From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johan Almbladh, Daniel Borkmann, Brendan Jackman, Alexei Starovoitov, Sasha Levin
Subject: [PATCH 5.14 118/172] bpf, x86: Fix bpf mapping of atomic fetch implementation
Date: Mon, 4 Oct 2021 14:52:48 +0200
Message-Id: <20211004125048.790393291@linuxfoundation.org>
In-Reply-To: <20211004125044.945314266@linuxfoundation.org>
From: Johan Almbladh

[ Upstream commit ced185824c89b60e65b5a2606954c098320cdfb8 ]

Fix the case where the dst register maps to %rax as otherwise this produces
an incorrect mapping with the implementation in 981f94c3e921 ("bpf: Add
bitwise atomic instructions") as %rax is clobbered given it's part of the
cmpxchg as operand.

The issue is similar to b29dd96b905f ("bpf, x86: Fix BPF_FETCH atomic and/or/
xor with r0 as src") just that the case of dst register was missed.

Before, dst=r0 (%rax) src=r2 (%rsi):

  [...]
  c5:   mov    %rax,%r10
  c8:   mov    0x0(%rax),%rax       <---+ (broken)
  cc:   mov    %rax,%r11                |
  cf:   and    %rsi,%r11                |
  d2:   lock cmpxchg %r11,0x0(%rax) <---+
  d8:   jne    0x00000000000000c8       |
  da:   mov    %rax,%rsi                |
  dd:   mov    %r10,%rax                |
  [...]                                 |
                                        |
After, dst=r0 (%rax) src=r2 (%rsi):     |
                                        |
  [...]                                 |
  da:   mov    %rax,%r10                |
  dd:   mov    0x0(%r10),%rax       <---+ (fixed)
  e1:   mov    %rax,%r11                |
  e4:   and    %rsi,%r11                |
  e7:   lock cmpxchg %r11,0x0(%r10) <---+
  ed:   jne    0x00000000000000dd
  ef:   mov    %rax,%rsi
  f2:   mov    %r10,%rax
  [...]

The remaining combinations were fine as-is though:

After, dst=r9 (%r15) src=r0 (%rax):

  [...]
  dc:   mov    %rax,%r10
  df:   mov    0x0(%r15),%rax
  e3:   mov    %rax,%r11
  e6:   and    %r10,%r11
  e9:   lock cmpxchg %r11,0x0(%r15)
  ef:   jne    0x00000000000000df       _
  f1:   mov    %rax,%r10                | (unneeded, but
  f4:   mov    %r10,%rax               _| not a problem)
  [...]

After, dst=r9 (%r15) src=r4 (%rcx):

  [...]
  de:   mov    %rax,%r10
  e1:   mov    0x0(%r15),%rax
  e5:   mov    %rax,%r11
  e8:   and    %rcx,%r11
  eb:   lock cmpxchg %r11,0x0(%r15)
  f1:   jne    0x00000000000000e1
  f3:   mov    %rax,%rcx
  f6:   mov    %r10,%rax
  [...]

The case of dst == src register is rejected by the verifier and
therefore not supported, but x86 JIT also handles this case just
fine.

After, dst=r0 (%rax) src=r0 (%rax):

  [...]
  eb:   mov    %rax,%r10
  ee:   mov    0x0(%r10),%rax
  f2:   mov    %rax,%r11
  f5:   and    %r10,%r11
  f8:   lock cmpxchg %r11,0x0(%r10)
  fe:   jne    0x00000000000000ee
  100:  mov    %rax,%r10
  103:  mov    %r10,%rax
  [...]

Fixes: 981f94c3e921 ("bpf: Add bitwise atomic instructions")
Reported-by: Johan Almbladh
Signed-off-by: Johan Almbladh Co-developed-by: Daniel Borkmann Signed-off-by: Daniel Borkmann Reviewed-by: Brendan Jackman Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin --- arch/x86/net/bpf_jit_comp.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index 47780844598a..ffcc4d29ad50 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -1341,9 +1341,10 @@ st: if (is_imm8(insn->off)) if (insn->imm == (BPF_AND | BPF_FETCH) || insn->imm == (BPF_OR | BPF_FETCH) || insn->imm == (BPF_XOR | BPF_FETCH)) { - u8 *branch_target; bool is64 = BPF_SIZE(insn->code) == BPF_DW; u32 real_src_reg = src_reg; + u32 real_dst_reg = dst_reg; + u8 *branch_target; /* * Can't be implemented with a single x86 insn. @@ -1354,11 +1355,13 @@ st: if (is_imm8(insn->off)) emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0); if (src_reg == BPF_REG_0) real_src_reg = BPF_REG_AX; + if (dst_reg == BPF_REG_0) + real_dst_reg = BPF_REG_AX; branch_target = prog; /* Load old value */ emit_ldx(&prog, BPF_SIZE(insn->code), - BPF_REG_0, dst_reg, insn->off); + BPF_REG_0, real_dst_reg, insn->off); /* * Perform the (commutative) operation locally, * put the result in the AUX_REG. @@ -1369,7 +1372,8 @@ st: if (is_imm8(insn->off)) add_2reg(0xC0, AUX_REG, real_src_reg)); /* Attempt to swap in new value */ err = emit_atomic(&prog, BPF_CMPXCHG, - dst_reg, AUX_REG, insn->off, + real_dst_reg, AUX_REG, + insn->off, BPF_SIZE(insn->code)); if (WARN_ON(err)) return err; @@ -1383,11 +1387,10 @@ st: if (is_imm8(insn->off)) /* Restore R0 after clobbering RAX */ emit_mov_reg(&prog, true, BPF_REG_0, BPF_REG_AX); break; - } err = emit_atomic(&prog, insn->imm, dst_reg, src_reg, - insn->off, BPF_SIZE(insn->code)); + insn->off, BPF_SIZE(insn->code)); if (err) return err; break; -- 2.33.0
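Review bot: in the first hunk (@@ -1341,9 +1341,10 @@) the `u8 *branch_target;` declaration is moved below the new `u32 real_dst_reg = dst_reg;` only to keep the block in reverse-christmas-tree order. That follows bpf/net convention, but it is cosmetic churn inside a fix that is being backported to stable and slightly widens the conflict surface for other backports touching these declarations; not blocking, just worth keeping in mind for the stable series.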
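Review bot: in the second hunk (@@ -1354,11 +1355,13 @@) the new `if (dst_reg == BPF_REG_0) real_dst_reg = BPF_REG_AX;` is only correct because the `emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0);` two lines above it has already copied r0 into the scratch register before the loop body is emitted, so the redirected `emit_ldx(&prog, BPF_SIZE(insn->code), BPF_REG_0, real_dst_reg, insn->off);` reads through the saved pointer instead of through %rax, which the load itself overwrites. A one-line comment beside the two remaps stating that both src and dst must be moved off %rax because the cmpxchg loop keeps the old value there would make that ordering dependency explicit for the next reader. Also note that when src_reg == dst_reg == BPF_REG_0 both remaps resolve to BPF_REG_AX; the commit message says the verifier rejects dst == src, and the JIT output it quotes shows the emitted sequence stays well-formed in that case regardless.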
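Review bot: in the third hunk (@@ -1369,7 +1372,8 @@) `err = emit_atomic(&prog, BPF_CMPXCHG, real_dst_reg, AUX_REG, insn->off, BPF_SIZE(insn->code));` is the second memory access inside the retry loop that must use the redirected base register; with it and the emit_ldx change above, every access between `branch_target` and the `jne` goes through real_dst_reg, which is the property that matters since the branch re-enters at the load after %rax has been clobbered by cmpxchg. The re-wrap of the arguments onto three lines is only for the 80-column limit and carries no semantic change.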
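Review bot: in the fourth hunk (@@ -1383,11 +1387,10 @@), as rendered in this mail, a `- }` line is shown followed by a `-`/`+` pair for `insn->off, BPF_SIZE(insn->code));` that are textually identical. Removing the closing brace of the BPF_FETCH block would not compile, and identical `-`/`+` lines can only be whitespace-only edits, so this reads as a removed blank line before the brace plus re-indentation of the continuation line, with the whitespace lost in rendering; the header's -11/+10 line counts are consistent with a single blank line going away. Please verify against the original patch before applying. Either way the whitespace cleanup on the non-FETCH `emit_atomic()` path is unrelated to the fix and could have been left out of a stable backport.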
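An added example, not part of the patch, the commit message, or the kernel's own code: a user-space C model of the two x86 sequences quoted in the commit message for the dst=r0 (%rax), src=r2 (%rsi), BPF_AND | BPF_FETCH case. Memory is a tiny array indexed by "address", so dereferencing through a register that the load has already overwritten shows up as a fault rather than undefined behaviour. It goes one step beyond the quoted listings by also modelling a contended retry (another CPU writes the cell between the load and the cmpxchg) to show that the fixed sequence re-reads through the saved pointer. The 8-word memory, the cell address 3, the old value, the mask and the interfering write are all constructed values; the register names follow the commit message (BPF_REG_AX is %r10, AUX_REG is %r11).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy memory: only "addresses" 0 .. MEM_WORDS-1 exist; anything else faults. */
#define MEM_WORDS 8
static uint64_t mem[MEM_WORDS];

enum outcome { RUN_OK = 0, RUN_FAULT = 1, RUN_STUCK = 2 };

/* Registers the JIT sequence touches: BPF r0 -> %rax, r2 -> %rsi,
 * BPF_REG_AX (scratch) -> %r10, AUX_REG -> %r11. */
struct regs { uint64_t rax, rsi, r10, r11; };

typedef void (*interfere_fn)(uint64_t addr);
typedef enum outcome (*sequence_fn)(struct regs *r, interfere_fn interfere);

static bool load(uint64_t addr, uint64_t *out)
{
	if (addr >= MEM_WORDS)
		return false;
	*out = mem[addr];
	return true;
}

/* lock cmpxchg %reg,(addr): if %rax == [addr] store reg and set ZF, otherwise
 * load [addr] into %rax and clear ZF. %rax is an implicit operand either way. */
static bool cmpxchg(uint64_t addr, uint64_t *rax, uint64_t reg, bool *zf)
{
	if (addr >= MEM_WORDS)
		return false;
	*zf = (mem[addr] == *rax);
	if (*zf)
		mem[addr] = reg;
	else
		*rax = mem[addr];
	return true;
}

/* "Before" sequence (dst=r0 in %rax): both the load and the cmpxchg address
 * memory through %rax, which the load itself has just overwritten. */
static enum outcome run_before(struct regs *r, interfere_fn interfere)
{
	bool zf;
	int budget = 16;                                /* stop chasing values forever */

	r->r10 = r->rax;                                /* c5: mov %rax,%r10 */
	do {
		if (!load(r->rax, &r->rax))                   /* c8: mov 0x0(%rax),%rax (broken) */
			return RUN_FAULT;
		r->r11 = r->rax & r->rsi;                     /* cc/cf: mov %rax,%r11; and %rsi,%r11 */
		if (interfere) { interfere(r->r10); interfere = NULL; }
		if (!cmpxchg(r->rax, &r->rax, r->r11, &zf))   /* d2: lock cmpxchg %r11,0x0(%rax) */
			return RUN_FAULT;
	} while (!zf && --budget > 0);                  /* d8: jne c8 */
	if (!zf)
		return RUN_STUCK;
	r->rsi = r->rax;                                /* da: mov %rax,%rsi (fetched value) */
	r->rax = r->r10;                                /* dd: mov %r10,%rax (restore r0) */
	return RUN_OK;
}

/* "After" sequence: the pointer lives in %r10 for the whole loop, so the
 * retry after a failed cmpxchg reloads from the right cell. */
static enum outcome run_after(struct regs *r, interfere_fn interfere)
{
	bool zf;

	r->r10 = r->rax;                                /* da: mov %rax,%r10 */
	do {
		if (!load(r->r10, &r->rax))                   /* dd: mov 0x0(%r10),%rax (fixed) */
			return RUN_FAULT;
		r->r11 = r->rax & r->rsi;                     /* e1/e4: mov %rax,%r11; and %rsi,%r11 */
		if (interfere) { interfere(r->r10); interfere = NULL; }
		if (!cmpxchg(r->r10, &r->rax, r->r11, &zf))   /* e7: lock cmpxchg %r11,0x0(%r10) */
			return RUN_FAULT;
	} while (!zf);                                  /* ed: jne dd */
	r->rsi = r->rax;                                /* ef: mov %rax,%rsi */
	r->rax = r->r10;                                /* f2: mov %r10,%rax */
	return RUN_OK;
}

struct run_result { enum outcome out; uint64_t r0, fetched, cell; };

/* Runs one sequence for "r0 = atomic_fetch_and((u64 *)(r0 + 0), r2)" on a
 * constructed cell: mem[ptr] = old, r2 = mask. */
static struct run_result run_fetch_and(sequence_fn seq, uint64_t ptr, uint64_t old,
				       uint64_t mask, interfere_fn interfere)
{
	struct regs r = { .rax = ptr, .rsi = mask, .r10 = 0, .r11 = 0 };
	struct run_result res;

	memset(mem, 0, sizeof(mem));
	mem[ptr % MEM_WORDS] = old;
	res.out = seq(&r, interfere);
	res.r0 = r.rax;
	res.fetched = r.rsi;
	res.cell = mem[ptr % MEM_WORDS];
	return res;
}

/* Constructed model of another CPU writing the same cell mid-loop. */
static void other_cpu_writes(uint64_t addr) { mem[addr] = 0x0f0f0f0fULL; }

int main(void)
{
	struct run_result b = run_fetch_and(run_before, 3, 0x00ff00ffULL, 0xffffULL, NULL);
	struct run_result a = run_fetch_and(run_after, 3, 0x00ff00ffULL, 0xffffULL, NULL);
	struct run_result c = run_fetch_and(run_after, 3, 0x00ff00ffULL, 0xffffULL, other_cpu_writes);

	printf("before : %s\n", b.out == RUN_OK ? "ok" : "fault (dereferenced the loaded value)");
	printf("after  : cell=%#llx fetched=%#llx r0=%#llx\n", (unsigned long long)a.cell,
	       (unsigned long long)a.fetched, (unsigned long long)a.r0);
	printf("after, contended: cell=%#llx fetched=%#llx\n", (unsigned long long)c.cell,
	       (unsigned long long)c.fetched);
	return 0;
}
```

The broken sequence faults on the very first cmpxchg, because by then %rax holds the loaded value and not the pointer; the fixed sequence leaves the cell at `old & mask`, hands the pre-update value back in r2's register, and restores r0. In the contended run the first cmpxchg fails, the loop reloads through %r10, and the final fetched value is the one the other writer stored.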