bpf: improve read-only handling

borkmann · davem330 · commit 65869a47f348 · 2017-03-12T23:51:34.000-07:00
Improve bpf_{prog,jit_binary}_{un,}lock_ro() by throwing a
one-time warning in case of an error when the image couldn't
be set read-only, and also mark struct bpf_prog as locked when
bpf_prog_lock_ro() was called.

Reason for the latter is that bpf_prog_unlock_ro() is called from
various places including error paths, and we shouldn't mess with
page attributes when really not needed.

For bpf_jit_binary_unlock_ro() this is not needed as jited flag
implicitly indicates this, thus for archs with ARCH_HAS_SET_MEMORY
we're guaranteed to have a previously locked image. Overall, this
should also help us to identify any further potential issues with
set_memory_*() helpers.

Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/include/linux/filter.h b/include/linux/filter.h
@@ -409,6 +409,7 @@ struct bpf_prog {
 	u16			pages;		/* Number of allocated pages */
 	kmemcheck_bitfield_begin(meta);
 	u16			jited:1,	/* Is our filter JIT'ed? */
+				locked:1,	/* Program image locked? */
 				gpl_compatible:1, /* Is filter GPL compatible? */
 				cb_access:1,	/* Is control block accessed? */
 				dst_needed:1,	/* Do we need dst entry? */
@@ -554,22 +555,29 @@ static inline bool bpf_prog_was_classic(const struct bpf_prog *prog)
 #ifdef CONFIG_ARCH_HAS_SET_MEMORY
 static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
 {
-	set_memory_ro((unsigned long)fp, fp->pages);
+	fp->locked = 1;
+	WARN_ON_ONCE(set_memory_ro((unsigned long)fp, fp->pages));
 }
 
 static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
 {
-	set_memory_rw((unsigned long)fp, fp->pages);
+	if (fp->locked) {
+		WARN_ON_ONCE(set_memory_rw((unsigned long)fp, fp->pages));
+		/* In case set_memory_rw() fails, we want to be the first
+		 * to crash here instead of some random place later on.
+		 */
+		fp->locked = 0;
+	}
 }
 
 static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
 {
-	set_memory_ro((unsigned long)hdr, hdr->pages);
+	WARN_ON_ONCE(set_memory_ro((unsigned long)hdr, hdr->pages));
 }
 
 static inline void bpf_jit_binary_unlock_ro(struct bpf_binary_header *hdr)
 {
-	set_memory_rw((unsigned long)hdr, hdr->pages);
+	WARN_ON_ONCE(set_memory_rw((unsigned long)hdr, hdr->pages));
 }
 #else
 static inline void bpf_prog_lock_ro(struct bpf_prog *fp)

Original file line number	Diff line number	Diff line change
`@@ -409,6 +409,7 @@ struct bpf_prog {`
`409`	`409`	`u16 pages; /* Number of allocated pages */`
`410`	`410`	`kmemcheck_bitfield_begin(meta);`
`411`	`411`	`u16 jited:1, /* Is our filter JIT'ed? */`
	`412`	`+ locked:1, /* Program image locked? */`
`412`	`413`	`gpl_compatible:1, /* Is filter GPL compatible? */`
`413`	`414`	`cb_access:1, /* Is control block accessed? */`
`414`	`415`	`dst_needed:1, /* Do we need dst entry? */`
`@@ -554,22 +555,29 @@ static inline bool bpf_prog_was_classic(const struct bpf_prog *prog)`
`554`	`555`	`#ifdef CONFIG_ARCH_HAS_SET_MEMORY`
`555`	`556`	`static inline void bpf_prog_lock_ro(struct bpf_prog *fp)`
`556`	`557`	`{`
`557`		`- set_memory_ro((unsigned long)fp, fp->pages);`
	`558`	`+ fp->locked = 1;`
	`559`	`+ WARN_ON_ONCE(set_memory_ro((unsigned long)fp, fp->pages));`
`558`	`560`	`}`
`559`	`561`
`560`	`562`	`static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)`
`561`	`563`	`{`
`562`		`- set_memory_rw((unsigned long)fp, fp->pages);`
	`564`	`+ if (fp->locked) {`
	`565`	`+ WARN_ON_ONCE(set_memory_rw((unsigned long)fp, fp->pages));`
	`566`	`+ /* In case set_memory_rw() fails, we want to be the first`
	`567`	`+ * to crash here instead of some random place later on.`
	`568`	`+ */`
	`569`	`+ fp->locked = 0;`
	`570`	`+ }`
`563`	`571`	`}`
`564`	`572`
`565`	`573`	`static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)`
`566`	`574`	`{`
`567`		`- set_memory_ro((unsigned long)hdr, hdr->pages);`
	`575`	`+ WARN_ON_ONCE(set_memory_ro((unsigned long)hdr, hdr->pages));`
`568`	`576`	`}`
`569`	`577`
`570`	`578`	`static inline void bpf_jit_binary_unlock_ro(struct bpf_binary_header *hdr)`
`571`	`579`	`{`
`572`		`- set_memory_rw((unsigned long)hdr, hdr->pages);`
	`580`	`+ WARN_ON_ONCE(set_memory_rw((unsigned long)hdr, hdr->pages));`
`573`	`581`	`}`
`574`	`582`	`#else`
`575`	`583`	`static inline void bpf_prog_lock_ro(struct bpf_prog *fp)`