1
2
3
4
5
6
7
8
9
10#include <linux/moduleloader.h>
11#include <asm/cacheflush.h>
12#include <linux/netdevice.h>
13#include <linux/filter.h>
14
15
16
17
18
19
20
21
22
23
24
25
26
27int bpf_jit_enable __read_mostly;
28
29
30
31
32extern u8 sk_load_word[], sk_load_half[], sk_load_byte[], sk_load_byte_msh[];
33extern u8 sk_load_word_positive_offset[], sk_load_half_positive_offset[];
34extern u8 sk_load_byte_positive_offset[], sk_load_byte_msh_positive_offset[];
35extern u8 sk_load_word_negative_offset[], sk_load_half_negative_offset[];
36extern u8 sk_load_byte_negative_offset[], sk_load_byte_msh_negative_offset[];
37
38static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
39{
40 if (len == 1)
41 *ptr = bytes;
42 else if (len == 2)
43 *(u16 *)ptr = bytes;
44 else {
45 *(u32 *)ptr = bytes;
46 barrier();
47 }
48 return ptr + len;
49}
50
51#define EMIT(bytes, len) do { prog = emit_code(prog, bytes, len); } while (0)
52
53#define EMIT1(b1) EMIT(b1, 1)
54#define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2)
55#define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3)
56#define EMIT4(b1, b2, b3, b4) EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4)
57#define EMIT1_off32(b1, off) do { EMIT1(b1); EMIT(off, 4);} while (0)
58
59#define CLEAR_A() EMIT2(0x31, 0xc0)
60#define CLEAR_X() EMIT2(0x31, 0xdb)
61
62static inline bool is_imm8(int value)
63{
64 return value <= 127 && value >= -128;
65}
66
67static inline bool is_near(int offset)
68{
69 return offset <= 127 && offset >= -128;
70}
71
72#define EMIT_JMP(offset) \
73do { \
74 if (offset) { \
75 if (is_near(offset)) \
76 EMIT2(0xeb, offset); \
77 else \
78 EMIT1_off32(0xe9, offset); \
79 } \
80} while (0)
81
82
83
84
85#define X86_JB 0x72
86#define X86_JAE 0x73
87#define X86_JE 0x74
88#define X86_JNE 0x75
89#define X86_JBE 0x76
90#define X86_JA 0x77
91
92#define EMIT_COND_JMP(op, offset) \
93do { \
94 if (is_near(offset)) \
95 EMIT2(op, offset); \
96 else { \
97 EMIT2(0x0f, op + 0x10); \
98 EMIT(offset, 4); \
99 } \
100} while (0)
101
102#define COND_SEL(CODE, TOP, FOP) \
103 case CODE: \
104 t_op = TOP; \
105 f_op = FOP; \
106 goto cond_branch
107
108
109#define SEEN_DATAREF 1
110#define SEEN_XREG 2
111#define SEEN_MEM 4
112
113static inline void bpf_flush_icache(void *start, void *end)
114{
115 mm_segment_t old_fs = get_fs();
116
117 set_fs(KERNEL_DS);
118 smp_wmb();
119 flush_icache_range((unsigned long)start, (unsigned long)end);
120 set_fs(old_fs);
121}
122
123#define CHOOSE_LOAD_FUNC(K, func) \
124 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
125
126void bpf_jit_compile(struct sk_filter *fp)
127{
128 u8 temp[64];
129 u8 *prog;
130 unsigned int proglen, oldproglen = 0;
131 int ilen, i;
132 int t_offset, f_offset;
133 u8 t_op, f_op, seen = 0, pass;
134 u8 *image = NULL;
135 u8 *func;
136 int pc_ret0 = -1;
137 unsigned int cleanup_addr;
138 unsigned int *addrs;
139 const struct sock_filter *filter = fp->insns;
140 int flen = fp->len;
141
142 if (!bpf_jit_enable)
143 return;
144
145 addrs = kmalloc(flen * sizeof(*addrs), GFP_KERNEL);
146 if (addrs == NULL)
147 return;
148
149
150
151
152 for (proglen = 0, i = 0; i < flen; i++) {
153 proglen += 64;
154 addrs[i] = proglen;
155 }
156 cleanup_addr = proglen;
157
158 for (pass = 0; pass < 10; pass++) {
159 u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
160
161 proglen = 0;
162 prog = temp;
163
164 if (seen_or_pass0) {
165 EMIT4(0x55, 0x48, 0x89, 0xe5);
166 EMIT4(0x48, 0x83, 0xec, 96);
167
168 if (seen_or_pass0 & (SEEN_XREG | SEEN_DATAREF))
169 EMIT4(0x48, 0x89, 0x5d, 0xf8);
170 if (seen_or_pass0 & SEEN_XREG)
171 CLEAR_X();
172
173
174
175
176
177
178
179 if (seen_or_pass0 & SEEN_DATAREF) {
180 if (offsetof(struct sk_buff, len) <= 127)
181
182 EMIT4(0x44, 0x8b, 0x4f, offsetof(struct sk_buff, len));
183 else {
184
185 EMIT3(0x44, 0x8b, 0x8f);
186 EMIT(offsetof(struct sk_buff, len), 4);
187 }
188 if (is_imm8(offsetof(struct sk_buff, data_len)))
189
190 EMIT4(0x44, 0x2b, 0x4f, offsetof(struct sk_buff, data_len));
191 else {
192 EMIT3(0x44, 0x2b, 0x8f);
193 EMIT(offsetof(struct sk_buff, data_len), 4);
194 }
195
196 if (is_imm8(offsetof(struct sk_buff, data)))
197
198 EMIT4(0x4c, 0x8b, 0x47, offsetof(struct sk_buff, data));
199 else {
200
201 EMIT3(0x4c, 0x8b, 0x87);
202 EMIT(offsetof(struct sk_buff, data), 4);
203 }
204 }
205 }
206
207 switch (filter[0].code) {
208 case BPF_S_RET_K:
209 case BPF_S_LD_W_LEN:
210 case BPF_S_ANC_PROTOCOL:
211 case BPF_S_ANC_IFINDEX:
212 case BPF_S_ANC_MARK:
213 case BPF_S_ANC_RXHASH:
214 case BPF_S_ANC_CPU:
215 case BPF_S_ANC_QUEUE:
216 case BPF_S_LD_W_ABS:
217 case BPF_S_LD_H_ABS:
218 case BPF_S_LD_B_ABS:
219
220 break;
221 default:
222
223 CLEAR_A();
224 }
225
226 for (i = 0; i < flen; i++) {
227 unsigned int K = filter[i].k;
228
229 switch (filter[i].code) {
230 case BPF_S_ALU_ADD_X:
231 seen |= SEEN_XREG;
232 EMIT2(0x01, 0xd8);
233 break;
234 case BPF_S_ALU_ADD_K:
235 if (!K)
236 break;
237 if (is_imm8(K))
238 EMIT3(0x83, 0xc0, K);
239 else
240 EMIT1_off32(0x05, K);
241 break;
242 case BPF_S_ALU_SUB_X:
243 seen |= SEEN_XREG;
244 EMIT2(0x29, 0xd8);
245 break;
246 case BPF_S_ALU_SUB_K:
247 if (!K)
248 break;
249 if (is_imm8(K))
250 EMIT3(0x83, 0xe8, K);
251 else
252 EMIT1_off32(0x2d, K);
253 break;
254 case BPF_S_ALU_MUL_X:
255 seen |= SEEN_XREG;
256 EMIT3(0x0f, 0xaf, 0xc3);
257 break;
258 case BPF_S_ALU_MUL_K:
259 if (is_imm8(K))
260 EMIT3(0x6b, 0xc0, K);
261 else {
262 EMIT2(0x69, 0xc0);
263 EMIT(K, 4);
264 }
265 break;
266 case BPF_S_ALU_DIV_X:
267 seen |= SEEN_XREG;
268 EMIT2(0x85, 0xdb);
269 if (pc_ret0 > 0) {
270
271
272
273
274 EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] -
275 (addrs[i] - 4));
276 } else {
277 EMIT_COND_JMP(X86_JNE, 2 + 5);
278 CLEAR_A();
279 EMIT1_off32(0xe9, cleanup_addr - (addrs[i] - 4));
280 }
281 EMIT4(0x31, 0xd2, 0xf7, 0xf3);
282 break;
283 case BPF_S_ALU_MOD_X:
284 seen |= SEEN_XREG;
285 EMIT2(0x85, 0xdb);
286 if (pc_ret0 > 0) {
287
288
289
290
291 EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] -
292 (addrs[i] - 6));
293 } else {
294 EMIT_COND_JMP(X86_JNE, 2 + 5);
295 CLEAR_A();
296 EMIT1_off32(0xe9, cleanup_addr - (addrs[i] - 6));
297 }
298 EMIT2(0x31, 0xd2);
299 EMIT2(0xf7, 0xf3);
300 EMIT2(0x89, 0xd0);
301 break;
302 case BPF_S_ALU_MOD_K:
303 EMIT2(0x31, 0xd2);
304 EMIT1(0xb9);EMIT(K, 4);
305 EMIT2(0xf7, 0xf1);
306 EMIT2(0x89, 0xd0);
307 break;
308 case BPF_S_ALU_DIV_K:
309 EMIT3(0x48, 0x69, 0xc0);
310 EMIT(K, 4);
311 EMIT4(0x48, 0xc1, 0xe8, 0x20);
312 break;
313 case BPF_S_ALU_AND_X:
314 seen |= SEEN_XREG;
315 EMIT2(0x21, 0xd8);
316 break;
317 case BPF_S_ALU_AND_K:
318 if (K >= 0xFFFFFF00) {
319 EMIT2(0x24, K & 0xFF);
320 } else if (K >= 0xFFFF0000) {
321 EMIT2(0x66, 0x25);
322 EMIT(K, 2);
323 } else {
324 EMIT1_off32(0x25, K);
325 }
326 break;
327 case BPF_S_ALU_OR_X:
328 seen |= SEEN_XREG;
329 EMIT2(0x09, 0xd8);
330 break;
331 case BPF_S_ALU_OR_K:
332 if (is_imm8(K))
333 EMIT3(0x83, 0xc8, K);
334 else
335 EMIT1_off32(0x0d, K);
336 break;
337 case BPF_S_ANC_ALU_XOR_X:
338 case BPF_S_ALU_XOR_X:
339 seen |= SEEN_XREG;
340 EMIT2(0x31, 0xd8);
341 break;
342 case BPF_S_ALU_XOR_K:
343 if (K == 0)
344 break;
345 if (is_imm8(K))
346 EMIT3(0x83, 0xf0, K);
347 else
348 EMIT1_off32(0x35, K);
349 break;
350 case BPF_S_ALU_LSH_X:
351 seen |= SEEN_XREG;
352 EMIT4(0x89, 0xd9, 0xd3, 0xe0);
353 break;
354 case BPF_S_ALU_LSH_K:
355 if (K == 0)
356 break;
357 else if (K == 1)
358 EMIT2(0xd1, 0xe0);
359 else
360 EMIT3(0xc1, 0xe0, K);
361 break;
362 case BPF_S_ALU_RSH_X:
363 seen |= SEEN_XREG;
364 EMIT4(0x89, 0xd9, 0xd3, 0xe8);
365 break;
366 case BPF_S_ALU_RSH_K:
367 if (K == 0)
368 break;
369 else if (K == 1)
370 EMIT2(0xd1, 0xe8);
371 else
372 EMIT3(0xc1, 0xe8, K);
373 break;
374 case BPF_S_ALU_NEG:
375 EMIT2(0xf7, 0xd8);
376 break;
377 case BPF_S_RET_K:
378 if (!K) {
379 if (pc_ret0 == -1)
380 pc_ret0 = i;
381 CLEAR_A();
382 } else {
383 EMIT1_off32(0xb8, K);
384 }
385
386 case BPF_S_RET_A:
387 if (seen_or_pass0) {
388 if (i != flen - 1) {
389 EMIT_JMP(cleanup_addr - addrs[i]);
390 break;
391 }
392 if (seen_or_pass0 & SEEN_XREG)
393 EMIT4(0x48, 0x8b, 0x5d, 0xf8);
394 EMIT1(0xc9);
395 }
396 EMIT1(0xc3);
397 break;
398 case BPF_S_MISC_TAX:
399 seen |= SEEN_XREG;
400 EMIT2(0x89, 0xc3);
401 break;
402 case BPF_S_MISC_TXA:
403 seen |= SEEN_XREG;
404 EMIT2(0x89, 0xd8);
405 break;
406 case BPF_S_LD_IMM:
407 if (!K)
408 CLEAR_A();
409 else
410 EMIT1_off32(0xb8, K);
411 break;
412 case BPF_S_LDX_IMM:
413 seen |= SEEN_XREG;
414 if (!K)
415 CLEAR_X();
416 else
417 EMIT1_off32(0xbb, K);
418 break;
419 case BPF_S_LD_MEM:
420 seen |= SEEN_MEM;
421 EMIT3(0x8b, 0x45, 0xf0 - K*4);
422 break;
423 case BPF_S_LDX_MEM:
424 seen |= SEEN_XREG | SEEN_MEM;
425 EMIT3(0x8b, 0x5d, 0xf0 - K*4);
426 break;
427 case BPF_S_ST:
428 seen |= SEEN_MEM;
429 EMIT3(0x89, 0x45, 0xf0 - K*4);
430 break;
431 case BPF_S_STX:
432 seen |= SEEN_XREG | SEEN_MEM;
433 EMIT3(0x89, 0x5d, 0xf0 - K*4);
434 break;
435 case BPF_S_LD_W_LEN:
436 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
437 if (is_imm8(offsetof(struct sk_buff, len)))
438
439 EMIT3(0x8b, 0x47, offsetof(struct sk_buff, len));
440 else {
441 EMIT2(0x8b, 0x87);
442 EMIT(offsetof(struct sk_buff, len), 4);
443 }
444 break;
445 case BPF_S_LDX_W_LEN:
446 seen |= SEEN_XREG;
447 if (is_imm8(offsetof(struct sk_buff, len)))
448
449 EMIT3(0x8b, 0x5f, offsetof(struct sk_buff, len));
450 else {
451 EMIT2(0x8b, 0x9f);
452 EMIT(offsetof(struct sk_buff, len), 4);
453 }
454 break;
455 case BPF_S_ANC_PROTOCOL:
456 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2);
457 if (is_imm8(offsetof(struct sk_buff, protocol))) {
458
459 EMIT4(0x0f, 0xb7, 0x47, offsetof(struct sk_buff, protocol));
460 } else {
461 EMIT3(0x0f, 0xb7, 0x87);
462 EMIT(offsetof(struct sk_buff, protocol), 4);
463 }
464 EMIT2(0x86, 0xc4);
465 break;
466 case BPF_S_ANC_IFINDEX:
467 if (is_imm8(offsetof(struct sk_buff, dev))) {
468
469 EMIT4(0x48, 0x8b, 0x47, offsetof(struct sk_buff, dev));
470 } else {
471 EMIT3(0x48, 0x8b, 0x87);
472 EMIT(offsetof(struct sk_buff, dev), 4);
473 }
474 EMIT3(0x48, 0x85, 0xc0);
475 EMIT_COND_JMP(X86_JE, cleanup_addr - (addrs[i] - 6));
476 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
477 EMIT2(0x8b, 0x80);
478 EMIT(offsetof(struct net_device, ifindex), 4);
479 break;
480 case BPF_S_ANC_MARK:
481 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
482 if (is_imm8(offsetof(struct sk_buff, mark))) {
483
484 EMIT3(0x8b, 0x47, offsetof(struct sk_buff, mark));
485 } else {
486 EMIT2(0x8b, 0x87);
487 EMIT(offsetof(struct sk_buff, mark), 4);
488 }
489 break;
490 case BPF_S_ANC_RXHASH:
491 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, rxhash) != 4);
492 if (is_imm8(offsetof(struct sk_buff, rxhash))) {
493
494 EMIT3(0x8b, 0x47, offsetof(struct sk_buff, rxhash));
495 } else {
496 EMIT2(0x8b, 0x87);
497 EMIT(offsetof(struct sk_buff, rxhash), 4);
498 }
499 break;
500 case BPF_S_ANC_QUEUE:
501 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2);
502 if (is_imm8(offsetof(struct sk_buff, queue_mapping))) {
503
504 EMIT4(0x0f, 0xb7, 0x47, offsetof(struct sk_buff, queue_mapping));
505 } else {
506 EMIT3(0x0f, 0xb7, 0x87);
507 EMIT(offsetof(struct sk_buff, queue_mapping), 4);
508 }
509 break;
510 case BPF_S_ANC_CPU:
511#ifdef CONFIG_SMP
512 EMIT4(0x65, 0x8b, 0x04, 0x25);
513 EMIT((u32)(unsigned long)&cpu_number, 4);
514#else
515 CLEAR_A();
516#endif
517 break;
518 case BPF_S_LD_W_ABS:
519 func = CHOOSE_LOAD_FUNC(K, sk_load_word);
520common_load: seen |= SEEN_DATAREF;
521 t_offset = func - (image + addrs[i]);
522 EMIT1_off32(0xbe, K);
523 EMIT1_off32(0xe8, t_offset);
524 break;
525 case BPF_S_LD_H_ABS:
526 func = CHOOSE_LOAD_FUNC(K, sk_load_half);
527 goto common_load;
528 case BPF_S_LD_B_ABS:
529 func = CHOOSE_LOAD_FUNC(K, sk_load_byte);
530 goto common_load;
531 case BPF_S_LDX_B_MSH:
532 func = CHOOSE_LOAD_FUNC(K, sk_load_byte_msh);
533 seen |= SEEN_DATAREF | SEEN_XREG;
534 t_offset = func - (image + addrs[i]);
535 EMIT1_off32(0xbe, K);
536 EMIT1_off32(0xe8, t_offset);
537 break;
538 case BPF_S_LD_W_IND:
539 func = sk_load_word;
540common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG;
541 t_offset = func - (image + addrs[i]);
542 if (K) {
543 if (is_imm8(K)) {
544 EMIT3(0x8d, 0x73, K);
545 } else {
546 EMIT2(0x8d, 0xb3);
547 EMIT(K, 4);
548 }
549 } else {
550 EMIT2(0x89,0xde);
551 }
552 EMIT1_off32(0xe8, t_offset);
553 break;
554 case BPF_S_LD_H_IND:
555 func = sk_load_half;
556 goto common_load_ind;
557 case BPF_S_LD_B_IND:
558 func = sk_load_byte;
559 goto common_load_ind;
560 case BPF_S_JMP_JA:
561 t_offset = addrs[i + K] - addrs[i];
562 EMIT_JMP(t_offset);
563 break;
564 COND_SEL(BPF_S_JMP_JGT_K, X86_JA, X86_JBE);
565 COND_SEL(BPF_S_JMP_JGE_K, X86_JAE, X86_JB);
566 COND_SEL(BPF_S_JMP_JEQ_K, X86_JE, X86_JNE);
567 COND_SEL(BPF_S_JMP_JSET_K,X86_JNE, X86_JE);
568 COND_SEL(BPF_S_JMP_JGT_X, X86_JA, X86_JBE);
569 COND_SEL(BPF_S_JMP_JGE_X, X86_JAE, X86_JB);
570 COND_SEL(BPF_S_JMP_JEQ_X, X86_JE, X86_JNE);
571 COND_SEL(BPF_S_JMP_JSET_X,X86_JNE, X86_JE);
572
573cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
574 t_offset = addrs[i + filter[i].jt] - addrs[i];
575
576
577 if (filter[i].jt == filter[i].jf) {
578 EMIT_JMP(t_offset);
579 break;
580 }
581
582 switch (filter[i].code) {
583 case BPF_S_JMP_JGT_X:
584 case BPF_S_JMP_JGE_X:
585 case BPF_S_JMP_JEQ_X:
586 seen |= SEEN_XREG;
587 EMIT2(0x39, 0xd8);
588 break;
589 case BPF_S_JMP_JSET_X:
590 seen |= SEEN_XREG;
591 EMIT2(0x85, 0xd8);
592 break;
593 case BPF_S_JMP_JEQ_K:
594 if (K == 0) {
595 EMIT2(0x85, 0xc0);
596 break;
597 }
598 case BPF_S_JMP_JGT_K:
599 case BPF_S_JMP_JGE_K:
600 if (K <= 127)
601 EMIT3(0x83, 0xf8, K);
602 else
603 EMIT1_off32(0x3d, K);
604 break;
605 case BPF_S_JMP_JSET_K:
606 if (K <= 0xFF)
607 EMIT2(0xa8, K);
608 else if (!(K & 0xFFFF00FF))
609 EMIT3(0xf6, 0xc4, K >> 8);
610 else if (K <= 0xFFFF) {
611 EMIT2(0x66, 0xa9);
612 EMIT(K, 2);
613 } else {
614 EMIT1_off32(0xa9, K);
615 }
616 break;
617 }
618 if (filter[i].jt != 0) {
619 if (filter[i].jf && f_offset)
620 t_offset += is_near(f_offset) ? 2 : 5;
621 EMIT_COND_JMP(t_op, t_offset);
622 if (filter[i].jf)
623 EMIT_JMP(f_offset);
624 break;
625 }
626 EMIT_COND_JMP(f_op, f_offset);
627 break;
628 default:
629
630 goto out;
631 }
632 ilen = prog - temp;
633 if (image) {
634 if (unlikely(proglen + ilen > oldproglen)) {
635 pr_err("bpb_jit_compile fatal error\n");
636 kfree(addrs);
637 module_free(NULL, image);
638 return;
639 }
640 memcpy(image + proglen, temp, ilen);
641 }
642 proglen += ilen;
643 addrs[i] = proglen;
644 prog = temp;
645 }
646
647
648
649 cleanup_addr = proglen - 1;
650 if (seen_or_pass0)
651 cleanup_addr -= 1;
652 if (seen_or_pass0 & SEEN_XREG)
653 cleanup_addr -= 4;
654
655 if (image) {
656 if (proglen != oldproglen)
657 pr_err("bpb_jit_compile proglen=%u != oldproglen=%u\n", proglen, oldproglen);
658 break;
659 }
660 if (proglen == oldproglen) {
661 image = module_alloc(max_t(unsigned int,
662 proglen,
663 sizeof(struct work_struct)));
664 if (!image)
665 goto out;
666 }
667 oldproglen = proglen;
668 }
669 if (bpf_jit_enable > 1)
670 pr_err("flen=%d proglen=%u pass=%d image=%p\n",
671 flen, proglen, pass, image);
672
673 if (image) {
674 if (bpf_jit_enable > 1)
675 print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_ADDRESS,
676 16, 1, image, proglen, false);
677
678 bpf_flush_icache(image, image + proglen);
679
680 fp->bpf_func = (void *)image;
681 }
682out:
683 kfree(addrs);
684 return;
685}
686
687static void jit_free_defer(struct work_struct *arg)
688{
689 module_free(NULL, arg);
690}
691
692
693
694
695void bpf_jit_free(struct sk_filter *fp)
696{
697 if (fp->bpf_func != sk_run_filter) {
698 struct work_struct *work = (struct work_struct *)fp->bpf_func;
699
700 INIT_WORK(work, jit_free_defer);
701 schedule_work(work);
702 }
703}
704
