Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp1329056ybj;
        Fri, 20 Sep 2019 08:43:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzGxjNlg0OOPUPGAbR08dHj5QvP2NsDZMIaOWfQl/ONxK4WgZubJE/zt84e5POk2hTBeWbi
X-Received: by 2002:a17:906:e297:: with SMTP id gg23mr6793479ejb.47.1568994226912;
        Fri, 20 Sep 2019 08:43:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568994226; cv=none;
        d=google.com; s=arc-20160816;
        b=xpLcupvBS/RAFdcJYEMpgRJcqge8MGv+9FCIMxNtA8uJ8faFN1PZR+Hg/GrgVqHfrr
         3sXwfEPTbb25RG1ai82RZhEt1qh4ZSG/81pIRuQeuiwiMwhOnyPXpW4mfGy6zilbIS0c
         yrukYsdDqrU6WtJ2cqHt5g4uK/e7EeeWggYs/p28B/1KI7X489HlDRLEoD5B2AswdGAk
         KjpSknPvRvZqqiMqCR4EI+vj4T619qjroPGndRYO1MU/yJRyKaDZKLIYs6Fu3lyfukha
         NIN+WHxOP4D3VXTcqzJ4WZesu9YFyCQMv69D4gYNpJF6Mb4TQfgqtuJ35dUDpMD/SJM/
         KJHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=2/qZEou0qJOwkktM0B9CDLDL91YeStt7XtOQoq8dcuk=;
        b=DqB6lwYDA8agUWwajHqhoLUGfw38qXyrCadHG0w+eMzMI3Fsoo7nr1Ad05PAymTrbx
         GLzBDwjqOAOOj3MAwtExdVUmRtx9JViwksRD1+JMtrSUuSnjKbaa04xwV2vyeQVxN5hW
         midKURSRVMyOwIWKfC/YfMfjJni8SMLLL4d6AEFh0RlEDQfpbhYijr30pfZSYKw922QV
         MKBuGzXwWrW+nsasqeuusJYU59oIyvsOhz0Ly9mDLNO1bA78fikyLkaLlnUOfdfn65cV
         C2K8VGLQVbi0BMlq70SqaV7II/GDF/R3bFXMwCD+ZaGxzBAq3/Islge+Qmo677QxsL2Q
         nrww==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=pVs0QGEQ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n19si1528887edo.172.2019.09.20.08.43.22;
        Fri, 20 Sep 2019 08:43:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=pVs0QGEQ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2407296AbfISW2H (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Thu, 19 Sep 2019 18:28:07 -0400
Received: from mail.kernel.org ([198.145.29.99]:33892 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2393961AbfISWUD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 19 Sep 2019 18:20:03 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 681F721907;
        Thu, 19 Sep 2019 22:20:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1568931602;
        bh=MKKCdTpxrjO/8GLYKplTiRHH7UYUIgrAhr+SMn0bOcY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=pVs0QGEQISfiHNFN1iM4q8g2UZbph3pCoeARM/p3Z8oEbsasWM+FiwYIW1pXV1rrA
         TOALofm7ThZ5y3Hf2BcDuQVBgtaJ0dYML+Trd7VAoxiTzAOFVOsr/VWVLTvO3NhV5l
         4K45hhkX8Mzd5MhWiB3Wf70OhkATL8VAtgbzEXuo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Yauheni Kaliuta <yauheni.kaliuta@redhat.com>,
        Vasily Gorbik <gor@linux.ibm.com>,
        Ilya Leoshkevich <iii@linux.ibm.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 47/74] s390/bpf: use 32-bit index for tail calls
Date:   Fri, 20 Sep 2019 00:04:00 +0200
Message-Id: <20190919214809.343520917@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190919214800.519074117@linuxfoundation.org>
References: <20190919214800.519074117@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ilya Leoshkevich <iii@linux.ibm.com>

[ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ]

"p runtime/jit: pass > 32bit index to tail_call" fails when
bpf_jit_enable=1, because the tail call is not executed.

This in turn is because the generated code assumes index is 64-bit,
while it must be 32-bit, and as a result prog array bounds check fails,
while it should pass. Even if bounds check would have passed, the code
that follows uses 64-bit index to compute prog array offset.

Fix by using clrj instead of clgrj for comparing index with array size,
and also by using llgfr for truncating index to 32 bits before using it
to compute prog array offset.

Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper")
Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Acked-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/net/bpf_jit_comp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index e4616090732a4..9b15a1dc66287 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -1062,8 +1062,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
 		/* llgf %w1,map.max_entries(%b2) */
 		EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2,
 			      offsetof(struct bpf_array, map.max_entries));
-		/* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */
-		EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3,
+		/* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */
+		EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3,
 				  REG_W1, 0, 0xa);
 
 		/*
@@ -1089,8 +1089,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
 		 *         goto out;
 		 */
 
-		/* sllg %r1,%b3,3: %r1 = index * 8 */
-		EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3);
+		/* llgfr %r1,%b3: %r1 = (u32) index */
+		EMIT4(0xb9160000, REG_1, BPF_REG_3);
+		/* sllg %r1,%r1,3: %r1 *= 8 */
+		EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3);
 		/* lg %r1,prog(%b2,%r1) */
 		EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2,
 			      REG_1, offsetof(struct bpf_array, ptrs));
-- 
2.20.1