* [PATCH bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG
@ 2024-07-11 15:18 ` Puranjay Mohan
  2024-07-11 16:00   ` patchwork-bot+netdevbpf
  2024-08-17 22:44   ` Michael
  0 siblings, 2 replies; 3+ messages in thread
From: Puranjay Mohan @ 2024-07-11 15:18 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Puranjay Mohan, Xu Kuohai, Catalin Marinas, Will Deacon,
	Jean-Philippe Brucker, bpf, linux-arm-kernel, linux-kernel

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the
struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit
instructions for moving the bpf_tramp_image address into R0, but
emit_addr_mov_i64() assumes the address to be in the vmalloc() space and
uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(),
its address can use more than 48 bits; in this case the trampoline
will pass an invalid address to __bpf_tramp_enter/exit(), causing a
kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() as
it can work with addresses that are greater than 48-bits.

Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15MB4615.namprd15.prod.outlook.com/
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 arch/arm64/net/bpf_jit_comp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 720336d28856..1bf483ec971d 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -2141,7 +2141,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_enter, ctx);
 	}
 
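Review bot: the `(const u64)im` materialization into R0 here is the first of two identical sites that are switched from emit_addr_mov_i64() to emit_a64_mov_i64(), and nothing at the call site records why; a one-line comment above this `emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);` stating that im is a kzalloc()'d pointer and that emit_addr_mov_i64() only handles 48-bit vmalloc-range addresses would stop a later cleanup from "unifying" the two helpers back, and would document the constraint the commit message explains.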
@@ -2185,7 +2185,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
 		im->ip_epilogue = ctx->ro_image + ctx->idx;
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_exit, ctx);
 	}
 
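Review bot: this second site captures `im->ip_epilogue = ctx->ro_image + ctx->idx` immediately before the mov, so the recorded epilogue address stays correct regardless of how many instructions emit_a64_mov_i64() needs for this immediate; it is worth stating in the commit message that nothing downstream of ip_epilogue assumes the fixed-length sequence emit_addr_mov_i64() used to produce, since that is the one behavioural difference besides the widened address range.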
-- 
2.40.1


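The failure the commit message describes, as an added model that is not the kernel's code: a 48-bit materialization keeps the top 16 bits all-ones (the shape that suits a top-of-VA vmalloc() pointer), so a struct bpf_tramp_image pointer whose top bits differ comes out wrong, while a full 64-bit materialization reproduces it exactly. The two model functions and the sample addresses (a vmalloc-style pointer and a linear-map-style pointer whose top 16 bits are not all ones, as on a 52-bit VA configuration) are my assumptions, not values or code from the page.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of a 48-bit address materialization: only the low 48 bits of
 * the immediate are encoded and the top 16 bits are left all-ones.
 * Assumption (mine, not stated on the page): this is what the commit
 * message means by emit_addr_mov_i64() "uses only 48 bits".
 */
static uint64_t model_addr_mov_i64(uint64_t addr)
{
	return 0xffff000000000000ULL | (addr & 0x0000ffffffffffffULL);
}

/* Model of a full 64-bit materialization that merges all four 16-bit
 * halves of the immediate, the behaviour the patch switches to via
 * emit_a64_mov_i64(). */
static uint64_t model_a64_mov_i64(uint64_t addr)
{
	uint64_t out = 0;

	for (int shift = 0; shift < 64; shift += 16)
		out |= ((addr >> shift) & 0xffffULL) << shift;
	return out;
}

/* 1 if the 48-bit emitter would hand __bpf_tramp_enter/exit() a pointer
 * that differs from the real struct bpf_tramp_image address. */
int addr_mov_i64_truncates(uint64_t im_addr)
{
	return model_addr_mov_i64(im_addr) != im_addr;
}

int main(void)
{
	/* Constructed sample pointers, not values from the page. */
	const uint64_t vmalloc_like = 0xffff800012345678ULL; /* top 16 bits all set */
	const uint64_t kzalloc_like = 0xfff0000012345678ULL; /* top 16 bits not all set */

	printf("vmalloc-like %#llx: 48-bit mov %s\n",
	       (unsigned long long)vmalloc_like,
	       addr_mov_i64_truncates(vmalloc_like) ? "WRONG" : "ok");
	printf("kzalloc-like %#llx: 48-bit mov gives %#llx (%s), 64-bit mov gives %#llx\n",
	       (unsigned long long)kzalloc_like,
	       (unsigned long long)model_addr_mov_i64(kzalloc_like),
	       addr_mov_i64_truncates(kzalloc_like) ? "WRONG" : "ok",
	       (unsigned long long)model_a64_mov_i64(kzalloc_like));
	return 0;
}
```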

* Re: [PATCH bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG
  2024-07-11 15:18 ` [PATCH bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG Puranjay Mohan
@ 2024-07-11 16:00   ` patchwork-bot+netdevbpf
  2024-08-17 22:44   ` Michael
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-07-11 16:00 UTC (permalink / raw)
  To: Puranjay Mohan
  Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa, puranjay12, xukuohai,
	catalin.marinas, will, jean-philippe, bpf, linux-arm-kernel,
	linux-kernel

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Thu, 11 Jul 2024 15:18:38 +0000 you wrote:
> When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
> __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the
> struct bpf_tramp_image *im pointer as an argument in R0.
> 
> The trampoline generation code uses emit_addr_mov_i64() to emit
> instructions for moving the bpf_tramp_image address into R0, but
> emit_addr_mov_i64() assumes the address to be in the vmalloc() space and
> uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(),
> its address can use more than 48 bits; in this case the trampoline
> will pass an invalid address to __bpf_tramp_enter/exit(), causing a
> kernel crash.
> 
> [...]

Here is the summary with links:
  - [bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG
    https://git.kernel.org/bpf/bpf-next/c/19d3c179a377

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG
  2024-07-11 15:18 ` [PATCH bpf] bpf, arm64: fix trampoline for BPF_TRAMP_F_CALL_ORIG Puranjay Mohan
  2024-07-11 16:00   ` patchwork-bot+netdevbpf
@ 2024-08-17 22:44   ` Michael
  1 sibling, 0 replies; 3+ messages in thread
From: Michael @ 2024-08-17 22:44 UTC (permalink / raw)
  To: puranjay
  Cc: andrii, ast, bpf, catalin.marinas, daniel, eddyz87, haoluo,
	jean-philippe, john.fastabend, jolsa, kpsingh, linux-arm-kernel,
	linux-kernel, martin.lau, puranjay12, sdf, song, will, xukuohai,
	yonghong.song



