From: Maxwell Bland <mbland@motorola.com>
To: linux-arm-kernel@lists.infradead.org
Cc: mark.rutland@arm.com, linux-efi@vger.kernel.org,
david@redhat.com, catalin.marinas@arm.com,
dave.hansen@linux.intel.com, ast@kernel.org,
linux@armlinux.org.uk, linux-mm@kvack.org,
ryabinin.a.a@gmail.com, glider@google.com,
kasan-dev@googlegroups.com, yonghong.song@linux.dev,
wuqiang.matt@bytedance.com, agordeev@linux.ibm.com,
vincenzo.frascino@arm.com, will@kernel.org, ardb@kernel.org,
michael.christie@oracle.com, quic_nprakash@quicinc.com,
linux-arch@vger.kernel.org, hch@infradead.org, gor@linux.ibm.com,
daniel@iogearbox.net, mst@redhat.com, john.fastabend@gmail.com,
andrii@kernel.org, aneesh.kumar@kernel.org, urezki@gmail.com,
samitolvanen@google.com, zlim.lnx@gmail.com,
naveen.n.rao@linux.ibm.com, dennis@kernel.org,
borntraeger@linux.ibm.com, cl@linux.com, aou@eecs.berkeley.edu,
ryan.roberts@arm.com, arnd@arndb.de, linux-s390@vger.kernel.org,
hca@linux.ibm.com, mbland@motorola.com, npiggin@gmail.com,
kpsingh@kernel.org, meted@linux.ibm.com,
quic_pkondeti@quicinc.com, paul.walm sley@sifive.com,
surenb@google.com, akpm@linux-foundation.org, dvyukov@google.com,
andreyknvl@gmail.com, haoluo@google.com, brauner@kernel.org,
mjguzik@gmail.com, lstoakes@gmail.com, song@kernel.org,
gregkh@linuxfoundation.org, muchun.song@linux.dev,
linux-kernel@vger.kernel.org, awheeler@motorola.com,
martin.lau@linux.dev, linux-riscv@lists.infradead.org,
palmer@dabbelt.com, svens@linux.ibm.com, jolsa@kernel.org,
tj@kernel.org, guoren@kernel.org, bpf@vger.kernel.org,
rick.p.edgecombe@intel.com, linuxppc-dev@lists.ozlabs.org,
sdf@google.com
Subject: [PATCH 3/4] arm64: separate code and data virtual memory allocation
Date: Tue, 20 Feb 2024 14:32:55 -0600 [thread overview]
Message-ID: <20240220203256.31153-4-mbland@motorola.com> (raw)
In-Reply-To: <20240220203256.31153-1-mbland@motorola.com>
Current BPF and kprobe instruction allocation interfaces do not match
the base kernel and intermingle code and data pages within the same
sections. In the case of BPF, this appears to be a result of code
duplication between the kernel's JIT compiler and arm64's JIT. However,
This is no longer necessary given the possibility of overriding vmalloc
wrapper functions.
arm64's vmalloc_node routines now include a layer of indirection which
splits the vmalloc region into two segments surrounding the middle
module_alloc region determined by ASLR. To support this,
code_region_start and code_region_end are defined to match the 2GB
boundary chosen by the kernel module ASLR initialization routine.
The result is a large benefits to overall kernel security, as code pages
now remain protected by this ASLR routine and protections can be defined
linearly for code regions rather than through PTE-level tracking.
Signed-off-by: Maxwell Bland <mbland@motorola.com>
---
arch/arm64/include/asm/vmalloc.h | 3 ++
arch/arm64/kernel/module.c | 7 ++++
arch/arm64/kernel/probes/kprobes.c | 2 +-
arch/arm64/mm/Makefile | 3 +-
arch/arm64/mm/vmalloc.c | 57 ++++++++++++++++++++++++++++++
arch/arm64/net/bpf_jit_comp.c | 5 +--
6 files changed, 73 insertions(+), 4 deletions(-)
create mode 100644 arch/arm64/mm/vmalloc.c
diff --git a/arch/arm64/include/asm/vmalloc.h b/arch/arm64/include/asm/vmalloc.h
index 38fafffe699f..dbcf8ad20265 100644
--- a/arch/arm64/include/asm/vmalloc.h
+++ b/arch/arm64/include/asm/vmalloc.h
@@ -31,4 +31,7 @@ static inline pgprot_t arch_vmap_pgprot_tagged(pgprot_t prot)
return pgprot_tagged(prot);
}
+extern unsigned long code_region_start __ro_after_init;
+extern unsigned long code_region_end __ro_after_init;
+
#endif /* _ASM_ARM64_VMALLOC_H */
diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
index dd851297596e..c4fe753a71a9 100644
--- a/arch/arm64/kernel/module.c
+++ b/arch/arm64/kernel/module.c
@@ -29,6 +29,10 @@
static u64 module_direct_base __ro_after_init = 0;
static u64 module_plt_base __ro_after_init = 0;
+/* For pre-init vmalloc, assume the worst-case code range */
+unsigned long code_region_start __ro_after_init = (u64) (_end - SZ_2G);
+unsigned long code_region_end __ro_after_init = (u64) (_text + SZ_2G);
+
/*
* Choose a random page-aligned base address for a window of 'size' bytes which
* entirely contains the interval [start, end - 1].
@@ -101,6 +105,9 @@ static int __init module_init_limits(void)
module_plt_base = random_bounding_box(SZ_2G, min, max);
}
+ code_region_start = module_plt_base;
+ code_region_end = module_plt_base + SZ_2G;
+
pr_info("%llu pages in range for non-PLT usage",
module_direct_base ? (SZ_128M - kernel_size) / PAGE_SIZE : 0);
pr_info("%llu pages in range for PLT usage",
diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c
index 70b91a8c6bb3..c9e109d6c8bc 100644
--- a/arch/arm64/kernel/probes/kprobes.c
+++ b/arch/arm64/kernel/probes/kprobes.c
@@ -131,7 +131,7 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
void *alloc_insn_page(void)
{
- return __vmalloc_node_range(PAGE_SIZE, 1, VMALLOC_START, VMALLOC_END,
+ return __vmalloc_node_range(PAGE_SIZE, 1, code_region_start, code_region_end,
GFP_KERNEL, PAGE_KERNEL_ROX, VM_FLUSH_RESET_PERMS,
NUMA_NO_NODE, __builtin_return_address(0));
}
diff --git a/arch/arm64/mm/Makefile b/arch/arm64/mm/Makefile
index dbd1bc95967d..730b805d8388 100644
--- a/arch/arm64/mm/Makefile
+++ b/arch/arm64/mm/Makefile
@@ -2,7 +2,8 @@
obj-y := dma-mapping.o extable.o fault.o init.o \
cache.o copypage.o flush.o \
ioremap.o mmap.o pgd.o mmu.o \
- context.o proc.o pageattr.o fixmap.o
+ context.o proc.o pageattr.o fixmap.o \
+ vmalloc.o
obj-$(CONFIG_HUGETLB_PAGE) += hugetlbpage.o
obj-$(CONFIG_PTDUMP_CORE) += ptdump.o
obj-$(CONFIG_PTDUMP_DEBUGFS) += ptdump_debugfs.o
diff --git a/arch/arm64/mm/vmalloc.c b/arch/arm64/mm/vmalloc.c
new file mode 100644
index 000000000000..b6d2fa841f90
--- /dev/null
+++ b/arch/arm64/mm/vmalloc.c
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <linux/vmalloc.h>
+#include <linux/mm.h>
+
+static void *__vmalloc_node_range_split(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end,
+ unsigned long exclusion_start, unsigned long exclusion_end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+ const void *caller)
+{
+ void *res = NULL;
+
+ res = __vmalloc_node_range(size, align, start, exclusion_start,
+ gfp_mask, prot, vm_flags, node, caller);
+ if (!res)
+ res = __vmalloc_node_range(size, align, exclusion_end, end,
+ gfp_mask, prot, vm_flags, node, caller);
+
+ return res;
+}
+
+void *__vmalloc_node(unsigned long size, unsigned long align,
+ gfp_t gfp_mask, unsigned long vm_flags, int node,
+ const void *caller)
+{
+ return __vmalloc_node_range_split(size, align, VMALLOC_START,
+ VMALLOC_END, code_region_start, code_region_end,
+ gfp_mask, PAGE_KERNEL, vm_flags, node, caller);
+}
+
+void *vmalloc_huge(unsigned long size, gfp_t gfp_mask)
+{
+ return __vmalloc_node_range_split(size, 1, VMALLOC_START, VMALLOC_END,
+ code_region_start, code_region_end,
+ gfp_mask, PAGE_KERNEL, VM_ALLOW_HUGE_VMAP,
+ NUMA_NO_NODE, __builtin_return_address(0));
+}
+
+void *vmalloc_user(unsigned long size)
+{
+ return __vmalloc_node_range_split(size, SHMLBA, VMALLOC_START, VMALLOC_END,
+ code_region_start, code_region_end,
+ GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL,
+ VM_USERMAP, NUMA_NO_NODE,
+ __builtin_return_address(0));
+}
+
+void *vmalloc_32_user(unsigned long size)
+{
+ return __vmalloc_node_range_split(size, SHMLBA, VMALLOC_START, VMALLOC_END,
+ code_region_start, code_region_end,
+ GFP_VMALLOC32 | __GFP_ZERO, PAGE_KERNEL,
+ VM_USERMAP, NUMA_NO_NODE,
+ __builtin_return_address(0));
+}
+
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 8955da5c47cf..40426f3a9bdf 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -13,6 +13,7 @@
#include <linux/memory.h>
#include <linux/printk.h>
#include <linux/slab.h>
+#include <linux/moduleloader.h>
#include <asm/asm-extable.h>
#include <asm/byteorder.h>
@@ -1690,12 +1691,12 @@ u64 bpf_jit_alloc_exec_limit(void)
void *bpf_jit_alloc_exec(unsigned long size)
{
/* Memory is intended to be executable, reset the pointer tag. */
- return kasan_reset_tag(vmalloc(size));
+ return kasan_reset_tag(module_alloc(size));
}
void bpf_jit_free_exec(void *addr)
{
- return vfree(addr);
+ return module_memfree(addr);
}
/* Indicate the JIT backend supports mixing bpf2bpf and tailcalls. */
--
2.39.2
next prev parent reply other threads:[~2024-02-20 22:26 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-20 20:32 [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration Maxwell Bland
2024-02-20 20:32 ` [PATCH 1/4] mm/vmalloc: allow arch-specific vmalloc_node overrides Maxwell Bland
2024-02-21 5:43 ` Christoph Hellwig
2024-02-21 7:38 ` Christophe Leroy
2024-02-21 6:59 ` Christophe Leroy
2024-02-21 17:19 ` Maxwell Bland
2024-02-20 20:32 ` [PATCH 2/4] mm: pgalloc: support address-conditional pmd allocation Maxwell Bland
2024-02-21 7:13 ` Christophe Leroy
2024-02-21 9:27 ` David Hildenbrand
2024-02-21 15:54 ` [External] " Maxwell Bland
2024-02-20 20:32 ` Maxwell Bland [this message]
2024-02-21 7:20 ` [PATCH 3/4] arm64: separate code and data virtual memory allocation Christophe Leroy
2024-02-20 20:32 ` [PATCH 4/4] arm64: dynamic enforcement of pmd-level PXNTable Maxwell Bland
2024-02-21 7:32 ` [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration Christophe Leroy
2024-02-21 17:57 ` Maxwell Bland
2024-02-21 14:50 ` Conor Dooley
2024-02-21 15:42 ` [External] " Maxwell Bland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240220203256.31153-4-mbland@motorola.com \
--to=mbland@motorola.com \
--cc=agordeev@linux.ibm.com \
--cc=andrii@kernel.org \
--cc=aneesh.kumar@kernel.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=borntraeger@linux.ibm.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=dennis@kernel.org \
--cc=glider@google.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=hch@infradead.org \
--cc=john.fastabend@gmail.com \
--cc=kasan-dev@googlegroups.com \
--cc=kpsingh@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mark.rutland@arm.com \
--cc=meted@linux.ibm.com \
--cc=michael.christie@oracle.com \
--cc=mst@redhat.com \
--cc=naveen.n.rao@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=quic_nprakash@quicinc.com \
--cc=quic_pkondeti@quicinc.com \
--cc=ryabinin.a.a@gmail.com \
--cc=ryan.roberts@arm.com \
--cc=samitolvanen@google.com \
--cc=urezki@gmail.com \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
--cc=wuqiang.matt@bytedance.com \
--cc=yonghong.song@linux.dev \
--cc=zlim.lnx@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).