From: Daniel Borkmann <dborkman@redhat.com>
To: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: davem@davemloft.net, ast@plumgrid.com, netdev@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: Re: [PATCH net-next 1/3] net: bpf: consolidate JIT binary allocator
Date: Mon, 08 Sep 2014 10:12:27 +0200 [thread overview]
Message-ID: <540D64EB.1000609@redhat.com> (raw)
In-Reply-To: <20140908061744.GA4193@osiris>
On 09/08/2014 08:17 AM, Heiko Carstens wrote:
> On Sat, Sep 06, 2014 at 11:42:45AM +0200, Daniel Borkmann wrote:
>> Introduced in commit 314beb9bcabf ("x86: bpf_jit_comp: secure bpf jit
>> against spraying attacks") and later on replicated in aa2d2c73c21f
>> ("s390/bpf,jit: address randomize and write protect jit code") for
>> s390 architecture, write protection for BPF JIT images got added and
>> a random start address of the JIT code, so that it's not on a page
>> boundary anymore.
>>
>> Since both use a very similar allocator for the BPF binary header,
>> we can consolidate this code into the BPF core as it's mostly JIT
>> independant anyway.
>>
>> This will also allow for future archs that support DEBUG_SET_MODULE_RONX
>> to just reuse instead of reimplementing it.
>>
>> While reviewing the code, I think on s390, the alignment masking
>> seems not to be correct in it's current form, that is, we make sure
>> the first instruction starts at an even address as stated by commit
>> aa2d2c73c21f but masks the start with '& -2' while 2 byte-alignment
>> should rather be '& ~1'.
>>
>> JIT tested on x86_64 and s390x with BPF test suite.
>>
>> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
>> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
>> Cc: Eric Dumazet <edumazet@google.com>
>> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
>> ---
>> arch/s390/net/bpf_jit_comp.c | 45 ++++++++-------------------------------
>> arch/x86/net/bpf_jit_comp.c | 50 ++++++++++----------------------------------
>> include/linux/filter.h | 13 ++++++++++++
>> kernel/bpf/core.c | 39 ++++++++++++++++++++++++++++++++++
>> 4 files changed, 72 insertions(+), 75 deletions(-)
>
> Looks good to me (except for the comment about s390 ;).
Yes, sorry for that. I guess I had too much coffee. :) I have already
updated the commit message and resent the set.
> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Thanks a lot,
Daniel
next prev parent reply other threads:[~2014-09-08 8:12 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-06 9:42 [PATCH net-next 0/3] BPF updates Daniel Borkmann
2014-09-06 9:42 ` [PATCH net-next 1/3] net: bpf: consolidate JIT binary allocator Daniel Borkmann
2014-09-07 23:15 ` David Miller
2014-09-08 0:17 ` Alexei Starovoitov
2014-09-08 6:09 ` Daniel Borkmann
2014-09-08 6:17 ` Heiko Carstens
2014-09-08 8:12 ` Daniel Borkmann [this message]
2014-09-06 9:42 ` [PATCH net-next 2/3] net: bpf: arm: address randomize and write protect JIT code Daniel Borkmann
2014-09-06 17:36 ` Mircea Gherzan
2014-09-06 9:42 ` [PATCH net-next 3/3] net: bpf: be friendly to kmemcheck Daniel Borkmann
2014-09-06 16:09 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=540D64EB.1000609@redhat.com \
--to=dborkman@redhat.com \
--cc=ast@plumgrid.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=heiko.carstens@de.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.