> On Nov 17, 2021, at 2:01 PM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: > > On Wed, Nov 17, 2021 at 09:36:27PM +0000, Song Liu wrote: >> >> >>> On Nov 16, 2021, at 12:00 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: >>> >>> On Mon, Nov 15, 2021 at 11:13:42PM -0800, Song Liu wrote: >>>> These allow setting ro/x for module_alloc() mapping, while leave the >>>> linear mapping rw/nx. >>> >>> This needs a very strong rationale for *why*. How does this not >>> trivially circumvent W^X ? >> >> In this case, we want to have multiple BPF programs sharing the 2MB page. >> When the JIT engine is working on one program, we would rather existing >> BPF programs on the same page stay on RO+X mapping (the module_alloc() >> address). The solution in this version is to let the JIT engine write to >> the page via linear address. >> >> An alternative is to only use the module_alloc() address, and flip the >> read-only bit (of the whole 2MB page) back and forth. However, this >> requires some serialization among different JIT jobs. > > Neither options seem acceptible to me as they both violate W^X. > > Please have a close look at arch/x86/kernel/alternative.c:__text_poke() > for how we modify active text. I think that or something very similar is > the only option. By having an alias in a special (user) address space > that is not accessible by any other CPU, only the poking CPU can expoit > this (temporary) hole, which is a much larger ask than any of the > proposed options. I would agree that __text_poke() is a safer option. But in this case, we will need the temporary hole to be 2MB in size. Also, we will probably hold the temporary mapping for longer time (the whole JITing process). Does this sound reasonable? Thanks, Song
