// SPDX-License-Identifier: GPL-2.0
/*
 * BPF Jit compiler for s390.
 *
 * Minimum build requirements:
 *
 *  - HAVE_MARCH_Z196_FEATURES: laal, laalg
 *  - HAVE_MARCH_Z10_FEATURES: msfi, cgrj, clgrj
 *  - HAVE_MARCH_Z9_109_FEATURES: alfi, llilf, clfi, oilf, nilf
 *  - 64BIT
 *
 * Copyright IBM Corp. 2012,2015
 *
 * Author(s): Martin Schwidefsky <schwidefsky@de.ibm.com>
 *	      Michael Holzheu <holzheu@linux.vnet.ibm.com>
 */

#define pr_fmt(fmt) "bpf_jit: " fmt

#include <linux/netdevice.h>
#include <linux/filter.h>
#include <linux/init.h>
#include <linux/bpf.h>
#include <linux/mm.h>
#include <linux/kernel.h>
#include <asm/cacheflush.h>
#include <asm/extable.h>
#include <asm/dis.h>
#include <asm/facility.h>
#include <asm/lowcore.h>
#include <asm/nospec-branch.h>
#include <asm/set_memory.h>
#include <asm/text-patching.h>
#include <asm/unwind.h>

/*
 * Per-program JIT state.
 *
 * The same struct is driven through several passes: sizing passes with
 * prg_buf == NULL, which only advance the offsets below (see _EMIT2() etc.),
 * and a final code generation pass with prg_buf set, which actually stores
 * bytes. All offsets are byte offsets relative to prg_buf.
 */
struct bpf_jit {
	u32 seen;		/* Flags to remember seen eBPF instructions */
	u16 seen_regs;		/* Mask to remember which registers are used */
	u32 *addrs;		/* Array with relative instruction addresses */
	u8 *prg_buf;		/* Start of program; NULL during sizing passes */
	int size;		/* Size of program and literal pool */
	int size_prg;		/* Size of program */
	int prg;		/* Current position in program */
	int lit32_start;	/* Start of 32-bit literal pool */
	int lit32;		/* Current position in 32-bit literal pool */
	int lit64_start;	/* Start of 64-bit literal pool */
	int lit64;		/* Current position in 64-bit literal pool */
	int base_ip;		/* Base address for literal pool */
	int exit_ip;		/* Address of exit */
	int tail_call_start;	/* Tail call start offset */
	int excnt;		/* Number of exception table entries */
	int prologue_plt_ret;	/* Return address for prologue hotpatch PLT */
	int prologue_plt;	/* Start of prologue hotpatch PLT */
	int kern_arena;		/* Pool offset of kernel arena address */
	u64 user_arena;		/* User arena address */
	u32 frame_off;		/*
				 * Offset of the caller-allocated struct
				 * prog_frame from %r15 once the prologue has
				 * lowered %r15 (see restore_regs())
				 */
};

#define SEEN_MEM	BIT(0)		/* use mem[] for temporary storage */
#define SEEN_LITERAL	BIT(1)		/* code uses literals */
#define SEEN_FUNC	BIT(2)		/* calls C functions */
#define SEEN_STACK	(SEEN_FUNC | SEEN_MEM)

#define NVREGS		0xffc0		/* %r6-%r15 */

/*
 * s390 registers
 *
 * The REG_W*/REG_L/REG_15 pseudo-registers extend the BPF register numbering
 * so that backend-only registers can go through the same reg2hex[] mapping as
 * real BPF registers. The REG_n aliases name the BPF register that lives in
 * s390 %rn.
 */
#define REG_W0		(MAX_BPF_JIT_REG + 0)	/* Work register 1 (even) */
#define REG_W1		(MAX_BPF_JIT_REG + 1)	/* Work register 2 (odd) */
#define REG_L		(MAX_BPF_JIT_REG + 2)	/* Literal pool register */
#define REG_15		(MAX_BPF_JIT_REG + 3)	/* Register 15 */
#define REG_0		REG_W0			/* Register 0 */
#define REG_1		REG_W1			/* Register 1 */
#define REG_2		BPF_REG_1		/* Register 2 */
#define REG_3		BPF_REG_2		/* Register 3 */
#define REG_4		BPF_REG_3		/* Register 4 */
#define REG_7		BPF_REG_6		/* Register 7 */
#define REG_8		BPF_REG_7		/* Register 8 */
#define REG_14		BPF_REG_0		/* Register 14 */

/*
 * Mapping of BPF registers to s390 registers
 *
 * Indexed by BPF register number (plus the pseudo-registers above); the value
 * is the s390 GPR number encoded into the instruction.
 */
static const int reg2hex[] = {
	/* Return code */
	[BPF_REG_0] = 14,
	/* Function parameters */
	[BPF_REG_1] = 2,
	[BPF_REG_2] = 3,
	[BPF_REG_3] = 4,
	[BPF_REG_4] = 5,
	[BPF_REG_5] = 6,
	/* Call saved registers */
	[BPF_REG_6] = 7,
	[BPF_REG_7] = 8,
	[BPF_REG_8] = 9,
	[BPF_REG_9] = 10,
	/* BPF stack pointer */
	[BPF_REG_FP] = 13,
	/* Register for blinding */
	[BPF_REG_AX] = 12,
	/* Work registers for s390x backend */
	[REG_W0] = 0,
	[REG_W1] = 1,
	[REG_L] = 11,
	[REG_15] = 15,
};

/* Pack two BPF registers into an R1,R2 nibble pair (R1 in the high nibble). */
static inline u32 reg(u32 dst_reg, u32 src_reg)
{
	return reg2hex[dst_reg] << 4 | reg2hex[src_reg];
}

/* s390 register number of a BPF register, already shifted into the R1 nibble. */
static inline u32 reg_high(u32 reg)
{
	return reg2hex[reg] << 4;
}

/*
 * Record that the s390 register backing "b1" is used. Only the callee-saved
 * range %r6-%r15 is tracked, since that is what save_restore_regs() needs.
 */
static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
{
	u32 r1 = reg2hex[b1];

	if (r1 >= 6 && r1 <= 15)
		jit->seen_regs |= (1 << r1);
}

/*
 * Convert an absolute program offset into a PC-relative byte distance from
 * the instruction that is about to be emitted.
 */
static s32 off_to_pcrel(struct bpf_jit *jit, u32 off)
{
	return off - jit->prg;
}

/*
 * PC-relative byte distance from the instruction about to be emitted to an
 * arbitrary kernel address. Returns 0 in sizing passes, when the final
 * buffer address is not known yet; the value is only meaningful when
 * jit->prg_buf is set.
 */
static s64 ptr_to_pcrel(struct bpf_jit *jit, const void *ptr)
{
	if (jit->prg_buf)
		return (const u8 *)ptr - ((const u8 *)jit->prg_buf + jit->prg);
	return 0;
}

#define REG_SET_SEEN(b1)					\
({								\
	reg_set_seen(jit, b1);					\
})

/*
 * EMIT macros for code generation
 *
 * _EMIT* store raw instruction words; EMIT* additionally encode registers
 * and record them via REG_SET_SEEN(). All of them only store bytes when
 * jit->prg_buf is set but always advance jit->prg. Nothing here checks
 * jit->prg against jit->size: the sizing passes must produce exactly the
 * byte count the code generation pass writes, or the final pass overruns
 * its buffer. Field-width masks below silently truncate; callers are
 * responsible for range checks (is_valid_rel(), is_valid_ldisp(), ...).
 */

#define _EMIT2(op)						\
({								\
	if (jit->prg_buf)					\
		*(u16 *) (jit->prg_buf + jit->prg) = (op);	\
	jit->prg += 2;						\
})

#define EMIT2(op, b1, b2)					\
({								\
	_EMIT2((op) | reg(b1, b2));				\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
})

#define _EMIT4(op)						\
({								\
	if (jit->prg_buf)					\
		*(u32 *) (jit->prg_buf + jit->prg) = (op);	\
	jit->prg += 4;						\
})

#define EMIT4(op, b1, b2)					\
({								\
	_EMIT4((op) | reg(b1, b2));				\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
})

#define EMIT4_RRF(op, b1, b2, b3)				\
({								\
	_EMIT4((op) | reg_high(b3) << 8 | reg(b1, b2));		\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
	REG_SET_SEEN(b3);					\
})

/* 12-bit unsigned displacement; anything larger is truncated, not rejected. */
#define _EMIT4_DISP(op, disp)					\
({								\
	unsigned int __disp = (disp) & 0xfff;			\
	_EMIT4((op) | __disp);					\
})

#define EMIT4_DISP(op, b1, b2, disp)				\
({								\
	_EMIT4_DISP((op) | reg_high(b1) << 16 |			\
		    reg_high(b2) << 8, (disp));			\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
})

/* 16-bit immediate; the caller must make sure "imm" fits. */
#define EMIT4_IMM(op, b1, imm)					\
({								\
	unsigned int __imm = (imm) & 0xffff;			\
	_EMIT4((op) | reg_high(b1) << 16 | __imm);		\
	REG_SET_SEEN(b1);					\
})

/*
 * "pcrel" is the raw byte distance from this instruction (not a program
 * offset), encoded as a 16-bit halfword count; check is_valid_rel() first.
 */
#define EMIT4_PCREL(op, pcrel)					\
({								\
	long __pcrel = ((pcrel) >> 1) & 0xffff;			\
	_EMIT4((op) | __pcrel);					\
})

/* Like EMIT4_PCREL(), but "target" is an absolute program offset. */
#define EMIT4_PCREL_RIC(op, mask, target)			\
({								\
	int __rel = off_to_pcrel(jit, target) / 2;		\
	_EMIT4((op) | (mask) << 20 | (__rel & 0xffff));	\
})

#define _EMIT6(op1, op2)					\
({								\
	if (jit->prg_buf) {					\
		*(u32 *) (jit->prg_buf + jit->prg) = (op1);	\
		*(u16 *) (jit->prg_buf + jit->prg + 4) = (op2);	\
	}							\
	jit->prg += 6;						\
})

#define _EMIT6_DISP(op1, op2, disp)				\
({								\
	unsigned int __disp = (disp) & 0xfff;			\
	_EMIT6((op1) | __disp, op2);				\
})

/*
 * 20-bit signed long displacement, split into DL (bits 0-11) and DH
 * (bits 12-19); callers check is_valid_ldisp() before using this.
 */
#define _EMIT6_DISP_LH(op1, op2, disp)				\
({								\
	u32 _disp = (u32) (disp);				\
	unsigned int __disp_h = _disp & 0xff000;		\
	unsigned int __disp_l = _disp & 0x00fff;		\
	_EMIT6((op1) | __disp_l, (op2) | __disp_h >> 4);	\
})

#define EMIT6_DISP_LH(op1, op2, b1, b2, b3, disp)		\
({								\
	_EMIT6_DISP_LH((op1) | reg(b1, b2) << 16 |		\
		       reg_high(b3) << 8, op2, disp);		\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
	REG_SET_SEEN(b3);					\
})

/* RIE-b compare-and-branch; "target" is a program offset, 16-bit reach. */
#define EMIT6_PCREL_RIEB(op1, op2, b1, b2, mask, target)	\
({								\
	unsigned int rel = off_to_pcrel(jit, target) / 2;	\
	_EMIT6((op1) | reg(b1, b2) << 16 | (rel & 0xffff),	\
	       (op2) | (mask) << 12);				\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
})

/*
 * RIE-c compare-immediate-and-branch. The 8-bit immediate is verified at
 * compile time, so "imm" must be a constant expression.
 */
#define EMIT6_PCREL_RIEC(op1, op2, b1, imm, mask, target)	\
({								\
	unsigned int rel = off_to_pcrel(jit, target) / 2;	\
	_EMIT6((op1) | (reg_high(b1) | (mask)) << 16 |		\
	       (rel & 0xffff), (op2) | ((imm) & 0xff) << 8);	\
	REG_SET_SEEN(b1);					\
	BUILD_BUG_ON(((unsigned long) (imm)) > 0xff);		\
})

/* Branch to the BPF instruction at i + off + 1, looked up through addrs[]. */
#define EMIT6_PCREL(op1, op2, b1, b2, i, off, mask)		\
({								\
	int rel = off_to_pcrel(jit, addrs[(i) + (off) + 1]) / 2;\
	_EMIT6((op1) | reg(b1, b2) << 16 | (rel & 0xffff), (op2) | (mask));\
	REG_SET_SEEN(b1);					\
	REG_SET_SEEN(b2);					\
})

/*
 * RIL-format instruction with a 32-bit halfword offset. The distance is
 * truncated to s32 after halving, giving a +/-4 GiB reach; nothing here
 * verifies that a far target (see the *_PTR variants below) is within that
 * range - presumably guaranteed by where BPF code is placed relative to the
 * kernel, but not checked at this level.
 */
static void emit6_pcrel_ril(struct bpf_jit *jit, u32 op, s64 pcrel)
{
	u32 pc32dbl = (s32)(pcrel / 2);

	_EMIT6(op | pc32dbl >> 16, pc32dbl & 0xffff);
}

/* RIL-b: register + 32-bit PC-relative operand (larl, lgrl, lrl, ...). */
static void emit6_pcrel_rilb(struct bpf_jit *jit, u32 op, u8 b, s64 pcrel)
{
	emit6_pcrel_ril(jit, op | reg_high(b) << 16, pcrel);
	REG_SET_SEEN(b);
}

/* "target" is a program offset. */
#define EMIT6_PCREL_RILB(op, b, target)				\
	emit6_pcrel_rilb(jit, op, b, off_to_pcrel(jit, target))

/* "target_ptr" is a kernel address; meaningful only in the codegen pass. */
#define EMIT6_PCREL_RILB_PTR(op, b, target_ptr)			\
	emit6_pcrel_rilb(jit, op, b, ptr_to_pcrel(jit, target_ptr))

/* RIL-c: condition mask + 32-bit PC-relative operand (brcl). */
static void emit6_pcrel_rilc(struct bpf_jit *jit, u32 op, u8 mask, s64 pcrel)
{
	emit6_pcrel_ril(jit, op | mask << 20, pcrel);
}

/* "target" is a program offset. */
#define EMIT6_PCREL_RILC(op, mask, target)			\
	emit6_pcrel_rilc(jit, op, mask, off_to_pcrel(jit, target))

/* "target_ptr" is a kernel address; meaningful only in the codegen pass. */
#define EMIT6_PCREL_RILC_PTR(op, mask, target_ptr)		\
	emit6_pcrel_rilc(jit, op, mask, ptr_to_pcrel(jit, target_ptr))

/* 32-bit immediate split across the two instruction halfword groups. */
#define _EMIT6_IMM(op, imm)					\
({								\
	unsigned int __imm = (imm);				\
	_EMIT6((op) | (__imm >> 16), __imm & 0xffff);		\
})

#define EMIT6_IMM(op, b1, imm)					\
({								\
	_EMIT6_IMM((op) | reg_high(b1) << 16, imm);		\
	REG_SET_SEEN(b1);					\
})

/*
 * Append a 32-bit literal and return its absolute pool offset, for use with
 * PC-relative loads (lrl/lgfrl). Callers of this raw form set SEEN_LITERAL
 * themselves.
 */
#define _EMIT_CONST_U32(val)					\
({								\
	unsigned int ret;					\
	ret = jit->lit32;					\
	if (jit->prg_buf)					\
		*(u32 *)(jit->prg_buf + jit->lit32) = (u32)(val);\
	jit->lit32 += 4;					\
	ret;							\
})

/*
 * Append a 32-bit literal and return its displacement from base_ip, for use
 * as a %l-relative long displacement. Marks the program as using literals.
 */
#define EMIT_CONST_U32(val)					\
({								\
	jit->seen |= SEEN_LITERAL;				\
	_EMIT_CONST_U32(val) - jit->base_ip;			\
})

/* 64-bit counterpart of _EMIT_CONST_U32(). */
#define _EMIT_CONST_U64(val)					\
({								\
	unsigned int ret;					\
	ret = jit->lit64;					\
	if (jit->prg_buf)					\
		*(u64 *)(jit->prg_buf + jit->lit64) = (u64)(val);\
	jit->lit64 += 8;					\
	ret;							\
})

/* 64-bit counterpart of EMIT_CONST_U32(). */
#define EMIT_CONST_U64(val)					\
({								\
	jit->seen |= SEEN_LITERAL;				\
	_EMIT_CONST_U64(val) - jit->base_ip;			\
})

/*
 * Zero the upper 32 bits of a BPF register after a 32-bit ALU operation,
 * unless the verifier has already inserted explicit zero-extension
 * instructions (fp->aux->verifier_zext), in which case emitting it here
 * would be redundant.
 */
#define EMIT_ZERO(b1)						\
({								\
	if (!fp->aux->verifier_zext) {				\
		/* llgfr %dst,%dst (zero extend to 64 bit) */	\
		EMIT4(0xb9160000, b1, b1);			\
		REG_SET_SEEN(b1);				\
	}							\
})

/*
 * Return whether this is the first pass. The first pass is special, since we
 * don't know any sizes yet, and thus must be conservative.
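 */
static bool is_first_pass(struct bpf_jit *jit)
{
	return jit->size == 0;
}

/*
 * Return whether this is the code generation pass. The code generation pass is
 * special, since we should change as little as possible.
 */
static bool is_codegen_pass(struct bpf_jit *jit)
{
	return jit->prg_buf;
}

/*
 * Return whether "rel" can be encoded as a short PC-relative offset, i.e. a
 * signed 16-bit halfword count (an even byte distance in [-65536, 65534]).
 */
static bool is_valid_rel(int rel)
{
	return rel >= -65536 && rel <= 65534;
}

/*
 * Return whether program offset "off" can be reached from the instruction
 * about to be emitted using a short PC-relative offset.
 */
static bool can_use_rel(struct bpf_jit *jit, int off)
{
	return is_valid_rel(off - jit->prg);
}

/*
 * Return whether given displacement can be encoded using
 * Long-Displacement Facility (signed 20 bits).
 */
static bool is_valid_ldisp(int disp)
{
	return disp >= -524288 && disp <= 524287;
}

/*
 * Return whether the next 32-bit literal pool entry can be referenced using
 * Long-Displacement Facility
 */
static bool can_use_ldisp_for_lit32(struct bpf_jit *jit)
{
	return is_valid_ldisp(jit->lit32 - jit->base_ip);
}

/*
 * Return whether the next 64-bit literal pool entry can be referenced using
 * Long-Displacement Facility
 */
static bool can_use_ldisp_for_lit64(struct bpf_jit *jit)
{
	return is_valid_ldisp(jit->lit64 - jit->base_ip);
}

/*
 * Fill whole space with illegal instructions
 *
 * Used for the padding around the JITed image. A zero halfword is not a
 * valid s390 opcode, so execution that strays into padding raises an
 * operation exception instead of running leftover bytes.
 */
static void jit_fill_hole(void *area, unsigned int size)
{
	memset(area, 0, size);
}

/*
 * Caller-allocated part of the frame.
 * Thanks to packed stack, its otherwise unused initial part can be used for
 * the BPF stack and for the next frame.
 *
 * The prologue asserts that this struct is exactly STACK_FRAME_OVERHEAD
 * bytes. tail_call_cnt is zeroed by the main program's prologue and lives
 * across tail calls (subprograms skip that initialization); r6[] receives
 * %r6-%r15 via save_regs(); backchain is written by the prologue.
 */
struct prog_frame {
	u64 unused[8];
	/* BPF stack starts here and grows towards 0 */
	u32 tail_call_cnt;
	u32 pad;
	u64 r6[10]; /* r6 - r15 */
	u64 backchain;
} __packed;

/*
 * Save registers from "rs" (register start) to "re" (register end) on stack
 *
 * Stores into the current frame (%r15 before the prologue lowers it). The
 * displacement is OR'ed into the instruction unmasked; it stays well below
 * the 12-bit limit for any rs in 6..15.
 */
static void save_regs(struct bpf_jit *jit, u32 rs, u32 re)
{
	u32 off = offsetof(struct prog_frame, r6) + (rs - 6) * 8;

	if (rs == re)
		/* stg %rs,off(%r15) */
		_EMIT6(0xe300f000 | rs << 20 | off, 0x0024);
	else
		/* stmg %rs,%re,off(%r15) */
		_EMIT6_DISP(0xeb00f000 | rs << 20 | re << 16, 0x0024, off);
}

/*
 * Restore registers from "rs" (register start) to "re" (register end) on stack
 *
 * Loads from the caller-allocated frame, which sits frame_off bytes above
 * the lowered %r15. The displacement is a 12-bit field and is neither
 * masked nor range-checked here, so frame_off plus the r6[] offset must
 * stay below 4096 - presumably ensured by the BPF stack-size limit where
 * frame_off is computed, but worth keeping in mind if the frame grows.
 */
static void restore_regs(struct bpf_jit *jit, u32 rs, u32 re)
{
	u32 off = jit->frame_off + offsetof(struct prog_frame, r6) + (rs - 6) * 8;

	if (rs == re)
		/* lg %rs,off(%r15) */
		_EMIT6(0xe300f000 | rs << 20 | off, 0x0004);
	else
		/* lmg %rs,%re,off(%r15) */
		_EMIT6_DISP(0xeb00f000 | rs << 20 | re << 16, 0x0004, off);
}

/*
 * Return first seen register (from start), or 0 if none is seen
 */
static int get_start(u16 seen_regs, int start)
{
	int i;

	for (i = start; i <= 15; i++) {
		if (seen_regs & (1 << i))
			return i;
	}
	return 0;
}

/*
 * Return last seen register (from start) (gap >= 2)
 *
 * The chunk ends right before the first position where neither %ri nor
 * %r(i+1) is used, so a single unused register in the middle is saved along
 * with its neighbours rather than splitting one stmg/lmg into two.
 */
static int get_end(u16 seen_regs, int start)
{
	int i;

	for (i = start; i < 15; i++) {
		if (!(seen_regs & (3 << i)))
			return i - 1;
	}
	return (seen_regs & (1 << 15)) ? 15 : 14;
}

#define REGS_SAVE	1
#define REGS_RESTORE	0
/*
 * Save and restore clobbered registers (6-15) on stack.
 * We save/restore registers in chunks with gap >= 2 registers.
 *
 * "extra_regs" is OR'ed into the seen mask so callers can force registers
 * to be saved even if the program itself never touches them.
 */
static void save_restore_regs(struct bpf_jit *jit, int op, u16 extra_regs)
{
	u16 seen_regs = jit->seen_regs | extra_regs;
	const int last = 15, save_restore_size = 6;
	int re = 6, rs;

	if (is_first_pass(jit)) {
		/*
		 * We don't know yet which registers are used. Reserve space
		 * conservatively: one 6-byte store/load per register is an
		 * upper bound for any chunking.
		 */
		jit->prg += (last - re + 1) * save_restore_size;
		return;
	}

	do {
		rs = get_start(seen_regs, re);
		if (!rs)
			break;
		re = get_end(seen_regs, rs + 1);
		if (op == REGS_SAVE)
			save_regs(jit, rs, re);
		else
			restore_regs(jit, rs, re);
		re++;
	} while (re <= last);
}

/*
 * Emit exactly "size" bytes of no-ops.
 *
 * Long gaps are covered by a single unconditional forward branch over the
 * remainder of the padding (brcl beyond the 16-bit halfword reach, brc
 * otherwise); whatever is left is filled with 2-byte bcr nops. Callers pass
 * even sizes; an odd trailing byte would be left unwritten.
 */
static void bpf_skip(struct bpf_jit *jit, int size)
{
	if (size >= 6 && !is_valid_rel(size)) {
		/*
		 * brcl 0xf,size
		 *
		 * EMIT6_PCREL_RILC() takes an absolute program offset (it goes
		 * through off_to_pcrel()), unlike EMIT4_PCREL() below which
		 * takes the raw distance, so the target is the current
		 * position plus "size", not "size" itself.
		 */
		EMIT6_PCREL_RILC(0xc0040000, 0xf, jit->prg + size);
		size -= 6;
	} else if (size >= 4 && is_valid_rel(size)) {
		/* brc 0xf,size */
		EMIT4_PCREL(0xa7f40000, size);
		size -= 4;
	}
	while (size >= 2) {
		/* bcr 0,%0 */
		_EMIT2(0x0700);
		size -= 2;
	}
}

/*
 * PLT for hotpatchable calls. The calling convention is the same as for the
 * ftrace hotpatch trampolines: %r0 is return address, %r1 is clobbered.
 *
 * The struct layout must match the assembly template below: 16 bytes of
 * code followed by the two 8-byte slots the lgrl instructions load from.
 * Since the loads are PC-relative, a copy of the whole struct works at any
 * 8-byte aligned location.
 */
struct bpf_plt {
	char code[16];
	void *ret;
	void *target;
} __packed;
extern const struct bpf_plt bpf_plt;
asm(
	".pushsection .rodata\n"
	"	.balign 8\n"
	"bpf_plt:\n"
	"	lgrl %r0,bpf_plt_ret\n"
	"	lgrl %r1,bpf_plt_target\n"
	"	br %r1\n"
	"	.balign 8\n"
	"bpf_plt_ret: .quad 0\n"
	"bpf_plt_target: .quad 0\n"
	"	.popsection\n"
);

/*
 * Instantiate a PLT entry at "plt" from the template, returning to "ret"
 * and jumping to "target".
 */
static void bpf_jit_plt(struct bpf_plt *plt, void *ret, void *target)
{
	memcpy(plt, &bpf_plt, sizeof(*plt));
	plt->ret = ret;
	/*
	 * (target == NULL) implies that the branch to this PLT entry was
	 * patched and became a no-op. However, some CPU could have jumped
	 * to this PLT entry before patching and may be still executing it.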
	 *
	 * Since the intention in this case is to make the PLT entry a no-op,
	 * make the target point to the return label instead of NULL.
	 */
	plt->target = target ?: ret;
}

/*
 * Emit function prologue
 *
 * Save registers and create stack frame if necessary.
 * Stack frame layout is described by struct prog_frame.
 *
 * Layout of the emitted prologue, in order:
 *  - a 6-byte no-op branch that text patching can turn into a call to the
 *    hotpatch PLT placed after the epilogue;
 *  - 6 bytes that zero tail_call_cnt (main program) or are nops
 *    (subprogram), so that tail_call_start is at a fixed offset in both;
 *  - register save / stack switch, literal pool base, frame setup.
 * Tail calls enter at tail_call_start, i.e. they skip the counter reset so
 * the count carries across the tail call chain.
 */
static void bpf_jit_prologue(struct bpf_jit *jit, struct bpf_prog *fp)
{
	BUILD_BUG_ON(sizeof(struct prog_frame) != STACK_FRAME_OVERHEAD);

	/* No-op for hotpatching */
	/* brcl 0,prologue_plt */
	EMIT6_PCREL_RILC(0xc0040000, 0, jit->prologue_plt);
	jit->prologue_plt_ret = jit->prg;

	if (!bpf_is_subprog(fp)) {
		/* Initialize the tail call counter in the main program. */
		/* xc tail_call_cnt(4,%r15),tail_call_cnt(%r15) */
		_EMIT6(0xd703f000 | offsetof(struct prog_frame, tail_call_cnt),
		       0xf000 | offsetof(struct prog_frame, tail_call_cnt));
	} else {
		/*
		 * Skip the tail call counter initialization in subprograms.
		 * Insert nops in order to have tail_call_start at a
		 * predictable offset.
		 */
		bpf_skip(jit, 6);
	}
	/* Tail calls have to skip above initialization */
	jit->tail_call_start = jit->prg;
	if (fp->aux->exception_cb) {
		/*
		 * Switch stack, the new address is in the 2nd parameter.
		 *
		 * Arrange the restoration of %r6-%r15 in the epilogue.
		 * Do not restore them now, the prog does not need them.
		 */
		/* lgr %r15,%r3 */
		EMIT4(0xb9040000, REG_15, REG_3);
		jit->seen_regs |= NVREGS;
	} else {
		/*
		 * Save registers. An exception boundary saves all of
		 * %r6-%r15 regardless of use, so the exception callback
		 * above can restore a complete register set.
		 */
		save_restore_regs(jit, REGS_SAVE,
				  fp->aux->exception_boundary ?
				  NVREGS : 0);
	}
	/* Setup literal pool */
	if (is_first_pass(jit) || (jit->seen & SEEN_LITERAL)) {
		if (!is_first_pass(jit) &&
		    is_valid_ldisp(jit->size - (jit->prg + 2))) {
			/*
			 * The whole image is within long-displacement reach
			 * of the current address: basr %l,0 is shorter than
			 * larl and gives the same base.
			 */
			/* basr %l,0 */
			EMIT2(0x0d00, REG_L, REG_0);
			jit->base_ip = jit->prg;
		} else {
			/* larl %l,lit32_start */
			EMIT6_PCREL_RILB(0xc0000000, REG_L, jit->lit32_start);
			jit->base_ip = jit->lit32_start;
		}
	}
	/* Setup stack and backchain */
	if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
		/* lgr %w1,%r15 (backchain) */
		EMIT4(0xb9040000, REG_W1, REG_15);
		/* la %bfp,unused_end(%r15) (BPF frame pointer) */
		EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15,
			   offsetofend(struct prog_frame, unused));
		/*
		 * aghi %r15,-frame_off
		 *
		 * EMIT4_IMM() truncates to 16 bits, so frame_off must stay
		 * within the signed 16-bit range of aghi; not checked here.
		 */
		EMIT4_IMM(0xa70b0000, REG_15, -jit->frame_off);
		/* stg %w1,backchain(%r15) */
		EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
			      REG_15,
			      offsetof(struct prog_frame, backchain));
	}
}

/*
 * Jump using a register either directly or via an expoline thunk
 *
 * When the kernel runs with expolines (nospec_uses_trampoline()), every
 * indirect branch - including the return through %r14 - goes through the
 * kernel's __s390_indirect_jump_rN thunk so JITed code gets the same
 * speculation hardening as the rest of the kernel.
 */
#define EMIT_JUMP_REG(reg) do {						\
	if (nospec_uses_trampoline())					\
		/* brcl 0xf,__s390_indirect_jump_rN */			\
		EMIT6_PCREL_RILC_PTR(0xc0040000, 0x0f,			\
				     __s390_indirect_jump_r ## reg);	\
	else								\
		/* br %rN */						\
		_EMIT2(0x07f0 | reg);					\
} while (0)

/*
 * Function epilogue
 *
 * Moves the BPF return value into %r2, restores the callee-saved registers
 * and returns. The hotpatch PLT is appended right after, 8-byte aligned,
 * initially with a NULL target so that it is a no-op until patched.
 */
static void bpf_jit_epilogue(struct bpf_jit *jit)
{
	jit->exit_ip = jit->prg;
	/* Load exit code: lgr %r2,%b0 */
	EMIT4(0xb9040000, REG_2, BPF_REG_0);
	/* Restore registers */
	save_restore_regs(jit, REGS_RESTORE, 0);
	EMIT_JUMP_REG(14);

	jit->prg = ALIGN(jit->prg, 8);
	jit->prologue_plt = jit->prg;
	if (jit->prg_buf)
		bpf_jit_plt((struct bpf_plt *)(jit->prg_buf + jit->prg),
			    jit->prg_buf + jit->prologue_plt_ret, NULL);
	jit->prg += sizeof(struct bpf_plt);
}

/*
 * Exception table handler for faulting probe instructions.
 *
 * Resumes at the fixup address recorded by bpf_jit_probe_post() and, when
 * x->data names a register (anything but -1), zeroes it so a faulting
 * probe load yields 0 as the BPF semantics require. Stores record -1.
 */
bool ex_handler_bpf(const struct exception_table_entry *x, struct pt_regs *regs)
{
	regs->psw.addr = extable_fixup(x);
	if (x->data != -1)
		regs->gprs[x->data] = 0;
	return true;
}

/*
 * A single BPF probe instruction
 */
struct bpf_jit_probe {
	int prg;	/* JITed instruction offset */
	int nop_prg;	/* JITed nop offset */
	int reg;	/* Register to clear on exception */
	int arena_reg;	/* Register to use for arena addressing */
};

/* Reset to "not armed": no probe offset, no nop, no register to clear. */
static void bpf_jit_probe_init(struct bpf_jit_probe *probe)
{
	probe->prg = -1;
	probe->nop_prg = -1;
	probe->reg = -1;
	probe->arena_reg = REG_0;
}

/*
 * Handlers of certain exceptions leave psw.addr pointing to the instruction
 * directly after the failing one. Therefore, create two exception table
 * entries and also add a nop in case two probing instructions come directly
 * after each other.
 */
static void bpf_jit_probe_emit_nop(struct bpf_jit *jit,
				   struct bpf_jit_probe *probe)
{
	if (probe->prg == -1 || probe->nop_prg != -1)
		/* The probe is not armed or nop is already emitted. */
		return;

	probe->nop_prg = jit->prg;
	/* bcr 0,%0 */
	_EMIT2(0x0700);
}

/*
 * Arm a probe for a load that may fault (BPF_PROBE_MEM, BPF_PROBE_MEMSX,
 * BPF_PROBE_MEM32). For arena (MEM32) loads, the kernel arena base is
 * loaded into %r1 for the caller to use as the base register. The
 * destination register is recorded so the fault handler zeroes it.
 */
static void bpf_jit_probe_load_pre(struct bpf_jit *jit, struct bpf_insn *insn,
				   struct bpf_jit_probe *probe)
{
	if (BPF_MODE(insn->code) != BPF_PROBE_MEM &&
	    BPF_MODE(insn->code) != BPF_PROBE_MEMSX &&
	    BPF_MODE(insn->code) != BPF_PROBE_MEM32)
		return;

	if (BPF_MODE(insn->code) == BPF_PROBE_MEM32) {
		/* lgrl %r1,kern_arena */
		EMIT6_PCREL_RILB(0xc4080000, REG_W1, jit->kern_arena);
		probe->arena_reg = REG_W1;
	}
	probe->prg = jit->prg;
	probe->reg = reg2hex[insn->dst_reg];
}

/*
 * Arm a probe for an arena store (BPF_PROBE_MEM32). No register is
 * recorded for clearing: a faulting store is simply skipped.
 */
static void bpf_jit_probe_store_pre(struct bpf_jit *jit, struct bpf_insn *insn,
				    struct bpf_jit_probe *probe)
{
	if (BPF_MODE(insn->code) != BPF_PROBE_MEM32)
		return;

	/* lgrl %r1,kern_arena */
	EMIT6_PCREL_RILB(0xc4080000, REG_W1, jit->kern_arena);
	probe->arena_reg = REG_W1;
	probe->prg = jit->prg;
}

/*
 * Arm a probe for an arena atomic (BPF_PROBE_ATOMIC). Unlike the load and
 * store variants, the destination register is folded into %r1 here so the
 * caller can use %r1 as the complete address.
 */
static void bpf_jit_probe_atomic_pre(struct bpf_jit *jit,
				     struct bpf_insn *insn,
				     struct bpf_jit_probe *probe)
{
	if (BPF_MODE(insn->code) != BPF_PROBE_ATOMIC)
		return;

	/* lgrl %r1,kern_arena */
	EMIT6_PCREL_RILB(0xc4080000, REG_W1, jit->kern_arena);
	/* agr %r1,%dst */
	EMIT4(0xb9080000, REG_W1, insn->dst_reg);
	probe->arena_reg = REG_W1;
	probe->prg = jit->prg;
}

/*
 * Finish an armed probe: emit the trailing nop and, in the pass that has an
 * extable, add one entry for the probe instruction and one for the nop, both
 * resuming at the current position. Returns -1 on a JIT or verifier
 * inconsistency (gap between probe and nop, extable full, or offsets too
 * far apart for the 32-bit relative extable fields), 0 otherwise.
 */
static int bpf_jit_probe_post(struct bpf_jit *jit, struct bpf_prog *fp,
			      struct bpf_jit_probe *probe)
{
	struct exception_table_entry *ex;
	int i, prg;
	s64 delta;
	u8 *insn;

	if (probe->prg == -1)
		/* The probe is not armed. */
		return 0;
	bpf_jit_probe_emit_nop(jit, probe);
	if (!fp->aux->extable)
		/* Do nothing during early JIT passes. */
		return 0;
	insn = jit->prg_buf + probe->prg;
	if (WARN_ON_ONCE(probe->prg + insn_length(*insn) != probe->nop_prg))
		/* JIT bug - gap between probe and nop instructions. */
		return -1;
	for (i = 0; i < 2; i++) {
		if (WARN_ON_ONCE(jit->excnt >= fp->aux->num_exentries))
			/* Verifier bug - not enough entries. */
			return -1;
		ex = &fp->aux->extable[jit->excnt];
		/* Add extable entries for probe and nop instructions. */
		prg = i == 0 ? probe->prg : probe->nop_prg;
		delta = jit->prg_buf + prg - (u8 *)&ex->insn;
		if (WARN_ON_ONCE(delta < INT_MIN || delta > INT_MAX))
			/* JIT bug - code and extable must be close. */
			return -1;
		ex->insn = delta;
		/*
		 * Land on the current instruction. Note that the extable
		 * infrastructure ignores the fixup field; it is handled by
		 * ex_handler_bpf().
		 */
		delta = jit->prg_buf + jit->prg - (u8 *)&ex->fixup;
		if (WARN_ON_ONCE(delta < INT_MIN || delta > INT_MAX))
			/* JIT bug - landing pad and extable must be close. */
			return -1;
		ex->fixup = delta;
		ex->type = EX_TYPE_BPF;
		ex->data = probe->reg;
		jit->excnt++;
	}
	return 0;
}

/*
 * Sign- or zero-extend the register if necessary
 *
 * "size" is the argument width in bytes; signedness comes from the BTF
 * function model flags. Returns 0 on success, -1 for an unsupported size.
 */
static int sign_zero_extend(struct bpf_jit *jit, int r, u8 size, u8 flags)
{
	switch (size) {
	case 1:
		if (flags & BTF_FMODEL_SIGNED_ARG)
			/* lgbr %r,%r */
			EMIT4(0xb9060000, r, r);
		else
			/* llgcr %r,%r */
			EMIT4(0xb9840000, r, r);
		return 0;
	case 2:
		if (flags & BTF_FMODEL_SIGNED_ARG)
			/* lghr %r,%r */
			EMIT4(0xb9070000, r, r);
		else
			/* llghr %r,%r */
			EMIT4(0xb9850000, r, r);
		return 0;
	case 4:
		if (flags & BTF_FMODEL_SIGNED_ARG)
			/* lgfr %r,%r */
			EMIT4(0xb9140000, r, r);
		else
			/* llgfr %r,%r */
			EMIT4(0xb9160000, r, r);
		return 0;
	case 8:
		return 0;
	default:
		return -1;
	}
}

/*
 * Compile one eBPF instruction into s390x code
 *
 * NOTE: Use noinline because for gcov (-fprofile-arcs) gcc allocates a lot of
 * stack space for the large switch statement.
875 */ 876 static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, 877 int i, bool extra_pass) 878 { 879 struct bpf_insn *insn = &fp->insnsi[i]; 880 s32 branch_oc_off = insn->off; 881 u32 dst_reg = insn->dst_reg; 882 u32 src_reg = insn->src_reg; 883 struct bpf_jit_probe probe; 884 int last, insn_count = 1; 885 u32 *addrs = jit->addrs; 886 s32 imm = insn->imm; 887 s16 off = insn->off; 888 unsigned int mask; 889 int err; 890 891 bpf_jit_probe_init(&probe); 892 893 switch (insn->code) { 894 /* 895 * BPF_MOV 896 */ 897 case BPF_ALU | BPF_MOV | BPF_X: 898 switch (insn->off) { 899 case 0: /* DST = (u32) SRC */ 900 /* llgfr %dst,%src */ 901 EMIT4(0xb9160000, dst_reg, src_reg); 902 if (insn_is_zext(&insn[1])) 903 insn_count = 2; 904 break; 905 case 8: /* DST = (u32)(s8) SRC */ 906 /* lbr %dst,%src */ 907 EMIT4(0xb9260000, dst_reg, src_reg); 908 /* llgfr %dst,%dst */ 909 EMIT4(0xb9160000, dst_reg, dst_reg); 910 break; 911 case 16: /* DST = (u32)(s16) SRC */ 912 /* lhr %dst,%src */ 913 EMIT4(0xb9270000, dst_reg, src_reg); 914 /* llgfr %dst,%dst */ 915 EMIT4(0xb9160000, dst_reg, dst_reg); 916 break; 917 } 918 break; 919 case BPF_ALU64 | BPF_MOV | BPF_X: 920 if (insn_is_cast_user(insn)) { 921 int patch_brc; 922 923 /* ltgr %dst,%src */ 924 EMIT4(0xb9020000, dst_reg, src_reg); 925 /* brc 8,0f */ 926 patch_brc = jit->prg; 927 EMIT4_PCREL_RIC(0xa7040000, 8, 0); 928 /* iihf %dst,user_arena>>32 */ 929 EMIT6_IMM(0xc0080000, dst_reg, jit->user_arena >> 32); 930 /* 0: */ 931 if (jit->prg_buf) 932 *(u16 *)(jit->prg_buf + patch_brc + 2) = 933 (jit->prg - patch_brc) >> 1; 934 break; 935 } 936 switch (insn->off) { 937 case 0: /* DST = SRC */ 938 /* lgr %dst,%src */ 939 EMIT4(0xb9040000, dst_reg, src_reg); 940 break; 941 case 8: /* DST = (s8) SRC */ 942 /* lgbr %dst,%src */ 943 EMIT4(0xb9060000, dst_reg, src_reg); 944 break; 945 case 16: /* DST = (s16) SRC */ 946 /* lghr %dst,%src */ 947 EMIT4(0xb9070000, dst_reg, src_reg); 948 break; 949 case 32: /* DST = (s32) SRC */ 
950 /* lgfr %dst,%src */ 951 EMIT4(0xb9140000, dst_reg, src_reg); 952 break; 953 } 954 break; 955 case BPF_ALU | BPF_MOV | BPF_K: /* dst = (u32) imm */ 956 /* llilf %dst,imm */ 957 EMIT6_IMM(0xc00f0000, dst_reg, imm); 958 if (insn_is_zext(&insn[1])) 959 insn_count = 2; 960 break; 961 case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = imm */ 962 /* lgfi %dst,imm */ 963 EMIT6_IMM(0xc0010000, dst_reg, imm); 964 break; 965 /* 966 * BPF_LD 64 967 */ 968 case BPF_LD | BPF_IMM | BPF_DW: /* dst = (u64) imm */ 969 { 970 /* 16 byte instruction that uses two 'struct bpf_insn' */ 971 u64 imm64; 972 973 imm64 = (u64)(u32) insn[0].imm | ((u64)(u32) insn[1].imm) << 32; 974 /* lgrl %dst,imm */ 975 EMIT6_PCREL_RILB(0xc4080000, dst_reg, _EMIT_CONST_U64(imm64)); 976 insn_count = 2; 977 break; 978 } 979 /* 980 * BPF_ADD 981 */ 982 case BPF_ALU | BPF_ADD | BPF_X: /* dst = (u32) dst + (u32) src */ 983 /* ar %dst,%src */ 984 EMIT2(0x1a00, dst_reg, src_reg); 985 EMIT_ZERO(dst_reg); 986 break; 987 case BPF_ALU64 | BPF_ADD | BPF_X: /* dst = dst + src */ 988 /* agr %dst,%src */ 989 EMIT4(0xb9080000, dst_reg, src_reg); 990 break; 991 case BPF_ALU | BPF_ADD | BPF_K: /* dst = (u32) dst + (u32) imm */ 992 if (imm != 0) { 993 /* alfi %dst,imm */ 994 EMIT6_IMM(0xc20b0000, dst_reg, imm); 995 } 996 EMIT_ZERO(dst_reg); 997 break; 998 case BPF_ALU64 | BPF_ADD | BPF_K: /* dst = dst + imm */ 999 if (!imm) 1000 break; 1001 /* agfi %dst,imm */ 1002 EMIT6_IMM(0xc2080000, dst_reg, imm); 1003 break; 1004 /* 1005 * BPF_SUB 1006 */ 1007 case BPF_ALU | BPF_SUB | BPF_X: /* dst = (u32) dst - (u32) src */ 1008 /* sr %dst,%src */ 1009 EMIT2(0x1b00, dst_reg, src_reg); 1010 EMIT_ZERO(dst_reg); 1011 break; 1012 case BPF_ALU64 | BPF_SUB | BPF_X: /* dst = dst - src */ 1013 /* sgr %dst,%src */ 1014 EMIT4(0xb9090000, dst_reg, src_reg); 1015 break; 1016 case BPF_ALU | BPF_SUB | BPF_K: /* dst = (u32) dst - (u32) imm */ 1017 if (imm != 0) { 1018 /* alfi %dst,-imm */ 1019 EMIT6_IMM(0xc20b0000, dst_reg, -imm); 1020 } 1021 
EMIT_ZERO(dst_reg); 1022 break; 1023 case BPF_ALU64 | BPF_SUB | BPF_K: /* dst = dst - imm */ 1024 if (!imm) 1025 break; 1026 if (imm == -0x80000000) { 1027 /* algfi %dst,0x80000000 */ 1028 EMIT6_IMM(0xc20a0000, dst_reg, 0x80000000); 1029 } else { 1030 /* agfi %dst,-imm */ 1031 EMIT6_IMM(0xc2080000, dst_reg, -imm); 1032 } 1033 break; 1034 /* 1035 * BPF_MUL 1036 */ 1037 case BPF_ALU | BPF_MUL | BPF_X: /* dst = (u32) dst * (u32) src */ 1038 /* msr %dst,%src */ 1039 EMIT4(0xb2520000, dst_reg, src_reg); 1040 EMIT_ZERO(dst_reg); 1041 break; 1042 case BPF_ALU64 | BPF_MUL | BPF_X: /* dst = dst * src */ 1043 /* msgr %dst,%src */ 1044 EMIT4(0xb90c0000, dst_reg, src_reg); 1045 break; 1046 case BPF_ALU | BPF_MUL | BPF_K: /* dst = (u32) dst * (u32) imm */ 1047 if (imm != 1) { 1048 /* msfi %r5,imm */ 1049 EMIT6_IMM(0xc2010000, dst_reg, imm); 1050 } 1051 EMIT_ZERO(dst_reg); 1052 break; 1053 case BPF_ALU64 | BPF_MUL | BPF_K: /* dst = dst * imm */ 1054 if (imm == 1) 1055 break; 1056 /* msgfi %dst,imm */ 1057 EMIT6_IMM(0xc2000000, dst_reg, imm); 1058 break; 1059 /* 1060 * BPF_DIV / BPF_MOD 1061 */ 1062 case BPF_ALU | BPF_DIV | BPF_X: 1063 case BPF_ALU | BPF_MOD | BPF_X: 1064 { 1065 int rc_reg = BPF_OP(insn->code) == BPF_DIV ? 
REG_W1 : REG_W0; 1066 1067 switch (off) { 1068 case 0: /* dst = (u32) dst {/,%} (u32) src */ 1069 /* xr %w0,%w0 */ 1070 EMIT2(0x1700, REG_W0, REG_W0); 1071 /* lr %w1,%dst */ 1072 EMIT2(0x1800, REG_W1, dst_reg); 1073 /* dlr %w0,%src */ 1074 EMIT4(0xb9970000, REG_W0, src_reg); 1075 break; 1076 case 1: /* dst = (u32) ((s32) dst {/,%} (s32) src) */ 1077 /* lgfr %r1,%dst */ 1078 EMIT4(0xb9140000, REG_W1, dst_reg); 1079 /* dsgfr %r0,%src */ 1080 EMIT4(0xb91d0000, REG_W0, src_reg); 1081 break; 1082 } 1083 /* llgfr %dst,%rc */ 1084 EMIT4(0xb9160000, dst_reg, rc_reg); 1085 if (insn_is_zext(&insn[1])) 1086 insn_count = 2; 1087 break; 1088 } 1089 case BPF_ALU64 | BPF_DIV | BPF_X: 1090 case BPF_ALU64 | BPF_MOD | BPF_X: 1091 { 1092 int rc_reg = BPF_OP(insn->code) == BPF_DIV ? REG_W1 : REG_W0; 1093 1094 switch (off) { 1095 case 0: /* dst = dst {/,%} src */ 1096 /* lghi %w0,0 */ 1097 EMIT4_IMM(0xa7090000, REG_W0, 0); 1098 /* lgr %w1,%dst */ 1099 EMIT4(0xb9040000, REG_W1, dst_reg); 1100 /* dlgr %w0,%src */ 1101 EMIT4(0xb9870000, REG_W0, src_reg); 1102 break; 1103 case 1: /* dst = (s64) dst {/,%} (s64) src */ 1104 /* lgr %w1,%dst */ 1105 EMIT4(0xb9040000, REG_W1, dst_reg); 1106 /* dsgr %w0,%src */ 1107 EMIT4(0xb90d0000, REG_W0, src_reg); 1108 break; 1109 } 1110 /* lgr %dst,%rc */ 1111 EMIT4(0xb9040000, dst_reg, rc_reg); 1112 break; 1113 } 1114 case BPF_ALU | BPF_DIV | BPF_K: 1115 case BPF_ALU | BPF_MOD | BPF_K: 1116 { 1117 int rc_reg = BPF_OP(insn->code) == BPF_DIV ? 
REG_W1 : REG_W0; 1118 1119 if (imm == 1) { 1120 if (BPF_OP(insn->code) == BPF_MOD) 1121 /* lghi %dst,0 */ 1122 EMIT4_IMM(0xa7090000, dst_reg, 0); 1123 else 1124 EMIT_ZERO(dst_reg); 1125 break; 1126 } 1127 if (!is_first_pass(jit) && can_use_ldisp_for_lit32(jit)) { 1128 switch (off) { 1129 case 0: /* dst = (u32) dst {/,%} (u32) imm */ 1130 /* xr %w0,%w0 */ 1131 EMIT2(0x1700, REG_W0, REG_W0); 1132 /* lr %w1,%dst */ 1133 EMIT2(0x1800, REG_W1, dst_reg); 1134 /* dl %w0,<d(imm)>(%l) */ 1135 EMIT6_DISP_LH(0xe3000000, 0x0097, REG_W0, REG_0, 1136 REG_L, EMIT_CONST_U32(imm)); 1137 break; 1138 case 1: /* dst = (s32) dst {/,%} (s32) imm */ 1139 /* lgfr %r1,%dst */ 1140 EMIT4(0xb9140000, REG_W1, dst_reg); 1141 /* dsgf %r0,<d(imm)>(%l) */ 1142 EMIT6_DISP_LH(0xe3000000, 0x001d, REG_W0, REG_0, 1143 REG_L, EMIT_CONST_U32(imm)); 1144 break; 1145 } 1146 } else { 1147 switch (off) { 1148 case 0: /* dst = (u32) dst {/,%} (u32) imm */ 1149 /* xr %w0,%w0 */ 1150 EMIT2(0x1700, REG_W0, REG_W0); 1151 /* lr %w1,%dst */ 1152 EMIT2(0x1800, REG_W1, dst_reg); 1153 /* lrl %dst,imm */ 1154 EMIT6_PCREL_RILB(0xc40d0000, dst_reg, 1155 _EMIT_CONST_U32(imm)); 1156 jit->seen |= SEEN_LITERAL; 1157 /* dlr %w0,%dst */ 1158 EMIT4(0xb9970000, REG_W0, dst_reg); 1159 break; 1160 case 1: /* dst = (s32) dst {/,%} (s32) imm */ 1161 /* lgfr %w1,%dst */ 1162 EMIT4(0xb9140000, REG_W1, dst_reg); 1163 /* lgfrl %dst,imm */ 1164 EMIT6_PCREL_RILB(0xc40c0000, dst_reg, 1165 _EMIT_CONST_U32(imm)); 1166 jit->seen |= SEEN_LITERAL; 1167 /* dsgr %w0,%dst */ 1168 EMIT4(0xb90d0000, REG_W0, dst_reg); 1169 break; 1170 } 1171 } 1172 /* llgfr %dst,%rc */ 1173 EMIT4(0xb9160000, dst_reg, rc_reg); 1174 if (insn_is_zext(&insn[1])) 1175 insn_count = 2; 1176 break; 1177 } 1178 case BPF_ALU64 | BPF_DIV | BPF_K: 1179 case BPF_ALU64 | BPF_MOD | BPF_K: 1180 { 1181 int rc_reg = BPF_OP(insn->code) == BPF_DIV ? 
REG_W1 : REG_W0; 1182 1183 if (imm == 1) { 1184 if (BPF_OP(insn->code) == BPF_MOD) 1185 /* lhgi %dst,0 */ 1186 EMIT4_IMM(0xa7090000, dst_reg, 0); 1187 break; 1188 } 1189 if (!is_first_pass(jit) && can_use_ldisp_for_lit64(jit)) { 1190 switch (off) { 1191 case 0: /* dst = dst {/,%} imm */ 1192 /* lghi %w0,0 */ 1193 EMIT4_IMM(0xa7090000, REG_W0, 0); 1194 /* lgr %w1,%dst */ 1195 EMIT4(0xb9040000, REG_W1, dst_reg); 1196 /* dlg %w0,<d(imm)>(%l) */ 1197 EMIT6_DISP_LH(0xe3000000, 0x0087, REG_W0, REG_0, 1198 REG_L, EMIT_CONST_U64(imm)); 1199 break; 1200 case 1: /* dst = (s64) dst {/,%} (s64) imm */ 1201 /* lgr %w1,%dst */ 1202 EMIT4(0xb9040000, REG_W1, dst_reg); 1203 /* dsg %w0,<d(imm)>(%l) */ 1204 EMIT6_DISP_LH(0xe3000000, 0x000d, REG_W0, REG_0, 1205 REG_L, EMIT_CONST_U64(imm)); 1206 break; 1207 } 1208 } else { 1209 switch (off) { 1210 case 0: /* dst = dst {/,%} imm */ 1211 /* lghi %w0,0 */ 1212 EMIT4_IMM(0xa7090000, REG_W0, 0); 1213 /* lgr %w1,%dst */ 1214 EMIT4(0xb9040000, REG_W1, dst_reg); 1215 /* lgrl %dst,imm */ 1216 EMIT6_PCREL_RILB(0xc4080000, dst_reg, 1217 _EMIT_CONST_U64(imm)); 1218 jit->seen |= SEEN_LITERAL; 1219 /* dlgr %w0,%dst */ 1220 EMIT4(0xb9870000, REG_W0, dst_reg); 1221 break; 1222 case 1: /* dst = (s64) dst {/,%} (s64) imm */ 1223 /* lgr %w1,%dst */ 1224 EMIT4(0xb9040000, REG_W1, dst_reg); 1225 /* lgrl %dst,imm */ 1226 EMIT6_PCREL_RILB(0xc4080000, dst_reg, 1227 _EMIT_CONST_U64(imm)); 1228 jit->seen |= SEEN_LITERAL; 1229 /* dsgr %w0,%dst */ 1230 EMIT4(0xb90d0000, REG_W0, dst_reg); 1231 break; 1232 } 1233 } 1234 /* lgr %dst,%rc */ 1235 EMIT4(0xb9040000, dst_reg, rc_reg); 1236 break; 1237 } 1238 /* 1239 * BPF_AND 1240 */ 1241 case BPF_ALU | BPF_AND | BPF_X: /* dst = (u32) dst & (u32) src */ 1242 /* nr %dst,%src */ 1243 EMIT2(0x1400, dst_reg, src_reg); 1244 EMIT_ZERO(dst_reg); 1245 break; 1246 case BPF_ALU64 | BPF_AND | BPF_X: /* dst = dst & src */ 1247 /* ngr %dst,%src */ 1248 EMIT4(0xb9800000, dst_reg, src_reg); 1249 break; 1250 case BPF_ALU | BPF_AND | 
BPF_K: /* dst = (u32) dst & (u32) imm */ 1251 /* nilf %dst,imm */ 1252 EMIT6_IMM(0xc00b0000, dst_reg, imm); 1253 EMIT_ZERO(dst_reg); 1254 break; 1255 case BPF_ALU64 | BPF_AND | BPF_K: /* dst = dst & imm */ 1256 if (!is_first_pass(jit) && can_use_ldisp_for_lit64(jit)) { 1257 /* ng %dst,<d(imm)>(%l) */ 1258 EMIT6_DISP_LH(0xe3000000, 0x0080, 1259 dst_reg, REG_0, REG_L, 1260 EMIT_CONST_U64(imm)); 1261 } else { 1262 /* lgrl %w0,imm */ 1263 EMIT6_PCREL_RILB(0xc4080000, REG_W0, 1264 _EMIT_CONST_U64(imm)); 1265 jit->seen |= SEEN_LITERAL; 1266 /* ngr %dst,%w0 */ 1267 EMIT4(0xb9800000, dst_reg, REG_W0); 1268 } 1269 break; 1270 /* 1271 * BPF_OR 1272 */ 1273 case BPF_ALU | BPF_OR | BPF_X: /* dst = (u32) dst | (u32) src */ 1274 /* or %dst,%src */ 1275 EMIT2(0x1600, dst_reg, src_reg); 1276 EMIT_ZERO(dst_reg); 1277 break; 1278 case BPF_ALU64 | BPF_OR | BPF_X: /* dst = dst | src */ 1279 /* ogr %dst,%src */ 1280 EMIT4(0xb9810000, dst_reg, src_reg); 1281 break; 1282 case BPF_ALU | BPF_OR | BPF_K: /* dst = (u32) dst | (u32) imm */ 1283 /* oilf %dst,imm */ 1284 EMIT6_IMM(0xc00d0000, dst_reg, imm); 1285 EMIT_ZERO(dst_reg); 1286 break; 1287 case BPF_ALU64 | BPF_OR | BPF_K: /* dst = dst | imm */ 1288 if (!is_first_pass(jit) && can_use_ldisp_for_lit64(jit)) { 1289 /* og %dst,<d(imm)>(%l) */ 1290 EMIT6_DISP_LH(0xe3000000, 0x0081, 1291 dst_reg, REG_0, REG_L, 1292 EMIT_CONST_U64(imm)); 1293 } else { 1294 /* lgrl %w0,imm */ 1295 EMIT6_PCREL_RILB(0xc4080000, REG_W0, 1296 _EMIT_CONST_U64(imm)); 1297 jit->seen |= SEEN_LITERAL; 1298 /* ogr %dst,%w0 */ 1299 EMIT4(0xb9810000, dst_reg, REG_W0); 1300 } 1301 break; 1302 /* 1303 * BPF_XOR 1304 */ 1305 case BPF_ALU | BPF_XOR | BPF_X: /* dst = (u32) dst ^ (u32) src */ 1306 /* xr %dst,%src */ 1307 EMIT2(0x1700, dst_reg, src_reg); 1308 EMIT_ZERO(dst_reg); 1309 break; 1310 case BPF_ALU64 | BPF_XOR | BPF_X: /* dst = dst ^ src */ 1311 /* xgr %dst,%src */ 1312 EMIT4(0xb9820000, dst_reg, src_reg); 1313 break; 1314 case BPF_ALU | BPF_XOR | BPF_K: /* dst = (u32) 
dst ^ (u32) imm */ 1315 if (imm != 0) { 1316 /* xilf %dst,imm */ 1317 EMIT6_IMM(0xc0070000, dst_reg, imm); 1318 } 1319 EMIT_ZERO(dst_reg); 1320 break; 1321 case BPF_ALU64 | BPF_XOR | BPF_K: /* dst = dst ^ imm */ 1322 if (!is_first_pass(jit) && can_use_ldisp_for_lit64(jit)) { 1323 /* xg %dst,<d(imm)>(%l) */ 1324 EMIT6_DISP_LH(0xe3000000, 0x0082, 1325 dst_reg, REG_0, REG_L, 1326 EMIT_CONST_U64(imm)); 1327 } else { 1328 /* lgrl %w0,imm */ 1329 EMIT6_PCREL_RILB(0xc4080000, REG_W0, 1330 _EMIT_CONST_U64(imm)); 1331 jit->seen |= SEEN_LITERAL; 1332 /* xgr %dst,%w0 */ 1333 EMIT4(0xb9820000, dst_reg, REG_W0); 1334 } 1335 break; 1336 /* 1337 * BPF_LSH 1338 */ 1339 case BPF_ALU | BPF_LSH | BPF_X: /* dst = (u32) dst << (u32) src */ 1340 /* sll %dst,0(%src) */ 1341 EMIT4_DISP(0x89000000, dst_reg, src_reg, 0); 1342 EMIT_ZERO(dst_reg); 1343 break; 1344 case BPF_ALU64 | BPF_LSH | BPF_X: /* dst = dst << src */ 1345 /* sllg %dst,%dst,0(%src) */ 1346 EMIT6_DISP_LH(0xeb000000, 0x000d, dst_reg, dst_reg, src_reg, 0); 1347 break; 1348 case BPF_ALU | BPF_LSH | BPF_K: /* dst = (u32) dst << (u32) imm */ 1349 if (imm != 0) { 1350 /* sll %dst,imm(%r0) */ 1351 EMIT4_DISP(0x89000000, dst_reg, REG_0, imm); 1352 } 1353 EMIT_ZERO(dst_reg); 1354 break; 1355 case BPF_ALU64 | BPF_LSH | BPF_K: /* dst = dst << imm */ 1356 if (imm == 0) 1357 break; 1358 /* sllg %dst,%dst,imm(%r0) */ 1359 EMIT6_DISP_LH(0xeb000000, 0x000d, dst_reg, dst_reg, REG_0, imm); 1360 break; 1361 /* 1362 * BPF_RSH 1363 */ 1364 case BPF_ALU | BPF_RSH | BPF_X: /* dst = (u32) dst >> (u32) src */ 1365 /* srl %dst,0(%src) */ 1366 EMIT4_DISP(0x88000000, dst_reg, src_reg, 0); 1367 EMIT_ZERO(dst_reg); 1368 break; 1369 case BPF_ALU64 | BPF_RSH | BPF_X: /* dst = dst >> src */ 1370 /* srlg %dst,%dst,0(%src) */ 1371 EMIT6_DISP_LH(0xeb000000, 0x000c, dst_reg, dst_reg, src_reg, 0); 1372 break; 1373 case BPF_ALU | BPF_RSH | BPF_K: /* dst = (u32) dst >> (u32) imm */ 1374 if (imm != 0) { 1375 /* srl %dst,imm(%r0) */ 1376 EMIT4_DISP(0x88000000, 
dst_reg, REG_0, imm); 1377 } 1378 EMIT_ZERO(dst_reg); 1379 break; 1380 case BPF_ALU64 | BPF_RSH | BPF_K: /* dst = dst >> imm */ 1381 if (imm == 0) 1382 break; 1383 /* srlg %dst,%dst,imm(%r0) */ 1384 EMIT6_DISP_LH(0xeb000000, 0x000c, dst_reg, dst_reg, REG_0, imm); 1385 break; 1386 /* 1387 * BPF_ARSH 1388 */ 1389 case BPF_ALU | BPF_ARSH | BPF_X: /* ((s32) dst) >>= src */ 1390 /* sra %dst,%dst,0(%src) */ 1391 EMIT4_DISP(0x8a000000, dst_reg, src_reg, 0); 1392 EMIT_ZERO(dst_reg); 1393 break; 1394 case BPF_ALU64 | BPF_ARSH | BPF_X: /* ((s64) dst) >>= src */ 1395 /* srag %dst,%dst,0(%src) */ 1396 EMIT6_DISP_LH(0xeb000000, 0x000a, dst_reg, dst_reg, src_reg, 0); 1397 break; 1398 case BPF_ALU | BPF_ARSH | BPF_K: /* ((s32) dst >> imm */ 1399 if (imm != 0) { 1400 /* sra %dst,imm(%r0) */ 1401 EMIT4_DISP(0x8a000000, dst_reg, REG_0, imm); 1402 } 1403 EMIT_ZERO(dst_reg); 1404 break; 1405 case BPF_ALU64 | BPF_ARSH | BPF_K: /* ((s64) dst) >>= imm */ 1406 if (imm == 0) 1407 break; 1408 /* srag %dst,%dst,imm(%r0) */ 1409 EMIT6_DISP_LH(0xeb000000, 0x000a, dst_reg, dst_reg, REG_0, imm); 1410 break; 1411 /* 1412 * BPF_NEG 1413 */ 1414 case BPF_ALU | BPF_NEG: /* dst = (u32) -dst */ 1415 /* lcr %dst,%dst */ 1416 EMIT2(0x1300, dst_reg, dst_reg); 1417 EMIT_ZERO(dst_reg); 1418 break; 1419 case BPF_ALU64 | BPF_NEG: /* dst = -dst */ 1420 /* lcgr %dst,%dst */ 1421 EMIT4(0xb9030000, dst_reg, dst_reg); 1422 break; 1423 /* 1424 * BPF_FROM_BE/LE 1425 */ 1426 case BPF_ALU | BPF_END | BPF_FROM_BE: 1427 /* s390 is big endian, therefore only clear high order bytes */ 1428 switch (imm) { 1429 case 16: /* dst = (u16) cpu_to_be16(dst) */ 1430 /* llghr %dst,%dst */ 1431 EMIT4(0xb9850000, dst_reg, dst_reg); 1432 if (insn_is_zext(&insn[1])) 1433 insn_count = 2; 1434 break; 1435 case 32: /* dst = (u32) cpu_to_be32(dst) */ 1436 if (!fp->aux->verifier_zext) 1437 /* llgfr %dst,%dst */ 1438 EMIT4(0xb9160000, dst_reg, dst_reg); 1439 break; 1440 case 64: /* dst = (u64) cpu_to_be64(dst) */ 1441 break; 1442 } 1443 
break; 1444 case BPF_ALU | BPF_END | BPF_FROM_LE: 1445 case BPF_ALU64 | BPF_END | BPF_FROM_LE: 1446 switch (imm) { 1447 case 16: /* dst = (u16) cpu_to_le16(dst) */ 1448 /* lrvr %dst,%dst */ 1449 EMIT4(0xb91f0000, dst_reg, dst_reg); 1450 /* srl %dst,16(%r0) */ 1451 EMIT4_DISP(0x88000000, dst_reg, REG_0, 16); 1452 /* llghr %dst,%dst */ 1453 EMIT4(0xb9850000, dst_reg, dst_reg); 1454 if (insn_is_zext(&insn[1])) 1455 insn_count = 2; 1456 break; 1457 case 32: /* dst = (u32) cpu_to_le32(dst) */ 1458 /* lrvr %dst,%dst */ 1459 EMIT4(0xb91f0000, dst_reg, dst_reg); 1460 if (!fp->aux->verifier_zext) 1461 /* llgfr %dst,%dst */ 1462 EMIT4(0xb9160000, dst_reg, dst_reg); 1463 break; 1464 case 64: /* dst = (u64) cpu_to_le64(dst) */ 1465 /* lrvgr %dst,%dst */ 1466 EMIT4(0xb90f0000, dst_reg, dst_reg); 1467 break; 1468 } 1469 break; 1470 /* 1471 * BPF_NOSPEC (speculation barrier) 1472 */ 1473 case BPF_ST | BPF_NOSPEC: 1474 break; 1475 /* 1476 * BPF_ST(X) 1477 */ 1478 case BPF_STX | BPF_MEM | BPF_B: /* *(u8 *)(dst + off) = src_reg */ 1479 case BPF_STX | BPF_PROBE_MEM32 | BPF_B: 1480 bpf_jit_probe_store_pre(jit, insn, &probe); 1481 /* stcy %src,off(%dst,%arena) */ 1482 EMIT6_DISP_LH(0xe3000000, 0x0072, src_reg, dst_reg, 1483 probe.arena_reg, off); 1484 err = bpf_jit_probe_post(jit, fp, &probe); 1485 if (err < 0) 1486 return err; 1487 jit->seen |= SEEN_MEM; 1488 break; 1489 case BPF_STX | BPF_MEM | BPF_H: /* (u16 *)(dst + off) = src */ 1490 case BPF_STX | BPF_PROBE_MEM32 | BPF_H: 1491 bpf_jit_probe_store_pre(jit, insn, &probe); 1492 /* sthy %src,off(%dst,%arena) */ 1493 EMIT6_DISP_LH(0xe3000000, 0x0070, src_reg, dst_reg, 1494 probe.arena_reg, off); 1495 err = bpf_jit_probe_post(jit, fp, &probe); 1496 if (err < 0) 1497 return err; 1498 jit->seen |= SEEN_MEM; 1499 break; 1500 case BPF_STX | BPF_MEM | BPF_W: /* *(u32 *)(dst + off) = src */ 1501 case BPF_STX | BPF_PROBE_MEM32 | BPF_W: 1502 bpf_jit_probe_store_pre(jit, insn, &probe); 1503 /* sty %src,off(%dst,%arena) */ 1504 
EMIT6_DISP_LH(0xe3000000, 0x0050, src_reg, dst_reg, 1505 probe.arena_reg, off); 1506 err = bpf_jit_probe_post(jit, fp, &probe); 1507 if (err < 0) 1508 return err; 1509 jit->seen |= SEEN_MEM; 1510 break; 1511 case BPF_STX | BPF_MEM | BPF_DW: /* (u64 *)(dst + off) = src */ 1512 case BPF_STX | BPF_PROBE_MEM32 | BPF_DW: 1513 bpf_jit_probe_store_pre(jit, insn, &probe); 1514 /* stg %src,off(%dst,%arena) */ 1515 EMIT6_DISP_LH(0xe3000000, 0x0024, src_reg, dst_reg, 1516 probe.arena_reg, off); 1517 err = bpf_jit_probe_post(jit, fp, &probe); 1518 if (err < 0) 1519 return err; 1520 jit->seen |= SEEN_MEM; 1521 break; 1522 case BPF_ST | BPF_MEM | BPF_B: /* *(u8 *)(dst + off) = imm */ 1523 case BPF_ST | BPF_PROBE_MEM32 | BPF_B: 1524 /* lhi %w0,imm */ 1525 EMIT4_IMM(0xa7080000, REG_W0, (u8) imm); 1526 bpf_jit_probe_store_pre(jit, insn, &probe); 1527 /* stcy %w0,off(%dst,%arena) */ 1528 EMIT6_DISP_LH(0xe3000000, 0x0072, REG_W0, dst_reg, 1529 probe.arena_reg, off); 1530 err = bpf_jit_probe_post(jit, fp, &probe); 1531 if (err < 0) 1532 return err; 1533 jit->seen |= SEEN_MEM; 1534 break; 1535 case BPF_ST | BPF_MEM | BPF_H: /* (u16 *)(dst + off) = imm */ 1536 case BPF_ST | BPF_PROBE_MEM32 | BPF_H: 1537 /* lhi %w0,imm */ 1538 EMIT4_IMM(0xa7080000, REG_W0, (u16) imm); 1539 bpf_jit_probe_store_pre(jit, insn, &probe); 1540 /* sthy %w0,off(%dst,%arena) */ 1541 EMIT6_DISP_LH(0xe3000000, 0x0070, REG_W0, dst_reg, 1542 probe.arena_reg, off); 1543 err = bpf_jit_probe_post(jit, fp, &probe); 1544 if (err < 0) 1545 return err; 1546 jit->seen |= SEEN_MEM; 1547 break; 1548 case BPF_ST | BPF_MEM | BPF_W: /* *(u32 *)(dst + off) = imm */ 1549 case BPF_ST | BPF_PROBE_MEM32 | BPF_W: 1550 /* llilf %w0,imm */ 1551 EMIT6_IMM(0xc00f0000, REG_W0, (u32) imm); 1552 bpf_jit_probe_store_pre(jit, insn, &probe); 1553 /* sty %w0,off(%dst,%arena) */ 1554 EMIT6_DISP_LH(0xe3000000, 0x0050, REG_W0, dst_reg, 1555 probe.arena_reg, off); 1556 err = bpf_jit_probe_post(jit, fp, &probe); 1557 if (err < 0) 1558 return err; 1559 
jit->seen |= SEEN_MEM; 1560 break; 1561 case BPF_ST | BPF_MEM | BPF_DW: /* *(u64 *)(dst + off) = imm */ 1562 case BPF_ST | BPF_PROBE_MEM32 | BPF_DW: 1563 /* lgfi %w0,imm */ 1564 EMIT6_IMM(0xc0010000, REG_W0, imm); 1565 bpf_jit_probe_store_pre(jit, insn, &probe); 1566 /* stg %w0,off(%dst,%arena) */ 1567 EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W0, dst_reg, 1568 probe.arena_reg, off); 1569 err = bpf_jit_probe_post(jit, fp, &probe); 1570 if (err < 0) 1571 return err; 1572 jit->seen |= SEEN_MEM; 1573 break; 1574 /* 1575 * BPF_ATOMIC 1576 */ 1577 case BPF_STX | BPF_ATOMIC | BPF_DW: 1578 case BPF_STX | BPF_ATOMIC | BPF_W: 1579 case BPF_STX | BPF_PROBE_ATOMIC | BPF_DW: 1580 case BPF_STX | BPF_PROBE_ATOMIC | BPF_W: 1581 { 1582 bool is32 = BPF_SIZE(insn->code) == BPF_W; 1583 1584 /* 1585 * Unlike loads and stores, atomics have only a base register, 1586 * but no index register. For the non-arena case, simply use 1587 * %dst as a base. For the arena case, use the work register 1588 * %r1: first, load the arena base into it, and then add %dst 1589 * to it. 1590 */ 1591 probe.arena_reg = dst_reg; 1592 1593 switch (insn->imm) { 1594 #define EMIT_ATOMIC(op32, op64) do { \ 1595 bpf_jit_probe_atomic_pre(jit, insn, &probe); \ 1596 /* {op32|op64} {%w0|%src},%src,off(%arena) */ \ 1597 EMIT6_DISP_LH(0xeb000000, is32 ? (op32) : (op64), \ 1598 (insn->imm & BPF_FETCH) ? 
src_reg : REG_W0, \ 1599 src_reg, probe.arena_reg, off); \ 1600 err = bpf_jit_probe_post(jit, fp, &probe); \ 1601 if (err < 0) \ 1602 return err; \ 1603 if (insn->imm & BPF_FETCH) { \ 1604 /* bcr 14,0 - see atomic_fetch_{add,and,or,xor}() */ \ 1605 _EMIT2(0x07e0); \ 1606 if (is32) \ 1607 EMIT_ZERO(src_reg); \ 1608 } \ 1609 } while (0) 1610 case BPF_ADD: 1611 case BPF_ADD | BPF_FETCH: 1612 /* {laal|laalg} */ 1613 EMIT_ATOMIC(0x00fa, 0x00ea); 1614 break; 1615 case BPF_AND: 1616 case BPF_AND | BPF_FETCH: 1617 /* {lan|lang} */ 1618 EMIT_ATOMIC(0x00f4, 0x00e4); 1619 break; 1620 case BPF_OR: 1621 case BPF_OR | BPF_FETCH: 1622 /* {lao|laog} */ 1623 EMIT_ATOMIC(0x00f6, 0x00e6); 1624 break; 1625 case BPF_XOR: 1626 case BPF_XOR | BPF_FETCH: 1627 /* {lax|laxg} */ 1628 EMIT_ATOMIC(0x00f7, 0x00e7); 1629 break; 1630 #undef EMIT_ATOMIC 1631 case BPF_XCHG: { 1632 struct bpf_jit_probe load_probe = probe; 1633 int loop_start; 1634 1635 bpf_jit_probe_atomic_pre(jit, insn, &load_probe); 1636 /* {ly|lg} %w0,off(%arena) */ 1637 EMIT6_DISP_LH(0xe3000000, 1638 is32 ? 0x0058 : 0x0004, REG_W0, REG_0, 1639 load_probe.arena_reg, off); 1640 bpf_jit_probe_emit_nop(jit, &load_probe); 1641 /* Reuse {ly|lg}'s arena_reg for {csy|csg}. */ 1642 if (load_probe.prg != -1) { 1643 probe.prg = jit->prg; 1644 probe.arena_reg = load_probe.arena_reg; 1645 } 1646 loop_start = jit->prg; 1647 /* 0: {csy|csg} %w0,%src,off(%arena) */ 1648 EMIT6_DISP_LH(0xeb000000, is32 ? 0x0014 : 0x0030, 1649 REG_W0, src_reg, probe.arena_reg, off); 1650 bpf_jit_probe_emit_nop(jit, &probe); 1651 /* brc 4,0b */ 1652 EMIT4_PCREL_RIC(0xa7040000, 4, loop_start); 1653 /* {llgfr|lgr} %src,%w0 */ 1654 EMIT4(is32 ? 0xb9160000 : 0xb9040000, src_reg, REG_W0); 1655 /* Both probes should land here on exception. 
*/ 1656 err = bpf_jit_probe_post(jit, fp, &load_probe); 1657 if (err < 0) 1658 return err; 1659 err = bpf_jit_probe_post(jit, fp, &probe); 1660 if (err < 0) 1661 return err; 1662 if (is32 && insn_is_zext(&insn[1])) 1663 insn_count = 2; 1664 break; 1665 } 1666 case BPF_CMPXCHG: 1667 bpf_jit_probe_atomic_pre(jit, insn, &probe); 1668 /* 0: {csy|csg} %b0,%src,off(%arena) */ 1669 EMIT6_DISP_LH(0xeb000000, is32 ? 0x0014 : 0x0030, 1670 BPF_REG_0, src_reg, 1671 probe.arena_reg, off); 1672 err = bpf_jit_probe_post(jit, fp, &probe); 1673 if (err < 0) 1674 return err; 1675 break; 1676 default: 1677 pr_err("Unknown atomic operation %02x\n", insn->imm); 1678 return -1; 1679 } 1680 1681 jit->seen |= SEEN_MEM; 1682 break; 1683 } 1684 /* 1685 * BPF_LDX 1686 */ 1687 case BPF_LDX | BPF_MEM | BPF_B: /* dst = *(u8 *)(ul) (src + off) */ 1688 case BPF_LDX | BPF_PROBE_MEM | BPF_B: 1689 case BPF_LDX | BPF_PROBE_MEM32 | BPF_B: 1690 bpf_jit_probe_load_pre(jit, insn, &probe); 1691 /* llgc %dst,off(%src,%arena) */ 1692 EMIT6_DISP_LH(0xe3000000, 0x0090, dst_reg, src_reg, 1693 probe.arena_reg, off); 1694 err = bpf_jit_probe_post(jit, fp, &probe); 1695 if (err < 0) 1696 return err; 1697 jit->seen |= SEEN_MEM; 1698 if (insn_is_zext(&insn[1])) 1699 insn_count = 2; 1700 break; 1701 case BPF_LDX | BPF_MEMSX | BPF_B: /* dst = *(s8 *)(ul) (src + off) */ 1702 case BPF_LDX | BPF_PROBE_MEMSX | BPF_B: 1703 bpf_jit_probe_load_pre(jit, insn, &probe); 1704 /* lgb %dst,off(%src) */ 1705 EMIT6_DISP_LH(0xe3000000, 0x0077, dst_reg, src_reg, REG_0, off); 1706 err = bpf_jit_probe_post(jit, fp, &probe); 1707 if (err < 0) 1708 return err; 1709 jit->seen |= SEEN_MEM; 1710 break; 1711 case BPF_LDX | BPF_MEM | BPF_H: /* dst = *(u16 *)(ul) (src + off) */ 1712 case BPF_LDX | BPF_PROBE_MEM | BPF_H: 1713 case BPF_LDX | BPF_PROBE_MEM32 | BPF_H: 1714 bpf_jit_probe_load_pre(jit, insn, &probe); 1715 /* llgh %dst,off(%src,%arena) */ 1716 EMIT6_DISP_LH(0xe3000000, 0x0091, dst_reg, src_reg, 1717 probe.arena_reg, off); 1718 err = 
bpf_jit_probe_post(jit, fp, &probe); 1719 if (err < 0) 1720 return err; 1721 jit->seen |= SEEN_MEM; 1722 if (insn_is_zext(&insn[1])) 1723 insn_count = 2; 1724 break; 1725 case BPF_LDX | BPF_MEMSX | BPF_H: /* dst = *(s16 *)(ul) (src + off) */ 1726 case BPF_LDX | BPF_PROBE_MEMSX | BPF_H: 1727 bpf_jit_probe_load_pre(jit, insn, &probe); 1728 /* lgh %dst,off(%src) */ 1729 EMIT6_DISP_LH(0xe3000000, 0x0015, dst_reg, src_reg, REG_0, off); 1730 err = bpf_jit_probe_post(jit, fp, &probe); 1731 if (err < 0) 1732 return err; 1733 jit->seen |= SEEN_MEM; 1734 break; 1735 case BPF_LDX | BPF_MEM | BPF_W: /* dst = *(u32 *)(ul) (src + off) */ 1736 case BPF_LDX | BPF_PROBE_MEM | BPF_W: 1737 case BPF_LDX | BPF_PROBE_MEM32 | BPF_W: 1738 bpf_jit_probe_load_pre(jit, insn, &probe); 1739 /* llgf %dst,off(%src) */ 1740 jit->seen |= SEEN_MEM; 1741 EMIT6_DISP_LH(0xe3000000, 0x0016, dst_reg, src_reg, 1742 probe.arena_reg, off); 1743 err = bpf_jit_probe_post(jit, fp, &probe); 1744 if (err < 0) 1745 return err; 1746 if (insn_is_zext(&insn[1])) 1747 insn_count = 2; 1748 break; 1749 case BPF_LDX | BPF_MEMSX | BPF_W: /* dst = *(s32 *)(ul) (src + off) */ 1750 case BPF_LDX | BPF_PROBE_MEMSX | BPF_W: 1751 bpf_jit_probe_load_pre(jit, insn, &probe); 1752 /* lgf %dst,off(%src) */ 1753 jit->seen |= SEEN_MEM; 1754 EMIT6_DISP_LH(0xe3000000, 0x0014, dst_reg, src_reg, REG_0, off); 1755 err = bpf_jit_probe_post(jit, fp, &probe); 1756 if (err < 0) 1757 return err; 1758 break; 1759 case BPF_LDX | BPF_MEM | BPF_DW: /* dst = *(u64 *)(ul) (src + off) */ 1760 case BPF_LDX | BPF_PROBE_MEM | BPF_DW: 1761 case BPF_LDX | BPF_PROBE_MEM32 | BPF_DW: 1762 bpf_jit_probe_load_pre(jit, insn, &probe); 1763 /* lg %dst,off(%src,%arena) */ 1764 jit->seen |= SEEN_MEM; 1765 EMIT6_DISP_LH(0xe3000000, 0x0004, dst_reg, src_reg, 1766 probe.arena_reg, off); 1767 err = bpf_jit_probe_post(jit, fp, &probe); 1768 if (err < 0) 1769 return err; 1770 break; 1771 /* 1772 * BPF_JMP / CALL 1773 */ 1774 case BPF_JMP | BPF_CALL: 1775 { 1776 const 
struct btf_func_model *m; 1777 bool func_addr_fixed; 1778 int j, ret; 1779 u64 func; 1780 1781 /* Implement helper call to bpf_get_smp_processor_id() inline */ 1782 if (insn->src_reg == 0 && 1783 insn->imm == BPF_FUNC_get_smp_processor_id) { 1784 const u32 *cpu_nr = &get_lowcore()->cpu_nr; 1785 1786 /* ly %b0, cpu_nr */ 1787 EMIT6_DISP_LH(0xe3000000, 0x0058, BPF_REG_0, REG_0, REG_0, 1788 (unsigned long)cpu_nr); 1789 break; 1790 } 1791 1792 /* Implement helper call to bpf_get_current_task/_btf() inline */ 1793 if (insn->src_reg == 0 && 1794 (insn->imm == BPF_FUNC_get_current_task || 1795 insn->imm == BPF_FUNC_get_current_task_btf)) { 1796 const u64 *current_task = 1797 &get_lowcore()->current_task; 1798 1799 /* lg %b0, current_task */ 1800 EMIT6_DISP_LH(0xe3000000, 0x0004, BPF_REG_0, REG_0, REG_0, 1801 (unsigned long)current_task); 1802 break; 1803 } 1804 1805 ret = bpf_jit_get_func_addr(fp, insn, extra_pass, 1806 &func, &func_addr_fixed); 1807 if (ret < 0) 1808 return -1; 1809 1810 REG_SET_SEEN(BPF_REG_5); 1811 jit->seen |= SEEN_FUNC; 1812 1813 /* 1814 * Copy the tail call counter to where the callee expects it. 1815 */ 1816 1817 if (insn->src_reg == BPF_PSEUDO_CALL) 1818 /* 1819 * mvc tail_call_cnt(4,%r15), 1820 * frame_off+tail_call_cnt(%r15) 1821 */ 1822 _EMIT6(0xd203f000 | offsetof(struct prog_frame, 1823 tail_call_cnt), 1824 0xf000 | (jit->frame_off + 1825 offsetof(struct prog_frame, 1826 tail_call_cnt))); 1827 1828 /* Sign-extend the kfunc arguments. 
*/ 1829 if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) { 1830 m = bpf_jit_find_kfunc_model(fp, insn); 1831 if (!m) 1832 return -1; 1833 1834 for (j = 0; j < m->nr_args; j++) { 1835 if (sign_zero_extend(jit, BPF_REG_1 + j, 1836 m->arg_size[j], 1837 m->arg_flags[j])) 1838 return -1; 1839 } 1840 } 1841 1842 if ((void *)func == arch_bpf_timed_may_goto) { 1843 /* 1844 * arch_bpf_timed_may_goto() has a special ABI: the 1845 * parameters are in BPF_REG_AX and BPF_REG_10; the 1846 * return value is in BPF_REG_AX; and all GPRs except 1847 * REG_W0, REG_W1, and BPF_REG_AX are callee-saved. 1848 */ 1849 1850 /* brasl %r0,func */ 1851 EMIT6_PCREL_RILB_PTR(0xc0050000, REG_0, (void *)func); 1852 } else { 1853 /* brasl %r14,func */ 1854 EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, (void *)func); 1855 /* lgr %b0,%r2: load return value into %b0 */ 1856 EMIT4(0xb9040000, BPF_REG_0, REG_2); 1857 } 1858 1859 /* 1860 * Copy the potentially updated tail call counter back. 1861 */ 1862 1863 if (insn->src_reg == BPF_PSEUDO_CALL) 1864 /* 1865 * mvc frame_off+tail_call_cnt(%r15), 1866 * tail_call_cnt(4,%r15) 1867 */ 1868 _EMIT6(0xd203f000 | (jit->frame_off + 1869 offsetof(struct prog_frame, 1870 tail_call_cnt)), 1871 0xf000 | offsetof(struct prog_frame, 1872 tail_call_cnt)); 1873 1874 break; 1875 } 1876 case BPF_JMP | BPF_TAIL_CALL: { 1877 int patch_1_clrj, patch_2_clij, patch_3_brc; 1878 1879 /* 1880 * Implicit input: 1881 * B1: pointer to ctx 1882 * B2: pointer to bpf_array 1883 * B3: index in bpf_array 1884 * 1885 * if (index >= array->map.max_entries) 1886 * goto out; 1887 */ 1888 1889 /* llgf %w1,map.max_entries(%b2) */ 1890 EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, 1891 offsetof(struct bpf_array, map.max_entries)); 1892 /* if ((u32)%b3 >= (u32)%w1) goto out; */ 1893 /* clrj %b3,%w1,0xa,out */ 1894 patch_1_clrj = jit->prg; 1895 EMIT6_PCREL_RIEB(0xec000000, 0x0077, BPF_REG_3, REG_W1, 0xa, 1896 jit->prg); 1897 1898 /* 1899 * if (tail_call_cnt >= MAX_TAIL_CALL_CNT) 1900 * goto 
out; 1901 * 1902 * tail_call_cnt is read into %w0, which needs to be preserved 1903 * until it's incremented and flushed. 1904 */ 1905 1906 off = jit->frame_off + 1907 offsetof(struct prog_frame, tail_call_cnt); 1908 /* ly %w0,off(%r15) */ 1909 EMIT6_DISP_LH(0xe3000000, 0x0058, REG_W0, REG_0, REG_15, off); 1910 /* clij %w0,MAX_TAIL_CALL_CNT,0xa,out */ 1911 patch_2_clij = jit->prg; 1912 EMIT6_PCREL_RIEC(0xec000000, 0x007f, REG_W0, MAX_TAIL_CALL_CNT, 1913 0xa, jit->prg); 1914 1915 /* 1916 * prog = array->ptrs[index]; 1917 * if (prog == NULL) 1918 * goto out; 1919 */ 1920 1921 /* llgfr %r1,%b3: %r1 = (u32) index */ 1922 EMIT4(0xb9160000, REG_1, BPF_REG_3); 1923 /* sllg %r1,%r1,3: %r1 *= 8 */ 1924 EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3); 1925 /* ltg %r1,prog(%b2,%r1) */ 1926 EMIT6_DISP_LH(0xe3000000, 0x0002, REG_1, BPF_REG_2, 1927 REG_1, offsetof(struct bpf_array, ptrs)); 1928 /* brc 0x8,out */ 1929 patch_3_brc = jit->prg; 1930 EMIT4_PCREL_RIC(0xa7040000, 8, jit->prg); 1931 1932 /* tail_call_cnt++; */ 1933 /* ahi %w0,1 */ 1934 EMIT4_IMM(0xa70a0000, REG_W0, 1); 1935 /* sty %w0,off(%r15) */ 1936 EMIT6_DISP_LH(0xe3000000, 0x0050, REG_W0, REG_0, REG_15, off); 1937 1938 /* 1939 * Restore registers before calling function 1940 */ 1941 save_restore_regs(jit, REGS_RESTORE, 0); 1942 1943 /* 1944 * goto *(prog->bpf_func + tail_call_start); 1945 */ 1946 1947 /* lg %r1,bpf_func(%r1) */ 1948 EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, REG_1, REG_0, 1949 offsetof(struct bpf_prog, bpf_func)); 1950 if (nospec_uses_trampoline()) { 1951 jit->seen |= SEEN_FUNC; 1952 /* aghi %r1,tail_call_start */ 1953 EMIT4_IMM(0xa70b0000, REG_1, jit->tail_call_start); 1954 /* brcl 0xf,__s390_indirect_jump_r1 */ 1955 EMIT6_PCREL_RILC_PTR(0xc0040000, 0xf, 1956 __s390_indirect_jump_r1); 1957 } else { 1958 /* bc 0xf,tail_call_start(%r1) */ 1959 _EMIT4(0x47f01000 + jit->tail_call_start); 1960 } 1961 /* out: */ 1962 if (jit->prg_buf) { 1963 *(u16 *)(jit->prg_buf + patch_1_clrj + 2) = 1964 
(jit->prg - patch_1_clrj) >> 1; 1965 *(u16 *)(jit->prg_buf + patch_2_clij + 2) = 1966 (jit->prg - patch_2_clij) >> 1; 1967 *(u16 *)(jit->prg_buf + patch_3_brc + 2) = 1968 (jit->prg - patch_3_brc) >> 1; 1969 } 1970 break; 1971 } 1972 case BPF_JMP | BPF_EXIT: /* return b0 */ 1973 last = (i == fp->len - 1) ? 1 : 0; 1974 if (last) 1975 break; 1976 if (!is_first_pass(jit) && can_use_rel(jit, jit->exit_ip)) 1977 /* brc 0xf, <exit> */ 1978 EMIT4_PCREL_RIC(0xa7040000, 0xf, jit->exit_ip); 1979 else 1980 /* brcl 0xf, <exit> */ 1981 EMIT6_PCREL_RILC(0xc0040000, 0xf, jit->exit_ip); 1982 break; 1983 /* 1984 * Branch relative (number of skipped instructions) to offset on 1985 * condition. 1986 * 1987 * Condition code to mask mapping: 1988 * 1989 * CC | Description | Mask 1990 * ------------------------------ 1991 * 0 | Operands equal | 8 1992 * 1 | First operand low | 4 1993 * 2 | First operand high | 2 1994 * 3 | Unused | 1 1995 * 1996 * For s390x relative branches: ip = ip + off_bytes 1997 * For BPF relative branches: insn = insn + off_insns + 1 1998 * 1999 * For example for s390x with offset 0 we jump to the branch 2000 * instruction itself (loop) and for BPF with offset 0 we 2001 * branch to the instruction behind the branch. 
2002 */ 2003 case BPF_JMP32 | BPF_JA: /* if (true) */ 2004 branch_oc_off = imm; 2005 fallthrough; 2006 case BPF_JMP | BPF_JA: /* if (true) */ 2007 mask = 0xf000; /* j */ 2008 goto branch_oc; 2009 case BPF_JMP | BPF_JSGT | BPF_K: /* ((s64) dst > (s64) imm) */ 2010 case BPF_JMP32 | BPF_JSGT | BPF_K: /* ((s32) dst > (s32) imm) */ 2011 mask = 0x2000; /* jh */ 2012 goto branch_ks; 2013 case BPF_JMP | BPF_JSLT | BPF_K: /* ((s64) dst < (s64) imm) */ 2014 case BPF_JMP32 | BPF_JSLT | BPF_K: /* ((s32) dst < (s32) imm) */ 2015 mask = 0x4000; /* jl */ 2016 goto branch_ks; 2017 case BPF_JMP | BPF_JSGE | BPF_K: /* ((s64) dst >= (s64) imm) */ 2018 case BPF_JMP32 | BPF_JSGE | BPF_K: /* ((s32) dst >= (s32) imm) */ 2019 mask = 0xa000; /* jhe */ 2020 goto branch_ks; 2021 case BPF_JMP | BPF_JSLE | BPF_K: /* ((s64) dst <= (s64) imm) */ 2022 case BPF_JMP32 | BPF_JSLE | BPF_K: /* ((s32) dst <= (s32) imm) */ 2023 mask = 0xc000; /* jle */ 2024 goto branch_ks; 2025 case BPF_JMP | BPF_JGT | BPF_K: /* (dst_reg > imm) */ 2026 case BPF_JMP32 | BPF_JGT | BPF_K: /* ((u32) dst_reg > (u32) imm) */ 2027 mask = 0x2000; /* jh */ 2028 goto branch_ku; 2029 case BPF_JMP | BPF_JLT | BPF_K: /* (dst_reg < imm) */ 2030 case BPF_JMP32 | BPF_JLT | BPF_K: /* ((u32) dst_reg < (u32) imm) */ 2031 mask = 0x4000; /* jl */ 2032 goto branch_ku; 2033 case BPF_JMP | BPF_JGE | BPF_K: /* (dst_reg >= imm) */ 2034 case BPF_JMP32 | BPF_JGE | BPF_K: /* ((u32) dst_reg >= (u32) imm) */ 2035 mask = 0xa000; /* jhe */ 2036 goto branch_ku; 2037 case BPF_JMP | BPF_JLE | BPF_K: /* (dst_reg <= imm) */ 2038 case BPF_JMP32 | BPF_JLE | BPF_K: /* ((u32) dst_reg <= (u32) imm) */ 2039 mask = 0xc000; /* jle */ 2040 goto branch_ku; 2041 case BPF_JMP | BPF_JNE | BPF_K: /* (dst_reg != imm) */ 2042 case BPF_JMP32 | BPF_JNE | BPF_K: /* ((u32) dst_reg != (u32) imm) */ 2043 mask = 0x7000; /* jne */ 2044 goto branch_ku; 2045 case BPF_JMP | BPF_JEQ | BPF_K: /* (dst_reg == imm) */ 2046 case BPF_JMP32 | BPF_JEQ | BPF_K: /* ((u32) dst_reg == (u32) imm) 
*/ 2047 mask = 0x8000; /* je */ 2048 goto branch_ku; 2049 case BPF_JMP | BPF_JSET | BPF_K: /* (dst_reg & imm) */ 2050 case BPF_JMP32 | BPF_JSET | BPF_K: /* ((u32) dst_reg & (u32) imm) */ 2051 mask = 0x7000; /* jnz */ 2052 if (BPF_CLASS(insn->code) == BPF_JMP32) { 2053 /* llilf %w1,imm (load zero extend imm) */ 2054 EMIT6_IMM(0xc00f0000, REG_W1, imm); 2055 /* nr %w1,%dst */ 2056 EMIT2(0x1400, REG_W1, dst_reg); 2057 } else { 2058 /* lgfi %w1,imm (load sign extend imm) */ 2059 EMIT6_IMM(0xc0010000, REG_W1, imm); 2060 /* ngr %w1,%dst */ 2061 EMIT4(0xb9800000, REG_W1, dst_reg); 2062 } 2063 goto branch_oc; 2064 2065 case BPF_JMP | BPF_JSGT | BPF_X: /* ((s64) dst > (s64) src) */ 2066 case BPF_JMP32 | BPF_JSGT | BPF_X: /* ((s32) dst > (s32) src) */ 2067 mask = 0x2000; /* jh */ 2068 goto branch_xs; 2069 case BPF_JMP | BPF_JSLT | BPF_X: /* ((s64) dst < (s64) src) */ 2070 case BPF_JMP32 | BPF_JSLT | BPF_X: /* ((s32) dst < (s32) src) */ 2071 mask = 0x4000; /* jl */ 2072 goto branch_xs; 2073 case BPF_JMP | BPF_JSGE | BPF_X: /* ((s64) dst >= (s64) src) */ 2074 case BPF_JMP32 | BPF_JSGE | BPF_X: /* ((s32) dst >= (s32) src) */ 2075 mask = 0xa000; /* jhe */ 2076 goto branch_xs; 2077 case BPF_JMP | BPF_JSLE | BPF_X: /* ((s64) dst <= (s64) src) */ 2078 case BPF_JMP32 | BPF_JSLE | BPF_X: /* ((s32) dst <= (s32) src) */ 2079 mask = 0xc000; /* jle */ 2080 goto branch_xs; 2081 case BPF_JMP | BPF_JGT | BPF_X: /* (dst > src) */ 2082 case BPF_JMP32 | BPF_JGT | BPF_X: /* ((u32) dst > (u32) src) */ 2083 mask = 0x2000; /* jh */ 2084 goto branch_xu; 2085 case BPF_JMP | BPF_JLT | BPF_X: /* (dst < src) */ 2086 case BPF_JMP32 | BPF_JLT | BPF_X: /* ((u32) dst < (u32) src) */ 2087 mask = 0x4000; /* jl */ 2088 goto branch_xu; 2089 case BPF_JMP | BPF_JGE | BPF_X: /* (dst >= src) */ 2090 case BPF_JMP32 | BPF_JGE | BPF_X: /* ((u32) dst >= (u32) src) */ 2091 mask = 0xa000; /* jhe */ 2092 goto branch_xu; 2093 case BPF_JMP | BPF_JLE | BPF_X: /* (dst <= src) */ 2094 case BPF_JMP32 | BPF_JLE | BPF_X: /* 
((u32) dst <= (u32) src) */ 2095 mask = 0xc000; /* jle */ 2096 goto branch_xu; 2097 case BPF_JMP | BPF_JNE | BPF_X: /* (dst != src) */ 2098 case BPF_JMP32 | BPF_JNE | BPF_X: /* ((u32) dst != (u32) src) */ 2099 mask = 0x7000; /* jne */ 2100 goto branch_xu; 2101 case BPF_JMP | BPF_JEQ | BPF_X: /* (dst == src) */ 2102 case BPF_JMP32 | BPF_JEQ | BPF_X: /* ((u32) dst == (u32) src) */ 2103 mask = 0x8000; /* je */ 2104 goto branch_xu; 2105 case BPF_JMP | BPF_JSET | BPF_X: /* (dst & src) */ 2106 case BPF_JMP32 | BPF_JSET | BPF_X: /* ((u32) dst & (u32) src) */ 2107 { 2108 bool is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; 2109 2110 mask = 0x7000; /* jnz */ 2111 /* nrk or ngrk %w1,%dst,%src */ 2112 EMIT4_RRF((is_jmp32 ? 0xb9f40000 : 0xb9e40000), 2113 REG_W1, dst_reg, src_reg); 2114 goto branch_oc; 2115 branch_ks: 2116 is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; 2117 /* cfi or cgfi %dst,imm */ 2118 EMIT6_IMM(is_jmp32 ? 0xc20d0000 : 0xc20c0000, 2119 dst_reg, imm); 2120 if (!is_first_pass(jit) && 2121 can_use_rel(jit, addrs[i + off + 1])) { 2122 /* brc mask,off */ 2123 EMIT4_PCREL_RIC(0xa7040000, 2124 mask >> 12, addrs[i + off + 1]); 2125 } else { 2126 /* brcl mask,off */ 2127 EMIT6_PCREL_RILC(0xc0040000, 2128 mask >> 12, addrs[i + off + 1]); 2129 } 2130 break; 2131 branch_ku: 2132 /* lgfi %w1,imm (load sign extend imm) */ 2133 src_reg = REG_1; 2134 EMIT6_IMM(0xc0010000, src_reg, imm); 2135 goto branch_xu; 2136 branch_xs: 2137 is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; 2138 if (!is_first_pass(jit) && 2139 can_use_rel(jit, addrs[i + off + 1])) { 2140 /* crj or cgrj %dst,%src,mask,off */ 2141 EMIT6_PCREL(0xec000000, (is_jmp32 ? 
0x0076 : 0x0064), 2142 dst_reg, src_reg, i, off, mask); 2143 } else { 2144 /* cr or cgr %dst,%src */ 2145 if (is_jmp32) 2146 EMIT2(0x1900, dst_reg, src_reg); 2147 else 2148 EMIT4(0xb9200000, dst_reg, src_reg); 2149 /* brcl mask,off */ 2150 EMIT6_PCREL_RILC(0xc0040000, 2151 mask >> 12, addrs[i + off + 1]); 2152 } 2153 break; 2154 branch_xu: 2155 is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; 2156 if (!is_first_pass(jit) && 2157 can_use_rel(jit, addrs[i + off + 1])) { 2158 /* clrj or clgrj %dst,%src,mask,off */ 2159 EMIT6_PCREL(0xec000000, (is_jmp32 ? 0x0077 : 0x0065), 2160 dst_reg, src_reg, i, off, mask); 2161 } else { 2162 /* clr or clgr %dst,%src */ 2163 if (is_jmp32) 2164 EMIT2(0x1500, dst_reg, src_reg); 2165 else 2166 EMIT4(0xb9210000, dst_reg, src_reg); 2167 /* brcl mask,off */ 2168 EMIT6_PCREL_RILC(0xc0040000, 2169 mask >> 12, addrs[i + off + 1]); 2170 } 2171 break; 2172 branch_oc: 2173 if (!is_first_pass(jit) && 2174 can_use_rel(jit, addrs[i + branch_oc_off + 1])) { 2175 /* brc mask,off */ 2176 EMIT4_PCREL_RIC(0xa7040000, 2177 mask >> 12, 2178 addrs[i + branch_oc_off + 1]); 2179 } else { 2180 /* brcl mask,off */ 2181 EMIT6_PCREL_RILC(0xc0040000, 2182 mask >> 12, 2183 addrs[i + branch_oc_off + 1]); 2184 } 2185 break; 2186 } 2187 default: /* too complex, give up */ 2188 pr_err("Unknown opcode %02x\n", insn->code); 2189 return -1; 2190 } 2191 2192 return insn_count; 2193 } 2194 2195 /* 2196 * Return whether new i-th instruction address does not violate any invariant 2197 */ 2198 static bool bpf_is_new_addr_sane(struct bpf_jit *jit, int i) 2199 { 2200 /* On the first pass anything goes */ 2201 if (is_first_pass(jit)) 2202 return true; 2203 2204 /* The codegen pass must not change anything */ 2205 if (is_codegen_pass(jit)) 2206 return jit->addrs[i] == jit->prg; 2207 2208 /* Passes in between must not increase code size */ 2209 return jit->addrs[i] >= jit->prg; 2210 } 2211 2212 /* 2213 * Update the address of i-th instruction 2214 */ 2215 static int 
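bpf_set_addr(struct bpf_jit *jit, int i)
{
	int delta;

	if (is_codegen_pass(jit)) {
		/*
		 * The codegen pass has to reproduce the addresses computed by
		 * the sizing pass. If the code emitted so far came out
		 * shorter, pad up to the recorded address (bpf_skip() is
		 * expected to emit filler of the requested length) so that
		 * jit->addrs[] stays valid for every branch target.
		 */
		delta = jit->prg - jit->addrs[i];
		if (delta < 0)
			bpf_skip(jit, -delta);
	}
	/* A violated address invariant is an internal JIT bug, not bad input. */
	if (WARN_ON_ONCE(!bpf_is_new_addr_sane(jit, i)))
		return -1;
	jit->addrs[i] = jit->prg;
	return 0;
}

/*
 * Compile eBPF program into s390x code
 *
 * Runs one JIT pass over "fp": resets the per-pass state of "jit", emits the
 * prologue, every eBPF instruction (via bpf_jit_insn()) and the epilogue, and
 * finally places the 32-bit and 64-bit literal pools behind the code. The
 * same routine serves the sizing passes (no program buffer yet) and the final
 * code generation pass.
 *
 * Returns 0 on success, -1 if an instruction could not be translated, an
 * address invariant was violated, or the number of emitted exception table
 * entries disagrees with what the verifier announced.
 */
static int bpf_jit_prog(struct bpf_jit *jit, struct bpf_prog *fp,
			bool extra_pass)
{
	int i, insn_count, lit32_size, lit64_size;
	u64 kern_arena;

	jit->lit32 = jit->lit32_start;
	jit->lit64 = jit->lit64_start;
	jit->prg = 0;
	jit->excnt = 0;
	/*
	 * The stack frame is only needed once a stack-using instruction has
	 * been seen. The first pass has no "seen" information yet, so it
	 * assumes the full frame.
	 */
	if (is_first_pass(jit) || (jit->seen & SEEN_STACK))
		jit->frame_off = sizeof(struct prog_frame) -
				 offsetofend(struct prog_frame, unused) +
				 round_up(fp->aux->stack_depth, 8);
	else
		jit->frame_off = 0;

	/*
	 * Arena base addresses: the kernel one is placed in the 64-bit
	 * literal pool (jit->kern_arena holds its pool offset), the user one
	 * is kept as a value for the instruction translator.
	 */
	kern_arena = bpf_arena_get_kern_vm_start(fp->aux->arena);
	if (kern_arena)
		jit->kern_arena = _EMIT_CONST_U64(kern_arena);
	jit->user_arena = bpf_arena_get_user_vm_start(fp->aux->arena);

	bpf_jit_prologue(jit, fp);
	if (bpf_set_addr(jit, 0) < 0)
		return -1;
	for (i = 0; i < fp->len; i += insn_count) {
		insn_count = bpf_jit_insn(jit, fp, i, extra_pass);
		if (insn_count < 0)
			return -1;
		/* Next instruction address */
		if (bpf_set_addr(jit, i + insn_count) < 0)
			return -1;
	}
	bpf_jit_epilogue(jit);

	/*
	 * Literal pools follow the code: the 32-bit pool 4-byte aligned, the
	 * 64-bit pool 8-byte aligned behind it. Alignment padding is only
	 * inserted for a non-empty pool.
	 */
	lit32_size = jit->lit32 - jit->lit32_start;
	lit64_size = jit->lit64 - jit->lit64_start;
	jit->lit32_start = jit->prg;
	if (lit32_size)
		jit->lit32_start = ALIGN(jit->lit32_start, 4);
	jit->lit64_start = jit->lit32_start + lit32_size;
	if (lit64_size)
		jit->lit64_start = ALIGN(jit->lit64_start, 8);
	jit->size = jit->lit64_start + lit64_size;
	jit->size_prg = jit->prg;

	if (WARN_ON_ONCE(fp->aux->extable &&
			 jit->excnt != fp->aux->num_exentries))
		/* Entry count differs from the verifier's - verifier bug. */
		return -1;

	return 0;
}

/*
 * Ask the verifier to insert explicit zero-extension of 32-bit results
 * instead of relying on the JIT to do it implicitly.
 */
bool bpf_jit_needs_zext(void)
{
	return true;
}

/*
 * JIT state kept in fp->aux->jit_data between the first compilation of a
 * sub-program and its extra pass.
 */
struct s390_jit_data {
	struct bpf_binary_header *header;	/* Image allocated by the first call */
	struct bpf_jit ctx;			/* Complete JIT context (addrs, sizes) */
	int pass;				/* Last pass number, for the debug dump */
};

/*
 * Allocate the binary image for "fp": code and literal pools (jit->size, as
 * computed by the sizing passes) followed by the exception table.
 *
 * Every probed access needs two exception table entries; a probed 32/64-bit
 * atomic xchg is emitted as two probed instructions, so it is counted once
 * more before doubling. fp->aux->num_exentries and fp->aux->extable are
 * updated in place. Returns NULL if the allocation fails.
 */
static struct bpf_binary_header *bpf_jit_alloc(struct bpf_jit *jit,
					       struct bpf_prog *fp)
{
	struct bpf_binary_header *header;
	struct bpf_insn *insn;
	u32 extable_size;
	u32 code_size;
	int i;

	for (i = 0; i < fp->len; i++) {
		insn = &fp->insnsi[i];

		if (BPF_CLASS(insn->code) == BPF_STX &&
		    BPF_MODE(insn->code) == BPF_PROBE_ATOMIC &&
		    (BPF_SIZE(insn->code) == BPF_DW ||
		     BPF_SIZE(insn->code) == BPF_W) &&
		    insn->imm == BPF_XCHG)
			/*
			 * bpf_jit_insn() emits a load and a compare-and-swap,
			 * both of which need to be probed.
			 */
			fp->aux->num_exentries += 1;
	}
	/* We need two entries per insn. */
	fp->aux->num_exentries *= 2;

	/* The exception table must start at its natural alignment. */
	code_size = roundup(jit->size,
			    __alignof__(struct exception_table_entry));
	extable_size = fp->aux->num_exentries *
		sizeof(struct exception_table_entry);
	/*
	 * jit_fill_hole() supplies the filler for the unused bytes of the
	 * image, so padding never contains leftover data.
	 */
	header = bpf_jit_binary_alloc(code_size + extable_size, &jit->prg_buf,
				      8, jit_fill_hole);
	if (!header)
		return NULL;
	fp->aux->extable = (struct exception_table_entry *)
		(jit->prg_buf + code_size);
	return header;
}

/*
 * Compile eBPF program "fp"
 *
 * Runs three sizing passes (bpf_jit_prog() without a program buffer),
 * allocates the image and runs the final code generation pass into it.
 * Sub-programs (fp->is_func) are compiled in two invocations: the first one
 * keeps its JIT context in fp->aux->jit_data and leaves the image writable,
 * the second one (the "extra pass", taken when a saved context is found)
 * regenerates the code into the same image and finishes it.
 *
 * The image is made read-only (bpf_jit_binary_lock_ro()) before fp->bpf_func
 * is pointed at it, except for the intermediate sub-program state described
 * above. On error the program is left unjited and all JIT state is released;
 * "fp" is returned in either case.
 */
struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_prog *fp)
{
	struct bpf_binary_header *header;
	struct s390_jit_data *jit_data;
	bool extra_pass = false;
	struct bpf_jit jit;
	int pass;

	if (!fp->jit_requested)
		return fp;

	jit_data = fp->aux->jit_data;
	if (!jit_data) {
		jit_data = kzalloc_obj(*jit_data);
		if (!jit_data)
			return fp;
		fp->aux->jit_data = jit_data;
	}
	/*
	 * A saved context means this is the extra pass of a sub-program:
	 * resume with the previously allocated image and address table.
	 */
	if (jit_data->ctx.addrs) {
		jit = jit_data->ctx;
		header = jit_data->header;
		extra_pass = true;
		pass = jit_data->pass + 1;
		goto skip_init_ctx;
	}

	memset(&jit, 0, sizeof(jit));
	/* One slot per instruction plus one for the address past the end. */
	jit.addrs = kvcalloc(fp->len + 1, sizeof(*jit.addrs), GFP_KERNEL);
	if (jit.addrs == NULL)
		goto out_err;
	/*
	 * Three initial passes:
	 *   - 1/2: Determine clobbered registers
	 *   - 3:   Calculate program size and addrs array
	 */
	for (pass = 1; pass <= 3; pass++) {
		if (bpf_jit_prog(&jit, fp, extra_pass))
			goto out_err;
	}
	/*
	 * Final pass: Allocate and generate program
	 */
	header = bpf_jit_alloc(&jit, fp);
	if (!header)
		goto out_err;
skip_init_ctx:
	if (bpf_jit_prog(&jit, fp, extra_pass)) {
		bpf_jit_binary_free(header);
		goto out_err;
	}
	/* Debug dump of the generated code when bpf_jit_enable > 1. */
	if (bpf_jit_enable > 1) {
		bpf_jit_dump(fp->len, jit.size, pass, jit.prg_buf);
		print_fn_code(jit.prg_buf, jit.size_prg);
	}
	if (!fp->is_func || extra_pass) {
		/* Finished image: make it read-only before publishing it. */
		if (bpf_jit_binary_lock_ro(header)) {
			bpf_jit_binary_free(header);
			goto out_err;
		}
	} else {
		/* Sub-program first pass: keep everything for the extra pass. */
		jit_data->header = header;
		jit_data->ctx = jit;
		jit_data->pass = pass;
	}
	fp->bpf_func = (void *) jit.prg_buf;
	fp->jited = 1;
	fp->jited_len = jit.size;

	if (!fp->is_func || extra_pass) {
		bpf_prog_fill_jited_linfo(fp, jit.addrs + 1);
free_addrs:
		/* Also reached from out_err: release the address table and context. */
		kvfree(jit.addrs);
		kfree(jit_data);
		fp->aux->jit_data = NULL;
	}

	return fp;

out_err:
	/* Undo what the first sub-program pass had already published. */
	if (extra_pass) {
		fp->bpf_func = NULL;
		fp->jited = 0;
		fp->jited_len = 0;
	}
	goto free_addrs;
}

bool bpf_jit_supports_kfunc_call(void)
{
	return true;
}

bool bpf_jit_supports_far_kfunc_call(void)
{
	return true;
}

/*
 * Patch the 6-byte "brcl" at "ip" from old_addr to new_addr.
 *
 * The branch is either a nop (mask 0, opcode 0xc004; old_addr/new_addr NULL)
 * or unconditional (mask 0xf, opcode 0xc0f4). When the branch already targets
 * its destination directly there is no PLT and only the mask changes;
 * otherwise the branch goes through a PLT whose target slot holds the call
 * address. Before anything is written, both the branch opcode and the entire
 * PLT are verified against what bpf_jit_plt() would have emitted for
 * old_addr; a mismatch (-EINVAL) or an unreadable location (error from
 * copy_from_kernel_nofault()) aborts the poke with no code modified, so a
 * stale or wrong expectation cannot rewrite unrelated kernel text.
 *
 * Returns 0 on success, a negative errno otherwise.
 */
int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type old_t,
		       enum bpf_text_poke_type new_t, void *old_addr,
		       void *new_addr)
{
	struct bpf_plt expected_plt, current_plt, new_plt, *plt;
	struct {
		u16 opc;
		s32 disp;	/* Branch displacement in halfwords */
	} __packed insn;
	char *ret;
	int err;

	/* Verify the branch to be patched. */
	err = copy_from_kernel_nofault(&insn, ip, sizeof(insn));
	if (err < 0)
		return err;
	if (insn.opc != (0xc004 | (old_addr ? 0xf0 : 0)))
		return -EINVAL;

	if ((new_t == BPF_MOD_JUMP || old_t == BPF_MOD_JUMP) &&
	    insn.disp == ((char *)new_addr - (char *)ip) >> 1) {
		/*
		 * The branch already points to the destination,
		 * there is no PLT.
		 */
	} else {
		/* Verify the PLT. */
		plt = ip + (insn.disp << 1);
		err = copy_from_kernel_nofault(&current_plt, plt,
					       sizeof(current_plt));
		if (err < 0)
			return err;
		/* Return address is the instruction after the 6-byte brcl. */
		ret = (char *)ip + 6;
		bpf_jit_plt(&expected_plt, ret, old_addr);
		if (memcmp(&current_plt, &expected_plt, sizeof(current_plt)))
			return -EINVAL;
		/* Adjust the call address. */
		bpf_jit_plt(&new_plt, ret, new_addr);
		/* Only the target slot changes; the rest was verified identical. */
		s390_kernel_write(&plt->target, &new_plt.target,
				  sizeof(void *));
	}

	/*
	 * Adjust the mask of the branch: write the single byte holding the
	 * mask nibble (second byte of the opcode), leaving the displacement
	 * untouched.
	 */
	insn.opc = 0xc004 | (new_addr ? 0xf0 : 0);
	s390_kernel_write((char *)ip + 1, (char *)&insn.opc + 1, 1);

	/* Make the new code visible to the other CPUs. */
	text_poke_sync_lock();

	return 0;
}

/*
 * Trampoline JIT state: the common JIT context plus the stack frame layout
 * computed by __arch_prepare_bpf_trampoline(). All offsets are relative to
 * %r15 after the trampoline prologue.
 */
struct bpf_tramp_jit {
	struct bpf_jit common;
	int orig_stack_args_off;/* Offset of arguments placed on stack by the
				 * func_addr's original caller
				 */
	int stack_size;		/* Trampoline stack size */
	int backchain_off;	/* Offset of backchain */
	int stack_args_off;	/* Offset of stack arguments for calling
				 * func_addr, has to be at the top
				 */
	int reg_args_off;	/* Offset of register arguments for calling
				 * func_addr
				 */
	int ip_off;		/* For bpf_get_func_ip(), has to be at
				 * (ctx - 16)
				 */
	int func_meta_off;	/* For bpf_get_func_arg_cnt()/fsession, has
				 * to be at (ctx - 8)
				 */
	int bpf_args_off;	/* Offset of BPF_PROG context, which consists
				 * of BPF arguments followed by return value
				 */
	int retval_off;		/* Offset of return value (see above) */
	int r7_r8_off;		/* Offset of saved %r7 and %r8, which are used
				 * for __bpf_prog_enter() return value and
				 * func_addr respectively
				 */
	int run_ctx_off;	/* Offset of struct bpf_tramp_run_ctx */
	int tccnt_off;		/* Offset of saved tailcall counter */
	int r14_off;		/* Offset of saved %r14, has to be at the
				 * bottom */
	int do_fexit;		/* do_fexit: label */
};

/*
 * Load the 64-bit immediate "val" into dst_reg: llihf sets the high half
 * and clears the low one, oilf then ORs in the low half.
 */
static void load_imm64(struct bpf_jit *jit, int dst_reg, u64 val)
{
	/* llihf %dst_reg,val_hi */
	EMIT6_IMM(0xc00e0000, dst_reg, (val >> 32));
	/* oilf %dst_reg,val_lo */
	EMIT6_IMM(0xc00d0000, dst_reg, val);
}

/*
 * Store the 64-bit immediate "imm" at stack_off(%r15). tmp_reg is used as
 * scratch and is clobbered.
 */
static void emit_store_stack_imm64(struct bpf_jit *jit, int tmp_reg, int stack_off, u64 imm)
{
	load_imm64(jit, tmp_reg, imm);
	/* stg %tmp_reg,stack_off(%r15) */
	EMIT6_DISP_LH(0xe3000000, 0x0024, tmp_reg, REG_0, REG_15, stack_off);
}

/*
 * Emit the call sequence for one program "p" attached to the trampoline:
 *
 *	run_ctx.cookie = node->cookie;
 *	if ((start = __bpf_prog_enter(p, &run_ctx)) != 0) {
 *		retval = p->bpf_func(args, p->insnsi);
 *		if (save_ret)
 *			store retval (extended per "m") at retval_off;
 *	}
 *	__bpf_prog_exit(p, start, &run_ctx);
 *
 * "start" lives in %r7 across the program call (the trampoline prologue
 * saves %r7). The forward branch over the call is back-patched once its
 * target is known, and only when a program buffer exists (the sizing pass
 * has none). Returns 0 on success, -1 if sign_zero_extend() fails.
 */
static int invoke_bpf_prog(struct bpf_tramp_jit *tjit,
			   const struct btf_func_model *m,
			   struct bpf_tramp_node *node, bool save_ret)
{
	struct bpf_jit *jit = &tjit->common;
	int cookie_off = tjit->run_ctx_off +
			 offsetof(struct bpf_tramp_run_ctx, bpf_cookie);
	struct bpf_prog *p = node->link->prog;
	int patch;

	/*
	 * run_ctx.cookie = node->cookie;
	 */

	emit_store_stack_imm64(jit, REG_W0, cookie_off, node->cookie);

	/*
	 * if ((start = __bpf_prog_enter(p, &run_ctx)) == 0)
	 *         goto skip;
	 */

	/* %r2 = p */
	load_imm64(jit, REG_2, (u64)p);
	/* la %r3,run_ctx_off(%r15) */
	EMIT4_DISP(0x41000000, REG_3, REG_15, tjit->run_ctx_off);
	/* brasl %r14,__bpf_prog_enter */
	EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, bpf_trampoline_enter(p));
	/* ltgr %r7,%r2 */
	EMIT4(0xb9020000, REG_7, REG_2);
	/* brcl 8,skip */
	patch = jit->prg;	/* Offset of the brcl whose displacement is patched below */
	EMIT6_PCREL_RILC(0xc0040000, 8, 0);

	/*
	 * retval = bpf_func(args, p->insnsi);
	 */

	/* la %r2,bpf_args_off(%r15) */
	EMIT4_DISP(0x41000000, REG_2, REG_15, tjit->bpf_args_off);
	/* %r3 = p->insnsi (only needed by the interpreter entry of non-JITed progs) */
	if (!p->jited)
		load_imm64(jit, REG_3, (u64)p->insnsi);
	/* brasl %r14,p->bpf_func */
	EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, p->bpf_func);
	/* stg %r2,retval_off(%r15) */
	if (save_ret) {
		if (sign_zero_extend(jit, REG_2, m->ret_size, m->ret_flags))
			return -1;
		EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
			      tjit->retval_off);
	}

	/* skip: */
	/* The 32-bit displacement sits at offset 2 of the brcl; in halfwords. */
	if (jit->prg_buf)
		*(u32 *)&jit->prg_buf[patch + 2] = (jit->prg - patch) >> 1;

	/*
	 * __bpf_prog_exit(p, start, &run_ctx);
	 */

	/* %r2 = p */
	load_imm64(jit, REG_2, (u64)p);
	/* lgr %r3,%r7 */
	EMIT4(0xb9040000, REG_3, REG_7);
	/* la %r4,run_ctx_off(%r15) */
	EMIT4_DISP(0x41000000, REG_4, REG_15, tjit->run_ctx_off);
	/* brasl %r14,__bpf_prog_exit */
	EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, bpf_trampoline_exit(p));

	return 0;
}

/*
 * Emit calls to all programs of "tn" (see invoke_bpf_prog()).
 *
 * For a program that reads the session cookie, func_meta is first rewritten
 * on the stack with the index of that program's cookie slot. cur_cookie
 * starts at the number of 8-byte slots between cookie_off and bpf_args_off
 * and counts down, so each such program gets a slot of its own.
 * Returns 0 on success, -EINVAL if a program could not be emitted.
 */
static int invoke_bpf(struct bpf_tramp_jit *tjit,
		      const struct btf_func_model *m,
		      struct bpf_tramp_nodes *tn, bool save_ret,
		      u64 func_meta, int cookie_off)
{
	int i, cur_cookie = (tjit->bpf_args_off - cookie_off) / sizeof(u64);
	struct bpf_jit *jit = &tjit->common;

	for (i = 0; i < tn->nr_nodes; i++) {
		if (bpf_prog_calls_session_cookie(tn->nodes[i])) {
			u64 meta = func_meta | ((u64)cur_cookie << BPF_TRAMP_COOKIE_INDEX_SHIFT);

			emit_store_stack_imm64(jit, REG_0, tjit->func_meta_off, meta);
			cur_cookie--;
		}
		if (invoke_bpf_prog(tjit, m, tn->nodes[i], save_ret))
			return -EINVAL;
	}

	return 0;
}

/*
 * Reserve "size" bytes at the current top of the trampoline frame and return
 * their offset (bump allocation: tjit->stack_size grows by "size").
 */
static int alloc_stack(struct bpf_tramp_jit *tjit, size_t size)
{
	int stack_offset = tjit->stack_size;

	tjit->stack_size += size;
	return stack_offset;
}

/* ABI uses %r2 - %r6 for parameter passing. */
#define MAX_NR_REG_ARGS 5

/* The "L" field of the "mvc" instruction is 8 bits. */
#define MAX_MVC_SIZE 256
#define MAX_NR_STACK_ARGS (MAX_MVC_SIZE / sizeof(u64))

/* -mfentry generates a 6-byte nop on s390x. */
#define S390X_PATCH_SIZE 6

/*
 * Emit the BPF trampoline for func_addr.
 *
 * Called twice by arch_prepare_bpf_trampoline(): first without a program
 * buffer, to size the code and compute the frame layout in "tjit", then to
 * emit the same code into the image. The frame layout (see struct
 * bpf_tramp_jit) is computed first; the code then follows the order:
 * prologue (frame setup, saving arguments, %r7/%r8, %r14 and the tail call
 * counter), __bpf_tramp_enter(), fentry programs, fmod_ret programs, the
 * original function (BPF_TRAMP_F_CALL_ORIG), fexit programs,
 * __bpf_tramp_exit() and the epilogue that restores the frame and returns
 * or continues into the original function.
 *
 * Returns 0 on success, -ENOTSUPP if the function model cannot be handled
 * (more stack arguments than one mvc can copy, or an argument larger than
 * 16 bytes), -EINVAL if a program could not be emitted.
 */
static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
					 struct bpf_tramp_jit *tjit,
					 const struct btf_func_model *m,
					 u32 flags,
					 struct bpf_tramp_nodes *tnodes,
					 void *func_addr)
{
	struct bpf_tramp_nodes *fmod_ret = &tnodes[BPF_TRAMP_MODIFY_RETURN];
	struct bpf_tramp_nodes *fentry = &tnodes[BPF_TRAMP_FENTRY];
	struct bpf_tramp_nodes *fexit = &tnodes[BPF_TRAMP_FEXIT];
	int nr_bpf_args, nr_reg_args, nr_stack_args;
	int cookie_cnt, cookie_off, fsession_cnt;
	struct bpf_jit *jit = &tjit->common;
	int arg, bpf_arg_off;
	u64 func_meta;
	int i, j;

	/* Support as many stack arguments as "mvc" instruction can handle. */
	nr_reg_args = min_t(int, m->nr_args, MAX_NR_REG_ARGS);
	nr_stack_args = m->nr_args - nr_reg_args;
	if (nr_stack_args > MAX_NR_STACK_ARGS)
		return -ENOTSUPP;

	/* Return to %r14 in the struct_ops case. */
	if (flags & BPF_TRAMP_F_INDIRECT)
		flags |= BPF_TRAMP_F_SKIP_FRAME;

	/*
	 * Compute how many arguments we need to pass to BPF programs.
	 * BPF ABI mirrors that of x86_64: arguments that are 16 bytes or
	 * smaller are packed into 1 or 2 registers; larger arguments are
	 * passed via pointers.
	 * In s390x ABI, arguments that are 8 bytes or smaller are packed into
	 * a register; larger arguments are passed via pointers.
	 * We need to deal with this difference.
	 */
	nr_bpf_args = 0;
	for (i = 0; i < m->nr_args; i++) {
		if (m->arg_size[i] <= 8)
			nr_bpf_args += 1;
		else if (m->arg_size[i] <= 16)
			nr_bpf_args += 2;
		else
			return -ENOTSUPP;
	}

	cookie_cnt = bpf_fsession_cookie_cnt(tnodes);
	fsession_cnt = bpf_fsession_cnt(tnodes);

	/*
	 * Calculate the stack layout.
	 */

	/*
	 * Allocate STACK_FRAME_OVERHEAD bytes for the callees. As the s390x
	 * ABI requires, put our backchain at the end of the allocated memory.
	 */
	tjit->stack_size = STACK_FRAME_OVERHEAD;
	tjit->backchain_off = tjit->stack_size - sizeof(u64);
	tjit->stack_args_off = alloc_stack(tjit, nr_stack_args * sizeof(u64));
	tjit->reg_args_off = alloc_stack(tjit, nr_reg_args * sizeof(u64));
	cookie_off = alloc_stack(tjit, cookie_cnt * sizeof(u64));
	tjit->ip_off = alloc_stack(tjit, sizeof(u64));
	tjit->func_meta_off = alloc_stack(tjit, sizeof(u64));
	tjit->bpf_args_off = alloc_stack(tjit, nr_bpf_args * sizeof(u64));
	tjit->retval_off = alloc_stack(tjit, sizeof(u64));
	tjit->r7_r8_off = alloc_stack(tjit, 2 * sizeof(u64));
	tjit->run_ctx_off = alloc_stack(tjit,
					sizeof(struct bpf_tramp_run_ctx));
	tjit->tccnt_off = alloc_stack(tjit, sizeof(u64));
	tjit->r14_off = alloc_stack(tjit, sizeof(u64) * 2);
	/*
	 * In accordance with the s390x ABI, the caller has allocated
	 * STACK_FRAME_OVERHEAD bytes for us. 8 of them contain the caller's
	 * backchain, and the rest we can use.
	 */
	tjit->stack_size -= STACK_FRAME_OVERHEAD - sizeof(u64);
	tjit->orig_stack_args_off = tjit->stack_size + STACK_FRAME_OVERHEAD;

	/* lgr %r1,%r15 */
	EMIT4(0xb9040000, REG_1, REG_15);
	/* aghi %r15,-stack_size */
	EMIT4_IMM(0xa70b0000, REG_15, -tjit->stack_size);
	/* stg %r1,backchain_off(%r15) */
	EMIT6_DISP_LH(0xe3000000, 0x0024, REG_1, REG_0, REG_15,
		      tjit->backchain_off);
	/* mvc tccnt_off(4,%r15),stack_size+tail_call_cnt(%r15) */
	_EMIT6(0xd203f000 | tjit->tccnt_off,
	       0xf000 | (tjit->stack_size +
			 offsetof(struct prog_frame, tail_call_cnt)));
	/* stmg %r2,%rN,fwd_reg_args_off(%r15) */
	if (nr_reg_args)
		EMIT6_DISP_LH(0xeb000000, 0x0024, REG_2,
			      REG_2 + (nr_reg_args - 1), REG_15,
			      tjit->reg_args_off);
	/*
	 * Build the BPF_PROG context: "i" walks the native arguments (first
	 * MAX_NR_REG_ARGS in registers, the rest in the caller's frame), "j"
	 * the 8-byte BPF argument slots.
	 */
	for (i = 0, j = 0; i < m->nr_args; i++) {
		if (i < MAX_NR_REG_ARGS)
			arg = REG_2 + i;
		else
			arg = tjit->orig_stack_args_off +
			      (i - MAX_NR_REG_ARGS) * sizeof(u64);
		bpf_arg_off = tjit->bpf_args_off + j * sizeof(u64);
		if (m->arg_size[i] <= 8) {
			if (i < MAX_NR_REG_ARGS)
				/* stg %arg,bpf_arg_off(%r15) */
				EMIT6_DISP_LH(0xe3000000, 0x0024, arg,
					      REG_0, REG_15, bpf_arg_off);
			else
				/* mvc bpf_arg_off(8,%r15),arg(%r15) */
				_EMIT6(0xd207f000 | bpf_arg_off,
				       0xf000 | arg);
			j += 1;
		} else {
			/* 9..16 byte argument: native ABI passes a pointer, copy 16 bytes. */
			if (i < MAX_NR_REG_ARGS) {
				/* mvc bpf_arg_off(16,%r15),0(%arg) */
				_EMIT6(0xd20ff000 | bpf_arg_off,
				       reg2hex[arg] << 12);
			} else {
				/* lg %r1,arg(%r15) */
				EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, REG_0,
					      REG_15, arg);
				/* mvc bpf_arg_off(16,%r15),0(%r1) */
				_EMIT6(0xd20ff000 | bpf_arg_off, 0x1000);
			}
			j += 2;
		}
	}
	/* stmg %r7,%r8,r7_r8_off(%r15) */
	EMIT6_DISP_LH(0xeb000000, 0x0024, REG_7, REG_8, REG_15,
		      tjit->r7_r8_off);
	/* stg %r14,r14_off(%r15) */
	EMIT6_DISP_LH(0xe3000000, 0x0024, REG_14, REG_0, REG_15, tjit->r14_off);

	if (flags & BPF_TRAMP_F_ORIG_STACK) {
		/*
		 * The ftrace trampoline puts the return address (which is the
		 * address of the original function + S390X_PATCH_SIZE) into
		 * %r0; see ftrace_shared_hotpatch_trampoline_br and
		 * ftrace_init_nop() for details.
		 */

		/* lgr %r8,%r0 */
		EMIT4(0xb9040000, REG_8, REG_0);
	}

	/*
	 * ip = func_addr;
	 * arg_cnt = m->nr_args;
	 */

	if (flags & BPF_TRAMP_F_IP_ARG)
		emit_store_stack_imm64(jit, REG_0, tjit->ip_off, (u64)func_addr);
	func_meta = nr_bpf_args;
	/* lghi %r0,func_meta */
	EMIT4_IMM(0xa7090000, REG_0, func_meta);
	/* stg %r0,func_meta_off(%r15) */
	EMIT6_DISP_LH(0xe3000000, 0x0024, REG_0, REG_0, REG_15,
		      tjit->func_meta_off);

	if (flags & BPF_TRAMP_F_CALL_ORIG) {
		/*
		 * __bpf_tramp_enter(im);
		 */

		/* %r2 = im */
		load_imm64(jit, REG_2, (u64)im);
		/* brasl %r14,__bpf_tramp_enter */
		EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, __bpf_tramp_enter);
	}

	if (fsession_cnt) {
		/* Clear all the session cookies' value. */
		for (i = 0; i < cookie_cnt; i++)
			emit_store_stack_imm64(jit, REG_0, cookie_off + 8 * i, 0);
		/* Clear the return value to make sure fentry always gets 0. */
		emit_store_stack_imm64(jit, REG_0, tjit->retval_off, 0);
	}

	if (invoke_bpf(tjit, m, fentry, flags & BPF_TRAMP_F_RET_FENTRY_RET,
		       func_meta, cookie_off))
		return -EINVAL;

	if (fmod_ret->nr_nodes) {
		/*
		 * retval = 0;
		 */

		/* xc retval_off(8,%r15),retval_off(%r15) */
		_EMIT6(0xd707f000 | tjit->retval_off,
		       0xf000 | tjit->retval_off);

		for (i = 0; i < fmod_ret->nr_nodes; i++) {
			if (invoke_bpf_prog(tjit, m, fmod_ret->nodes[i], true))
				return -EINVAL;

			/*
			 * if (retval)
			 *         goto do_fexit;
			 */

			/* ltg %r0,retval_off(%r15) */
			EMIT6_DISP_LH(0xe3000000, 0x0002, REG_0, REG_0, REG_15,
				      tjit->retval_off);
			/*
			 * brcl 7,do_fexit
			 * tjit->do_fexit holds the offset recorded by the
			 * previous pass (0 in the sizing pass).
			 */
			EMIT6_PCREL_RILC(0xc0040000, 7, tjit->do_fexit);
		}
	}

	if (flags & BPF_TRAMP_F_CALL_ORIG) {
		/*
		 * retval = func_addr(args);
		 */

		/* lmg %r2,%rN,reg_args_off(%r15) */
		if (nr_reg_args)
			EMIT6_DISP_LH(0xeb000000, 0x0004, REG_2,
				      REG_2 + (nr_reg_args - 1), REG_15,
				      tjit->reg_args_off);
		/* mvc stack_args_off(N,%r15),orig_stack_args_off(%r15) */
		if (nr_stack_args)
			_EMIT6(0xd200f000 |
				       (nr_stack_args * sizeof(u64) - 1) << 16 |
				       tjit->stack_args_off,
			       0xf000 | tjit->orig_stack_args_off);
		/* mvc tail_call_cnt(4,%r15),tccnt_off(%r15) */
		_EMIT6(0xd203f000 | offsetof(struct prog_frame, tail_call_cnt),
		       0xf000 | tjit->tccnt_off);
		if (flags & BPF_TRAMP_F_ORIG_STACK) {
			/*
			 * Indirect call to the address in %r8: through the
			 * nospec thunk when the indirect-branch mitigation is
			 * active, otherwise directly.
			 */
			if (nospec_uses_trampoline())
				/* brasl %r14,__s390_indirect_jump_r8 */
				EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14,
						     __s390_indirect_jump_r8);
			else
				/* basr %r14,%r8 */
				EMIT2(0x0d00, REG_14, REG_8);
		} else {
			/* brasl %r14,func_addr+S390X_PATCH_SIZE */
			EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14,
					     func_addr + S390X_PATCH_SIZE);
		}
		/* stg %r2,retval_off(%r15) */
		EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
			      tjit->retval_off);
		/* mvc tccnt_off(4,%r15),tail_call_cnt(%r15) */
		_EMIT6(0xd203f000 | tjit->tccnt_off,
		       0xf000 | offsetof(struct prog_frame, tail_call_cnt));

		/*
		 * In the sizing pass prg_buf is NULL, so this is only an
		 * offset; the emit pass stores the real address.
		 */
		im->ip_after_call = jit->prg_buf + jit->prg;

		/*
		 * The following nop will be patched by bpf_tramp_image_put().
		 */

		/* brcl 0,im->ip_epilogue */
		EMIT6_PCREL_RILC(0xc0040000, 0, (u64)im->ip_epilogue);
	}

	/* Set the "is_return" flag for fsession. */
	func_meta |= (1ULL << BPF_TRAMP_IS_RETURN_SHIFT);
	if (fsession_cnt)
		emit_store_stack_imm64(jit, REG_W0, tjit->func_meta_off,
				       func_meta);

	/* do_fexit: */
	tjit->do_fexit = jit->prg;
	if (invoke_bpf(tjit, m, fexit, false, func_meta, cookie_off))
		return -EINVAL;

	if (flags & BPF_TRAMP_F_CALL_ORIG) {
		im->ip_epilogue = jit->prg_buf + jit->prg;

		/*
		 * __bpf_tramp_exit(im);
		 */

		/* %r2 = im */
		load_imm64(jit, REG_2, (u64)im);
		/* brasl %r14,__bpf_tramp_exit */
		EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, __bpf_tramp_exit);
	}

	/* lmg %r2,%rN,reg_args_off(%r15) */
	if ((flags & BPF_TRAMP_F_RESTORE_REGS) && nr_reg_args)
		EMIT6_DISP_LH(0xeb000000, 0x0004, REG_2,
			      REG_2 + (nr_reg_args - 1), REG_15,
			      tjit->reg_args_off);
	/* lgr %r1,%r8 (continuation address, %r8 is restored right below) */
	if (!(flags & BPF_TRAMP_F_SKIP_FRAME) &&
	    (flags & BPF_TRAMP_F_ORIG_STACK))
		EMIT4(0xb9040000, REG_1, REG_8);
	/* lmg %r7,%r8,r7_r8_off(%r15) */
	EMIT6_DISP_LH(0xeb000000, 0x0004, REG_7, REG_8, REG_15,
		      tjit->r7_r8_off);
	/* lg %r14,r14_off(%r15) */
	EMIT6_DISP_LH(0xe3000000, 0x0004, REG_14, REG_0, REG_15, tjit->r14_off);
	/* lg %r2,retval_off(%r15) */
	if (flags & (BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_RET_FENTRY_RET))
		EMIT6_DISP_LH(0xe3000000, 0x0004, REG_2, REG_0, REG_15,
			      tjit->retval_off);
	/* mvc stack_size+tail_call_cnt(4,%r15),tccnt_off(%r15) */
	_EMIT6(0xd203f000 |
		       (tjit->stack_size +
			offsetof(struct prog_frame, tail_call_cnt)),
	       0xf000 | tjit->tccnt_off);
	/* aghi %r15,stack_size */
	EMIT4_IMM(0xa70b0000, REG_15, tjit->stack_size);
	if (flags & BPF_TRAMP_F_SKIP_FRAME)
		EMIT_JUMP_REG(14);
	else if (flags & BPF_TRAMP_F_ORIG_STACK)
		EMIT_JUMP_REG(1);
	else
		/* brcl 0xf,func_addr+S390X_PATCH_SIZE */
		EMIT6_PCREL_RILC_PTR(0xc0040000, 0xf,
				     func_addr + S390X_PATCH_SIZE);
	return 0;
}

/*
 * Return the size of the trampoline arch_prepare_bpf_trampoline() would emit
 * for the given model, flags and programs, or a negative errno.
 *
 * Runs __arch_prepare_bpf_trampoline() without a program buffer. "im" is
 * only referenced by the emitted code (its address is loaded as an
 * immediate and im->ip_epilogue is read for the nop displacement), so a
 * zeroed dummy suffices; zeroing it keeps the sizing pass from reading
 * uninitialized stack.
 */
int arch_bpf_trampoline_size(const struct btf_func_model *m, u32 flags,
			     struct bpf_tramp_nodes *tnodes, void *orig_call)
{
	struct bpf_tramp_image im;
	struct bpf_tramp_jit tjit;
	int ret;

	memset(&im, 0, sizeof(im));
	memset(&tjit, 0, sizeof(tjit));

	ret = __arch_prepare_bpf_trampoline(&im, &tjit, m, flags,
					    tnodes, orig_call);

	return ret < 0 ? ret : tjit.common.prg;
}

/*
 * Emit the trampoline into [image, image_end).
 *
 * A dry run first sizes the code and computes the frame layout; if it fits,
 * the code is generated into "image". Returns the number of bytes emitted,
 * -E2BIG if the image is too small, or the error of the dry run.
 */
int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image,
				void *image_end, const struct btf_func_model *m,
				u32 flags, struct bpf_tramp_nodes *tnodes,
				void *func_addr)
{
	struct bpf_tramp_jit tjit;
	int ret;

	/* Compute offsets, check whether the code fits. */
	memset(&tjit, 0, sizeof(tjit));
	ret = __arch_prepare_bpf_trampoline(im, &tjit, m, flags,
					    tnodes, func_addr);

	if (ret < 0)
		return ret;
	if (tjit.common.prg > (char *)image_end - (char *)image)
		/*
		 * Use the same error code as for exceeding
		 * BPF_MAX_TRAMP_LINKS.
		 */
		return -E2BIG;

	/* Second run: same layout, now with a program buffer. */
	tjit.common.prg = 0;
	tjit.common.prg_buf = image;
	ret = __arch_prepare_bpf_trampoline(im, &tjit, m, flags,
					    tnodes, func_addr);

	return ret < 0 ? ret : tjit.common.prg;
}

bool bpf_jit_supports_subprog_tailcalls(void)
{
	return true;
}

bool bpf_jit_supports_arena(void)
{
	return true;
}

bool bpf_jit_supports_fsession(void)
{
	return true;
}

/*
 * All instructions are supported outside the arena. Within the arena,
 * atomic load/store forms and sign-extending loads are not.
 */
bool bpf_jit_supports_insn(struct bpf_insn *insn, bool in_arena)
{
	if (!in_arena)
		return true;
	switch (insn->code) {
	case BPF_STX | BPF_ATOMIC | BPF_B:
	case BPF_STX | BPF_ATOMIC | BPF_H:
	case BPF_STX | BPF_ATOMIC | BPF_W:
	case BPF_STX | BPF_ATOMIC | BPF_DW:
		if (bpf_atomic_is_load_store(insn))
			return false;
		break;
	case BPF_LDX | BPF_MEMSX | BPF_B:
	case BPF_LDX | BPF_MEMSX | BPF_H:
	case BPF_LDX | BPF_MEMSX | BPF_W:
		return false;
	}
	return true;
}

bool bpf_jit_supports_exceptions(void)
{
	/*
	 * Exceptions require unwinding support, which is always available,
	 * because the kernel is always built with backchain.
	 */
	return true;
}

/*
 * Walk the current kernel stack for BPF exception handling, calling
 * consume_fn(cookie, ip, sp, bp) per frame until it returns false or the
 * unwinder runs out of frames. Each return address is reported together
 * with the %r15 of the frame below it (hence the one-iteration delay), so
 * the innermost address is never reported on its own.
 */
void arch_bpf_stack_walk(bool (*consume_fn)(void *, u64, u64, u64),
			 void *cookie)
{
	unsigned long addr, prev_addr = 0;
	struct unwind_state state;

	unwind_for_each_frame(&state, NULL, NULL, 0) {
		addr = unwind_get_return_address(&state);
		if (!addr)
			break;
		/*
		 * addr is a return address and state.sp is the value of %r15
		 * at this address. exception_cb needs %r15 at entry to the
		 * function containing addr, so take the next state.sp.
		 *
		 * There is no bp, and the exception_cb prog does not need one
		 * to perform a quasi-longjmp. The common code requires a
		 * non-zero bp, so pass sp there as well.
		 */
		if (prev_addr && !consume_fn(cookie, prev_addr, state.sp,
					     state.sp))
			break;
		prev_addr = addr;
	}
}

bool bpf_jit_supports_timed_may_goto(void)
{
	return true;
}

/* Report which helper calls this JIT emits inline instead of calling. */
bool bpf_jit_inlines_helper_call(s32 imm)
{
	switch (imm) {
	case BPF_FUNC_get_smp_processor_id:
	case BPF_FUNC_get_current_task:
	case BPF_FUNC_get_current_task_btf:
		return true;
	default:
		return false;
	}
}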