Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1015765ybx; Wed, 30 Oct 2019 08:36:44 -0700 (PDT) X-Google-Smtp-Source: APXvYqyUByX/yTIPpzvTR1MMRVUVjUmt3tchvK0nmfAGOsFKJ3Zr+aQyvlPUZaXzf7DTa1GFW94V X-Received: by 2002:a50:cd14:: with SMTP id z20mr290295edi.226.1572449804825; Wed, 30 Oct 2019 08:36:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572449804; cv=none; d=google.com; s=arc-20160816; b=Urlpf0+d4CEZ57OnIjDIz7bkF9KFA+cmfb/5aOpGGuNyx/3lMmGROuwHiVuTGavUUo 0BCHmnKjZoLdWHCKnmKzsWmReujGuM5Cjy7KfWq6v91ihVjQBgtegpSrsDcUOo3es1Ht KbL/82dtWTExHgwH55qraQMmkxtq8dE2l4H/bZSYfEmVyoTQwGr4Pf0Gjsp98iG7tWGU S9GH/7HP+zL3i2uPCFh72s/ELdzEzhQOkFD731f+cOCp3aOC/SXt1FFExbkTvYpngYwD H24Rn5vI3hQ/8eiikgTQSdsRyxS6SyoEsu+tyUd4lQtgeS1eGYTuyDJfniZtzqXgSRPz yUug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=6/cUvxppfvco+q/svBW0l1eTrvr4r1OMCG7AkgiKpcQ=; b=ITbaQIEF20UCNABkPSuuYCc7N85zoXcRkZ+I+cPxPLfR4Vs+NGIDEkZcsxi9fiIYzB CsbkqiLEPCVHnURWLfFDCOShNpI3vtUsAkco+Q5fGa3n26kKg61v4J7iR87PY0aIQTxd 7EsMBvk0Yw1scBrHjaeI4F4juAnWUH71bvxED78jplvh+Y14rcs5Qs06Bj7L6+TVckjp 6OMkMDUn0vVL+XVGV31xPO1G3ZjjL044hPZXkZy81ETS2iGSUYBe/ZC8WZZgxVx8yprr bwpiJ++sUF0QsBHsWs6+W9cZVWNHMApyrt3iFwd10sl82rT29YrUPRyFTJKliVydI94G MEPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=tR6noo5C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g10si1388174ejw.424.2019.10.30.08.36.20; Wed, 30 Oct 2019 08:36:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=tR6noo5C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726636AbfJ3PfZ (ORCPT + 99 others); Wed, 30 Oct 2019 11:35:25 -0400 Received: from mail-lj1-f196.google.com ([209.85.208.196]:39778 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726404AbfJ3PfZ (ORCPT ); Wed, 30 Oct 2019 11:35:25 -0400 Received: by mail-lj1-f196.google.com with SMTP id y3so3184934ljj.6; Wed, 30 Oct 2019 08:35:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6/cUvxppfvco+q/svBW0l1eTrvr4r1OMCG7AkgiKpcQ=; b=tR6noo5CwOi34VQIokfGyMdP+tJf/ZPULHPz8KIcLua8ZoHBLlO50xCqeMHaAGvVQa 48WC0IzF8IxRv33JMgEH6NVNXDntgXn7Qbh44b6Itm/zy8iGjwULy02N0bndCfuE2mWn J5Gwpff3AsiQbdxaPgA4+tL1vptqqQI4FjSr8FVKo2VUEXTe05i7hepKReBSN4ewi9tv zbaqlMUmmjqzytwjIcNNu6xS9h9lWk0Eaj0NjvRt2/CJPLu+0YZNb2skTCtzBUyPYFNU 4LvGej/Mi9HNnkRrWKHopWrOtOHpFc32BVA/CVOOxGZuSTldPR3GNZh63N8HGJiB7fSn K3Pg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6/cUvxppfvco+q/svBW0l1eTrvr4r1OMCG7AkgiKpcQ=; b=a7G85NUd3PiSRYyz+PPHcvUPX8XFnp5xRv/fKEIFPBEaTClzadmxu2vw6e7wJlSfaK /8BhwdjhG8RA7hDngdBoUi4STefYxbch3zK4rJmsJLs4xeZ6oEv5WuQOtPXHy1xBXtEI abwQQXErdvqypLwf1Qm3puufAlGwyh+a96OxvcpKr7U2r0iaRZsMFfFvT03kSgua1Xvh VevTTT6xctaJi2Ji954Qu4UtotJisPEnCB1Z1wwJAjUP5vY3ybhGxC0ms4JoqrA6doG+ 6phCen7SOXVc3TYJoav2qwLi5ZgQHee6421/MgTQs5dfVf3P+wuxaSZZOqNGEr/VV8dr cvvQ== X-Gm-Message-State: APjAAAUjf/oa0D64VtIqsqwlegW8iB8kED66rUkEAMUtLHn9uG3g28ro Pwo4rzKn2cNKW8d2T1AkQkTkogdQ0Cx+0w/J90Q= X-Received: by 2002:a2e:2412:: with SMTP id k18mr217604ljk.243.1572449721198; Wed, 30 Oct 2019 08:35:21 -0700 (PDT) MIME-Version: 1.0 References: <1572171452-7958-1-git-send-email-rppt@kernel.org> <1572171452-7958-2-git-send-email-rppt@kernel.org> <20191028123124.ogkk5ogjlamvwc2s@box> <20191028130018.GA7192@rapoport-lnx> <20191028131623.zwuwguhm4v4s5imh@box> <20191028135521.GB4097@hirez.programming.kicks-ass.net> <0a35765f7412937c1775daa05177b20113760aee.camel@intel.com> <20191028210052.GM4643@worktop.programming.kicks-ass.net> <69c57f7fa9a1be145827673b37beff155a3adc3c.camel@intel.com> <20191030100418.GV4097@hirez.programming.kicks-ass.net> In-Reply-To: <20191030100418.GV4097@hirez.programming.kicks-ass.net> From: Alexei Starovoitov Date: Wed, 30 Oct 2019 08:35:09 -0700 Message-ID: Subject: Re: [PATCH RFC] mm: add MAP_EXCLUSIVE to create exclusive user mappings To: Peter Zijlstra Cc: "Edgecombe, Rick P" , "adobriyan@gmail.com" , "linux-kernel@vger.kernel.org" , "rppt@kernel.org" , "rostedt@goodmis.org" , "jejb@linux.ibm.com" , "tglx@linutronix.de" , "linux-mm@kvack.org" , "dave.hansen@linux.intel.com" , "linux-api@vger.kernel.org" , "x86@kernel.org" , "akpm@linux-foundation.org" , "hpa@zytor.com" , "mingo@redhat.com" , "luto@kernel.org" , "kirill@shutemov.name" , "bp@alien8.de" , "rppt@linux.ibm.com" , "arnd@arndb.de" , Daniel Borkmann , bpf Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 30, 2019 at 3:06 AM Peter Zijlstra wrote: > > On Tue, Oct 29, 2019 at 05:27:43PM +0000, Edgecombe, Rick P wrote: > > On Mon, 2019-10-28 at 22:00 +0100, Peter Zijlstra wrote: > > > > That should be limited to the module range. Random data maps could > > > shatter the world. > > > > BPF has one vmalloc space allocation for the byte code and one for the module > > space allocation for the JIT. Both get RO also set on the direct map alias of > > the pages, and reset RW when freed. > > Argh, I didn't know they mapped the bytecode RO; why does it do that? It > can throw out the bytecode once it's JIT'ed. because of endless security "concerns" that some folks had. Like what if something can exploit another bug in the kernel and modify bytecode that was already verified then interpreter will execute that modified bytecode. Sort of similar reasoning why .text is read-only. I think it's not a realistic attack, but I didn't bother to argue back then. The mere presence of interpreter itself is a real security concern. People that care about speculation attacks should have CONFIG_BPF_JIT_ALWAYS_ON=y, so modifying bytecode via another exploit will be pointless. Getting rid of RO for bytecode will save a ton of memory too, since we won't need to allocate full page for each small programs.