imer_setup() is not compatible with PaX's RAP

Jason A. Donenfeld Jason at zx2c4.com
Tue Nov 14 10:29:14 CET 2017


On Tue, Nov 14, 2017 at 1:15 AM, PaX Team <pageexec at freemail.hu> wrote:
> oh boy, can't disagree with ugly ;)

The goal is the highest possible density of filth.

>
> --- WireGuard-0.0.20171111.orig/src/compat/compat.h       2017-11-11 04:35:06.000000000 +0100
> +++ WireGuard-0.0.20171111/src/compat/compat.h    2017-11-13 23:21:17.967716768 +0100

I fixed things up here:
https://git.zx2c4.com/WireGuard/commit/?id=df318d1f0526663a2d92439376379e32ebcfef1a

> the KERNEXEC block isn't needed as it was removing KERNEXEC's own define

Wait, but earlier you wrote:

> speaking of PaX support, you recently added some __ro_after_init wrapper
> to wireguard which breaks under KERNEXEC when it's used on ops structs
> (my __read_only has different semantics) so i have to revert it here but
> it'd be nicer if you didn't define it when KERNEXEC is active.

So what exactly should I be fixing? I think in that last patch I
forgot to redefine it to be empty. Would this do what you have in
mind:

#ifdef CONFIG_PAX_KERNEXEC
#include <linux/cache.h>
#undef __ro_after_init
#define __ro_after_init
#endif

Or is there something else?

Jason


More information about the WireGuard mailing list