From: Nicolas Schichan nschichan@freebox.fr
emit_ldx_r() and emit_a32_mov_i() were both using TMP_REG_1 and clashing with each other. Using TMP_REG_2 in emit_ldx_r() fixes the issue.
Fixes: ec19e02b343 ("ARM: net: bpf: fix LDX instructions")
Cc: Russell King rmk+kernel@armlinux.org.uk
Signed-off-by: Nicolas Schichan nschichan@freebox.fr
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
---
[ Note, this has been implicitly fixed upstream by a6eccac507e ("ARM: net: bpf: 64-bit accessor functions for BPF registers"), so the fix here is a minimal stand-alone fix for 4.14. test_bpf suite runs without error after the fix. ]

arch/arm/net/bpf_jit_32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c index ece2d1d..dafeb5f 100644 --- a/arch/arm/net/bpf_jit_32.c +++ b/arch/arm/net/bpf_jit_32.c @@ -915,7 +915,7 @@ static inline void emit_str_r(const u8 dst, const u8 src, bool dstk, /* dst = *(size*)(src + off) */ static inline void emit_ldx_r(const u8 dst[], const u8 src, bool dstk, s32 off, struct jit_ctx *ctx, const u8 sz){ - const u8 *tmp = bpf2a32[TMP_REG_1]; + const u8 *tmp = bpf2a32[TMP_REG_2]; const u8 *rd = dstk ? tmp : dst; u8 rm = src; s32 off_max;
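Review bot: the new `const u8 *tmp = bpf2a32[TMP_REG_2];` declaration in emit_ldx_r() has no comment saying why TMP_REG_2 is required, so the constraint that emit_a32_mov_i() uses TMP_REG_1 is recorded only in the commit message. A one-line comment at the declaration would keep a later cleanup from switching it back to TMP_REG_1. Since the hunk moves the scratch-register clobber rather than removing it, it is also worth confirming that no caller of emit_ldx_r() holds a live value in TMP_REG_2 across the call; the test_bpf run mentioned in the note covers that only as far as the suite exercises those paths.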
On Wed, Dec 19, 2018 at 10:40:42PM +0100, Daniel Borkmann wrote:
> From: Nicolas Schichan nschichan@freebox.fr
>
> emit_ldx_r() and emit_a32_mov_i() were both using TMP_REG_1 and clashing with each other. Using TMP_REG_2 in emit_ldx_r() fixes the issue.
>
> Fixes: ec19e02b343 ("ARM: net: bpf: fix LDX instructions")
> Cc: Russell King rmk+kernel@armlinux.org.uk
> Signed-off-by: Nicolas Schichan nschichan@freebox.fr
> Signed-off-by: Daniel Borkmann daniel@iogearbox.net
>
> [ Note, this has been implicitly fixed upstream by a6eccac507e ("ARM: net: bpf: 64-bit accessor functions for BPF registers"), so the fix here is a minimal stand-alone fix for 4.14. test_bpf suite runs without error after the fix. ]

Queued for 4.14, thank you.
--
Thanks,
Sasha
linux-stable-mirror@lists.linaro.org