From 2ff446fc4d73111db7a023d33875ae1b3e113f6f Mon Sep 17 00:00:00 2001
From: Kuan-Ying Lee
Date: Mon, 22 Feb 2021 16:35:21 +0800
Subject: [PATCH] ANDROID: bpf: Add vendor hook

Add vendor hook for bpf, so we can get memory type and use it to do memory type check for architecture dependent page table setting.

Bug: 181639260
Signed-off-by: Kuan-Ying Lee
Change-Id: Icac325a040fb88c7f6b04b2409029b623bd8515f
---
 arch/arm64/net/bpf_jit_comp.c | 3 +++
 drivers/android/vendor_hooks.c | 5 +++++
 include/trace/hooks/memory.h | 32 ++++++++++++++++++++++++++++++++
 kernel/bpf/bpf_struct_ops.c | 5 +++++
 kernel/bpf/core.c | 5 +++++
 kernel/bpf/trampoline.c | 3 +++
 6 files changed, 53 insertions(+)
 create mode 100644 include/trace/hooks/memory.h
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index ef9f1d5e989d..af75d5909a0f 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include "bpf_jit.h"
@@ -1098,6 +1099,8 @@ skip_init_ctx:
 goto out_off;
 }
 bpf_jit_binary_lock_ro(header);
+ trace_android_vh_set_memory_ro((unsigned long)header, header->pages);
+ trace_android_vh_set_memory_x((unsigned long)header, header->pages);
 } else {
 jit_data->ctx = ctx;
 jit_data->image = image_ptr;
diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c
index 6540cbf458c8..369ad757d040 100644
--- a/drivers/android/vendor_hooks.c
+++ b/drivers/android/vendor_hooks.c
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 /*
 * Export tracepoints that act as a bare tracehook (ie: have no trace event
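Review bot: The `ro`/`x` hooks after `bpf_jit_binary_lock_ro(header)` in the `@@ -1098` hunk of arch/arm64/net/bpf_jit_comp.c are arm64-only, while the matching `rw`/`nx` hooks this patch adds to `bpf_jit_binary_free()` in kernel/bpf/core.c sit in generic code. A vendor module that tracks permission state per address would, on any other JIT, see `rw`/`nx` for images it was never told became read-only and executable. Either emit the pair from the generic lock helper or say so at both sites, e.g. `/* vendor hooks mirror bpf_jit_binary_lock_ro(); arm64 is the only JIT that reports ro/x */`. The enclosing function starts and ends outside the hunk and the body of `bpf_jit_binary_lock_ro()` is not shown, so whether it can fail before the hooks run cannot be judged from here.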
@@ -193,3 +194,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_commit_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_exit_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_override_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_revert_creds);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_x);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_nx);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_ro);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_rw);
diff --git a/include/trace/hooks/memory.h b/include/trace/hooks/memory.h
new file mode 100644
index 000000000000..4b3f77a72d82
--- /dev/null
+++ b/include/trace/hooks/memory.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM memory
+
+#define TRACE_INCLUDE_PATH trace/hooks
+#if !defined(_TRACE_HOOK_MEMORY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_HOOK_MEMORY_H
+#include
+#include
+/*
+ * Following tracepoints are not exported in tracefs and provide a
+ * mechanism for vendor modules to hook and extend functionality
+ */
+DECLARE_HOOK(android_vh_set_memory_x,
+ TP_PROTO(unsigned long addr, int nr_pages),
+ TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_nx,
+ TP_PROTO(unsigned long addr, int nr_pages),
+ TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_ro,
+ TP_PROTO(unsigned long addr, int nr_pages),
+ TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_rw,
+ TP_PROTO(unsigned long addr, int nr_pages),
+ TP_ARGS(addr, nr_pages));
+
+#endif /* _TRACE_HOOK_MEMORY_H */
+/* This part must be outside protection */
+#include
diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c
index 4c3b543bb33b..94d832e571d9 100644
--- a/kernel/bpf/bpf_struct_ops.c
+++ b/kernel/bpf/bpf_struct_ops.c
@@ -10,6 +10,7 @@
 #include
 #include
 #include
+#include
 enum bpf_struct_ops_state {
 BPF_STRUCT_OPS_STATE_INIT,
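Review bot: The block comment above the four `DECLARE_HOOK`s in include/trace/hooks/memory.h does not say what the hooks mean for a vendor module. The call sites in this patch invoke them after `set_memory_ro()`/`set_memory_x()` on setup and before `bpf_jit_free_exec()` on teardown, and only from BPF code. Since the commit message says the hooks feed a memory type check, that contract matters to whoever registers a handler. I would extend the comment to state that `addr` is the start of the region and `nr_pages` its length in pages, that the hooks are notifications issued by the BPF JIT, struct_ops and trampoline paths, and that the teardown hooks fire before the memory is freed rather than after a permission change.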
@@ -448,7 +449,9 @@ static int bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
 bpf_map_inc(map);
 set_memory_ro((long)st_map->image, 1);
+ trace_android_vh_set_memory_ro((unsigned long)st_map->image, 1);
 set_memory_x((long)st_map->image, 1);
+ trace_android_vh_set_memory_x((unsigned long)st_map->image, 1);
 err = st_ops->reg(kdata);
 if (likely(!err)) {
 /* Pair with smp_load_acquire() during lookup_elem().
@@ -532,6 +535,8 @@ static void bpf_struct_ops_map_free(struct bpf_map *map)
 if (st_map->progs)
 bpf_struct_ops_map_put_progs(st_map);
 bpf_map_area_free(st_map->progs);
+ trace_android_vh_set_memory_rw((unsigned long)st_map->image, 1);
+ trace_android_vh_set_memory_nx((unsigned long)st_map->image, 1);
 bpf_jit_free_exec(st_map->image);
 bpf_map_area_free(st_map->uvalue);
 bpf_map_area_free(st_map);
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 55454d2278b1..a9f8bb65420e 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -34,6 +34,8 @@
 #include
 #include
+#include
+
 /* Registers */
 #define BPF_R0 regs[BPF_REG_0]
 #define BPF_R1 regs[BPF_REG_1]
@@ -897,6 +899,8 @@ void bpf_jit_binary_free(struct bpf_binary_header *hdr)
 {
 u32 pages = hdr->pages;
+ trace_android_vh_set_memory_rw((unsigned long)hdr, pages);
+ trace_android_vh_set_memory_nx((unsigned long)hdr, pages);
 bpf_jit_free_exec(hdr);
 bpf_jit_uncharge_modmem(pages);
 }
@@ -2294,6 +2298,7 @@ DEFINE_STATIC_KEY_FALSE(bpf_stats_enabled_key);
 EXPORT_SYMBOL(bpf_stats_enabled_key);
 /* All definitions of tracepoints related to BPF. */
+#undef TRACE_INCLUDE_PATH
 #define CREATE_TRACE_POINTS
 #include
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index 35c5887d82ff..e73fdf278fb5 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -9,6 +9,7 @@
 #include
 #include
 #include
+#include
 /* dummy _ops. The verifier will operate on target program's ops. */
 const struct bpf_verifier_ops bpf_extension_verifier_ops = {
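Review bot: In the `@@ -448` hunk of kernel/bpf/bpf_struct_ops.c the new hooks fire unconditionally, although the return values of `set_memory_ro()` and `set_memory_x()` on the lines before them are discarded. If either call fails, a handler is still told the page became read-only or executable, so a vendor-side memory type check would act on a state the page table does not have. Gating each hook on success keeps the two in step, e.g. `if (!set_memory_ro((long)st_map->image, 1)) trace_android_vh_set_memory_ro((unsigned long)st_map->image, 1);`. The same applies to the `set_memory_x()` call in the `@@ -38` hunk of kernel/bpf/trampoline.c. bpf_struct_ops_map_update_elem() continues outside the hunk.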
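Review bot: The two hooks added before `bpf_jit_free_exec(st_map->image)` in the `@@ -532` hunk of kernel/bpf/bpf_struct_ops.c pass `st_map->image` without checking it. The `if (st_map->progs)` guard at the top of the hunk suggests this free path also runs for partially built maps. If `image` can be NULL there (the allocation is not visible in this hunk), handlers receive address 0 and may apply page-table changes to it. Wrapping both calls in `if (st_map->image)` avoids that.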
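Review bot: The added `#undef TRACE_INCLUDE_PATH` in the `@@ -2294` hunk of kernel/bpf/core.c has no comment, and nothing nearby explains it. It appears to be needed because include/trace/hooks/memory.h, added by this patch, defines `TRACE_INCLUDE_PATH trace/hooks` outside its include guard, and that definition would otherwise still be set when `CREATE_TRACE_POINTS` pulls in the BPF trace header. A one-line comment such as `/* trace/hooks/memory.h sets TRACE_INCLUDE_PATH; reset it for the BPF tracepoints below */` would stop the line being removed as dead.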
@@ -38,6 +39,7 @@ void *bpf_jit_alloc_exec_page(void)
 * everytime new program is attached or detached.
 */
 set_memory_x((long)image, 1);
+ trace_android_vh_set_memory_x((unsigned long)image, 1);
 return image;
 }
@@ -374,6 +376,7 @@ void bpf_trampoline_put(struct bpf_trampoline *tr)
 * for tasks to get out of trampoline code before freeing it.
 */
 synchronize_rcu_tasks();
+ trace_android_vh_set_memory_nx((unsigned long)tr->image, 1);
 bpf_jit_free_exec(tr->image);
 hlist_del(&tr->hlist);
 kfree(tr);
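Review bot: `bpf_trampoline_put()` in the `@@ -374` hunk emits only the `nx` hook, whereas `bpf_struct_ops_map_free()` and `bpf_jit_binary_free()` emit `rw` followed by `nx`. That may be deliberate, since the `@@ -38` hunk shows only `set_memory_x()` being applied to the trampoline page, which would leave it writable and executable, but nothing at the call site says so. A short comment would keep the difference from being "fixed" later, e.g. `/* image was never made read-only, so only nx is reported */`. Both functions start outside their hunks.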