    MIPS: eBPF: Fix icache flush end address · 9f77e4cb
    Paul Burton authored
    commit d1a2930d upstream.
    
    The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
    icache observes the code that we just wrote. Unfortunately it gets the
    end address calculation wrong due to some bad pointer arithmetic.
    
    The struct jit_ctx target field is of type pointer to u32, and as such
    adding one to it will increment the address being pointed to by 4 bytes.
    Therefore in order to find the address of the end of the code we simply
    need to add the number of 4 byte instructions emitted, but we mistakenly
    add the number of instructions multiplied by 4. This results in the call
    to flush_icache_range() operating on a memory region 4x larger than
    intended, which is always wasteful and can cause crashes if we overrun
    into an unmapped page.
    
    Fix this by correcting the pointer arithmetic to remove the bogus
    multiplication, and use braces to remove the need for a set of brackets
    whilst also making it obvious that the target field is a pointer.
    Signed-off-by: Paul Burton <paul.burton@mips.com>
    Fixes: b6bd53f9 ("MIPS: Add missing file for eBPF JIT.")
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Martin KaFai Lau <kafai@fb.com>
    Cc: Song Liu <songliubraving@fb.com>
    Cc: Yonghong Song <yhs@fb.com>
    Cc: netdev@vger.kernel.org
    Cc: bpf@vger.kernel.org
    Cc: linux-mips@vger.kernel.org
    Cc: stable@vger.kernel.org # v4.13+
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
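The pointer-scaling mistake the commit message describes, reproduced in user space as an added illustration (this is not the kernel's ebpf_jit.c code). The `struct jit_ctx` here is a two-field stand-in for the kernel's, and `jit_backing`, `JIT_PAGE_BYTES`, `flush_end_buggy`, `flush_end_fixed`, `flush_len`, `buggy_flush_bytes`, `fixed_flush_bytes` and `flush_fits` are names chosen for this example. The buggy variant scales the instruction count by 4 and then lets `u32 *` arithmetic scale it by 4 again; the fixed variant indexes the array directly. The overrun check assumes the JIT region occupies one 4 KiB page, which is an assumption for the demonstration, not something the commit states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct jit_ctx: only the two fields the
 * icache flush needs. Added illustration, not the kernel's definition. */
struct jit_ctx {
    uint32_t *target;   /* start of the emitted code: an array of 32-bit MIPS instructions */
    unsigned int idx;   /* number of instructions emitted so far */
};

/* Assumed size of the region the JIT code lives in (one page). The backing
 * store is deliberately 4x larger so the buggy end pointer can still be
 * formed and measured without stepping outside a real C object. */
#define JIT_PAGE_BYTES 4096u
static uint32_t jit_backing[4 * JIT_PAGE_BYTES / sizeof(uint32_t)];

/* End address as computed before the fix: idx * 4 "bytes" added to a
 * u32 *, which the compiler scales by sizeof(uint32_t) again. */
static uintptr_t flush_end_buggy(const struct jit_ctx *ctx)
{
    return (uintptr_t)(ctx->target + ctx->idx * 4);
}

/* End address as computed after the fix: indexing a u32 array by idx
 * already advances idx * 4 bytes, so no explicit multiplication. */
static uintptr_t flush_end_fixed(const struct jit_ctx *ctx)
{
    return (uintptr_t)&ctx->target[ctx->idx];
}

/* Byte length of the range flush_icache_range(start, end) would be given. */
static size_t flush_len(const struct jit_ctx *ctx, uintptr_t end)
{
    return (size_t)(end - (uintptr_t)ctx->target);
}

/* Flush length in bytes for a constructed context holding idx instructions,
 * with the buggy end-address formula. */
static size_t buggy_flush_bytes(unsigned int idx)
{
    struct jit_ctx ctx = { jit_backing, idx };
    return flush_len(&ctx, flush_end_buggy(&ctx));
}

/* Same, with the corrected formula. */
static size_t fixed_flush_bytes(unsigned int idx)
{
    struct jit_ctx ctx = { jit_backing, idx };
    return flush_len(&ctx, flush_end_fixed(&ctx));
}

/* 1 if a flush of len bytes from the start of the region stays inside a
 * region of page_bytes, 0 if it would run past its end (in the kernel,
 * potentially into an unmapped page). */
static int flush_fits(size_t len, size_t page_bytes)
{
    return len <= page_bytes;
}

int main(void)
{
    /* Constructed case: 1000 instructions = 4000 bytes, which fits in one page. */
    unsigned int idx = 1000;
    size_t fixed = fixed_flush_bytes(idx);
    size_t buggy = buggy_flush_bytes(idx);

    printf("instructions emitted: %u\n", idx);
    printf("fixed: end - start = %zu bytes, fits page: %d\n",
           fixed, flush_fits(fixed, JIT_PAGE_BYTES));
    printf("buggy: end - start = %zu bytes, fits page: %d\n",
           buggy, flush_fits(buggy, JIT_PAGE_BYTES));
    printf("buggy / fixed = %zu\n", buggy / fixed);
    return 0;
}
```

Running it shows the fixed range covering exactly the 4000 bytes of emitted code while the buggy range covers 16000 bytes and crosses the assumed page boundary, which is the 4x overrun the commit message describes. The same rule applies to any typed pointer: add element counts, not byte counts, or cast to `char *` first when you really mean bytes.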
ebpf_jit.c 49.7 KB