From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S966879AbcA0Tid (ORCPT <rfc822;w@1wt.eu>);
	Wed, 27 Jan 2016 14:38:33 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:56219 "EHLO
	mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S966168AbcA0TQy (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 27 Jan 2016 14:16:54 -0500
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org,
        Zi Shen Lim <zlim.lnx@gmail.com>, Yang Shi <yang.shi@linaro.org>,
        Xi Wang <xi.wang@gmail.com>, Alexei Starovoitov <ast@plumgrid.com>,
        Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH 4.1 110/127] arm64: bpf: fix mod-by-zero case
Date: Wed, 27 Jan 2016 10:14:34 -0800
Message-Id: <20160127180811.283389253@linuxfoundation.org>
X-Mailer: git-send-email 2.7.0
In-Reply-To: <20160127180805.624425994@linuxfoundation.org>
References: <20160127180805.624425994@linuxfoundation.org>
User-Agent: quilt/0.64
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zi Shen Lim <zlim.lnx@gmail.com>

commit 14e589ff4aa3f28a5424e92b6495ecb8950080f7 upstream.

Turns out in the case of modulo by zero in a BPF program:
	A = A % X;  (X == 0)
the expected behavior is to terminate with return value 0.

The bug in JIT is exposed by a new test case [1].

[1] https://lkml.org/lkml/2015/11/4/499

Signed-off-by: Zi Shen Lim <zlim.lnx@gmail.com>
Reported-by: Yang Shi <yang.shi@linaro.org>
Reported-by: Xi Wang <xi.wang@gmail.com>
CC: Alexei Starovoitov <ast@plumgrid.com>
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/net/bpf_jit_comp.c |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -269,6 +269,8 @@ static int build_insn(const struct bpf_i
 		break;
 	case BPF_ALU | BPF_DIV | BPF_X:
 	case BPF_ALU64 | BPF_DIV | BPF_X:
+	case BPF_ALU | BPF_MOD | BPF_X:
+	case BPF_ALU64 | BPF_MOD | BPF_X:
 	{
 		const u8 r0 = bpf2a64[BPF_REG_0];
 
@@ -281,16 +283,19 @@ static int build_insn(const struct bpf_i
 		check_imm26(jmp_offset);
 		emit(A64_B(jmp_offset), ctx);
 		/* else */
-		emit(A64_UDIV(is64, dst, dst, src), ctx);
+		switch (BPF_OP(code)) {
+		case BPF_DIV:
+			emit(A64_UDIV(is64, dst, dst, src), ctx);
+			break;
+		case BPF_MOD:
+			ctx->tmp_used = 1;
+			emit(A64_UDIV(is64, tmp, dst, src), ctx);
+			emit(A64_MUL(is64, tmp, tmp, src), ctx);
+			emit(A64_SUB(is64, dst, dst, tmp), ctx);
+			break;
+		}
 		break;
 	}
-	case BPF_ALU | BPF_MOD | BPF_X:
-	case BPF_ALU64 | BPF_MOD | BPF_X:
-		ctx->tmp_used = 1;
-		emit(A64_UDIV(is64, tmp, dst, src), ctx);
-		emit(A64_MUL(is64, tmp, tmp, src), ctx);
-		emit(A64_SUB(is64, dst, dst, tmp), ctx);
-		break;
 	case BPF_ALU | BPF_LSH | BPF_X:
 	case BPF_ALU64 | BPF_LSH | BPF_X:
 		emit(A64_LSLV(is64, dst, dst, src), ctx);