AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
cec1680591
kernel_optimize_test/kernel/bpf
History
Daniel Borkmann ede95a63b5 bpf: add bpf_jit_limit knob to restrict unpriv allocations 
Rick reported that the BPF JIT could potentially fill the entire module
space with BPF programs from unprivileged users which would prevent later
attempts to load normal kernel modules or privileged BPF programs, for
example. If JIT was enabled but unsuccessful to generate the image, then
before commit 290af86629 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
we would always fall back to the BPF interpreter. Nowadays in the case
where the CONFIG_BPF_JIT_ALWAYS_ON could be set, then the load will abort
with a failure since the BPF interpreter was compiled out.

Add a global limit and enforce it for unprivileged users such that in case
of BPF interpreter compiled out we fail once the limit has been reached
or we fall back to BPF interpreter earlier w/o using module mem if latter
was compiled in. In a next step, fair share among unprivileged users can
be resolved in particular for the case where we would fail hard once limit
is reached.

Fixes: 290af86629 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
Fixes: 0a14842f5a ("net: filter: Just In Time compiler for x86-64")
Co-Developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2018-10-25 17:11:42 -07:00
..
arraymap.c
bpf_lru_list.c
bpf_lru_list.h
btf.c bpf, btf: fix a missing check bug in btf_parse 2018-10-26 00:42:03 +02:00
cgroup.c bpf: add cg_skb_is_valid_access for BPF_PROG_TYPE_CGROUP_SKB 2018-10-19 13:49:34 -07:00
core.c bpf: add bpf_jit_limit knob to restrict unpriv allocations 2018-10-25 17:11:42 -07:00
cpumap.c
devmap.c bpf: devmap: fix wrong interface selection in notifier_call 2018-10-26 00:32:21 +02:00
disasm.c
disasm.h
hashtab.c
helpers.c bpf: fix direct packet write into pop/peek helpers 2018-10-25 17:02:06 -07:00
inode.c
local_storage.c
lpm_trie.c
Makefile bpf: add queue and stack maps 2018-10-19 13:24:31 -07:00
map_in_map.c
map_in_map.h
offload.c
percpu_freelist.c
percpu_freelist.h
queue_stack_maps.c bpf: fix leaking uninitialized memory on pop/peek helpers 2018-10-25 17:02:06 -07:00
reuseport_array.c
stackmap.c
syscall.c bpf: remove unused variable 2018-10-19 13:52:38 -07:00
tnum.c
verifier.c bpf: make direct packet write unclone more robust 2018-10-25 17:02:06 -07:00
xskmap.c