From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 41/91] bpf, x64: fix stack layout of JITed bpf code
Date: Fri, 12 Jul 2019 14:18:44 +0200 [thread overview]
Message-ID: <20190712121623.675904684@linuxfoundation.org> (raw)
In-Reply-To: <20190712121621.422224300@linuxfoundation.org>
[ Upstream commit fe8d9571dc50232b569242fac7ea6332a654f186 ]
Since commit 177366bf7ceb the %rbp stopped pointing to %rbp of the
previous stack frame. That broke frame pointer based stack unwinding.
This commit is a partial revert of it.
Note that the location of tail_call_cnt is fixed, since the verifier
enforces MAX_BPF_STACK stack size for programs with tail calls.
Fixes: 177366bf7ceb ("bpf: change x86 JITed program stack layout")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/net/bpf_jit_comp.c | 74 +++++++++++--------------------------
1 file changed, 21 insertions(+), 53 deletions(-)
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 2580cd2e98b1..a32fc3d99407 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -190,9 +190,7 @@ struct jit_context {
#define BPF_MAX_INSN_SIZE 128
#define BPF_INSN_SAFETY 64
-#define AUX_STACK_SPACE 40 /* Space for RBX, R13, R14, R15, tailcnt */
-
-#define PROLOGUE_SIZE 37
+#define PROLOGUE_SIZE 20
/*
* Emit x86-64 prologue code for BPF program and check its size.
@@ -203,44 +201,19 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf)
u8 *prog = *pprog;
int cnt = 0;
- /* push rbp */
- EMIT1(0x55);
-
- /* mov rbp,rsp */
- EMIT3(0x48, 0x89, 0xE5);
-
- /* sub rsp, rounded_stack_depth + AUX_STACK_SPACE */
- EMIT3_off32(0x48, 0x81, 0xEC,
- round_up(stack_depth, 8) + AUX_STACK_SPACE);
-
- /* sub rbp, AUX_STACK_SPACE */
- EMIT4(0x48, 0x83, 0xED, AUX_STACK_SPACE);
-
- /* mov qword ptr [rbp+0],rbx */
- EMIT4(0x48, 0x89, 0x5D, 0);
- /* mov qword ptr [rbp+8],r13 */
- EMIT4(0x4C, 0x89, 0x6D, 8);
- /* mov qword ptr [rbp+16],r14 */
- EMIT4(0x4C, 0x89, 0x75, 16);
- /* mov qword ptr [rbp+24],r15 */
- EMIT4(0x4C, 0x89, 0x7D, 24);
-
+ EMIT1(0x55); /* push rbp */
+ EMIT3(0x48, 0x89, 0xE5); /* mov rbp, rsp */
+ /* sub rsp, rounded_stack_depth */
+ EMIT3_off32(0x48, 0x81, 0xEC, round_up(stack_depth, 8));
+ EMIT1(0x53); /* push rbx */
+ EMIT2(0x41, 0x55); /* push r13 */
+ EMIT2(0x41, 0x56); /* push r14 */
+ EMIT2(0x41, 0x57); /* push r15 */
if (!ebpf_from_cbpf) {
- /*
- * Clear the tail call counter (tail_call_cnt): for eBPF tail
- * calls we need to reset the counter to 0. It's done in two
- * instructions, resetting RAX register to 0, and moving it
- * to the counter location.
- */
-
- /* xor eax, eax */
- EMIT2(0x31, 0xc0);
- /* mov qword ptr [rbp+32], rax */
- EMIT4(0x48, 0x89, 0x45, 32);
-
+ /* zero init tail_call_cnt */
+ EMIT2(0x6a, 0x00);
BUILD_BUG_ON(cnt != PROLOGUE_SIZE);
}
-
*pprog = prog;
}
@@ -285,13 +258,13 @@ static void emit_bpf_tail_call(u8 **pprog)
* if (tail_call_cnt > MAX_TAIL_CALL_CNT)
* goto out;
*/
- EMIT2_off32(0x8B, 0x85, 36); /* mov eax, dword ptr [rbp + 36] */
+ EMIT2_off32(0x8B, 0x85, -36 - MAX_BPF_STACK); /* mov eax, dword ptr [rbp - 548] */
EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
#define OFFSET2 (30 + RETPOLINE_RAX_BPF_JIT_SIZE)
EMIT2(X86_JA, OFFSET2); /* ja out */
label2 = cnt;
EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
- EMIT2_off32(0x89, 0x85, 36); /* mov dword ptr [rbp + 36], eax */
+ EMIT2_off32(0x89, 0x85, -36 - MAX_BPF_STACK); /* mov dword ptr [rbp -548], eax */
/* prog = array->ptrs[index]; */
EMIT4_off32(0x48, 0x8B, 0x84, 0xD6, /* mov rax, [rsi + rdx * 8 + offsetof(...)] */
@@ -1006,19 +979,14 @@ xadd: if (is_imm8(insn->off))
seen_exit = true;
/* Update cleanup_addr */
ctx->cleanup_addr = proglen;
- /* mov rbx, qword ptr [rbp+0] */
- EMIT4(0x48, 0x8B, 0x5D, 0);
- /* mov r13, qword ptr [rbp+8] */
- EMIT4(0x4C, 0x8B, 0x6D, 8);
- /* mov r14, qword ptr [rbp+16] */
- EMIT4(0x4C, 0x8B, 0x75, 16);
- /* mov r15, qword ptr [rbp+24] */
- EMIT4(0x4C, 0x8B, 0x7D, 24);
-
- /* add rbp, AUX_STACK_SPACE */
- EMIT4(0x48, 0x83, 0xC5, AUX_STACK_SPACE);
- EMIT1(0xC9); /* leave */
- EMIT1(0xC3); /* ret */
+ if (!bpf_prog_was_classic(bpf_prog))
+ EMIT1(0x5B); /* get rid of tail_call_cnt */
+ EMIT2(0x41, 0x5F); /* pop r15 */
+ EMIT2(0x41, 0x5E); /* pop r14 */
+ EMIT2(0x41, 0x5D); /* pop r13 */
+ EMIT1(0x5B); /* pop rbx */
+ EMIT1(0xC9); /* leave */
+ EMIT1(0xC3); /* ret */
break;
default:
--
2.20.1
next prev parent reply other threads:[~2019-07-12 12:21 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-12 12:18 [PATCH 4.19 00/91] 4.19.59-stable review Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 01/91] crypto: talitos - fix hash on SEC1 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 02/91] crypto: talitos - rename alternative AEAD algos Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 03/91] soc: brcmstb: Fix error path for unsupported CPUs Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 04/91] soc: bcm: brcmstb: biuctrl: Register writes require a barrier Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 05/91] Input: elantech - enable middle button support on 2 ThinkPads Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 06/91] samples, bpf: fix to change the buffer size for read() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 07/91] samples, bpf: suppress compiler warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 08/91] mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 09/91] bpf: sockmap, fix use after free from sleep in psock backlog workqueue Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 10/91] soundwire: stream: fix out of boundary access on port properties Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 11/91] staging:iio:ad7150: fix threshold mode config bit Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 12/91] mac80211: mesh: fix RCU warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 13/91] mac80211: free peer keys before vif down in mesh Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 14/91] mwifiex: Fix possible buffer overflows at parsing bss descriptor Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 15/91] iwlwifi: Fix double-free problems in iwl_req_fw_callback() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 16/91] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 17/91] soundwire: intel: set dai min and max channels correctly Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 18/91] dt-bindings: can: mcp251x: add mcp25625 support Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 19/91] can: mcp251x: add support for mcp25625 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 20/91] can: m_can: implement errata "Needless activation of MRAF irq" Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 21/91] can: af_can: Fix error path of can_init() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 22/91] net: phy: rename Asix Electronics PHY driver Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 23/91] ibmvnic: Do not close unopened driver during reset Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 24/91] ibmvnic: Refresh device multicast list after reset Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 25/91] ibmvnic: Fix unchecked return codes of memory allocations Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 26/91] ARM: dts: am335x phytec boards: Fix cd-gpios active level Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 27/91] s390/boot: disable address-of-packed-member warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 28/91] drm/vmwgfx: Honor the sg list segment size limitation Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 29/91] drm/vmwgfx: fix a warning due to missing dma_parms Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 30/91] riscv: Fix udelay in RV32 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 31/91] Input: imx_keypad - make sure keyboard can always wake up system Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 32/91] KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 33/91] mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 34/91] ARM: davinci: da850-evm: call regulator_has_full_constraints() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 35/91] ARM: davinci: da8xx: specify dma_coherent_mask for lcdc Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 36/91] mac80211: only warn once on chanctx_conf being NULL Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 37/91] mac80211: do not start any work during reconfigure flow Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 38/91] bpf, devmap: Fix premature entry free on destroying map Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 39/91] bpf, devmap: Add missing bulk queue free Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 40/91] bpf, devmap: Add missing RCU read lock on flush Greg Kroah-Hartman
2019-07-12 12:18 ` Greg Kroah-Hartman [this message]
2019-07-12 12:18 ` [PATCH 4.19 42/91] qmi_wwan: add support for QMAP padding in the RX path Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 43/91] qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 44/91] qmi_wwan: extend permitted QMAP mux_id value range Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 45/91] mmc: core: complete HS400 before checking status Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 46/91] md: fix for divide error in status_resync Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 47/91] bnx2x: Check if transceiver implements DDM before access Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 48/91] drm: return -EFAULT if copy_to_user() fails Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 49/91] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 50/91] net: lio_core: fix potential sign-extension overflow on large shift Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 51/91] scsi: qedi: Check targetname while finding boot target information Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 52/91] quota: fix a problem about transfer quota Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 53/91] net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 54/91] NFS4: Only set creation opendata if O_CREAT Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 55/91] net :sunrpc :clnt :Fix xps refcount imbalance on the error path Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 56/91] fscrypt: dont set policy for a dead directory Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 57/91] udf: Fix incorrect final NOT_ALLOCATED (hole) extent length Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 58/91] media: stv0297: fix frequency range limit Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 59/91] ALSA: usb-audio: Fix parse of UAC2 Extension Units Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 60/91] ALSA: hda/realtek - Headphone Mic cant record after S3 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 61/91] block, bfq: NULL out the bic when its no longer valid Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 62/91] perf pmu: Fix uncore PMU alias list for ARM64 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 63/91] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 64/91] x86/tls: Fix possible spectre-v1 in do_get_thread_area() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 65/91] Documentation: Add section about CPU vulnerabilities for Spectre Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 66/91] Documentation/admin: Remove the vsyscall=native documentation Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 67/91] mwifiex: Abort at too short BSS descriptor element Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 68/91] mwifiex: Dont abort on small, spec-compliant vendor IEs Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 69/91] USB: serial: ftdi_sio: add ID for isodebug v1 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 70/91] USB: serial: option: add support for GosunCn ME3630 RNDIS mode Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 71/91] Revert "serial: 8250: Dont service RX FIFO if interrupts are disabled" Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 72/91] p54usb: Fix race between disconnect and firmware loading Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 73/91] usb: gadget: ether: Fix race between gether_disconnect and rx_submit Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 74/91] usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 75/91] usb: renesas_usbhs: add a workaround for a race condition of workqueue Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 76/91] drivers/usb/typec/tps6598x.c: fix portinfo width Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 77/91] drivers/usb/typec/tps6598x.c: fix 4CC cmd write Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 78/91] staging: comedi: dt282x: fix a null pointer deref on interrupt Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 79/91] staging: comedi: amplc_pci230: fix " Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 80/91] HID: Add another Primax PIXART OEM mouse quirk Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 81/91] lkdtm: support llvm-objcopy Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 82/91] binder: fix memory leak in error path Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 83/91] carl9170: fix misuse of device driver API Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 84/91] VMCI: Fix integer overflow in VMCI handle arrays Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 85/91] MIPS: Remove superfluous check for __linux__ Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 86/91] staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 87/91] staging: bcm2835-camera: Replace spinlock protecting context_map with mutex Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 88/91] staging: bcm2835-camera: Ensure all buffers are returned on disable Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 89/91] staging: bcm2835-camera: Remove check of the number of buffers supplied Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 90/91] staging: bcm2835-camera: Handle empty EOS buffers whilst streaming Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 91/91] staging: rtl8712: reduce stack usage, again Greg Kroah-Hartman
2019-07-12 13:36 ` [PATCH 4.19 00/91] 4.19.59-stable review Jon Hunter
2019-07-12 22:06 ` shuah
2019-07-12 23:53 ` kernelci.org bot
2019-07-13 1:50 ` Naresh Kamboju
2019-07-13 20:39 ` Luke Nowakowski-Krijger
2019-07-13 22:05 ` Guenter Roeck
2019-07-14 5:34 ` Kelsey Skunberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190712121623.675904684@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).