LoongArch: BPF: Zero-extend bpf_tail_call() index

commit eb71f5c433e1c6dff089b315881dec40a88a7baf upstream.

The bpf_tail_call() index should be treated as a u32 value. Let's
zero-extend it to avoid calling wrong BPF progs. See similar fixes
for x86 [1]) and arm64 ([2]) for more details.

  [1]: https://github.com/torvalds/linux/commit/90caccdd8cc0215705f18b92771b449b01e2474a
  [2]: https://github.com/torvalds/linux/commit/16338a9b3ac30740d49f5dfed81bac0ffa53b9c7

Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
index 5ba3249cea98a278faa3c3cb7761d5f8071929c2..795fb878125d79bd1adf98f12c4596a4bf46fd18 100644 (file)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -231,6 +231,8 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx, int insn)
         *       goto out;
         */
        tc_ninsn = insn ? ctx->offset[insn+1] - ctx->offset[insn] : ctx->offset[0];
+       emit_zext_32(ctx, a2, true);
+
        off = offsetof(struct bpf_array, map.max_entries);
        emit_insn(ctx, ldwu, t1, a1, off);
        /* bgeu $a2, $t1, jmp_offset */