• Daniel Borkmann's avatar
    bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd · b9c1e60e
    Daniel Borkmann authored
    None of the JITs is allowed to implement exit paths from the BPF
    insn mappings other than BPF_JMP | BPF_EXIT. In the BPF core code
    we have a couple of rewrites in eBPF (e.g. LD_ABS / LD_IND) and
    in eBPF to cBPF translation to retain old existing behavior where
    exceptions may occur; they are also tightly controlled by the
    verifier where it disallows some of the features such as BPF to
    BPF calls when legacy LD_ABS / LD_IND ops are present in the BPF
    program. During recent review of all BPF_XADD JIT implementations
    I noticed that the ppc64 one is buggy in that it contains two
    jumps to exit paths. This is problematic as this can bypass verifier
    expectations e.g. pointed out in commit f6b1b3bf ("bpf: fix
    subprog verifier bypass by div/mod by 0 exception"). The first
    exit path is obsoleted by the fix in ca369602 ("bpf: allow xadd
    only on aligned memory") anyway, and for the second one we need to
    do a fetch, add and store loop if the reservation from lwarx/ldarx
    was lost in the meantime.
    
    Fixes: 156d0e29 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
    Reviewed-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Reviewed-by: default avatarSandipan Das <sandipan@linux.vnet.ibm.com>
    Tested-by: default avatarSandipan Das <sandipan@linux.vnet.ibm.com>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    b9c1e60e
bpf_jit_comp64.c 28.4 KB