[thirdparty/kernel/stable-queue.git] / releases / 4.19.27 / mips-ebpf-fix-icache-flush-end-address.patch

From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001
From: Paul Burton <paul.burton@mips.com>
Date: Fri, 1 Mar 2019 22:58:09 +0000
Subject: MIPS: eBPF: Fix icache flush end address

From: Paul Burton <paul.burton@mips.com>

commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream.

The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
icache observes the code that we just wrote. Unfortunately it gets the
end address calculation wrong due to some bad pointer arithmetic.

The struct jit_ctx target field is of type pointer to u32, and as such
adding one to it will increment the address being pointed to by 4 bytes.
Therefore in order to find the address of the end of the code we simply
need to add the number of 4 byte instructions emitted, but we mistakenly
add the number of instructions multiplied by 4. This results in the call
to flush_icache_range() operating on a memory region 4x larger than
intended, which is always wasteful and can cause crashes if we overrun
into an unmapped page.

Fix this by correcting the pointer arithmetic to remove the bogus
multiplication, and use braces to remove the need for a set of brackets
whilst also making it obvious that the target field is a pointer.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: netdev@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: linux-mips@vger.kernel.org
Cc: stable@vger.kernel.org # v4.13+
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/net/ebpf_jit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/net/ebpf_jit.c
+++ b/arch/mips/net/ebpf_jit.c
@@ -1818,7 +1818,7 @@ struct bpf_prog *bpf_int_jit_compile(str
 
 	/* Update the icache */
 	flush_icache_range((unsigned long)ctx.target,
-			   (unsigned long)(ctx.target + ctx.idx * sizeof(u32)));
+			   (unsigned long)&ctx.target[ctx.idx]);
 
 	if (bpf_jit_enable > 1)
 		/* Dump JIT code */
Commit	Line	Data
e793be79 GKH	1	From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001
	2	From: Paul Burton <paul.burton@mips.com>
	3	Date: Fri, 1 Mar 2019 22:58:09 +0000
	4	Subject: MIPS: eBPF: Fix icache flush end address
	5
	6	From: Paul Burton <paul.burton@mips.com>
	7
	8	commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream.
	9
	10	The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
	11	icache observes the code that we just wrote. Unfortunately it gets the
	12	end address calculation wrong due to some bad pointer arithmetic.
	13
	14	The struct jit_ctx target field is of type pointer to u32, and as such
	15	adding one to it will increment the address being pointed to by 4 bytes.
	16	Therefore in order to find the address of the end of the code we simply
	17	need to add the number of 4 byte instructions emitted, but we mistakenly
	18	add the number of instructions multiplied by 4. This results in the call
	19	to flush_icache_range() operating on a memory region 4x larger than
	20	intended, which is always wasteful and can cause crashes if we overrun
	21	into an unmapped page.
	22
	23	Fix this by correcting the pointer arithmetic to remove the bogus
	24	multiplication, and use braces to remove the need for a set of brackets
	25	whilst also making it obvious that the target field is a pointer.
	26
	27	Signed-off-by: Paul Burton <paul.burton@mips.com>
	28	Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
	29	Cc: Alexei Starovoitov <ast@kernel.org>
	30	Cc: Daniel Borkmann <daniel@iogearbox.net>
	31	Cc: Martin KaFai Lau <kafai@fb.com>
	32	Cc: Song Liu <songliubraving@fb.com>
	33	Cc: Yonghong Song <yhs@fb.com>
	34	Cc: netdev@vger.kernel.org
	35	Cc: bpf@vger.kernel.org
	36	Cc: linux-mips@vger.kernel.org
	37	Cc: stable@vger.kernel.org # v4.13+
	38	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	39	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	40
	41	---
	42	arch/mips/net/ebpf_jit.c \| 2 +-
	43	1 file changed, 1 insertion(+), 1 deletion(-)
	44
	45	--- a/arch/mips/net/ebpf_jit.c
	46	+++ b/arch/mips/net/ebpf_jit.c
	47	@@ -1818,7 +1818,7 @@ struct bpf_prog *bpf_int_jit_compile(str
	48
	49	/* Update the icache */
	50	flush_icache_range((unsigned long)ctx.target,
	51	- (unsigned long)(ctx.target + ctx.idx * sizeof(u32)));
	52	+ (unsigned long)&ctx.target[ctx.idx]);
	53
	54	if (bpf_jit_enable > 1)
	55	/* Dump JIT code */