bpf.vger.kernel.org archive mirror
* [PATCH v2 00/10] powerpc/bpf: Various fixes
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

This is v2 of the series posted at:
http://lkml.kernel.org/r/cover.1633104510.git.naveen.n.rao@linux.vnet.ibm.com

Only patches from v1 that need to go into powerpc/fixes are included.
Other patches will be posted as a separate series for inclusion into
powerpc/next.

Patches 7 to 10 are new and fix issues in ppc32.


- Naveen


Naveen N. Rao (10):
  powerpc/lib: Add helper to check if offset is within conditional
    branch range
  powerpc/bpf: Validate branch ranges
  powerpc/bpf: Fix BPF_MOD when imm == 1
  powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
  powerpc/security: Add a helper to query stf_barrier type
  powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
  powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation
  powerpc/bpf ppc32: Fix JMP32_JSET_K
  powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit
    BPF_END
  powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000

 arch/powerpc/include/asm/code-patching.h     |   1 +
 arch/powerpc/include/asm/security_features.h |   5 +
 arch/powerpc/kernel/security.c               |   5 +
 arch/powerpc/lib/code-patching.c             |   7 +-
 arch/powerpc/net/bpf_jit.h                   |  33 +++---
 arch/powerpc/net/bpf_jit64.h                 |   8 +-
 arch/powerpc/net/bpf_jit_comp.c              |   6 +-
 arch/powerpc/net/bpf_jit_comp32.c            |  16 +--
 arch/powerpc/net/bpf_jit_comp64.c            | 100 +++++++++++++++----
 9 files changed, 139 insertions(+), 42 deletions(-)


base-commit: cdcb1396e357bd198f81dc7fa4f5d819063abe44
-- 
2.33.0



* [PATCH v2 01/10] powerpc/lib: Add helper to check if offset is within conditional branch range
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Add a helper to check if a given offset is within the branch range for a
powerpc conditional branch instruction, and update some sites to use the
new helper.

Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
Changelog:
- Change 0x7FFF to 0x7fff, per Christophe


 arch/powerpc/include/asm/code-patching.h | 1 +
 arch/powerpc/lib/code-patching.c         | 7 ++++++-
 arch/powerpc/net/bpf_jit.h               | 7 +------
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/arch/powerpc/include/asm/code-patching.h b/arch/powerpc/include/asm/code-patching.h
index a95f63788c6b14..4ba834599c4d4c 100644
--- a/arch/powerpc/include/asm/code-patching.h
+++ b/arch/powerpc/include/asm/code-patching.h
@@ -23,6 +23,7 @@
 #define BRANCH_ABSOLUTE	0x2
 
 bool is_offset_in_branch_range(long offset);
+bool is_offset_in_cond_branch_range(long offset);
 int create_branch(struct ppc_inst *instr, const u32 *addr,
 		  unsigned long target, int flags);
 int create_cond_branch(struct ppc_inst *instr, const u32 *addr,
diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
index f9a3019e37b43c..c5ed9882383521 100644
--- a/arch/powerpc/lib/code-patching.c
+++ b/arch/powerpc/lib/code-patching.c
@@ -228,6 +228,11 @@ bool is_offset_in_branch_range(long offset)
 	return (offset >= -0x2000000 && offset <= 0x1fffffc && !(offset & 0x3));
 }
 
+bool is_offset_in_cond_branch_range(long offset)
+{
+	return offset >= -0x8000 && offset <= 0x7fff && !(offset & 0x3);
+}
+
 /*
  * Helper to check if a given instruction is a conditional branch
  * Derived from the conditional checks in analyse_instr()
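Review bot: the new helper has no comment, and its constants encode something the reader has to reconstruct: the BD field of a conditional branch is a 16-bit signed displacement whose low two bits are implicit zeros, so the reachable range is -0x8000..0x7ffc in steps of 4. A one-line comment above the function stating that would make the `!(offset & 0x3)` term self-explanatory instead of looking like an extra restriction.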
@@ -280,7 +285,7 @@ int create_cond_branch(struct ppc_inst *instr, const u32 *addr,
 		offset = offset - (unsigned long)addr;
 
 	/* Check we can represent the target in the instruction format */
-	if (offset < -0x8000 || offset > 0x7FFF || offset & 0x3)
+	if (!is_offset_in_cond_branch_range(offset))
 		return 1;
 
 	/* Mask out the flags and target, so they don't step on each other. */
diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
index 99fad093f43ec1..935ea95b66359e 100644
--- a/arch/powerpc/net/bpf_jit.h
+++ b/arch/powerpc/net/bpf_jit.h
@@ -78,11 +78,6 @@
 #define PPC_FUNC_ADDR(d,i) do { PPC_LI32(d, i); } while(0)
 #endif
 
-static inline bool is_nearbranch(int offset)
-{
-	return (offset < 32768) && (offset >= -32768);
-}
-
 /*
  * The fly in the ointment of code size changing from pass to pass is
  * avoided by padding the short branch case with a NOP.	 If code size differs
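Review bot: the removed is_nearbranch() only checked the interval [-32768, 32768), whereas is_offset_in_cond_branch_range() additionally rejects offsets that are not a multiple of 4. Both dest and ctx->idx * 4 are instruction offsets, so the extra test cannot fire for JIT-generated branches, but the commit message should say that the alignment check is new rather than presenting this hunk as a pure refactor.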
@@ -91,7 +86,7 @@ static inline bool is_nearbranch(int offset)
  * state.
  */
 #define PPC_BCC(cond, dest)	do {					      \
-		if (is_nearbranch((dest) - (ctx->idx * 4))) {		      \
+		if (is_offset_in_cond_branch_range((long)(dest) - (ctx->idx * 4))) {	\
 			PPC_BCC_SHORT(cond, dest);			      \
 			EMIT(PPC_RAW_NOP());				      \
 		} else {						      \
-- 
2.33.0



* [PATCH v2 02/10] powerpc/bpf: Validate branch ranges
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Add checks to ensure that we never emit branch instructions with
truncated branch offsets.

Acked-by: Song Liu <songliubraving@fb.com>
Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit.h        | 26 ++++++++++++++++++++------
 arch/powerpc/net/bpf_jit_comp.c   |  6 +++++-
 arch/powerpc/net/bpf_jit_comp32.c |  8 ++++++--
 arch/powerpc/net/bpf_jit_comp64.c |  8 ++++++--
 4 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
index 935ea95b66359e..7e9b978b768ed9 100644
--- a/arch/powerpc/net/bpf_jit.h
+++ b/arch/powerpc/net/bpf_jit.h
@@ -24,16 +24,30 @@
 #define EMIT(instr)		PLANT_INSTR(image, ctx->idx, instr)
 
 /* Long jump; (unconditional 'branch') */
-#define PPC_JMP(dest)		EMIT(PPC_INST_BRANCH |			      \
-				     (((dest) - (ctx->idx * 4)) & 0x03fffffc))
+#define PPC_JMP(dest)							      \
+	do {								      \
+		long offset = (long)(dest) - (ctx->idx * 4);		      \
+		if (!is_offset_in_branch_range(offset)) {		      \
+			pr_err_ratelimited("Branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);			\
+			return -ERANGE;					      \
+		}							      \
+		EMIT(PPC_INST_BRANCH | (offset & 0x03fffffc));		      \
+	} while (0)
+
 /* blr; (unconditional 'branch' with link) to absolute address */
 #define PPC_BL_ABS(dest)	EMIT(PPC_INST_BL |			      \
 				     (((dest) - (unsigned long)(image + ctx->idx)) & 0x03fffffc))
 /* "cond" here covers BO:BI fields. */
-#define PPC_BCC_SHORT(cond, dest)	EMIT(PPC_INST_BRANCH_COND |	      \
-					     (((cond) & 0x3ff) << 16) |	      \
-					     (((dest) - (ctx->idx * 4)) &     \
-					      0xfffc))
+#define PPC_BCC_SHORT(cond, dest)					      \
+	do {								      \
+		long offset = (long)(dest) - (ctx->idx * 4);		      \
+		if (!is_offset_in_cond_branch_range(offset)) {		      \
+			pr_err_ratelimited("Conditional branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);		\
+			return -ERANGE;					      \
+		}							      \
+		EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc));					\
+	} while (0)
+
 /* Sign-extended 32-bit immediate load */
 #define PPC_LI32(d, i)		do {					      \
 		if ((int)(uintptr_t)(i) >= -32768 &&			      \
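Review bot: PPC_JMP and PPC_BCC_SHORT now contain a `return -ERANGE`, so they can only be expanded in a function that returns int and whose callers propagate the error; nothing at the definition says so, and the conversion of bpf_jit_emit_tail_call from void to int later in this patch shows the trap is real. Put a comment above both macros stating that they return from the enclosing function on an out-of-range offset. Separately, ctx->idx is unsigned (the format string uses %u), so on ppc32, where long and unsigned int have the same width, `(long)(dest) - (ctx->idx * 4)` is evaluated in unsigned long before being stored into `long offset`; the result is right in practice, but casting the second operand as well makes the signed subtraction explicit.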
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 53aefee3fe70be..fcbf7a917c566e 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -210,7 +210,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
 		/* Now build the prologue, body code & epilogue for real. */
 		cgctx.idx = 0;
 		bpf_jit_build_prologue(code_base, &cgctx);
-		bpf_jit_build_body(fp, code_base, &cgctx, addrs, extra_pass);
+		if (bpf_jit_build_body(fp, code_base, &cgctx, addrs, extra_pass)) {
+			bpf_jit_binary_free(bpf_hdr);
+			fp = org_fp;
+			goto out_addrs;
+		}
 		bpf_jit_build_epilogue(code_base, &cgctx);
 
 		if (bpf_jit_enable > 1)
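Review bot: the new failure path frees bpf_hdr and reverts to org_fp without a comment on when it can trigger; the sizing pass has already walked the same instructions with the same addrs, so an out-of-range branch here should be unreachable, and a short comment saying this is a defensive check would save readers from hunting for a scenario. Also confirm that bpf_jit_binary_free() is right on every iteration this loop is reached from: the hunk does not show how bpf_hdr is obtained for the extra pass, and freeing a header owned by earlier state would leave a dangling reference.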
diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index beb12cbc8c2994..a74d52204f8da2 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -200,7 +200,7 @@ void bpf_jit_emit_func_call_rel(u32 *image, struct codegen_context *ctx, u64 fun
 	}
 }
 
-static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
 {
 	/*
 	 * By now, the eBPF program has already setup parameters in r3-r6
@@ -261,7 +261,9 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
 	bpf_jit_emit_common_epilogue(image, ctx);
 
 	EMIT(PPC_RAW_BCTR());
+
 	/* out: */
+	return 0;
 }
 
 /* Assemble the body code between the prologue & epilogue */
@@ -1090,7 +1092,9 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 		 */
 		case BPF_JMP | BPF_TAIL_CALL:
 			ctx->seen |= SEEN_TAILCALL;
-			bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
+			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
+			if (ret < 0)
+				return ret;
 			break;
 
 		default:
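Review bot: only bpf_jit_emit_tail_call is converted to return int, but PPC_JMP/PPC_BCC can now `return -ERANGE`, which will not compile cleanly inside a void function. The commit message should state that the prologue, epilogue and bpf_jit_emit_func_call_rel (visible in the context above) were checked and do not expand those macros, so reviewers do not have to re-derive it for both the 32-bit and 64-bit JITs.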
diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index b87a63dba9c8fb..f06c62089b1457 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -206,7 +206,7 @@ void bpf_jit_emit_func_call_rel(u32 *image, struct codegen_context *ctx, u64 fun
 	EMIT(PPC_RAW_BCTRL());
 }
 
-static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
 {
 	/*
 	 * By now, the eBPF program has already setup parameters in r3, r4 and r5
@@ -267,7 +267,9 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
 	bpf_jit_emit_common_epilogue(image, ctx);
 
 	EMIT(PPC_RAW_BCTR());
+
 	/* out: */
+	return 0;
 }
 
 /* Assemble the body code between the prologue & epilogue */
@@ -993,7 +995,9 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 		 */
 		case BPF_JMP | BPF_TAIL_CALL:
 			ctx->seen |= SEEN_TAILCALL;
-			bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
+			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
+			if (ret < 0)
+				return ret;
 			break;
 
 		default:
-- 
2.33.0



* [PATCH v2 03/10] powerpc/bpf: Fix BPF_MOD when imm == 1
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Only ignore the operation if dividing by 1.

Acked-by: Song Liu <songliubraving@fb.com>
Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit_comp64.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index f06c62089b1457..d67f6d62e2e1ff 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -391,8 +391,14 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 		case BPF_ALU64 | BPF_DIV | BPF_K: /* dst /= imm */
 			if (imm == 0)
 				return -EINVAL;
-			else if (imm == 1)
-				goto bpf_alu32_trunc;
+			if (imm == 1) {
+				if (BPF_OP(code) == BPF_DIV) {
+					goto bpf_alu32_trunc;
+				} else {
+					EMIT(PPC_RAW_LI(dst_reg, 0));
+					break;
+				}
+			}
 
 			PPC_LI32(b2p[TMP_REG_1], imm);
 			switch (BPF_CLASS(code)) {
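Review bot: for BPF_ALU | BPF_MOD with imm == 1 the `break` bypasses the bpf_alu32_trunc label that the BPF_DIV branch jumps to; that is correct because `li dst_reg, 0` already leaves the upper 32 bits clear, but the asymmetry looks like an oversight without a comment, so add one on the `break` line. The `else` after the `goto` is also redundant and can be flattened per the kernel's usual style.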
-- 
2.33.0



* [PATCH v2 04/10] powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

We aren't handling subtraction involving an immediate value of
0x80000000 properly. Fix the same.

Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
Changelog:
- Split up BPF_ADD and BPF_SUB cases per Christophe's comments

 arch/powerpc/net/bpf_jit_comp64.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index d67f6d62e2e1ff..6626e6c17d4ed2 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -330,18 +330,25 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 			EMIT(PPC_RAW_SUB(dst_reg, dst_reg, src_reg));
 			goto bpf_alu32_trunc;
 		case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */
-		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
 		case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */
+			if (!imm) {
+				goto bpf_alu32_trunc;
+			} else if (imm >= -32768 && imm < 32768) {
+				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
+			} else {
+				PPC_LI32(b2p[TMP_REG_1], imm);
+				EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
+			}
+			goto bpf_alu32_trunc;
+		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
 		case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
-			if (BPF_OP(code) == BPF_SUB)
-				imm = -imm;
-			if (imm) {
-				if (imm >= -32768 && imm < 32768)
-					EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
-				else {
-					PPC_LI32(b2p[TMP_REG_1], imm);
-					EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
-				}
+			if (!imm) {
+				goto bpf_alu32_trunc;
+			} else if (imm > -32768 && imm < 32768) {
+				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(-imm)));
+			} else {
+				PPC_LI32(b2p[TMP_REG_1], imm);
+				EMIT(PPC_RAW_SUB(dst_reg, dst_reg, b2p[TMP_REG_1]));
 			}
 			goto bpf_alu32_trunc;
 		case BPF_ALU | BPF_MUL | BPF_X: /* (u32) dst *= (u32) src */
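Review bot: the two cases now use different bounds on purpose, `imm >= -32768` for BPF_ADD but `imm > -32768` for BPF_SUB, because addi with IMM_L(-imm) cannot encode -(-32768) = 32768; and imm == 0x80000000 is routed through PPC_LI32 + PPC_RAW_SUB rather than negated, since -imm would overflow a 32-bit int. Neither reason is written down, and both are easy to "fix" back into symmetry, so add a comment on each condition.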
-- 
2.33.0



* [PATCH v2 05/10] powerpc/security: Add a helper to query stf_barrier type
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Add a helper to return the stf_barrier type for the current processor.

Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/include/asm/security_features.h | 5 +++++
 arch/powerpc/kernel/security.c               | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h
index 792eefaf230b80..27574f218b371f 100644
--- a/arch/powerpc/include/asm/security_features.h
+++ b/arch/powerpc/include/asm/security_features.h
@@ -39,6 +39,11 @@ static inline bool security_ftr_enabled(u64 feature)
 	return !!(powerpc_security_features & feature);
 }
 
+#ifdef CONFIG_PPC_BOOK3S_64
+enum stf_barrier_type stf_barrier_type_get(void);
+#else
+static inline enum stf_barrier_type stf_barrier_type_get(void) { return STF_BARRIER_NONE; }
+#endif
 
 // Features indicating support for Spectre/Meltdown mitigations
 
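Review bot: the !CONFIG_PPC_BOOK3S_64 stub is a static inline returning STF_BARRIER_NONE, so enum stf_barrier_type and that enumerator must be fully declared earlier in this header; the hunk does not show them, so double-check that ppc32 and non-Book3S 64-bit configs still build. A short comment above the prototype saying what the value is for (it selects the instruction sequence a barrier site has to emit) would also help, since the header otherwise only documents feature bits.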
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 1a998490fe60f0..15fb5ea1b9eafa 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -263,6 +263,11 @@ static int __init handle_no_stf_barrier(char *p)
 
 early_param("no_stf_barrier", handle_no_stf_barrier);
 
+enum stf_barrier_type stf_barrier_type_get(void)
+{
+	return stf_enabled_flush_types;
+}
+
 /* This is the generic flag used by other architectures */
 static int __init handle_ssbd(char *p)
 {
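Review bot: stf_barrier_type_get() returns the global stf_enabled_flush_types, so a caller gets whatever the value is at call time, a snapshot rather than a live view. Since the BPF JIT consumer in patch 6 deliberately captures the value once per compile, document that snapshot semantics in a comment here so nobody later assumes a runtime toggle propagates to already-JITed programs.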
-- 
2.33.0



* [PATCH v2 06/10] powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Emit similar instruction sequences to commit a048a07d7f4535
("powerpc/64s: Add support for a store forwarding barrier at kernel
entry/exit") when encountering BPF_NOSPEC.

Mitigations are enabled depending on what the firmware advertises. In
particular, we do not gate these mitigations based on current settings,
just like in x86. Due to this, we don't need to take any action if
mitigations are enabled or disabled at runtime.

Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit64.h      |  8 ++---
 arch/powerpc/net/bpf_jit_comp64.c | 55 ++++++++++++++++++++++++++++---
 2 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/net/bpf_jit64.h b/arch/powerpc/net/bpf_jit64.h
index 7b713edfa7e261..b63b35e45e558c 100644
--- a/arch/powerpc/net/bpf_jit64.h
+++ b/arch/powerpc/net/bpf_jit64.h
@@ -16,18 +16,18 @@
  * with our redzone usage.
  *
  *		[	prev sp		] <-------------
- *		[   nv gpr save area	] 6*8		|
+ *		[   nv gpr save area	] 5*8		|
  *		[    tail_call_cnt	] 8		|
- *		[    local_tmp_var	] 8		|
+ *		[    local_tmp_var	] 16		|
  * fp (r31) -->	[   ebpf stack space	] upto 512	|
  *		[     frame header	] 32/112	|
  * sp (r1) --->	[    stack pointer	] --------------
  */
 
 /* for gpr non volatile registers BPG_REG_6 to 10 */
-#define BPF_PPC_STACK_SAVE	(6*8)
+#define BPF_PPC_STACK_SAVE	(5*8)
 /* for bpf JIT code internal usage */
-#define BPF_PPC_STACK_LOCALS	16
+#define BPF_PPC_STACK_LOCALS	24
 /* stack frame excluding BPF stack, ensure this is quadword aligned */
 #define BPF_PPC_STACKFRAME	(STACK_FRAME_MIN_SIZE + \
 				 BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE)
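Review bot: two changes are folded into this hunk: local_tmp_var grows from 8 to 16 bytes to give the fallback barrier two 8-byte spill slots, and the nv gpr save area shrinks from 6*8 to 5*8, which matches the five registers named in the comment (BPF_REG_6 to 10) and keeps the total at 64 bytes so the frame size is unchanged. The commit message should say that the save-area correction is deliberate and independent of BPF_NOSPEC, and while touching this comment the "BPG_REG_6" typo on the untouched line could be fixed.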
diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index 6626e6c17d4ed2..51c7f6cd9a0a10 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -15,6 +15,7 @@
 #include <linux/if_vlan.h>
 #include <asm/kprobes.h>
 #include <linux/bpf.h>
+#include <asm/security_features.h>
 
 #include "bpf_jit64.h"
 
@@ -35,9 +36,9 @@ static inline bool bpf_has_stack_frame(struct codegen_context *ctx)
  *		[	prev sp		] <-------------
  *		[	  ...       	] 		|
  * sp (r1) --->	[    stack pointer	] --------------
- *		[   nv gpr save area	] 6*8
+ *		[   nv gpr save area	] 5*8
  *		[    tail_call_cnt	] 8
- *		[    local_tmp_var	] 8
+ *		[    local_tmp_var	] 16
  *		[   unused red zone	] 208 bytes protected
  */
 static int bpf_jit_stack_local(struct codegen_context *ctx)
@@ -45,12 +46,12 @@ static int bpf_jit_stack_local(struct codegen_context *ctx)
 	if (bpf_has_stack_frame(ctx))
 		return STACK_FRAME_MIN_SIZE + ctx->stack_size;
 	else
-		return -(BPF_PPC_STACK_SAVE + 16);
+		return -(BPF_PPC_STACK_SAVE + 24);
 }
 
 static int bpf_jit_stack_tailcallcnt(struct codegen_context *ctx)
 {
-	return bpf_jit_stack_local(ctx) + 8;
+	return bpf_jit_stack_local(ctx) + 16;
 }
 
 static int bpf_jit_stack_offsetof(struct codegen_context *ctx, int reg)
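Review bot: `-(BPF_PPC_STACK_SAVE + 24)` and `+ 16` hardcode values that bpf_jit64.h now defines as BPF_PPC_STACK_LOCALS and the local_tmp_var size; writing them as `-(BPF_PPC_STACK_SAVE + BPF_PPC_STACK_LOCALS)` and `BPF_PPC_STACK_LOCALS - 8` keeps the two files from drifting apart, which matters because the asm barrier added further down in this patch hardcodes the same offsets a third time.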
@@ -272,10 +273,33 @@ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 o
 	return 0;
 }
 
+/*
+ * We spill into the redzone always, even if the bpf program has its own stackframe.
+ * Offsets hardcoded based on BPF_PPC_STACK_SAVE -- see bpf_jit_stack_local()
+ */
+void bpf_stf_barrier(void);
+
+asm (
+"		.global bpf_stf_barrier		;"
+"	bpf_stf_barrier:			;"
+"		std	21,-64(1)		;"
+"		std	22,-56(1)		;"
+"		sync				;"
+"		ld	21,-64(1)		;"
+"		ld	22,-56(1)		;"
+"		ori	31,31,0			;"
+"		.rept 14			;"
+"		b	1f			;"
+"	1:					;"
+"		.endr				;"
+"		blr				;"
+);
+
 /* Assemble the body code between the prologue & epilogue */
 int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *ctx,
 		       u32 *addrs, bool extra_pass)
 {
+	enum stf_barrier_type stf_barrier = stf_barrier_type_get();
 	const struct bpf_insn *insn = fp->insnsi;
 	int flen = fp->len;
 	int i, ret;
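Review bot: the spill offsets -64(1) and -56(1) in bpf_stf_barrier are hand-derived from BPF_PPC_STACK_SAVE + 24 and will go stale silently if bpf_jit_stack_local() or the defines change; at minimum add a BUILD_BUG_ON tying them together, or generate the operands from the macros with __stringify. The asm also lacks `.type bpf_stf_barrier, @function` and `.size` directives, so the symbol carries no function type in the ELF and tooling that classifies symbols may treat it as data. Finally, the comment says the spill always goes into the redzone even when the program has its own frame; that is safe because the function is a leaf reached via bctrl and never moves r1, and spelling that out makes the reasoning checkable.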
@@ -646,6 +670,29 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 		 * BPF_ST NOSPEC (speculation barrier)
 		 */
 		case BPF_ST | BPF_NOSPEC:
+			if (!security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) ||
+					!security_ftr_enabled(SEC_FTR_STF_BARRIER))
+				break;
+
+			switch (stf_barrier) {
+			case STF_BARRIER_EIEIO:
+				EMIT(PPC_RAW_EIEIO() | 0x02000000);
+				break;
+			case STF_BARRIER_SYNC_ORI:
+				EMIT(PPC_RAW_SYNC());
+				EMIT(PPC_RAW_LD(b2p[TMP_REG_1], _R13, 0));
+				EMIT(PPC_RAW_ORI(_R31, _R31, 0));
+				break;
+			case STF_BARRIER_FALLBACK:
+				EMIT(PPC_RAW_MFLR(b2p[TMP_REG_1]));
+				PPC_LI64(12, dereference_kernel_function_descriptor(bpf_stf_barrier));
+				EMIT(PPC_RAW_MTCTR(12));
+				EMIT(PPC_RAW_BCTRL());
+				EMIT(PPC_RAW_MTLR(b2p[TMP_REG_1]));
+				break;
+			case STF_BARRIER_NONE:
+				break;
+			}
 			break;
 
 		/*
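Review bot: the STF_BARRIER_FALLBACK sequence uses a bare `12` for the scratch register while the adjacent lines use _R13 and _R31; use _R12 for consistency. The sequence also clobbers CTR in addition to LR (which is saved and restored through TMP_REG_1), so a comment noting that no live JIT state is held in CTR or r12 at a BPF_NOSPEC site would help. The `| 0x02000000` on the EIEIO encoding is a magic number carried over from the kernel entry barrier and deserves a name. The two security_ftr_enabled() checks are re-evaluated for every BPF_NOSPEC instruction and could be folded into the stf_barrier snapshot taken at the top of bpf_jit_build_body.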
-- 
2.33.0



* [PATCH v2 07/10] powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Correct the destination register used for ALU32 BPF_ARSH operation.

Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit_comp32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index a74d52204f8da2..519ecb9ab67266 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -625,7 +625,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 			EMIT(PPC_RAW_LI(dst_reg_h, 0));
 			break;
 		case BPF_ALU | BPF_ARSH | BPF_X: /* (s32) dst >>= src */
-			EMIT(PPC_RAW_SRAW(dst_reg_h, dst_reg, src_reg));
+			EMIT(PPC_RAW_SRAW(dst_reg, dst_reg, src_reg));
 			break;
 		case BPF_ALU64 | BPF_ARSH | BPF_X: /* (s64) dst >>= src */
 			bpf_set_seen_register(ctx, tmp_reg);
-- 
2.33.0



* [PATCH v2 08/10] powerpc/bpf ppc32: Fix JMP32_JSET_K
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

'andi' only takes an unsigned 16-bit value. Correct the imm range used
when emitting andi.

Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit_comp32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index 519ecb9ab67266..7c65de9ed4fa64 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -1075,7 +1075,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 				break;
 			case BPF_JMP32 | BPF_JSET | BPF_K:
 				/* andi does not sign-extend the immediate */
-				if (imm >= -32768 && imm < 32768) {
+				if (imm >= 0 && imm < 32768) {
 					/* PPC_ANDI is _only/always_ dot-form */
 					EMIT(PPC_RAW_ANDI(_R0, dst_reg, imm));
 				} else {
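Review bot: andi's UI field is an unsigned 16-bit immediate, so the fast path can accept `imm >= 0 && imm < 65536` rather than stopping at 32768; the new bound is correct (it excludes the negative values that sign-extend and previously broke the test), but values 32768..65535 now needlessly take the slower path in the else branch. Either widen the bound or add a comment saying the narrower range is intentional.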
-- 
2.33.0



* [PATCH v2 09/10] powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Suppress emitting zero extend instruction for 64-bit BPF_END_FROM_[L|B]E
operation.

Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit_comp32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index 7c65de9ed4fa64..68dc8a8231de04 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -1107,7 +1107,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 			return -EOPNOTSUPP;
 		}
 		if (BPF_CLASS(code) == BPF_ALU && !fp->aux->verifier_zext &&
-		    !insn_is_zext(&insn[i + 1]))
+		    !insn_is_zext(&insn[i + 1]) && !(BPF_OP(code) == BPF_END && imm == 64))
 			EMIT(PPC_RAW_LI(dst_reg_h, 0));
 	}
 
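Review bot: the new `!(BPF_OP(code) == BPF_END && imm == 64)` term depends on imm carrying the byte-swap width for BPF_END, and the 16- and 32-bit variants still need the zero extension of dst_reg_h that this line emits; a comment on the condition saying why only the 64-bit swap keeps its upper half would stop someone from widening the exclusion to every BPF_END.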
-- 
2.33.0



* [PATCH v2 10/10] powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000
From: Naveen N. Rao @ 2021-10-05 20:25 UTC (permalink / raw)
  To: Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Christophe Leroy,
	Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev

Special case handling of the smallest 32-bit negative number for BPF_SUB.

Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
---
 arch/powerpc/net/bpf_jit_comp32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index 68dc8a8231de04..0da31d41d41310 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -357,7 +357,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 				PPC_LI32(_R0, imm);
 				EMIT(PPC_RAW_ADDC(dst_reg, dst_reg, _R0));
 			}
-			if (imm >= 0)
+			if (imm >= 0 || (BPF_OP(code) == BPF_SUB && imm == 0x80000000))
 				EMIT(PPC_RAW_ADDZE(dst_reg_h, dst_reg_h));
 			else
 				EMIT(PPC_RAW_ADDME(dst_reg_h, dst_reg_h));
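
Review bot: the special case `BPF_OP(code) == BPF_SUB && imm == 0x80000000` only makes sense if the BPF_SUB case has already negated imm before reaching this code, and that negation is not in the hunk; negating the smallest 32-bit negative number wraps back to 0x80000000, so the `imm >= 0` test selects addme (high half gets carry minus one) although the intended addend is +2^31 and the high half should receive only the carry, i.e. addze. A short comment on the condition saying exactly that would make the hunk self-explanatory. Also, imm is a signed value being compared with the unsigned constant 0x80000000, which works through the usual arithmetic conversions but hides the intent; `imm == INT_MIN` or `(u32)imm == 0x80000000` would say it directly.
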
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 01/10] powerpc/lib: Add helper to check if offset is within conditional branch range
  2021-10-05 20:25 ` [PATCH v2 01/10] powerpc/lib: Add helper to check if offset is within conditional branch range Naveen N. Rao
@ 2021-10-06  4:50   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  4:50 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Add a helper to check if a given offset is within the branch range for a
> powerpc conditional branch instruction, and update some sites to use the
> new helper.
> 
> Acked-by: Song Liu <songliubraving@fb.com>
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
> Changelog:
> - Change 0x7FFF to 0x7fff, per Christophe
> 
> 
>   arch/powerpc/include/asm/code-patching.h | 1 +
>   arch/powerpc/lib/code-patching.c         | 7 ++++++-
>   arch/powerpc/net/bpf_jit.h               | 7 +------
>   3 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/arch/powerpc/include/asm/code-patching.h b/arch/powerpc/include/asm/code-patching.h
> index a95f63788c6b14..4ba834599c4d4c 100644
> --- a/arch/powerpc/include/asm/code-patching.h
> +++ b/arch/powerpc/include/asm/code-patching.h
> @@ -23,6 +23,7 @@
>   #define BRANCH_ABSOLUTE	0x2
>   
>   bool is_offset_in_branch_range(long offset);
> +bool is_offset_in_cond_branch_range(long offset);
>   int create_branch(struct ppc_inst *instr, const u32 *addr,
>   		  unsigned long target, int flags);
>   int create_cond_branch(struct ppc_inst *instr, const u32 *addr,
> diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
> index f9a3019e37b43c..c5ed9882383521 100644
> --- a/arch/powerpc/lib/code-patching.c
> +++ b/arch/powerpc/lib/code-patching.c
> @@ -228,6 +228,11 @@ bool is_offset_in_branch_range(long offset)
>   	return (offset >= -0x2000000 && offset <= 0x1fffffc && !(offset & 0x3));
>   }
>   
> +bool is_offset_in_cond_branch_range(long offset)
> +{
> +	return offset >= -0x8000 && offset <= 0x7fff && !(offset & 0x3);
> +}
> +
>   /*
>    * Helper to check if a given instruction is a conditional branch
>    * Derived from the conditional checks in analyse_instr()
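
Review bot: the new helper is inconsistent with `is_offset_in_branch_range()` directly above it: that one expresses its upper bound as the last encodable aligned offset (`0x1fffffc`), whereas this one uses `0x7fff`, an odd value that the trailing `!(offset & 0x3)` can never accept. Using `0x7ffc` would make the two helpers read the same way and make the range obvious to anyone checking it against the ISA (the bc BD field is 14 bits plus two implied zero bits). A one-line comment naming that field above the function would also help, since the block comment for is_conditional_branch sits immediately below and could be mistaken for this function's.
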
> @@ -280,7 +285,7 @@ int create_cond_branch(struct ppc_inst *instr, const u32 *addr,
>   		offset = offset - (unsigned long)addr;
>   
>   	/* Check we can represent the target in the instruction format */
> -	if (offset < -0x8000 || offset > 0x7FFF || offset & 0x3)
> +	if (!is_offset_in_cond_branch_range(offset))
>   		return 1;
>   
>   	/* Mask out the flags and target, so they don't step on each other. */
> diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
> index 99fad093f43ec1..935ea95b66359e 100644
> --- a/arch/powerpc/net/bpf_jit.h
> +++ b/arch/powerpc/net/bpf_jit.h
> @@ -78,11 +78,6 @@
>   #define PPC_FUNC_ADDR(d,i) do { PPC_LI32(d, i); } while(0)
>   #endif
>   
> -static inline bool is_nearbranch(int offset)
> -{
> -	return (offset < 32768) && (offset >= -32768);
> -}
> -
>   /*
>    * The fly in the ointment of code size changing from pass to pass is
>    * avoided by padding the short branch case with a NOP.	 If code size differs
> @@ -91,7 +86,7 @@ static inline bool is_nearbranch(int offset)
>    * state.
>    */
>   #define PPC_BCC(cond, dest)	do {					      \
> -		if (is_nearbranch((dest) - (ctx->idx * 4))) {		      \
> +		if (is_offset_in_cond_branch_range((long)(dest) - (ctx->idx * 4))) {	\
>   			PPC_BCC_SHORT(cond, dest);			      \
>   			EMIT(PPC_RAW_NOP());				      \
>   		} else {						      \
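
Review bot: this is a small semantic change, not just a rename: `is_nearbranch()` accepted any offset in [-32768, 32768), while `is_offset_in_cond_branch_range()` also rejects offsets that are not a multiple of 4, so a misaligned short branch that previously would have been encoded with its low bits masked off now takes the long-branch path. That is the safer behaviour, but the commit message only says "update some sites to use the new helper" and should mention the added alignment check. The new `(long)` cast on `dest` is needed because callers pass u32 values (the `u32 out` parameter of bpf_jit_emit_tail_call, for instance), so without it the subtraction would wrap to a large positive value instead of going negative; a brief comment there would stop someone from removing it as redundant.
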
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 02/10] powerpc/bpf: Validate branch ranges
  2021-10-05 20:25 ` [PATCH v2 02/10] powerpc/bpf: Validate branch ranges Naveen N. Rao
@ 2021-10-06  4:51   ` LEROY Christophe
  2021-10-06  4:51   ` Christophe Leroy
  1 sibling, 0 replies; 22+ messages in thread
From: LEROY Christophe @ 2021-10-06  4:51 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Add checks to ensure that we never emit branch instructions with
> truncated branch offsets.
> 
> Acked-by: Song Liu <songliubraving@fb.com>
> Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
> Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
> Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit.h        | 26 ++++++++++++++++++++------
>   arch/powerpc/net/bpf_jit_comp.c   |  6 +++++-
>   arch/powerpc/net/bpf_jit_comp32.c |  8 ++++++--
>   arch/powerpc/net/bpf_jit_comp64.c |  8 ++++++--
>   4 files changed, 37 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
> index 935ea95b66359e..7e9b978b768ed9 100644
> --- a/arch/powerpc/net/bpf_jit.h
> +++ b/arch/powerpc/net/bpf_jit.h
> @@ -24,16 +24,30 @@
>   #define EMIT(instr)		PLANT_INSTR(image, ctx->idx, instr)
>   
>   /* Long jump; (unconditional 'branch') */
> -#define PPC_JMP(dest)		EMIT(PPC_INST_BRANCH |			      \
> -				     (((dest) - (ctx->idx * 4)) & 0x03fffffc))
> +#define PPC_JMP(dest)							      \
> +	do {								      \
> +		long offset = (long)(dest) - (ctx->idx * 4);		      \
> +		if (!is_offset_in_branch_range(offset)) {		      \
> +			pr_err_ratelimited("Branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);			\
> +			return -ERANGE;					      \
> +		}							      \
> +		EMIT(PPC_INST_BRANCH | (offset & 0x03fffffc));		      \
> +	} while (0)
> +
>   /* blr; (unconditional 'branch' with link) to absolute address */
>   #define PPC_BL_ABS(dest)	EMIT(PPC_INST_BL |			      \
>   				     (((dest) - (unsigned long)(image + ctx->idx)) & 0x03fffffc))
>   /* "cond" here covers BO:BI fields. */
> -#define PPC_BCC_SHORT(cond, dest)	EMIT(PPC_INST_BRANCH_COND |	      \
> -					     (((cond) & 0x3ff) << 16) |	      \
> -					     (((dest) - (ctx->idx * 4)) &     \
> -					      0xfffc))
> +#define PPC_BCC_SHORT(cond, dest)					      \
> +	do {								      \
> +		long offset = (long)(dest) - (ctx->idx * 4);		      \
> +		if (!is_offset_in_cond_branch_range(offset)) {		      \
> +			pr_err_ratelimited("Conditional branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);		\
> +			return -ERANGE;					      \
> +		}							      \
> +		EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc));					\
> +	} while (0)
> +
>   /* Sign-extended 32-bit immediate load */
>   #define PPC_LI32(d, i)		do {					      \
>   		if ((int)(uintptr_t)(i) >= -32768 &&			      \
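
Review bot: both macros now contain a bare `return -ERANGE;`, which makes them usable only from functions that return int and silently couples every call site to that convention; that is presumably why bpf_jit_emit_tail_call goes from void to int later in this patch. A comment above each macro stating that it may return from the enclosing function would avoid surprises when the next emitter helper is added. There is also a hygiene hazard in the new local: `long offset = (long)(dest) - ...` means a caller that passes an expression mentioning its own variable named `offset` would have it captured by the macro's uninitialised local; renaming the local to something unlikely to collide sidesteps that. Minor: the two `pr_err_ratelimited(...)` lines are well past 80 columns and could be wrapped.
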
> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 53aefee3fe70be..fcbf7a917c566e 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c
> @@ -210,7 +210,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
>   		/* Now build the prologue, body code & epilogue for real. */
>   		cgctx.idx = 0;
>   		bpf_jit_build_prologue(code_base, &cgctx);
> -		bpf_jit_build_body(fp, code_base, &cgctx, addrs, extra_pass);
> +		if (bpf_jit_build_body(fp, code_base, &cgctx, addrs, extra_pass)) {
> +			bpf_jit_binary_free(bpf_hdr);
> +			fp = org_fp;
> +			goto out_addrs;
> +		}
>   		bpf_jit_build_epilogue(code_base, &cgctx);
>   
>   		if (bpf_jit_enable > 1)
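
Review bot: on a body-build failure the code frees the image and hands back the original program (`fp = org_fp; goto out_addrs;`), so an out-of-range branch degrades to the interpreter instead of rejecting the program; that is a reasonable fallback, but the commit message should say so, and the `pr_err_ratelimited()` inside the macros is then the only diagnostic an operator will see. Please also confirm that the `out_addrs` path does not expect `bpf_hdr` to still be valid after `bpf_jit_binary_free()`, and that nothing set up earlier in this function for the JIT'd program is left pointing at the freed image.
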
> diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
> index beb12cbc8c2994..a74d52204f8da2 100644
> --- a/arch/powerpc/net/bpf_jit_comp32.c
> +++ b/arch/powerpc/net/bpf_jit_comp32.c
> @@ -200,7 +200,7 @@ void bpf_jit_emit_func_call_rel(u32 *image, struct codegen_context *ctx, u64 fun
>   	}
>   }
>   
> -static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
> +static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
>   {
>   	/*
>   	 * By now, the eBPF program has already setup parameters in r3-r6
> @@ -261,7 +261,9 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
>   	bpf_jit_emit_common_epilogue(image, ctx);
>   
>   	EMIT(PPC_RAW_BCTR());
> +
>   	/* out: */
> +	return 0;
>   }
>   
>   /* Assemble the body code between the prologue & epilogue */
> @@ -1090,7 +1092,9 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   		 */
>   		case BPF_JMP | BPF_TAIL_CALL:
>   			ctx->seen |= SEEN_TAILCALL;
> -			bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
> +			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
> +			if (ret < 0)
> +				return ret;
>   			break;
>   
>   		default:
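
Review bot: `ret` is used here without a declaration visible in the hunk; if bpf_jit_build_body() does not already declare an `int ret`, this will not compile, so please confirm. Also, since bpf_jit_emit_tail_call() itself only ever returns 0 (the -ERANGE returns come from inside PPC_BCC/PPC_JMP), `if (ret < 0)` is correct, but `if (ret)` would match the style used for the bpf_jit_build_body() call in bpf_int_jit_compile() in this same patch.
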
> diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
> index b87a63dba9c8fb..f06c62089b1457 100644
> --- a/arch/powerpc/net/bpf_jit_comp64.c
> +++ b/arch/powerpc/net/bpf_jit_comp64.c
> @@ -206,7 +206,7 @@ void bpf_jit_emit_func_call_rel(u32 *image, struct codegen_context *ctx, u64 fun
>   	EMIT(PPC_RAW_BCTRL());
>   }
>   
> -static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
> +static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
>   {
>   	/*
>   	 * By now, the eBPF program has already setup parameters in r3, r4 and r5
> @@ -267,7 +267,9 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
>   	bpf_jit_emit_common_epilogue(image, ctx);
>   
>   	EMIT(PPC_RAW_BCTR());
> +
>   	/* out: */
> +	return 0;
>   }
>   
>   /* Assemble the body code between the prologue & epilogue */
> @@ -993,7 +995,9 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   		 */
>   		case BPF_JMP | BPF_TAIL_CALL:
>   			ctx->seen |= SEEN_TAILCALL;
> -			bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
> +			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
> +			if (ret < 0)
> +				return ret;
>   			break;
>   
>   		default:
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 03/10] powerpc/bpf: Fix BPF_MOD when imm == 1
  2021-10-05 20:25 ` [PATCH v2 03/10] powerpc/bpf: Fix BPF_MOD when imm == 1 Naveen N. Rao
@ 2021-10-06  4:52   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  4:52 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Only ignore the operation if dividing by 1.
> 
> Acked-by: Song Liu <songliubraving@fb.com>
> Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
> Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
> Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit_comp64.c | 10 ++++++++--
>   1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
> index f06c62089b1457..d67f6d62e2e1ff 100644
> --- a/arch/powerpc/net/bpf_jit_comp64.c
> +++ b/arch/powerpc/net/bpf_jit_comp64.c
> @@ -391,8 +391,14 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   		case BPF_ALU64 | BPF_DIV | BPF_K: /* dst /= imm */
>   			if (imm == 0)
>   				return -EINVAL;
> -			else if (imm == 1)
> -				goto bpf_alu32_trunc;
> +			if (imm == 1) {
> +				if (BPF_OP(code) == BPF_DIV) {
> +					goto bpf_alu32_trunc;
> +				} else {
> +					EMIT(PPC_RAW_LI(dst_reg, 0));
> +					break;
> +				}
> +			}
>   
>   			PPC_LI32(b2p[TMP_REG_1], imm);
>   			switch (BPF_CLASS(code)) {
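
Review bot: the `break` in the BPF_MOD branch bypasses the bpf_alu32_trunc label that the BPF_DIV branch jumps to; that is safe only because `PPC_RAW_LI(dst_reg, 0)` writes the whole 64-bit register, so a 32-bit BPF_MOD still ends up zero-extended, and a comment saying so would keep someone from "fixing" it later. Minor style: the patch correctly drops the `else` after `return -EINVAL;`, so the `} else {` that follows the `goto bpf_alu32_trunc;` could be dropped for the same reason.
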
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 04/10] powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
  2021-10-05 20:25 ` [PATCH v2 04/10] powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 Naveen N. Rao
@ 2021-10-06  4:55   ` Christophe Leroy
  2021-10-07  8:47     ` Naveen N. Rao
  0 siblings, 1 reply; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  4:55 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> We aren't handling subtraction involving an immediate value of
> 0x80000000 properly. Fix the same.
> 
> Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
> ---
> Changelog:
> - Split up BPF_ADD and BPF_SUB cases per Christophe's comments
> 
>   arch/powerpc/net/bpf_jit_comp64.c | 27 +++++++++++++++++----------
>   1 file changed, 17 insertions(+), 10 deletions(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
> index d67f6d62e2e1ff..6626e6c17d4ed2 100644
> --- a/arch/powerpc/net/bpf_jit_comp64.c
> +++ b/arch/powerpc/net/bpf_jit_comp64.c
> @@ -330,18 +330,25 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   			EMIT(PPC_RAW_SUB(dst_reg, dst_reg, src_reg));
>   			goto bpf_alu32_trunc;
>   		case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */
> -		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
>   		case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */
> +			if (!imm) {
> +				goto bpf_alu32_trunc;
> +			} else if (imm >= -32768 && imm < 32768) {
> +				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
> +			} else {
> +				PPC_LI32(b2p[TMP_REG_1], imm);
> +				EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
> +			}
> +			goto bpf_alu32_trunc;
> +		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
>   		case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
> -			if (BPF_OP(code) == BPF_SUB)
> -				imm = -imm;
> -			if (imm) {
> -				if (imm >= -32768 && imm < 32768)
> -					EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
> -				else {
> -					PPC_LI32(b2p[TMP_REG_1], imm);
> -					EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
> -				}
> +			if (!imm) {
> +				goto bpf_alu32_trunc;
> +			} else if (imm > -32768 && imm < 32768) {

Why do you exclude imm == 32768 ?


Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>



> +				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(-imm)));
> +			} else {
> +				PPC_LI32(b2p[TMP_REG_1], imm);
> +				EMIT(PPC_RAW_SUB(dst_reg, dst_reg, b2p[TMP_REG_1]));
>   			}
>   			goto bpf_alu32_trunc;
>   		case BPF_ALU | BPF_MUL | BPF_X: /* (u32) dst *= (u32) src */
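
Review bot: the actual fix here is that BPF_SUB no longer negates imm and instead emits `PPC_RAW_SUB(dst_reg, dst_reg, b2p[TMP_REG_1])` for out-of-range immediates, since `-imm` for imm == 0x80000000 is signed overflow (undefined in C, and in practice wraps to the same value, turning the subtraction into an add of -2^31 rather than +2^31). The `IMM_L(-imm)` in the short path is only reached for small values where the negation is safe. A comment on the `case BPF_ALU64 | BPF_SUB | BPF_K` arm explaining why SUB is handled separately, and a commit message that spells out the overflow instead of "Fix the same", would make the intent clear to the next reader.
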
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 07/10] powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation
  2021-10-05 20:25 ` [PATCH v2 07/10] powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation Naveen N. Rao
@ 2021-10-06  4:56   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  4:56 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Correct the destination register used for ALU32 BPF_ARSH operation.
> 
> Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit_comp32.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
> index a74d52204f8da2..519ecb9ab67266 100644
> --- a/arch/powerpc/net/bpf_jit_comp32.c
> +++ b/arch/powerpc/net/bpf_jit_comp32.c
> @@ -625,7 +625,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   			EMIT(PPC_RAW_LI(dst_reg_h, 0));
>   			break;
>   		case BPF_ALU | BPF_ARSH | BPF_X: /* (s32) dst >>= src */
> -			EMIT(PPC_RAW_SRAW(dst_reg_h, dst_reg, src_reg));
> +			EMIT(PPC_RAW_SRAW(dst_reg, dst_reg, src_reg));
>   			break;
>   		case BPF_ALU64 | BPF_ARSH | BPF_X: /* (s64) dst >>= src */
>   			bpf_set_seen_register(ctx, tmp_reg);
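
Review bot: the fix itself is clearly right (sraw must write the low half, `dst_reg`, not `dst_reg_h`), but note the asymmetry with the case immediately above it: that one ends with an explicit `EMIT(PPC_RAW_LI(dst_reg_h, 0))` before its `break`, whereas the ALU32 ARSH case relies on the generic zero-extension at the end of the loop, which is skipped when `fp->aux->verifier_zext` is set or the next insn is a zext. Please confirm that division of labour is intended, and consider a comment on one of the two so the difference does not look accidental.
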
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 08/10] powerpc/bpf ppc32: Fix JMP32_JSET_K
  2021-10-05 20:25 ` [PATCH v2 08/10] powerpc/bpf ppc32: Fix JMP32_JSET_K Naveen N. Rao
@ 2021-10-06  5:00   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  5:00 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> 'andi' only takes an unsigned 16-bit value. Correct the imm range used
> when emitting andi.
> 
> Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit_comp32.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
> index 519ecb9ab67266..7c65de9ed4fa64 100644
> --- a/arch/powerpc/net/bpf_jit_comp32.c
> +++ b/arch/powerpc/net/bpf_jit_comp32.c
> @@ -1075,7 +1075,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   				break;
>   			case BPF_JMP32 | BPF_JSET | BPF_K:
>   				/* andi does not sign-extend the immediate */
> -				if (imm >= -32768 && imm < 32768) {
> +				if (imm >= 0 && imm < 32768) {
>   					/* PPC_ANDI is _only/always_ dot-form */
>   					EMIT(PPC_RAW_ANDI(_R0, dst_reg, imm));
>   				} else {
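
Review bot: the new range is correct but narrower than the instruction allows: since, as the commit message says, `andi` takes an unsigned 16-bit immediate, any imm in [0, 65535] can be encoded directly, so `imm >= 0 && imm < 65536` (or `!(imm & ~0xffff)`) would keep 32768..65535 on the single-instruction path instead of sending them to the else branch, provided the PPC_RAW_ANDI encoding masks the immediate to 16 bits. Either way, the comment "andi does not sign-extend the immediate" now agrees with the check, which it did not before.
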
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 10/10] powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000
  2021-10-05 20:25 ` [PATCH v2 10/10] powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000 Naveen N. Rao
@ 2021-10-06  5:02   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  5:02 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Special case handling of the smallest 32-bit negative number for BPF_SUB.
> 
> Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit_comp32.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
> index 68dc8a8231de04..0da31d41d41310 100644
> --- a/arch/powerpc/net/bpf_jit_comp32.c
> +++ b/arch/powerpc/net/bpf_jit_comp32.c
> @@ -357,7 +357,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   				PPC_LI32(_R0, imm);
>   				EMIT(PPC_RAW_ADDC(dst_reg, dst_reg, _R0));
>   			}
> -			if (imm >= 0)
> +			if (imm >= 0 || (BPF_OP(code) == BPF_SUB && imm == 0x80000000))
>   				EMIT(PPC_RAW_ADDZE(dst_reg_h, dst_reg_h));
>   			else
>   				EMIT(PPC_RAW_ADDME(dst_reg_h, dst_reg_h));
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 09/10] powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END
  2021-10-05 20:25 ` [PATCH v2 09/10] powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END Naveen N. Rao
@ 2021-10-06  5:03   ` Christophe Leroy
  0 siblings, 0 replies; 22+ messages in thread
From: Christophe Leroy @ 2021-10-06  5:03 UTC (permalink / raw)
  To: Naveen N. Rao, Michael Ellerman, Nicholas Piggin, Jordan Niethe,
	Daniel Borkmann, Alexei Starovoitov, Johan Almbladh, Song Liu
  Cc: bpf, linuxppc-dev



On 05/10/2021 at 22:25, Naveen N. Rao wrote:
> Suppress emitting zero extend instruction for 64-bit BPF_END_FROM_[L|B]E
> operation.
> 
> Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

> ---
>   arch/powerpc/net/bpf_jit_comp32.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
> index 7c65de9ed4fa64..68dc8a8231de04 100644
> --- a/arch/powerpc/net/bpf_jit_comp32.c
> +++ b/arch/powerpc/net/bpf_jit_comp32.c
> @@ -1107,7 +1107,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>   			return -EOPNOTSUPP;
>   		}
>   		if (BPF_CLASS(code) == BPF_ALU && !fp->aux->verifier_zext &&
> -		    !insn_is_zext(&insn[i + 1]))
> +		    !insn_is_zext(&insn[i + 1]) && !(BPF_OP(code) == BPF_END && imm == 64))
>   			EMIT(PPC_RAW_LI(dst_reg_h, 0));
>   	}
>   
> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v2 04/10] powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
  2021-10-06  4:55   ` Christophe Leroy
@ 2021-10-07  8:47     ` Naveen N. Rao
  0 siblings, 0 replies; 22+ messages in thread
From: Naveen N. Rao @ 2021-10-07  8:47 UTC (permalink / raw)
  To: Alexei Starovoitov, Christophe Leroy, Daniel Borkmann,
	Jordan Niethe, Johan Almbladh, Michael Ellerman, Nicholas Piggin,
	Song Liu
  Cc: bpf, linuxppc-dev

Christophe Leroy wrote:
> 
> 
> On 05/10/2021 at 22:25, Naveen N. Rao wrote:
>> We aren't handling subtraction involving an immediate value of
>> 0x80000000 properly. Fix the same.
>> 
>> Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
>> Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
>> ---
>> Changelog:
>> - Split up BPF_ADD and BPF_SUB cases per Christophe's comments
>> 
>>   arch/powerpc/net/bpf_jit_comp64.c | 27 +++++++++++++++++----------
>>   1 file changed, 17 insertions(+), 10 deletions(-)
>> 
>> diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
>> index d67f6d62e2e1ff..6626e6c17d4ed2 100644
>> --- a/arch/powerpc/net/bpf_jit_comp64.c
>> +++ b/arch/powerpc/net/bpf_jit_comp64.c
>> @@ -330,18 +330,25 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
>>   			EMIT(PPC_RAW_SUB(dst_reg, dst_reg, src_reg));
>>   			goto bpf_alu32_trunc;
>>   		case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */
>> -		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
>>   		case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */
>> +			if (!imm) {
>> +				goto bpf_alu32_trunc;
>> +			} else if (imm >= -32768 && imm < 32768) {
>> +				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
>> +			} else {
>> +				PPC_LI32(b2p[TMP_REG_1], imm);
>> +				EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
>> +			}
>> +			goto bpf_alu32_trunc;
>> +		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
>>   		case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
>> -			if (BPF_OP(code) == BPF_SUB)
>> -				imm = -imm;
>> -			if (imm) {
>> -				if (imm >= -32768 && imm < 32768)
>> -					EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
>> -				else {
>> -					PPC_LI32(b2p[TMP_REG_1], imm);
>> -					EMIT(PPC_RAW_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]));
>> -				}
>> +			if (!imm) {
>> +				goto bpf_alu32_trunc;
>> +			} else if (imm > -32768 && imm < 32768) {
> 
> Why do you exclude imm == 32768 ?
> 
> Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>

Good catch -- that was from an earlier version where this was shared 
across BPF_ADD and BPF_SUB. I missed updating this section before 
posting.

Michael, please consider squashing in the below diff into this patch.

Thanks!
- Naveen


---
diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index f5a804d8c95bc1..0fdc1ff86e4f1c 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -368,7 +368,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
 		case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
 			if (!imm) {
 				goto bpf_alu32_trunc;
-			} else if (imm > -32768 && imm < 32768) {
+			} else if (imm > -32768 && imm <= 32768) {
 				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(-imm)));
 			} else {
 				PPC_LI32(b2p[TMP_REG_1], imm);
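
Review bot: the adjusted bound is right for the reason the question implies: the short path emits addi with `IMM_L(-imm)`, so it is `-imm`, not imm, that has to fit the signed 16-bit field [-32768, 32767], which means imm may be 32768 but not -32768; a comment to that effect on the condition would keep the same question from coming up again. Note also that this squash diff is against a different base (index f5a804d8c95bc1, hunk at line 368) than the patch it amends, so it will need to be applied by hand.
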

^ permalink raw reply related	[flat|nested] 22+ messages in thread
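
The two boundary cases discussed in this thread, the 16-bit addi range (imm == 32768 versus -32768) from patch 4 and the addze/addme choice for imm == 0x80000000 from patch 10, worked through in C as an added example; this is not code from the series or from the kernel. It models the ppc32 lowering with explicit 32-bit halves and a carry, compares it against the reference 64-bit BPF semantics, and assumes (the quoted hunk does not show it) that the BPF_SUB case negates imm before reusing the add sequence. `jit_sub_imm`, `sub_fits_addi`, `lowering_matches` and the sample operands are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not kernel code. A 64-bit BPF register on ppc32 is a
 * pair of 32-bit halves. The JIT adds the (negated) immediate to the low
 * half with a carry-producing add, then the high half absorbs the carry plus
 * the sign-extension word of that immediate: addze (hi += carry) when that
 * word is 0, addme (hi += carry - 1) when it is 0xffffffff.
 */
struct pair32 { uint32_t hi, lo; };

/* addc lo, lo, v  followed by  addze hi (ext_zero) or addme hi. */
static struct pair32 add_sext32(struct pair32 d, uint32_t v, bool ext_zero)
{
	uint64_t sum = (uint64_t)d.lo + v;
	uint32_t carry = (uint32_t)(sum >> 32);

	d.lo = (uint32_t)sum;
	d.hi = ext_zero ? d.hi + carry : d.hi + carry + 0xffffffffu;
	return d;
}

/*
 * dst -= imm the way the ppc32 JIT lowers it. Assumption (not in the quoted
 * hunk): the BPF_SUB case negates imm and reuses the add sequence. `fixed`
 * applies patch 10's rule: for BPF_SUB with imm == 0x80000000 use addze.
 */
static uint64_t jit_sub_imm(uint64_t dst, int32_t imm, bool fixed)
{
	struct pair32 d = { (uint32_t)(dst >> 32), (uint32_t)dst };
	uint32_t neg = 0u - (uint32_t)imm;		/* -0x80000000 wraps to 0x80000000 */
	bool ext_zero = (neg & 0x80000000u) == 0;	/* the "imm >= 0" test */

	if (fixed && (uint32_t)imm == 0x80000000u)
		ext_zero = true;			/* the addend really is +2^31 */
	d = add_sext32(d, neg, ext_zero);
	return ((uint64_t)d.hi << 32) | d.lo;
}

/* Reference semantics: BPF sign-extends the 32-bit immediate to 64 bits. */
static uint64_t ref_sub_imm(uint64_t dst, int32_t imm)
{
	return dst - (uint64_t)(int64_t)imm;
}

/* True when the modelled lowering agrees with the reference for this imm. */
static bool lowering_matches(uint64_t dst, int32_t imm, bool fixed)
{
	return jit_sub_imm(dst, imm, fixed) == ref_sub_imm(dst, imm);
}

/*
 * Patch 4's short path emits addi with IMM_L(-imm), so it is -imm, not imm,
 * that must fit the signed 16-bit field: 32768 is allowed, -32768 is not.
 */
static bool sub_fits_addi(int32_t imm)
{
	int64_t neg = -(int64_t)imm;	/* widen first: -INT32_MIN would overflow */

	return neg >= -32768 && neg <= 32767;
}

int main(void)
{
	const uint64_t dst = 0x0000000100000000ull;	/* constructed operand */
	const int32_t imms[] = { 5, -5, INT32_MAX, INT32_MIN };

	for (size_t i = 0; i < sizeof(imms) / sizeof(imms[0]); i++)
		printf("imm=%11d  unfixed %s  fixed %s\n", imms[i],
		       lowering_matches(dst, imms[i], false) ? "ok " : "BAD",
		       lowering_matches(dst, imms[i], true) ? "ok " : "BAD");
	printf("32768 fits addi: %d, -32768 fits addi: %d\n",
	       sub_fits_addi(32768), sub_fits_addi(-32768));
	return 0;
}
```

Running it shows every immediate except INT32_MIN agreeing with the reference under both rules, INT32_MIN agreeing only with the patched rule (the unpatched lowering lands exactly 2^32 away, i.e. the high half is off by one), and the addi check accepting 32768 while rejecting -32768.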

* Re: [PATCH v2 00/10] powerpc/bpf: Various fixes
@ 2021-10-08 13:22 ` Michael Ellerman
From: Michael Ellerman @ 2021-10-08 13:22 UTC (permalink / raw)
  To: Song Liu, Nicholas Piggin, Jordan Niethe, Alexei Starovoitov,
	Naveen N. Rao, Michael Ellerman, Christophe Leroy,
	Johan Almbladh, Daniel Borkmann
  Cc: bpf, linuxppc-dev

On Wed, 6 Oct 2021 01:55:19 +0530, Naveen N. Rao wrote:
> This is v2 of the series posted at:
> http://lkml.kernel.org/r/cover.1633104510.git.naveen.n.rao@linux.vnet.ibm.com
> 
> Only patches from v1 that need to go into powerpc/fixes are included.
> Other patches will be posted as a separate series for inclusion into
> powerpc/next.
> 
> [...]

Applied to powerpc/fixes.

[01/10] powerpc/lib: Add helper to check if offset is within conditional branch range
        https://git.kernel.org/powerpc/c/4549c3ea3160fa8b3f37dfe2f957657bb265eda9
[02/10] powerpc/bpf: Validate branch ranges
        https://git.kernel.org/powerpc/c/3832ba4e283d7052b783dab8311df7e3590fed93
[03/10] powerpc/bpf: Fix BPF_MOD when imm == 1
        https://git.kernel.org/powerpc/c/8bbc9d822421d9ac8ff9ed26a3713c9afc69d6c8
[04/10] powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
        https://git.kernel.org/powerpc/c/5855c4c1f415ca3ba1046e77c0b3d3dfc96c9025
[05/10] powerpc/security: Add a helper to query stf_barrier type
        https://git.kernel.org/powerpc/c/030905920f32e91a52794937f67434ac0b3ea41a
[06/10] powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
        https://git.kernel.org/powerpc/c/b7540d62509453263604a155bf2d5f0ed450cba2
[07/10] powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation
        https://git.kernel.org/powerpc/c/c9b8da77f22d28348d1f89a6c4d3fec102e9b1c4
[08/10] powerpc/bpf ppc32: Fix JMP32_JSET_K
        https://git.kernel.org/powerpc/c/e8278d44443207bb6609c7b064073f353e6f4978
[09/10] powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END
        https://git.kernel.org/powerpc/c/48164fccdff6d5cc11308126c050bd25a329df25
[10/10] powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000
        https://git.kernel.org/powerpc/c/548b762763b885b81850db676258df47c55dd5f9

cheers
