* [PATCH v4 0/2] bpf: permit JIT allocations to be served outside the module region @ 2018-11-23 22:18 Ard Biesheuvel 2018-11-23 22:18 ` [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory Ard Biesheuvel 2018-11-23 22:18 ` [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory Ard Biesheuvel 0 siblings, 2 replies; 12+ messages in thread From: Ard Biesheuvel @ 2018-11-23 22:18 UTC (permalink / raw) To: linux-kernel Cc: Ard Biesheuvel, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Will Deacon, Mark Rutland, David S. Miller, linux-arm-kernel, netdev On arm64, modules are allocated from a 128 MB window which is close to the core kernel, so that relative direct branches are guaranteed to be in range (except in some KASLR configurations). Also, module_alloc() is in charge of allocating KASAN shadow memory when running with KASAN enabled. This means that the way BPF reuses module_alloc()/module_memfree() is undesirable on arm64 (and potentially other architectures as well), and so this series refactors BPF's use of those functions to permit architectures to change this behavior. Patch #1 breaks out the module_alloc() and module_memfree() calls into __weak functions so they can be overridden. Patch #2 implements the new alloc/free overrides for arm64 Changes since v3: - drop 'const' modifier for free() hook void* argument - move the dedicated BPF region to before the module region, putting it within 4GB of the module and kernel regions on non-KASLR kernels Changes since v2: - properly build time and runtime tested this time (log after the diffstat) - create a dedicated 128 MB region at the top of the vmalloc space for BPF programs, ensuring that the programs will be in branching range of each other (which we currently rely upon) but at an arbitrary distance from the kernel and modules (which we don't care about) Changes since v1: - Drop misguided attempt to 'fix' and refactor the free path. Instead, just add another __weak wrapper for the invocation of module_memfree() Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Jann Horn <jannh@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Jessica Yu <jeyu@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Ard Biesheuvel (2): bpf: add __weak hook for allocating executable memory arm64/bpf: don't allocate BPF JIT programs in module memory arch/arm64/include/asm/memory.h | 5 ++++- arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ kernel/bpf/core.c | 14 ++++++++++++-- 3 files changed, 29 insertions(+), 3 deletions(-) -- 2.19.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory 2018-11-23 22:18 [PATCH v4 0/2] bpf: permit JIT allocations to be served outside the module region Ard Biesheuvel @ 2018-11-23 22:18 ` Ard Biesheuvel 2018-11-26 17:02 ` Edgecombe, Rick P 2018-11-23 22:18 ` [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory Ard Biesheuvel 1 sibling, 1 reply; 12+ messages in thread From: Ard Biesheuvel @ 2018-11-23 22:18 UTC (permalink / raw) To: linux-kernel Cc: Ard Biesheuvel, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Will Deacon, Mark Rutland, David S. Miller, linux-arm-kernel, netdev By default, BPF uses module_alloc() to allocate executable memory, but this is not necessary on all arches and potentially undesirable on some of them. So break out the module_alloc() and module_memfree() calls into __weak functions to allow them to be overridden in arch code. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> --- kernel/bpf/core.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 1a796e0799ec..78e9b76201b3 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -609,6 +609,16 @@ static void bpf_jit_uncharge_modmem(u32 pages) atomic_long_sub(pages, &bpf_jit_current); } +void *__weak bpf_jit_alloc_exec(unsigned long size) +{ + return module_alloc(size); +} + +void __weak bpf_jit_free_exec(void *addr) +{ + module_memfree(addr); +} + struct bpf_binary_header * bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, unsigned int alignment, @@ -626,7 +636,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, if (bpf_jit_charge_modmem(pages)) return NULL; - hdr = module_alloc(size); + hdr = bpf_jit_alloc_exec(size); if (!hdr) { bpf_jit_uncharge_modmem(pages); return NULL; @@ -650,7 +660,7 @@ void bpf_jit_binary_free(struct bpf_binary_header *hdr) { u32 pages = hdr->pages; - module_memfree(hdr); + bpf_jit_free_exec(hdr); bpf_jit_uncharge_modmem(pages); } -- 2.19.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory 2018-11-23 22:18 ` [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory Ard Biesheuvel @ 2018-11-26 17:02 ` Edgecombe, Rick P 2018-12-05 23:37 ` Kees Cook 0 siblings, 1 reply; 12+ messages in thread From: Edgecombe, Rick P @ 2018-11-26 17:02 UTC (permalink / raw) To: linux-kernel@vger.kernel.org, ard.biesheuvel@linaro.org Cc: daniel@iogearbox.net, keescook@chromium.org, jeyu@kernel.org, jannh@google.com, ast@kernel.org, mark.rutland@arm.com, catalin.marinas@arm.com, will.deacon@arm.com, linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org, eric.dumazet@gmail.com, davem@davemloft.net, arnd@arndb.de On Fri, 2018-11-23 at 23:18 +0100, Ard Biesheuvel wrote: > By default, BPF uses module_alloc() to allocate executable memory, > but this is not necessary on all arches and potentially undesirable > on some of them. > > So break out the module_alloc() and module_memfree() calls into __weak > functions to allow them to be overridden in arch code. > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > --- It looks like some of the architectures call module_alloc directly in their bpf_jit_compile implementations as well. Rick ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory 2018-11-26 17:02 ` Edgecombe, Rick P @ 2018-12-05 23:37 ` Kees Cook 0 siblings, 0 replies; 12+ messages in thread From: Kees Cook @ 2018-12-05 23:37 UTC (permalink / raw) To: Rick Edgecombe Cc: LKML, Ard Biesheuvel, Daniel Borkmann, Jessica Yu, Jann Horn, Alexei Starovoitov, Mark Rutland, Catalin Marinas, Will Deacon, linux-arm-kernel, Network Development, Eric Dumazet, David S. Miller, Arnd Bergmann On Mon, Nov 26, 2018 at 9:02 AM Edgecombe, Rick P <rick.p.edgecombe@intel.com> wrote: > > On Fri, 2018-11-23 at 23:18 +0100, Ard Biesheuvel wrote: > > By default, BPF uses module_alloc() to allocate executable memory, > > but this is not necessary on all arches and potentially undesirable > > on some of them. > > > > So break out the module_alloc() and module_memfree() calls into __weak > > functions to allow them to be overridden in arch code. > > > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > --- > > It looks like some of the architectures call module_alloc directly in their > bpf_jit_compile implementations as well. Ew, good catch. :P -- Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-11-23 22:18 [PATCH v4 0/2] bpf: permit JIT allocations to be served outside the module region Ard Biesheuvel 2018-11-23 22:18 ` [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory Ard Biesheuvel @ 2018-11-23 22:18 ` Ard Biesheuvel 2018-11-30 18:26 ` Will Deacon 1 sibling, 1 reply; 12+ messages in thread From: Ard Biesheuvel @ 2018-11-23 22:18 UTC (permalink / raw) To: linux-kernel Cc: Ard Biesheuvel, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Will Deacon, Mark Rutland, David S. Miller, linux-arm-kernel, netdev The arm64 module region is a 128 MB region that is kept close to the core kernel, in order to ensure that relative branches are always in range. So using the same region for programs that do not have this restriction is wasteful, and preferably avoided. Now that the core BPF JIT code permits the alloc/free routines to be overridden, implement them by vmalloc()/vfree() calls from a dedicated 128 MB region set aside for BPF programs. This ensures that BPF programs are still in branching range of each other, which is something the JIT currently depends upon (and is not guaranteed when using module_alloc() on KASLR kernels like we do currently). It also ensures that placement of BPF programs does not correlate with the placement of the core kernel or modules, making it less likely that leaking the former will reveal the latter. This also solves an issue under KASAN, where shadow memory is needlessly allocated for all BPF programs (which don't require KASAN shadow pages since they are not KASAN instrumented) Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> --- arch/arm64/include/asm/memory.h | 5 ++++- arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index b96442960aea..ee20fc63899c 100644 --- a/arch/arm64/include/asm/memory.h +++ b/arch/arm64/include/asm/memory.h @@ -62,8 +62,11 @@ #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ (UL(1) << (VA_BITS - 1)) + 1) #define KIMAGE_VADDR (MODULES_END) +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) +#define BPF_JIT_REGION_SIZE (SZ_128M) +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) +#define MODULES_VADDR (BPF_JIT_REGION_END) #define MODULES_VSIZE (SZ_128M) #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) #define PCI_IO_END (VMEMMAP_START - SZ_2M) diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c index a6fdaea07c63..76c2ab40c02d 100644 --- a/arch/arm64/net/bpf_jit_comp.c +++ b/arch/arm64/net/bpf_jit_comp.c @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) tmp : orig_prog); return prog; } + +void *bpf_jit_alloc_exec(unsigned long size) +{ + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, + BPF_JIT_REGION_END, GFP_KERNEL, + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +void bpf_jit_free_exec(void *addr) +{ + return vfree(addr); +} -- 2.19.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-11-23 22:18 ` [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory Ard Biesheuvel @ 2018-11-30 18:26 ` Will Deacon 2018-11-30 19:20 ` Ard Biesheuvel 0 siblings, 1 reply; 12+ messages in thread From: Will Deacon @ 2018-11-30 18:26 UTC (permalink / raw) To: Ard Biesheuvel Cc: linux-kernel, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, netdev On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: > The arm64 module region is a 128 MB region that is kept close to > the core kernel, in order to ensure that relative branches are > always in range. So using the same region for programs that do > not have this restriction is wasteful, and preferably avoided. > > Now that the core BPF JIT code permits the alloc/free routines to > be overridden, implement them by vmalloc()/vfree() calls from a > dedicated 128 MB region set aside for BPF programs. This ensures > that BPF programs are still in branching range of each other, which > is something the JIT currently depends upon (and is not guaranteed > when using module_alloc() on KASLR kernels like we do currently). > It also ensures that placement of BPF programs does not correlate > with the placement of the core kernel or modules, making it less > likely that leaking the former will reveal the latter. > > This also solves an issue under KASAN, where shadow memory is > needlessly allocated for all BPF programs (which don't require KASAN > shadow pages since they are not KASAN instrumented) > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > --- > arch/arm64/include/asm/memory.h | 5 ++++- > arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ > 2 files changed, 17 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h > index b96442960aea..ee20fc63899c 100644 > --- a/arch/arm64/include/asm/memory.h > +++ b/arch/arm64/include/asm/memory.h > @@ -62,8 +62,11 @@ > #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ > (UL(1) << (VA_BITS - 1)) + 1) > #define KIMAGE_VADDR (MODULES_END) > +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) > +#define BPF_JIT_REGION_SIZE (SZ_128M) > +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) > #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) > -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) > +#define MODULES_VADDR (BPF_JIT_REGION_END) > #define MODULES_VSIZE (SZ_128M) > #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) > #define PCI_IO_END (VMEMMAP_START - SZ_2M) > diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c > index a6fdaea07c63..76c2ab40c02d 100644 > --- a/arch/arm64/net/bpf_jit_comp.c > +++ b/arch/arm64/net/bpf_jit_comp.c > @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) > tmp : orig_prog); > return prog; > } > + > +void *bpf_jit_alloc_exec(unsigned long size) > +{ > + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, > + BPF_JIT_REGION_END, GFP_KERNEL, > + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, > + __builtin_return_address(0)); I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. In the meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? (although we'd need the size information...). Will ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-11-30 18:26 ` Will Deacon @ 2018-11-30 19:20 ` Ard Biesheuvel 2018-12-03 12:49 ` Will Deacon 0 siblings, 1 reply; 12+ messages in thread From: Ard Biesheuvel @ 2018-11-30 19:20 UTC (permalink / raw) To: Will Deacon Cc: Linux Kernel Mailing List, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: > > On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: > > The arm64 module region is a 128 MB region that is kept close to > > the core kernel, in order to ensure that relative branches are > > always in range. So using the same region for programs that do > > not have this restriction is wasteful, and preferably avoided. > > > > Now that the core BPF JIT code permits the alloc/free routines to > > be overridden, implement them by vmalloc()/vfree() calls from a > > dedicated 128 MB region set aside for BPF programs. This ensures > > that BPF programs are still in branching range of each other, which > > is something the JIT currently depends upon (and is not guaranteed > > when using module_alloc() on KASLR kernels like we do currently). > > It also ensures that placement of BPF programs does not correlate > > with the placement of the core kernel or modules, making it less > > likely that leaking the former will reveal the latter. > > > > This also solves an issue under KASAN, where shadow memory is > > needlessly allocated for all BPF programs (which don't require KASAN > > shadow pages since they are not KASAN instrumented) > > > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > --- > > arch/arm64/include/asm/memory.h | 5 ++++- > > arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ > > 2 files changed, 17 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h > > index b96442960aea..ee20fc63899c 100644 > > --- a/arch/arm64/include/asm/memory.h > > +++ b/arch/arm64/include/asm/memory.h > > @@ -62,8 +62,11 @@ > > #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ > > (UL(1) << (VA_BITS - 1)) + 1) > > #define KIMAGE_VADDR (MODULES_END) > > +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) > > +#define BPF_JIT_REGION_SIZE (SZ_128M) > > +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) > > #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) > > -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) > > +#define MODULES_VADDR (BPF_JIT_REGION_END) > > #define MODULES_VSIZE (SZ_128M) > > #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) > > #define PCI_IO_END (VMEMMAP_START - SZ_2M) > > diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c > > index a6fdaea07c63..76c2ab40c02d 100644 > > --- a/arch/arm64/net/bpf_jit_comp.c > > +++ b/arch/arm64/net/bpf_jit_comp.c > > @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) > > tmp : orig_prog); > > return prog; > > } > > + > > +void *bpf_jit_alloc_exec(unsigned long size) > > +{ > > + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, > > + BPF_JIT_REGION_END, GFP_KERNEL, > > + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, > > + __builtin_return_address(0)); > > I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. I think akpm already queued up that patch. > In the > meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? > (although we'd need the size information...). > Not sure. What exactly would that achieve? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-11-30 19:20 ` Ard Biesheuvel @ 2018-12-03 12:49 ` Will Deacon 2018-12-04 15:45 ` Ard Biesheuvel 0 siblings, 1 reply; 12+ messages in thread From: Will Deacon @ 2018-12-03 12:49 UTC (permalink / raw) To: Ard Biesheuvel Cc: Linux Kernel Mailing List, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> On Fri, Nov 30, 2018 at 08:20:06PM +0100, Ard Biesheuvel wrote: > On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: > > > > On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: > > > The arm64 module region is a 128 MB region that is kept close to > > > the core kernel, in order to ensure that relative branches are > > > always in range. So using the same region for programs that do > > > not have this restriction is wasteful, and preferably avoided. > > > > > > Now that the core BPF JIT code permits the alloc/free routines to > > > be overridden, implement them by vmalloc()/vfree() calls from a > > > dedicated 128 MB region set aside for BPF programs. This ensures > > > that BPF programs are still in branching range of each other, which > > > is something the JIT currently depends upon (and is not guaranteed > > > when using module_alloc() on KASLR kernels like we do currently). > > > It also ensures that placement of BPF programs does not correlate > > > with the placement of the core kernel or modules, making it less > > > likely that leaking the former will reveal the latter. > > > > > > This also solves an issue under KASAN, where shadow memory is > > > needlessly allocated for all BPF programs (which don't require KASAN > > > shadow pages since they are not KASAN instrumented) > > > > > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > > --- > > > arch/arm64/include/asm/memory.h | 5 ++++- > > > arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ > > > 2 files changed, 17 insertions(+), 1 deletion(-) > > > > > > diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h > > > index b96442960aea..ee20fc63899c 100644 > > > --- a/arch/arm64/include/asm/memory.h > > > +++ b/arch/arm64/include/asm/memory.h > > > @@ -62,8 +62,11 @@ > > > #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ > > > (UL(1) << (VA_BITS - 1)) + 1) > > > #define KIMAGE_VADDR (MODULES_END) > > > +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) > > > +#define BPF_JIT_REGION_SIZE (SZ_128M) > > > +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) > > > #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) > > > -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) > > > +#define MODULES_VADDR (BPF_JIT_REGION_END) > > > #define MODULES_VSIZE (SZ_128M) > > > #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) > > > #define PCI_IO_END (VMEMMAP_START - SZ_2M) > > > diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c > > > index a6fdaea07c63..76c2ab40c02d 100644 > > > --- a/arch/arm64/net/bpf_jit_comp.c > > > +++ b/arch/arm64/net/bpf_jit_comp.c > > > @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) > > > tmp : orig_prog); > > > return prog; > > > } > > > + > > > +void *bpf_jit_alloc_exec(unsigned long size) > > > +{ > > > + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, > > > + BPF_JIT_REGION_END, GFP_KERNEL, > > > + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, > > > + __builtin_return_address(0)); > > > > I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. > > I think akpm already queued up that patch. > > > In the > > meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? > > (although we'd need the size information...). > > > > Not sure. What exactly would that achieve? I think the zero encoding is guaranteed to be undefined, so it would limit the usefulness of any stale, executable TLB entries. However, we'd also need cache maintenance to make that stuff visible to the I side, so it's probably not worth it, especially if akpm has queued the stuff from Rich. Maybe just add an: /* FIXME: Remove this when VM_IMMEDIATE_UNMAP is supported */ #ifndef VM_IMMEDIATE_UNMAP #define VM_IMMEDIATE_UNMAP 0 #endif so we remember to come back and sort this out? Up to you. Will ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-12-03 12:49 ` Will Deacon @ 2018-12-04 15:45 ` Ard Biesheuvel 2018-12-05 12:24 ` Daniel Borkmann 0 siblings, 1 reply; 12+ messages in thread From: Ard Biesheuvel @ 2018-12-04 15:45 UTC (permalink / raw) To: Will Deacon Cc: Linux Kernel Mailing List, Daniel Borkmann, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> On Mon, 3 Dec 2018 at 13:49, Will Deacon <will.deacon@arm.com> wrote: > > On Fri, Nov 30, 2018 at 08:20:06PM +0100, Ard Biesheuvel wrote: > > On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: > > > > > > On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: > > > > The arm64 module region is a 128 MB region that is kept close to > > > > the core kernel, in order to ensure that relative branches are > > > > always in range. So using the same region for programs that do > > > > not have this restriction is wasteful, and preferably avoided. > > > > > > > > Now that the core BPF JIT code permits the alloc/free routines to > > > > be overridden, implement them by vmalloc()/vfree() calls from a > > > > dedicated 128 MB region set aside for BPF programs. This ensures > > > > that BPF programs are still in branching range of each other, which > > > > is something the JIT currently depends upon (and is not guaranteed > > > > when using module_alloc() on KASLR kernels like we do currently). > > > > It also ensures that placement of BPF programs does not correlate > > > > with the placement of the core kernel or modules, making it less > > > > likely that leaking the former will reveal the latter. > > > > > > > > This also solves an issue under KASAN, where shadow memory is > > > > needlessly allocated for all BPF programs (which don't require KASAN > > > > shadow pages since they are not KASAN instrumented) > > > > > > > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > > > --- > > > > arch/arm64/include/asm/memory.h | 5 ++++- > > > > arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ > > > > 2 files changed, 17 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h > > > > index b96442960aea..ee20fc63899c 100644 > > > > --- a/arch/arm64/include/asm/memory.h > > > > +++ b/arch/arm64/include/asm/memory.h > > > > @@ -62,8 +62,11 @@ > > > > #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ > > > > (UL(1) << (VA_BITS - 1)) + 1) > > > > #define KIMAGE_VADDR (MODULES_END) > > > > +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) > > > > +#define BPF_JIT_REGION_SIZE (SZ_128M) > > > > +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) > > > > #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) > > > > -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) > > > > +#define MODULES_VADDR (BPF_JIT_REGION_END) > > > > #define MODULES_VSIZE (SZ_128M) > > > > #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) > > > > #define PCI_IO_END (VMEMMAP_START - SZ_2M) > > > > diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c > > > > index a6fdaea07c63..76c2ab40c02d 100644 > > > > --- a/arch/arm64/net/bpf_jit_comp.c > > > > +++ b/arch/arm64/net/bpf_jit_comp.c > > > > @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) > > > > tmp : orig_prog); > > > > return prog; > > > > } > > > > + > > > > +void *bpf_jit_alloc_exec(unsigned long size) > > > > +{ > > > > + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, > > > > + BPF_JIT_REGION_END, GFP_KERNEL, > > > > + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, > > > > + __builtin_return_address(0)); > > > > > > I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. > > > > I think akpm already queued up that patch. > > > > > In the > > > meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? > > > (although we'd need the size information...). > > > > > > > Not sure. What exactly would that achieve? > > I think the zero encoding is guaranteed to be undefined, so it would limit > the usefulness of any stale, executable TLB entries. However, we'd also need > cache maintenance to make that stuff visible to the I side, so it's probably > not worth it, especially if akpm has queued the stuff from Rich. > > Maybe just add an: > > /* FIXME: Remove this when VM_IMMEDIATE_UNMAP is supported */ > #ifndef VM_IMMEDIATE_UNMAP > #define VM_IMMEDIATE_UNMAP 0 > #endif > > so we remember to come back and sort this out? Up to you. > I'll just make a note to send out that patch once the definition lands via -akpm ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-12-04 15:45 ` Ard Biesheuvel @ 2018-12-05 12:24 ` Daniel Borkmann 2018-12-05 13:24 ` Will Deacon 0 siblings, 1 reply; 12+ messages in thread From: Daniel Borkmann @ 2018-12-05 12:24 UTC (permalink / raw) To: Ard Biesheuvel, Will Deacon Cc: Linux Kernel Mailing List, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> Hi Will, On 12/04/2018 04:45 PM, Ard Biesheuvel wrote: > On Mon, 3 Dec 2018 at 13:49, Will Deacon <will.deacon@arm.com> wrote: >> On Fri, Nov 30, 2018 at 08:20:06PM +0100, Ard Biesheuvel wrote: >>> On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: >>>> On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: >>>>> The arm64 module region is a 128 MB region that is kept close to >>>>> the core kernel, in order to ensure that relative branches are >>>>> always in range. So using the same region for programs that do >>>>> not have this restriction is wasteful, and preferably avoided. >>>>> >>>>> Now that the core BPF JIT code permits the alloc/free routines to >>>>> be overridden, implement them by vmalloc()/vfree() calls from a >>>>> dedicated 128 MB region set aside for BPF programs. This ensures >>>>> that BPF programs are still in branching range of each other, which >>>>> is something the JIT currently depends upon (and is not guaranteed >>>>> when using module_alloc() on KASLR kernels like we do currently). >>>>> It also ensures that placement of BPF programs does not correlate >>>>> with the placement of the core kernel or modules, making it less >>>>> likely that leaking the former will reveal the latter. >>>>> >>>>> This also solves an issue under KASAN, where shadow memory is >>>>> needlessly allocated for all BPF programs (which don't require KASAN >>>>> shadow pages since they are not KASAN instrumented) >>>>> >>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> >>>>> --- >>>>> arch/arm64/include/asm/memory.h | 5 ++++- >>>>> arch/arm64/net/bpf_jit_comp.c | 13 +++++++++++++ >>>>> 2 files changed, 17 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h >>>>> index b96442960aea..ee20fc63899c 100644 >>>>> --- a/arch/arm64/include/asm/memory.h >>>>> +++ b/arch/arm64/include/asm/memory.h >>>>> @@ -62,8 +62,11 @@ >>>>> #define PAGE_OFFSET (UL(0xffffffffffffffff) - \ >>>>> (UL(1) << (VA_BITS - 1)) + 1) >>>>> #define KIMAGE_VADDR (MODULES_END) >>>>> +#define BPF_JIT_REGION_START (VA_START + KASAN_SHADOW_SIZE) >>>>> +#define BPF_JIT_REGION_SIZE (SZ_128M) >>>>> +#define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE) >>>>> #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) >>>>> -#define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) >>>>> +#define MODULES_VADDR (BPF_JIT_REGION_END) >>>>> #define MODULES_VSIZE (SZ_128M) >>>>> #define VMEMMAP_START (PAGE_OFFSET - VMEMMAP_SIZE) >>>>> #define PCI_IO_END (VMEMMAP_START - SZ_2M) >>>>> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c >>>>> index a6fdaea07c63..76c2ab40c02d 100644 >>>>> --- a/arch/arm64/net/bpf_jit_comp.c >>>>> +++ b/arch/arm64/net/bpf_jit_comp.c >>>>> @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) >>>>> tmp : orig_prog); >>>>> return prog; >>>>> } >>>>> + >>>>> +void *bpf_jit_alloc_exec(unsigned long size) >>>>> +{ >>>>> + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, >>>>> + BPF_JIT_REGION_END, GFP_KERNEL, >>>>> + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, >>>>> + __builtin_return_address(0)); >>>> >>>> I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. >>> >>> I think akpm already queued up that patch. >>> >>>> In the >>>> meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? >>>> (although we'd need the size information...). >>>> >>> >>> Not sure. What exactly would that achieve? >> >> I think the zero encoding is guaranteed to be undefined, so it would limit >> the usefulness of any stale, executable TLB entries. However, we'd also need >> cache maintenance to make that stuff visible to the I side, so it's probably >> not worth it, especially if akpm has queued the stuff from Rich. >> >> Maybe just add an: >> >> /* FIXME: Remove this when VM_IMMEDIATE_UNMAP is supported */ >> #ifndef VM_IMMEDIATE_UNMAP >> #define VM_IMMEDIATE_UNMAP 0 >> #endif >> >> so we remember to come back and sort this out? Up to you. > > I'll just make a note to send out that patch once the definition lands via -akpm Could I get an ACK from you for this patch, then I'd take the series into bpf-next. Thanks, Daniel ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-12-05 12:24 ` Daniel Borkmann @ 2018-12-05 13:24 ` Will Deacon 2018-12-05 15:40 ` Daniel Borkmann 0 siblings, 1 reply; 12+ messages in thread From: Will Deacon @ 2018-12-05 13:24 UTC (permalink / raw) To: Daniel Borkmann Cc: Ard Biesheuvel, Linux Kernel Mailing List, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> On Wed, Dec 05, 2018 at 01:24:17PM +0100, Daniel Borkmann wrote: > On 12/04/2018 04:45 PM, Ard Biesheuvel wrote: > > On Mon, 3 Dec 2018 at 13:49, Will Deacon <will.deacon@arm.com> wrote: > >> On Fri, Nov 30, 2018 at 08:20:06PM +0100, Ard Biesheuvel wrote: > >>> On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: > >>>> On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: > >>>>> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c > >>>>> index a6fdaea07c63..76c2ab40c02d 100644 > >>>>> --- a/arch/arm64/net/bpf_jit_comp.c > >>>>> +++ b/arch/arm64/net/bpf_jit_comp.c > >>>>> @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) > >>>>> tmp : orig_prog); > >>>>> return prog; > >>>>> } > >>>>> + > >>>>> +void *bpf_jit_alloc_exec(unsigned long size) > >>>>> +{ > >>>>> + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, > >>>>> + BPF_JIT_REGION_END, GFP_KERNEL, > >>>>> + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, > >>>>> + __builtin_return_address(0)); > >>>> > >>>> I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. > >>> > >>> I think akpm already queued up that patch. > >>> > >>>> In the > >>>> meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? > >>>> (although we'd need the size information...). > >>>> > >>> > >>> Not sure. What exactly would that achieve? > >> > >> I think the zero encoding is guaranteed to be undefined, so it would limit > >> the usefulness of any stale, executable TLB entries. However, we'd also need > >> cache maintenance to make that stuff visible to the I side, so it's probably > >> not worth it, especially if akpm has queued the stuff from Rich. > >> > >> Maybe just add an: > >> > >> /* FIXME: Remove this when VM_IMMEDIATE_UNMAP is supported */ > >> #ifndef VM_IMMEDIATE_UNMAP > >> #define VM_IMMEDIATE_UNMAP 0 > >> #endif > >> > >> so we remember to come back and sort this out? Up to you. > > > > I'll just make a note to send out that patch once the definition lands via -akpm > > Could I get an ACK from you for this patch, then I'd take the series into bpf-next. Gah, thanks for the ping: I thought I acked this initially, but turns out I didn't. Acked-by: Will Deacon <will.deacon@arm.com> Will ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory 2018-12-05 13:24 ` Will Deacon @ 2018-12-05 15:40 ` Daniel Borkmann 0 siblings, 0 replies; 12+ messages in thread From: Daniel Borkmann @ 2018-12-05 15:40 UTC (permalink / raw) To: Will Deacon Cc: Ard Biesheuvel, Linux Kernel Mailing List, Alexei Starovoitov, Rick Edgecombe, Eric Dumazet, Jann Horn, Kees Cook, Jessica Yu, Arnd Bergmann, Catalin Marinas, Mark Rutland, David S. Miller, linux-arm-kernel, <netdev@vger.kernel.org> On 12/05/2018 02:24 PM, Will Deacon wrote: > On Wed, Dec 05, 2018 at 01:24:17PM +0100, Daniel Borkmann wrote: >> On 12/04/2018 04:45 PM, Ard Biesheuvel wrote: >>> On Mon, 3 Dec 2018 at 13:49, Will Deacon <will.deacon@arm.com> wrote: >>>> On Fri, Nov 30, 2018 at 08:20:06PM +0100, Ard Biesheuvel wrote: >>>>> On Fri, 30 Nov 2018 at 19:26, Will Deacon <will.deacon@arm.com> wrote: >>>>>> On Fri, Nov 23, 2018 at 11:18:04PM +0100, Ard Biesheuvel wrote: >>>>>>> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c >>>>>>> index a6fdaea07c63..76c2ab40c02d 100644 >>>>>>> --- a/arch/arm64/net/bpf_jit_comp.c >>>>>>> +++ b/arch/arm64/net/bpf_jit_comp.c >>>>>>> @@ -940,3 +940,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) >>>>>>> tmp : orig_prog); >>>>>>> return prog; >>>>>>> } >>>>>>> + >>>>>>> +void *bpf_jit_alloc_exec(unsigned long size) >>>>>>> +{ >>>>>>> + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, >>>>>>> + BPF_JIT_REGION_END, GFP_KERNEL, >>>>>>> + PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, >>>>>>> + __builtin_return_address(0)); >>>>>> >>>>>> I guess we'll want VM_IMMEDIATE_UNMAP here if Rich gets that merged. >>>>> >>>>> I think akpm already queued up that patch. >>>>> >>>>>> In the >>>>>> meantime, I wonder if it's worth zeroing the region in bpf_jit_free_exec()? >>>>>> (although we'd need the size information...). >>>>>> >>>>> >>>>> Not sure. What exactly would that achieve? >>>> >>>> I think the zero encoding is guaranteed to be undefined, so it would limit >>>> the usefulness of any stale, executable TLB entries. However, we'd also need >>>> cache maintenance to make that stuff visible to the I side, so it's probably >>>> not worth it, especially if akpm has queued the stuff from Rich. >>>> >>>> Maybe just add an: >>>> >>>> /* FIXME: Remove this when VM_IMMEDIATE_UNMAP is supported */ >>>> #ifndef VM_IMMEDIATE_UNMAP >>>> #define VM_IMMEDIATE_UNMAP 0 >>>> #endif >>>> >>>> so we remember to come back and sort this out? Up to you. >>> >>> I'll just make a note to send out that patch once the definition lands via -akpm >> >> Could I get an ACK from you for this patch, then I'd take the series into bpf-next. > > Gah, thanks for the ping: I thought I acked this initially, but turns out I > didn't. > > Acked-by: Will Deacon <will.deacon@arm.com> Applied, thanks everyone! ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2018-12-05 23:37 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-11-23 22:18 [PATCH v4 0/2] bpf: permit JIT allocations to be served outside the module region Ard Biesheuvel 2018-11-23 22:18 ` [PATCH v4 1/2] bpf: add __weak hook for allocating executable memory Ard Biesheuvel 2018-11-26 17:02 ` Edgecombe, Rick P 2018-12-05 23:37 ` Kees Cook 2018-11-23 22:18 ` [PATCH v4 2/2] arm64/bpf: don't allocate BPF JIT programs in module memory Ard Biesheuvel 2018-11-30 18:26 ` Will Deacon 2018-11-30 19:20 ` Ard Biesheuvel 2018-12-03 12:49 ` Will Deacon 2018-12-04 15:45 ` Ard Biesheuvel 2018-12-05 12:24 ` Daniel Borkmann 2018-12-05 13:24 ` Will Deacon 2018-12-05 15:40 ` Daniel Borkmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).