From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0808C433EF for ; Tue, 12 Jul 2022 04:19:29 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3E3EA940043; Tue, 12 Jul 2022 00:19:29 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 39385940033; Tue, 12 Jul 2022 00:19:29 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 25AC6940043; Tue, 12 Jul 2022 00:19:29 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 15AA2940033 for ; Tue, 12 Jul 2022 00:19:29 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay13.hostedemail.com (Postfix) with ESMTP id E134160398 for ; Tue, 12 Jul 2022 04:19:28 +0000 (UTC) X-FDA: 79677143616.13.88A0694 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) by imf14.hostedemail.com (Postfix) with ESMTP id 2F19A10005E for ; Tue, 12 Jul 2022 04:19:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=SerALkoKkILFqR40xrtVLu7qCXWoTY5YVNTXw341g5M=; b=JkhW4IaWbotUT+4T1nlgzM0/mi 3J3G0B15QqJw92tXicvjFX6bv3jehp952EXaLwVjeebCGVdpLpConV5X701ky4yIA7uumUmU5Qojp Wozqu6yfxwiAWzMq8k1OlYJ7cvJZgEJ0EfXTGYguP0AWJfaM4TIAx0jNv7t7NJ+oWvMP1HgGuPpo0 DOpDBd1oyAAMtm/1XazxcAluYMFd0RAabjzuruTfRmH1HHTpN6OO8nSM+qLQ4Oiul40pqW6NFlDvF Y8YkaXgIRV96VHMeNj8TeJq075TJrolZCBNb39XVqmf12EDm4CVIP5fTg+Ly4Bu+q4I1fX9FknKNH q9/k/bjw==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1oB7ML-007GZm-C7; Tue, 12 Jul 2022 04:18:53 +0000 Date: Mon, 11 Jul 2022 21:18:53 -0700 From: Luis Chamberlain To: Song Liu , Peter Zijlstra , Steven Rostedt , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Masami Hiramatsu , "Naveen N. Rao" , "David S. Miller" , Anil S Keshavamurthy , Kees Cook Cc: Song Liu , bpf , Christoph Hellwig , Davidlohr Bueso , lkml , Linux-MM , Daniel Borkmann , Kernel Team , "x86@kernel.org" , "dave.hansen@linux.intel.com" , "rick.p.edgecombe@intel.com" , "linux-modules@vger.kernel.org" Subject: Re: [PATCH v6 bpf-next 0/5] bpf_prog_pack followup Message-ID: References: <20220707223546.4124919-1-song@kernel.org> <863A2D5B-976D-4724-AEB1-B2A494AD2BDB@fb.com> <6214B9C9-557B-4DC0-BFDE-77EAC425E577@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6214B9C9-557B-4DC0-BFDE-77EAC425E577@fb.com> ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1657599568; a=rsa-sha256; cv=none; b=eIqM6GXGAmENHQ35uTot1NqqZW1YPhQ9W8QETBV1JgQ6sOroYrZjsHGjDCbJqVYr6hEv/x YMRtZkCrBJsYOo+fdpCaa5QHuE0e3aUaGxK9Vcv7VOIONIVrnGCyGD6xIIUZf5D6Fk/jIy wjc17KY5q2wek6MFltMqRgGbIGzPWmU= ARC-Authentication-Results: i=1; imf14.hostedemail.com; dkim=pass header.d=infradead.org header.s=bombadil.20210309 header.b=JkhW4IaW; dmarc=fail reason="No valid SPF, DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=none (imf14.hostedemail.com: domain of mcgrof@infradead.org has no SPF policy when checking 198.137.202.133) smtp.mailfrom=mcgrof@infradead.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1657599568; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=SerALkoKkILFqR40xrtVLu7qCXWoTY5YVNTXw341g5M=; b=vyg95xC+JjuHNkAw4HViDGjkftCW9jLz6hDzbfCnR4FeN97oKFZIlZwjBYJ5m1MWvBsWWa HS3Y9oBieCyCsN+cmd/Ffs+sPxlWSp5TQ7eTZjcULuTg1TPzSD4X1FsxDLYJ8rYZo+Y8Vk R4TmIV0H0i5pZ9N/EI1EuAzT2EUSwJg= X-Stat-Signature: hhkdodhid1zk933mt73e61zqk4h8ehhk Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=infradead.org header.s=bombadil.20210309 header.b=JkhW4IaW; dmarc=fail reason="No valid SPF, DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=none (imf14.hostedemail.com: domain of mcgrof@infradead.org has no SPF policy when checking 198.137.202.133) smtp.mailfrom=mcgrof@infradead.org X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 2F19A10005E X-Rspam-User: X-HE-Tag: 1657599567-851390 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sat, Jul 09, 2022 at 01:14:23AM +0000, Song Liu wrote: > > On Jul 8, 2022, at 3:24 PM, Luis Chamberlain wrote: > > > >> 1) Rename module_alloc_huge as module_alloc_text_huge(); > > > > module_alloc_text_huge() is too long, but I've suggested names before > > which are short and generic, and also suggested that if modules are > > not the only users this needs to go outside of modules and so > > vmalloc_text_huge() or whatever. > > > > To do this right it begs the question why we don't do that for the > > existing module_alloc(), as the users of this code is well outside of > > modules now. Last time a similar generic name was used all the special > > arch stuff was left to be done by the module code still, but still > > non-modules were still using that allocator. From my perspective the > > right thing to do is to deal with all the arch stuff as well in the > > generic handler, and have the module code *and* the other users which > > use module_alloc() to use that new caller as well. > > The key difference between module_alloc() and the new API is that the > API will return RO+X memory, and the user need text-poke like API to > modify this buffer. Archs that do not support text-poke will not be > able to use the new API. Does this sound like a reasonable design? I'm adding kprobe + ftrace folks. I can't see why we need to *require* text_poke for just a module_alloc_huge(). Enhancements on module_alloc() are just enhancements, not requirements. So we have these for instance: ``` from arch/Kconfig config ARCH_OPTIONAL_KERNEL_RWX def_bool n config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT def_bool n config ARCH_HAS_STRICT_KERNEL_RWX def_bool n config STRICT_KERNEL_RWX bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX depends on ARCH_HAS_STRICT_KERNEL_RWX default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT help If this is set, kernel text and rodata memory will be made read-only, and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. executing the heap or modifying text) These features are considered standard security practice these days. You should say Y here in almost all cases. config ARCH_HAS_STRICT_MODULE_RWX def_bool n config STRICT_MODULE_RWX bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT help If this is set, module text and rodata memory will be made read-only, and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. writing to text) ``` With module_alloc() we have the above symbols to tell us when we *can* support strict module rwx. So the way the kernel's modules are allocated and used is: for each module section: module_alloc() module_enable_ro() module_enable_nx() module_enable_x() The above can be read in the code as: load_module() --> layout_and_allocate() complete_formation() Then there is the consideration of set_vm_flush_reset_perms() for freeing. On the module code we use this fore the RO+X stuff (core_layout, init_layout), but now that is a bit obfuscated due to the placement of the call. It would seem the other users use it for the same: * ebpf * kprobes * ftrace I believe you are mentioning requiring text_poke() because the way eBPF code uses the module_alloc() is different. Correct me if I'm wrong, but from what I gather is you use the text_poke_copy() as the data is already RO+X, contrary module_alloc() use cases. You do this since your bpf_prog_pack_alloc() calls set_memory_ro() and set_memory_x() after module_alloc() and before you can use this memory. This is a different type of allocator. And, again please correct me if I'm wrong but now you want to share *one* 2 MiB huge-page for multiple BPF programs to help with the impact of TLB misses. A vmalloc_ro_exec() by definition would imply a text_poke(). Can kprobes, ftrace and modules use it too? It would be nice so to not have to deal with the loose semantics on the user to have to use set_vm_flush_reset_perms() on ro+x later, but I think this can be addressed separately on a case by case basis. But a vmalloc_ro_exec() with a respective free can remove the requirement to do set_vm_flush_reset_perms(). Luis