On Sun, Sep 25, 2022 at 9:44 AM Dave Hansen <dave.hansen@xxxxxxxxx> wrote: > > On 9/25/22 04:18, syzbot wrote: > > ------------[ cut here ]------------ > > CPA refuse W^X violation: 8000000000000163 -> 0000000000000163 range: 0xffffffffa0401000 - 0xffffffffa0401fff PFN 7d8d5 > > WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 verify_rwx arch/x86/mm/pat/set_memory.c:600 [inline] > > WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 __change_page_attr arch/x86/mm/pat/set_memory.c:1569 [inline] > > WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 __change_page_attr_set_clr+0x1f40/0x2020 arch/x86/mm/pat/set_memory.c:1691 > > Modules linked in: > > Yay, one of these that isn't due to wonky 32-bit kernels! > > This one looks to be naughty intentionally: > > > void *bpf_jit_alloc_exec_page(void) > > { > ... > > /* Keep image as writeable. The alternative is to keep flipping ro/rw > > * every time new program is attached or detached. > > */ > > set_memory_x((long)image, 1); > > return image; > > } > > For STRICT_KERNEL_RWX kernels, I think we would really rather that this > code *did* flip ro/rw every time a new BPF program is attached or detached. Steven Rostedt noticed that comment around the middle of August and told you and Peter about it. Then Peter added a WARN_ONCE in commit https://lore.kernel.org/all/YwySW3ROc21hN7g9@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ to explicitly trigger that known issue. Sure enough the fedora fails to boot on linux-next since then, because systemd is loading bpf programs that use bpf trampoline. The boot issue was was reported 3 days ago: https://lore.kernel.org/bpf/c84cc27c1a5031a003039748c3c099732a718aec.camel@xxxxxxxxxx/T/#u Now we're trying to urgently address it with: https://lore.kernel.org/bpf/20220923211837.3044723-1-song@xxxxxxxxxx/ So instead of pinging us with your w^x concern you've decided to fail hard in -next to force the issue and now acting like this is something surprising to you?! This is Code of Conduct "worthy" behavior demonstrated by a newly elected member of the Technical Advisory Board. Please consider resigning. A TAB member should be better than this. As far as this w^x issue... we've communicated back in May 2022 (sorry I cannot find the link to that discussion) that bpf_prog_pack is targeting to be used by everything bpf. Currently by bpf progs only. bpf trampoline and bpf dispatcher were next on the list. But then folks expressed the desire to generalize bpf_prog_pack for everything: bpf, modules and all other trampolines. We've posted multiple revisions and kept pinging for feedback. The last one on Aug 24: https://lkml.org/lkml/2022/8/24/857 If/when the generic vmalloc_exec lands we can finally close the issue for modules, bpf progs, and trampolines of all kinds. Make them fast by using large pages and w^x compliant. And, sorry, "flip ro/rw every time" is not a good idea from security pov. There is a much better solution that stalled on the code review. In the meantime we'll land a quick fix to re-enable boot in -next in the coming days.