
[v3,bpf-next] bpf: Use non-executable memfds for maps

Message ID 2NK63_D3A4XK54XvOAywlNwXaq6bq2I2nc2nU9g-YVdEkYaPPKcbcQ3RI0yRDc65N2LmtEx1e2aWDKXS0BabHqkihS2gtXBcghhwM5TfDeE=@proton.me (mailing list archive)
State Changes Requested
Delegated to: BPF
Series [v3,bpf-next] bpf: Use non-executable memfds for maps

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-4 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-9 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for aarch64-gcc / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-11 success Logs for aarch64-gcc / veristat-meta
bpf/vmtest-bpf-next-VM_Test-12 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-16 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for s390x-gcc / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-18 success Logs for s390x-gcc / veristat-meta
bpf/vmtest-bpf-next-VM_Test-19 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-20 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-22 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for x86_64-gcc / veristat-kernel / x86_64-gcc veristat_kernel
bpf/vmtest-bpf-next-VM_Test-29 success Logs for x86_64-gcc / veristat-meta / x86_64-gcc veristat_meta
bpf/vmtest-bpf-next-VM_Test-30 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-31 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2
bpf/vmtest-bpf-next-VM_Test-32 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-36 success Logs for x86_64-llvm-17 / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-35 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-38 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-37 success Logs for x86_64-llvm-17 / veristat-meta
bpf/vmtest-bpf-next-VM_Test-40 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-39 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-next-VM_Test-44 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-45 success Logs for x86_64-llvm-18 / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-46 success Logs for x86_64-llvm-18 / veristat-meta
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for bpf-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success Errors and warnings before: 2 (+0) this patch: 2 (+0)
netdev/cc_maintainers fail 12 maintainers not CCed: jolsa@kernel.org john.fastabend@gmail.com ast@kernel.org daniel@iogearbox.net martin.lau@linux.dev yonghong.song@linux.dev eddyz87@gmail.com andrii@kernel.org song@kernel.org sdf@fomichev.me kpsingh@kernel.org haoluo@google.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff fail author Signed-off-by missing
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch warning WARNING: line length of 97 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-25 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-33 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-26 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-34 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-41 success Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-42 success Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-43 success Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18

Commit Message

Andrei Enache Dec. 30, 2024, 5:18 p.m. UTC
This patch enables use of non-executable memfds for bpf maps. [1]
As this is a recent kernel feature, the code checks at runtime to make sure it is available.
---
Changes in v3:
- Check return value before checking errno
- Update newline style
- Link to v2: https://lore.kernel.org/bpf/Z3LHcCgqY7kHs08S@krava/T/

[1] https://lwn.net/Articles/918106/

Signed-off-by: Andrei Enache <andreien@proton.me>
---
 tools/lib/bpf/libbpf.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--
2.47.1

Comments

Jiri Olsa Dec. 30, 2024, 6:02 p.m. UTC | #1
On Mon, Dec 30, 2024 at 05:18:31PM +0000, Andrei Enache wrote:
> This patch enables use of non-executable memfds for bpf maps. [1]
> As this is a recent kernel feature, the code checks at runtime to make sure it is available.
> ---
> Changes in v3:
> - Check return value before checking errno
> - Update newline style
> - Link to v2: https://lore.kernel.org/bpf/Z3LHcCgqY7kHs08S@krava/T/
> 
> [1] https://lwn.net/Articles/918106/
> 
> Signed-off-by: Andrei Enache <andreien@proton.me>
> ---
>  tools/lib/bpf/libbpf.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 66173ddb5..3a30c094d 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -1732,11 +1732,22 @@ static int sys_memfd_create(const char *name, unsigned flags)
>  #define MFD_CLOEXEC 0x0001U
>  #endif
> 
> +#ifndef MFD_NOEXEC_SEAL
> +#define MFD_NOEXEC_SEAL 0x0008U
> +#endif
> +
>  static int create_placeholder_fd(void)
>  {
>  	int fd;
> +	int memfd;
> +
> +	memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC);
> +
> +	/* MFD_NOEXEC_SEAL is missing from older kernels */
> +	if (memfd < 0 && errno == EINVAL)
> +		memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC | MFD_NOEXEC_SEAL);

hum, you need to try 'MFD_CLOEXEC | MFD_NOEXEC_SEAL' first, right?

jirka

> 
> -	fd = ensure_good_fd(sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC));
> +	fd = ensure_good_fd(memfd);
>  	if (fd < 0)
>  		return -errno;
>  	return fd;
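Review bot: The retry call in create_placeholder_fd() is the longest added line and appears to be the one behind the checkpatch "line length of 97 exceeds 80 columns" warning; it also writes the "libbpf-placeholder-fd" name string out a second time. Holding the flags in a local variable and making the call from one wrapped statement would keep the line within the limit and stop the two attempts from drifting apart if the name or flags change later.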
> --
> 2.47.1

Alexei Starovoitov Dec. 30, 2024, 7:13 p.m. UTC | #2
On Mon, Dec 30, 2024 at 10:02 AM Jiri Olsa <olsajiri@gmail.com> wrote:
>
> On Mon, Dec 30, 2024 at 05:18:31PM +0000, Andrei Enache wrote:
> > This patch enables use of non-executable memfds for bpf maps. [1]
> > As this is a recent kernel feature, the code checks at runtime to make sure it is available.
> > ---
> > Changes in v3:
> > - Check return value before checking errno
> > - Update newline style
> > - Link to v2: https://lore.kernel.org/bpf/Z3LHcCgqY7kHs08S@krava/T/
> >
> > [1] https://lwn.net/Articles/918106/
> >
> > Signed-off-by: Andrei Enache <andreien@proton.me>
> > ---
> >  tools/lib/bpf/libbpf.c | 13 ++++++++++++-
> >  1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index 66173ddb5..3a30c094d 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
> > @@ -1732,11 +1732,22 @@ static int sys_memfd_create(const char *name, unsigned flags)
> >  #define MFD_CLOEXEC 0x0001U
> >  #endif
> >
> > +#ifndef MFD_NOEXEC_SEAL
> > +#define MFD_NOEXEC_SEAL 0x0008U
> > +#endif
> > +
> >  static int create_placeholder_fd(void)
> >  {
> >       int fd;
> > +     int memfd;
> > +
> > +     memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC);
> > +
> > +     /* MFD_NOEXEC_SEAL is missing from older kernels */
> > +     if (memfd < 0 && errno == EINVAL)
> > +             memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
>
> hum, you need to try 'MFD_CLOEXEC | MFD_NOEXEC_SEAL' first, right?
>
> jirka

I think Daniel's fix is further along while this one is still buggy.

Patch

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 66173ddb5..3a30c094d 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -1732,11 +1732,22 @@  static int sys_memfd_create(const char *name, unsigned flags)
 #define MFD_CLOEXEC 0x0001U
 #endif

+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 0x0008U
+#endif
+
 static int create_placeholder_fd(void)
 {
 	int fd;
+	int memfd;
+
+	memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC);
+
+	/* MFD_NOEXEC_SEAL is missing from older kernels */
+	if (memfd < 0 && errno == EINVAL)
+		memfd = sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC | MFD_NOEXEC_SEAL);

-	fd = ensure_good_fd(sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC));
+	fd = ensure_good_fd(memfd);
 	if (fd < 0)
 		return -errno;
 	return fd;
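Review bot: The two sys_memfd_create() calls in create_placeholder_fd() are in the wrong order, so MFD_NOEXEC_SEAL is requested only after a call without it has already failed. On a kernel that supports the flag, the first call with MFD_CLOEXEC alone succeeds and the sealed variant is never tried; on an older kernel, the case the comment describes, an EINVAL from the first call leads to a retry that adds the flag the kernel does not know instead of dropping it. Suggest calling with `MFD_CLOEXEC | MFD_NOEXEC_SEAL` first and, only when that returns a negative value with errno == EINVAL, retrying with `MFD_CLOEXEC` alone, with the "missing from older kernels" comment placed on that fallback. A short note in the comment on why only EINVAL triggers the retry would also help the next reader.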