ANDROID: bpf: Add vendor hook

Add vendor hook for bpf, so we can get memory type and
use it to do memory type check for architecture
dependent page table setting.

Bug: 181639260

Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: Icac325a040fb88c7f6b04b2409029b623bd8515f

arch/arm64/net/bpf_jit_comp.c

@@ -17,6 +17,7 @@
 #include <asm/cacheflush.h>
 #include <asm/debug-monitors.h>
 #include <asm/set_memory.h>
+#include <trace/hooks/memory.h>
 
 #include "bpf_jit.h"
 
@@ -1098,6 +1099,8 @@ skip_init_ctx:
 			goto out_off;
 		}
 		bpf_jit_binary_lock_ro(header);
+		trace_android_vh_set_memory_ro((unsigned long)header, header->pages);
+		trace_android_vh_set_memory_x((unsigned long)header, header->pages);
 	} else {
 		jit_data->ctx = ctx;
 		jit_data->image = image_ptr;

drivers/android/vendor_hooks.c

@@ -43,6 +43,7 @@
 #include <trace/hooks/traps.h>
 #include <trace/hooks/avc.h>
 #include <trace/hooks/creds.h>
+#include <trace/hooks/memory.h>
 
 /*
  * Export tracepoints that act as a bare tracehook (ie: have no trace event
@@ -193,3 +194,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_commit_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_exit_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_override_creds);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_revert_creds);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_x);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_nx);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_ro);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_memory_rw);

include/trace/hooks/memory.h

@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM memory
+
+#define TRACE_INCLUDE_PATH trace/hooks
+#if !defined(_TRACE_HOOK_MEMORY_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_HOOK_MEMORY_H
+#include <linux/tracepoint.h>
+#include <trace/hooks/vendor_hooks.h>
+/*
+ * Following tracepoints are not exported in tracefs and provide a
+ * mechanism for vendor modules to hook and extend functionality
+ */
+DECLARE_HOOK(android_vh_set_memory_x,
+	TP_PROTO(unsigned long addr, int nr_pages),
+	TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_nx,
+	TP_PROTO(unsigned long addr, int nr_pages),
+	TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_ro,
+	TP_PROTO(unsigned long addr, int nr_pages),
+	TP_ARGS(addr, nr_pages));
+
+DECLARE_HOOK(android_vh_set_memory_rw,
+	TP_PROTO(unsigned long addr, int nr_pages),
+	TP_ARGS(addr, nr_pages));
+
+#endif /* _TRACE_HOOK_MEMORY_H */
+/* This part must be outside protection */
+#include <trace/define_trace.h>

kernel/bpf/bpf_struct_ops.c

@@ -10,6 +10,7 @@
 #include <linux/seq_file.h>
 #include <linux/refcount.h>
 #include <linux/mutex.h>
+#include <trace/hooks/memory.h>
 
 enum bpf_struct_ops_state {
 	BPF_STRUCT_OPS_STATE_INIT,
@@ -448,7 +449,9 @@ static int bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
 	bpf_map_inc(map);
 
 	set_memory_ro((long)st_map->image, 1);
+	trace_android_vh_set_memory_ro((unsigned long)st_map->image, 1);
 	set_memory_x((long)st_map->image, 1);
+	trace_android_vh_set_memory_x((unsigned long)st_map->image, 1);
 	err = st_ops->reg(kdata);
 	if (likely(!err)) {
 		/* Pair with smp_load_acquire() during lookup_elem().
@@ -532,6 +535,8 @@ static void bpf_struct_ops_map_free(struct bpf_map *map)
 	if (st_map->progs)
 		bpf_struct_ops_map_put_progs(st_map);
 	bpf_map_area_free(st_map->progs);
+	trace_android_vh_set_memory_rw((unsigned long)st_map->image, 1);
+	trace_android_vh_set_memory_nx((unsigned long)st_map->image, 1);
 	bpf_jit_free_exec(st_map->image);
 	bpf_map_area_free(st_map->uvalue);
 	bpf_map_area_free(st_map);

kernel/bpf/core.c

@@ -34,6 +34,8 @@
 #include <linux/log2.h>
 #include <asm/unaligned.h>
 
+#include <trace/hooks/memory.h>
+
 /* Registers */
 #define BPF_R0	regs[BPF_REG_0]
 #define BPF_R1	regs[BPF_REG_1]
@@ -897,6 +899,8 @@ void bpf_jit_binary_free(struct bpf_binary_header *hdr)
 {
 	u32 pages = hdr->pages;
 
+	trace_android_vh_set_memory_rw((unsigned long)hdr, pages);
+	trace_android_vh_set_memory_nx((unsigned long)hdr, pages);
 	bpf_jit_free_exec(hdr);
 	bpf_jit_uncharge_modmem(pages);
 }
@@ -2294,6 +2298,7 @@ DEFINE_STATIC_KEY_FALSE(bpf_stats_enabled_key);
 EXPORT_SYMBOL(bpf_stats_enabled_key);
 
 /* All definitions of tracepoints related to BPF. */
+#undef TRACE_INCLUDE_PATH
 #define CREATE_TRACE_POINTS
 #include <linux/bpf_trace.h>
 

kernel/bpf/trampoline.c

@@ -9,6 +9,7 @@
 #include <linux/btf.h>
 #include <linux/rcupdate_trace.h>
 #include <linux/rcupdate_wait.h>
+#include <trace/hooks/memory.h>
 
 /* dummy _ops. The verifier will operate on target program's ops. */
 const struct bpf_verifier_ops bpf_extension_verifier_ops = {
@@ -38,6 +39,7 @@ void *bpf_jit_alloc_exec_page(void)
 	 * everytime new program is attached or detached.
 	 */
 	set_memory_x((long)image, 1);
+	trace_android_vh_set_memory_x((unsigned long)image, 1);
 	return image;
 }
 
@@ -374,6 +376,7 @@ void bpf_trampoline_put(struct bpf_trampoline *tr)
 	 * for tasks to get out of trampoline code before freeing it.
 	 */
 	synchronize_rcu_tasks();
+	trace_android_vh_set_memory_nx((unsigned long)tr->image, 1);
 	bpf_jit_free_exec(tr->image);
 	hlist_del(&tr->hlist);
 	kfree(tr);