bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG

puranjaymohan · gregkh · commit 077149478497 · 2025-05-22T14:10:09.000+02:00
commit 19d3c179a37730caf600a97fed3794feac2b197b upstream. When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0. The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48-bits, in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit() causing a kernel crash. Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() as it can work with addresses that are greater than 48-bits. Fixes: efc9909 ("bpf, arm64: Add bpf trampoline for arm64") Signed-off-by: Puranjay Mohan <puranjay@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15MB4615.namprd15.prod.outlook.com/ Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn@windriver.com> Signed-off-by: He Zhe <zhe.he@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
@@ -1942,7 +1942,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_enter, ctx);
 	}
 
@@ -1986,7 +1986,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
 
 	if (flags & BPF_TRAMP_F_CALL_ORIG) {
 		im->ip_epilogue = ctx->image + ctx->idx;
-		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
 		emit_call((const u64)__bpf_tramp_exit, ctx);
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -1942,7 +1942,7 @@ static int prepare_trampoline(struct jit_ctx ctx, struct bpf_tramp_image im,`
`1942`	`1942`	`emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);`
`1943`	`1943`
`1944`	`1944`	`if (flags & BPF_TRAMP_F_CALL_ORIG) {`
`1945`		`- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);`
	`1945`	`+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);`
`1946`	`1946`	`emit_call((const u64)__bpf_tramp_enter, ctx);`
`1947`	`1947`	`}`
`1948`	`1948`
`@@ -1986,7 +1986,7 @@ static int prepare_trampoline(struct jit_ctx ctx, struct bpf_tramp_image im,`
`1986`	`1986`
`1987`	`1987`	`if (flags & BPF_TRAMP_F_CALL_ORIG) {`
`1988`	`1988`	`im->ip_epilogue = ctx->image + ctx->idx;`
`1989`		`- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);`
	`1989`	`+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);`
`1990`	`1990`	`emit_call((const u64)__bpf_tramp_exit, ctx);`
`1991`	`1991`	`}`
`1992`	`1992`