From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Russell King <rmk+kernel@armlinux.org.uk>
Subject: [PATCH 4.14 15/71] ARM: net: bpf: fix tail call jumps
Date: Mon, 29 Jan 2018 13:56:43 +0100 [thread overview]
Message-ID: <20180129123828.315103969@linuxfoundation.org> (raw)
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@armlinux.org.uk>
commit f4483f2cc1fdc03488c8a1452e545545ae5bda93 upstream.
When a tail call fails, it is documented that the tail call should
continue execution at the following instruction. An example tail call
sequence is:
12: (85) call bpf_tail_call#12
13: (b7) r0 = 0
14: (95) exit
The ARM assembler for the tail call in this case ends up branching to
instruction 14 instead of instruction 13, resulting in the BPF filter
returning a non-zero value:
178: ldr r8, [sp, #588] ; insn 12
17c: ldr r6, [r8, r6]
180: ldr r8, [sp, #580]
184: cmp r8, r6
188: bcs 0x1e8
18c: ldr r6, [sp, #524]
190: ldr r7, [sp, #528]
194: cmp r7, #0
198: cmpeq r6, #32
19c: bhi 0x1e8
1a0: adds r6, r6, #1
1a4: adc r7, r7, #0
1a8: str r6, [sp, #524]
1ac: str r7, [sp, #528]
1b0: mov r6, #104
1b4: ldr r8, [sp, #588]
1b8: add r6, r8, r6
1bc: ldr r8, [sp, #580]
1c0: lsl r7, r8, #2
1c4: ldr r6, [r6, r7]
1c8: cmp r6, #0
1cc: beq 0x1e8
1d0: mov r8, #32
1d4: ldr r6, [r6, r8]
1d8: add r6, r6, #44
1dc: bx r6
1e0: mov r0, #0 ; insn 13
1e4: mov r1, #0
1e8: add sp, sp, #596 ; insn 14
1ec: pop {r4, r5, r6, r7, r8, sl, pc}
For other sequences, the tail call could end up branching midway through
the following BPF instructions, or maybe off the end of the function,
leading to unknown behaviours.
Fixes: 39c13c204bb1 ("arm: eBPF JIT compiler")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/net/bpf_jit_32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -949,7 +949,7 @@ static int emit_bpf_tail_call(struct jit
const u8 *tcc = bpf2a32[TCALL_CNT];
const int idx0 = ctx->idx;
#define cur_offset (ctx->idx - idx0)
-#define jmp_offset (out_offset - (cur_offset))
+#define jmp_offset (out_offset - (cur_offset) - 2)
u32 off, lo, hi;
/* if (index >= array->map.max_entries)
next prev parent reply other threads:[~2018-01-29 20:15 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-29 12:56 [PATCH 4.14 00/71] 4.14.16-stable review Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 01/71] orangefs: use list_for_each_entry_safe in purge_waiting_ops Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 02/71] orangefs: initialize op on loop restart in orangefs_devreq_read Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 03/71] mm, page_alloc: fix potential false positive in __zone_watermark_ok Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 04/71] netfilter: nfnetlink_cthelper: Add missing permission checks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 05/71] netfilter: xt_osf: " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 06/71] xfrm: Fix a race in the xdst pcpu cache Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 07/71] Revert "module: Add retpoline tag to VERMAGIC" Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 08/71] Input: xpad - add support for PDP Xbox One controllers Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 09/71] Input: trackpoint - force 3 buttons if 0 button is reported Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 10/71] Input: trackpoint - only expose supported controls for Elan, ALPS and NXP Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 11/71] Btrfs: fix stale entries in readdir Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 12/71] KVM: s390: add proper locking for CMMA migration bitmap Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 13/71] orangefs: fix deadlock; do not write i_size in read_iter Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 14/71] ARM: net: bpf: avoid bx instruction on non-Thumb capable CPUs Greg Kroah-Hartman
2018-01-29 12:56 ` Greg Kroah-Hartman [this message]
2018-01-29 12:56 ` [PATCH 4.14 16/71] ARM: net: bpf: fix stack alignment Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 17/71] ARM: net: bpf: move stack documentation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 18/71] ARM: net: bpf: correct stack layout documentation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 19/71] ARM: net: bpf: fix register saving Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 20/71] ARM: net: bpf: fix LDX instructions Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 21/71] ARM: net: bpf: clarify tail_call index Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 22/71] drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 23/71] net: Allow neigh contructor functions ability to modify the primary_key Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 24/71] ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 25/71] dccp: dont restart ccid2_hc_tx_rto_expire() if sk in closed state Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 26/71] ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 27/71] ipv6: fix udpv6 sendmsg crash caused by too small MTU Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 28/71] ipv6: ip6_make_skb() needs to clear cork.base.dst Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 29/71] lan78xx: Fix failure in USB Full Speed Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 30/71] net: igmp: fix source address check for IGMPv3 reports Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.14 31/71] net: qdisc_pkt_len_init() should be more robust Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 32/71] net: tcp: close sock if net namespace is exiting Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 33/71] net/tls: Fix inverted error codes to avoid endless loop Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 34/71] net: vrf: Add support for sends to local broadcast address Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 35/71] pppoe: take ->needed_headroom of lower device into account on xmit Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 36/71] r8169: fix memory corruption on retrieval of hardware statistics Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 37/71] sctp: do not allow the v4 socket to bind a v4mapped v6 address Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 38/71] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 39/71] tipc: fix a memory leak in tipc_nl_node_get_link() Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 40/71] {net,ib}/mlx5: Dont disable local loopback multicast traffic when needed Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 41/71] net/mlx5: Fix get vector affinity helper function Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 42/71] ppp: unlock all_ppp_mutex before registering device Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 43/71] be2net: restore properly promisc mode after queues reconfiguration Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 44/71] ip6_gre: init dev->mtu and dev->hard_header_len correctly Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 45/71] gso: validate gso_type in GSO handlers Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 46/71] mlxsw: spectrum_router: Dont log an error on missing neighbor Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 47/71] tun: fix a memory leak for tfile->tx_array Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 48/71] flow_dissector: properly cap thoff field Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 49/71] sctp: reinit stream if stream outcnt has been change by sinit in sendmsg Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 50/71] netlink: extack needs to be reset each time through loop Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 51/71] net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 52/71] nfp: use the correct index for link speed table Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 53/71] netlink: reset extack earlier in netlink_rcv_skb Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 54/71] net/tls: Only attach to sockets in ESTABLISHED state Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 55/71] tls: fix sw_ctx leak Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 56/71] tls: return -EBUSY if crypto_info is already set Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 57/71] tls: reset crypto_info when do_tls_setsockopt_tx fails Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 58/71] net: ipv4: Make "ip route get" match iif lo rules again Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 59/71] vmxnet3: repair memory leak Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 60/71] perf/x86/amd/power: Do not load AMD power module on !AMD platforms Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 61/71] x86/microcode/intel: Extend BDW late-loading further with LLC size check Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 62/71] x86/microcode: Fix again accessing initrd after having been freed Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 63/71] x86/mm/64: Fix vmapped stack syncing on very-large-memory 4-level systems Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 64/71] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 65/71] bpf: introduce BPF_JIT_ALWAYS_ON config Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 66/71] bpf: avoid false sharing of map refcount with max_entries Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 67/71] bpf: fix divides by zero Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 68/71] bpf: fix 32-bit divide " Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 69/71] bpf: reject stores into ctx via st and xadd Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 70/71] bpf, arm64: fix stack_depth tracking in combination with tail calls Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.14 71/71] cpufreq: governor: Ensure sufficiently large sampling intervals Greg Kroah-Hartman
2018-01-29 23:59 ` [PATCH 4.14 00/71] 4.14.16-stable review Shuah Khan
2018-01-30 10:06 ` Naresh Kamboju
2018-01-30 12:53 ` Greg Kroah-Hartman
2018-01-30 14:21 ` Guenter Roeck
2018-01-30 14:52 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180129123828.315103969@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+kernel@armlinux.org.uk \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).