1 /*
2 * Just-In-Time compiler for BPF filters on 32bit ARM
3 *
4 * Copyright (c) 2011 Mircea Gherzan <mgherzan@gmail.com>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; version 2 of the License.
9 */
10
11 #include <linux/bitops.h>
12 #include <linux/compiler.h>
13 #include <linux/errno.h>
14 #include <linux/filter.h>
15 #include <linux/netdevice.h>
16 #include <linux/string.h>
17 #include <linux/slab.h>
18 #include <linux/if_vlan.h>
19
20 #include <asm/cacheflush.h>
21 #include <asm/hwcap.h>
22 #include <asm/opcodes.h>
23
24 #include "bpf_jit_32.h"
25
26 /*
27 * ABI:
28 *
29 * r0 scratch register
30 * r4 BPF register A
31 * r5 BPF register X
32 * r6 pointer to the skb
33 * r7 skb->data
34 * r8 skb_headlen(skb)
35 */
36
37 #define r_scratch ARM_R0
38 /* r1-r3 are (also) used for the unaligned loads on the non-ARMv7 slowpath */
39 #define r_off ARM_R1
40 #define r_A ARM_R4
41 #define r_X ARM_R5
42 #define r_skb ARM_R6
43 #define r_skb_data ARM_R7
44 #define r_skb_hl ARM_R8
45
46 #define SCRATCH_SP_OFFSET 0
47 #define SCRATCH_OFF(k) (SCRATCH_SP_OFFSET + 4 * (k))
48
49 #define SEEN_MEM ((1 << BPF_MEMWORDS) - 1)
50 #define SEEN_MEM_WORD(k) (1 << (k))
51 #define SEEN_X (1 << BPF_MEMWORDS)
52 #define SEEN_CALL (1 << (BPF_MEMWORDS + 1))
53 #define SEEN_SKB (1 << (BPF_MEMWORDS + 2))
54 #define SEEN_DATA (1 << (BPF_MEMWORDS + 3))
55
56 #define FLAG_NEED_X_RESET (1 << 0)
57 #define FLAG_IMM_OVERFLOW (1 << 1)
58
59 struct jit_ctx {
60 const struct bpf_prog *skf;
61 unsigned idx;
62 unsigned prologue_bytes;
63 int ret0_fp_idx;
64 u32 seen;
65 u32 flags;
66 u32 *offsets;
67 u32 *target;
68 #if __LINUX_ARM_ARCH__ < 7
69 u16 epilogue_bytes;
70 u16 imm_count;
71 u32 *imms;
72 #endif
73 };
74
75 int bpf_jit_enable __read_mostly;
76
jit_get_skb_b(struct sk_buff * skb,unsigned offset)77 static u64 jit_get_skb_b(struct sk_buff *skb, unsigned offset)
78 {
79 u8 ret;
80 int err;
81
82 err = skb_copy_bits(skb, offset, &ret, 1);
83
84 return (u64)err << 32 | ret;
85 }
86
jit_get_skb_h(struct sk_buff * skb,unsigned offset)87 static u64 jit_get_skb_h(struct sk_buff *skb, unsigned offset)
88 {
89 u16 ret;
90 int err;
91
92 err = skb_copy_bits(skb, offset, &ret, 2);
93
94 return (u64)err << 32 | ntohs(ret);
95 }
96
jit_get_skb_w(struct sk_buff * skb,unsigned offset)97 static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
98 {
99 u32 ret;
100 int err;
101
102 err = skb_copy_bits(skb, offset, &ret, 4);
103
104 return (u64)err << 32 | ntohl(ret);
105 }
106
107 /*
108 * Wrapper that handles both OABI and EABI and assures Thumb2 interworking
109 * (where the assembly routines like __aeabi_uidiv could cause problems).
110 */
jit_udiv(u32 dividend,u32 divisor)111 static u32 jit_udiv(u32 dividend, u32 divisor)
112 {
113 return dividend / divisor;
114 }
115
_emit(int cond,u32 inst,struct jit_ctx * ctx)116 static inline void _emit(int cond, u32 inst, struct jit_ctx *ctx)
117 {
118 inst |= (cond << 28);
119 inst = __opcode_to_mem_arm(inst);
120
121 if (ctx->target != NULL)
122 ctx->target[ctx->idx] = inst;
123
124 ctx->idx++;
125 }
126
127 /*
128 * Emit an instruction that will be executed unconditionally.
129 */
emit(u32 inst,struct jit_ctx * ctx)130 static inline void emit(u32 inst, struct jit_ctx *ctx)
131 {
132 _emit(ARM_COND_AL, inst, ctx);
133 }
134
saved_regs(struct jit_ctx * ctx)135 static u16 saved_regs(struct jit_ctx *ctx)
136 {
137 u16 ret = 0;
138
139 if ((ctx->skf->len > 1) ||
140 (ctx->skf->insns[0].code == (BPF_RET | BPF_A)))
141 ret |= 1 << r_A;
142
143 #ifdef CONFIG_FRAME_POINTER
144 ret |= (1 << ARM_FP) | (1 << ARM_IP) | (1 << ARM_LR) | (1 << ARM_PC);
145 #else
146 if (ctx->seen & SEEN_CALL)
147 ret |= 1 << ARM_LR;
148 #endif
149 if (ctx->seen & (SEEN_DATA | SEEN_SKB))
150 ret |= 1 << r_skb;
151 if (ctx->seen & SEEN_DATA)
152 ret |= (1 << r_skb_data) | (1 << r_skb_hl);
153 if (ctx->seen & SEEN_X)
154 ret |= 1 << r_X;
155
156 return ret;
157 }
158
mem_words_used(struct jit_ctx * ctx)159 static inline int mem_words_used(struct jit_ctx *ctx)
160 {
161 /* yes, we do waste some stack space IF there are "holes" in the set" */
162 return fls(ctx->seen & SEEN_MEM);
163 }
164
jit_fill_hole(void * area,unsigned int size)165 static void jit_fill_hole(void *area, unsigned int size)
166 {
167 u32 *ptr;
168 /* We are guaranteed to have aligned memory. */
169 for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
170 *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
171 }
172
build_prologue(struct jit_ctx * ctx)173 static void build_prologue(struct jit_ctx *ctx)
174 {
175 u16 reg_set = saved_regs(ctx);
176 u16 off;
177
178 #ifdef CONFIG_FRAME_POINTER
179 emit(ARM_MOV_R(ARM_IP, ARM_SP), ctx);
180 emit(ARM_PUSH(reg_set), ctx);
181 emit(ARM_SUB_I(ARM_FP, ARM_IP, 4), ctx);
182 #else
183 if (reg_set)
184 emit(ARM_PUSH(reg_set), ctx);
185 #endif
186
187 if (ctx->seen & (SEEN_DATA | SEEN_SKB))
188 emit(ARM_MOV_R(r_skb, ARM_R0), ctx);
189
190 if (ctx->seen & SEEN_DATA) {
191 off = offsetof(struct sk_buff, data);
192 emit(ARM_LDR_I(r_skb_data, r_skb, off), ctx);
193 /* headlen = len - data_len */
194 off = offsetof(struct sk_buff, len);
195 emit(ARM_LDR_I(r_skb_hl, r_skb, off), ctx);
196 off = offsetof(struct sk_buff, data_len);
197 emit(ARM_LDR_I(r_scratch, r_skb, off), ctx);
198 emit(ARM_SUB_R(r_skb_hl, r_skb_hl, r_scratch), ctx);
199 }
200
201 if (ctx->flags & FLAG_NEED_X_RESET)
202 emit(ARM_MOV_I(r_X, 0), ctx);
203
204 /* do not leak kernel data to userspace */
205 if (bpf_needs_clear_a(&ctx->skf->insns[0]))
206 emit(ARM_MOV_I(r_A, 0), ctx);
207
208 /* stack space for the BPF_MEM words */
209 if (ctx->seen & SEEN_MEM)
210 emit(ARM_SUB_I(ARM_SP, ARM_SP, mem_words_used(ctx) * 4), ctx);
211 }
212
build_epilogue(struct jit_ctx * ctx)213 static void build_epilogue(struct jit_ctx *ctx)
214 {
215 u16 reg_set = saved_regs(ctx);
216
217 if (ctx->seen & SEEN_MEM)
218 emit(ARM_ADD_I(ARM_SP, ARM_SP, mem_words_used(ctx) * 4), ctx);
219
220 reg_set &= ~(1 << ARM_LR);
221
222 #ifdef CONFIG_FRAME_POINTER
223 /* the first instruction of the prologue was: mov ip, sp */
224 reg_set &= ~(1 << ARM_IP);
225 reg_set |= (1 << ARM_SP);
226 emit(ARM_LDM(ARM_SP, reg_set), ctx);
227 #else
228 if (reg_set) {
229 if (ctx->seen & SEEN_CALL)
230 reg_set |= 1 << ARM_PC;
231 emit(ARM_POP(reg_set), ctx);
232 }
233
234 if (!(ctx->seen & SEEN_CALL))
235 emit(ARM_BX(ARM_LR), ctx);
236 #endif
237 }
238
imm8m(u32 x)239 static int16_t imm8m(u32 x)
240 {
241 u32 rot;
242
243 for (rot = 0; rot < 16; rot++)
244 if ((x & ~ror32(0xff, 2 * rot)) == 0)
245 return rol32(x, 2 * rot) | (rot << 8);
246
247 return -1;
248 }
249
250 #if __LINUX_ARM_ARCH__ < 7
251
imm_offset(u32 k,struct jit_ctx * ctx)252 static u16 imm_offset(u32 k, struct jit_ctx *ctx)
253 {
254 unsigned i = 0, offset;
255 u16 imm;
256
257 /* on the "fake" run we just count them (duplicates included) */
258 if (ctx->target == NULL) {
259 ctx->imm_count++;
260 return 0;
261 }
262
263 while ((i < ctx->imm_count) && ctx->imms[i]) {
264 if (ctx->imms[i] == k)
265 break;
266 i++;
267 }
268
269 if (ctx->imms[i] == 0)
270 ctx->imms[i] = k;
271
272 /* constants go just after the epilogue */
273 offset = ctx->offsets[ctx->skf->len];
274 offset += ctx->prologue_bytes;
275 offset += ctx->epilogue_bytes;
276 offset += i * 4;
277
278 ctx->target[offset / 4] = k;
279
280 /* PC in ARM mode == address of the instruction + 8 */
281 imm = offset - (8 + ctx->idx * 4);
282
283 if (imm & ~0xfff) {
284 /*
285 * literal pool is too far, signal it into flags. we
286 * can only detect it on the second pass unfortunately.
287 */
288 ctx->flags |= FLAG_IMM_OVERFLOW;
289 return 0;
290 }
291
292 return imm;
293 }
294
295 #endif /* __LINUX_ARM_ARCH__ */
296
297 /*
298 * Move an immediate that's not an imm8m to a core register.
299 */
emit_mov_i_no8m(int rd,u32 val,struct jit_ctx * ctx)300 static inline void emit_mov_i_no8m(int rd, u32 val, struct jit_ctx *ctx)
301 {
302 #if __LINUX_ARM_ARCH__ < 7
303 emit(ARM_LDR_I(rd, ARM_PC, imm_offset(val, ctx)), ctx);
304 #else
305 emit(ARM_MOVW(rd, val & 0xffff), ctx);
306 if (val > 0xffff)
307 emit(ARM_MOVT(rd, val >> 16), ctx);
308 #endif
309 }
310
emit_mov_i(int rd,u32 val,struct jit_ctx * ctx)311 static inline void emit_mov_i(int rd, u32 val, struct jit_ctx *ctx)
312 {
313 int imm12 = imm8m(val);
314
315 if (imm12 >= 0)
316 emit(ARM_MOV_I(rd, imm12), ctx);
317 else
318 emit_mov_i_no8m(rd, val, ctx);
319 }
320
321 #if __LINUX_ARM_ARCH__ < 6
322
emit_load_be32(u8 cond,u8 r_res,u8 r_addr,struct jit_ctx * ctx)323 static void emit_load_be32(u8 cond, u8 r_res, u8 r_addr, struct jit_ctx *ctx)
324 {
325 _emit(cond, ARM_LDRB_I(ARM_R3, r_addr, 1), ctx);
326 _emit(cond, ARM_LDRB_I(ARM_R1, r_addr, 0), ctx);
327 _emit(cond, ARM_LDRB_I(ARM_R2, r_addr, 3), ctx);
328 _emit(cond, ARM_LSL_I(ARM_R3, ARM_R3, 16), ctx);
329 _emit(cond, ARM_LDRB_I(ARM_R0, r_addr, 2), ctx);
330 _emit(cond, ARM_ORR_S(ARM_R3, ARM_R3, ARM_R1, SRTYPE_LSL, 24), ctx);
331 _emit(cond, ARM_ORR_R(ARM_R3, ARM_R3, ARM_R2), ctx);
332 _emit(cond, ARM_ORR_S(r_res, ARM_R3, ARM_R0, SRTYPE_LSL, 8), ctx);
333 }
334
emit_load_be16(u8 cond,u8 r_res,u8 r_addr,struct jit_ctx * ctx)335 static void emit_load_be16(u8 cond, u8 r_res, u8 r_addr, struct jit_ctx *ctx)
336 {
337 _emit(cond, ARM_LDRB_I(ARM_R1, r_addr, 0), ctx);
338 _emit(cond, ARM_LDRB_I(ARM_R2, r_addr, 1), ctx);
339 _emit(cond, ARM_ORR_S(r_res, ARM_R2, ARM_R1, SRTYPE_LSL, 8), ctx);
340 }
341
emit_swap16(u8 r_dst,u8 r_src,struct jit_ctx * ctx)342 static inline void emit_swap16(u8 r_dst, u8 r_src, struct jit_ctx *ctx)
343 {
344 /* r_dst = (r_src << 8) | (r_src >> 8) */
345 emit(ARM_LSL_I(ARM_R1, r_src, 8), ctx);
346 emit(ARM_ORR_S(r_dst, ARM_R1, r_src, SRTYPE_LSR, 8), ctx);
347
348 /*
349 * we need to mask out the bits set in r_dst[23:16] due to
350 * the first shift instruction.
351 *
352 * note that 0x8ff is the encoded immediate 0x00ff0000.
353 */
354 emit(ARM_BIC_I(r_dst, r_dst, 0x8ff), ctx);
355 }
356
357 #else /* ARMv6+ */
358
emit_load_be32(u8 cond,u8 r_res,u8 r_addr,struct jit_ctx * ctx)359 static void emit_load_be32(u8 cond, u8 r_res, u8 r_addr, struct jit_ctx *ctx)
360 {
361 _emit(cond, ARM_LDR_I(r_res, r_addr, 0), ctx);
362 #ifdef __LITTLE_ENDIAN
363 _emit(cond, ARM_REV(r_res, r_res), ctx);
364 #endif
365 }
366
emit_load_be16(u8 cond,u8 r_res,u8 r_addr,struct jit_ctx * ctx)367 static void emit_load_be16(u8 cond, u8 r_res, u8 r_addr, struct jit_ctx *ctx)
368 {
369 _emit(cond, ARM_LDRH_I(r_res, r_addr, 0), ctx);
370 #ifdef __LITTLE_ENDIAN
371 _emit(cond, ARM_REV16(r_res, r_res), ctx);
372 #endif
373 }
374
emit_swap16(u8 r_dst __maybe_unused,u8 r_src __maybe_unused,struct jit_ctx * ctx __maybe_unused)375 static inline void emit_swap16(u8 r_dst __maybe_unused,
376 u8 r_src __maybe_unused,
377 struct jit_ctx *ctx __maybe_unused)
378 {
379 #ifdef __LITTLE_ENDIAN
380 emit(ARM_REV16(r_dst, r_src), ctx);
381 #endif
382 }
383
384 #endif /* __LINUX_ARM_ARCH__ < 6 */
385
386
387 /* Compute the immediate value for a PC-relative branch. */
b_imm(unsigned tgt,struct jit_ctx * ctx)388 static inline u32 b_imm(unsigned tgt, struct jit_ctx *ctx)
389 {
390 u32 imm;
391
392 if (ctx->target == NULL)
393 return 0;
394 /*
395 * BPF allows only forward jumps and the offset of the target is
396 * still the one computed during the first pass.
397 */
398 imm = ctx->offsets[tgt] + ctx->prologue_bytes - (ctx->idx * 4 + 8);
399
400 return imm >> 2;
401 }
402
403 #define OP_IMM3(op, r1, r2, imm_val, ctx) \
404 do { \
405 imm12 = imm8m(imm_val); \
406 if (imm12 < 0) { \
407 emit_mov_i_no8m(r_scratch, imm_val, ctx); \
408 emit(op ## _R((r1), (r2), r_scratch), ctx); \
409 } else { \
410 emit(op ## _I((r1), (r2), imm12), ctx); \
411 } \
412 } while (0)
413
emit_err_ret(u8 cond,struct jit_ctx * ctx)414 static inline void emit_err_ret(u8 cond, struct jit_ctx *ctx)
415 {
416 if (ctx->ret0_fp_idx >= 0) {
417 _emit(cond, ARM_B(b_imm(ctx->ret0_fp_idx, ctx)), ctx);
418 /* NOP to keep the size constant between passes */
419 emit(ARM_MOV_R(ARM_R0, ARM_R0), ctx);
420 } else {
421 _emit(cond, ARM_MOV_I(ARM_R0, 0), ctx);
422 _emit(cond, ARM_B(b_imm(ctx->skf->len, ctx)), ctx);
423 }
424 }
425
emit_blx_r(u8 tgt_reg,struct jit_ctx * ctx)426 static inline void emit_blx_r(u8 tgt_reg, struct jit_ctx *ctx)
427 {
428 #if __LINUX_ARM_ARCH__ < 5
429 emit(ARM_MOV_R(ARM_LR, ARM_PC), ctx);
430
431 if (elf_hwcap & HWCAP_THUMB)
432 emit(ARM_BX(tgt_reg), ctx);
433 else
434 emit(ARM_MOV_R(ARM_PC, tgt_reg), ctx);
435 #else
436 emit(ARM_BLX_R(tgt_reg), ctx);
437 #endif
438 }
439
emit_udiv(u8 rd,u8 rm,u8 rn,struct jit_ctx * ctx)440 static inline void emit_udiv(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx)
441 {
442 #if __LINUX_ARM_ARCH__ == 7
443 if (elf_hwcap & HWCAP_IDIVA) {
444 emit(ARM_UDIV(rd, rm, rn), ctx);
445 return;
446 }
447 #endif
448
449 /*
450 * For BPF_ALU | BPF_DIV | BPF_K instructions, rm is ARM_R4
451 * (r_A) and rn is ARM_R0 (r_scratch) so load rn first into
452 * ARM_R1 to avoid accidentally overwriting ARM_R0 with rm
453 * before using it as a source for ARM_R1.
454 *
455 * For BPF_ALU | BPF_DIV | BPF_X rm is ARM_R4 (r_A) and rn is
456 * ARM_R5 (r_X) so there is no particular register overlap
457 * issues.
458 */
459 if (rn != ARM_R1)
460 emit(ARM_MOV_R(ARM_R1, rn), ctx);
461 if (rm != ARM_R0)
462 emit(ARM_MOV_R(ARM_R0, rm), ctx);
463
464 ctx->seen |= SEEN_CALL;
465 emit_mov_i(ARM_R3, (u32)jit_udiv, ctx);
466 emit_blx_r(ARM_R3, ctx);
467
468 if (rd != ARM_R0)
469 emit(ARM_MOV_R(rd, ARM_R0), ctx);
470 }
471
update_on_xread(struct jit_ctx * ctx)472 static inline void update_on_xread(struct jit_ctx *ctx)
473 {
474 if (!(ctx->seen & SEEN_X))
475 ctx->flags |= FLAG_NEED_X_RESET;
476
477 ctx->seen |= SEEN_X;
478 }
479
build_body(struct jit_ctx * ctx)480 static int build_body(struct jit_ctx *ctx)
481 {
482 void *load_func[] = {jit_get_skb_b, jit_get_skb_h, jit_get_skb_w};
483 const struct bpf_prog *prog = ctx->skf;
484 const struct sock_filter *inst;
485 unsigned i, load_order, off, condt;
486 int imm12;
487 u32 k;
488
489 for (i = 0; i < prog->len; i++) {
490 u16 code;
491
492 inst = &(prog->insns[i]);
493 /* K as an immediate value operand */
494 k = inst->k;
495 code = bpf_anc_helper(inst);
496
497 /* compute offsets only in the fake pass */
498 if (ctx->target == NULL)
499 ctx->offsets[i] = ctx->idx * 4;
500
501 switch (code) {
502 case BPF_LD | BPF_IMM:
503 emit_mov_i(r_A, k, ctx);
504 break;
505 case BPF_LD | BPF_W | BPF_LEN:
506 ctx->seen |= SEEN_SKB;
507 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
508 emit(ARM_LDR_I(r_A, r_skb,
509 offsetof(struct sk_buff, len)), ctx);
510 break;
511 case BPF_LD | BPF_MEM:
512 /* A = scratch[k] */
513 ctx->seen |= SEEN_MEM_WORD(k);
514 emit(ARM_LDR_I(r_A, ARM_SP, SCRATCH_OFF(k)), ctx);
515 break;
516 case BPF_LD | BPF_W | BPF_ABS:
517 load_order = 2;
518 goto load;
519 case BPF_LD | BPF_H | BPF_ABS:
520 load_order = 1;
521 goto load;
522 case BPF_LD | BPF_B | BPF_ABS:
523 load_order = 0;
524 load:
525 /* the interpreter will deal with the negative K */
526 if ((int)k < 0)
527 return -ENOTSUPP;
528 emit_mov_i(r_off, k, ctx);
529 load_common:
530 ctx->seen |= SEEN_DATA | SEEN_CALL;
531
532 if (load_order > 0) {
533 emit(ARM_SUB_I(r_scratch, r_skb_hl,
534 1 << load_order), ctx);
535 emit(ARM_CMP_R(r_scratch, r_off), ctx);
536 condt = ARM_COND_HS;
537 } else {
538 emit(ARM_CMP_R(r_skb_hl, r_off), ctx);
539 condt = ARM_COND_HI;
540 }
541
542 _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
543 ctx);
544
545 if (load_order == 0)
546 _emit(condt, ARM_LDRB_I(r_A, r_scratch, 0),
547 ctx);
548 else if (load_order == 1)
549 emit_load_be16(condt, r_A, r_scratch, ctx);
550 else if (load_order == 2)
551 emit_load_be32(condt, r_A, r_scratch, ctx);
552
553 _emit(condt, ARM_B(b_imm(i + 1, ctx)), ctx);
554
555 /* the slowpath */
556 emit_mov_i(ARM_R3, (u32)load_func[load_order], ctx);
557 emit(ARM_MOV_R(ARM_R0, r_skb), ctx);
558 /* the offset is already in R1 */
559 emit_blx_r(ARM_R3, ctx);
560 /* check the result of skb_copy_bits */
561 emit(ARM_CMP_I(ARM_R1, 0), ctx);
562 emit_err_ret(ARM_COND_NE, ctx);
563 emit(ARM_MOV_R(r_A, ARM_R0), ctx);
564 break;
565 case BPF_LD | BPF_W | BPF_IND:
566 load_order = 2;
567 goto load_ind;
568 case BPF_LD | BPF_H | BPF_IND:
569 load_order = 1;
570 goto load_ind;
571 case BPF_LD | BPF_B | BPF_IND:
572 load_order = 0;
573 load_ind:
574 OP_IMM3(ARM_ADD, r_off, r_X, k, ctx);
575 goto load_common;
576 case BPF_LDX | BPF_IMM:
577 ctx->seen |= SEEN_X;
578 emit_mov_i(r_X, k, ctx);
579 break;
580 case BPF_LDX | BPF_W | BPF_LEN:
581 ctx->seen |= SEEN_X | SEEN_SKB;
582 emit(ARM_LDR_I(r_X, r_skb,
583 offsetof(struct sk_buff, len)), ctx);
584 break;
585 case BPF_LDX | BPF_MEM:
586 ctx->seen |= SEEN_X | SEEN_MEM_WORD(k);
587 emit(ARM_LDR_I(r_X, ARM_SP, SCRATCH_OFF(k)), ctx);
588 break;
589 case BPF_LDX | BPF_B | BPF_MSH:
590 /* x = ((*(frame + k)) & 0xf) << 2; */
591 ctx->seen |= SEEN_X | SEEN_DATA | SEEN_CALL;
592 /* the interpreter should deal with the negative K */
593 if ((int)k < 0)
594 return -1;
595 /* offset in r1: we might have to take the slow path */
596 emit_mov_i(r_off, k, ctx);
597 emit(ARM_CMP_R(r_skb_hl, r_off), ctx);
598
599 /* load in r0: common with the slowpath */
600 _emit(ARM_COND_HI, ARM_LDRB_R(ARM_R0, r_skb_data,
601 ARM_R1), ctx);
602 /*
603 * emit_mov_i() might generate one or two instructions,
604 * the same holds for emit_blx_r()
605 */
606 _emit(ARM_COND_HI, ARM_B(b_imm(i + 1, ctx) - 2), ctx);
607
608 emit(ARM_MOV_R(ARM_R0, r_skb), ctx);
609 /* r_off is r1 */
610 emit_mov_i(ARM_R3, (u32)jit_get_skb_b, ctx);
611 emit_blx_r(ARM_R3, ctx);
612 /* check the return value of skb_copy_bits */
613 emit(ARM_CMP_I(ARM_R1, 0), ctx);
614 emit_err_ret(ARM_COND_NE, ctx);
615
616 emit(ARM_AND_I(r_X, ARM_R0, 0x00f), ctx);
617 emit(ARM_LSL_I(r_X, r_X, 2), ctx);
618 break;
619 case BPF_ST:
620 ctx->seen |= SEEN_MEM_WORD(k);
621 emit(ARM_STR_I(r_A, ARM_SP, SCRATCH_OFF(k)), ctx);
622 break;
623 case BPF_STX:
624 update_on_xread(ctx);
625 ctx->seen |= SEEN_MEM_WORD(k);
626 emit(ARM_STR_I(r_X, ARM_SP, SCRATCH_OFF(k)), ctx);
627 break;
628 case BPF_ALU | BPF_ADD | BPF_K:
629 /* A += K */
630 OP_IMM3(ARM_ADD, r_A, r_A, k, ctx);
631 break;
632 case BPF_ALU | BPF_ADD | BPF_X:
633 update_on_xread(ctx);
634 emit(ARM_ADD_R(r_A, r_A, r_X), ctx);
635 break;
636 case BPF_ALU | BPF_SUB | BPF_K:
637 /* A -= K */
638 OP_IMM3(ARM_SUB, r_A, r_A, k, ctx);
639 break;
640 case BPF_ALU | BPF_SUB | BPF_X:
641 update_on_xread(ctx);
642 emit(ARM_SUB_R(r_A, r_A, r_X), ctx);
643 break;
644 case BPF_ALU | BPF_MUL | BPF_K:
645 /* A *= K */
646 emit_mov_i(r_scratch, k, ctx);
647 emit(ARM_MUL(r_A, r_A, r_scratch), ctx);
648 break;
649 case BPF_ALU | BPF_MUL | BPF_X:
650 update_on_xread(ctx);
651 emit(ARM_MUL(r_A, r_A, r_X), ctx);
652 break;
653 case BPF_ALU | BPF_DIV | BPF_K:
654 if (k == 1)
655 break;
656 emit_mov_i(r_scratch, k, ctx);
657 emit_udiv(r_A, r_A, r_scratch, ctx);
658 break;
659 case BPF_ALU | BPF_DIV | BPF_X:
660 update_on_xread(ctx);
661 emit(ARM_CMP_I(r_X, 0), ctx);
662 emit_err_ret(ARM_COND_EQ, ctx);
663 emit_udiv(r_A, r_A, r_X, ctx);
664 break;
665 case BPF_ALU | BPF_OR | BPF_K:
666 /* A |= K */
667 OP_IMM3(ARM_ORR, r_A, r_A, k, ctx);
668 break;
669 case BPF_ALU | BPF_OR | BPF_X:
670 update_on_xread(ctx);
671 emit(ARM_ORR_R(r_A, r_A, r_X), ctx);
672 break;
673 case BPF_ALU | BPF_XOR | BPF_K:
674 /* A ^= K; */
675 OP_IMM3(ARM_EOR, r_A, r_A, k, ctx);
676 break;
677 case BPF_ANC | SKF_AD_ALU_XOR_X:
678 case BPF_ALU | BPF_XOR | BPF_X:
679 /* A ^= X */
680 update_on_xread(ctx);
681 emit(ARM_EOR_R(r_A, r_A, r_X), ctx);
682 break;
683 case BPF_ALU | BPF_AND | BPF_K:
684 /* A &= K */
685 OP_IMM3(ARM_AND, r_A, r_A, k, ctx);
686 break;
687 case BPF_ALU | BPF_AND | BPF_X:
688 update_on_xread(ctx);
689 emit(ARM_AND_R(r_A, r_A, r_X), ctx);
690 break;
691 case BPF_ALU | BPF_LSH | BPF_K:
692 if (unlikely(k > 31))
693 return -1;
694 emit(ARM_LSL_I(r_A, r_A, k), ctx);
695 break;
696 case BPF_ALU | BPF_LSH | BPF_X:
697 update_on_xread(ctx);
698 emit(ARM_LSL_R(r_A, r_A, r_X), ctx);
699 break;
700 case BPF_ALU | BPF_RSH | BPF_K:
701 if (unlikely(k > 31))
702 return -1;
703 emit(ARM_LSR_I(r_A, r_A, k), ctx);
704 break;
705 case BPF_ALU | BPF_RSH | BPF_X:
706 update_on_xread(ctx);
707 emit(ARM_LSR_R(r_A, r_A, r_X), ctx);
708 break;
709 case BPF_ALU | BPF_NEG:
710 /* A = -A */
711 emit(ARM_RSB_I(r_A, r_A, 0), ctx);
712 break;
713 case BPF_JMP | BPF_JA:
714 /* pc += K */
715 emit(ARM_B(b_imm(i + k + 1, ctx)), ctx);
716 break;
717 case BPF_JMP | BPF_JEQ | BPF_K:
718 /* pc += (A == K) ? pc->jt : pc->jf */
719 condt = ARM_COND_EQ;
720 goto cmp_imm;
721 case BPF_JMP | BPF_JGT | BPF_K:
722 /* pc += (A > K) ? pc->jt : pc->jf */
723 condt = ARM_COND_HI;
724 goto cmp_imm;
725 case BPF_JMP | BPF_JGE | BPF_K:
726 /* pc += (A >= K) ? pc->jt : pc->jf */
727 condt = ARM_COND_HS;
728 cmp_imm:
729 imm12 = imm8m(k);
730 if (imm12 < 0) {
731 emit_mov_i_no8m(r_scratch, k, ctx);
732 emit(ARM_CMP_R(r_A, r_scratch), ctx);
733 } else {
734 emit(ARM_CMP_I(r_A, imm12), ctx);
735 }
736 cond_jump:
737 if (inst->jt)
738 _emit(condt, ARM_B(b_imm(i + inst->jt + 1,
739 ctx)), ctx);
740 if (inst->jf)
741 _emit(condt ^ 1, ARM_B(b_imm(i + inst->jf + 1,
742 ctx)), ctx);
743 break;
744 case BPF_JMP | BPF_JEQ | BPF_X:
745 /* pc += (A == X) ? pc->jt : pc->jf */
746 condt = ARM_COND_EQ;
747 goto cmp_x;
748 case BPF_JMP | BPF_JGT | BPF_X:
749 /* pc += (A > X) ? pc->jt : pc->jf */
750 condt = ARM_COND_HI;
751 goto cmp_x;
752 case BPF_JMP | BPF_JGE | BPF_X:
753 /* pc += (A >= X) ? pc->jt : pc->jf */
754 condt = ARM_COND_CS;
755 cmp_x:
756 update_on_xread(ctx);
757 emit(ARM_CMP_R(r_A, r_X), ctx);
758 goto cond_jump;
759 case BPF_JMP | BPF_JSET | BPF_K:
760 /* pc += (A & K) ? pc->jt : pc->jf */
761 condt = ARM_COND_NE;
762 /* not set iff all zeroes iff Z==1 iff EQ */
763
764 imm12 = imm8m(k);
765 if (imm12 < 0) {
766 emit_mov_i_no8m(r_scratch, k, ctx);
767 emit(ARM_TST_R(r_A, r_scratch), ctx);
768 } else {
769 emit(ARM_TST_I(r_A, imm12), ctx);
770 }
771 goto cond_jump;
772 case BPF_JMP | BPF_JSET | BPF_X:
773 /* pc += (A & X) ? pc->jt : pc->jf */
774 update_on_xread(ctx);
775 condt = ARM_COND_NE;
776 emit(ARM_TST_R(r_A, r_X), ctx);
777 goto cond_jump;
778 case BPF_RET | BPF_A:
779 emit(ARM_MOV_R(ARM_R0, r_A), ctx);
780 goto b_epilogue;
781 case BPF_RET | BPF_K:
782 if ((k == 0) && (ctx->ret0_fp_idx < 0))
783 ctx->ret0_fp_idx = i;
784 emit_mov_i(ARM_R0, k, ctx);
785 b_epilogue:
786 if (i != ctx->skf->len - 1)
787 emit(ARM_B(b_imm(prog->len, ctx)), ctx);
788 break;
789 case BPF_MISC | BPF_TAX:
790 /* X = A */
791 ctx->seen |= SEEN_X;
792 emit(ARM_MOV_R(r_X, r_A), ctx);
793 break;
794 case BPF_MISC | BPF_TXA:
795 /* A = X */
796 update_on_xread(ctx);
797 emit(ARM_MOV_R(r_A, r_X), ctx);
798 break;
799 case BPF_ANC | SKF_AD_PROTOCOL:
800 /* A = ntohs(skb->protocol) */
801 ctx->seen |= SEEN_SKB;
802 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff,
803 protocol) != 2);
804 off = offsetof(struct sk_buff, protocol);
805 emit(ARM_LDRH_I(r_scratch, r_skb, off), ctx);
806 emit_swap16(r_A, r_scratch, ctx);
807 break;
808 case BPF_ANC | SKF_AD_CPU:
809 /* r_scratch = current_thread_info() */
810 OP_IMM3(ARM_BIC, r_scratch, ARM_SP, THREAD_SIZE - 1, ctx);
811 /* A = current_thread_info()->cpu */
812 BUILD_BUG_ON(FIELD_SIZEOF(struct thread_info, cpu) != 4);
813 off = offsetof(struct thread_info, cpu);
814 emit(ARM_LDR_I(r_A, r_scratch, off), ctx);
815 break;
816 case BPF_ANC | SKF_AD_IFINDEX:
817 /* A = skb->dev->ifindex */
818 ctx->seen |= SEEN_SKB;
819 off = offsetof(struct sk_buff, dev);
820 emit(ARM_LDR_I(r_scratch, r_skb, off), ctx);
821
822 emit(ARM_CMP_I(r_scratch, 0), ctx);
823 emit_err_ret(ARM_COND_EQ, ctx);
824
825 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device,
826 ifindex) != 4);
827 off = offsetof(struct net_device, ifindex);
828 emit(ARM_LDR_I(r_A, r_scratch, off), ctx);
829 break;
830 case BPF_ANC | SKF_AD_MARK:
831 ctx->seen |= SEEN_SKB;
832 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
833 off = offsetof(struct sk_buff, mark);
834 emit(ARM_LDR_I(r_A, r_skb, off), ctx);
835 break;
836 case BPF_ANC | SKF_AD_RXHASH:
837 ctx->seen |= SEEN_SKB;
838 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, hash) != 4);
839 off = offsetof(struct sk_buff, hash);
840 emit(ARM_LDR_I(r_A, r_skb, off), ctx);
841 break;
842 case BPF_ANC | SKF_AD_VLAN_TAG:
843 case BPF_ANC | SKF_AD_VLAN_TAG_PRESENT:
844 ctx->seen |= SEEN_SKB;
845 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2);
846 off = offsetof(struct sk_buff, vlan_tci);
847 emit(ARM_LDRH_I(r_A, r_skb, off), ctx);
848 if (code == (BPF_ANC | SKF_AD_VLAN_TAG))
849 OP_IMM3(ARM_AND, r_A, r_A, VLAN_VID_MASK, ctx);
850 else
851 OP_IMM3(ARM_AND, r_A, r_A, VLAN_TAG_PRESENT, ctx);
852 break;
853 case BPF_ANC | SKF_AD_QUEUE:
854 ctx->seen |= SEEN_SKB;
855 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff,
856 queue_mapping) != 2);
857 BUILD_BUG_ON(offsetof(struct sk_buff,
858 queue_mapping) > 0xff);
859 off = offsetof(struct sk_buff, queue_mapping);
860 emit(ARM_LDRH_I(r_A, r_skb, off), ctx);
861 break;
862 default:
863 return -1;
864 }
865
866 if (ctx->flags & FLAG_IMM_OVERFLOW)
867 /*
868 * this instruction generated an overflow when
869 * trying to access the literal pool, so
870 * delegate this filter to the kernel interpreter.
871 */
872 return -1;
873 }
874
875 /* compute offsets only during the first pass */
876 if (ctx->target == NULL)
877 ctx->offsets[i] = ctx->idx * 4;
878
879 return 0;
880 }
881
882
bpf_jit_compile(struct bpf_prog * fp)883 void bpf_jit_compile(struct bpf_prog *fp)
884 {
885 struct bpf_binary_header *header;
886 struct jit_ctx ctx;
887 unsigned tmp_idx;
888 unsigned alloc_size;
889 u8 *target_ptr;
890
891 if (!bpf_jit_enable)
892 return;
893
894 memset(&ctx, 0, sizeof(ctx));
895 ctx.skf = fp;
896 ctx.ret0_fp_idx = -1;
897
898 ctx.offsets = kzalloc(4 * (ctx.skf->len + 1), GFP_KERNEL);
899 if (ctx.offsets == NULL)
900 return;
901
902 /* fake pass to fill in the ctx->seen */
903 if (unlikely(build_body(&ctx)))
904 goto out;
905
906 tmp_idx = ctx.idx;
907 build_prologue(&ctx);
908 ctx.prologue_bytes = (ctx.idx - tmp_idx) * 4;
909
910 #if __LINUX_ARM_ARCH__ < 7
911 tmp_idx = ctx.idx;
912 build_epilogue(&ctx);
913 ctx.epilogue_bytes = (ctx.idx - tmp_idx) * 4;
914
915 ctx.idx += ctx.imm_count;
916 if (ctx.imm_count) {
917 ctx.imms = kzalloc(4 * ctx.imm_count, GFP_KERNEL);
918 if (ctx.imms == NULL)
919 goto out;
920 }
921 #else
922 /* there's nothing after the epilogue on ARMv7 */
923 build_epilogue(&ctx);
924 #endif
925 alloc_size = 4 * ctx.idx;
926 header = bpf_jit_binary_alloc(alloc_size, &target_ptr,
927 4, jit_fill_hole);
928 if (header == NULL)
929 goto out;
930
931 ctx.target = (u32 *) target_ptr;
932 ctx.idx = 0;
933
934 build_prologue(&ctx);
935 if (build_body(&ctx) < 0) {
936 #if __LINUX_ARM_ARCH__ < 7
937 if (ctx.imm_count)
938 kfree(ctx.imms);
939 #endif
940 bpf_jit_binary_free(header);
941 goto out;
942 }
943 build_epilogue(&ctx);
944
945 flush_icache_range((u32)ctx.target, (u32)(ctx.target + ctx.idx));
946
947 #if __LINUX_ARM_ARCH__ < 7
948 if (ctx.imm_count)
949 kfree(ctx.imms);
950 #endif
951
952 if (bpf_jit_enable > 1)
953 /* there are 2 passes here */
954 bpf_jit_dump(fp->len, alloc_size, 2, ctx.target);
955
956 set_memory_ro((unsigned long)header, header->pages);
957 fp->bpf_func = (void *)ctx.target;
958 fp->jited = true;
959 out:
960 kfree(ctx.offsets);
961 return;
962 }
963
bpf_jit_free(struct bpf_prog * fp)964 void bpf_jit_free(struct bpf_prog *fp)
965 {
966 unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
967 struct bpf_binary_header *header = (void *)addr;
968
969 if (!fp->jited)
970 goto free_filter;
971
972 set_memory_rw(addr, header->pages);
973 bpf_jit_binary_free(header);
974
975 free_filter:
976 bpf_prog_unlock_free(fp);
977 }
978