// SPDX-License-Identifier: GPL-2.0-only
/*
 * Just-In-Time compiler for eBPF bytecode on MIPS.
 * Implementation of JIT functions common to 32-bit and 64-bit CPUs.
 *
 * Copyright (c) 2021 Anyfi Networks AB.
 * Author: Johan Almbladh <johan.almbladh@gmail.com>
 *
 * Based on code and ideas from
 * Copyright (c) 2017 Cavium, Inc.
 * Copyright (c) 2017 Shubham Bansal <illusionist.neo@gmail.com>
 * Copyright (c) 2011 Mircea Gherzan <mgherzan@gmail.com>
 */

/*
 * Code overview
 * =============
 *
 * - bpf_jit_comp.h
 *   Common definitions and utilities.
 *
 * - bpf_jit_comp.c
 *   Implementation of JIT top-level logic and exported JIT API functions.
 *   Implementation of internal operations shared by 32-bit and 64-bit code.
 *   JMP and ALU JIT control code, register control code, shared ALU and
 *   JMP/JMP32 JIT operations.
 *
 * - bpf_jit_comp32.c
 *   Implementation of functions to JIT prologue, epilogue and a single eBPF
 *   instruction for 32-bit MIPS CPUs. The functions use shared operations
 *   where possible, and implement the rest for 32-bit MIPS such as ALU64
 *   operations.
 *
 * - bpf_jit_comp64.c
 *   Ditto, for 64-bit MIPS CPUs.
 *
 * Zero and sign extension
 * =======================
 * 32-bit MIPS instructions on 64-bit MIPS registers use sign extension,
 * but the eBPF instruction set mandates zero extension. We let the verifier
 * insert explicit zero-extensions after 32-bit ALU operations, both for
 * 32-bit and 64-bit MIPS JITs. Conditional JMP32 operations on 64-bit MIPS
 * are JITed with sign extensions inserted where expected.
 *
 * ALU operations
 * ==============
 * ALU operations on 32/64-bit MIPS and ALU64 operations on 64-bit MIPS are
 * JITed in the following steps. ALU64 operations on 32-bit MIPS are more
 * complicated and therefore only processed by special implementations in
 * step (3).
 *
 * 1) valid_alu_i:
 *    Determine if an immediate operation can be emitted as such, or if
 *    we must fall back to the register version.
 *
 * 2) rewrite_alu_i:
 *    Convert the BPF operation and immediate value to a canonical form for
 *    JITing. In some degenerate cases this form may be a no-op.
 *
 * 3) emit_alu_{i,i64,r,r64}:
 *    Emit instructions for an ALU or ALU64 immediate or register operation.
 *
 * JMP operations
 * ==============
 * JMP and JMP32 operations require a JIT instruction offset table for
 * translating the jump offset. This table is computed by dry-running the
 * JIT without actually emitting anything. However, the computed PC-relative
 * offset may overflow the 18-bit offset field width of the native MIPS
 * branch instruction. In such cases, the long jump is converted into the
 * following sequence.
 *
 *   <branch> !<cond> +2	Inverted PC-relative branch
 *   nop			Delay slot
 *   j <offset>			Unconditional absolute long jump
 *   nop			Delay slot
 *
 * Since this converted sequence alters the offset table, all offsets must
 * be re-calculated. This may in turn trigger new branch conversions, so
 * the process is repeated until no further changes are made. Normally it
 * completes in 1-2 iterations. If JIT_MAX_ITERATIONS is reached, we fall
 * back to converting every remaining jump operation. The branch conversion
 * is independent of how the JMP or JMP32 condition is JITed.
 *
 * JMP32 and JMP operations are JITed as follows.
 *
 * 1) setup_jmp_{i,r}:
 *    Convert the jump conditional and offset into a form that can be JITed.
 *    This form may be a no-op, a canonical form, or an inverted PC-relative
 *    jump if branch conversion is necessary.
 *
 * 2) valid_jmp_i:
 *    Determine if an immediate operation can be emitted as such, or if
 *    we must fall back to the register version. Applies to JMP32 for 32-bit
 *    MIPS, and both JMP and JMP32 for 64-bit MIPS.
 *
 * 3) emit_jmp_{i,i64,r,r64}:
 *    Emit instructions for a JMP or JMP32 immediate or register operation.
 *
 * 4) finish_jmp_{i,r}:
 *    Emit any instructions needed to finish the jump. This includes a nop
 *    for the delay slot if a branch was emitted, and a long absolute jump
 *    if the branch was converted.
 */

#include <linux/limits.h>
#include <linux/bitops.h>
#include <linux/errno.h>
#include <linux/filter.h>
#include <linux/bpf.h>
#include <linux/slab.h>
#include <asm/bitops.h>
#include <asm/cacheflush.h>
#include <asm/cpu-features.h>
#include <asm/isa-rev.h>
#include <asm/uasm.h>

#include "bpf_jit_comp.h"

/* Convenience macros for descriptor access */
#define CONVERTED(desc)	((desc) & JIT_DESC_CONVERT)
#define INDEX(desc)	((desc) & ~JIT_DESC_CONVERT)

/*
 * Push registers on the stack, starting at a given depth from the stack
 * pointer and increasing. The next depth to be written is returned.
 */
int push_regs(struct jit_context *ctx, u32 mask, u32 excl, int depth)
{
	int reg;

	for (reg = 0; reg < BITS_PER_BYTE * sizeof(mask); reg++)
		if (mask & BIT(reg)) {
			if ((excl & BIT(reg)) == 0) {
				if (sizeof(long) == 4)
					emit(ctx, sw, reg, depth, MIPS_R_SP);
				else /* sizeof(long) == 8 */
					emit(ctx, sd, reg, depth, MIPS_R_SP);
			}
			depth += sizeof(long);
		}

	ctx->stack_used = max((int)ctx->stack_used, depth);
	return depth;
}
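
/*
 * For illustration only (hypothetical usage, not code from this file):
 * a prologue that saves the callee-saved registers s0 and s1 at the
 * bottom of its frame could use the functions above and below roughly
 * as sketched here. Each register selected by the mask occupies one
 * native word, so the matching pop_regs() call in the epilogue must be
 * given the same mask and starting depth.
 *
 *	u32 mask = BIT(MIPS_R_S0) | BIT(MIPS_R_S1);
 *
 *	depth = push_regs(ctx, mask, 0, 0);	// s0 at 0(sp), s1 one word up
 *	...
 *	pop_regs(ctx, mask, 0, 0);		// restore from the same slots
 */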
/*
 * Pop registers from the stack, starting at a given depth from the stack
 * pointer and increasing. The next depth to be read is returned.
 */
int pop_regs(struct jit_context *ctx, u32 mask, u32 excl, int depth)
{
	int reg;

	for (reg = 0; reg < BITS_PER_BYTE * sizeof(mask); reg++)
		if (mask & BIT(reg)) {
			if ((excl & BIT(reg)) == 0) {
				if (sizeof(long) == 4)
					emit(ctx, lw, reg, depth, MIPS_R_SP);
				else /* sizeof(long) == 8 */
					emit(ctx, ld, reg, depth, MIPS_R_SP);
			}
			depth += sizeof(long);
		}

	return depth;
}

/* Compute the 28-bit jump target address from a BPF program location */
int get_target(struct jit_context *ctx, u32 loc)
{
	u32 index = INDEX(ctx->descriptors[loc]);
	unsigned long pc = (unsigned long)&ctx->target[ctx->jit_index];
	unsigned long addr = (unsigned long)&ctx->target[index];

	if (!ctx->target)
		return 0;

	if ((addr ^ pc) & ~MIPS_JMP_MASK)
		return -1;

	return addr & MIPS_JMP_MASK;
}

/* Compute the PC-relative offset to a relative BPF program offset */
int get_offset(const struct jit_context *ctx, int off)
{
	return (INDEX(ctx->descriptors[ctx->bpf_index + off]) -
		ctx->jit_index - 1) * sizeof(u32);
}

/* dst = imm (register width) */
void emit_mov_i(struct jit_context *ctx, u8 dst, s32 imm)
{
	if (imm >= -0x8000 && imm <= 0x7fff) {
		emit(ctx, addiu, dst, MIPS_R_ZERO, imm);
	} else {
		emit(ctx, lui, dst, (s16)((u32)imm >> 16));
		emit(ctx, ori, dst, dst, (u16)(imm & 0xffff));
	}
	clobber_reg(ctx, dst);
}

/* dst = src (register width) */
void emit_mov_r(struct jit_context *ctx, u8 dst, u8 src)
{
	emit(ctx, ori, dst, src, 0);
	clobber_reg(ctx, dst);
}

/* Validate ALU immediate range */
bool valid_alu_i(u8 op, s32 imm)
{
	switch (BPF_OP(op)) {
	case BPF_NEG:
	case BPF_LSH:
	case BPF_RSH:
	case BPF_ARSH:
		/* All legal eBPF values are valid */
		return true;
	case BPF_ADD:
		/* imm must be 16 bits */
		return imm >= -0x8000 && imm <= 0x7fff;
	case BPF_SUB:
		/* -imm must be 16 bits */
		return imm >= -0x7fff && imm <= 0x8000;
	case BPF_AND:
	case BPF_OR:
	case BPF_XOR:
		/* imm must be 16 bits unsigned */
		return imm >= 0 && imm <= 0xffff;
	case BPF_MUL:
		/* imm must be zero or a positive power of two */
		return imm == 0 || (imm > 0 && is_power_of_2(imm));
	case BPF_DIV:
	case BPF_MOD:
		/* imm must be a 17-bit power of two */
		return (u32)imm <= 0x10000 && is_power_of_2((u32)imm);
	}
	return false;
}

/* Rewrite ALU immediate operation */
bool rewrite_alu_i(u8 op, s32 imm, u8 *alu, s32 *val)
{
	bool act = true;

	switch (BPF_OP(op)) {
	case BPF_LSH:
	case BPF_RSH:
	case BPF_ARSH:
	case BPF_ADD:
	case BPF_SUB:
	case BPF_OR:
	case BPF_XOR:
		/* imm == 0 is a no-op */
		act = imm != 0;
		break;
	case BPF_MUL:
		if (imm == 1) {
			/* dst * 1 is a no-op */
			act = false;
		} else if (imm == 0) {
			/* dst * 0 is dst & 0 */
			op = BPF_AND;
		} else {
			/* dst * (1 << n) is dst << n */
			op = BPF_LSH;
			imm = ilog2(abs(imm));
		}
		break;
	case BPF_DIV:
		if (imm == 1) {
			/* dst / 1 is a no-op */
			act = false;
		} else {
			/* dst / (1 << n) is dst >> n */
			op = BPF_RSH;
			imm = ilog2(imm);
		}
		break;
	case BPF_MOD:
		/* dst % (1 << n) is dst & ((1 << n) - 1) */
		op = BPF_AND;
		imm--;
		break;
	}

	*alu = op;
	*val = imm;
	return act;
}
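
/*
 * A worked example of the three ALU steps described at the top of this
 * file (illustrative only, using a made-up instruction):
 *
 *	BPF_ALU | BPF_DIV | BPF_K with imm = 8
 *
 * valid_alu_i() accepts it because 8 is a power of two within 17 bits,
 * rewrite_alu_i() rewrites it to BPF_RSH with imm = ilog2(8) = 3, and
 * emit_alu_i() then emits a single "srl dst, dst, 3". With imm = 1 the
 * rewrite instead returns false and nothing is emitted at all.
 */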
/* ALU immediate operation (32-bit) */
void emit_alu_i(struct jit_context *ctx, u8 dst, s32 imm, u8 op)
{
	switch (BPF_OP(op)) {
	/* dst = -dst */
	case BPF_NEG:
		emit(ctx, subu, dst, MIPS_R_ZERO, dst);
		break;
	/* dst = dst & imm */
	case BPF_AND:
		emit(ctx, andi, dst, dst, (u16)imm);
		break;
	/* dst = dst | imm */
	case BPF_OR:
		emit(ctx, ori, dst, dst, (u16)imm);
		break;
	/* dst = dst ^ imm */
	case BPF_XOR:
		emit(ctx, xori, dst, dst, (u16)imm);
		break;
	/* dst = dst << imm */
	case BPF_LSH:
		emit(ctx, sll, dst, dst, imm);
		break;
	/* dst = dst >> imm */
	case BPF_RSH:
		emit(ctx, srl, dst, dst, imm);
		break;
	/* dst = dst >> imm (arithmetic) */
	case BPF_ARSH:
		emit(ctx, sra, dst, dst, imm);
		break;
	/* dst = dst + imm */
	case BPF_ADD:
		emit(ctx, addiu, dst, dst, imm);
		break;
	/* dst = dst - imm */
	case BPF_SUB:
		emit(ctx, addiu, dst, dst, -imm);
		break;
	}
	clobber_reg(ctx, dst);
}

/* ALU register operation (32-bit) */
void emit_alu_r(struct jit_context *ctx, u8 dst, u8 src, u8 op)
{
	switch (BPF_OP(op)) {
	/* dst = dst & src */
	case BPF_AND:
		emit(ctx, and, dst, dst, src);
		break;
	/* dst = dst | src */
	case BPF_OR:
		emit(ctx, or, dst, dst, src);
		break;
	/* dst = dst ^ src */
	case BPF_XOR:
		emit(ctx, xor, dst, dst, src);
		break;
	/* dst = dst << src */
	case BPF_LSH:
		emit(ctx, sllv, dst, dst, src);
		break;
	/* dst = dst >> src */
	case BPF_RSH:
		emit(ctx, srlv, dst, dst, src);
		break;
	/* dst = dst >> src (arithmetic) */
	case BPF_ARSH:
		emit(ctx, srav, dst, dst, src);
		break;
	/* dst = dst + src */
	case BPF_ADD:
		emit(ctx, addu, dst, dst, src);
		break;
	/* dst = dst - src */
	case BPF_SUB:
		emit(ctx, subu, dst, dst, src);
		break;
	/* dst = dst * src */
	case BPF_MUL:
		if (cpu_has_mips32r1 || cpu_has_mips32r6) {
			emit(ctx, mul, dst, dst, src);
		} else {
			emit(ctx, multu, dst, src);
			emit(ctx, mflo, dst);
		}
		break;
	/* dst = dst / src */
	case BPF_DIV:
		if (cpu_has_mips32r6) {
			emit(ctx, divu_r6, dst, dst, src);
		} else {
			emit(ctx, divu, dst, src);
			emit(ctx, mflo, dst);
		}
		break;
	/* dst = dst % src */
	case BPF_MOD:
		if (cpu_has_mips32r6) {
			emit(ctx, modu, dst, dst, src);
		} else {
			emit(ctx, divu, dst, src);
			emit(ctx, mfhi, dst);
		}
		break;
	}
	clobber_reg(ctx, dst);
}

/* Atomic read-modify-write (32-bit) */
void emit_atomic_r(struct jit_context *ctx, u8 dst, u8 src, s16 off, u8 code)
{
	emit(ctx, ll, MIPS_R_T9, off, dst);
	switch (code) {
	case BPF_ADD:
	case BPF_ADD | BPF_FETCH:
		emit(ctx, addu, MIPS_R_T8, MIPS_R_T9, src);
		break;
	case BPF_AND:
	case BPF_AND | BPF_FETCH:
		emit(ctx, and, MIPS_R_T8, MIPS_R_T9, src);
		break;
	case BPF_OR:
	case BPF_OR | BPF_FETCH:
		emit(ctx, or, MIPS_R_T8, MIPS_R_T9, src);
		break;
	case BPF_XOR:
	case BPF_XOR | BPF_FETCH:
		emit(ctx, xor, MIPS_R_T8, MIPS_R_T9, src);
		break;
	case BPF_XCHG:
		emit(ctx, move, MIPS_R_T8, src);
		break;
	}
	emit(ctx, sc, MIPS_R_T8, off, dst);
	emit(ctx, beqz, MIPS_R_T8, -16);
	emit(ctx, nop); /* Delay slot */

	if (code & BPF_FETCH) {
		emit(ctx, move, src, MIPS_R_T9);
		clobber_reg(ctx, src);
	}
}
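
/*
 * For example, a BPF_ADD | BPF_FETCH atomic operation makes the function
 * above emit the following retry loop (branch offset in bytes):
 *
 *	ll	t9, off(dst)		# load-linked old value
 *	addu	t8, t9, src		# compute new value
 *	sc	t8, off(dst)		# store-conditional, t8 = success
 *	beqz	t8, -16			# retry from the ll if it failed
 *	 nop				# delay slot
 *	move	src, t9			# BPF_FETCH: return old value in src
 *
 * The -16 offset is taken relative to the delay-slot instruction, so the
 * branch lands back on the ll.
 */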
/* Atomic compare-and-exchange (32-bit) */
void emit_cmpxchg_r(struct jit_context *ctx, u8 dst, u8 src, u8 res, s16 off)
{
	emit(ctx, ll, MIPS_R_T9, off, dst);
	emit(ctx, bne, MIPS_R_T9, res, 12);
	emit(ctx, move, MIPS_R_T8, src);	/* Delay slot */
	emit(ctx, sc, MIPS_R_T8, off, dst);
	emit(ctx, beqz, MIPS_R_T8, -20);
	emit(ctx, move, res, MIPS_R_T9);	/* Delay slot */
	clobber_reg(ctx, res);
}

/* Swap bytes and truncate a register word or half word */
void emit_bswap_r(struct jit_context *ctx, u8 dst, u32 width)
{
	u8 tmp = MIPS_R_T8;
	u8 msk = MIPS_R_T9;

	switch (width) {
	/* Swap bytes in a word */
	case 32:
		if (cpu_has_mips32r2 || cpu_has_mips32r6) {
			emit(ctx, wsbh, dst, dst);
			emit(ctx, rotr, dst, dst, 16);
		} else {
			emit(ctx, sll, tmp, dst, 16);    /* tmp = dst << 16 */
			emit(ctx, srl, dst, dst, 16);    /* dst = dst >> 16 */
			emit(ctx, or, dst, dst, tmp);    /* dst = dst | tmp */

			emit(ctx, lui, msk, 0xff);       /* msk = 0x00ff0000 */
			emit(ctx, ori, msk, msk, 0xff);  /* msk = msk | 0xff */

			emit(ctx, and, tmp, dst, msk);   /* tmp = dst & msk */
			emit(ctx, sll, tmp, tmp, 8);     /* tmp = tmp << 8 */
			emit(ctx, srl, dst, dst, 8);     /* dst = dst >> 8 */
			emit(ctx, and, dst, dst, msk);   /* dst = dst & msk */
			emit(ctx, or, dst, dst, tmp);    /* dst = dst | tmp */
		}
		break;
	/* Swap bytes in a half word */
	case 16:
		if (cpu_has_mips32r2 || cpu_has_mips32r6) {
			emit(ctx, wsbh, dst, dst);
			emit(ctx, andi, dst, dst, 0xffff);
		} else {
			emit(ctx, andi, tmp, dst, 0xff00); /* t = d & 0xff00 */
			emit(ctx, srl, tmp, tmp, 8);       /* t = t >> 8 */
			emit(ctx, andi, dst, dst, 0x00ff); /* d = d & 0x00ff */
			emit(ctx, sll, dst, dst, 8);       /* d = d << 8 */
			emit(ctx, or, dst, dst, tmp);      /* d = d | t */
		}
		break;
	}
	clobber_reg(ctx, dst);
}

/* Validate jump immediate range */
bool valid_jmp_i(u8 op, s32 imm)
{
	switch (op) {
	case JIT_JNOP:
		/* Immediate value not used */
		return true;
	case BPF_JEQ:
	case BPF_JNE:
		/* No immediate operation */
		return false;
	case BPF_JSET:
	case JIT_JNSET:
		/* imm must be 16 bits unsigned */
		return imm >= 0 && imm <= 0xffff;
	case BPF_JGE:
	case BPF_JLT:
	case BPF_JSGE:
	case BPF_JSLT:
		/* imm must be 16 bits */
		return imm >= -0x8000 && imm <= 0x7fff;
	case BPF_JGT:
	case BPF_JLE:
	case BPF_JSGT:
	case BPF_JSLE:
		/* imm + 1 must be 16 bits */
		return imm >= -0x8001 && imm <= 0x7ffe;
	}
	return false;
}

/* Invert a conditional jump operation */
static u8 invert_jmp(u8 op)
{
	switch (op) {
	case BPF_JA: return JIT_JNOP;
	case BPF_JEQ: return BPF_JNE;
	case BPF_JNE: return BPF_JEQ;
	case BPF_JSET: return JIT_JNSET;
	case BPF_JGT: return BPF_JLE;
	case BPF_JGE: return BPF_JLT;
	case BPF_JLT: return BPF_JGE;
	case BPF_JLE: return BPF_JGT;
	case BPF_JSGT: return BPF_JSLE;
	case BPF_JSGE: return BPF_JSLT;
	case BPF_JSLT: return BPF_JSGE;
	case BPF_JSLE: return BPF_JSGT;
	}
	return 0;
}

/* Prepare a PC-relative jump operation */
static void setup_jmp(struct jit_context *ctx, u8 bpf_op,
		      s16 bpf_off, u8 *jit_op, s32 *jit_off)
{
	u32 *descp = &ctx->descriptors[ctx->bpf_index];
	int op = bpf_op;
	int offset = 0;

	/* Do not compute offsets on the first pass */
	if (INDEX(*descp) == 0)
		goto done;

	/* Skip jumps never taken */
	if (bpf_op == JIT_JNOP)
		goto done;

	/* Convert jumps always taken */
	if (bpf_op == BPF_JA)
		*descp |= JIT_DESC_CONVERT;

	/*
	 * Current ctx->jit_index points to the start of the branch preamble.
	 * Since the preamble differs among different branch conditionals,
	 * the current index cannot be used to compute the branch offset.
	 * Instead, we use the offset table value for the next instruction,
	 * which gives the index immediately after the branch delay slot.
	 */
	if (!CONVERTED(*descp)) {
		int target = ctx->bpf_index + bpf_off + 1;
		int origin = ctx->bpf_index + 1;

		offset = (INDEX(ctx->descriptors[target]) -
			  INDEX(ctx->descriptors[origin]) + 1) * sizeof(u32);
	}

	/*
	 * The PC-relative branch offset field on MIPS is 18 bits signed,
	 * so if the computed offset is larger than this we generate an
	 * absolute jump that we skip with an inverted conditional branch.
	 */
	if (CONVERTED(*descp) || offset < -0x20000 || offset > 0x1ffff) {
		offset = 3 * sizeof(u32);
		op = invert_jmp(bpf_op);
		ctx->changes += !CONVERTED(*descp);
		*descp |= JIT_DESC_CONVERT;
	}

done:
	*jit_off = offset;
	*jit_op = op;
}

/* Prepare a PC-relative jump operation with immediate conditional */
void setup_jmp_i(struct jit_context *ctx, s32 imm, u8 width,
		 u8 bpf_op, s16 bpf_off, u8 *jit_op, s32 *jit_off)
{
	bool always = false;
	bool never = false;

	switch (bpf_op) {
	case BPF_JEQ:
	case BPF_JNE:
		break;
	case BPF_JSET:
	case BPF_JLT:
		never = imm == 0;
		break;
	case BPF_JGE:
		always = imm == 0;
		break;
	case BPF_JGT:
		never = (u32)imm == U32_MAX;
		break;
	case BPF_JLE:
		always = (u32)imm == U32_MAX;
		break;
	case BPF_JSGT:
		never = imm == S32_MAX && width == 32;
		break;
	case BPF_JSGE:
		always = imm == S32_MIN && width == 32;
		break;
	case BPF_JSLT:
		never = imm == S32_MIN && width == 32;
		break;
	case BPF_JSLE:
		always = imm == S32_MAX && width == 32;
		break;
	}

	if (never)
		bpf_op = JIT_JNOP;
	if (always)
		bpf_op = BPF_JA;
	setup_jmp(ctx, bpf_op, bpf_off, jit_op, jit_off);
}

/* Prepare a PC-relative jump operation with register conditional */
void setup_jmp_r(struct jit_context *ctx, bool same_reg,
		 u8 bpf_op, s16 bpf_off, u8 *jit_op, s32 *jit_off)
{
	switch (bpf_op) {
	case BPF_JSET:
		break;
	case BPF_JEQ:
	case BPF_JGE:
	case BPF_JLE:
	case BPF_JSGE:
	case BPF_JSLE:
		if (same_reg)
			bpf_op = BPF_JA;
		break;
	case BPF_JNE:
	case BPF_JLT:
	case BPF_JGT:
	case BPF_JSGT:
	case BPF_JSLT:
		if (same_reg)
			bpf_op = JIT_JNOP;
		break;
	}
	setup_jmp(ctx, bpf_op, bpf_off, jit_op, jit_off);
}
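
/*
 * To illustrate how setup_jmp() and finish_jmp() cooperate on a converted
 * branch (sketch only): for a BPF_JEQ whose PC-relative offset does not
 * fit in 18 bits, setup_jmp() returns the inverted condition BPF_JNE with
 * a fixed offset of 3 * sizeof(u32), so the emitted branch skips the long
 * jump. finish_jmp() then appends the absolute jump and its delay slot:
 *
 *	bne	dst, src, +12		# inverted condition, skip long jump
 *	 nop				# delay slot
 *	j	<target>		# absolute jump to the real target
 *	 nop				# delay slot
 */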
/* Finish a PC-relative jump operation */
int finish_jmp(struct jit_context *ctx, u8 jit_op, s16 bpf_off)
{
	/* Emit conditional branch delay slot */
	if (jit_op != JIT_JNOP)
		emit(ctx, nop);
	/*
	 * Emit an absolute long jump with delay slot,
	 * if the PC-relative branch was converted.
	 */
	if (CONVERTED(ctx->descriptors[ctx->bpf_index])) {
		int target = get_target(ctx, ctx->bpf_index + bpf_off + 1);

		if (target < 0)
			return -1;
		emit(ctx, j, target);
		emit(ctx, nop);
	}
	return 0;
}

/* Jump immediate (32-bit) */
void emit_jmp_i(struct jit_context *ctx, u8 dst, s32 imm, s32 off, u8 op)
{
	switch (op) {
	/* No-op, used internally for branch optimization */
	case JIT_JNOP:
		break;
	/* PC += off if dst & imm */
	case BPF_JSET:
		emit(ctx, andi, MIPS_R_T9, dst, (u16)imm);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if (dst & imm) == 0 (not in BPF, used for long jumps) */
	case JIT_JNSET:
		emit(ctx, andi, MIPS_R_T9, dst, (u16)imm);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst > imm */
	case BPF_JGT:
		emit(ctx, sltiu, MIPS_R_T9, dst, imm + 1);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst >= imm */
	case BPF_JGE:
		emit(ctx, sltiu, MIPS_R_T9, dst, imm);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst < imm */
	case BPF_JLT:
		emit(ctx, sltiu, MIPS_R_T9, dst, imm);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst <= imm */
	case BPF_JLE:
		emit(ctx, sltiu, MIPS_R_T9, dst, imm + 1);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst > imm (signed) */
	case BPF_JSGT:
		emit(ctx, slti, MIPS_R_T9, dst, imm + 1);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst >= imm (signed) */
	case BPF_JSGE:
		emit(ctx, slti, MIPS_R_T9, dst, imm);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst < imm (signed) */
	case BPF_JSLT:
		emit(ctx, slti, MIPS_R_T9, dst, imm);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst <= imm (signed) */
	case BPF_JSLE:
		emit(ctx, slti, MIPS_R_T9, dst, imm + 1);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	}
}
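
/*
 * Note that BPF_JGT, BPF_JLE, BPF_JSGT and BPF_JSLE above are emitted with
 * the immediate incremented by one, since MIPS only provides "set on less
 * than" comparisons. For example, "if dst > 5" becomes "sltiu t9, dst, 6"
 * followed by a branch on t9 == 0. This is why valid_jmp_i() requires
 * imm + 1, rather than imm, to fit in 16 bits for these conditions.
 */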
/* Jump register (32-bit) */
void emit_jmp_r(struct jit_context *ctx, u8 dst, u8 src, s32 off, u8 op)
{
	switch (op) {
	/* No-op, used internally for branch optimization */
	case JIT_JNOP:
		break;
	/* PC += off if dst == src */
	case BPF_JEQ:
		emit(ctx, beq, dst, src, off);
		break;
	/* PC += off if dst != src */
	case BPF_JNE:
		emit(ctx, bne, dst, src, off);
		break;
	/* PC += off if dst & src */
	case BPF_JSET:
		emit(ctx, and, MIPS_R_T9, dst, src);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if (dst & src) == 0 (not in BPF, used for long jumps) */
	case JIT_JNSET:
		emit(ctx, and, MIPS_R_T9, dst, src);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst > src */
	case BPF_JGT:
		emit(ctx, sltu, MIPS_R_T9, src, dst);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst >= src */
	case BPF_JGE:
		emit(ctx, sltu, MIPS_R_T9, dst, src);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst < src */
	case BPF_JLT:
		emit(ctx, sltu, MIPS_R_T9, dst, src);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst <= src */
	case BPF_JLE:
		emit(ctx, sltu, MIPS_R_T9, src, dst);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst > src (signed) */
	case BPF_JSGT:
		emit(ctx, slt, MIPS_R_T9, src, dst);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst >= src (signed) */
	case BPF_JSGE:
		emit(ctx, slt, MIPS_R_T9, dst, src);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	/* PC += off if dst < src (signed) */
	case BPF_JSLT:
		emit(ctx, slt, MIPS_R_T9, dst, src);
		emit(ctx, bnez, MIPS_R_T9, off);
		break;
	/* PC += off if dst <= src (signed) */
	case BPF_JSLE:
		emit(ctx, slt, MIPS_R_T9, src, dst);
		emit(ctx, beqz, MIPS_R_T9, off);
		break;
	}
}

/* Jump always */
int emit_ja(struct jit_context *ctx, s16 off)
{
	int target = get_target(ctx, ctx->bpf_index + off + 1);

	if (target < 0)
		return -1;
	emit(ctx, j, target);
	emit(ctx, nop);
	return 0;
}

/* Jump to epilogue */
int emit_exit(struct jit_context *ctx)
{
	int target = get_target(ctx, ctx->program->len);

	if (target < 0)
		return -1;
	emit(ctx, j, target);
	emit(ctx, nop);
	return 0;
}

/* Build the program body from eBPF bytecode */
static int build_body(struct jit_context *ctx)
{
	const struct bpf_prog *prog = ctx->program;
	unsigned int i;

	ctx->stack_used = 0;
	for (i = 0; i < prog->len; i++) {
		const struct bpf_insn *insn = &prog->insnsi[i];
		u32 *descp = &ctx->descriptors[i];
		int ret;

		access_reg(ctx, insn->src_reg);
		access_reg(ctx, insn->dst_reg);

		ctx->bpf_index = i;
		if (ctx->target == NULL) {
			ctx->changes += INDEX(*descp) != ctx->jit_index;
			*descp &= JIT_DESC_CONVERT;
			*descp |= ctx->jit_index;
		}

		ret = build_insn(insn, ctx);
		if (ret < 0)
			return ret;

		if (ret > 0) {
			i++;
			if (ctx->target == NULL)
				descp[1] = ctx->jit_index;
		}
	}

	/* Store the end offset, where the epilogue begins */
	ctx->descriptors[prog->len] = ctx->jit_index;
	return 0;
}

/* Set the branch conversion flag on all instructions */
static void set_convert_flag(struct jit_context *ctx, bool enable)
{
	const struct bpf_prog *prog = ctx->program;
	u32 flag = enable ? JIT_DESC_CONVERT : 0;
	unsigned int i;

	for (i = 0; i <= prog->len; i++)
		ctx->descriptors[i] = INDEX(ctx->descriptors[i]) | flag;
}

static void jit_fill_hole(void *area, unsigned int size)
{
	u32 *p;

	/* We are guaranteed to have aligned memory. */
	for (p = area; size >= sizeof(u32); size -= sizeof(u32))
		uasm_i_break(&p, BRK_BUG); /* Increments p */
}

bool bpf_jit_needs_zext(void)
{
	return true;
}
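
/*
 * A brief summary of how bpf_int_jit_compile() below uses the descriptor
 * table (see also the comments inside the function): descriptors[i] holds
 * the JIT instruction index of eBPF instruction i in its INDEX bits, with
 * JIT_DESC_CONVERT set if the branch at i must be converted to a long
 * jump; descriptors[prog->len] holds the index where the epilogue starts.
 * The table is filled in by repeated dry runs of build_body() and is then
 * reused, unchanged, by the final code-generating pass.
 */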
struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
{
	struct bpf_prog *tmp, *orig_prog = prog;
	struct bpf_binary_header *header = NULL;
	struct jit_context ctx;
	bool tmp_blinded = false;
	unsigned int tmp_idx;
	unsigned int image_size;
	u8 *image_ptr;
	int tries;

	/*
	 * If BPF JIT was not enabled then we must fall back to
	 * the interpreter.
	 */
	if (!prog->jit_requested)
		return orig_prog;
	/*
	 * If constant blinding was enabled and we failed during blinding
	 * then we must fall back to the interpreter. Otherwise, we save
	 * the new JITed code.
	 */
	tmp = bpf_jit_blind_constants(prog);
	if (IS_ERR(tmp))
		return orig_prog;
	if (tmp != prog) {
		tmp_blinded = true;
		prog = tmp;
	}

	memset(&ctx, 0, sizeof(ctx));
	ctx.program = prog;

	/*
	 * If we are not able to allocate memory for descriptors[],
	 * we must fall back to the interpreter.
	 */
	ctx.descriptors = kcalloc(prog->len + 1, sizeof(*ctx.descriptors),
				  GFP_KERNEL);
	if (ctx.descriptors == NULL)
		goto out_err;

	/* First pass discovers used resources */
	if (build_body(&ctx) < 0)
		goto out_err;
	/*
	 * Second pass computes instruction offsets.
	 * If any PC-relative branches are out of range, a sequence of
	 * a PC-relative branch + a jump is generated, and we have to
	 * try again from the beginning to generate the new offsets.
	 * This is done until no additional conversions are necessary.
	 * The last two iterations are done with all branches being
	 * converted, to guarantee offset table convergence within a
	 * fixed number of iterations.
	 */
	ctx.jit_index = 0;
	build_prologue(&ctx);
	tmp_idx = ctx.jit_index;

	tries = JIT_MAX_ITERATIONS;
	do {
		ctx.jit_index = tmp_idx;
		ctx.changes = 0;
		if (tries == 2)
			set_convert_flag(&ctx, true);
		if (build_body(&ctx) < 0)
			goto out_err;
	} while (ctx.changes > 0 && --tries > 0);

	if (WARN_ONCE(ctx.changes > 0, "JIT offsets failed to converge"))
		goto out_err;

	build_epilogue(&ctx, MIPS_R_RA);

	/* Now we know the size of the structure to make */
	image_size = sizeof(u32) * ctx.jit_index;
	header = bpf_jit_binary_alloc(image_size, &image_ptr,
				      sizeof(u32), jit_fill_hole);
	/*
	 * If we are not able to allocate memory for the structure,
	 * we must fall back to the interpreter.
	 */
	if (header == NULL)
		goto out_err;

	/* Actual pass to generate final JIT code */
	ctx.target = (u32 *)image_ptr;
	ctx.jit_index = 0;

	/*
	 * If building the JITed code fails somehow,
	 * we fall back to the interpreter.
	 */
	build_prologue(&ctx);
	if (build_body(&ctx) < 0)
		goto out_err;
	build_epilogue(&ctx, MIPS_R_RA);

	/* Populate line info meta data */
	set_convert_flag(&ctx, false);
	bpf_prog_fill_jited_linfo(prog, &ctx.descriptors[1]);

	/* Set as read-only exec and flush instruction cache */
	bpf_jit_binary_lock_ro(header);
	flush_icache_range((unsigned long)header,
			   (unsigned long)&ctx.target[ctx.jit_index]);

	if (bpf_jit_enable > 1)
		bpf_jit_dump(prog->len, image_size, 2, ctx.target);

	prog->bpf_func = (void *)ctx.target;
	prog->jited = 1;
	prog->jited_len = image_size;

out:
	if (tmp_blinded)
		bpf_jit_prog_release_other(prog, prog == orig_prog ?
					   tmp : orig_prog);
	kfree(ctx.descriptors);
	return prog;

out_err:
	prog = orig_prog;
	if (header)
		bpf_jit_binary_free(header);
	goto out;
}