--- v11
+++ v12
@@ -1,30 +1,72 @@
-Add the necessary call to bpf_jit_binary_lock_ro() to remove write and
-add exec permissions to the JIT image after it has finished being
-written.
+From: Russell Currey <ruscur@russell.cc>
 
-Without CONFIG_STRICT_MODULE_RWX the image will be writable and
-executable until the call to bpf_jit_binary_lock_ro().
+To enable strict module RWX on powerpc, set:
 
+    CONFIG_STRICT_MODULE_RWX=y
+
+You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
+security benefit.
+
+ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
+This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that
+makes STRICT_MODULE_RWX *on by default* in configurations where
+STRICT_KERNEL_RWX is *unavailable*.
+
+Since this doesn't make much sense, and module RWX without kernel RWX
+doesn't make much sense, having the same dependencies as kernel RWX
+works around this problem.
+
+With STRICT_MODULE_RWX, now make module_alloc() allocate pages with
+KERNEL_PAGE protection rather than KERNEL_PAGE_EXEC.
+
+Book32s/32 processors with a hash mmu (i.e. 604 core) can not set memory
+protection on a page by page basis so do not enable.
+
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+[jpn: - predicate on !PPC_BOOK3S_604
+      - make module_alloc() use PAGE_KERNEL protection]
 Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
 ---
-v10: New to series
-v11: Remove CONFIG_STRICT_MODULE_RWX conditional
+v10: - Predicate on !PPC_BOOK3S_604
+     - Make module_alloc() use PAGE_KERNEL protection
+v11: - Neaten up
 ---
- arch/powerpc/net/bpf_jit_comp.c | 1 +
- 1 file changed, 1 insertion(+)
+ arch/powerpc/Kconfig         | 1 +
+ arch/powerpc/kernel/module.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
 
-diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
-index 6c8c268e4fe8..53aefee3fe70 100644
---- a/arch/powerpc/net/bpf_jit_comp.c
-+++ b/arch/powerpc/net/bpf_jit_comp.c
-@@ -237,6 +237,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
- 	fp->jited_len = alloclen;
- 
- 	bpf_flush_icache(bpf_hdr, (u8 *)bpf_hdr + (bpf_hdr->pages * PAGE_SIZE));
-+	bpf_jit_binary_lock_ro(bpf_hdr);
- 	if (!fp->is_func || extra_pass) {
- 		bpf_prog_fill_jited_linfo(fp, addrs);
- out_addrs:
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index cce0a137b046..cb5d9d862c35 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -140,6 +140,7 @@ config PPC
+ 	select ARCH_HAS_SCALED_CPUTIME		if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
+ 	select ARCH_HAS_SET_MEMORY
+ 	select ARCH_HAS_STRICT_KERNEL_RWX	if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
++	select ARCH_HAS_STRICT_MODULE_RWX	if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_604
+ 	select ARCH_HAS_TICK_BROADCAST		if GENERIC_CLOCKEVENTS_BROADCAST
+ 	select ARCH_HAS_UACCESS_FLUSHCACHE
+ 	select ARCH_HAS_COPY_MC			if PPC64
+diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
+index 3f35c8d20be7..33e4011228b0 100644
+--- a/arch/powerpc/kernel/module.c
++++ b/arch/powerpc/kernel/module.c
+@@ -92,12 +92,14 @@ int module_finalize(const Elf_Ehdr *hdr,
+ static __always_inline void *
+ __module_alloc(unsigned long size, unsigned long start, unsigned long end)
+ {
++	pgprot_t prot = IS_ENABLED(CONFIG_STRICT_MODULE_RWX) ? PAGE_KERNEL :
++							       PAGE_KERNEL_EXEC;
+ 	/*
+ 	 * Don't do huge page allocations for modules yet until more testing
+ 	 * is done. STRICT_MODULE_RWX may require extra work to support this
+ 	 * too.
+ 	 */
+-	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, PAGE_KERNEL_EXEC,
++	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, prot,
+ 				    VM_FLUSH_RESET_PERMS | VM_NO_HUGE_VMAP,
+ 				    NUMA_NO_NODE, __builtin_return_address(0));
+ }
 -- 
 2.25.1