While testing some other work that required JIT modifications, I
run into test_bpf causing a hang when JIT enabled on s390. The
problematic test case was the one from
ddc665a4bb4b (bpf, arm64:
fix jit branch offset related to ldimm64), and turns out that we
do have a similar issue on s390 as well. In bpf_jit_prog() we
update next instruction address after returning from bpf_jit_insn()
with an insn_count. bpf_jit_insn() returns either -1 in case of
error (e.g. unsupported insn), 1 or 2. The latter is only the
case for ldimm64 due to spanning 2 insns, however, next address
is only set to i + 1 not taking actual insn_count into account,
thus fix is to use insn_count instead of 1. bpf_jit_enable in
mode 2 provides also disasm on s390:
Before fix:
000003ff800349b6:
a7f40003 brc 15,
3ff800349bc ; target
000003ff800349ba: 0000 unknown
000003ff800349bc:
e3b0f0700024 stg %r11,112(%r15)
000003ff800349c2:
e3e0f0880024 stg %r14,136(%r15)
000003ff800349c8: 0db0 basr %r11,%r0
000003ff800349ca:
c0ef00000000 llilf %r14,0
000003ff800349d0:
e320b0360004 lg %r2,54(%r11)
000003ff800349d6:
e330b03e0004 lg %r3,62(%r11)
000003ff800349dc:
ec23ffeda065 clgrj %r2,%r3,10,
3ff800349b6 ; jmp
000003ff800349e2:
e3e0b0460004 lg %r14,70(%r11)
000003ff800349e8:
e3e0b04e0004 lg %r14,78(%r11)
000003ff800349ee:
b904002e lgr %r2,%r14
000003ff800349f2:
e3b0f0700004 lg %r11,112(%r15)
000003ff800349f8:
e3e0f0880004 lg %r14,136(%r15)
000003ff800349fe: 07fe bcr 15,%r14
After fix:
000003ff80ef3db4:
a7f40003 brc 15,
3ff80ef3dba
000003ff80ef3db8: 0000 unknown
000003ff80ef3dba:
e3b0f0700024 stg %r11,112(%r15)
000003ff80ef3dc0:
e3e0f0880024 stg %r14,136(%r15)
000003ff80ef3dc6: 0db0 basr %r11,%r0
000003ff80ef3dc8:
c0ef00000000 llilf %r14,0
000003ff80ef3dce:
e320b0360004 lg %r2,54(%r11)
000003ff80ef3dd4:
e330b03e0004 lg %r3,62(%r11)
000003ff80ef3dda:
ec230006a065 clgrj %r2,%r3,10,
3ff80ef3de6 ; jmp
000003ff80ef3de0:
e3e0b0460004 lg %r14,70(%r11)
000003ff80ef3de6:
e3e0b04e0004 lg %r14,78(%r11) ; target
000003ff80ef3dec:
b904002e lgr %r2,%r14
000003ff80ef3df0:
e3b0f0700004 lg %r11,112(%r15)
000003ff80ef3df6:
e3e0f0880004 lg %r14,136(%r15)
000003ff80ef3dfc: 07fe bcr 15,%r14
test_bpf.ko suite runs fine after the fix.
Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
insn_count = bpf_jit_insn(jit, fp, i);
if (insn_count < 0)
return -1;
- jit->addrs[i + 1] = jit->prg; /* Next instruction address */
+ /* Next instruction address */
+ jit->addrs[i + insn_count] = jit->prg;
}
bpf_jit_epilogue(jit);