Received: by 10.213.65.68 with SMTP id h4csp1722657imn; Mon, 19 Mar 2018 11:27:23 -0700 (PDT) X-Google-Smtp-Source: AG47ELvJvReo1tfEUlolqWhYyb6T7lRRlurWbsiXsz1btO7KzzNBgbdtwO4VgAAMoPKFxATVa3ZT X-Received: by 10.99.160.25 with SMTP id r25mr6590100pge.95.1521484043688; Mon, 19 Mar 2018 11:27:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521484043; cv=none; d=google.com; s=arc-20160816; b=Ru43Q0y9k+cjC6BRLYRjJGAJ05qh0RRTYVRs5J3iALmZ9Z/tDX2HKmP6SuGtyBXxoZ sn/dBwka/YeNJ63049GDFhWYj2PkUNb0lsDnY3GcbAingdo/1KiNj5eSGsTCVzy8bNGy lGn/KgoWrz/4+B5y2fDF8JcyTL5pH5RUBMunpyh/Rb6OlTAvfkvnoKLkvibZqnYRxH+0 Rdoqf7Qmm0/XbgR21MWm6B+CVz61nK34Hs+AU6RXoRNrID1fLE4HiMZFAIJG5W5smC7h TAV+ipVCRM5r0Qw013v5CGWeJW7EgbyUmycksmtDmPRfq2f/tcYlREep/t0L8Il41MiO 40zg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=mLoY1D6E8XOoVTGEEDrQdo+idb5ZkNy/i9ZXFPm1fBo=; b=LiO2/GVqd1uy+8UPfKDoh7pYQcXeKiznrMyLUkZgA7O8pE2S3iksQwic3JXeKK6BUE 1GyFBmiUi4PZWqx3JUd6AmrcMqa4oICssyNyjmJ1x4uzMcxEUslan3m+gniQeUYsKsRl NDRYscrIIAUKMZxl8j3hMNhVMA9EEmWvyEO0HLNZJC0Qb9LkETTw1KvCRskDKG9jVdAL zF97tAh68/cxXC55hTjjIYBvGgxiHaUNB3vFSFO//FaGoJaoccTOQaqSDTC768wnE240 ibon3RWI06auhjUMT4MwDHU5xftowxXtvvAwcT5b+oSbiFdmxxaKbWrKKU/b5EK/R+Iu So3g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m70si308378pfk.344.2018.03.19.11.27.09; Mon, 19 Mar 2018 11:27:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1031500AbeCSSXu (ORCPT + 99 others); Mon, 19 Mar 2018 14:23:50 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:49616 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1031429AbeCSSXo (ORCPT ); Mon, 19 Mar 2018 14:23:44 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 4CF42D09; Mon, 19 Mar 2018 18:23:43 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Daney , James Hogan , Alexei Starovoitov , "Steven J. Hill" , linux-mips@linux-mips.org, netdev@vger.kernel.org, Ralf Baechle , Sasha Levin Subject: [PATCH 4.9 129/241] MIPS: BPF: Quit clobbering callee saved registers in JIT code. Date: Mon, 19 Mar 2018 19:06:34 +0100 Message-Id: <20180319180756.537482734@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180319180751.172155436@linuxfoundation.org> References: <20180319180751.172155436@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: David Daney [ Upstream commit 1ef0910cfd681f0bd0b81f8809935b2006e9cfb9 ] If bpf_needs_clear_a() returns true, only actually clear it if it is ever used. If it is not used, we don't save and restore it, so the clearing has the nasty side effect of clobbering caller state. Also, don't emit stack pointer adjustment instructions if the adjustment amount is zero. Signed-off-by: David Daney Cc: James Hogan Cc: Alexei Starovoitov Cc: Steven J. Hill Cc: linux-mips@linux-mips.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/15745/ Signed-off-by: Ralf Baechle Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/mips/net/bpf_jit.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) --- a/arch/mips/net/bpf_jit.c +++ b/arch/mips/net/bpf_jit.c @@ -526,7 +526,8 @@ static void save_bpf_jit_regs(struct jit u32 sflags, tmp_flags; /* Adjust the stack pointer */ - emit_stack_offset(-align_sp(offset), ctx); + if (offset) + emit_stack_offset(-align_sp(offset), ctx); tmp_flags = sflags = ctx->flags >> SEEN_SREG_SFT; /* sflags is essentially a bitmap */ @@ -578,7 +579,8 @@ static void restore_bpf_jit_regs(struct emit_load_stack_reg(r_ra, r_sp, real_off, ctx); /* Restore the sp and discard the scrach memory */ - emit_stack_offset(align_sp(offset), ctx); + if (offset) + emit_stack_offset(align_sp(offset), ctx); } static unsigned int get_stack_depth(struct jit_ctx *ctx) @@ -625,8 +627,14 @@ static void build_prologue(struct jit_ct if (ctx->flags & SEEN_X) emit_jit_reg_move(r_X, r_zero, ctx); - /* Do not leak kernel data to userspace */ - if (bpf_needs_clear_a(&ctx->skf->insns[0])) + /* + * Do not leak kernel data to userspace, we only need to clear + * r_A if it is ever used. In fact if it is never used, we + * will not save/restore it, so clearing it in this case would + * corrupt the state of the caller. + */ + if (bpf_needs_clear_a(&ctx->skf->insns[0]) && + (ctx->flags & SEEN_A)) emit_jit_reg_move(r_A, r_zero, ctx); }