From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Russell King
Subject: [PATCH 4.14 20/71] ARM: net: bpf: fix LDX instructions
Date: Mon, 29 Jan 2018 13:56:48 +0100
Message-Id: <20180129123828.642934967@linuxfoundation.org>
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>
References: <20180129123827.271171825@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Russell King

commit ec19e02b343db991d2d1610c409efefebf4e2ca9 upstream.

When the source and destination register are identical, our JIT does not generate correct code, which leads to kernel oopses.

Fix this by (a) generating more efficient code, and (b) making use of the temporary earlier if we will overwrite the address register.

Fixes: 39c13c204bb1 ("arm: eBPF JIT compiler")
Signed-off-by: Russell King
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm/net/bpf_jit_32.c | 61 ++++++++++++++++++++++++----------------------
 1 file changed, 33 insertions(+), 28 deletions(-)

--- a/arch/arm/net/bpf_jit_32.c +++ b/arch/arm/net/bpf_jit_32.c
@@ -913,33 +913,53 @@ static inline void emit_str_r(const u8 d } /* dst = *(size*)(src + off) */ -static inline void emit_ldx_r(const u8 dst, const u8 src, bool dstk, - const s32 off, struct jit_ctx *ctx, const u8 sz){ +static inline void emit_ldx_r(const u8 dst[], const u8 src, bool dstk, + s32 off, struct jit_ctx *ctx, const u8 sz){ const u8 *tmp = bpf2a32[TMP_REG_1]; - u8 rd = dstk ? tmp[1] : dst; + const u8 *rd = dstk ? tmp : dst; u8 rm = src; + s32 off_max; - if (off) { + if (sz == BPF_H) + off_max = 0xff; + else + off_max = 0xfff; + + if (off < 0 || off > off_max) { emit_a32_mov_i(tmp[0], off, false, ctx); emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx); rm = tmp[0]; + off = 0; + } else if (rd[1] == rm) { + emit(ARM_MOV_R(tmp[0], rm), ctx); + rm = tmp[0]; } switch (sz) { - case BPF_W: - /* Load a Word */ - emit(ARM_LDR_I(rd, rm, 0), ctx); + case BPF_B: + /* Load a Byte */ + emit(ARM_LDRB_I(rd[1], rm, off), ctx); + emit_a32_mov_i(dst[0], 0, dstk, ctx); break; case BPF_H: /* Load a HalfWord */ - emit(ARM_LDRH_I(rd, rm, 0), ctx); + emit(ARM_LDRH_I(rd[1], rm, off), ctx); + emit_a32_mov_i(dst[0], 0, dstk, ctx); break; - case BPF_B: - /* Load a Byte */ - emit(ARM_LDRB_I(rd, rm, 0), ctx); + case BPF_W: + /* Load a Word */ + emit(ARM_LDR_I(rd[1], rm, off), ctx); + emit_a32_mov_i(dst[0], 0, dstk, ctx); + break; + case BPF_DW: + /* Load a Double Word */ + emit(ARM_LDR_I(rd[1], rm, off), ctx); + emit(ARM_LDR_I(rd[0], rm, off + 4), ctx); break; } if (dstk) - emit(ARM_STR_I(rd, ARM_SP, STACK_VAR(dst)), ctx); + emit(ARM_STR_I(rd[1], ARM_SP, STACK_VAR(dst[1])), ctx); + if (dstk && sz == BPF_DW) + emit(ARM_STR_I(rd[0], ARM_SP, STACK_VAR(dst[0])), ctx); } /* Arithmatic Operation */ 
@@ -1440,22 +1460,7 @@ exit: rn = sstk ? tmp2[1] : src_lo; if (sstk) emit(ARM_LDR_I(rn, ARM_SP, STACK_VAR(src_lo)), ctx); - switch (BPF_SIZE(code)) { - case BPF_W: - /* Load a Word */ - case BPF_H: - /* Load a Half-Word */ - case BPF_B: - /* Load a Byte */ - emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_SIZE(code)); - emit_a32_mov_i(dst_hi, 0, dstk, ctx); - break; - case BPF_DW: - /* Load a double word */ - emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_W); - emit_ldx_r(dst_hi, rn, dstk, off+4, ctx, BPF_W); - break; - } + emit_ldx_r(dst, rn, dstk, off, ctx, BPF_SIZE(code)); break; /* R0 = ntohx(*(size *)(((struct sk_buff *)R6)->data + imm)) */ case BPF_LD | BPF_ABS | BPF_W:
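
Review bot: In the first hunk (emit_ldx_r, the off_max setup and the BPF_DW case), the range check does not cover the second load of a double word. off_max is 0xfff for every size other than BPF_H, yet the BPF_DW case emits ARM_LDR_I(rd[0], rm, off + 4), so an off of 0xffc through 0xfff passes the check and still hands ARM_LDR_I an offset above the 0xfff bound that the check enforces for the first load. Suggest a separate bound for BPF_DW, for example off_max = 0xfff - 4 when sz == BPF_DW, so those offsets take the emit_a32_mov_i/ARM_ADD_R path with off reset to 0. A one-line comment on the `else if (rd[1] == rm)` branch saying that it is the source-equals-destination case from the commit message would also help, since the reason for copying rm into tmp[0] is not obvious from the code alone.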
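
Review bot: In the second hunk (the single emit_ldx_r(dst, rn, dstk, off, ctx, BPF_SIZE(code)) call that replaces the switch), the caller now depends on an index convention that is not documented anywhere in the visible lines: the removed code named dst_lo and dst_hi explicitly, while the helper writes the loaded value to rd[1] and clears dst[0]. Suggest extending the "dst = *(size*)(src + off)" comment above emit_ldx_r to state that dst is the register pair, that index 1 is the low word, and that the helper zeroes the high word for BPF_B, BPF_H and BPF_W. It is also worth confirming that tmp2 at this call site does not share registers with bpf2a32[TMP_REG_1]: rn can be tmp2[1] when sstk is set, and emit_ldx_r writes tmp[0] and, when dstk is set, tmp[1] while rm is still needed as the base address.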