Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp3965984imw; Mon, 11 Jul 2022 21:24:43 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uLex4WYXdR/x4M5H0Xr/45g2oL4gCGIiOTbu8GIVARNmA0iTct+lgqCbuu0xmDW7IphSe8 X-Received: by 2002:a63:1009:0:b0:415:d29d:eadd with SMTP id f9-20020a631009000000b00415d29deaddmr13884175pgl.195.1657599882981; Mon, 11 Jul 2022 21:24:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657599882; cv=none; d=google.com; s=arc-20160816; b=0Ac/CpLKFlVf6cOpS9bIkK8sC6T4r624Tm1/eyqhNFJwyX2ARsefNkDRYT+IPf20e9 yy644KVLo3h/aR2L/5hT78BRRSi0l1CP+1JG3t76jBTwoHN8BGXLkHQN0EJTCN6fs/ac 0J0/pz2a7SZDXzWAN/YiJE8wLA8ty9h947cWvPes7v540thkuC5TFpV2Qk749gjv66Oz /SMStf32vE5hQbQU2I3sn1YgYYAGhkrp4lbFHquq5jPcflDuy4IHqQWAnQGuHlCA2Jfx 8BmHt8NAFCpnHmtDuBAOjEMI15r7xJuN8Gw+lEVhh6HWKVL/u5pMCMLqxlyNEeUjl5YS 9Ylw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=SerALkoKkILFqR40xrtVLu7qCXWoTY5YVNTXw341g5M=; b=Wp7GhhN3a3whTjRL0yb2++1uwcGU4sFsA2/CdEppa9bVoyVY6CfPTp5Mryuk2V76Vq cXnpuH+N6rRJtaLx/7a1T751CUv4QgBTOSC+LJHf+6Z9vwpjNAW2mUrkRx5YqsXo+pgO 2fbLoGNHa/Xj0YMLJvUaeOCyCv5V1xGpzsox2wuIyv0tC60NiBY80M9YHpkMW8dFkWYO TO5LrEWpJ7ktjOVCpQt9g7hjtVgIpyH+fqLgEcCSinyvRsPvLbkuO2A/8y8I983GRxmP FAT1hY0L0MJojmJ2DVtSZ5X5HDtPks2S0E/IfJfaO+5m6bWF5QT8z0oCelwLX4piWA91 48dQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=JkhW4IaW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p11-20020a654bcb000000b0039d9d404482si12669557pgr.570.2022.07.11.21.24.30; Mon, 11 Jul 2022 21:24:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=JkhW4IaW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230310AbiGLETe (ORCPT + 99 others); Tue, 12 Jul 2022 00:19:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230232AbiGLET1 (ORCPT ); Tue, 12 Jul 2022 00:19:27 -0400 Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA389DFB0; Mon, 11 Jul 2022 21:19:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=SerALkoKkILFqR40xrtVLu7qCXWoTY5YVNTXw341g5M=; b=JkhW4IaWbotUT+4T1nlgzM0/mi 3J3G0B15QqJw92tXicvjFX6bv3jehp952EXaLwVjeebCGVdpLpConV5X701ky4yIA7uumUmU5Qojp Wozqu6yfxwiAWzMq8k1OlYJ7cvJZgEJ0EfXTGYguP0AWJfaM4TIAx0jNv7t7NJ+oWvMP1HgGuPpo0 DOpDBd1oyAAMtm/1XazxcAluYMFd0RAabjzuruTfRmH1HHTpN6OO8nSM+qLQ4Oiul40pqW6NFlDvF Y8YkaXgIRV96VHMeNj8TeJq075TJrolZCBNb39XVqmf12EDm4CVIP5fTg+Ly4Bu+q4I1fX9FknKNH q9/k/bjw==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1oB7ML-007GZm-C7; Tue, 12 Jul 2022 04:18:53 +0000 Date: Mon, 11 Jul 2022 21:18:53 -0700 From: Luis Chamberlain To: Song Liu , Peter Zijlstra , Steven Rostedt , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Masami Hiramatsu , "Naveen N. Rao" , "David S. Miller" , Anil S Keshavamurthy , Kees Cook Cc: Song Liu , bpf , Christoph Hellwig , Davidlohr Bueso , lkml , Linux-MM , Daniel Borkmann , Kernel Team , "x86@kernel.org" , "dave.hansen@linux.intel.com" , "rick.p.edgecombe@intel.com" , "linux-modules@vger.kernel.org" Subject: Re: [PATCH v6 bpf-next 0/5] bpf_prog_pack followup Message-ID: References: <20220707223546.4124919-1-song@kernel.org> <863A2D5B-976D-4724-AEB1-B2A494AD2BDB@fb.com> <6214B9C9-557B-4DC0-BFDE-77EAC425E577@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6214B9C9-557B-4DC0-BFDE-77EAC425E577@fb.com> Sender: Luis Chamberlain X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 09, 2022 at 01:14:23AM +0000, Song Liu wrote: > > On Jul 8, 2022, at 3:24 PM, Luis Chamberlain wrote: > > > >> 1) Rename module_alloc_huge as module_alloc_text_huge(); > > > > module_alloc_text_huge() is too long, but I've suggested names before > > which are short and generic, and also suggested that if modules are > > not the only users this needs to go outside of modules and so > > vmalloc_text_huge() or whatever. > > > > To do this right it begs the question why we don't do that for the > > existing module_alloc(), as the users of this code is well outside of > > modules now. Last time a similar generic name was used all the special > > arch stuff was left to be done by the module code still, but still > > non-modules were still using that allocator. From my perspective the > > right thing to do is to deal with all the arch stuff as well in the > > generic handler, and have the module code *and* the other users which > > use module_alloc() to use that new caller as well. > > The key difference between module_alloc() and the new API is that the > API will return RO+X memory, and the user need text-poke like API to > modify this buffer. Archs that do not support text-poke will not be > able to use the new API. Does this sound like a reasonable design? I'm adding kprobe + ftrace folks. I can't see why we need to *require* text_poke for just a module_alloc_huge(). Enhancements on module_alloc() are just enhancements, not requirements. So we have these for instance: ``` from arch/Kconfig config ARCH_OPTIONAL_KERNEL_RWX def_bool n config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT def_bool n config ARCH_HAS_STRICT_KERNEL_RWX def_bool n config STRICT_KERNEL_RWX bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX depends on ARCH_HAS_STRICT_KERNEL_RWX default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT help If this is set, kernel text and rodata memory will be made read-only, and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. executing the heap or modifying text) These features are considered standard security practice these days. You should say Y here in almost all cases. config ARCH_HAS_STRICT_MODULE_RWX def_bool n config STRICT_MODULE_RWX bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT help If this is set, module text and rodata memory will be made read-only, and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. writing to text) ``` With module_alloc() we have the above symbols to tell us when we *can* support strict module rwx. So the way the kernel's modules are allocated and used is: for each module section: module_alloc() module_enable_ro() module_enable_nx() module_enable_x() The above can be read in the code as: load_module() --> layout_and_allocate() complete_formation() Then there is the consideration of set_vm_flush_reset_perms() for freeing. On the module code we use this fore the RO+X stuff (core_layout, init_layout), but now that is a bit obfuscated due to the placement of the call. It would seem the other users use it for the same: * ebpf * kprobes * ftrace I believe you are mentioning requiring text_poke() because the way eBPF code uses the module_alloc() is different. Correct me if I'm wrong, but from what I gather is you use the text_poke_copy() as the data is already RO+X, contrary module_alloc() use cases. You do this since your bpf_prog_pack_alloc() calls set_memory_ro() and set_memory_x() after module_alloc() and before you can use this memory. This is a different type of allocator. And, again please correct me if I'm wrong but now you want to share *one* 2 MiB huge-page for multiple BPF programs to help with the impact of TLB misses. A vmalloc_ro_exec() by definition would imply a text_poke(). Can kprobes, ftrace and modules use it too? It would be nice so to not have to deal with the loose semantics on the user to have to use set_vm_flush_reset_perms() on ro+x later, but I think this can be addressed separately on a case by case basis. But a vmalloc_ro_exec() with a respective free can remove the requirement to do set_vm_flush_reset_perms(). Luis