On 03/01/2019 11:58 PM, Paul Burton wrote:
> The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
> icache observes the code that we just wrote. Unfortunately it gets the
> end address calculation wrong due to some bad pointer arithmetic.
>
> The struct jit_ctx target field is of type pointer to u32, and as such
> adding one to it will increment the address being pointed to by 4 bytes.
> Therefore in order to find the address of the end of the code we simply
> need to add the number of 4 byte instructions emitted, but we mistakenly
> add the number of instructions multiplied by 4. This results in the call
> to flush_icache_range() operating on a memory region 4x larger than
> intended, which is always wasteful and can cause crashes if we overrun
> into an unmapped page.
>
> Fix this by correcting the pointer arithmetic to remove the bogus
> multiplication, and use braces to remove the need for a set of brackets
> whilst also making it obvious that the target field is a pointer.
>
> Signed-off-by: Paul Burton <[email protected]>
> Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
> Cc: Alexei Starovoitov <[email protected]>
> Cc: Daniel Borkmann <[email protected]>
> Cc: Martin KaFai Lau <[email protected]>
> Cc: Song Liu <[email protected]>
> Cc: Yonghong Song <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected] # v4.13+
Good catch, applied to bpf, thanks!
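The pointer-arithmetic mistake described in the quoted commit message, shown side by side with the corrected form, as an added example; this is not the kernel's JIT code nor Paul Burton's patch. The `struct jit_ctx` here is a two-field stand-in, the buffer `jit_buf`, the "mapped words" limit and the helper names (`flush_end_buggy`, `flush_end_fixed`, `flush_len_bytes`, `end_in_bounds`) are all constructed for the illustration:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Minimal stand-in for the JIT context (assumption, not the kernel's
 * definition): 'target' points at the emitted 32-bit instructions and
 * 'idx' counts how many u32 instructions have been written so far. */
struct jit_ctx {
	u32 *target;        /* start of the JIT output buffer */
	unsigned int idx;   /* number of 4-byte instructions emitted */
};

/* Constructed output buffer, large enough that even the over-sized
 * "buggy" end address stays inside it (so the demo itself is well
 * defined); only the first 'mapped_words' slots are treated as mapped. */
static u32 jit_buf[1024];

/* Buggy end computation: multiplying the instruction count by 4 before
 * adding it to a u32 pointer scales the offset twice, because pointer
 * arithmetic already advances by sizeof(u32) bytes per element. */
static uintptr_t flush_end_buggy(const struct jit_ctx *ctx)
{
	return (uintptr_t)(ctx->target + ctx->idx * 4);
}

/* Corrected computation: index the pointer by the element count, which
 * also makes it obvious that 'target' is a pointer. */
static uintptr_t flush_end_fixed(const struct jit_ctx *ctx)
{
	return (uintptr_t)&ctx->target[ctx->idx];
}

/* Length in bytes of the range flush_icache_range() would be asked to
 * operate on, for 'idx' emitted instructions. */
static size_t flush_len_bytes(unsigned int idx, int use_buggy)
{
	struct jit_ctx ctx = { .target = jit_buf, .idx = idx };
	uintptr_t end = use_buggy ? flush_end_buggy(&ctx) : flush_end_fixed(&ctx);
	return (size_t)(end - (uintptr_t)ctx.target);
}

/* Returns 1 if the computed end stays within the first 'mapped_words'
 * slots of the buffer, 0 if the flush would run past them (the unmapped
 * page case the commit message warns about). */
static int end_in_bounds(unsigned int idx, size_t mapped_words, int use_buggy)
{
	struct jit_ctx ctx = { .target = jit_buf, .idx = idx };
	uintptr_t end = use_buggy ? flush_end_buggy(&ctx) : flush_end_fixed(&ctx);
	uintptr_t limit = (uintptr_t)(ctx.target + mapped_words);
	return end <= limit;
}

int main(void)
{
	/* Constructed scenario: 50 instructions emitted into a 64-word mapping. */
	printf("fixed: %zu bytes, in bounds=%d\n",
	       flush_len_bytes(50, 0), end_in_bounds(50, 64, 0));
	printf("buggy: %zu bytes, in bounds=%d\n",
	       flush_len_bytes(50, 1), end_in_bounds(50, 64, 1));
	return 0;
}
```

With 50 instructions the fixed range is 200 bytes, while the buggy form asks for 800 bytes and walks past the 256-byte mapped region; the same factor of four applies regardless of how many instructions were emitted.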

