From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, "Björn Töpel" <bjorn@rivosinc.com>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Sasha Levin" <sashal@kernel.org>
Subject: [PATCH 5.15 029/102] riscv, bpf: Sign-extend return values
Date: Mon, 16 Oct 2023 10:40:28 +0200	[thread overview]
Message-ID: <20231016083954.479433491@linuxfoundation.org> (raw)
In-Reply-To: <20231016083953.689300946@linuxfoundation.org>

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Björn Töpel <bjorn@rivosinc.com>

[ Upstream commit 2f1b0d3d733169eb11680bfa97c266ae5e757148 ]

The RISC-V architecture does not expose sub-registers, and holds all
32-bit values in a sign-extended format [1] [2]:

  | The compiler and calling convention maintain an invariant that all
  | 32-bit values are held in a sign-extended format in 64-bit
  | registers. Even 32-bit unsigned integers extend bit 31 into bits
  | 63 through 32. Consequently, conversion between unsigned and
  | signed 32-bit integers is a no-op, as is conversion from a signed
  | 32-bit integer to a signed 64-bit integer.

BPF, on the other hand, exposes sub-registers and uses
zero-extension (similar to arm64/x86).

This has led to some subtle bugs, where a BPF JITted program has not
sign-extended the a0 register (the return value in RISC-V land) before
passing the return value up to the kernel, e.g.:

  | int from_bpf(void);
  |
  | long foo(void)
  | {
  |    return from_bpf();
  | }

Here, a0 would be 0xffff_ffff, instead of the expected
0xffff_ffff_ffff_ffff.

Internally, the RISC-V JIT uses a5 as a dedicated register for BPF
return values.

Keep a5 zero-extended, but explicitly sign-extend a0 (which is used
outside BPF land). Now that a0 (RISC-V ABI) and a5 (BPF ABI) differ,
a0 is only moved to a5 for non-BPF native calls (BPF_PSEUDO_CALL).

Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G")
Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://github.com/riscv/riscv-isa-manual/releases/download/riscv-isa-release-056b6ff-2023-10-02/unpriv-isa-asciidoc.pdf # [2]
Link: https://github.com/riscv-non-isa/riscv-elf-psabi-doc/releases/download/draft-20230929-e5c800e661a53efe3c2678d71a306323b60eb13b/riscv-abi.pdf # [2]
Link: https://lore.kernel.org/bpf/20231004120706.52848-2-bjorn@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/net/bpf_jit_comp64.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
index 5fc1386bf311d..3f471884816af 100644
--- a/arch/riscv/net/bpf_jit_comp64.c
+++ b/arch/riscv/net/bpf_jit_comp64.c
@@ -220,7 +220,7 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx)
 	emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx);
 	/* Set return value. */
 	if (!is_tail_call)
-		emit_mv(RV_REG_A0, RV_REG_A5, ctx);
+		emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx);
 	emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA,
 		  is_tail_call ? 4 : 0, /* skip TCC init */
 		  ctx);
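Review bot: the comment `/* Set return value. */` above the changed line no longer explains why `emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx)` replaces a plain move; `addiw rd, rs, 0` reads like a gratuitous no-op, so add a note that it sign-extends the low 32 bits of a5 into a0 for the RISC-V calling convention while a5 itself stays zero-extended for BPF. Leaving a0 untouched on the tail-call path is fine, since control continues in another BPF program whose own epilogue performs the extension.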
@@ -875,7 +875,8 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
 		if (ret)
 			return ret;
 
-		emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
+		if (insn->src_reg != BPF_PSEUDO_CALL)
+			emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
 		break;
 	}
 	/* tail call */
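Review bot: the new `insn->src_reg != BPF_PSEUDO_CALL` test relies on two unstated invariants: a BPF-to-BPF callee has already left its result in the same a5 that `bpf_to_rv_reg(BPF_REG_0, ctx)` resolves to in the caller, and a0 now holds a sign-extended copy that must not be written back into BPF's zero-extended view. A one-line comment on the condition (e.g. "BPF callee already set a5; a0 is sign-extended for the kernel ABI") would keep a later cleanup from folding the two call kinds back together.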
-- 
2.40.1
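As an added example (not part of this patch or of the kernel's JIT), the C below models the instruction swap in the epilogue hunk: it encodes `mv a0, a5` and `addiw a0, a5, 0` with the I-type layout, executes them on a 64-bit register file, and returns what the kernel caller sees in a0 when BPF_REG_0 holds (u32)-1. Helper names (rv_i_type, rv_mv, rv_addiw, sext32, rv_exec, epilogue_a0) are ours; register numbers and opcodes are those of the RISC-V unprivileged ISA.

```c
#include <stdint.h>

/* Added example, not kernel code: register numbers and I-type encodings follow
 * the RISC-V unprivileged ISA; the helper names are ours. */
#define RV_REG_A0 10		/* x10: return value in the RISC-V calling convention */
#define RV_REG_A5 15		/* x15: the JIT's dedicated home for BPF_REG_0 */
#define OPC_OP_IMM   0x13	/* ADDI  (full 64-bit result) */
#define OPC_OP_IMM32 0x1b	/* ADDIW (32-bit result, sign-extended) */

/* I-type encoding: imm[11:0] | rs1 | funct3 | rd | opcode. */
static uint32_t rv_i_type(int16_t imm, unsigned rs1, unsigned funct3, unsigned rd, unsigned opc)
{
	return ((uint32_t)(imm & 0xfff) << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opc;
}

/* "mv rd, rs" is the assembler alias for "addi rd, rs, 0". */
static uint32_t rv_mv(unsigned rd, unsigned rs) { return rv_i_type(0, rs, 0, rd, OPC_OP_IMM); }
static uint32_t rv_addiw(unsigned rd, unsigned rs, int16_t imm) { return rv_i_type(imm, rs, 0, rd, OPC_OP_IMM32); }

/* Sign-extend the low 32 bits of a value, as every RV64 *W instruction does. */
static uint64_t sext32(uint64_t v)
{
	uint32_t w = (uint32_t)v;
	return (w & 0x80000000u) ? ((uint64_t)w | 0xffffffff00000000ull) : (uint64_t)w;
}

/* Execute one ADDI/ADDIW against a 32-entry register file; 0 on success. */
static int rv_exec(uint32_t insn, uint64_t regs[32])
{
	unsigned opc = insn & 0x7f, rd = (insn >> 7) & 0x1f, rs1 = (insn >> 15) & 0x1f;
	int64_t imm = (int32_t)insn >> 20;	/* arithmetic shift sign-extends imm[11:0] */
	uint64_t sum = regs[rs1] + (uint64_t)imm;

	if (((insn >> 12) & 7) != 0)
		return -1;			/* funct3 must be 0 for ADDI/ADDIW */
	if (opc == OPC_OP_IMM)
		regs[rd] = sum;
	else if (opc == OPC_OP_IMM32)
		regs[rd] = sext32(sum);
	else
		return -1;
	regs[0] = 0;				/* x0 is hardwired to zero */
	return 0;
}

/* Model the "Set return value" step of __build_epilogue(): a5 holds BPF_REG_0
 * zero-extended (BPF exposes sub-registers); return what the caller sees in a0. */
static uint64_t epilogue_a0(uint32_t bpf_r0, int fixed)
{
	uint64_t regs[32] = {0};
	regs[RV_REG_A5] = bpf_r0;
	rv_exec(fixed ? rv_addiw(RV_REG_A0, RV_REG_A5, 0) : rv_mv(RV_REG_A0, RV_REG_A5), regs);
	return regs[RV_REG_A0];
}
```

With the old `mv`, a0 comes out as 0xffff_ffff; with `addiw` it is 0xffff_ffff_ffff_ffff, matching the commit message, while a5 stays zero-extended for BPF.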