  6 May 2021 12:34:46 +1000
Message-Id: <20210506023449.3568630-6-jniethe5@gmail.com>
In-Reply-To: <20210506023449.3568630-1-jniethe5@gmail.com>
References: <20210506023449.3568630-1-jniethe5@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Cc: ajd@linux.ibm.com, cmr@codefail.de, npiggin@gmail.com,
 aneesh.kumar@linux.ibm.com, naveen.n.rao@linux.ibm.com,
 Jordan Niethe <jniethe5@gmail.com>, dja@axtens.net
Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org
Sender: "Linuxppc-dev"
 <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>

Series

powerpc: Further Strict RWX support | expand

show

Checks

Context	Check	Description
snowpatch_ozlabs/apply_patch	success	Successfully applied on branch powerpc/merge (7619d98e5041d5c25aba5428704dba6121237a9a)
snowpatch_ozlabs/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 7 lines checked
snowpatch_ozlabs/needsstable	success	Patch has no Fixes tags

Context

Check

Description

snowpatch_ozlabs/apply_patch

success

Successfully applied on branch powerpc/merge (7619d98e5041d5c25aba5428704dba6121237a9a)

snowpatch_ozlabs/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 7 lines checked

snowpatch_ozlabs/needsstable

success

Patch has no Fixes tags

Commit Message

Jordan Niethe May 6, 2021, 2:34 a.m. UTC

Add the necessary call to bpf_jit_binary_lock_ro() to remove write and
add exec permissions to the JIT image after it has finished being
written.

Without CONFIG_STRICT_MODULE_RWX the image will be writable and
executable until the call to bpf_jit_binary_lock_ro().

Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
---
v10: New to series
v11: Remove CONFIG_STRICT_MODULE_RWX conditional
---
 arch/powerpc/net/bpf_jit_comp.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Christophe Leroy May 7, 2021, 5:53 a.m. UTC | #1

Le 06/05/2021 à 04:34, Jordan Niethe a écrit :
> Add the necessary call to bpf_jit_binary_lock_ro() to remove write and
> add exec permissions to the JIT image after it has finished being
> written.
> 
> Without CONFIG_STRICT_MODULE_RWX the image will be writable and
> executable until the call to bpf_jit_binary_lock_ro().
> 
> Signed-off-by: Jordan Niethe <jniethe5@gmail.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
> v10: New to series
> v11: Remove CONFIG_STRICT_MODULE_RWX conditional
> ---
>   arch/powerpc/net/bpf_jit_comp.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 6c8c268e4fe8..53aefee3fe70 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c
> @@ -237,6 +237,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
>   	fp->jited_len = alloclen;
>   
>   	bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * PAGE_SIZE));
> +	bpf_jit_binary_lock_ro(bpf_hdr);
>   	if (!fp->is_func || extra_pass) {
>   		bpf_prog_fill_jited_linfo(fp, addrs);
>   out_addrs:
>

diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 6c8c268e4fe8..53aefee3fe70 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -237,6 +237,7 @@  struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
 	fp->jited_len = alloclen;
 
 	bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * PAGE_SIZE));
+	bpf_jit_binary_lock_ro(bpf_hdr);
 	if (!fp->is_func || extra_pass) {
 		bpf_prog_fill_jited_linfo(fp, addrs);
 out_addrs: