* [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch.
@ 2012-12-06 14:38 Nicolas Schichan
2012-12-06 14:38 ` [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets Nicolas Schichan
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Nicolas Schichan @ 2012-12-06 14:38 UTC (permalink / raw)
To: mgherzan, rmk+kernel
Cc: Nicolas Schichan, Russell King, Eric Dumazet, David S. Miller,
linux-arm-kernel, linux-kernel
Official prototype for kzalloc is:
void *kzalloc(size_t, gfp_t);
The ARM bpf_jit code was having the assumption that it was:
void *kzalloc(gfp_t, size);
This was resulting the use of some random GFP flags depending on the
size requested and some random overflows once the really needed size
was more than the value of GFP_KERNEL.
This bug was present since the original inclusion of bpf_jit for ARM
(ddecdfce: ARM: 7259/3: net: JIT compiler for packet filters).
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
---
arch/arm/net/bpf_jit_32.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index c641fb6..a64d349 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -845,7 +845,7 @@ void bpf_jit_compile(struct sk_filter *fp)
ctx.skf = fp;
ctx.ret0_fp_idx = -1;
- ctx.offsets = kzalloc(GFP_KERNEL, 4 * (ctx.skf->len + 1));
+ ctx.offsets = kzalloc(4 * (ctx.skf->len + 1), GFP_KERNEL);
if (ctx.offsets == NULL)
return;
@@ -864,7 +864,7 @@ void bpf_jit_compile(struct sk_filter *fp)
ctx.idx += ctx.imm_count;
if (ctx.imm_count) {
- ctx.imms = kzalloc(GFP_KERNEL, 4 * ctx.imm_count);
+ ctx.imms = kzalloc(4 * ctx.imm_count, GFP_KERNEL);
if (ctx.imms == NULL)
goto out;
}
--
1.7.5.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets.
2012-12-06 14:38 [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Nicolas Schichan
@ 2012-12-06 14:38 ` Nicolas Schichan
2012-12-07 23:15 ` Mircea Gherzan
2012-12-07 16:51 ` [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Florian Fainelli
2012-12-07 23:04 ` Mircea Gherzan
2 siblings, 1 reply; 7+ messages in thread
From: Nicolas Schichan @ 2012-12-06 14:38 UTC (permalink / raw)
To: mgherzan, rmk+kernel
Cc: Nicolas Schichan, Russell King, Eric Dumazet, David S. Miller,
linux-arm-kernel, linux-kernel
The offset must be multiplied by 4 to be sure to access the correct
32bit word in the stack scratch space.
For instance, a store at scratch memory cell #1 was generating the
following:
st r4, [sp, #1]
While the correct code for this is:
st r4, [sp, #4]
To reproduce the bug (assuming your system has a NIC with the mac
address 52:54:00:12:34:56):
echo 0 > /proc/sys/net/core/bpf_jit_enable
tcpdump -ni eth0 "ether[1] + ether[2] - ether[3] * ether[4] - ether[5] \
== -0x3AA" # this will capture packets as expected
echo 1 > /proc/sys/net/core/bpf_jit_enable
tcpdump -ni eth0 "ether[1] + ether[2] - ether[3] * ether[4] - ether[5] \
== -0x3AA" # this will not.
This bug was present since the original inclusion of bpf_jit for ARM
(ddecdfce: ARM: 7259/3: net: JIT compiler for packet filters).
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
---
arch/arm/net/bpf_jit_32.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index a64d349..b6f305e 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -42,7 +42,7 @@
#define r_skb_hl ARM_R8
#define SCRATCH_SP_OFFSET 0
-#define SCRATCH_OFF(k) (SCRATCH_SP_OFFSET + (k))
+#define SCRATCH_OFF(k) (SCRATCH_SP_OFFSET + 4 * (k))
#define SEEN_MEM ((1 << BPF_MEMWORDS) - 1)
#define SEEN_MEM_WORD(k) (1 << (k))
--
1.7.5.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch.
2012-12-06 14:38 [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Nicolas Schichan
2012-12-06 14:38 ` [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets Nicolas Schichan
@ 2012-12-07 16:51 ` Florian Fainelli
2012-12-07 23:04 ` Mircea Gherzan
2 siblings, 0 replies; 7+ messages in thread
From: Florian Fainelli @ 2012-12-07 16:51 UTC (permalink / raw)
To: Nicolas Schichan
Cc: mgherzan, rmk+kernel, Russell King, Eric Dumazet,
David S. Miller, linux-arm-kernel, linux-kernel
On Thursday 06 December 2012 15:38:31 Nicolas Schichan wrote:
> Official prototype for kzalloc is:
>
> void *kzalloc(size_t, gfp_t);
>
> The ARM bpf_jit code was having the assumption that it was:
>
> void *kzalloc(gfp_t, size);
>
> This was resulting the use of some random GFP flags depending on the
> size requested and some random overflows once the really needed size
> was more than the value of GFP_KERNEL.
>
> This bug was present since the original inclusion of bpf_jit for ARM
> (ddecdfce: ARM: 7259/3: net: JIT compiler for packet filters).
>
> Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
This patch is a stable candidate for kernels 3.4+.
> ---
> arch/arm/net/bpf_jit_32.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
> index c641fb6..a64d349 100644
> --- a/arch/arm/net/bpf_jit_32.c
> +++ b/arch/arm/net/bpf_jit_32.c
> @@ -845,7 +845,7 @@ void bpf_jit_compile(struct sk_filter *fp)
> ctx.skf = fp;
> ctx.ret0_fp_idx = -1;
>
> - ctx.offsets = kzalloc(GFP_KERNEL, 4 * (ctx.skf->len + 1));
> + ctx.offsets = kzalloc(4 * (ctx.skf->len + 1), GFP_KERNEL);
> if (ctx.offsets == NULL)
> return;
>
> @@ -864,7 +864,7 @@ void bpf_jit_compile(struct sk_filter *fp)
>
> ctx.idx += ctx.imm_count;
> if (ctx.imm_count) {
> - ctx.imms = kzalloc(GFP_KERNEL, 4 * ctx.imm_count);
> + ctx.imms = kzalloc(4 * ctx.imm_count, GFP_KERNEL);
> if (ctx.imms == NULL)
> goto out;
> }
> --
> 1.7.5.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch.
2012-12-06 14:38 [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Nicolas Schichan
2012-12-06 14:38 ` [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets Nicolas Schichan
2012-12-07 16:51 ` [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Florian Fainelli
@ 2012-12-07 23:04 ` Mircea Gherzan
2012-12-10 13:18 ` Nicolas Schichan
2 siblings, 1 reply; 7+ messages in thread
From: Mircea Gherzan @ 2012-12-07 23:04 UTC (permalink / raw)
To: Nicolas Schichan
Cc: rmk+kernel, Russell King, Eric Dumazet, David S. Miller,
linux-arm-kernel, linux-kernel
Am 06.12.2012 15:38, schrieb Nicolas Schichan:
> Official prototype for kzalloc is:
>
> void *kzalloc(size_t, gfp_t);
>
> The ARM bpf_jit code was having the assumption that it was:
>
> void *kzalloc(gfp_t, size);
>
> This was resulting the use of some random GFP flags depending on the
> size requested and some random overflows once the really needed size
> was more than the value of GFP_KERNEL.
>
> This bug was present since the original inclusion of bpf_jit for ARM
> (ddecdfce: ARM: 7259/3: net: JIT compiler for packet filters).
>
> Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
> ---
> arch/arm/net/bpf_jit_32.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
> index c641fb6..a64d349 100644
> --- a/arch/arm/net/bpf_jit_32.c
> +++ b/arch/arm/net/bpf_jit_32.c
> @@ -845,7 +845,7 @@ void bpf_jit_compile(struct sk_filter *fp)
> ctx.skf = fp;
> ctx.ret0_fp_idx = -1;
>
> - ctx.offsets = kzalloc(GFP_KERNEL, 4 * (ctx.skf->len + 1));
> + ctx.offsets = kzalloc(4 * (ctx.skf->len + 1), GFP_KERNEL);
> if (ctx.offsets == NULL)
> return;
>
> @@ -864,7 +864,7 @@ void bpf_jit_compile(struct sk_filter *fp)
>
> ctx.idx += ctx.imm_count;
> if (ctx.imm_count) {
> - ctx.imms = kzalloc(GFP_KERNEL, 4 * ctx.imm_count);
> + ctx.imms = kzalloc(4 * ctx.imm_count, GFP_KERNEL);
> if (ctx.imms == NULL)
> goto out;
> }
Acked-by: Mircea Gherzan <mgherzan@gmail.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets.
2012-12-06 14:38 ` [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets Nicolas Schichan
@ 2012-12-07 23:15 ` Mircea Gherzan
0 siblings, 0 replies; 7+ messages in thread
From: Mircea Gherzan @ 2012-12-07 23:15 UTC (permalink / raw)
To: Nicolas Schichan
Cc: rmk+kernel, Russell King, Eric Dumazet, David S. Miller,
linux-arm-kernel, linux-kernel
Am 06.12.2012 15:38, schrieb Nicolas Schichan:
> The offset must be multiplied by 4 to be sure to access the correct
> 32bit word in the stack scratch space.
>
> For instance, a store at scratch memory cell #1 was generating the
> following:
>
> st r4, [sp, #1]
>
> While the correct code for this is:
>
> st r4, [sp, #4]
>
> To reproduce the bug (assuming your system has a NIC with the mac
> address 52:54:00:12:34:56):
>
> echo 0 > /proc/sys/net/core/bpf_jit_enable
> tcpdump -ni eth0 "ether[1] + ether[2] - ether[3] * ether[4] - ether[5] \
> == -0x3AA" # this will capture packets as expected
>
> echo 1 > /proc/sys/net/core/bpf_jit_enable
> tcpdump -ni eth0 "ether[1] + ether[2] - ether[3] * ether[4] - ether[5] \
> == -0x3AA" # this will not.
>
> This bug was present since the original inclusion of bpf_jit for ARM
> (ddecdfce: ARM: 7259/3: net: JIT compiler for packet filters).
>
> Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
> ---
> arch/arm/net/bpf_jit_32.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
> index a64d349..b6f305e 100644
> --- a/arch/arm/net/bpf_jit_32.c
> +++ b/arch/arm/net/bpf_jit_32.c
> @@ -42,7 +42,7 @@
> #define r_skb_hl ARM_R8
>
> #define SCRATCH_SP_OFFSET 0
> -#define SCRATCH_OFF(k) (SCRATCH_SP_OFFSET + (k))
> +#define SCRATCH_OFF(k) (SCRATCH_SP_OFFSET + 4 * (k))
>
> #define SEEN_MEM ((1 << BPF_MEMWORDS) - 1)
> #define SEEN_MEM_WORD(k) (1 << (k))
Acked-by: Mircea Gherzan <mgherzan@gmail.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch.
2012-12-07 23:04 ` Mircea Gherzan
@ 2012-12-10 13:18 ` Nicolas Schichan
2012-12-10 13:20 ` Russell King - ARM Linux
0 siblings, 1 reply; 7+ messages in thread
From: Nicolas Schichan @ 2012-12-10 13:18 UTC (permalink / raw)
To: Mircea Gherzan
Cc: rmk+kernel, Russell King, Eric Dumazet, David S. Miller,
linux-arm-kernel, linux-kernel
On 12/08/2012 12:04 AM, Mircea Gherzan wrote:
> Am 06.12.2012 15:38, schrieb Nicolas Schichan:
[...]
> Acked-by: Mircea Gherzan<mgherzan@gmail.com>
Hi,
Thanks for acking those two patches.
Shall I send them to the patch system now ?
Regards,
--
Nicolas Schichan
Freebox SAS
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch.
2012-12-10 13:18 ` Nicolas Schichan
@ 2012-12-10 13:20 ` Russell King - ARM Linux
0 siblings, 0 replies; 7+ messages in thread
From: Russell King - ARM Linux @ 2012-12-10 13:20 UTC (permalink / raw)
To: Nicolas Schichan
Cc: Mircea Gherzan, Eric Dumazet, David S. Miller, linux-arm-kernel,
linux-kernel
On Mon, Dec 10, 2012 at 02:18:59PM +0100, Nicolas Schichan wrote:
> On 12/08/2012 12:04 AM, Mircea Gherzan wrote:
>> Am 06.12.2012 15:38, schrieb Nicolas Schichan:
> [...]
>> Acked-by: Mircea Gherzan<mgherzan@gmail.com>
>
> Hi,
>
> Thanks for acking those two patches.
>
> Shall I send them to the patch system now ?
Yes please.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2012-12-10 13:29 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-12-06 14:38 [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Nicolas Schichan
2012-12-06 14:38 ` [PATCH 2/2] ARM: net: bpf_jit_32: fix sp-relative load/stores offsets Nicolas Schichan
2012-12-07 23:15 ` Mircea Gherzan
2012-12-07 16:51 ` [PATCH 1/2] ARM: net: bpf_jit_32: fix kzalloc gfp/size mismatch Florian Fainelli
2012-12-07 23:04 ` Mircea Gherzan
2012-12-10 13:18 ` Nicolas Schichan
2012-12-10 13:20 ` Russell King - ARM Linux
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).