public inbox for stable@vger.kernel.org
* [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
@ 2025-05-13  6:45 bin.lan.cn
  2025-05-13  6:45 ` [PATCH 6.1.y 2/2] bpf, arm64: Fix address emission with tag-based KASAN enabled bin.lan.cn
  2025-05-13 18:49 ` [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG Sasha Levin
From: bin.lan.cn @ 2025-05-13  6:45 UTC (permalink / raw)
  To: gregkh, stable
  Cc: puranjay, bin.lan.cn, SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2,
	daniel

From: Puranjay Mohan <puranjay@kernel.org>

[ Upstream commit 19d3c179a37730caf600a97fed3794feac2b197b ]

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them
the struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit
instructions for moving the bpf_tramp_image address into R0, but
emit_addr_mov_i64() assumes the address to be in the vmalloc() space
and uses only 48 bits. Because bpf_tramp_image is allocated using
kzalloc(), its address can use more than 48 bits; in this case the
trampoline will pass an invalid address to __bpf_tramp_enter/exit(),
causing a kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()
as it can work with addresses that are greater than 48-bits.

Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15MB4615.namprd15.prod.outlook.com/
Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org
[Minor context change fixed.]
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
---
Build test passed.
---
 arch/arm64/net/bpf_jit_comp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index c04ace8f4843..3168343815b3 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -1893,7 +1893,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_enter, ctx);
 	}
 
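Review bot: this replacement swaps a fixed-length sequence for a value-dependent one, and prepare_trampoline() is also what the size-calculation pass runs, so the instruction count taken on that pass no longer necessarily matches what generation emits for the kzalloc()'d im. That is exactly what 2/2 in this series (upstream a552e2ef5fd1) repairs, so 1/2 should not be queued for 6.1.y on its own; a sentence in the cover note saying the two are a pair would spare the stable maintainers the cross-check.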
@@ -1937,7 +1937,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
 		im->ip_epilogue = ctx->image + ctx->idx;
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_exit, ctx);
 	}
 
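Review bot: the 6.1 context line `im->ip_epilogue = ctx->image + ctx->idx;` differs from upstream's `ctx->ro_image`, and that is the whole of the "[Minor context change fixed.]" deviation; naming it in that note would help reviewers, since the bot's diff below flags precisely this line. The ordering is right as it stands: ip_epilogue is recorded before the mov, so the epilogue address is unaffected by the emitted sequence getting longer or shorter.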
-- 
2.34.1



* [PATCH 6.1.y 2/2] bpf, arm64: Fix address emission with tag-based KASAN enabled
  2025-05-13  6:45 [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG bin.lan.cn
@ 2025-05-13  6:45 ` bin.lan.cn
  2025-05-13 18:49   ` Sasha Levin
  2025-05-13 18:49 ` [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG Sasha Levin
From: bin.lan.cn @ 2025-05-13  6:45 UTC (permalink / raw)
  To: gregkh, stable
  Cc: puranjay, bin.lan.cn, SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2,
	daniel

From: Peter Collingbourne <pcc@google.com>

[ Upstream commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c ]

When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.

Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com
[Minor context change fixed.]
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
---
Build test passed.
---
 arch/arm64/net/bpf_jit_comp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 3168343815b3..4afbbfc1d488 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -1893,7 +1893,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
-		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
+		/* for the first pass, assume the worst case */
+		if (!ctx->image)
+			ctx->idx += 4;
+		else
+			emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_enter, ctx);
 	}
 
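Review bot: the literal 4 in `ctx->idx += 4;` is the MOVZ/MOVK worst case for a 64-bit immediate (four 16-bit lanes), but nothing in the hunk ties it to emit_a64_mov_i64(); a named constant, or a comment on that function stating it never emits more than four instructions, would keep the sizing pass honest if the emitter is ever changed. The `!ctx->image` test also relies on the sizing pass passing a NULL image, which the "first pass" comment implies but does not say.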
@@ -1937,7 +1941,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
 		im->ip_epilogue = ctx->image + ctx->idx;
-		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
+		/* for the first pass, assume the worst case */
+		if (!ctx->image)
+			ctx->idx += 4;
+		else
+			emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_exit, ctx);
 	}
 
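Review bot: this is the same five-line block as the prologue hunk, duplicated verbatim; a small helper (say emit_tramp_image_addr(im, ctx), name illustrative) used in both places would stop the worst-case reservation and the real emission from drifting apart. `im->ip_epilogue` is still taken from `ctx->image + ctx->idx` before the reservation, so on the sizing pass it lands in the stack copy of bpf_tramp_image and on the generation pass in the real one, unchanged from before.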
-- 
2.34.1


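The two commit messages above describe one helper that silently forces the top 16 bits of an address to all ones, and a sizing pass that can budget fewer instructions than the generation pass then emits. As an added illustration (not code from the thread, from the kernel or from either author), the C below models both. The MOVZ/MOVN/MOVK encodings are real AArch64, but jit_ctx, emit(), emit_addr_mov_i64(), emit_a64_mov_i64() and the CALL_ORIG fragment are simplified stand-ins for what arch/arm64/net/bpf_jit_comp.c does, run_mov_seq(), materialize(), mov_insn_count() and jit_trampoline() are invented for the demonstration, and STACK_IM and TAGGED_IM are made-up addresses chosen so that the sizing pass sees a three-instruction sequence and the generation pass needs four.

```c
/* Added model, not kernel code: real AArch64 MOVZ/MOVN/MOVK encodings, but the
 * emitters, jit_ctx and trampoline fragment are simplified stand-ins for
 * arch/arm64/net/bpf_jit_comp.c, and every address used here is made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define A64_NOP 0xd503201fU
#define A64_BL  0x94000000U /* bl, zero offset: stands in for emit_call() */
/* 64-bit wide moves; hw selects which 16-bit lane of the register is written */
#define WIDE_MOV(op, rd, imm, hw) ((op) | ((uint32_t)(hw) << 21) | ((uint32_t)(uint16_t)(imm) << 5) | (uint32_t)(rd))
#define A64_MOVN(rd, imm, hw) WIDE_MOV(0x92800000U, rd, imm, hw)
#define A64_MOVZ(rd, imm, hw) WIDE_MOV(0xd2800000U, rd, imm, hw)
#define A64_MOVK(rd, imm, hw) WIDE_MOV(0xf2800000U, rd, imm, hw)
#define LANE(v, hw) ((uint16_t)((v) >> (16 * (hw))))

/* image is NULL on the sizing pass; cap/overflow are model-only bookkeeping */
struct jit_ctx { uint32_t *image; size_t idx, cap; bool overflow; };

/* Like the kernel's emit(): count on every pass, store only when image != NULL */
static void emit(uint32_t insn, struct jit_ctx *ctx)
{
	if (ctx->image && ctx->idx < ctx->cap)
		ctx->image[ctx->idx] = insn;
	else if (ctx->image)
		ctx->overflow = true; /* generation wrote past the sized image */
	ctx->idx++;
}

/* Pre-fix helper (patch 1/2): lane 3 is never written, so bits 48..63 stay as
 * MOVN left them, all ones. Right only for 0xffff.... addresses; always 3 insns. */
static void emit_addr_mov_i64(int reg, uint64_t val, struct jit_ctx *ctx)
{
	emit(A64_MOVN(reg, ~val, 0), ctx);
	emit(A64_MOVK(reg, val >> 16, 1), ctx);
	emit(A64_MOVK(reg, val >> 32, 2), ctx);
}

/* Full-width helper (simplified): MOVZ or MOVN with the more common filler lane
 * (0x0000/0xffff), then MOVK the lanes that differ. Correct for any value,
 * but the length now depends on the value: 1 to 4 instructions. */
static void emit_a64_mov_i64(int reg, uint64_t val, struct jit_ctx *ctx)
{
	int zeros = 0, ones = 0, hw;
	bool first = true;
	for (hw = 0; hw < 4; hw++) {
		zeros += LANE(val, hw) == 0x0000;
		ones += LANE(val, hw) == 0xffff;
	}
	uint16_t filler = ones > zeros ? 0xffff : 0x0000;
	for (hw = 0; hw < 4; hw++) {
		uint16_t lane = LANE(val, hw);
		if (lane == filler && !(first && hw == 3))
			continue; /* MOVZ/MOVN fills this lane for free */
		if (!first)
			emit(A64_MOVK(reg, lane, hw), ctx);
		else if (filler)
			emit(A64_MOVN(reg, ~lane, hw), ctx);
		else
			emit(A64_MOVZ(reg, lane, hw), ctx);
		first = false;
	}
}

/* Run a wide-move sequence as the CPU would (opc 00 MOVN, 10 MOVZ, 11 MOVK) */
static uint64_t run_mov_seq(const uint32_t *insn, size_t n)
{
	uint64_t reg = 0;
	for (size_t i = 0; i < n; i++) {
		int sh = 16 * ((insn[i] >> 21) & 3), opc = (insn[i] >> 29) & 3;
		uint64_t imm = ((insn[i] >> 5) & 0xffffULL) << sh;
		reg = opc == 0 ? ~imm : opc == 2 ? imm : (reg & ~(0xffffULL << sh)) | imm;
	}
	return reg;
}

/* Emit val with either helper and return what R0 would really end up holding */
static uint64_t materialize(bool full_width, uint64_t val)
{
	uint32_t buf[4];
	struct jit_ctx ctx = { .image = buf, .cap = 4 };
	(full_width ? emit_a64_mov_i64 : emit_addr_mov_i64)(0, val, &ctx);
	return run_mov_seq(buf, ctx.idx);
}

/* Instruction count for val as the sizing pass (image == NULL) would see it */
static size_t mov_insn_count(bool full_width, uint64_t val)
{
	struct jit_ctx ctx = { 0 };
	(full_width ? emit_a64_mov_i64 : emit_addr_mov_i64)(0, val, &ctx);
	return ctx.idx;
}

/* Two-pass JIT of the CALL_ORIG fragment (load im into R0, call
 * __bpf_tramp_enter): pass 0 sizes with size_im (the stack copy), pass 1
 * generates with gen_im (the kzalloc()'d copy) into exactly that many words.
 * With worst_case set, the sizing pass reserves 4 slots instead (patch 2/2). */
static bool jit_trampoline(uint64_t size_im, uint64_t gen_im, bool worst_case)
{
	uint32_t image[8];
	struct jit_ctx ctx = { 0 };
	for (int pass = 0; pass < 2; pass++) {
		emit(A64_NOP, &ctx); /* stands in for the register saves */
		if (worst_case && !ctx.image)
			ctx.idx += 4;
		else
			emit_a64_mov_i64(0, pass ? gen_im : size_im, &ctx);
		emit(A64_BL, &ctx);
		if (!pass) /* "allocate" exactly idx words, then start over */
			ctx.image = image, ctx.cap = ctx.idx, ctx.idx = 0;
	}
	return ctx.overflow;
}

/* Constructed inputs: a 0xffff.... stack address and a tagged heap address */
#define STACK_IM  0xffff800012345678ULL
#define TAGGED_IM 0xf6ff80009abcdef0ULL
```

materialize(false, TAGGED_IM) comes back as 0xffff80009abcdef0, the tag byte replaced by all ones, which is the invalid pointer patch 1/2 fixes; materialize(true, TAGGED_IM) returns the address intact. mov_insn_count(true, ...) is 3 for STACK_IM and 4 for TAGGED_IM, so jit_trampoline(STACK_IM, TAGGED_IM, false) returns true, the one-instruction overrun patch 2/2 closes, and with worst_case set it returns false. The real emitter's choice between MOVZ and MOVN differs in detail from this model; the property the second commit message relies on, a length that depends on the immediate, is the same.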

* Re: [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
  2025-05-13  6:45 [PATCH 6.1.y 1/2] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG bin.lan.cn
  2025-05-13  6:45 ` [PATCH 6.1.y 2/2] bpf, arm64: Fix address emission with tag-based KASAN enabled bin.lan.cn
@ 2025-05-13 18:49 ` Sasha Levin
From: Sasha Levin @ 2025-05-13 18:49 UTC (permalink / raw)
  To: stable, bin.lan.cn; +Cc: Sasha Levin

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Found follow-up fixes in mainline

The upstream commit SHA1 provided is correct: 19d3c179a37730caf600a97fed3794feac2b197b

WARNING: Author mismatch between patch and upstream commit:
Backport author: bin.lan.cn@windriver.com
Commit author: Puranjay Mohan <puranjay@kernel.org>

Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found

Found fixes commits:
a552e2ef5fd1 bpf, arm64: Fix address emission with tag-based KASAN enabled

Note: The patch differs from the upstream commit:
---
1:  19d3c179a3773 ! 1:  1aa523ed63730 bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
    @@ Metadata
      ## Commit message ##
         bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
     
    +    [ Upstream commit 19d3c179a37730caf600a97fed3794feac2b197b ]
    +
         When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
         __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them
         the struct bpf_tramp_image *im pointer as an argument in R0.
    @@ Commit message
         Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
         Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15MB4615.namprd15.prod.outlook.com/
         Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org
    +    [Minor context change fixed.]
    +    Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
    +    Signed-off-by: He Zhe <zhe.he@windriver.com>
     
      ## arch/arm64/net/bpf_jit_comp.c ##
     @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
    @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx
     @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
      
      	if (flags & BPF_TRAMP_F_CALL_ORIG) {
    - 		im->ip_epilogue = ctx->ro_image + ctx->idx;
    + 		im->ip_epilogue = ctx->image + ctx->idx;
     -		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
     +		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
      		emit_call((const u64)__bpf_tramp_exit, ctx);
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |


* Re: [PATCH 6.1.y 2/2] bpf, arm64: Fix address emission with tag-based KASAN enabled
  2025-05-13  6:45 ` [PATCH 6.1.y 2/2] bpf, arm64: Fix address emission with tag-based KASAN enabled bin.lan.cn
@ 2025-05-13 18:49   ` Sasha Levin
From: Sasha Levin @ 2025-05-13 18:49 UTC (permalink / raw)
  To: stable; +Cc: bin.lan.cn, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c

WARNING: Author mismatch between patch and upstream commit:
Backport author: bin.lan.cn@windriver.com
Commit author: Peter Collingbourne <pcc@google.com>

Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found

Note: The patch differs from the upstream commit:
---
1:  a552e2ef5fd1a ! 1:  f5313793f7e10 bpf, arm64: Fix address emission with tag-based KASAN enabled
    @@ Metadata
      ## Commit message ##
         bpf, arm64: Fix address emission with tag-based KASAN enabled
     
    +    [ Upstream commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c ]
    +
         When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
         struct on the stack is passed during the size calculation pass and
         an address on the heap is passed during code generation. This may
    @@ Commit message
         Acked-by: Xu Kuohai <xukuohai@huawei.com>
         Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
         Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com
    +    [Minor context change fixed.]
    +    Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
    +    Signed-off-by: He Zhe <zhe.he@windriver.com>
     
      ## arch/arm64/net/bpf_jit_comp.c ##
     @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
    @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx
     @@ arch/arm64/net/bpf_jit_comp.c: static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
      
      	if (flags & BPF_TRAMP_F_CALL_ORIG) {
    - 		im->ip_epilogue = ctx->ro_image + ctx->idx;
    + 		im->ip_epilogue = ctx->image + ctx->idx;
     -		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
     +		/* for the first pass, assume the worst case */
     +		if (!ctx->image)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Success   |

