  2. 18 Jan, 2014 1 commit
      s390/bpf,jit: fix 32 bit divisions, use unsigned divide instructions · 3af57f78
      Heiko Carstens authored
      
      
      The s390 bpf jit compiler emits the signed divide instructions "dr" and "d"
      for unsigned divisions.
      This can cause problems: the dividend will be zero extended to a 64 bit value
      and the divisor is the 32 bit signed value of the specified A or X accumulator,
      even though A and X are supposed to be treated as unsigned values.
      
      The divide instructions will generate an exception if the result cannot be
      expressed with a 32 bit signed value.
      This is the case if e.g. the dividend is 0xffffffff and the divisor is either 1
      or also 0xffffffff (signed: -1).
      
      To avoid all these issues simply use unsigned divide instructions.
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
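To make the failure concrete, here is an added C model (not part of the commit or of the kernel source) of the two divide semantics: the signed path the old JIT emitted and the unsigned one the fix switches to. The instruction names dlr/dl for the unsigned form and the exact trap conditions are my reading of the architecture, not something the commit states; the third case goes beyond the commit's examples by showing a signed divide that returns a wrong quotient without trapping.

```c
#include <stdint.h>
#include <stdio.h>
/* Outcome of one emulated 32-bit divide (constructed model, not s390 hardware). */
struct div_result {
    int trap;            /* non-zero: instruction would raise a fixed-point divide exception */
    uint32_t quotient;
    uint32_t remainder;
};
/* Model of the signed "dr"/"d" path the old JIT emitted: the 64-bit dividend is
 * the zero-extended accumulator A, the divisor is the 32-bit X value reinterpreted
 * as signed.  A trap occurs for a zero divisor or a quotient outside int32. */
static struct div_result emulate_signed_dr(uint32_t a, uint32_t x)
{
    struct div_result r = { 0, 0, 0 };
    int64_t dividend = (int64_t)(uint64_t)a;   /* zero-extended: never negative */
    int32_t divisor = (int32_t)x;               /* 0xffffffff becomes -1 here */

    if (divisor == 0) { r.trap = 1; return r; }
    int64_t q = dividend / divisor;
    if (q < INT32_MIN || q > INT32_MAX) { r.trap = 1; return r; }
    r.quotient = (uint32_t)(int32_t)q;
    r.remainder = (uint32_t)(int32_t)(dividend % divisor);
    return r;
}

/* Model of an unsigned divide (dlr/dl on z/Architecture, my assumption): both
 * operands are unsigned, so with a 32-bit dividend the quotient always fits and
 * the only remaining trap is division by zero, which is what BPF's A / X expects. */
static struct div_result emulate_unsigned_dlr(uint32_t a, uint32_t x)
{
    struct div_result r = { 0, 0, 0 };
    if (x == 0) { r.trap = 1; return r; }
    r.quotient = a / x;
    r.remainder = a % x;
    return r;
}

int main(void)
{
    /* Cases from the commit message plus one where the signed path is silently wrong. */
    uint32_t c[][2] = { {0xffffffffu, 1u}, {0xffffffffu, 0xffffffffu}, {0x80000000u, 0x80000000u} };
    for (int i = 0; i < 3; i++) {
        struct div_result s = emulate_signed_dr(c[i][0], c[i][1]);
        struct div_result u = emulate_unsigned_dlr(c[i][0], c[i][1]);
        printf("%08x / %08x: signed %s%08x, unsigned %08x\n", c[i][0], c[i][1],
               s.trap ? "TRAP " : "", s.quotient, u.quotient);
    }
    return 0;
}
```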
  5. 07 Oct, 2013 1 commit
      net: fix unsafe set_memory_rw from softirq · d45ed4a4
      Alexei Starovoitov authored
      
      
      on x86 system with net.core.bpf_jit_enable = 1
      
      sudo tcpdump -i eth1 'tcp port 22'
      
      causes the warning:
      [   56.766097]  Possible unsafe locking scenario:
      [   56.766097]
      [   56.780146]        CPU0
      [   56.786807]        ----
      [   56.793188]   lock(&(&vb->lock)->rlock);
      [   56.799593]   <Interrupt>
      [   56.805889]     lock(&(&vb->lock)->rlock);
      [   56.812266]
      [   56.812266]  *** DEADLOCK ***
      [   56.812266]
      [   56.830670] 1 lock held by ksoftirqd/1/13:
      [   56.836838]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff8118f44c>] vm_unmap_aliases+0x8c/0x380
      [   56.849757]
      [   56.849757] stack backtrace:
      [   56.862194] CPU: 1 PID: 13 Comm: ksoftirqd/1 Not tainted 3.12.0-rc3+ #45
      [   56.868721] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012
      [   56.882004]  ffffffff821944c0 ffff88080bbdb8c8 ffffffff8175a145 0000000000000007
      [   56.895630]  ffff88080bbd5f40 ffff88080bbdb928 ffffffff81755b14 0000000000000001
      [   56.909313]  ffff880800000001 ffff880800000000 ffffffff8101178f 0000000000000001
      [   56.923006] Call Trace:
      [   56.929532]  [<ffffffff8175a145>] dump_stack+0x55/0x76
      [   56.936067]  [<ffffffff81755b14>] print_usage_bug+0x1f7/0x208
      [   56.942445]  [<ffffffff8101178f>] ? save_stack_trace+0x2f/0x50
      [   56.948932]  [<ffffffff810cc0a0>] ? check_usage_backwards+0x150/0x150
      [   56.955470]  [<ffffffff810ccb52>] mark_lock+0x282/0x2c0
      [   56.961945]  [<ffffffff810ccfed>] __lock_acquire+0x45d/0x1d50
      [   56.968474]  [<ffffffff810cce6e>] ? __lock_acquire+0x2de/0x1d50
      [   56.975140]  [<ffffffff81393bf5>] ? cpumask_next_and+0x55/0x90
      [   56.981942]  [<ffffffff810cef72>] lock_acquire+0x92/0x1d0
      [   56.988745]  [<ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380
      [   56.995619]  [<ffffffff817628f1>] _raw_spin_lock+0x41/0x50
      [   57.002493]  [<ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380
      [   57.009447]  [<ffffffff8118f52a>] vm_unmap_aliases+0x16a/0x380
      [   57.016477]  [<ffffffff8118f44c>] ? vm_unmap_aliases+0x8c/0x380
      [   57.023607]  [<ffffffff810436b0>] change_page_attr_set_clr+0xc0/0x460
      [   57.030818]  [<ffffffff810cfb8d>] ? trace_hardirqs_on+0xd/0x10
      [   57.037896]  [<ffffffff811a8330>] ? kmem_cache_free+0xb0/0x2b0
      [   57.044789]  [<ffffffff811b59c3>] ? free_object_rcu+0x93/0xa0
      [   57.051720]  [<ffffffff81043d9f>] set_memory_rw+0x2f/0x40
      [   57.058727]  [<ffffffff8104e17c>] bpf_jit_free+0x2c/0x40
      [   57.065577]  [<ffffffff81642cba>] sk_filter_release_rcu+0x1a/0x30
      [   57.072338]  [<ffffffff811108e2>] rcu_process_callbacks+0x202/0x7c0
      [   57.078962]  [<ffffffff81057f17>] __do_softirq+0xf7/0x3f0
      [   57.085373]  [<ffffffff81058245>] run_ksoftirqd+0x35/0x70
      
      cannot reuse jited filter memory, since it's readonly,
      so use original bpf insns memory to hold work_struct
      
      defer kfree of sk_filter until jit completed freeing
      
      tested on x86_64 and i386
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 04 Sep, 2013 1 commit
      s390/bpf,jit: fix address randomization · 4784955a
      Heiko Carstens authored
      Add missing braces to hole calculation. This resulted in an addition
      instead of a subtraction, which in turn means that the jit compiler
      could try to write out of bounds of the allocated piece of memory.
      
      This bug was introduced with aa2d2c73 "s390/bpf,jit: address randomize
      and write protect jit code".
      
      Fixes this one:
      
      [   37.320956] Unable to handle kernel pointer dereference at virtual kernel address 000003ff80231000
      [   37.320984] Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [   37.320993] Modules linked in: dm_multipath scsi_dh eadm_sch dm_mod ctcm fsm autofs4
      [   37.321007] CPU: 28 PID: 6443 Comm: multipathd Not tainted 3.10.9-61.x.20130829-s390xdefault #1
      [   37.321011] task: 0000004ada778000 ti: 0000004ae3304000 task.ti: 0000004ae3304000
      [   37.321014] Krnl PSW : 0704c00180000000 000000000012d1de (bpf_jit_compile+0x198e/0x23d0)
      [   37.321022]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
                     Krnl GPRS: 000000004350207d 0000004a00000001 0000000000000007 000003ff80231002
      [   37.321029]            0000000000000007 000003ff80230ffe 00000000a7740000 000003ff80230f76
      [   37.321032]            000003ffffffffff 000003ff00000000 000003ff0000007d 000000000071e820
      [   37.321035]            0000004adbe99950 000000000071ea18 0000004af3d9e7c0 0000004ae3307b80
      [   37.321046] Krnl Code: 000000000012d1d0: 41305004            la      %r3,4(%r5)
                                000000000012d1d4: e330f0f80021        clg     %r3,248(%r15)
                               #000000000012d1da: a7240009            brc     2,12d1ec
                               >000000000012d1de: 50805000            st      %r8,0(%r5)
                                000000000012d1e2: e330f0f00004        lg      %r3,240(%r15)
                                000000000012d1e8: 41303004            la      %r3,4(%r3)
                                000000000012d1ec: e380f0e00004        lg      %r8,224(%r15)
                                000000000012d1f2: e330f0f00024        stg     %r3,240(%r15)
      [   37.321074] Call Trace:
      [   37.321077] ([<000000000012da78>] bpf_jit_compile+0x2228/0x23d0)
      [   37.321083]  [<00000000006007c2>] sk_attach_filter+0xfe/0x214
      [   37.321090]  [<00000000005d2d92>] sock_setsockopt+0x926/0xbdc
      [   37.321097]  [<00000000005cbfb6>] SyS_setsockopt+0x8a/0xe8
      [   37.321101]  [<00000000005ccaa8>] SyS_socketcall+0x264/0x364
      [   37.321106]  [<0000000000713f1c>] sysc_nr_ok+0x22/0x28
      [   37.321113]  [<000003fffce10ea8>] 0x3fffce10ea8
      [   37.321118] INFO: lockdep is turned off.
      [   37.321121] Last Breaking-Event-Address:
      [   37.321124]  [<000000000012d192>] bpf_jit_compile+0x1942/0x23d0
      [   37.321132]
      [   37.321135] Kernel panic - not syncing: Fatal exception: panic_on_oops
      
      Cc: stable@vger.kernel.org # v3.11
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>