diff --git a/patches.suse/bpf-x86-Fix-encoding-for-lower-8-bit-registers-in-BP.patch b/patches.suse/bpf-x86-Fix-encoding-for-lower-8-bit-registers-in-BP.patch new file mode 100644 index 0000000..6aff34b --- /dev/null +++ b/patches.suse/bpf-x86-Fix-encoding-for-lower-8-bit-registers-in-BP.patch @@ -0,0 +1,72 @@ +From: Luke Nelson +Date: Sat, 18 Apr 2020 16:26:53 -0700 +Subject: bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B +Git-commit: aee194b14dd2b2bde6252b3acf57d36dccfc743a +Patch-mainline: 5.7-rc3 +References: git-fixes + +This patch fixes an encoding bug in emit_stx for BPF_B when the source +register is BPF_REG_FP. + +The current implementation for BPF_STX BPF_B in emit_stx saves one REX +byte when the operands can be encoded using Mod-R/M alone. The lower 8 +bits of registers %rax, %rbx, %rcx, and %rdx can be accessed without using +a REX prefix via %al, %bl, %cl, and %dl, respectively. Other registers, +(e.g., %rsi, %rdi, %rbp, %rsp) require a REX prefix to use their 8-bit +equivalents (%sil, %dil, %bpl, %spl). + +The current code checks if the source for BPF_STX BPF_B is BPF_REG_1 +or BPF_REG_2 (which map to %rdi and %rsi), in which case it emits the +required REX prefix. However, it misses the case when the source is +BPF_REG_FP (mapped to %rbp). + +The result is that BPF_STX BPF_B with BPF_REG_FP as the source operand +will read from register %ch instead of the correct %bpl. This patch fixes +the problem by fixing and refactoring the check on which registers need +the extra REX byte. Since no BPF registers map to %rsp, there is no need +to handle %spl. + +Fixes: 622582786c9e0 ("net: filter: x86: internal BPF JIT") +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200418232655.23870-1-luke.r.nels@gmail.com +Signed-off-by: Jiri Slaby +--- + arch/x86/net/bpf_jit_comp.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -146,6 +146,19 @@ static bool is_ereg(u32 reg) + BIT(BPF_REG_AX)); + } + ++/* ++ * is_ereg_8l() == true if BPF register 'reg' is mapped to access x86-64 ++ * lower 8-bit registers dil,sil,bpl,spl,r8b..r15b, which need extra byte ++ * of encoding. al,cl,dl,bl have simpler encoding. ++ */ ++static bool is_ereg_8l(u32 reg) ++{ ++ return is_ereg(reg) || ++ (1 << reg) & (BIT(BPF_REG_1) | ++ BIT(BPF_REG_2) | ++ BIT(BPF_REG_FP)); ++} ++ + /* add modifiers if 'reg' maps to x64 registers r8..r15 */ + static u8 add_1mod(u8 byte, u32 reg) + { +@@ -720,9 +733,8 @@ st: if (is_imm8(insn->off)) + /* STX: *(u8*)(dst_reg + off) = src_reg */ + case BPF_STX | BPF_MEM | BPF_B: + /* emit 'mov byte ptr [rax + off], al' */ +- if (is_ereg(dst_reg) || is_ereg(src_reg) || +- /* have to add extra byte for x86 SIL, DIL regs */ +- src_reg == BPF_REG_1 || src_reg == BPF_REG_2) ++ if (is_ereg(dst_reg) || is_ereg_8l(src_reg)) ++ /* Add extra byte for eregs or SIL,DIL,BPL in src_reg */ + EMIT2(add_2mod(0x40, dst_reg, src_reg), 0x88); + else + EMIT1(0x88); diff --git a/series.conf b/series.conf index c27fccc..ad93ee2 100644 --- a/series.conf +++ b/series.conf @@ -56271,6 +56271,7 @@ patches.suse/net-systemport-suppress-warnings-on-failed-Rx-SKB-al.patch patches.suse/cpumap-Avoid-warning-when-CONFIG_DEBUG_PER_CPU_MAPS-.patch patches.suse/bpf-Forbid-XADD-on-spilled-pointers-for-unprivileged.patch + patches.suse/bpf-x86-Fix-encoding-for-lower-8-bit-registers-in-BP.patch patches.suse/powerpc-setup_64-Set-cache-line-size-based-on-cache-.patch patches.suse/s390-ftrace-fix-potential-crashes-when-switching-tracers patches.suse/s390-pci-do-not-set-affinity-for-floating-irqs