Jordan Niethe <jniet...@gmail.com> writes: > On Wed, Mar 31, 2021 at 9:37 PM Michael Ellerman <m...@ellerman.id.au> wrote: >> >> Jordan Niethe <jniet...@gmail.com> writes: >> >> > Once CONFIG_STRICT_MODULE_RWX is enabled there will be no need to >> > override bpf_jit_free() because it is now possible to set images >> > read-only. So use the default implementation. >> > >> > Also add the necessary call to bpf_jit_binary_lock_ro() which will >> > remove write protection and add exec protection to the JIT image after >> > it has finished being written. >> > >> > Signed-off-by: Jordan Niethe <jniet...@gmail.com> >> > --- >> > v10: New to series >> > --- >> > arch/powerpc/net/bpf_jit_comp.c | 5 ++++- >> > arch/powerpc/net/bpf_jit_comp64.c | 4 ++++ >> > 2 files changed, 8 insertions(+), 1 deletion(-) >> > >> > diff --git a/arch/powerpc/net/bpf_jit_comp.c >> > b/arch/powerpc/net/bpf_jit_comp.c >> > index e809cb5a1631..8015e4a7d2d4 100644 >> > --- a/arch/powerpc/net/bpf_jit_comp.c >> > +++ b/arch/powerpc/net/bpf_jit_comp.c >> > @@ -659,12 +659,15 @@ void bpf_jit_compile(struct bpf_prog *fp) >> > bpf_jit_dump(flen, proglen, pass, code_base); >> > >> > bpf_flush_icache(code_base, code_base + (proglen/4)); >> > - >> > #ifdef CONFIG_PPC64 >> > /* Function descriptor nastiness: Address + TOC */ >> > ((u64 *)image)[0] = (u64)code_base; >> > ((u64 *)image)[1] = local_paca->kernel_toc; >> > #endif >> > + if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) { >> > + set_memory_ro((unsigned long)image, alloclen >> PAGE_SHIFT); >> > + set_memory_x((unsigned long)image, alloclen >> PAGE_SHIFT); >> > + } >> >> You don't need to check the ifdef in a caller, there are stubs that >> compile to nothing when CONFIG_ARCH_HAS_SET_MEMORY=n.
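
Review bot: The return values of set_memory_ro() and set_memory_x() in the new IS_ENABLED(CONFIG_STRICT_MODULE_RWX) block at the end of this hunk are ignored, so if set_memory_ro() fails the image stays writable and the next call still marks it executable. Both helpers return int; consider checking each result and abandoning the JIT on failure rather than continuing with an image that is both writable and executable. Separately, `alloclen >> PAGE_SHIFT` rounds down, so it is worth confirming (or stating in a comment) that alloclen is always a whole number of pages, since otherwise the last partial page of the image is left out of both calls. The commit message also names bpf_jit_binary_lock_ro() while this file calls set_memory_ro() and set_memory_x() directly, and the hunk drops the blank line after bpf_flush_icache(), an unrelated whitespace change; a sentence in the changelog covering the first and dropping the second would tidy this up.
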
> As Christophe pointed out we could have !CONFIG_STRICT_MODULE_RWX and
> CONFIG_ARCH_HAS_SET_MEMORY which would then be wrong here.
> Probably we could make CONFIG_ARCH_HAS_SET_MEMORY depend on
> CONFIG_STRICT_MODULE_RWX?

I thought it already did depend on it :)

That seems a reasonable dependency to me.

cheers