git.baikalelectronics.ru Git - kernel.git/commit

author	Brendan Jackman <jackmanb@google.com>
	Tue, 16 Feb 2021 12:53:07 +0000 (12:53 +0000)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 22 Feb 2021 17:03:11 +0000 (18:03 +0100)
commit	48a9415d323522976461aae5fd894dfe3d990df7
tree	3c54d592962495bd1a2638fccb8f4ffce5e0a94b	tree \| snapshot
parent	977ced98ece0390e4c65ff82fb57f67ded9a096d	commit \| diff

bpf, x86: Fix BPF_FETCH atomic and/or/xor with r0 as src

This code generates a CMPXCHG loop in order to implement atomic_fetch
bitwise operations. Because CMPXCHG is hard-coded to use rax (which
holds the BPF r0 value), it saves the _real_ r0 value into the
internal "ax" temporary register and restores it once the loop is
complete.

In the middle of the loop, the actual bitwise operation is performed
using src_reg. The bug occurs when src_reg is r0: as described above,
r0 has been clobbered and the real r0 value is in the ax register.

Therefore, perform this operation on the ax register instead, when
src_reg is r0.

Fixes: d5b9c7d79c4e ("bpf: Add bitwise atomic instructions")
Signed-off-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: KP Singh <kpsingh@kernel.org>
Link: https://lore.kernel.org/bpf/20210216125307.1406237-1-jackmanb@google.com

arch/x86/net/bpf_jit_comp.c		diff \| blob \| history
tools/testing/selftests/bpf/verifier/atomic_and.c		diff \| blob \| history