s390/bpf: Fix bpf_plt pointer arithmetic

Kui-Feng Lee reported a crash on s390x triggered by the
dummy_st_ops/dummy_init_ptr_arg test [1]:

  [<0000000000000002>] 0x2
  [<00000000009d5cde>] bpf_struct_ops_test_run+0x156/0x250
  [<000000000033145a>] __sys_bpf+0xa1a/0xd00
  [<00000000003319dc>] __s390x_sys_bpf+0x44/0x50
  [<0000000000c4382c>] __do_syscall+0x244/0x300
  [<0000000000c59a40>] system_call+0x70/0x98

This is caused by GCC moving memcpy() after assignments in
bpf_jit_plt(), resulting in NULL pointers being written instead of
the return and the target addresses.

Looking at the GCC internals, the reordering is allowed because the
alias analysis thinks that the memcpy() destination and the assignments'
left-hand-sides are based on different objects: new_plt and
bpf_plt_ret/bpf_plt_target respectively, and therefore they cannot
alias.

This is in turn due to a violation of the C standard:

  When two pointers are subtracted, both shall point to elements of the
  same array object, or one past the last element of the array object
  ...

From the C's perspective, bpf_plt_ret and bpf_plt are distinct objects
and cannot be subtracted. In the practical terms, doing so confuses the
GCC's alias analysis.

The code was written this way in order to let the C side know a few
offsets defined in the assembly. While nice, this is by no means
necessary. Fix the noncompliance by hardcoding these offsets.

[1] https://lore.kernel.org/bpf/c9923c1d-971d-4022-8dc8-1364e929d34c@gmail.com/

Fixes: f1d5df84cd8c ("s390/bpf: Implement bpf_arch_text_poke()")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-ID: <20240320015515.11883-1-iii@linux.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index b418333bb08635304780933646e26f5ab9354e8e..5af0402e94b88c07ec3772699926d19f8f18b043 100644 (file)
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -516,11 +516,12 @@ static void bpf_skip(struct bpf_jit *jit, int size)
  * PLT for hotpatchable calls. The calling convention is the same as for the
  * ftrace hotpatch trampolines: %r0 is return address, %r1 is clobbered.
  */
-extern const char bpf_plt[];
-extern const char bpf_plt_ret[];
-extern const char bpf_plt_target[];
-extern const char bpf_plt_end[];
-#define BPF_PLT_SIZE 32
+struct bpf_plt {
+       char code[16];
+       void *ret;
+       void *target;
+} __packed;
+extern const struct bpf_plt bpf_plt;
 asm(
        ".pushsection .rodata\n"
        "       .balign 8\n"
@@ -531,15 +532,14 @@ asm(
        "       .balign 8\n"
        "bpf_plt_ret: .quad 0\n"
        "bpf_plt_target: .quad 0\n"
-       "bpf_plt_end:\n"
        "       .popsection\n"
 );
 
-static void bpf_jit_plt(void *plt, void *ret, void *target)
+static void bpf_jit_plt(struct bpf_plt *plt, void *ret, void *target)
 {
-       memcpy(plt, bpf_plt, BPF_PLT_SIZE);
-       *(void **)((char *)plt + (bpf_plt_ret - bpf_plt)) = ret;
-       *(void **)((char *)plt + (bpf_plt_target - bpf_plt)) = target ?: ret;
+       memcpy(plt, &bpf_plt, sizeof(*plt));
+       plt->ret = ret;
+       plt->target = target;
 }
 
 /*
@@ -662,9 +662,9 @@ static void bpf_jit_epilogue(struct bpf_jit *jit, u32 stack_depth)
        jit->prg = ALIGN(jit->prg, 8);
        jit->prologue_plt = jit->prg;
        if (jit->prg_buf)
-               bpf_jit_plt(jit->prg_buf + jit->prg,
+               bpf_jit_plt((struct bpf_plt *)(jit->prg_buf + jit->prg),
                            jit->prg_buf + jit->prologue_plt_ret, NULL);
-       jit->prg += BPF_PLT_SIZE;
+       jit->prg += sizeof(struct bpf_plt);
 }
 
 static int get_probe_mem_regno(const u8 *insn)
@@ -2040,9 +2040,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
        struct bpf_jit jit;
        int pass;
 
-       if (WARN_ON_ONCE(bpf_plt_end - bpf_plt != BPF_PLT_SIZE))
-               return orig_fp;
-
        if (!fp->jit_requested)
                return orig_fp;
 
@@ -2148,14 +2145,11 @@ bool bpf_jit_supports_far_kfunc_call(void)
 int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
                       void *old_addr, void *new_addr)
 {
+       struct bpf_plt expected_plt, current_plt, new_plt, *plt;
        struct {
                u16 opc;
                s32 disp;
        } __packed insn;
-       char expected_plt[BPF_PLT_SIZE];
-       char current_plt[BPF_PLT_SIZE];
-       char new_plt[BPF_PLT_SIZE];
-       char *plt;
        char *ret;
        int err;
 
@@ -2174,18 +2168,18 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
                 */
        } else {
                /* Verify the PLT. */
-               plt = (char *)ip + (insn.disp << 1);
-               err = copy_from_kernel_nofault(current_plt, plt, BPF_PLT_SIZE);
+               plt = ip + (insn.disp << 1);
+               err = copy_from_kernel_nofault(&current_plt, plt,
+                                              sizeof(current_plt));
                if (err < 0)
                        return err;
                ret = (char *)ip + 6;
-               bpf_jit_plt(expected_plt, ret, old_addr);
-               if (memcmp(current_plt, expected_plt, BPF_PLT_SIZE))
+               bpf_jit_plt(&expected_plt, ret, old_addr);
+               if (memcmp(&current_plt, &expected_plt, sizeof(current_plt)))
                        return -EINVAL;
                /* Adjust the call address. */
-               bpf_jit_plt(new_plt, ret, new_addr);
-               s390_kernel_write(plt + (bpf_plt_target - bpf_plt),
-                                 new_plt + (bpf_plt_target - bpf_plt),
+               bpf_jit_plt(&new_plt, ret, new_addr);
+               s390_kernel_write(&plt->target, &new_plt.target,
                                  sizeof(void *));
        }