Subject: Re: [PATCH v2 net-next 2/3] x86: bpf_jit_comp: support BPF_S_ANC_SECCOMP_LD_W instruction
From: Eric Dumazet
To: Xi Wang
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Daniel Borkmann, Heiko Carstens, Will Drewry, Eric Dumazet, Russell King, David Laight, "David S. Miller", Andrew Morton, Nicolas Schichan
Date: Sat, 27 Apr 2013 18:21:32 -0700

On Fri, 2013-04-26 at 22:17 -0400, Xi Wang wrote:
> This patch implements the seccomp BPF_S_ANC_SECCOMP_LD_W instruction
> in x86 JIT.
>
> Signed-off-by: Xi Wang
> Cc: Daniel Borkmann
> Cc: Heiko Carstens
> Cc: Will Drewry
> Cc: Eric Dumazet
> Cc: Russell King
> Cc: David Laight
> Cc: "David S. Miller"
> Cc: Andrew Morton
> Cc: Nicolas Schichan
> --- > arch/x86/net/bpf_jit_comp.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c > index 8898680..5f1dafb 100644 > --- a/arch/x86/net/bpf_jit_comp.c > +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -683,6 +683,17 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; > } > EMIT_COND_JMP(f_op, f_offset); > break; > +#ifdef CONFIG_SECCOMP_FILTER > + case BPF_S_ANC_SECCOMP_LD_W:

I would feel more comfortable if you added:

    if (seen & SEEN_DATAREF) {
        pr_err_once("SECCOMP_LD_W assertion failed\n");
        goto out;
    }

This way, if BPF is changed in the future, but not the x86 JIT, we can
have a working kernel.

Ideally, we should add a SEEN_SKBREF to make sure rdi value can be
scratched, or you just push %rdi/pop %rdi, it's only one byte
instructions.

Or completely optimize the thing and not call seccomp_bpf_load() at all.

(current would be loaded once in r9, task_pt_regs() would be loaded once
in r8)

> + func = (u8 *)seccomp_bpf_load; > + t_offset = func - (image + addrs[i]); > + /* seccomp filters don't use %rdi, %r8, %r9 > + * it is safe to not save these registers > + */ > + EMIT1_off32(0xbf, K); /* mov imm32,%edi */ > + EMIT1_off32(0xe8, t_offset); /* call seccomp_bpf_load */ > + break; > +#endif > default: > /* hmm, too complex filter, give up with jit compiler */ > goto out;
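
Review bot: In the new `BPF_S_ANC_SECCOMP_LD_W` case, the claim that %rdi, %r8 and %r9 need not be saved exists only as a comment, while the two emitted instructions right after it overwrite %edi and call `seccomp_bpf_load`. Nothing in the case checks that the filter being compiled really leaves those registers unused, so a later change to what a seccomp filter may contain would silently produce wrong code instead of giving up on the JIT the way the `default:` case does. Suggest making the invariant explicit before emitting anything: bail out through `goto out` when `seen & SEEN_DATAREF` is set, as proposed in the reply above, or save and restore %rdi around the call. The comment would also be more useful if it said why seccomp filters never touch these registers, not only that they do not.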