Commit 9f5b4009 authored by Sami Tolvanen's avatar Sami Tolvanen Committed by Kees Cook
Browse files

bpf: disable CFI in dispatcher functions 



BPF dispatcher functions are patched at runtime to perform direct
instead of indirect calls. Disable CFI for the dispatcher functions to
avoid conflicts.

Signed-off-by: default avatarSami Tolvanen <samitolvanen@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Tested-by: default avatarNathan Chancellor <nathan@kernel.org>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210408182843.1754385-9-samitolvanen@google.com
parent 8b8e6b5d

include/linux/bpf.h

+2 −2
Original line number Diff line number Diff line
@@ -650,7 +650,7 @@ struct bpf_dispatcher { 
	struct bpf_ksym ksym;

};



static __always_inline unsigned int bpf_dispatcher_nop_func(

static __always_inline __nocfi unsigned int bpf_dispatcher_nop_func(

	const void *ctx,

	const struct bpf_insn *insnsi,

	unsigned int (*bpf_func)(const void *,
@@ -678,7 +678,7 @@ void bpf_trampoline_put(struct bpf_trampoline *tr); 
}



#define DEFINE_BPF_DISPATCHER(name)					\

	noinline unsigned int bpf_dispatcher_##name##_func(		\

	noinline __nocfi unsigned int bpf_dispatcher_##name##_func(	\

		const void *ctx,					\

		const struct bpf_insn *insnsi,				\

		unsigned int (*bpf_func)(const void *,			\