From patchwork Fri Nov 23 09:41:52 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 151851
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe,
    Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann,
    Catalin Marinas, Will Deacon, Mark Rutland, "David S. Miller",
    linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org
Subject: [PATCH v3 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory
Date: Fri, 23 Nov 2018 10:41:52 +0100
Message-Id: <20181123094152.21368-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20181123094152.21368-1-ard.biesheuvel@linaro.org>
References: <20181123094152.21368-1-ard.biesheuvel@linaro.org>

The arm64 module region is a 128 MB region that is kept close to
the core kernel, in order to ensure that relative branches are
always in range. So using the same region for programs that do
not have this restriction is wasteful, and preferably avoided.

Now that the core BPF JIT code permits the alloc/free routines to
be overridden, implement them by vmalloc()/vfree() calls from a
dedicated 128 MB region set aside for BPF programs. This ensures
that BPF programs are still in branching range of each other, which
is something the JIT currently depends upon (and is not guaranteed
when using module_alloc() on KASLR kernels like we do currently).
It also ensures that placement of BPF programs does not correlate
with the placement of the core kernel or modules, making it less
likely that leaking the former will reveal the latter.

This also solves an issue under KASAN, where shadow memory is
needlessly allocated for all BPF programs (which don't require KASAN
shadow pages since they are not KASAN instrumented)

Signed-off-by: Ard Biesheuvel --- arch/arm64/include/asm/memory.h | 3 +++ arch/arm64/include/asm/pgtable.h | 2 +- arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) -- 2.17.1 diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index b96442960aea..506e319da98f 100644 --- a/arch/arm64/include/asm/memory.h +++ b/arch/arm64/include/asm/memory.h @@ -69,6 +69,9 @@ #define PCI_IO_END (VMEMMAP_START - SZ_2M) #define PCI_IO_START (PCI_IO_END - PCI_IO_SIZE) #define FIXADDR_TOP (PCI_IO_START - SZ_2M) +#define BPF_JIT_REGION_BASE (VMALLOC_END) +#define BPF_JIT_REGION_SIZE (SZ_128M) +#define BPF_JIT_REGION_END (BPF_JIT_REGION_BASE + BPF_JIT_REGION_SIZE) #define KERNEL_START _text #define KERNEL_END _end diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h index 50b1ef8584c0..9db98a4cd9b4 100644 --- a/arch/arm64/include/asm/pgtable.h +++ b/arch/arm64/include/asm/pgtable.h @@ -31,7 +31,7 @@ * and fixed mappings */ #define VMALLOC_START (MODULES_END) -#define VMALLOC_END (PAGE_OFFSET - PUD_SIZE - VMEMMAP_SIZE - SZ_64K) +#define VMALLOC_END (PAGE_OFFSET - PUD_SIZE - VMEMMAP_SIZE - BPF_JIT_REGION_SIZE - SZ_64K) #define vmemmap ((struct page *)VMEMMAP_START - (memstart_addr >> PAGE_SHIFT)) diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c index a6fdaea07c63..298beba29fa5 100644 --- a/arch/arm64/net/bpf_jit_comp.c +++ b/arch/arm64/net/bpf_jit_comp.c @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) tmp : orig_prog); return prog; } + +void *bpf_jit_alloc_exec(unsigned long size) +{ + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_BASE, + BPF_JIT_REGION_END, GFP_KERNEL, + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +void bpf_jit_free_exec(const void *addr) +{ + return vfree(addr); +}
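
Review bot: In the arch/arm64/include/asm/memory.h hunk, BPF_JIT_REGION_BASE is defined as (VMALLOC_END), so the JIT region starts exactly where the vmalloc range ends and its addresses fall outside [VMALLOC_START, VMALLOC_END). Any check that classifies a pointer by testing against that range will not treat JIT allocations as vmalloc memory, even though they come from __vmalloc_node_range() and are released with vfree(); please state in the commit message or in a comment whether that is intended. The three defines are also added without a comment, while pgtable.h now subtracts BPF_JIT_REGION_SIZE from VMALLOC_END, so the two headers depend on each other; a short comment next to the defines saying where the region sits and why VMALLOC_END accounts for it would make that dependency visible.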
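
Review bot: In the arch/arm64/include/asm/pgtable.h hunk, VMALLOC_END is reduced by BPF_JIT_REGION_SIZE unconditionally, so the vmalloc area gives up 128 MB even on kernels built without the BPF JIT; consider reserving the region only when the JIT is configured, or say in the commit message why the fixed cost is acceptable. The comment directly above the defines (ending "and fixed mappings") is left unchanged and should mention the new region if it is meant to describe what sits around the vmalloc range. The rewritten "#define VMALLOC_END" line also runs past 80 columns and would read better wrapped.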
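
Review bot: In the arch/arm64/net/bpf_jit_comp.c hunk, bpf_jit_free_exec() is declared void but its body is "return vfree(addr);"; drop the "return" and call vfree(addr) as a plain statement. The hunk adds no #include, so the new functions rely on the file already seeing the declarations of __vmalloc_node_range() and vfree(); worth confirming for all configurations. A one-line comment above bpf_jit_alloc_exec() noting that it overrides the core BPF JIT allocator so that programs stay within branching range of each other, as the commit message explains, would keep that requirement next to the code that enforces it.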