Message-ID: <54063AF1.4020907@redhat.com>
Date: Tue, 02 Sep 2014 23:47:29 +0200
From: Daniel Borkmann
To: Alexei Starovoitov
CC: Hannes Frederic Sowa, Network Development, LKML, Brad Spengler, Kees Cook
Subject: Re: [PATCH net-next v2] net: bpf: make eBPF interpreter images read-only
References: <2bf2e54282097642db88e2b596b06a9ac3742883.1409690849.git.hannes@stressinduktion.org>

On 09/02/2014 11:31 PM, Alexei Starovoitov wrote:
...
>> +#ifdef CONFIG_DEBUG_SET_MODULE_RONX
>> +static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
>> +{
>> + set_memory_ro((unsigned long)fp, fp->pages);
>
> since ronx are ifdef checked together,
> would probably make sense to set nx too?

In case of JITs, for example, we request pages that are PAGE_KERNEL_EXEC
via module_alloc(), but here we only need PAGE_KERNEL. At least on x86_64,
PAGE_NX is then set already.
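
Review bot: in the quoted bpf_prog_lock_ro(), the int result of set_memory_ro() is discarded, so a failed permission change would leave the image writable while callers treat it as locked. Consider surfacing the failure, for example WARN_ON_ONCE(set_memory_ro((unsigned long)fp, fp->pages)); or returning the error to the caller instead of declaring the helper void. Since the range is passed as a start address plus a page count, a short comment stating that fp must be the page-aligned start of the allocation and that fp->pages covers all of it would also help.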