Loading...
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Just-In-Time compiler for eBPF filters on IA32 (32bit x86)
4 *
5 * Author: Wang YanQing (udknight@gmail.com)
6 * The code based on code and ideas from:
7 * Eric Dumazet (eric.dumazet@gmail.com)
8 * and from:
9 * Shubham Bansal <illusionist.neo@gmail.com>
10 */
11
12#include <linux/netdevice.h>
13#include <linux/filter.h>
14#include <linux/if_vlan.h>
15#include <asm/cacheflush.h>
16#include <asm/set_memory.h>
17#include <asm/nospec-branch.h>
18#include <asm/asm-prototypes.h>
19#include <linux/bpf.h>
20
21/*
22 * eBPF prog stack layout:
23 *
24 * high
25 * original ESP => +-----+
26 * | | callee saved registers
27 * +-----+
28 * | ... | eBPF JIT scratch space
29 * BPF_FP,IA32_EBP => +-----+
30 * | ... | eBPF prog stack
31 * +-----+
32 * |RSVD | JIT scratchpad
33 * current ESP => +-----+
34 * | |
35 * | ... | Function call stack
36 * | |
37 * +-----+
38 * low
39 *
40 * The callee saved registers:
41 *
42 * high
43 * original ESP => +------------------+ \
44 * | ebp | |
45 * current EBP => +------------------+ } callee saved registers
46 * | ebx,esi,edi | |
47 * +------------------+ /
48 * low
49 */
50
51static u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
52{
53 if (len == 1)
54 *ptr = bytes;
55 else if (len == 2)
56 *(u16 *)ptr = bytes;
57 else {
58 *(u32 *)ptr = bytes;
59 barrier();
60 }
61 return ptr + len;
62}
63
64#define EMIT(bytes, len) \
65 do { prog = emit_code(prog, bytes, len); cnt += len; } while (0)
66
67#define EMIT1(b1) EMIT(b1, 1)
68#define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2)
69#define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3)
70#define EMIT4(b1, b2, b3, b4) \
71 EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4)
72
73#define EMIT1_off32(b1, off) \
74 do { EMIT1(b1); EMIT(off, 4); } while (0)
75#define EMIT2_off32(b1, b2, off) \
76 do { EMIT2(b1, b2); EMIT(off, 4); } while (0)
77#define EMIT3_off32(b1, b2, b3, off) \
78 do { EMIT3(b1, b2, b3); EMIT(off, 4); } while (0)
79#define EMIT4_off32(b1, b2, b3, b4, off) \
80 do { EMIT4(b1, b2, b3, b4); EMIT(off, 4); } while (0)
81
82#define jmp_label(label, jmp_insn_len) (label - cnt - jmp_insn_len)
83
84static bool is_imm8(int value)
85{
86 return value <= 127 && value >= -128;
87}
88
89static bool is_simm32(s64 value)
90{
91 return value == (s64) (s32) value;
92}
93
94#define STACK_OFFSET(k) (k)
95#define TCALL_CNT (MAX_BPF_JIT_REG + 0) /* Tail Call Count */
96
97#define IA32_EAX (0x0)
98#define IA32_EBX (0x3)
99#define IA32_ECX (0x1)
100#define IA32_EDX (0x2)
101#define IA32_ESI (0x6)
102#define IA32_EDI (0x7)
103#define IA32_EBP (0x5)
104#define IA32_ESP (0x4)
105
106/*
107 * List of x86 cond jumps opcodes (. + s8)
108 * Add 0x10 (and an extra 0x0f) to generate far jumps (. + s32)
109 */
110#define IA32_JB 0x72
111#define IA32_JAE 0x73
112#define IA32_JE 0x74
113#define IA32_JNE 0x75
114#define IA32_JBE 0x76
115#define IA32_JA 0x77
116#define IA32_JL 0x7C
117#define IA32_JGE 0x7D
118#define IA32_JLE 0x7E
119#define IA32_JG 0x7F
120
121#define COND_JMP_OPCODE_INVALID (0xFF)
122
123/*
124 * Map eBPF registers to IA32 32bit registers or stack scratch space.
125 *
126 * 1. All the registers, R0-R10, are mapped to scratch space on stack.
127 * 2. We need two 64 bit temp registers to do complex operations on eBPF
128 * registers.
129 * 3. For performance reason, the BPF_REG_AX for blinding constant, is
130 * mapped to real hardware register pair, IA32_ESI and IA32_EDI.
131 *
132 * As the eBPF registers are all 64 bit registers and IA32 has only 32 bit
133 * registers, we have to map each eBPF registers with two IA32 32 bit regs
134 * or scratch memory space and we have to build eBPF 64 bit register from those.
135 *
136 * We use IA32_EAX, IA32_EDX, IA32_ECX, IA32_EBX as temporary registers.
137 */
138static const u8 bpf2ia32[][2] = {
139 /* Return value from in-kernel function, and exit value from eBPF */
140 [BPF_REG_0] = {STACK_OFFSET(0), STACK_OFFSET(4)},
141
142 /* The arguments from eBPF program to in-kernel function */
143 /* Stored on stack scratch space */
144 [BPF_REG_1] = {STACK_OFFSET(8), STACK_OFFSET(12)},
145 [BPF_REG_2] = {STACK_OFFSET(16), STACK_OFFSET(20)},
146 [BPF_REG_3] = {STACK_OFFSET(24), STACK_OFFSET(28)},
147 [BPF_REG_4] = {STACK_OFFSET(32), STACK_OFFSET(36)},
148 [BPF_REG_5] = {STACK_OFFSET(40), STACK_OFFSET(44)},
149
150 /* Callee saved registers that in-kernel function will preserve */
151 /* Stored on stack scratch space */
152 [BPF_REG_6] = {STACK_OFFSET(48), STACK_OFFSET(52)},
153 [BPF_REG_7] = {STACK_OFFSET(56), STACK_OFFSET(60)},
154 [BPF_REG_8] = {STACK_OFFSET(64), STACK_OFFSET(68)},
155 [BPF_REG_9] = {STACK_OFFSET(72), STACK_OFFSET(76)},
156
157 /* Read only Frame Pointer to access Stack */
158 [BPF_REG_FP] = {STACK_OFFSET(80), STACK_OFFSET(84)},
159
160 /* Temporary register for blinding constants. */
161 [BPF_REG_AX] = {IA32_ESI, IA32_EDI},
162
163 /* Tail call count. Stored on stack scratch space. */
164 [TCALL_CNT] = {STACK_OFFSET(88), STACK_OFFSET(92)},
165};
166
167#define dst_lo dst[0]
168#define dst_hi dst[1]
169#define src_lo src[0]
170#define src_hi src[1]
171
172#define STACK_ALIGNMENT 8
173/*
174 * Stack space for BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4,
175 * BPF_REG_5, BPF_REG_6, BPF_REG_7, BPF_REG_8, BPF_REG_9,
176 * BPF_REG_FP, BPF_REG_AX and Tail call counts.
177 */
178#define SCRATCH_SIZE 96
179
180/* Total stack size used in JITed code */
181#define _STACK_SIZE (stack_depth + SCRATCH_SIZE)
182
183#define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT)
184
185/* Get the offset of eBPF REGISTERs stored on scratch space. */
186#define STACK_VAR(off) (off)
187
188/* Encode 'dst_reg' register into IA32 opcode 'byte' */
189static u8 add_1reg(u8 byte, u32 dst_reg)
190{
191 return byte + dst_reg;
192}
193
194/* Encode 'dst_reg' and 'src_reg' registers into IA32 opcode 'byte' */
195static u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
196{
197 return byte + dst_reg + (src_reg << 3);
198}
199
200static void jit_fill_hole(void *area, unsigned int size)
201{
202 /* Fill whole space with int3 instructions */
203 memset(area, 0xcc, size);
204}
205
206static inline void emit_ia32_mov_i(const u8 dst, const u32 val, bool dstk,
207 u8 **pprog)
208{
209 u8 *prog = *pprog;
210 int cnt = 0;
211
212 if (dstk) {
213 if (val == 0) {
214 /* xor eax,eax */
215 EMIT2(0x33, add_2reg(0xC0, IA32_EAX, IA32_EAX));
216 /* mov dword ptr [ebp+off],eax */
217 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
218 STACK_VAR(dst));
219 } else {
220 EMIT3_off32(0xC7, add_1reg(0x40, IA32_EBP),
221 STACK_VAR(dst), val);
222 }
223 } else {
224 if (val == 0)
225 EMIT2(0x33, add_2reg(0xC0, dst, dst));
226 else
227 EMIT2_off32(0xC7, add_1reg(0xC0, dst),
228 val);
229 }
230 *pprog = prog;
231}
232
233/* dst = imm (4 bytes)*/
234static inline void emit_ia32_mov_r(const u8 dst, const u8 src, bool dstk,
235 bool sstk, u8 **pprog)
236{
237 u8 *prog = *pprog;
238 int cnt = 0;
239 u8 sreg = sstk ? IA32_EAX : src;
240
241 if (sstk)
242 /* mov eax,dword ptr [ebp+off] */
243 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(src));
244 if (dstk)
245 /* mov dword ptr [ebp+off],eax */
246 EMIT3(0x89, add_2reg(0x40, IA32_EBP, sreg), STACK_VAR(dst));
247 else
248 /* mov dst,sreg */
249 EMIT2(0x89, add_2reg(0xC0, dst, sreg));
250
251 *pprog = prog;
252}
253
254/* dst = src */
255static inline void emit_ia32_mov_r64(const bool is64, const u8 dst[],
256 const u8 src[], bool dstk,
257 bool sstk, u8 **pprog,
258 const struct bpf_prog_aux *aux)
259{
260 emit_ia32_mov_r(dst_lo, src_lo, dstk, sstk, pprog);
261 if (is64)
262 /* complete 8 byte move */
263 emit_ia32_mov_r(dst_hi, src_hi, dstk, sstk, pprog);
264 else if (!aux->verifier_zext)
265 /* zero out high 4 bytes */
266 emit_ia32_mov_i(dst_hi, 0, dstk, pprog);
267}
268
269/* Sign extended move */
270static inline void emit_ia32_mov_i64(const bool is64, const u8 dst[],
271 const u32 val, bool dstk, u8 **pprog)
272{
273 u32 hi = 0;
274
275 if (is64 && (val & (1<<31)))
276 hi = (u32)~0;
277 emit_ia32_mov_i(dst_lo, val, dstk, pprog);
278 emit_ia32_mov_i(dst_hi, hi, dstk, pprog);
279}
280
281/*
282 * ALU operation (32 bit)
283 * dst = dst * src
284 */
285static inline void emit_ia32_mul_r(const u8 dst, const u8 src, bool dstk,
286 bool sstk, u8 **pprog)
287{
288 u8 *prog = *pprog;
289 int cnt = 0;
290 u8 sreg = sstk ? IA32_ECX : src;
291
292 if (sstk)
293 /* mov ecx,dword ptr [ebp+off] */
294 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src));
295
296 if (dstk)
297 /* mov eax,dword ptr [ebp+off] */
298 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
299 else
300 /* mov eax,dst */
301 EMIT2(0x8B, add_2reg(0xC0, dst, IA32_EAX));
302
303
304 EMIT2(0xF7, add_1reg(0xE0, sreg));
305
306 if (dstk)
307 /* mov dword ptr [ebp+off],eax */
308 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
309 STACK_VAR(dst));
310 else
311 /* mov dst,eax */
312 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EAX));
313
314 *pprog = prog;
315}
316
317static inline void emit_ia32_to_le_r64(const u8 dst[], s32 val,
318 bool dstk, u8 **pprog,
319 const struct bpf_prog_aux *aux)
320{
321 u8 *prog = *pprog;
322 int cnt = 0;
323 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
324 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
325
326 if (dstk && val != 64) {
327 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
328 STACK_VAR(dst_lo));
329 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
330 STACK_VAR(dst_hi));
331 }
332 switch (val) {
333 case 16:
334 /*
335 * Emit 'movzwl eax,ax' to zero extend 16-bit
336 * into 64 bit
337 */
338 EMIT2(0x0F, 0xB7);
339 EMIT1(add_2reg(0xC0, dreg_lo, dreg_lo));
340 if (!aux->verifier_zext)
341 /* xor dreg_hi,dreg_hi */
342 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
343 break;
344 case 32:
345 if (!aux->verifier_zext)
346 /* xor dreg_hi,dreg_hi */
347 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
348 break;
349 case 64:
350 /* nop */
351 break;
352 }
353
354 if (dstk && val != 64) {
355 /* mov dword ptr [ebp+off],dreg_lo */
356 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
357 STACK_VAR(dst_lo));
358 /* mov dword ptr [ebp+off],dreg_hi */
359 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
360 STACK_VAR(dst_hi));
361 }
362 *pprog = prog;
363}
364
365static inline void emit_ia32_to_be_r64(const u8 dst[], s32 val,
366 bool dstk, u8 **pprog,
367 const struct bpf_prog_aux *aux)
368{
369 u8 *prog = *pprog;
370 int cnt = 0;
371 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
372 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
373
374 if (dstk) {
375 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
376 STACK_VAR(dst_lo));
377 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
378 STACK_VAR(dst_hi));
379 }
380 switch (val) {
381 case 16:
382 /* Emit 'ror %ax, 8' to swap lower 2 bytes */
383 EMIT1(0x66);
384 EMIT3(0xC1, add_1reg(0xC8, dreg_lo), 8);
385
386 EMIT2(0x0F, 0xB7);
387 EMIT1(add_2reg(0xC0, dreg_lo, dreg_lo));
388
389 if (!aux->verifier_zext)
390 /* xor dreg_hi,dreg_hi */
391 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
392 break;
393 case 32:
394 /* Emit 'bswap eax' to swap lower 4 bytes */
395 EMIT1(0x0F);
396 EMIT1(add_1reg(0xC8, dreg_lo));
397
398 if (!aux->verifier_zext)
399 /* xor dreg_hi,dreg_hi */
400 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
401 break;
402 case 64:
403 /* Emit 'bswap eax' to swap lower 4 bytes */
404 EMIT1(0x0F);
405 EMIT1(add_1reg(0xC8, dreg_lo));
406
407 /* Emit 'bswap edx' to swap lower 4 bytes */
408 EMIT1(0x0F);
409 EMIT1(add_1reg(0xC8, dreg_hi));
410
411 /* mov ecx,dreg_hi */
412 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, dreg_hi));
413 /* mov dreg_hi,dreg_lo */
414 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
415 /* mov dreg_lo,ecx */
416 EMIT2(0x89, add_2reg(0xC0, dreg_lo, IA32_ECX));
417
418 break;
419 }
420 if (dstk) {
421 /* mov dword ptr [ebp+off],dreg_lo */
422 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
423 STACK_VAR(dst_lo));
424 /* mov dword ptr [ebp+off],dreg_hi */
425 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
426 STACK_VAR(dst_hi));
427 }
428 *pprog = prog;
429}
430
431/*
432 * ALU operation (32 bit)
433 * dst = dst (div|mod) src
434 */
435static inline void emit_ia32_div_mod_r(const u8 op, const u8 dst, const u8 src,
436 bool dstk, bool sstk, u8 **pprog)
437{
438 u8 *prog = *pprog;
439 int cnt = 0;
440
441 if (sstk)
442 /* mov ecx,dword ptr [ebp+off] */
443 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
444 STACK_VAR(src));
445 else if (src != IA32_ECX)
446 /* mov ecx,src */
447 EMIT2(0x8B, add_2reg(0xC0, src, IA32_ECX));
448
449 if (dstk)
450 /* mov eax,dword ptr [ebp+off] */
451 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
452 STACK_VAR(dst));
453 else
454 /* mov eax,dst */
455 EMIT2(0x8B, add_2reg(0xC0, dst, IA32_EAX));
456
457 /* xor edx,edx */
458 EMIT2(0x31, add_2reg(0xC0, IA32_EDX, IA32_EDX));
459 /* div ecx */
460 EMIT2(0xF7, add_1reg(0xF0, IA32_ECX));
461
462 if (op == BPF_MOD) {
463 if (dstk)
464 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
465 STACK_VAR(dst));
466 else
467 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EDX));
468 } else {
469 if (dstk)
470 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
471 STACK_VAR(dst));
472 else
473 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EAX));
474 }
475 *pprog = prog;
476}
477
478/*
479 * ALU operation (32 bit)
480 * dst = dst (shift) src
481 */
482static inline void emit_ia32_shift_r(const u8 op, const u8 dst, const u8 src,
483 bool dstk, bool sstk, u8 **pprog)
484{
485 u8 *prog = *pprog;
486 int cnt = 0;
487 u8 dreg = dstk ? IA32_EAX : dst;
488 u8 b2;
489
490 if (dstk)
491 /* mov eax,dword ptr [ebp+off] */
492 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
493
494 if (sstk)
495 /* mov ecx,dword ptr [ebp+off] */
496 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src));
497 else if (src != IA32_ECX)
498 /* mov ecx,src */
499 EMIT2(0x8B, add_2reg(0xC0, src, IA32_ECX));
500
501 switch (op) {
502 case BPF_LSH:
503 b2 = 0xE0; break;
504 case BPF_RSH:
505 b2 = 0xE8; break;
506 case BPF_ARSH:
507 b2 = 0xF8; break;
508 default:
509 return;
510 }
511 EMIT2(0xD3, add_1reg(b2, dreg));
512
513 if (dstk)
514 /* mov dword ptr [ebp+off],dreg */
515 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg), STACK_VAR(dst));
516 *pprog = prog;
517}
518
519/*
520 * ALU operation (32 bit)
521 * dst = dst (op) src
522 */
523static inline void emit_ia32_alu_r(const bool is64, const bool hi, const u8 op,
524 const u8 dst, const u8 src, bool dstk,
525 bool sstk, u8 **pprog)
526{
527 u8 *prog = *pprog;
528 int cnt = 0;
529 u8 sreg = sstk ? IA32_EAX : src;
530 u8 dreg = dstk ? IA32_EDX : dst;
531
532 if (sstk)
533 /* mov eax,dword ptr [ebp+off] */
534 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(src));
535
536 if (dstk)
537 /* mov eax,dword ptr [ebp+off] */
538 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(dst));
539
540 switch (BPF_OP(op)) {
541 /* dst = dst + src */
542 case BPF_ADD:
543 if (hi && is64)
544 EMIT2(0x11, add_2reg(0xC0, dreg, sreg));
545 else
546 EMIT2(0x01, add_2reg(0xC0, dreg, sreg));
547 break;
548 /* dst = dst - src */
549 case BPF_SUB:
550 if (hi && is64)
551 EMIT2(0x19, add_2reg(0xC0, dreg, sreg));
552 else
553 EMIT2(0x29, add_2reg(0xC0, dreg, sreg));
554 break;
555 /* dst = dst | src */
556 case BPF_OR:
557 EMIT2(0x09, add_2reg(0xC0, dreg, sreg));
558 break;
559 /* dst = dst & src */
560 case BPF_AND:
561 EMIT2(0x21, add_2reg(0xC0, dreg, sreg));
562 break;
563 /* dst = dst ^ src */
564 case BPF_XOR:
565 EMIT2(0x31, add_2reg(0xC0, dreg, sreg));
566 break;
567 }
568
569 if (dstk)
570 /* mov dword ptr [ebp+off],dreg */
571 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg),
572 STACK_VAR(dst));
573 *pprog = prog;
574}
575
576/* ALU operation (64 bit) */
577static inline void emit_ia32_alu_r64(const bool is64, const u8 op,
578 const u8 dst[], const u8 src[],
579 bool dstk, bool sstk,
580 u8 **pprog, const struct bpf_prog_aux *aux)
581{
582 u8 *prog = *pprog;
583
584 emit_ia32_alu_r(is64, false, op, dst_lo, src_lo, dstk, sstk, &prog);
585 if (is64)
586 emit_ia32_alu_r(is64, true, op, dst_hi, src_hi, dstk, sstk,
587 &prog);
588 else if (!aux->verifier_zext)
589 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
590 *pprog = prog;
591}
592
593/*
594 * ALU operation (32 bit)
595 * dst = dst (op) val
596 */
597static inline void emit_ia32_alu_i(const bool is64, const bool hi, const u8 op,
598 const u8 dst, const s32 val, bool dstk,
599 u8 **pprog)
600{
601 u8 *prog = *pprog;
602 int cnt = 0;
603 u8 dreg = dstk ? IA32_EAX : dst;
604 u8 sreg = IA32_EDX;
605
606 if (dstk)
607 /* mov eax,dword ptr [ebp+off] */
608 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
609
610 if (!is_imm8(val))
611 /* mov edx,imm32*/
612 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EDX), val);
613
614 switch (op) {
615 /* dst = dst + val */
616 case BPF_ADD:
617 if (hi && is64) {
618 if (is_imm8(val))
619 EMIT3(0x83, add_1reg(0xD0, dreg), val);
620 else
621 EMIT2(0x11, add_2reg(0xC0, dreg, sreg));
622 } else {
623 if (is_imm8(val))
624 EMIT3(0x83, add_1reg(0xC0, dreg), val);
625 else
626 EMIT2(0x01, add_2reg(0xC0, dreg, sreg));
627 }
628 break;
629 /* dst = dst - val */
630 case BPF_SUB:
631 if (hi && is64) {
632 if (is_imm8(val))
633 EMIT3(0x83, add_1reg(0xD8, dreg), val);
634 else
635 EMIT2(0x19, add_2reg(0xC0, dreg, sreg));
636 } else {
637 if (is_imm8(val))
638 EMIT3(0x83, add_1reg(0xE8, dreg), val);
639 else
640 EMIT2(0x29, add_2reg(0xC0, dreg, sreg));
641 }
642 break;
643 /* dst = dst | val */
644 case BPF_OR:
645 if (is_imm8(val))
646 EMIT3(0x83, add_1reg(0xC8, dreg), val);
647 else
648 EMIT2(0x09, add_2reg(0xC0, dreg, sreg));
649 break;
650 /* dst = dst & val */
651 case BPF_AND:
652 if (is_imm8(val))
653 EMIT3(0x83, add_1reg(0xE0, dreg), val);
654 else
655 EMIT2(0x21, add_2reg(0xC0, dreg, sreg));
656 break;
657 /* dst = dst ^ val */
658 case BPF_XOR:
659 if (is_imm8(val))
660 EMIT3(0x83, add_1reg(0xF0, dreg), val);
661 else
662 EMIT2(0x31, add_2reg(0xC0, dreg, sreg));
663 break;
664 case BPF_NEG:
665 EMIT2(0xF7, add_1reg(0xD8, dreg));
666 break;
667 }
668
669 if (dstk)
670 /* mov dword ptr [ebp+off],dreg */
671 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg),
672 STACK_VAR(dst));
673 *pprog = prog;
674}
675
676/* ALU operation (64 bit) */
677static inline void emit_ia32_alu_i64(const bool is64, const u8 op,
678 const u8 dst[], const u32 val,
679 bool dstk, u8 **pprog,
680 const struct bpf_prog_aux *aux)
681{
682 u8 *prog = *pprog;
683 u32 hi = 0;
684
685 if (is64 && (val & (1<<31)))
686 hi = (u32)~0;
687
688 emit_ia32_alu_i(is64, false, op, dst_lo, val, dstk, &prog);
689 if (is64)
690 emit_ia32_alu_i(is64, true, op, dst_hi, hi, dstk, &prog);
691 else if (!aux->verifier_zext)
692 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
693
694 *pprog = prog;
695}
696
697/* dst = ~dst (64 bit) */
698static inline void emit_ia32_neg64(const u8 dst[], bool dstk, u8 **pprog)
699{
700 u8 *prog = *pprog;
701 int cnt = 0;
702 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
703 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
704
705 if (dstk) {
706 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
707 STACK_VAR(dst_lo));
708 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
709 STACK_VAR(dst_hi));
710 }
711
712 /* neg dreg_lo */
713 EMIT2(0xF7, add_1reg(0xD8, dreg_lo));
714 /* adc dreg_hi,0x0 */
715 EMIT3(0x83, add_1reg(0xD0, dreg_hi), 0x00);
716 /* neg dreg_hi */
717 EMIT2(0xF7, add_1reg(0xD8, dreg_hi));
718
719 if (dstk) {
720 /* mov dword ptr [ebp+off],dreg_lo */
721 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
722 STACK_VAR(dst_lo));
723 /* mov dword ptr [ebp+off],dreg_hi */
724 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
725 STACK_VAR(dst_hi));
726 }
727 *pprog = prog;
728}
729
730/* dst = dst << src */
731static inline void emit_ia32_lsh_r64(const u8 dst[], const u8 src[],
732 bool dstk, bool sstk, u8 **pprog)
733{
734 u8 *prog = *pprog;
735 int cnt = 0;
736 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
737 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
738
739 if (dstk) {
740 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
741 STACK_VAR(dst_lo));
742 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
743 STACK_VAR(dst_hi));
744 }
745
746 if (sstk)
747 /* mov ecx,dword ptr [ebp+off] */
748 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
749 STACK_VAR(src_lo));
750 else
751 /* mov ecx,src_lo */
752 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
753
754 /* shld dreg_hi,dreg_lo,cl */
755 EMIT3(0x0F, 0xA5, add_2reg(0xC0, dreg_hi, dreg_lo));
756 /* shl dreg_lo,cl */
757 EMIT2(0xD3, add_1reg(0xE0, dreg_lo));
758
759 /* if ecx >= 32, mov dreg_lo into dreg_hi and clear dreg_lo */
760
761 /* cmp ecx,32 */
762 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
763 /* skip the next two instructions (4 bytes) when < 32 */
764 EMIT2(IA32_JB, 4);
765
766 /* mov dreg_hi,dreg_lo */
767 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
768 /* xor dreg_lo,dreg_lo */
769 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
770
771 if (dstk) {
772 /* mov dword ptr [ebp+off],dreg_lo */
773 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
774 STACK_VAR(dst_lo));
775 /* mov dword ptr [ebp+off],dreg_hi */
776 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
777 STACK_VAR(dst_hi));
778 }
779 /* out: */
780 *pprog = prog;
781}
782
783/* dst = dst >> src (signed)*/
784static inline void emit_ia32_arsh_r64(const u8 dst[], const u8 src[],
785 bool dstk, bool sstk, u8 **pprog)
786{
787 u8 *prog = *pprog;
788 int cnt = 0;
789 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
790 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
791
792 if (dstk) {
793 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
794 STACK_VAR(dst_lo));
795 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
796 STACK_VAR(dst_hi));
797 }
798
799 if (sstk)
800 /* mov ecx,dword ptr [ebp+off] */
801 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
802 STACK_VAR(src_lo));
803 else
804 /* mov ecx,src_lo */
805 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
806
807 /* shrd dreg_lo,dreg_hi,cl */
808 EMIT3(0x0F, 0xAD, add_2reg(0xC0, dreg_lo, dreg_hi));
809 /* sar dreg_hi,cl */
810 EMIT2(0xD3, add_1reg(0xF8, dreg_hi));
811
812 /* if ecx >= 32, mov dreg_hi to dreg_lo and set/clear dreg_hi depending on sign */
813
814 /* cmp ecx,32 */
815 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
816 /* skip the next two instructions (5 bytes) when < 32 */
817 EMIT2(IA32_JB, 5);
818
819 /* mov dreg_lo,dreg_hi */
820 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
821 /* sar dreg_hi,31 */
822 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
823
824 if (dstk) {
825 /* mov dword ptr [ebp+off],dreg_lo */
826 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
827 STACK_VAR(dst_lo));
828 /* mov dword ptr [ebp+off],dreg_hi */
829 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
830 STACK_VAR(dst_hi));
831 }
832 /* out: */
833 *pprog = prog;
834}
835
836/* dst = dst >> src */
837static inline void emit_ia32_rsh_r64(const u8 dst[], const u8 src[], bool dstk,
838 bool sstk, u8 **pprog)
839{
840 u8 *prog = *pprog;
841 int cnt = 0;
842 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
843 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
844
845 if (dstk) {
846 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
847 STACK_VAR(dst_lo));
848 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
849 STACK_VAR(dst_hi));
850 }
851
852 if (sstk)
853 /* mov ecx,dword ptr [ebp+off] */
854 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
855 STACK_VAR(src_lo));
856 else
857 /* mov ecx,src_lo */
858 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
859
860 /* shrd dreg_lo,dreg_hi,cl */
861 EMIT3(0x0F, 0xAD, add_2reg(0xC0, dreg_lo, dreg_hi));
862 /* shr dreg_hi,cl */
863 EMIT2(0xD3, add_1reg(0xE8, dreg_hi));
864
865 /* if ecx >= 32, mov dreg_hi to dreg_lo and clear dreg_hi */
866
867 /* cmp ecx,32 */
868 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
869 /* skip the next two instructions (4 bytes) when < 32 */
870 EMIT2(IA32_JB, 4);
871
872 /* mov dreg_lo,dreg_hi */
873 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
874 /* xor dreg_hi,dreg_hi */
875 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
876
877 if (dstk) {
878 /* mov dword ptr [ebp+off],dreg_lo */
879 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
880 STACK_VAR(dst_lo));
881 /* mov dword ptr [ebp+off],dreg_hi */
882 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
883 STACK_VAR(dst_hi));
884 }
885 /* out: */
886 *pprog = prog;
887}
888
889/* dst = dst << val */
890static inline void emit_ia32_lsh_i64(const u8 dst[], const u32 val,
891 bool dstk, u8 **pprog)
892{
893 u8 *prog = *pprog;
894 int cnt = 0;
895 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
896 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
897
898 if (dstk) {
899 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
900 STACK_VAR(dst_lo));
901 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
902 STACK_VAR(dst_hi));
903 }
904 /* Do LSH operation */
905 if (val < 32) {
906 /* shld dreg_hi,dreg_lo,imm8 */
907 EMIT4(0x0F, 0xA4, add_2reg(0xC0, dreg_hi, dreg_lo), val);
908 /* shl dreg_lo,imm8 */
909 EMIT3(0xC1, add_1reg(0xE0, dreg_lo), val);
910 } else if (val >= 32 && val < 64) {
911 u32 value = val - 32;
912
913 /* shl dreg_lo,imm8 */
914 EMIT3(0xC1, add_1reg(0xE0, dreg_lo), value);
915 /* mov dreg_hi,dreg_lo */
916 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
917 /* xor dreg_lo,dreg_lo */
918 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
919 } else {
920 /* xor dreg_lo,dreg_lo */
921 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
922 /* xor dreg_hi,dreg_hi */
923 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
924 }
925
926 if (dstk) {
927 /* mov dword ptr [ebp+off],dreg_lo */
928 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
929 STACK_VAR(dst_lo));
930 /* mov dword ptr [ebp+off],dreg_hi */
931 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
932 STACK_VAR(dst_hi));
933 }
934 *pprog = prog;
935}
936
937/* dst = dst >> val */
938static inline void emit_ia32_rsh_i64(const u8 dst[], const u32 val,
939 bool dstk, u8 **pprog)
940{
941 u8 *prog = *pprog;
942 int cnt = 0;
943 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
944 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
945
946 if (dstk) {
947 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
948 STACK_VAR(dst_lo));
949 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
950 STACK_VAR(dst_hi));
951 }
952
953 /* Do RSH operation */
954 if (val < 32) {
955 /* shrd dreg_lo,dreg_hi,imm8 */
956 EMIT4(0x0F, 0xAC, add_2reg(0xC0, dreg_lo, dreg_hi), val);
957 /* shr dreg_hi,imm8 */
958 EMIT3(0xC1, add_1reg(0xE8, dreg_hi), val);
959 } else if (val >= 32 && val < 64) {
960 u32 value = val - 32;
961
962 /* shr dreg_hi,imm8 */
963 EMIT3(0xC1, add_1reg(0xE8, dreg_hi), value);
964 /* mov dreg_lo,dreg_hi */
965 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
966 /* xor dreg_hi,dreg_hi */
967 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
968 } else {
969 /* xor dreg_lo,dreg_lo */
970 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
971 /* xor dreg_hi,dreg_hi */
972 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
973 }
974
975 if (dstk) {
976 /* mov dword ptr [ebp+off],dreg_lo */
977 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
978 STACK_VAR(dst_lo));
979 /* mov dword ptr [ebp+off],dreg_hi */
980 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
981 STACK_VAR(dst_hi));
982 }
983 *pprog = prog;
984}
985
986/* dst = dst >> val (signed) */
987static inline void emit_ia32_arsh_i64(const u8 dst[], const u32 val,
988 bool dstk, u8 **pprog)
989{
990 u8 *prog = *pprog;
991 int cnt = 0;
992 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
993 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
994
995 if (dstk) {
996 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
997 STACK_VAR(dst_lo));
998 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
999 STACK_VAR(dst_hi));
1000 }
1001 /* Do RSH operation */
1002 if (val < 32) {
1003 /* shrd dreg_lo,dreg_hi,imm8 */
1004 EMIT4(0x0F, 0xAC, add_2reg(0xC0, dreg_lo, dreg_hi), val);
1005 /* ashr dreg_hi,imm8 */
1006 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), val);
1007 } else if (val >= 32 && val < 64) {
1008 u32 value = val - 32;
1009
1010 /* ashr dreg_hi,imm8 */
1011 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), value);
1012 /* mov dreg_lo,dreg_hi */
1013 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
1014
1015 /* ashr dreg_hi,imm8 */
1016 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
1017 } else {
1018 /* ashr dreg_hi,imm8 */
1019 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
1020 /* mov dreg_lo,dreg_hi */
1021 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
1022 }
1023
1024 if (dstk) {
1025 /* mov dword ptr [ebp+off],dreg_lo */
1026 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
1027 STACK_VAR(dst_lo));
1028 /* mov dword ptr [ebp+off],dreg_hi */
1029 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
1030 STACK_VAR(dst_hi));
1031 }
1032 *pprog = prog;
1033}
1034
1035static inline void emit_ia32_mul_r64(const u8 dst[], const u8 src[], bool dstk,
1036 bool sstk, u8 **pprog)
1037{
1038 u8 *prog = *pprog;
1039 int cnt = 0;
1040
1041 if (dstk)
1042 /* mov eax,dword ptr [ebp+off] */
1043 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1044 STACK_VAR(dst_hi));
1045 else
1046 /* mov eax,dst_hi */
1047 EMIT2(0x8B, add_2reg(0xC0, dst_hi, IA32_EAX));
1048
1049 if (sstk)
1050 /* mul dword ptr [ebp+off] */
1051 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_lo));
1052 else
1053 /* mul src_lo */
1054 EMIT2(0xF7, add_1reg(0xE0, src_lo));
1055
1056 /* mov ecx,eax */
1057 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1058
1059 if (dstk)
1060 /* mov eax,dword ptr [ebp+off] */
1061 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1062 STACK_VAR(dst_lo));
1063 else
1064 /* mov eax,dst_lo */
1065 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1066
1067 if (sstk)
1068 /* mul dword ptr [ebp+off] */
1069 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_hi));
1070 else
1071 /* mul src_hi */
1072 EMIT2(0xF7, add_1reg(0xE0, src_hi));
1073
1074 /* add eax,eax */
1075 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1076
1077 if (dstk)
1078 /* mov eax,dword ptr [ebp+off] */
1079 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1080 STACK_VAR(dst_lo));
1081 else
1082 /* mov eax,dst_lo */
1083 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1084
1085 if (sstk)
1086 /* mul dword ptr [ebp+off] */
1087 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_lo));
1088 else
1089 /* mul src_lo */
1090 EMIT2(0xF7, add_1reg(0xE0, src_lo));
1091
1092 /* add ecx,edx */
1093 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EDX));
1094
1095 if (dstk) {
1096 /* mov dword ptr [ebp+off],eax */
1097 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1098 STACK_VAR(dst_lo));
1099 /* mov dword ptr [ebp+off],ecx */
1100 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX),
1101 STACK_VAR(dst_hi));
1102 } else {
1103 /* mov dst_lo,eax */
1104 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EAX));
1105 /* mov dst_hi,ecx */
1106 EMIT2(0x89, add_2reg(0xC0, dst_hi, IA32_ECX));
1107 }
1108
1109 *pprog = prog;
1110}
1111
1112static inline void emit_ia32_mul_i64(const u8 dst[], const u32 val,
1113 bool dstk, u8 **pprog)
1114{
1115 u8 *prog = *pprog;
1116 int cnt = 0;
1117 u32 hi;
1118
1119 hi = val & (1<<31) ? (u32)~0 : 0;
1120 /* movl eax,imm32 */
1121 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), val);
1122 if (dstk)
1123 /* mul dword ptr [ebp+off] */
1124 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_hi));
1125 else
1126 /* mul dst_hi */
1127 EMIT2(0xF7, add_1reg(0xE0, dst_hi));
1128
1129 /* mov ecx,eax */
1130 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1131
1132 /* movl eax,imm32 */
1133 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), hi);
1134 if (dstk)
1135 /* mul dword ptr [ebp+off] */
1136 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_lo));
1137 else
1138 /* mul dst_lo */
1139 EMIT2(0xF7, add_1reg(0xE0, dst_lo));
1140 /* add ecx,eax */
1141 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1142
1143 /* movl eax,imm32 */
1144 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), val);
1145 if (dstk)
1146 /* mul dword ptr [ebp+off] */
1147 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_lo));
1148 else
1149 /* mul dst_lo */
1150 EMIT2(0xF7, add_1reg(0xE0, dst_lo));
1151
1152 /* add ecx,edx */
1153 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EDX));
1154
1155 if (dstk) {
1156 /* mov dword ptr [ebp+off],eax */
1157 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1158 STACK_VAR(dst_lo));
1159 /* mov dword ptr [ebp+off],ecx */
1160 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX),
1161 STACK_VAR(dst_hi));
1162 } else {
1163 /* mov dword ptr [ebp+off],eax */
1164 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EAX));
1165 /* mov dword ptr [ebp+off],ecx */
1166 EMIT2(0x89, add_2reg(0xC0, dst_hi, IA32_ECX));
1167 }
1168
1169 *pprog = prog;
1170}
1171
1172static int bpf_size_to_x86_bytes(int bpf_size)
1173{
1174 if (bpf_size == BPF_W)
1175 return 4;
1176 else if (bpf_size == BPF_H)
1177 return 2;
1178 else if (bpf_size == BPF_B)
1179 return 1;
1180 else if (bpf_size == BPF_DW)
1181 return 4; /* imm32 */
1182 else
1183 return 0;
1184}
1185
1186struct jit_context {
1187 int cleanup_addr; /* Epilogue code offset */
1188};
1189
1190/* Maximum number of bytes emitted while JITing one eBPF insn */
1191#define BPF_MAX_INSN_SIZE 128
1192#define BPF_INSN_SAFETY 64
1193
1194#define PROLOGUE_SIZE 35
1195
1196/*
1197 * Emit prologue code for BPF program and check its size.
1198 * bpf_tail_call helper will skip it while jumping into another program.
1199 */
1200static void emit_prologue(u8 **pprog, u32 stack_depth)
1201{
1202 u8 *prog = *pprog;
1203 int cnt = 0;
1204 const u8 *r1 = bpf2ia32[BPF_REG_1];
1205 const u8 fplo = bpf2ia32[BPF_REG_FP][0];
1206 const u8 fphi = bpf2ia32[BPF_REG_FP][1];
1207 const u8 *tcc = bpf2ia32[TCALL_CNT];
1208
1209 /* push ebp */
1210 EMIT1(0x55);
1211 /* mov ebp,esp */
1212 EMIT2(0x89, 0xE5);
1213 /* push edi */
1214 EMIT1(0x57);
1215 /* push esi */
1216 EMIT1(0x56);
1217 /* push ebx */
1218 EMIT1(0x53);
1219
1220 /* sub esp,STACK_SIZE */
1221 EMIT2_off32(0x81, 0xEC, STACK_SIZE);
1222 /* sub ebp,SCRATCH_SIZE+12*/
1223 EMIT3(0x83, add_1reg(0xE8, IA32_EBP), SCRATCH_SIZE + 12);
1224 /* xor ebx,ebx */
1225 EMIT2(0x31, add_2reg(0xC0, IA32_EBX, IA32_EBX));
1226
1227 /* Set up BPF prog stack base register */
1228 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBP), STACK_VAR(fplo));
1229 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(fphi));
1230
1231 /* Move BPF_CTX (EAX) to BPF_REG_R1 */
1232 /* mov dword ptr [ebp+off],eax */
1233 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r1[0]));
1234 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(r1[1]));
1235
1236 /* Initialize Tail Count */
1237 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[0]));
1238 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1239
1240 BUILD_BUG_ON(cnt != PROLOGUE_SIZE);
1241 *pprog = prog;
1242}
1243
1244/* Emit epilogue code for BPF program */
1245static void emit_epilogue(u8 **pprog, u32 stack_depth)
1246{
1247 u8 *prog = *pprog;
1248 const u8 *r0 = bpf2ia32[BPF_REG_0];
1249 int cnt = 0;
1250
1251 /* mov eax,dword ptr [ebp+off]*/
1252 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r0[0]));
1253 /* mov edx,dword ptr [ebp+off]*/
1254 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(r0[1]));
1255
1256 /* add ebp,SCRATCH_SIZE+12*/
1257 EMIT3(0x83, add_1reg(0xC0, IA32_EBP), SCRATCH_SIZE + 12);
1258
1259 /* mov ebx,dword ptr [ebp-12]*/
1260 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EBX), -12);
1261 /* mov esi,dword ptr [ebp-8]*/
1262 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ESI), -8);
1263 /* mov edi,dword ptr [ebp-4]*/
1264 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDI), -4);
1265
1266 EMIT1(0xC9); /* leave */
1267 EMIT1(0xC3); /* ret */
1268 *pprog = prog;
1269}
1270
1271static int emit_jmp_edx(u8 **pprog, u8 *ip)
1272{
1273 u8 *prog = *pprog;
1274 int cnt = 0;
1275
1276#ifdef CONFIG_MITIGATION_RETPOLINE
1277 EMIT1_off32(0xE9, (u8 *)__x86_indirect_thunk_edx - (ip + 5));
1278#else
1279 EMIT2(0xFF, 0xE2);
1280#endif
1281 *pprog = prog;
1282
1283 return cnt;
1284}
1285
1286/*
1287 * Generate the following code:
1288 * ... bpf_tail_call(void *ctx, struct bpf_array *array, u64 index) ...
1289 * if (index >= array->map.max_entries)
1290 * goto out;
1291 * if (++tail_call_cnt > MAX_TAIL_CALL_CNT)
1292 * goto out;
1293 * prog = array->ptrs[index];
1294 * if (prog == NULL)
1295 * goto out;
1296 * goto *(prog->bpf_func + prologue_size);
1297 * out:
1298 */
1299static void emit_bpf_tail_call(u8 **pprog, u8 *ip)
1300{
1301 u8 *prog = *pprog;
1302 int cnt = 0;
1303 const u8 *r1 = bpf2ia32[BPF_REG_1];
1304 const u8 *r2 = bpf2ia32[BPF_REG_2];
1305 const u8 *r3 = bpf2ia32[BPF_REG_3];
1306 const u8 *tcc = bpf2ia32[TCALL_CNT];
1307 u32 lo, hi;
1308 static int jmp_label1 = -1;
1309
1310 /*
1311 * if (index >= array->map.max_entries)
1312 * goto out;
1313 */
1314 /* mov eax,dword ptr [ebp+off] */
1315 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r2[0]));
1316 /* mov edx,dword ptr [ebp+off] */
1317 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(r3[0]));
1318
1319 /* cmp dword ptr [eax+off],edx */
1320 EMIT3(0x39, add_2reg(0x40, IA32_EAX, IA32_EDX),
1321 offsetof(struct bpf_array, map.max_entries));
1322 /* jbe out */
1323 EMIT2(IA32_JBE, jmp_label(jmp_label1, 2));
1324
1325 /*
1326 * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
1327 * goto out;
1328 */
1329 lo = (u32)MAX_TAIL_CALL_CNT;
1330 hi = (u32)((u64)MAX_TAIL_CALL_CNT >> 32);
1331 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(tcc[0]));
1332 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1333
1334 /* cmp edx,hi */
1335 EMIT3(0x83, add_1reg(0xF8, IA32_EBX), hi);
1336 EMIT2(IA32_JNE, 3);
1337 /* cmp ecx,lo */
1338 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), lo);
1339
1340 /* jae out */
1341 EMIT2(IA32_JAE, jmp_label(jmp_label1, 2));
1342
1343 /* add eax,0x1 */
1344 EMIT3(0x83, add_1reg(0xC0, IA32_ECX), 0x01);
1345 /* adc ebx,0x0 */
1346 EMIT3(0x83, add_1reg(0xD0, IA32_EBX), 0x00);
1347
1348 /* mov dword ptr [ebp+off],eax */
1349 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(tcc[0]));
1350 /* mov dword ptr [ebp+off],edx */
1351 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1352
1353 /* prog = array->ptrs[index]; */
1354 /* mov edx, [eax + edx * 4 + offsetof(...)] */
1355 EMIT3_off32(0x8B, 0x94, 0x90, offsetof(struct bpf_array, ptrs));
1356
1357 /*
1358 * if (prog == NULL)
1359 * goto out;
1360 */
1361 /* test edx,edx */
1362 EMIT2(0x85, add_2reg(0xC0, IA32_EDX, IA32_EDX));
1363 /* je out */
1364 EMIT2(IA32_JE, jmp_label(jmp_label1, 2));
1365
1366 /* goto *(prog->bpf_func + prologue_size); */
1367 /* mov edx, dword ptr [edx + 32] */
1368 EMIT3(0x8B, add_2reg(0x40, IA32_EDX, IA32_EDX),
1369 offsetof(struct bpf_prog, bpf_func));
1370 /* add edx,prologue_size */
1371 EMIT3(0x83, add_1reg(0xC0, IA32_EDX), PROLOGUE_SIZE);
1372
1373 /* mov eax,dword ptr [ebp+off] */
1374 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r1[0]));
1375
1376 /*
1377 * Now we're ready to jump into next BPF program:
1378 * eax == ctx (1st arg)
1379 * edx == prog->bpf_func + prologue_size
1380 */
1381 cnt += emit_jmp_edx(&prog, ip + cnt);
1382
1383 if (jmp_label1 == -1)
1384 jmp_label1 = cnt;
1385
1386 /* out: */
1387 *pprog = prog;
1388}
1389
1390/* Push the scratch stack register on top of the stack. */
1391static inline void emit_push_r64(const u8 src[], u8 **pprog)
1392{
1393 u8 *prog = *pprog;
1394 int cnt = 0;
1395
1396 /* mov ecx,dword ptr [ebp+off] */
1397 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_hi));
1398 /* push ecx */
1399 EMIT1(0x51);
1400
1401 /* mov ecx,dword ptr [ebp+off] */
1402 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_lo));
1403 /* push ecx */
1404 EMIT1(0x51);
1405
1406 *pprog = prog;
1407}
1408
1409static void emit_push_r32(const u8 src[], u8 **pprog)
1410{
1411 u8 *prog = *pprog;
1412 int cnt = 0;
1413
1414 /* mov ecx,dword ptr [ebp+off] */
1415 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_lo));
1416 /* push ecx */
1417 EMIT1(0x51);
1418
1419 *pprog = prog;
1420}
1421
1422static u8 get_cond_jmp_opcode(const u8 op, bool is_cmp_lo)
1423{
1424 u8 jmp_cond;
1425
1426 /* Convert BPF opcode to x86 */
1427 switch (op) {
1428 case BPF_JEQ:
1429 jmp_cond = IA32_JE;
1430 break;
1431 case BPF_JSET:
1432 case BPF_JNE:
1433 jmp_cond = IA32_JNE;
1434 break;
1435 case BPF_JGT:
1436 /* GT is unsigned '>', JA in x86 */
1437 jmp_cond = IA32_JA;
1438 break;
1439 case BPF_JLT:
1440 /* LT is unsigned '<', JB in x86 */
1441 jmp_cond = IA32_JB;
1442 break;
1443 case BPF_JGE:
1444 /* GE is unsigned '>=', JAE in x86 */
1445 jmp_cond = IA32_JAE;
1446 break;
1447 case BPF_JLE:
1448 /* LE is unsigned '<=', JBE in x86 */
1449 jmp_cond = IA32_JBE;
1450 break;
1451 case BPF_JSGT:
1452 if (!is_cmp_lo)
1453 /* Signed '>', GT in x86 */
1454 jmp_cond = IA32_JG;
1455 else
1456 /* GT is unsigned '>', JA in x86 */
1457 jmp_cond = IA32_JA;
1458 break;
1459 case BPF_JSLT:
1460 if (!is_cmp_lo)
1461 /* Signed '<', LT in x86 */
1462 jmp_cond = IA32_JL;
1463 else
1464 /* LT is unsigned '<', JB in x86 */
1465 jmp_cond = IA32_JB;
1466 break;
1467 case BPF_JSGE:
1468 if (!is_cmp_lo)
1469 /* Signed '>=', GE in x86 */
1470 jmp_cond = IA32_JGE;
1471 else
1472 /* GE is unsigned '>=', JAE in x86 */
1473 jmp_cond = IA32_JAE;
1474 break;
1475 case BPF_JSLE:
1476 if (!is_cmp_lo)
1477 /* Signed '<=', LE in x86 */
1478 jmp_cond = IA32_JLE;
1479 else
1480 /* LE is unsigned '<=', JBE in x86 */
1481 jmp_cond = IA32_JBE;
1482 break;
1483 default: /* to silence GCC warning */
1484 jmp_cond = COND_JMP_OPCODE_INVALID;
1485 break;
1486 }
1487
1488 return jmp_cond;
1489}
1490
1491/* i386 kernel compiles with "-mregparm=3". From gcc document:
1492 *
1493 * ==== snippet ====
1494 * regparm (number)
1495 * On x86-32 targets, the regparm attribute causes the compiler
1496 * to pass arguments number one to (number) if they are of integral
1497 * type in registers EAX, EDX, and ECX instead of on the stack.
1498 * Functions that take a variable number of arguments continue
1499 * to be passed all of their arguments on the stack.
1500 * ==== snippet ====
1501 *
1502 * The first three args of a function will be considered for
1503 * putting into the 32bit register EAX, EDX, and ECX.
1504 *
1505 * Two 32bit registers are used to pass a 64bit arg.
1506 *
1507 * For example,
1508 * void foo(u32 a, u32 b, u32 c, u32 d):
1509 * u32 a: EAX
1510 * u32 b: EDX
1511 * u32 c: ECX
1512 * u32 d: stack
1513 *
1514 * void foo(u64 a, u32 b, u32 c):
1515 * u64 a: EAX (lo32) EDX (hi32)
1516 * u32 b: ECX
1517 * u32 c: stack
1518 *
1519 * void foo(u32 a, u64 b, u32 c):
1520 * u32 a: EAX
1521 * u64 b: EDX (lo32) ECX (hi32)
1522 * u32 c: stack
1523 *
1524 * void foo(u32 a, u32 b, u64 c):
1525 * u32 a: EAX
1526 * u32 b: EDX
1527 * u64 c: stack
1528 *
1529 * The return value will be stored in the EAX (and EDX for 64bit value).
1530 *
1531 * For example,
1532 * u32 foo(u32 a, u32 b, u32 c):
1533 * return value: EAX
1534 *
1535 * u64 foo(u32 a, u32 b, u32 c):
1536 * return value: EAX (lo32) EDX (hi32)
1537 *
1538 * Notes:
1539 * The verifier only accepts function having integer and pointers
1540 * as its args and return value, so it does not have
1541 * struct-by-value.
1542 *
1543 * emit_kfunc_call() finds out the btf_func_model by calling
1544 * bpf_jit_find_kfunc_model(). A btf_func_model
1545 * has the details about the number of args, size of each arg,
1546 * and the size of the return value.
1547 *
1548 * It first decides how many args can be passed by EAX, EDX, and ECX.
1549 * That will decide what args should be pushed to the stack:
1550 * [first_stack_regno, last_stack_regno] are the bpf regnos
1551 * that should be pushed to the stack.
1552 *
1553 * It will first push all args to the stack because the push
1554 * will need to use ECX. Then, it moves
1555 * [BPF_REG_1, first_stack_regno) to EAX, EDX, and ECX.
1556 *
1557 * When emitting a call (0xE8), it needs to figure out
1558 * the jmp_offset relative to the jit-insn address immediately
1559 * following the call (0xE8) instruction. At this point, it knows
1560 * the end of the jit-insn address after completely translated the
1561 * current (BPF_JMP | BPF_CALL) bpf-insn. It is passed as "end_addr"
1562 * to the emit_kfunc_call(). Thus, it can learn the "immediate-follow-call"
1563 * address by figuring out how many jit-insn is generated between
1564 * the call (0xE8) and the end_addr:
1565 * - 0-1 jit-insn (3 bytes each) to restore the esp pointer if there
1566 * is arg pushed to the stack.
1567 * - 0-2 jit-insns (3 bytes each) to handle the return value.
1568 */
1569static int emit_kfunc_call(const struct bpf_prog *bpf_prog, u8 *end_addr,
1570 const struct bpf_insn *insn, u8 **pprog)
1571{
1572 const u8 arg_regs[] = { IA32_EAX, IA32_EDX, IA32_ECX };
1573 int i, cnt = 0, first_stack_regno, last_stack_regno;
1574 int free_arg_regs = ARRAY_SIZE(arg_regs);
1575 const struct btf_func_model *fm;
1576 int bytes_in_stack = 0;
1577 const u8 *cur_arg_reg;
1578 u8 *prog = *pprog;
1579 s64 jmp_offset;
1580
1581 fm = bpf_jit_find_kfunc_model(bpf_prog, insn);
1582 if (!fm)
1583 return -EINVAL;
1584
1585 first_stack_regno = BPF_REG_1;
1586 for (i = 0; i < fm->nr_args; i++) {
1587 int regs_needed = fm->arg_size[i] > sizeof(u32) ? 2 : 1;
1588
1589 if (regs_needed > free_arg_regs)
1590 break;
1591
1592 free_arg_regs -= regs_needed;
1593 first_stack_regno++;
1594 }
1595
1596 /* Push the args to the stack */
1597 last_stack_regno = BPF_REG_0 + fm->nr_args;
1598 for (i = last_stack_regno; i >= first_stack_regno; i--) {
1599 if (fm->arg_size[i - 1] > sizeof(u32)) {
1600 emit_push_r64(bpf2ia32[i], &prog);
1601 bytes_in_stack += 8;
1602 } else {
1603 emit_push_r32(bpf2ia32[i], &prog);
1604 bytes_in_stack += 4;
1605 }
1606 }
1607
1608 cur_arg_reg = &arg_regs[0];
1609 for (i = BPF_REG_1; i < first_stack_regno; i++) {
1610 /* mov e[adc]x,dword ptr [ebp+off] */
1611 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, *cur_arg_reg++),
1612 STACK_VAR(bpf2ia32[i][0]));
1613 if (fm->arg_size[i - 1] > sizeof(u32))
1614 /* mov e[adc]x,dword ptr [ebp+off] */
1615 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, *cur_arg_reg++),
1616 STACK_VAR(bpf2ia32[i][1]));
1617 }
1618
1619 if (bytes_in_stack)
1620 /* add esp,"bytes_in_stack" */
1621 end_addr -= 3;
1622
1623 /* mov dword ptr [ebp+off],edx */
1624 if (fm->ret_size > sizeof(u32))
1625 end_addr -= 3;
1626
1627 /* mov dword ptr [ebp+off],eax */
1628 if (fm->ret_size)
1629 end_addr -= 3;
1630
1631 jmp_offset = (u8 *)__bpf_call_base + insn->imm - end_addr;
1632 if (!is_simm32(jmp_offset)) {
1633 pr_err("unsupported BPF kernel function jmp_offset:%lld\n",
1634 jmp_offset);
1635 return -EINVAL;
1636 }
1637
1638 EMIT1_off32(0xE8, jmp_offset);
1639
1640 if (fm->ret_size)
1641 /* mov dword ptr [ebp+off],eax */
1642 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1643 STACK_VAR(bpf2ia32[BPF_REG_0][0]));
1644
1645 if (fm->ret_size > sizeof(u32))
1646 /* mov dword ptr [ebp+off],edx */
1647 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
1648 STACK_VAR(bpf2ia32[BPF_REG_0][1]));
1649
1650 if (bytes_in_stack)
1651 /* add esp,"bytes_in_stack" */
1652 EMIT3(0x83, add_1reg(0xC0, IA32_ESP), bytes_in_stack);
1653
1654 *pprog = prog;
1655
1656 return 0;
1657}
1658
1659static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
1660 int oldproglen, struct jit_context *ctx)
1661{
1662 struct bpf_insn *insn = bpf_prog->insnsi;
1663 int insn_cnt = bpf_prog->len;
1664 bool seen_exit = false;
1665 u8 temp[BPF_MAX_INSN_SIZE + BPF_INSN_SAFETY];
1666 int i, cnt = 0;
1667 int proglen = 0;
1668 u8 *prog = temp;
1669
1670 emit_prologue(&prog, bpf_prog->aux->stack_depth);
1671
1672 for (i = 0; i < insn_cnt; i++, insn++) {
1673 const s32 imm32 = insn->imm;
1674 const bool is64 = BPF_CLASS(insn->code) == BPF_ALU64;
1675 const bool dstk = insn->dst_reg != BPF_REG_AX;
1676 const bool sstk = insn->src_reg != BPF_REG_AX;
1677 const u8 code = insn->code;
1678 const u8 *dst = bpf2ia32[insn->dst_reg];
1679 const u8 *src = bpf2ia32[insn->src_reg];
1680 const u8 *r0 = bpf2ia32[BPF_REG_0];
1681 s64 jmp_offset;
1682 u8 jmp_cond;
1683 int ilen;
1684 u8 *func;
1685
1686 switch (code) {
1687 /* ALU operations */
1688 /* dst = src */
1689 case BPF_ALU | BPF_MOV | BPF_K:
1690 case BPF_ALU | BPF_MOV | BPF_X:
1691 case BPF_ALU64 | BPF_MOV | BPF_K:
1692 case BPF_ALU64 | BPF_MOV | BPF_X:
1693 switch (BPF_SRC(code)) {
1694 case BPF_X:
1695 if (imm32 == 1) {
1696 /* Special mov32 for zext. */
1697 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1698 break;
1699 }
1700 emit_ia32_mov_r64(is64, dst, src, dstk, sstk,
1701 &prog, bpf_prog->aux);
1702 break;
1703 case BPF_K:
1704 /* Sign-extend immediate value to dst reg */
1705 emit_ia32_mov_i64(is64, dst, imm32,
1706 dstk, &prog);
1707 break;
1708 }
1709 break;
1710 /* dst = dst + src/imm */
1711 /* dst = dst - src/imm */
1712 /* dst = dst | src/imm */
1713 /* dst = dst & src/imm */
1714 /* dst = dst ^ src/imm */
1715 /* dst = dst * src/imm */
1716 /* dst = dst << src */
1717 /* dst = dst >> src */
1718 case BPF_ALU | BPF_ADD | BPF_K:
1719 case BPF_ALU | BPF_ADD | BPF_X:
1720 case BPF_ALU | BPF_SUB | BPF_K:
1721 case BPF_ALU | BPF_SUB | BPF_X:
1722 case BPF_ALU | BPF_OR | BPF_K:
1723 case BPF_ALU | BPF_OR | BPF_X:
1724 case BPF_ALU | BPF_AND | BPF_K:
1725 case BPF_ALU | BPF_AND | BPF_X:
1726 case BPF_ALU | BPF_XOR | BPF_K:
1727 case BPF_ALU | BPF_XOR | BPF_X:
1728 case BPF_ALU64 | BPF_ADD | BPF_K:
1729 case BPF_ALU64 | BPF_ADD | BPF_X:
1730 case BPF_ALU64 | BPF_SUB | BPF_K:
1731 case BPF_ALU64 | BPF_SUB | BPF_X:
1732 case BPF_ALU64 | BPF_OR | BPF_K:
1733 case BPF_ALU64 | BPF_OR | BPF_X:
1734 case BPF_ALU64 | BPF_AND | BPF_K:
1735 case BPF_ALU64 | BPF_AND | BPF_X:
1736 case BPF_ALU64 | BPF_XOR | BPF_K:
1737 case BPF_ALU64 | BPF_XOR | BPF_X:
1738 switch (BPF_SRC(code)) {
1739 case BPF_X:
1740 emit_ia32_alu_r64(is64, BPF_OP(code), dst,
1741 src, dstk, sstk, &prog,
1742 bpf_prog->aux);
1743 break;
1744 case BPF_K:
1745 emit_ia32_alu_i64(is64, BPF_OP(code), dst,
1746 imm32, dstk, &prog,
1747 bpf_prog->aux);
1748 break;
1749 }
1750 break;
1751 case BPF_ALU | BPF_MUL | BPF_K:
1752 case BPF_ALU | BPF_MUL | BPF_X:
1753 switch (BPF_SRC(code)) {
1754 case BPF_X:
1755 emit_ia32_mul_r(dst_lo, src_lo, dstk,
1756 sstk, &prog);
1757 break;
1758 case BPF_K:
1759 /* mov ecx,imm32*/
1760 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1761 imm32);
1762 emit_ia32_mul_r(dst_lo, IA32_ECX, dstk,
1763 false, &prog);
1764 break;
1765 }
1766 if (!bpf_prog->aux->verifier_zext)
1767 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1768 break;
1769 case BPF_ALU | BPF_LSH | BPF_X:
1770 case BPF_ALU | BPF_RSH | BPF_X:
1771 case BPF_ALU | BPF_ARSH | BPF_K:
1772 case BPF_ALU | BPF_ARSH | BPF_X:
1773 switch (BPF_SRC(code)) {
1774 case BPF_X:
1775 emit_ia32_shift_r(BPF_OP(code), dst_lo, src_lo,
1776 dstk, sstk, &prog);
1777 break;
1778 case BPF_K:
1779 /* mov ecx,imm32*/
1780 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1781 imm32);
1782 emit_ia32_shift_r(BPF_OP(code), dst_lo,
1783 IA32_ECX, dstk, false,
1784 &prog);
1785 break;
1786 }
1787 if (!bpf_prog->aux->verifier_zext)
1788 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1789 break;
1790 /* dst = dst / src(imm) */
1791 /* dst = dst % src(imm) */
1792 case BPF_ALU | BPF_DIV | BPF_K:
1793 case BPF_ALU | BPF_DIV | BPF_X:
1794 case BPF_ALU | BPF_MOD | BPF_K:
1795 case BPF_ALU | BPF_MOD | BPF_X:
1796 switch (BPF_SRC(code)) {
1797 case BPF_X:
1798 emit_ia32_div_mod_r(BPF_OP(code), dst_lo,
1799 src_lo, dstk, sstk, &prog);
1800 break;
1801 case BPF_K:
1802 /* mov ecx,imm32*/
1803 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1804 imm32);
1805 emit_ia32_div_mod_r(BPF_OP(code), dst_lo,
1806 IA32_ECX, dstk, false,
1807 &prog);
1808 break;
1809 }
1810 if (!bpf_prog->aux->verifier_zext)
1811 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1812 break;
1813 case BPF_ALU64 | BPF_DIV | BPF_K:
1814 case BPF_ALU64 | BPF_DIV | BPF_X:
1815 case BPF_ALU64 | BPF_MOD | BPF_K:
1816 case BPF_ALU64 | BPF_MOD | BPF_X:
1817 goto notyet;
1818 /* dst = dst >> imm */
1819 /* dst = dst << imm */
1820 case BPF_ALU | BPF_RSH | BPF_K:
1821 case BPF_ALU | BPF_LSH | BPF_K:
1822 if (unlikely(imm32 > 31))
1823 return -EINVAL;
1824 /* mov ecx,imm32*/
1825 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
1826 emit_ia32_shift_r(BPF_OP(code), dst_lo, IA32_ECX, dstk,
1827 false, &prog);
1828 if (!bpf_prog->aux->verifier_zext)
1829 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1830 break;
1831 /* dst = dst << imm */
1832 case BPF_ALU64 | BPF_LSH | BPF_K:
1833 if (unlikely(imm32 > 63))
1834 return -EINVAL;
1835 emit_ia32_lsh_i64(dst, imm32, dstk, &prog);
1836 break;
1837 /* dst = dst >> imm */
1838 case BPF_ALU64 | BPF_RSH | BPF_K:
1839 if (unlikely(imm32 > 63))
1840 return -EINVAL;
1841 emit_ia32_rsh_i64(dst, imm32, dstk, &prog);
1842 break;
1843 /* dst = dst << src */
1844 case BPF_ALU64 | BPF_LSH | BPF_X:
1845 emit_ia32_lsh_r64(dst, src, dstk, sstk, &prog);
1846 break;
1847 /* dst = dst >> src */
1848 case BPF_ALU64 | BPF_RSH | BPF_X:
1849 emit_ia32_rsh_r64(dst, src, dstk, sstk, &prog);
1850 break;
1851 /* dst = dst >> src (signed) */
1852 case BPF_ALU64 | BPF_ARSH | BPF_X:
1853 emit_ia32_arsh_r64(dst, src, dstk, sstk, &prog);
1854 break;
1855 /* dst = dst >> imm (signed) */
1856 case BPF_ALU64 | BPF_ARSH | BPF_K:
1857 if (unlikely(imm32 > 63))
1858 return -EINVAL;
1859 emit_ia32_arsh_i64(dst, imm32, dstk, &prog);
1860 break;
1861 /* dst = ~dst */
1862 case BPF_ALU | BPF_NEG:
1863 emit_ia32_alu_i(is64, false, BPF_OP(code),
1864 dst_lo, 0, dstk, &prog);
1865 if (!bpf_prog->aux->verifier_zext)
1866 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1867 break;
1868 /* dst = ~dst (64 bit) */
1869 case BPF_ALU64 | BPF_NEG:
1870 emit_ia32_neg64(dst, dstk, &prog);
1871 break;
1872 /* dst = dst * src/imm */
1873 case BPF_ALU64 | BPF_MUL | BPF_X:
1874 case BPF_ALU64 | BPF_MUL | BPF_K:
1875 switch (BPF_SRC(code)) {
1876 case BPF_X:
1877 emit_ia32_mul_r64(dst, src, dstk, sstk, &prog);
1878 break;
1879 case BPF_K:
1880 emit_ia32_mul_i64(dst, imm32, dstk, &prog);
1881 break;
1882 }
1883 break;
1884 /* dst = htole(dst) */
1885 case BPF_ALU | BPF_END | BPF_FROM_LE:
1886 emit_ia32_to_le_r64(dst, imm32, dstk, &prog,
1887 bpf_prog->aux);
1888 break;
1889 /* dst = htobe(dst) */
1890 case BPF_ALU | BPF_END | BPF_FROM_BE:
1891 emit_ia32_to_be_r64(dst, imm32, dstk, &prog,
1892 bpf_prog->aux);
1893 break;
1894 /* dst = imm64 */
1895 case BPF_LD | BPF_IMM | BPF_DW: {
1896 s32 hi, lo = imm32;
1897
1898 hi = insn[1].imm;
1899 emit_ia32_mov_i(dst_lo, lo, dstk, &prog);
1900 emit_ia32_mov_i(dst_hi, hi, dstk, &prog);
1901 insn++;
1902 i++;
1903 break;
1904 }
1905 /* speculation barrier */
1906 case BPF_ST | BPF_NOSPEC:
1907 if (boot_cpu_has(X86_FEATURE_XMM2))
1908 /* Emit 'lfence' */
1909 EMIT3(0x0F, 0xAE, 0xE8);
1910 break;
1911 /* ST: *(u8*)(dst_reg + off) = imm */
1912 case BPF_ST | BPF_MEM | BPF_H:
1913 case BPF_ST | BPF_MEM | BPF_B:
1914 case BPF_ST | BPF_MEM | BPF_W:
1915 case BPF_ST | BPF_MEM | BPF_DW:
1916 if (dstk)
1917 /* mov eax,dword ptr [ebp+off] */
1918 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1919 STACK_VAR(dst_lo));
1920 else
1921 /* mov eax,dst_lo */
1922 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1923
1924 switch (BPF_SIZE(code)) {
1925 case BPF_B:
1926 EMIT(0xC6, 1); break;
1927 case BPF_H:
1928 EMIT2(0x66, 0xC7); break;
1929 case BPF_W:
1930 case BPF_DW:
1931 EMIT(0xC7, 1); break;
1932 }
1933
1934 if (is_imm8(insn->off))
1935 EMIT2(add_1reg(0x40, IA32_EAX), insn->off);
1936 else
1937 EMIT1_off32(add_1reg(0x80, IA32_EAX),
1938 insn->off);
1939 EMIT(imm32, bpf_size_to_x86_bytes(BPF_SIZE(code)));
1940
1941 if (BPF_SIZE(code) == BPF_DW) {
1942 u32 hi;
1943
1944 hi = imm32 & (1<<31) ? (u32)~0 : 0;
1945 EMIT2_off32(0xC7, add_1reg(0x80, IA32_EAX),
1946 insn->off + 4);
1947 EMIT(hi, 4);
1948 }
1949 break;
1950
1951 /* STX: *(u8*)(dst_reg + off) = src_reg */
1952 case BPF_STX | BPF_MEM | BPF_B:
1953 case BPF_STX | BPF_MEM | BPF_H:
1954 case BPF_STX | BPF_MEM | BPF_W:
1955 case BPF_STX | BPF_MEM | BPF_DW:
1956 if (dstk)
1957 /* mov eax,dword ptr [ebp+off] */
1958 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1959 STACK_VAR(dst_lo));
1960 else
1961 /* mov eax,dst_lo */
1962 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1963
1964 if (sstk)
1965 /* mov edx,dword ptr [ebp+off] */
1966 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
1967 STACK_VAR(src_lo));
1968 else
1969 /* mov edx,src_lo */
1970 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_EDX));
1971
1972 switch (BPF_SIZE(code)) {
1973 case BPF_B:
1974 EMIT(0x88, 1); break;
1975 case BPF_H:
1976 EMIT2(0x66, 0x89); break;
1977 case BPF_W:
1978 case BPF_DW:
1979 EMIT(0x89, 1); break;
1980 }
1981
1982 if (is_imm8(insn->off))
1983 EMIT2(add_2reg(0x40, IA32_EAX, IA32_EDX),
1984 insn->off);
1985 else
1986 EMIT1_off32(add_2reg(0x80, IA32_EAX, IA32_EDX),
1987 insn->off);
1988
1989 if (BPF_SIZE(code) == BPF_DW) {
1990 if (sstk)
1991 /* mov edi,dword ptr [ebp+off] */
1992 EMIT3(0x8B, add_2reg(0x40, IA32_EBP,
1993 IA32_EDX),
1994 STACK_VAR(src_hi));
1995 else
1996 /* mov edi,src_hi */
1997 EMIT2(0x8B, add_2reg(0xC0, src_hi,
1998 IA32_EDX));
1999 EMIT1(0x89);
2000 if (is_imm8(insn->off + 4)) {
2001 EMIT2(add_2reg(0x40, IA32_EAX,
2002 IA32_EDX),
2003 insn->off + 4);
2004 } else {
2005 EMIT1(add_2reg(0x80, IA32_EAX,
2006 IA32_EDX));
2007 EMIT(insn->off + 4, 4);
2008 }
2009 }
2010 break;
2011
2012 /* LDX: dst_reg = *(u8*)(src_reg + off) */
2013 case BPF_LDX | BPF_MEM | BPF_B:
2014 case BPF_LDX | BPF_MEM | BPF_H:
2015 case BPF_LDX | BPF_MEM | BPF_W:
2016 case BPF_LDX | BPF_MEM | BPF_DW:
2017 if (sstk)
2018 /* mov eax,dword ptr [ebp+off] */
2019 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2020 STACK_VAR(src_lo));
2021 else
2022 /* mov eax,dword ptr [ebp+off] */
2023 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_EAX));
2024
2025 switch (BPF_SIZE(code)) {
2026 case BPF_B:
2027 EMIT2(0x0F, 0xB6); break;
2028 case BPF_H:
2029 EMIT2(0x0F, 0xB7); break;
2030 case BPF_W:
2031 case BPF_DW:
2032 EMIT(0x8B, 1); break;
2033 }
2034
2035 if (is_imm8(insn->off))
2036 EMIT2(add_2reg(0x40, IA32_EAX, IA32_EDX),
2037 insn->off);
2038 else
2039 EMIT1_off32(add_2reg(0x80, IA32_EAX, IA32_EDX),
2040 insn->off);
2041
2042 if (dstk)
2043 /* mov dword ptr [ebp+off],edx */
2044 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
2045 STACK_VAR(dst_lo));
2046 else
2047 /* mov dst_lo,edx */
2048 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EDX));
2049 switch (BPF_SIZE(code)) {
2050 case BPF_B:
2051 case BPF_H:
2052 case BPF_W:
2053 if (bpf_prog->aux->verifier_zext)
2054 break;
2055 if (dstk) {
2056 EMIT3(0xC7, add_1reg(0x40, IA32_EBP),
2057 STACK_VAR(dst_hi));
2058 EMIT(0x0, 4);
2059 } else {
2060 /* xor dst_hi,dst_hi */
2061 EMIT2(0x33,
2062 add_2reg(0xC0, dst_hi, dst_hi));
2063 }
2064 break;
2065 case BPF_DW:
2066 EMIT2_off32(0x8B,
2067 add_2reg(0x80, IA32_EAX, IA32_EDX),
2068 insn->off + 4);
2069 if (dstk)
2070 EMIT3(0x89,
2071 add_2reg(0x40, IA32_EBP,
2072 IA32_EDX),
2073 STACK_VAR(dst_hi));
2074 else
2075 EMIT2(0x89,
2076 add_2reg(0xC0, dst_hi, IA32_EDX));
2077 break;
2078 default:
2079 break;
2080 }
2081 break;
2082 /* call */
2083 case BPF_JMP | BPF_CALL:
2084 {
2085 const u8 *r1 = bpf2ia32[BPF_REG_1];
2086 const u8 *r2 = bpf2ia32[BPF_REG_2];
2087 const u8 *r3 = bpf2ia32[BPF_REG_3];
2088 const u8 *r4 = bpf2ia32[BPF_REG_4];
2089 const u8 *r5 = bpf2ia32[BPF_REG_5];
2090
2091 if (insn->src_reg == BPF_PSEUDO_CALL)
2092 goto notyet;
2093
2094 if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {
2095 int err;
2096
2097 err = emit_kfunc_call(bpf_prog,
2098 image + addrs[i],
2099 insn, &prog);
2100
2101 if (err)
2102 return err;
2103 break;
2104 }
2105
2106 func = (u8 *) __bpf_call_base + imm32;
2107 jmp_offset = func - (image + addrs[i]);
2108
2109 if (!imm32 || !is_simm32(jmp_offset)) {
2110 pr_err("unsupported BPF func %d addr %p image %p\n",
2111 imm32, func, image);
2112 return -EINVAL;
2113 }
2114
2115 /* mov eax,dword ptr [ebp+off] */
2116 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2117 STACK_VAR(r1[0]));
2118 /* mov edx,dword ptr [ebp+off] */
2119 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
2120 STACK_VAR(r1[1]));
2121
2122 emit_push_r64(r5, &prog);
2123 emit_push_r64(r4, &prog);
2124 emit_push_r64(r3, &prog);
2125 emit_push_r64(r2, &prog);
2126
2127 EMIT1_off32(0xE8, jmp_offset + 9);
2128
2129 /* mov dword ptr [ebp+off],eax */
2130 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
2131 STACK_VAR(r0[0]));
2132 /* mov dword ptr [ebp+off],edx */
2133 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
2134 STACK_VAR(r0[1]));
2135
2136 /* add esp,32 */
2137 EMIT3(0x83, add_1reg(0xC0, IA32_ESP), 32);
2138 break;
2139 }
2140 case BPF_JMP | BPF_TAIL_CALL:
2141 emit_bpf_tail_call(&prog, image + addrs[i - 1]);
2142 break;
2143
2144 /* cond jump */
2145 case BPF_JMP | BPF_JEQ | BPF_X:
2146 case BPF_JMP | BPF_JNE | BPF_X:
2147 case BPF_JMP | BPF_JGT | BPF_X:
2148 case BPF_JMP | BPF_JLT | BPF_X:
2149 case BPF_JMP | BPF_JGE | BPF_X:
2150 case BPF_JMP | BPF_JLE | BPF_X:
2151 case BPF_JMP32 | BPF_JEQ | BPF_X:
2152 case BPF_JMP32 | BPF_JNE | BPF_X:
2153 case BPF_JMP32 | BPF_JGT | BPF_X:
2154 case BPF_JMP32 | BPF_JLT | BPF_X:
2155 case BPF_JMP32 | BPF_JGE | BPF_X:
2156 case BPF_JMP32 | BPF_JLE | BPF_X:
2157 case BPF_JMP32 | BPF_JSGT | BPF_X:
2158 case BPF_JMP32 | BPF_JSLE | BPF_X:
2159 case BPF_JMP32 | BPF_JSLT | BPF_X:
2160 case BPF_JMP32 | BPF_JSGE | BPF_X: {
2161 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2162 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2163 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2164 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2165 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2166
2167 if (dstk) {
2168 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2169 STACK_VAR(dst_lo));
2170 if (is_jmp64)
2171 EMIT3(0x8B,
2172 add_2reg(0x40, IA32_EBP,
2173 IA32_EDX),
2174 STACK_VAR(dst_hi));
2175 }
2176
2177 if (sstk) {
2178 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2179 STACK_VAR(src_lo));
2180 if (is_jmp64)
2181 EMIT3(0x8B,
2182 add_2reg(0x40, IA32_EBP,
2183 IA32_EBX),
2184 STACK_VAR(src_hi));
2185 }
2186
2187 if (is_jmp64) {
2188 /* cmp dreg_hi,sreg_hi */
2189 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2190 EMIT2(IA32_JNE, 2);
2191 }
2192 /* cmp dreg_lo,sreg_lo */
2193 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2194 goto emit_cond_jmp;
2195 }
2196 case BPF_JMP | BPF_JSGT | BPF_X:
2197 case BPF_JMP | BPF_JSLE | BPF_X:
2198 case BPF_JMP | BPF_JSLT | BPF_X:
2199 case BPF_JMP | BPF_JSGE | BPF_X: {
2200 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2201 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2202 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2203 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2204
2205 if (dstk) {
2206 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2207 STACK_VAR(dst_lo));
2208 EMIT3(0x8B,
2209 add_2reg(0x40, IA32_EBP,
2210 IA32_EDX),
2211 STACK_VAR(dst_hi));
2212 }
2213
2214 if (sstk) {
2215 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2216 STACK_VAR(src_lo));
2217 EMIT3(0x8B,
2218 add_2reg(0x40, IA32_EBP,
2219 IA32_EBX),
2220 STACK_VAR(src_hi));
2221 }
2222
2223 /* cmp dreg_hi,sreg_hi */
2224 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2225 EMIT2(IA32_JNE, 10);
2226 /* cmp dreg_lo,sreg_lo */
2227 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2228 goto emit_cond_jmp_signed;
2229 }
2230 case BPF_JMP | BPF_JSET | BPF_X:
2231 case BPF_JMP32 | BPF_JSET | BPF_X: {
2232 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2233 u8 dreg_lo = IA32_EAX;
2234 u8 dreg_hi = IA32_EDX;
2235 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2236 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2237
2238 if (dstk) {
2239 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2240 STACK_VAR(dst_lo));
2241 if (is_jmp64)
2242 EMIT3(0x8B,
2243 add_2reg(0x40, IA32_EBP,
2244 IA32_EDX),
2245 STACK_VAR(dst_hi));
2246 } else {
2247 /* mov dreg_lo,dst_lo */
2248 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo));
2249 if (is_jmp64)
2250 /* mov dreg_hi,dst_hi */
2251 EMIT2(0x89,
2252 add_2reg(0xC0, dreg_hi, dst_hi));
2253 }
2254
2255 if (sstk) {
2256 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2257 STACK_VAR(src_lo));
2258 if (is_jmp64)
2259 EMIT3(0x8B,
2260 add_2reg(0x40, IA32_EBP,
2261 IA32_EBX),
2262 STACK_VAR(src_hi));
2263 }
2264 /* and dreg_lo,sreg_lo */
2265 EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
2266 if (is_jmp64) {
2267 /* and dreg_hi,sreg_hi */
2268 EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
2269 /* or dreg_lo,dreg_hi */
2270 EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
2271 }
2272 goto emit_cond_jmp;
2273 }
2274 case BPF_JMP | BPF_JSET | BPF_K:
2275 case BPF_JMP32 | BPF_JSET | BPF_K: {
2276 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2277 u8 dreg_lo = IA32_EAX;
2278 u8 dreg_hi = IA32_EDX;
2279 u8 sreg_lo = IA32_ECX;
2280 u8 sreg_hi = IA32_EBX;
2281 u32 hi;
2282
2283 if (dstk) {
2284 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2285 STACK_VAR(dst_lo));
2286 if (is_jmp64)
2287 EMIT3(0x8B,
2288 add_2reg(0x40, IA32_EBP,
2289 IA32_EDX),
2290 STACK_VAR(dst_hi));
2291 } else {
2292 /* mov dreg_lo,dst_lo */
2293 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo));
2294 if (is_jmp64)
2295 /* mov dreg_hi,dst_hi */
2296 EMIT2(0x89,
2297 add_2reg(0xC0, dreg_hi, dst_hi));
2298 }
2299
2300 /* mov ecx,imm32 */
2301 EMIT2_off32(0xC7, add_1reg(0xC0, sreg_lo), imm32);
2302
2303 /* and dreg_lo,sreg_lo */
2304 EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
2305 if (is_jmp64) {
2306 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2307 /* mov ebx,imm32 */
2308 EMIT2_off32(0xC7, add_1reg(0xC0, sreg_hi), hi);
2309 /* and dreg_hi,sreg_hi */
2310 EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
2311 /* or dreg_lo,dreg_hi */
2312 EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
2313 }
2314 goto emit_cond_jmp;
2315 }
2316 case BPF_JMP | BPF_JEQ | BPF_K:
2317 case BPF_JMP | BPF_JNE | BPF_K:
2318 case BPF_JMP | BPF_JGT | BPF_K:
2319 case BPF_JMP | BPF_JLT | BPF_K:
2320 case BPF_JMP | BPF_JGE | BPF_K:
2321 case BPF_JMP | BPF_JLE | BPF_K:
2322 case BPF_JMP32 | BPF_JEQ | BPF_K:
2323 case BPF_JMP32 | BPF_JNE | BPF_K:
2324 case BPF_JMP32 | BPF_JGT | BPF_K:
2325 case BPF_JMP32 | BPF_JLT | BPF_K:
2326 case BPF_JMP32 | BPF_JGE | BPF_K:
2327 case BPF_JMP32 | BPF_JLE | BPF_K:
2328 case BPF_JMP32 | BPF_JSGT | BPF_K:
2329 case BPF_JMP32 | BPF_JSLE | BPF_K:
2330 case BPF_JMP32 | BPF_JSLT | BPF_K:
2331 case BPF_JMP32 | BPF_JSGE | BPF_K: {
2332 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2333 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2334 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2335 u8 sreg_lo = IA32_ECX;
2336 u8 sreg_hi = IA32_EBX;
2337 u32 hi;
2338
2339 if (dstk) {
2340 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2341 STACK_VAR(dst_lo));
2342 if (is_jmp64)
2343 EMIT3(0x8B,
2344 add_2reg(0x40, IA32_EBP,
2345 IA32_EDX),
2346 STACK_VAR(dst_hi));
2347 }
2348
2349 /* mov ecx,imm32 */
2350 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
2351 if (is_jmp64) {
2352 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2353 /* mov ebx,imm32 */
2354 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EBX), hi);
2355 /* cmp dreg_hi,sreg_hi */
2356 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2357 EMIT2(IA32_JNE, 2);
2358 }
2359 /* cmp dreg_lo,sreg_lo */
2360 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2361
2362emit_cond_jmp: jmp_cond = get_cond_jmp_opcode(BPF_OP(code), false);
2363 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2364 return -EFAULT;
2365 jmp_offset = addrs[i + insn->off] - addrs[i];
2366 if (is_imm8(jmp_offset)) {
2367 EMIT2(jmp_cond, jmp_offset);
2368 } else if (is_simm32(jmp_offset)) {
2369 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2370 } else {
2371 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2372 return -EFAULT;
2373 }
2374 break;
2375 }
2376 case BPF_JMP | BPF_JSGT | BPF_K:
2377 case BPF_JMP | BPF_JSLE | BPF_K:
2378 case BPF_JMP | BPF_JSLT | BPF_K:
2379 case BPF_JMP | BPF_JSGE | BPF_K: {
2380 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2381 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2382 u8 sreg_lo = IA32_ECX;
2383 u8 sreg_hi = IA32_EBX;
2384 u32 hi;
2385
2386 if (dstk) {
2387 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2388 STACK_VAR(dst_lo));
2389 EMIT3(0x8B,
2390 add_2reg(0x40, IA32_EBP,
2391 IA32_EDX),
2392 STACK_VAR(dst_hi));
2393 }
2394
2395 /* mov ecx,imm32 */
2396 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
2397 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2398 /* mov ebx,imm32 */
2399 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EBX), hi);
2400 /* cmp dreg_hi,sreg_hi */
2401 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2402 EMIT2(IA32_JNE, 10);
2403 /* cmp dreg_lo,sreg_lo */
2404 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2405
2406 /*
2407 * For simplicity of branch offset computation,
2408 * let's use fixed jump coding here.
2409 */
2410emit_cond_jmp_signed: /* Check the condition for low 32-bit comparison */
2411 jmp_cond = get_cond_jmp_opcode(BPF_OP(code), true);
2412 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2413 return -EFAULT;
2414 jmp_offset = addrs[i + insn->off] - addrs[i] + 8;
2415 if (is_simm32(jmp_offset)) {
2416 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2417 } else {
2418 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2419 return -EFAULT;
2420 }
2421 EMIT2(0xEB, 6);
2422
2423 /* Check the condition for high 32-bit comparison */
2424 jmp_cond = get_cond_jmp_opcode(BPF_OP(code), false);
2425 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2426 return -EFAULT;
2427 jmp_offset = addrs[i + insn->off] - addrs[i];
2428 if (is_simm32(jmp_offset)) {
2429 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2430 } else {
2431 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2432 return -EFAULT;
2433 }
2434 break;
2435 }
2436 case BPF_JMP | BPF_JA:
2437 if (insn->off == -1)
2438 /* -1 jmp instructions will always jump
2439 * backwards two bytes. Explicitly handling
2440 * this case avoids wasting too many passes
2441 * when there are long sequences of replaced
2442 * dead code.
2443 */
2444 jmp_offset = -2;
2445 else
2446 jmp_offset = addrs[i + insn->off] - addrs[i];
2447
2448 if (!jmp_offset)
2449 /* Optimize out nop jumps */
2450 break;
2451emit_jmp:
2452 if (is_imm8(jmp_offset)) {
2453 EMIT2(0xEB, jmp_offset);
2454 } else if (is_simm32(jmp_offset)) {
2455 EMIT1_off32(0xE9, jmp_offset);
2456 } else {
2457 pr_err("jmp gen bug %llx\n", jmp_offset);
2458 return -EFAULT;
2459 }
2460 break;
2461 case BPF_STX | BPF_ATOMIC | BPF_W:
2462 case BPF_STX | BPF_ATOMIC | BPF_DW:
2463 goto notyet;
2464 case BPF_JMP | BPF_EXIT:
2465 if (seen_exit) {
2466 jmp_offset = ctx->cleanup_addr - addrs[i];
2467 goto emit_jmp;
2468 }
2469 seen_exit = true;
2470 /* Update cleanup_addr */
2471 ctx->cleanup_addr = proglen;
2472 emit_epilogue(&prog, bpf_prog->aux->stack_depth);
2473 break;
2474notyet:
2475 pr_info_once("*** NOT YET: opcode %02x ***\n", code);
2476 return -EFAULT;
2477 default:
2478 /*
2479 * This error will be seen if new instruction was added
2480 * to interpreter, but not to JIT or if there is junk in
2481 * bpf_prog
2482 */
2483 pr_err("bpf_jit: unknown opcode %02x\n", code);
2484 return -EINVAL;
2485 }
2486
2487 ilen = prog - temp;
2488 if (ilen > BPF_MAX_INSN_SIZE) {
2489 pr_err("bpf_jit: fatal insn size error\n");
2490 return -EFAULT;
2491 }
2492
2493 if (image) {
2494 /*
2495 * When populating the image, assert that:
2496 *
2497 * i) We do not write beyond the allocated space, and
2498 * ii) addrs[i] did not change from the prior run, in order
2499 * to validate assumptions made for computing branch
2500 * displacements.
2501 */
2502 if (unlikely(proglen + ilen > oldproglen ||
2503 proglen + ilen != addrs[i])) {
2504 pr_err("bpf_jit: fatal error\n");
2505 return -EFAULT;
2506 }
2507 memcpy(image + proglen, temp, ilen);
2508 }
2509 proglen += ilen;
2510 addrs[i] = proglen;
2511 prog = temp;
2512 }
2513 return proglen;
2514}
2515
2516bool bpf_jit_needs_zext(void)
2517{
2518 return true;
2519}
2520
2521struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
2522{
2523 struct bpf_binary_header *header = NULL;
2524 struct bpf_prog *tmp, *orig_prog = prog;
2525 int proglen, oldproglen = 0;
2526 struct jit_context ctx = {};
2527 bool tmp_blinded = false;
2528 u8 *image = NULL;
2529 int *addrs;
2530 int pass;
2531 int i;
2532
2533 if (!prog->jit_requested)
2534 return orig_prog;
2535
2536 tmp = bpf_jit_blind_constants(prog);
2537 /*
2538 * If blinding was requested and we failed during blinding,
2539 * we must fall back to the interpreter.
2540 */
2541 if (IS_ERR(tmp))
2542 return orig_prog;
2543 if (tmp != prog) {
2544 tmp_blinded = true;
2545 prog = tmp;
2546 }
2547
2548 addrs = kmalloc_array(prog->len, sizeof(*addrs), GFP_KERNEL);
2549 if (!addrs) {
2550 prog = orig_prog;
2551 goto out;
2552 }
2553
2554 /*
2555 * Before first pass, make a rough estimation of addrs[]
2556 * each BPF instruction is translated to less than 64 bytes
2557 */
2558 for (proglen = 0, i = 0; i < prog->len; i++) {
2559 proglen += 64;
2560 addrs[i] = proglen;
2561 }
2562 ctx.cleanup_addr = proglen;
2563
2564 /*
2565 * JITed image shrinks with every pass and the loop iterates
2566 * until the image stops shrinking. Very large BPF programs
2567 * may converge on the last pass. In such case do one more
2568 * pass to emit the final image.
2569 */
2570 for (pass = 0; pass < 20 || image; pass++) {
2571 proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
2572 if (proglen <= 0) {
2573out_image:
2574 image = NULL;
2575 if (header)
2576 bpf_jit_binary_free(header);
2577 prog = orig_prog;
2578 goto out_addrs;
2579 }
2580 if (image) {
2581 if (proglen != oldproglen) {
2582 pr_err("bpf_jit: proglen=%d != oldproglen=%d\n",
2583 proglen, oldproglen);
2584 goto out_image;
2585 }
2586 break;
2587 }
2588 if (proglen == oldproglen) {
2589 header = bpf_jit_binary_alloc(proglen, &image,
2590 1, jit_fill_hole);
2591 if (!header) {
2592 prog = orig_prog;
2593 goto out_addrs;
2594 }
2595 }
2596 oldproglen = proglen;
2597 cond_resched();
2598 }
2599
2600 if (bpf_jit_enable > 1)
2601 bpf_jit_dump(prog->len, proglen, pass + 1, image);
2602
2603 if (image && !bpf_jit_binary_lock_ro(header)) {
2604 prog->bpf_func = (void *)image;
2605 prog->jited = 1;
2606 prog->jited_len = proglen;
2607 } else {
2608 prog = orig_prog;
2609 }
2610
2611out_addrs:
2612 kfree(addrs);
2613out:
2614 if (tmp_blinded)
2615 bpf_jit_prog_release_other(prog, prog == orig_prog ?
2616 tmp : orig_prog);
2617 return prog;
2618}
2619
2620bool bpf_jit_supports_kfunc_call(void)
2621{
2622 return true;
2623}
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Just-In-Time compiler for eBPF filters on IA32 (32bit x86)
4 *
5 * Author: Wang YanQing (udknight@gmail.com)
6 * The code based on code and ideas from:
7 * Eric Dumazet (eric.dumazet@gmail.com)
8 * and from:
9 * Shubham Bansal <illusionist.neo@gmail.com>
10 */
11
12#include <linux/netdevice.h>
13#include <linux/filter.h>
14#include <linux/if_vlan.h>
15#include <asm/cacheflush.h>
16#include <asm/set_memory.h>
17#include <asm/nospec-branch.h>
18#include <linux/bpf.h>
19
20/*
21 * eBPF prog stack layout:
22 *
23 * high
24 * original ESP => +-----+
25 * | | callee saved registers
26 * +-----+
27 * | ... | eBPF JIT scratch space
28 * BPF_FP,IA32_EBP => +-----+
29 * | ... | eBPF prog stack
30 * +-----+
31 * |RSVD | JIT scratchpad
32 * current ESP => +-----+
33 * | |
34 * | ... | Function call stack
35 * | |
36 * +-----+
37 * low
38 *
39 * The callee saved registers:
40 *
41 * high
42 * original ESP => +------------------+ \
43 * | ebp | |
44 * current EBP => +------------------+ } callee saved registers
45 * | ebx,esi,edi | |
46 * +------------------+ /
47 * low
48 */
49
50static u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
51{
52 if (len == 1)
53 *ptr = bytes;
54 else if (len == 2)
55 *(u16 *)ptr = bytes;
56 else {
57 *(u32 *)ptr = bytes;
58 barrier();
59 }
60 return ptr + len;
61}
62
63#define EMIT(bytes, len) \
64 do { prog = emit_code(prog, bytes, len); cnt += len; } while (0)
65
66#define EMIT1(b1) EMIT(b1, 1)
67#define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2)
68#define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3)
69#define EMIT4(b1, b2, b3, b4) \
70 EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4)
71
72#define EMIT1_off32(b1, off) \
73 do { EMIT1(b1); EMIT(off, 4); } while (0)
74#define EMIT2_off32(b1, b2, off) \
75 do { EMIT2(b1, b2); EMIT(off, 4); } while (0)
76#define EMIT3_off32(b1, b2, b3, off) \
77 do { EMIT3(b1, b2, b3); EMIT(off, 4); } while (0)
78#define EMIT4_off32(b1, b2, b3, b4, off) \
79 do { EMIT4(b1, b2, b3, b4); EMIT(off, 4); } while (0)
80
81#define jmp_label(label, jmp_insn_len) (label - cnt - jmp_insn_len)
82
83static bool is_imm8(int value)
84{
85 return value <= 127 && value >= -128;
86}
87
88static bool is_simm32(s64 value)
89{
90 return value == (s64) (s32) value;
91}
92
93#define STACK_OFFSET(k) (k)
94#define TCALL_CNT (MAX_BPF_JIT_REG + 0) /* Tail Call Count */
95
96#define IA32_EAX (0x0)
97#define IA32_EBX (0x3)
98#define IA32_ECX (0x1)
99#define IA32_EDX (0x2)
100#define IA32_ESI (0x6)
101#define IA32_EDI (0x7)
102#define IA32_EBP (0x5)
103#define IA32_ESP (0x4)
104
105/*
106 * List of x86 cond jumps opcodes (. + s8)
107 * Add 0x10 (and an extra 0x0f) to generate far jumps (. + s32)
108 */
109#define IA32_JB 0x72
110#define IA32_JAE 0x73
111#define IA32_JE 0x74
112#define IA32_JNE 0x75
113#define IA32_JBE 0x76
114#define IA32_JA 0x77
115#define IA32_JL 0x7C
116#define IA32_JGE 0x7D
117#define IA32_JLE 0x7E
118#define IA32_JG 0x7F
119
120#define COND_JMP_OPCODE_INVALID (0xFF)
121
122/*
123 * Map eBPF registers to IA32 32bit registers or stack scratch space.
124 *
125 * 1. All the registers, R0-R10, are mapped to scratch space on stack.
126 * 2. We need two 64 bit temp registers to do complex operations on eBPF
127 * registers.
128 * 3. For performance reason, the BPF_REG_AX for blinding constant, is
129 * mapped to real hardware register pair, IA32_ESI and IA32_EDI.
130 *
131 * As the eBPF registers are all 64 bit registers and IA32 has only 32 bit
132 * registers, we have to map each eBPF registers with two IA32 32 bit regs
133 * or scratch memory space and we have to build eBPF 64 bit register from those.
134 *
135 * We use IA32_EAX, IA32_EDX, IA32_ECX, IA32_EBX as temporary registers.
136 */
137static const u8 bpf2ia32[][2] = {
138 /* Return value from in-kernel function, and exit value from eBPF */
139 [BPF_REG_0] = {STACK_OFFSET(0), STACK_OFFSET(4)},
140
141 /* The arguments from eBPF program to in-kernel function */
142 /* Stored on stack scratch space */
143 [BPF_REG_1] = {STACK_OFFSET(8), STACK_OFFSET(12)},
144 [BPF_REG_2] = {STACK_OFFSET(16), STACK_OFFSET(20)},
145 [BPF_REG_3] = {STACK_OFFSET(24), STACK_OFFSET(28)},
146 [BPF_REG_4] = {STACK_OFFSET(32), STACK_OFFSET(36)},
147 [BPF_REG_5] = {STACK_OFFSET(40), STACK_OFFSET(44)},
148
149 /* Callee saved registers that in-kernel function will preserve */
150 /* Stored on stack scratch space */
151 [BPF_REG_6] = {STACK_OFFSET(48), STACK_OFFSET(52)},
152 [BPF_REG_7] = {STACK_OFFSET(56), STACK_OFFSET(60)},
153 [BPF_REG_8] = {STACK_OFFSET(64), STACK_OFFSET(68)},
154 [BPF_REG_9] = {STACK_OFFSET(72), STACK_OFFSET(76)},
155
156 /* Read only Frame Pointer to access Stack */
157 [BPF_REG_FP] = {STACK_OFFSET(80), STACK_OFFSET(84)},
158
159 /* Temporary register for blinding constants. */
160 [BPF_REG_AX] = {IA32_ESI, IA32_EDI},
161
162 /* Tail call count. Stored on stack scratch space. */
163 [TCALL_CNT] = {STACK_OFFSET(88), STACK_OFFSET(92)},
164};
165
166#define dst_lo dst[0]
167#define dst_hi dst[1]
168#define src_lo src[0]
169#define src_hi src[1]
170
171#define STACK_ALIGNMENT 8
172/*
173 * Stack space for BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4,
174 * BPF_REG_5, BPF_REG_6, BPF_REG_7, BPF_REG_8, BPF_REG_9,
175 * BPF_REG_FP, BPF_REG_AX and Tail call counts.
176 */
177#define SCRATCH_SIZE 96
178
179/* Total stack size used in JITed code */
180#define _STACK_SIZE (stack_depth + SCRATCH_SIZE)
181
182#define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT)
183
184/* Get the offset of eBPF REGISTERs stored on scratch space. */
185#define STACK_VAR(off) (off)
186
187/* Encode 'dst_reg' register into IA32 opcode 'byte' */
188static u8 add_1reg(u8 byte, u32 dst_reg)
189{
190 return byte + dst_reg;
191}
192
193/* Encode 'dst_reg' and 'src_reg' registers into IA32 opcode 'byte' */
194static u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
195{
196 return byte + dst_reg + (src_reg << 3);
197}
198
199static void jit_fill_hole(void *area, unsigned int size)
200{
201 /* Fill whole space with int3 instructions */
202 memset(area, 0xcc, size);
203}
204
205static inline void emit_ia32_mov_i(const u8 dst, const u32 val, bool dstk,
206 u8 **pprog)
207{
208 u8 *prog = *pprog;
209 int cnt = 0;
210
211 if (dstk) {
212 if (val == 0) {
213 /* xor eax,eax */
214 EMIT2(0x33, add_2reg(0xC0, IA32_EAX, IA32_EAX));
215 /* mov dword ptr [ebp+off],eax */
216 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
217 STACK_VAR(dst));
218 } else {
219 EMIT3_off32(0xC7, add_1reg(0x40, IA32_EBP),
220 STACK_VAR(dst), val);
221 }
222 } else {
223 if (val == 0)
224 EMIT2(0x33, add_2reg(0xC0, dst, dst));
225 else
226 EMIT2_off32(0xC7, add_1reg(0xC0, dst),
227 val);
228 }
229 *pprog = prog;
230}
231
232/* dst = imm (4 bytes)*/
233static inline void emit_ia32_mov_r(const u8 dst, const u8 src, bool dstk,
234 bool sstk, u8 **pprog)
235{
236 u8 *prog = *pprog;
237 int cnt = 0;
238 u8 sreg = sstk ? IA32_EAX : src;
239
240 if (sstk)
241 /* mov eax,dword ptr [ebp+off] */
242 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(src));
243 if (dstk)
244 /* mov dword ptr [ebp+off],eax */
245 EMIT3(0x89, add_2reg(0x40, IA32_EBP, sreg), STACK_VAR(dst));
246 else
247 /* mov dst,sreg */
248 EMIT2(0x89, add_2reg(0xC0, dst, sreg));
249
250 *pprog = prog;
251}
252
253/* dst = src */
254static inline void emit_ia32_mov_r64(const bool is64, const u8 dst[],
255 const u8 src[], bool dstk,
256 bool sstk, u8 **pprog,
257 const struct bpf_prog_aux *aux)
258{
259 emit_ia32_mov_r(dst_lo, src_lo, dstk, sstk, pprog);
260 if (is64)
261 /* complete 8 byte move */
262 emit_ia32_mov_r(dst_hi, src_hi, dstk, sstk, pprog);
263 else if (!aux->verifier_zext)
264 /* zero out high 4 bytes */
265 emit_ia32_mov_i(dst_hi, 0, dstk, pprog);
266}
267
268/* Sign extended move */
269static inline void emit_ia32_mov_i64(const bool is64, const u8 dst[],
270 const u32 val, bool dstk, u8 **pprog)
271{
272 u32 hi = 0;
273
274 if (is64 && (val & (1<<31)))
275 hi = (u32)~0;
276 emit_ia32_mov_i(dst_lo, val, dstk, pprog);
277 emit_ia32_mov_i(dst_hi, hi, dstk, pprog);
278}
279
280/*
281 * ALU operation (32 bit)
282 * dst = dst * src
283 */
284static inline void emit_ia32_mul_r(const u8 dst, const u8 src, bool dstk,
285 bool sstk, u8 **pprog)
286{
287 u8 *prog = *pprog;
288 int cnt = 0;
289 u8 sreg = sstk ? IA32_ECX : src;
290
291 if (sstk)
292 /* mov ecx,dword ptr [ebp+off] */
293 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src));
294
295 if (dstk)
296 /* mov eax,dword ptr [ebp+off] */
297 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
298 else
299 /* mov eax,dst */
300 EMIT2(0x8B, add_2reg(0xC0, dst, IA32_EAX));
301
302
303 EMIT2(0xF7, add_1reg(0xE0, sreg));
304
305 if (dstk)
306 /* mov dword ptr [ebp+off],eax */
307 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
308 STACK_VAR(dst));
309 else
310 /* mov dst,eax */
311 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EAX));
312
313 *pprog = prog;
314}
315
316static inline void emit_ia32_to_le_r64(const u8 dst[], s32 val,
317 bool dstk, u8 **pprog,
318 const struct bpf_prog_aux *aux)
319{
320 u8 *prog = *pprog;
321 int cnt = 0;
322 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
323 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
324
325 if (dstk && val != 64) {
326 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
327 STACK_VAR(dst_lo));
328 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
329 STACK_VAR(dst_hi));
330 }
331 switch (val) {
332 case 16:
333 /*
334 * Emit 'movzwl eax,ax' to zero extend 16-bit
335 * into 64 bit
336 */
337 EMIT2(0x0F, 0xB7);
338 EMIT1(add_2reg(0xC0, dreg_lo, dreg_lo));
339 if (!aux->verifier_zext)
340 /* xor dreg_hi,dreg_hi */
341 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
342 break;
343 case 32:
344 if (!aux->verifier_zext)
345 /* xor dreg_hi,dreg_hi */
346 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
347 break;
348 case 64:
349 /* nop */
350 break;
351 }
352
353 if (dstk && val != 64) {
354 /* mov dword ptr [ebp+off],dreg_lo */
355 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
356 STACK_VAR(dst_lo));
357 /* mov dword ptr [ebp+off],dreg_hi */
358 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
359 STACK_VAR(dst_hi));
360 }
361 *pprog = prog;
362}
363
364static inline void emit_ia32_to_be_r64(const u8 dst[], s32 val,
365 bool dstk, u8 **pprog,
366 const struct bpf_prog_aux *aux)
367{
368 u8 *prog = *pprog;
369 int cnt = 0;
370 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
371 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
372
373 if (dstk) {
374 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
375 STACK_VAR(dst_lo));
376 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
377 STACK_VAR(dst_hi));
378 }
379 switch (val) {
380 case 16:
381 /* Emit 'ror %ax, 8' to swap lower 2 bytes */
382 EMIT1(0x66);
383 EMIT3(0xC1, add_1reg(0xC8, dreg_lo), 8);
384
385 EMIT2(0x0F, 0xB7);
386 EMIT1(add_2reg(0xC0, dreg_lo, dreg_lo));
387
388 if (!aux->verifier_zext)
389 /* xor dreg_hi,dreg_hi */
390 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
391 break;
392 case 32:
393 /* Emit 'bswap eax' to swap lower 4 bytes */
394 EMIT1(0x0F);
395 EMIT1(add_1reg(0xC8, dreg_lo));
396
397 if (!aux->verifier_zext)
398 /* xor dreg_hi,dreg_hi */
399 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
400 break;
401 case 64:
402 /* Emit 'bswap eax' to swap lower 4 bytes */
403 EMIT1(0x0F);
404 EMIT1(add_1reg(0xC8, dreg_lo));
405
406 /* Emit 'bswap edx' to swap lower 4 bytes */
407 EMIT1(0x0F);
408 EMIT1(add_1reg(0xC8, dreg_hi));
409
410 /* mov ecx,dreg_hi */
411 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, dreg_hi));
412 /* mov dreg_hi,dreg_lo */
413 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
414 /* mov dreg_lo,ecx */
415 EMIT2(0x89, add_2reg(0xC0, dreg_lo, IA32_ECX));
416
417 break;
418 }
419 if (dstk) {
420 /* mov dword ptr [ebp+off],dreg_lo */
421 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
422 STACK_VAR(dst_lo));
423 /* mov dword ptr [ebp+off],dreg_hi */
424 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
425 STACK_VAR(dst_hi));
426 }
427 *pprog = prog;
428}
429
430/*
431 * ALU operation (32 bit)
432 * dst = dst (div|mod) src
433 */
434static inline void emit_ia32_div_mod_r(const u8 op, const u8 dst, const u8 src,
435 bool dstk, bool sstk, u8 **pprog)
436{
437 u8 *prog = *pprog;
438 int cnt = 0;
439
440 if (sstk)
441 /* mov ecx,dword ptr [ebp+off] */
442 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
443 STACK_VAR(src));
444 else if (src != IA32_ECX)
445 /* mov ecx,src */
446 EMIT2(0x8B, add_2reg(0xC0, src, IA32_ECX));
447
448 if (dstk)
449 /* mov eax,dword ptr [ebp+off] */
450 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
451 STACK_VAR(dst));
452 else
453 /* mov eax,dst */
454 EMIT2(0x8B, add_2reg(0xC0, dst, IA32_EAX));
455
456 /* xor edx,edx */
457 EMIT2(0x31, add_2reg(0xC0, IA32_EDX, IA32_EDX));
458 /* div ecx */
459 EMIT2(0xF7, add_1reg(0xF0, IA32_ECX));
460
461 if (op == BPF_MOD) {
462 if (dstk)
463 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
464 STACK_VAR(dst));
465 else
466 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EDX));
467 } else {
468 if (dstk)
469 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
470 STACK_VAR(dst));
471 else
472 EMIT2(0x89, add_2reg(0xC0, dst, IA32_EAX));
473 }
474 *pprog = prog;
475}
476
477/*
478 * ALU operation (32 bit)
479 * dst = dst (shift) src
480 */
481static inline void emit_ia32_shift_r(const u8 op, const u8 dst, const u8 src,
482 bool dstk, bool sstk, u8 **pprog)
483{
484 u8 *prog = *pprog;
485 int cnt = 0;
486 u8 dreg = dstk ? IA32_EAX : dst;
487 u8 b2;
488
489 if (dstk)
490 /* mov eax,dword ptr [ebp+off] */
491 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
492
493 if (sstk)
494 /* mov ecx,dword ptr [ebp+off] */
495 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src));
496 else if (src != IA32_ECX)
497 /* mov ecx,src */
498 EMIT2(0x8B, add_2reg(0xC0, src, IA32_ECX));
499
500 switch (op) {
501 case BPF_LSH:
502 b2 = 0xE0; break;
503 case BPF_RSH:
504 b2 = 0xE8; break;
505 case BPF_ARSH:
506 b2 = 0xF8; break;
507 default:
508 return;
509 }
510 EMIT2(0xD3, add_1reg(b2, dreg));
511
512 if (dstk)
513 /* mov dword ptr [ebp+off],dreg */
514 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg), STACK_VAR(dst));
515 *pprog = prog;
516}
517
518/*
519 * ALU operation (32 bit)
520 * dst = dst (op) src
521 */
522static inline void emit_ia32_alu_r(const bool is64, const bool hi, const u8 op,
523 const u8 dst, const u8 src, bool dstk,
524 bool sstk, u8 **pprog)
525{
526 u8 *prog = *pprog;
527 int cnt = 0;
528 u8 sreg = sstk ? IA32_EAX : src;
529 u8 dreg = dstk ? IA32_EDX : dst;
530
531 if (sstk)
532 /* mov eax,dword ptr [ebp+off] */
533 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(src));
534
535 if (dstk)
536 /* mov eax,dword ptr [ebp+off] */
537 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(dst));
538
539 switch (BPF_OP(op)) {
540 /* dst = dst + src */
541 case BPF_ADD:
542 if (hi && is64)
543 EMIT2(0x11, add_2reg(0xC0, dreg, sreg));
544 else
545 EMIT2(0x01, add_2reg(0xC0, dreg, sreg));
546 break;
547 /* dst = dst - src */
548 case BPF_SUB:
549 if (hi && is64)
550 EMIT2(0x19, add_2reg(0xC0, dreg, sreg));
551 else
552 EMIT2(0x29, add_2reg(0xC0, dreg, sreg));
553 break;
554 /* dst = dst | src */
555 case BPF_OR:
556 EMIT2(0x09, add_2reg(0xC0, dreg, sreg));
557 break;
558 /* dst = dst & src */
559 case BPF_AND:
560 EMIT2(0x21, add_2reg(0xC0, dreg, sreg));
561 break;
562 /* dst = dst ^ src */
563 case BPF_XOR:
564 EMIT2(0x31, add_2reg(0xC0, dreg, sreg));
565 break;
566 }
567
568 if (dstk)
569 /* mov dword ptr [ebp+off],dreg */
570 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg),
571 STACK_VAR(dst));
572 *pprog = prog;
573}
574
575/* ALU operation (64 bit) */
576static inline void emit_ia32_alu_r64(const bool is64, const u8 op,
577 const u8 dst[], const u8 src[],
578 bool dstk, bool sstk,
579 u8 **pprog, const struct bpf_prog_aux *aux)
580{
581 u8 *prog = *pprog;
582
583 emit_ia32_alu_r(is64, false, op, dst_lo, src_lo, dstk, sstk, &prog);
584 if (is64)
585 emit_ia32_alu_r(is64, true, op, dst_hi, src_hi, dstk, sstk,
586 &prog);
587 else if (!aux->verifier_zext)
588 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
589 *pprog = prog;
590}
591
592/*
593 * ALU operation (32 bit)
594 * dst = dst (op) val
595 */
596static inline void emit_ia32_alu_i(const bool is64, const bool hi, const u8 op,
597 const u8 dst, const s32 val, bool dstk,
598 u8 **pprog)
599{
600 u8 *prog = *pprog;
601 int cnt = 0;
602 u8 dreg = dstk ? IA32_EAX : dst;
603 u8 sreg = IA32_EDX;
604
605 if (dstk)
606 /* mov eax,dword ptr [ebp+off] */
607 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(dst));
608
609 if (!is_imm8(val))
610 /* mov edx,imm32*/
611 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EDX), val);
612
613 switch (op) {
614 /* dst = dst + val */
615 case BPF_ADD:
616 if (hi && is64) {
617 if (is_imm8(val))
618 EMIT3(0x83, add_1reg(0xD0, dreg), val);
619 else
620 EMIT2(0x11, add_2reg(0xC0, dreg, sreg));
621 } else {
622 if (is_imm8(val))
623 EMIT3(0x83, add_1reg(0xC0, dreg), val);
624 else
625 EMIT2(0x01, add_2reg(0xC0, dreg, sreg));
626 }
627 break;
628 /* dst = dst - val */
629 case BPF_SUB:
630 if (hi && is64) {
631 if (is_imm8(val))
632 EMIT3(0x83, add_1reg(0xD8, dreg), val);
633 else
634 EMIT2(0x19, add_2reg(0xC0, dreg, sreg));
635 } else {
636 if (is_imm8(val))
637 EMIT3(0x83, add_1reg(0xE8, dreg), val);
638 else
639 EMIT2(0x29, add_2reg(0xC0, dreg, sreg));
640 }
641 break;
642 /* dst = dst | val */
643 case BPF_OR:
644 if (is_imm8(val))
645 EMIT3(0x83, add_1reg(0xC8, dreg), val);
646 else
647 EMIT2(0x09, add_2reg(0xC0, dreg, sreg));
648 break;
649 /* dst = dst & val */
650 case BPF_AND:
651 if (is_imm8(val))
652 EMIT3(0x83, add_1reg(0xE0, dreg), val);
653 else
654 EMIT2(0x21, add_2reg(0xC0, dreg, sreg));
655 break;
656 /* dst = dst ^ val */
657 case BPF_XOR:
658 if (is_imm8(val))
659 EMIT3(0x83, add_1reg(0xF0, dreg), val);
660 else
661 EMIT2(0x31, add_2reg(0xC0, dreg, sreg));
662 break;
663 case BPF_NEG:
664 EMIT2(0xF7, add_1reg(0xD8, dreg));
665 break;
666 }
667
668 if (dstk)
669 /* mov dword ptr [ebp+off],dreg */
670 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg),
671 STACK_VAR(dst));
672 *pprog = prog;
673}
674
675/* ALU operation (64 bit) */
676static inline void emit_ia32_alu_i64(const bool is64, const u8 op,
677 const u8 dst[], const u32 val,
678 bool dstk, u8 **pprog,
679 const struct bpf_prog_aux *aux)
680{
681 u8 *prog = *pprog;
682 u32 hi = 0;
683
684 if (is64 && (val & (1<<31)))
685 hi = (u32)~0;
686
687 emit_ia32_alu_i(is64, false, op, dst_lo, val, dstk, &prog);
688 if (is64)
689 emit_ia32_alu_i(is64, true, op, dst_hi, hi, dstk, &prog);
690 else if (!aux->verifier_zext)
691 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
692
693 *pprog = prog;
694}
695
696/* dst = ~dst (64 bit) */
697static inline void emit_ia32_neg64(const u8 dst[], bool dstk, u8 **pprog)
698{
699 u8 *prog = *pprog;
700 int cnt = 0;
701 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
702 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
703
704 if (dstk) {
705 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
706 STACK_VAR(dst_lo));
707 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
708 STACK_VAR(dst_hi));
709 }
710
711 /* neg dreg_lo */
712 EMIT2(0xF7, add_1reg(0xD8, dreg_lo));
713 /* adc dreg_hi,0x0 */
714 EMIT3(0x83, add_1reg(0xD0, dreg_hi), 0x00);
715 /* neg dreg_hi */
716 EMIT2(0xF7, add_1reg(0xD8, dreg_hi));
717
718 if (dstk) {
719 /* mov dword ptr [ebp+off],dreg_lo */
720 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
721 STACK_VAR(dst_lo));
722 /* mov dword ptr [ebp+off],dreg_hi */
723 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
724 STACK_VAR(dst_hi));
725 }
726 *pprog = prog;
727}
728
729/* dst = dst << src */
730static inline void emit_ia32_lsh_r64(const u8 dst[], const u8 src[],
731 bool dstk, bool sstk, u8 **pprog)
732{
733 u8 *prog = *pprog;
734 int cnt = 0;
735 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
736 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
737
738 if (dstk) {
739 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
740 STACK_VAR(dst_lo));
741 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
742 STACK_VAR(dst_hi));
743 }
744
745 if (sstk)
746 /* mov ecx,dword ptr [ebp+off] */
747 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
748 STACK_VAR(src_lo));
749 else
750 /* mov ecx,src_lo */
751 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
752
753 /* shld dreg_hi,dreg_lo,cl */
754 EMIT3(0x0F, 0xA5, add_2reg(0xC0, dreg_hi, dreg_lo));
755 /* shl dreg_lo,cl */
756 EMIT2(0xD3, add_1reg(0xE0, dreg_lo));
757
758 /* if ecx >= 32, mov dreg_lo into dreg_hi and clear dreg_lo */
759
760 /* cmp ecx,32 */
761 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
762 /* skip the next two instructions (4 bytes) when < 32 */
763 EMIT2(IA32_JB, 4);
764
765 /* mov dreg_hi,dreg_lo */
766 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
767 /* xor dreg_lo,dreg_lo */
768 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
769
770 if (dstk) {
771 /* mov dword ptr [ebp+off],dreg_lo */
772 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
773 STACK_VAR(dst_lo));
774 /* mov dword ptr [ebp+off],dreg_hi */
775 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
776 STACK_VAR(dst_hi));
777 }
778 /* out: */
779 *pprog = prog;
780}
781
782/* dst = dst >> src (signed)*/
783static inline void emit_ia32_arsh_r64(const u8 dst[], const u8 src[],
784 bool dstk, bool sstk, u8 **pprog)
785{
786 u8 *prog = *pprog;
787 int cnt = 0;
788 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
789 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
790
791 if (dstk) {
792 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
793 STACK_VAR(dst_lo));
794 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
795 STACK_VAR(dst_hi));
796 }
797
798 if (sstk)
799 /* mov ecx,dword ptr [ebp+off] */
800 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
801 STACK_VAR(src_lo));
802 else
803 /* mov ecx,src_lo */
804 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
805
806 /* shrd dreg_lo,dreg_hi,cl */
807 EMIT3(0x0F, 0xAD, add_2reg(0xC0, dreg_lo, dreg_hi));
808 /* sar dreg_hi,cl */
809 EMIT2(0xD3, add_1reg(0xF8, dreg_hi));
810
811 /* if ecx >= 32, mov dreg_hi to dreg_lo and set/clear dreg_hi depending on sign */
812
813 /* cmp ecx,32 */
814 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
815 /* skip the next two instructions (5 bytes) when < 32 */
816 EMIT2(IA32_JB, 5);
817
818 /* mov dreg_lo,dreg_hi */
819 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
820 /* sar dreg_hi,31 */
821 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
822
823 if (dstk) {
824 /* mov dword ptr [ebp+off],dreg_lo */
825 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
826 STACK_VAR(dst_lo));
827 /* mov dword ptr [ebp+off],dreg_hi */
828 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
829 STACK_VAR(dst_hi));
830 }
831 /* out: */
832 *pprog = prog;
833}
834
835/* dst = dst >> src */
836static inline void emit_ia32_rsh_r64(const u8 dst[], const u8 src[], bool dstk,
837 bool sstk, u8 **pprog)
838{
839 u8 *prog = *pprog;
840 int cnt = 0;
841 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
842 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
843
844 if (dstk) {
845 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
846 STACK_VAR(dst_lo));
847 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
848 STACK_VAR(dst_hi));
849 }
850
851 if (sstk)
852 /* mov ecx,dword ptr [ebp+off] */
853 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
854 STACK_VAR(src_lo));
855 else
856 /* mov ecx,src_lo */
857 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_ECX));
858
859 /* shrd dreg_lo,dreg_hi,cl */
860 EMIT3(0x0F, 0xAD, add_2reg(0xC0, dreg_lo, dreg_hi));
861 /* shr dreg_hi,cl */
862 EMIT2(0xD3, add_1reg(0xE8, dreg_hi));
863
864 /* if ecx >= 32, mov dreg_hi to dreg_lo and clear dreg_hi */
865
866 /* cmp ecx,32 */
867 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), 32);
868 /* skip the next two instructions (4 bytes) when < 32 */
869 EMIT2(IA32_JB, 4);
870
871 /* mov dreg_lo,dreg_hi */
872 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
873 /* xor dreg_hi,dreg_hi */
874 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
875
876 if (dstk) {
877 /* mov dword ptr [ebp+off],dreg_lo */
878 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
879 STACK_VAR(dst_lo));
880 /* mov dword ptr [ebp+off],dreg_hi */
881 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
882 STACK_VAR(dst_hi));
883 }
884 /* out: */
885 *pprog = prog;
886}
887
888/* dst = dst << val */
889static inline void emit_ia32_lsh_i64(const u8 dst[], const u32 val,
890 bool dstk, u8 **pprog)
891{
892 u8 *prog = *pprog;
893 int cnt = 0;
894 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
895 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
896
897 if (dstk) {
898 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
899 STACK_VAR(dst_lo));
900 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
901 STACK_VAR(dst_hi));
902 }
903 /* Do LSH operation */
904 if (val < 32) {
905 /* shld dreg_hi,dreg_lo,imm8 */
906 EMIT4(0x0F, 0xA4, add_2reg(0xC0, dreg_hi, dreg_lo), val);
907 /* shl dreg_lo,imm8 */
908 EMIT3(0xC1, add_1reg(0xE0, dreg_lo), val);
909 } else if (val >= 32 && val < 64) {
910 u32 value = val - 32;
911
912 /* shl dreg_lo,imm8 */
913 EMIT3(0xC1, add_1reg(0xE0, dreg_lo), value);
914 /* mov dreg_hi,dreg_lo */
915 EMIT2(0x89, add_2reg(0xC0, dreg_hi, dreg_lo));
916 /* xor dreg_lo,dreg_lo */
917 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
918 } else {
919 /* xor dreg_lo,dreg_lo */
920 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
921 /* xor dreg_hi,dreg_hi */
922 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
923 }
924
925 if (dstk) {
926 /* mov dword ptr [ebp+off],dreg_lo */
927 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
928 STACK_VAR(dst_lo));
929 /* mov dword ptr [ebp+off],dreg_hi */
930 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
931 STACK_VAR(dst_hi));
932 }
933 *pprog = prog;
934}
935
936/* dst = dst >> val */
937static inline void emit_ia32_rsh_i64(const u8 dst[], const u32 val,
938 bool dstk, u8 **pprog)
939{
940 u8 *prog = *pprog;
941 int cnt = 0;
942 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
943 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
944
945 if (dstk) {
946 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
947 STACK_VAR(dst_lo));
948 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
949 STACK_VAR(dst_hi));
950 }
951
952 /* Do RSH operation */
953 if (val < 32) {
954 /* shrd dreg_lo,dreg_hi,imm8 */
955 EMIT4(0x0F, 0xAC, add_2reg(0xC0, dreg_lo, dreg_hi), val);
956 /* shr dreg_hi,imm8 */
957 EMIT3(0xC1, add_1reg(0xE8, dreg_hi), val);
958 } else if (val >= 32 && val < 64) {
959 u32 value = val - 32;
960
961 /* shr dreg_hi,imm8 */
962 EMIT3(0xC1, add_1reg(0xE8, dreg_hi), value);
963 /* mov dreg_lo,dreg_hi */
964 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
965 /* xor dreg_hi,dreg_hi */
966 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
967 } else {
968 /* xor dreg_lo,dreg_lo */
969 EMIT2(0x33, add_2reg(0xC0, dreg_lo, dreg_lo));
970 /* xor dreg_hi,dreg_hi */
971 EMIT2(0x33, add_2reg(0xC0, dreg_hi, dreg_hi));
972 }
973
974 if (dstk) {
975 /* mov dword ptr [ebp+off],dreg_lo */
976 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
977 STACK_VAR(dst_lo));
978 /* mov dword ptr [ebp+off],dreg_hi */
979 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
980 STACK_VAR(dst_hi));
981 }
982 *pprog = prog;
983}
984
985/* dst = dst >> val (signed) */
986static inline void emit_ia32_arsh_i64(const u8 dst[], const u32 val,
987 bool dstk, u8 **pprog)
988{
989 u8 *prog = *pprog;
990 int cnt = 0;
991 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
992 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
993
994 if (dstk) {
995 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
996 STACK_VAR(dst_lo));
997 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
998 STACK_VAR(dst_hi));
999 }
1000 /* Do RSH operation */
1001 if (val < 32) {
1002 /* shrd dreg_lo,dreg_hi,imm8 */
1003 EMIT4(0x0F, 0xAC, add_2reg(0xC0, dreg_lo, dreg_hi), val);
1004 /* ashr dreg_hi,imm8 */
1005 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), val);
1006 } else if (val >= 32 && val < 64) {
1007 u32 value = val - 32;
1008
1009 /* ashr dreg_hi,imm8 */
1010 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), value);
1011 /* mov dreg_lo,dreg_hi */
1012 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
1013
1014 /* ashr dreg_hi,imm8 */
1015 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
1016 } else {
1017 /* ashr dreg_hi,imm8 */
1018 EMIT3(0xC1, add_1reg(0xF8, dreg_hi), 31);
1019 /* mov dreg_lo,dreg_hi */
1020 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dreg_hi));
1021 }
1022
1023 if (dstk) {
1024 /* mov dword ptr [ebp+off],dreg_lo */
1025 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_lo),
1026 STACK_VAR(dst_lo));
1027 /* mov dword ptr [ebp+off],dreg_hi */
1028 EMIT3(0x89, add_2reg(0x40, IA32_EBP, dreg_hi),
1029 STACK_VAR(dst_hi));
1030 }
1031 *pprog = prog;
1032}
1033
1034static inline void emit_ia32_mul_r64(const u8 dst[], const u8 src[], bool dstk,
1035 bool sstk, u8 **pprog)
1036{
1037 u8 *prog = *pprog;
1038 int cnt = 0;
1039
1040 if (dstk)
1041 /* mov eax,dword ptr [ebp+off] */
1042 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1043 STACK_VAR(dst_hi));
1044 else
1045 /* mov eax,dst_hi */
1046 EMIT2(0x8B, add_2reg(0xC0, dst_hi, IA32_EAX));
1047
1048 if (sstk)
1049 /* mul dword ptr [ebp+off] */
1050 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_lo));
1051 else
1052 /* mul src_lo */
1053 EMIT2(0xF7, add_1reg(0xE0, src_lo));
1054
1055 /* mov ecx,eax */
1056 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1057
1058 if (dstk)
1059 /* mov eax,dword ptr [ebp+off] */
1060 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1061 STACK_VAR(dst_lo));
1062 else
1063 /* mov eax,dst_lo */
1064 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1065
1066 if (sstk)
1067 /* mul dword ptr [ebp+off] */
1068 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_hi));
1069 else
1070 /* mul src_hi */
1071 EMIT2(0xF7, add_1reg(0xE0, src_hi));
1072
1073 /* add eax,eax */
1074 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1075
1076 if (dstk)
1077 /* mov eax,dword ptr [ebp+off] */
1078 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1079 STACK_VAR(dst_lo));
1080 else
1081 /* mov eax,dst_lo */
1082 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1083
1084 if (sstk)
1085 /* mul dword ptr [ebp+off] */
1086 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(src_lo));
1087 else
1088 /* mul src_lo */
1089 EMIT2(0xF7, add_1reg(0xE0, src_lo));
1090
1091 /* add ecx,edx */
1092 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EDX));
1093
1094 if (dstk) {
1095 /* mov dword ptr [ebp+off],eax */
1096 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1097 STACK_VAR(dst_lo));
1098 /* mov dword ptr [ebp+off],ecx */
1099 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX),
1100 STACK_VAR(dst_hi));
1101 } else {
1102 /* mov dst_lo,eax */
1103 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EAX));
1104 /* mov dst_hi,ecx */
1105 EMIT2(0x89, add_2reg(0xC0, dst_hi, IA32_ECX));
1106 }
1107
1108 *pprog = prog;
1109}
1110
1111static inline void emit_ia32_mul_i64(const u8 dst[], const u32 val,
1112 bool dstk, u8 **pprog)
1113{
1114 u8 *prog = *pprog;
1115 int cnt = 0;
1116 u32 hi;
1117
1118 hi = val & (1<<31) ? (u32)~0 : 0;
1119 /* movl eax,imm32 */
1120 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), val);
1121 if (dstk)
1122 /* mul dword ptr [ebp+off] */
1123 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_hi));
1124 else
1125 /* mul dst_hi */
1126 EMIT2(0xF7, add_1reg(0xE0, dst_hi));
1127
1128 /* mov ecx,eax */
1129 EMIT2(0x89, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1130
1131 /* movl eax,imm32 */
1132 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), hi);
1133 if (dstk)
1134 /* mul dword ptr [ebp+off] */
1135 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_lo));
1136 else
1137 /* mul dst_lo */
1138 EMIT2(0xF7, add_1reg(0xE0, dst_lo));
1139 /* add ecx,eax */
1140 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EAX));
1141
1142 /* movl eax,imm32 */
1143 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EAX), val);
1144 if (dstk)
1145 /* mul dword ptr [ebp+off] */
1146 EMIT3(0xF7, add_1reg(0x60, IA32_EBP), STACK_VAR(dst_lo));
1147 else
1148 /* mul dst_lo */
1149 EMIT2(0xF7, add_1reg(0xE0, dst_lo));
1150
1151 /* add ecx,edx */
1152 EMIT2(0x01, add_2reg(0xC0, IA32_ECX, IA32_EDX));
1153
1154 if (dstk) {
1155 /* mov dword ptr [ebp+off],eax */
1156 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1157 STACK_VAR(dst_lo));
1158 /* mov dword ptr [ebp+off],ecx */
1159 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX),
1160 STACK_VAR(dst_hi));
1161 } else {
1162 /* mov dword ptr [ebp+off],eax */
1163 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EAX));
1164 /* mov dword ptr [ebp+off],ecx */
1165 EMIT2(0x89, add_2reg(0xC0, dst_hi, IA32_ECX));
1166 }
1167
1168 *pprog = prog;
1169}
1170
1171static int bpf_size_to_x86_bytes(int bpf_size)
1172{
1173 if (bpf_size == BPF_W)
1174 return 4;
1175 else if (bpf_size == BPF_H)
1176 return 2;
1177 else if (bpf_size == BPF_B)
1178 return 1;
1179 else if (bpf_size == BPF_DW)
1180 return 4; /* imm32 */
1181 else
1182 return 0;
1183}
1184
1185struct jit_context {
1186 int cleanup_addr; /* Epilogue code offset */
1187};
1188
1189/* Maximum number of bytes emitted while JITing one eBPF insn */
1190#define BPF_MAX_INSN_SIZE 128
1191#define BPF_INSN_SAFETY 64
1192
1193#define PROLOGUE_SIZE 35
1194
1195/*
1196 * Emit prologue code for BPF program and check it's size.
1197 * bpf_tail_call helper will skip it while jumping into another program.
1198 */
1199static void emit_prologue(u8 **pprog, u32 stack_depth)
1200{
1201 u8 *prog = *pprog;
1202 int cnt = 0;
1203 const u8 *r1 = bpf2ia32[BPF_REG_1];
1204 const u8 fplo = bpf2ia32[BPF_REG_FP][0];
1205 const u8 fphi = bpf2ia32[BPF_REG_FP][1];
1206 const u8 *tcc = bpf2ia32[TCALL_CNT];
1207
1208 /* push ebp */
1209 EMIT1(0x55);
1210 /* mov ebp,esp */
1211 EMIT2(0x89, 0xE5);
1212 /* push edi */
1213 EMIT1(0x57);
1214 /* push esi */
1215 EMIT1(0x56);
1216 /* push ebx */
1217 EMIT1(0x53);
1218
1219 /* sub esp,STACK_SIZE */
1220 EMIT2_off32(0x81, 0xEC, STACK_SIZE);
1221 /* sub ebp,SCRATCH_SIZE+12*/
1222 EMIT3(0x83, add_1reg(0xE8, IA32_EBP), SCRATCH_SIZE + 12);
1223 /* xor ebx,ebx */
1224 EMIT2(0x31, add_2reg(0xC0, IA32_EBX, IA32_EBX));
1225
1226 /* Set up BPF prog stack base register */
1227 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBP), STACK_VAR(fplo));
1228 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(fphi));
1229
1230 /* Move BPF_CTX (EAX) to BPF_REG_R1 */
1231 /* mov dword ptr [ebp+off],eax */
1232 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r1[0]));
1233 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(r1[1]));
1234
1235 /* Initialize Tail Count */
1236 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[0]));
1237 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1238
1239 BUILD_BUG_ON(cnt != PROLOGUE_SIZE);
1240 *pprog = prog;
1241}
1242
1243/* Emit epilogue code for BPF program */
1244static void emit_epilogue(u8 **pprog, u32 stack_depth)
1245{
1246 u8 *prog = *pprog;
1247 const u8 *r0 = bpf2ia32[BPF_REG_0];
1248 int cnt = 0;
1249
1250 /* mov eax,dword ptr [ebp+off]*/
1251 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r0[0]));
1252 /* mov edx,dword ptr [ebp+off]*/
1253 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(r0[1]));
1254
1255 /* add ebp,SCRATCH_SIZE+12*/
1256 EMIT3(0x83, add_1reg(0xC0, IA32_EBP), SCRATCH_SIZE + 12);
1257
1258 /* mov ebx,dword ptr [ebp-12]*/
1259 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EBX), -12);
1260 /* mov esi,dword ptr [ebp-8]*/
1261 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ESI), -8);
1262 /* mov edi,dword ptr [ebp-4]*/
1263 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDI), -4);
1264
1265 EMIT1(0xC9); /* leave */
1266 EMIT1(0xC3); /* ret */
1267 *pprog = prog;
1268}
1269
1270/*
1271 * Generate the following code:
1272 * ... bpf_tail_call(void *ctx, struct bpf_array *array, u64 index) ...
1273 * if (index >= array->map.max_entries)
1274 * goto out;
1275 * if (++tail_call_cnt > MAX_TAIL_CALL_CNT)
1276 * goto out;
1277 * prog = array->ptrs[index];
1278 * if (prog == NULL)
1279 * goto out;
1280 * goto *(prog->bpf_func + prologue_size);
1281 * out:
1282 */
1283static void emit_bpf_tail_call(u8 **pprog)
1284{
1285 u8 *prog = *pprog;
1286 int cnt = 0;
1287 const u8 *r1 = bpf2ia32[BPF_REG_1];
1288 const u8 *r2 = bpf2ia32[BPF_REG_2];
1289 const u8 *r3 = bpf2ia32[BPF_REG_3];
1290 const u8 *tcc = bpf2ia32[TCALL_CNT];
1291 u32 lo, hi;
1292 static int jmp_label1 = -1;
1293
1294 /*
1295 * if (index >= array->map.max_entries)
1296 * goto out;
1297 */
1298 /* mov eax,dword ptr [ebp+off] */
1299 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r2[0]));
1300 /* mov edx,dword ptr [ebp+off] */
1301 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX), STACK_VAR(r3[0]));
1302
1303 /* cmp dword ptr [eax+off],edx */
1304 EMIT3(0x39, add_2reg(0x40, IA32_EAX, IA32_EDX),
1305 offsetof(struct bpf_array, map.max_entries));
1306 /* jbe out */
1307 EMIT2(IA32_JBE, jmp_label(jmp_label1, 2));
1308
1309 /*
1310 * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
1311 * goto out;
1312 */
1313 lo = (u32)MAX_TAIL_CALL_CNT;
1314 hi = (u32)((u64)MAX_TAIL_CALL_CNT >> 32);
1315 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(tcc[0]));
1316 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1317
1318 /* cmp edx,hi */
1319 EMIT3(0x83, add_1reg(0xF8, IA32_EBX), hi);
1320 EMIT2(IA32_JNE, 3);
1321 /* cmp ecx,lo */
1322 EMIT3(0x83, add_1reg(0xF8, IA32_ECX), lo);
1323
1324 /* ja out */
1325 EMIT2(IA32_JAE, jmp_label(jmp_label1, 2));
1326
1327 /* add eax,0x1 */
1328 EMIT3(0x83, add_1reg(0xC0, IA32_ECX), 0x01);
1329 /* adc ebx,0x0 */
1330 EMIT3(0x83, add_1reg(0xD0, IA32_EBX), 0x00);
1331
1332 /* mov dword ptr [ebp+off],eax */
1333 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(tcc[0]));
1334 /* mov dword ptr [ebp+off],edx */
1335 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EBX), STACK_VAR(tcc[1]));
1336
1337 /* prog = array->ptrs[index]; */
1338 /* mov edx, [eax + edx * 4 + offsetof(...)] */
1339 EMIT3_off32(0x8B, 0x94, 0x90, offsetof(struct bpf_array, ptrs));
1340
1341 /*
1342 * if (prog == NULL)
1343 * goto out;
1344 */
1345 /* test edx,edx */
1346 EMIT2(0x85, add_2reg(0xC0, IA32_EDX, IA32_EDX));
1347 /* je out */
1348 EMIT2(IA32_JE, jmp_label(jmp_label1, 2));
1349
1350 /* goto *(prog->bpf_func + prologue_size); */
1351 /* mov edx, dword ptr [edx + 32] */
1352 EMIT3(0x8B, add_2reg(0x40, IA32_EDX, IA32_EDX),
1353 offsetof(struct bpf_prog, bpf_func));
1354 /* add edx,prologue_size */
1355 EMIT3(0x83, add_1reg(0xC0, IA32_EDX), PROLOGUE_SIZE);
1356
1357 /* mov eax,dword ptr [ebp+off] */
1358 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX), STACK_VAR(r1[0]));
1359
1360 /*
1361 * Now we're ready to jump into next BPF program:
1362 * eax == ctx (1st arg)
1363 * edx == prog->bpf_func + prologue_size
1364 */
1365 RETPOLINE_EDX_BPF_JIT();
1366
1367 if (jmp_label1 == -1)
1368 jmp_label1 = cnt;
1369
1370 /* out: */
1371 *pprog = prog;
1372}
1373
1374/* Push the scratch stack register on top of the stack. */
1375static inline void emit_push_r64(const u8 src[], u8 **pprog)
1376{
1377 u8 *prog = *pprog;
1378 int cnt = 0;
1379
1380 /* mov ecx,dword ptr [ebp+off] */
1381 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_hi));
1382 /* push ecx */
1383 EMIT1(0x51);
1384
1385 /* mov ecx,dword ptr [ebp+off] */
1386 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_lo));
1387 /* push ecx */
1388 EMIT1(0x51);
1389
1390 *pprog = prog;
1391}
1392
1393static void emit_push_r32(const u8 src[], u8 **pprog)
1394{
1395 u8 *prog = *pprog;
1396 int cnt = 0;
1397
1398 /* mov ecx,dword ptr [ebp+off] */
1399 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX), STACK_VAR(src_lo));
1400 /* push ecx */
1401 EMIT1(0x51);
1402
1403 *pprog = prog;
1404}
1405
1406static u8 get_cond_jmp_opcode(const u8 op, bool is_cmp_lo)
1407{
1408 u8 jmp_cond;
1409
1410 /* Convert BPF opcode to x86 */
1411 switch (op) {
1412 case BPF_JEQ:
1413 jmp_cond = IA32_JE;
1414 break;
1415 case BPF_JSET:
1416 case BPF_JNE:
1417 jmp_cond = IA32_JNE;
1418 break;
1419 case BPF_JGT:
1420 /* GT is unsigned '>', JA in x86 */
1421 jmp_cond = IA32_JA;
1422 break;
1423 case BPF_JLT:
1424 /* LT is unsigned '<', JB in x86 */
1425 jmp_cond = IA32_JB;
1426 break;
1427 case BPF_JGE:
1428 /* GE is unsigned '>=', JAE in x86 */
1429 jmp_cond = IA32_JAE;
1430 break;
1431 case BPF_JLE:
1432 /* LE is unsigned '<=', JBE in x86 */
1433 jmp_cond = IA32_JBE;
1434 break;
1435 case BPF_JSGT:
1436 if (!is_cmp_lo)
1437 /* Signed '>', GT in x86 */
1438 jmp_cond = IA32_JG;
1439 else
1440 /* GT is unsigned '>', JA in x86 */
1441 jmp_cond = IA32_JA;
1442 break;
1443 case BPF_JSLT:
1444 if (!is_cmp_lo)
1445 /* Signed '<', LT in x86 */
1446 jmp_cond = IA32_JL;
1447 else
1448 /* LT is unsigned '<', JB in x86 */
1449 jmp_cond = IA32_JB;
1450 break;
1451 case BPF_JSGE:
1452 if (!is_cmp_lo)
1453 /* Signed '>=', GE in x86 */
1454 jmp_cond = IA32_JGE;
1455 else
1456 /* GE is unsigned '>=', JAE in x86 */
1457 jmp_cond = IA32_JAE;
1458 break;
1459 case BPF_JSLE:
1460 if (!is_cmp_lo)
1461 /* Signed '<=', LE in x86 */
1462 jmp_cond = IA32_JLE;
1463 else
1464 /* LE is unsigned '<=', JBE in x86 */
1465 jmp_cond = IA32_JBE;
1466 break;
1467 default: /* to silence GCC warning */
1468 jmp_cond = COND_JMP_OPCODE_INVALID;
1469 break;
1470 }
1471
1472 return jmp_cond;
1473}
1474
1475/* i386 kernel compiles with "-mregparm=3". From gcc document:
1476 *
1477 * ==== snippet ====
1478 * regparm (number)
1479 * On x86-32 targets, the regparm attribute causes the compiler
1480 * to pass arguments number one to (number) if they are of integral
1481 * type in registers EAX, EDX, and ECX instead of on the stack.
1482 * Functions that take a variable number of arguments continue
1483 * to be passed all of their arguments on the stack.
1484 * ==== snippet ====
1485 *
1486 * The first three args of a function will be considered for
1487 * putting into the 32bit register EAX, EDX, and ECX.
1488 *
1489 * Two 32bit registers are used to pass a 64bit arg.
1490 *
1491 * For example,
1492 * void foo(u32 a, u32 b, u32 c, u32 d):
1493 * u32 a: EAX
1494 * u32 b: EDX
1495 * u32 c: ECX
1496 * u32 d: stack
1497 *
1498 * void foo(u64 a, u32 b, u32 c):
1499 * u64 a: EAX (lo32) EDX (hi32)
1500 * u32 b: ECX
1501 * u32 c: stack
1502 *
1503 * void foo(u32 a, u64 b, u32 c):
1504 * u32 a: EAX
1505 * u64 b: EDX (lo32) ECX (hi32)
1506 * u32 c: stack
1507 *
1508 * void foo(u32 a, u32 b, u64 c):
1509 * u32 a: EAX
1510 * u32 b: EDX
1511 * u64 c: stack
1512 *
1513 * The return value will be stored in the EAX (and EDX for 64bit value).
1514 *
1515 * For example,
1516 * u32 foo(u32 a, u32 b, u32 c):
1517 * return value: EAX
1518 *
1519 * u64 foo(u32 a, u32 b, u32 c):
1520 * return value: EAX (lo32) EDX (hi32)
1521 *
1522 * Notes:
1523 * The verifier only accepts function having integer and pointers
1524 * as its args and return value, so it does not have
1525 * struct-by-value.
1526 *
1527 * emit_kfunc_call() finds out the btf_func_model by calling
1528 * bpf_jit_find_kfunc_model(). A btf_func_model
1529 * has the details about the number of args, size of each arg,
1530 * and the size of the return value.
1531 *
1532 * It first decides how many args can be passed by EAX, EDX, and ECX.
1533 * That will decide what args should be pushed to the stack:
1534 * [first_stack_regno, last_stack_regno] are the bpf regnos
1535 * that should be pushed to the stack.
1536 *
1537 * It will first push all args to the stack because the push
1538 * will need to use ECX. Then, it moves
1539 * [BPF_REG_1, first_stack_regno) to EAX, EDX, and ECX.
1540 *
1541 * When emitting a call (0xE8), it needs to figure out
1542 * the jmp_offset relative to the jit-insn address immediately
1543 * following the call (0xE8) instruction. At this point, it knows
1544 * the end of the jit-insn address after completely translated the
1545 * current (BPF_JMP | BPF_CALL) bpf-insn. It is passed as "end_addr"
1546 * to the emit_kfunc_call(). Thus, it can learn the "immediate-follow-call"
1547 * address by figuring out how many jit-insn is generated between
1548 * the call (0xE8) and the end_addr:
1549 * - 0-1 jit-insn (3 bytes each) to restore the esp pointer if there
1550 * is arg pushed to the stack.
1551 * - 0-2 jit-insns (3 bytes each) to handle the return value.
1552 */
1553static int emit_kfunc_call(const struct bpf_prog *bpf_prog, u8 *end_addr,
1554 const struct bpf_insn *insn, u8 **pprog)
1555{
1556 const u8 arg_regs[] = { IA32_EAX, IA32_EDX, IA32_ECX };
1557 int i, cnt = 0, first_stack_regno, last_stack_regno;
1558 int free_arg_regs = ARRAY_SIZE(arg_regs);
1559 const struct btf_func_model *fm;
1560 int bytes_in_stack = 0;
1561 const u8 *cur_arg_reg;
1562 u8 *prog = *pprog;
1563 s64 jmp_offset;
1564
1565 fm = bpf_jit_find_kfunc_model(bpf_prog, insn);
1566 if (!fm)
1567 return -EINVAL;
1568
1569 first_stack_regno = BPF_REG_1;
1570 for (i = 0; i < fm->nr_args; i++) {
1571 int regs_needed = fm->arg_size[i] > sizeof(u32) ? 2 : 1;
1572
1573 if (regs_needed > free_arg_regs)
1574 break;
1575
1576 free_arg_regs -= regs_needed;
1577 first_stack_regno++;
1578 }
1579
1580 /* Push the args to the stack */
1581 last_stack_regno = BPF_REG_0 + fm->nr_args;
1582 for (i = last_stack_regno; i >= first_stack_regno; i--) {
1583 if (fm->arg_size[i - 1] > sizeof(u32)) {
1584 emit_push_r64(bpf2ia32[i], &prog);
1585 bytes_in_stack += 8;
1586 } else {
1587 emit_push_r32(bpf2ia32[i], &prog);
1588 bytes_in_stack += 4;
1589 }
1590 }
1591
1592 cur_arg_reg = &arg_regs[0];
1593 for (i = BPF_REG_1; i < first_stack_regno; i++) {
1594 /* mov e[adc]x,dword ptr [ebp+off] */
1595 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, *cur_arg_reg++),
1596 STACK_VAR(bpf2ia32[i][0]));
1597 if (fm->arg_size[i - 1] > sizeof(u32))
1598 /* mov e[adc]x,dword ptr [ebp+off] */
1599 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, *cur_arg_reg++),
1600 STACK_VAR(bpf2ia32[i][1]));
1601 }
1602
1603 if (bytes_in_stack)
1604 /* add esp,"bytes_in_stack" */
1605 end_addr -= 3;
1606
1607 /* mov dword ptr [ebp+off],edx */
1608 if (fm->ret_size > sizeof(u32))
1609 end_addr -= 3;
1610
1611 /* mov dword ptr [ebp+off],eax */
1612 if (fm->ret_size)
1613 end_addr -= 3;
1614
1615 jmp_offset = (u8 *)__bpf_call_base + insn->imm - end_addr;
1616 if (!is_simm32(jmp_offset)) {
1617 pr_err("unsupported BPF kernel function jmp_offset:%lld\n",
1618 jmp_offset);
1619 return -EINVAL;
1620 }
1621
1622 EMIT1_off32(0xE8, jmp_offset);
1623
1624 if (fm->ret_size)
1625 /* mov dword ptr [ebp+off],eax */
1626 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
1627 STACK_VAR(bpf2ia32[BPF_REG_0][0]));
1628
1629 if (fm->ret_size > sizeof(u32))
1630 /* mov dword ptr [ebp+off],edx */
1631 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
1632 STACK_VAR(bpf2ia32[BPF_REG_0][1]));
1633
1634 if (bytes_in_stack)
1635 /* add esp,"bytes_in_stack" */
1636 EMIT3(0x83, add_1reg(0xC0, IA32_ESP), bytes_in_stack);
1637
1638 *pprog = prog;
1639
1640 return 0;
1641}
1642
1643static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
1644 int oldproglen, struct jit_context *ctx)
1645{
1646 struct bpf_insn *insn = bpf_prog->insnsi;
1647 int insn_cnt = bpf_prog->len;
1648 bool seen_exit = false;
1649 u8 temp[BPF_MAX_INSN_SIZE + BPF_INSN_SAFETY];
1650 int i, cnt = 0;
1651 int proglen = 0;
1652 u8 *prog = temp;
1653
1654 emit_prologue(&prog, bpf_prog->aux->stack_depth);
1655
1656 for (i = 0; i < insn_cnt; i++, insn++) {
1657 const s32 imm32 = insn->imm;
1658 const bool is64 = BPF_CLASS(insn->code) == BPF_ALU64;
1659 const bool dstk = insn->dst_reg != BPF_REG_AX;
1660 const bool sstk = insn->src_reg != BPF_REG_AX;
1661 const u8 code = insn->code;
1662 const u8 *dst = bpf2ia32[insn->dst_reg];
1663 const u8 *src = bpf2ia32[insn->src_reg];
1664 const u8 *r0 = bpf2ia32[BPF_REG_0];
1665 s64 jmp_offset;
1666 u8 jmp_cond;
1667 int ilen;
1668 u8 *func;
1669
1670 switch (code) {
1671 /* ALU operations */
1672 /* dst = src */
1673 case BPF_ALU | BPF_MOV | BPF_K:
1674 case BPF_ALU | BPF_MOV | BPF_X:
1675 case BPF_ALU64 | BPF_MOV | BPF_K:
1676 case BPF_ALU64 | BPF_MOV | BPF_X:
1677 switch (BPF_SRC(code)) {
1678 case BPF_X:
1679 if (imm32 == 1) {
1680 /* Special mov32 for zext. */
1681 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1682 break;
1683 }
1684 emit_ia32_mov_r64(is64, dst, src, dstk, sstk,
1685 &prog, bpf_prog->aux);
1686 break;
1687 case BPF_K:
1688 /* Sign-extend immediate value to dst reg */
1689 emit_ia32_mov_i64(is64, dst, imm32,
1690 dstk, &prog);
1691 break;
1692 }
1693 break;
1694 /* dst = dst + src/imm */
1695 /* dst = dst - src/imm */
1696 /* dst = dst | src/imm */
1697 /* dst = dst & src/imm */
1698 /* dst = dst ^ src/imm */
1699 /* dst = dst * src/imm */
1700 /* dst = dst << src */
1701 /* dst = dst >> src */
1702 case BPF_ALU | BPF_ADD | BPF_K:
1703 case BPF_ALU | BPF_ADD | BPF_X:
1704 case BPF_ALU | BPF_SUB | BPF_K:
1705 case BPF_ALU | BPF_SUB | BPF_X:
1706 case BPF_ALU | BPF_OR | BPF_K:
1707 case BPF_ALU | BPF_OR | BPF_X:
1708 case BPF_ALU | BPF_AND | BPF_K:
1709 case BPF_ALU | BPF_AND | BPF_X:
1710 case BPF_ALU | BPF_XOR | BPF_K:
1711 case BPF_ALU | BPF_XOR | BPF_X:
1712 case BPF_ALU64 | BPF_ADD | BPF_K:
1713 case BPF_ALU64 | BPF_ADD | BPF_X:
1714 case BPF_ALU64 | BPF_SUB | BPF_K:
1715 case BPF_ALU64 | BPF_SUB | BPF_X:
1716 case BPF_ALU64 | BPF_OR | BPF_K:
1717 case BPF_ALU64 | BPF_OR | BPF_X:
1718 case BPF_ALU64 | BPF_AND | BPF_K:
1719 case BPF_ALU64 | BPF_AND | BPF_X:
1720 case BPF_ALU64 | BPF_XOR | BPF_K:
1721 case BPF_ALU64 | BPF_XOR | BPF_X:
1722 switch (BPF_SRC(code)) {
1723 case BPF_X:
1724 emit_ia32_alu_r64(is64, BPF_OP(code), dst,
1725 src, dstk, sstk, &prog,
1726 bpf_prog->aux);
1727 break;
1728 case BPF_K:
1729 emit_ia32_alu_i64(is64, BPF_OP(code), dst,
1730 imm32, dstk, &prog,
1731 bpf_prog->aux);
1732 break;
1733 }
1734 break;
1735 case BPF_ALU | BPF_MUL | BPF_K:
1736 case BPF_ALU | BPF_MUL | BPF_X:
1737 switch (BPF_SRC(code)) {
1738 case BPF_X:
1739 emit_ia32_mul_r(dst_lo, src_lo, dstk,
1740 sstk, &prog);
1741 break;
1742 case BPF_K:
1743 /* mov ecx,imm32*/
1744 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1745 imm32);
1746 emit_ia32_mul_r(dst_lo, IA32_ECX, dstk,
1747 false, &prog);
1748 break;
1749 }
1750 if (!bpf_prog->aux->verifier_zext)
1751 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1752 break;
1753 case BPF_ALU | BPF_LSH | BPF_X:
1754 case BPF_ALU | BPF_RSH | BPF_X:
1755 case BPF_ALU | BPF_ARSH | BPF_K:
1756 case BPF_ALU | BPF_ARSH | BPF_X:
1757 switch (BPF_SRC(code)) {
1758 case BPF_X:
1759 emit_ia32_shift_r(BPF_OP(code), dst_lo, src_lo,
1760 dstk, sstk, &prog);
1761 break;
1762 case BPF_K:
1763 /* mov ecx,imm32*/
1764 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1765 imm32);
1766 emit_ia32_shift_r(BPF_OP(code), dst_lo,
1767 IA32_ECX, dstk, false,
1768 &prog);
1769 break;
1770 }
1771 if (!bpf_prog->aux->verifier_zext)
1772 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1773 break;
1774 /* dst = dst / src(imm) */
1775 /* dst = dst % src(imm) */
1776 case BPF_ALU | BPF_DIV | BPF_K:
1777 case BPF_ALU | BPF_DIV | BPF_X:
1778 case BPF_ALU | BPF_MOD | BPF_K:
1779 case BPF_ALU | BPF_MOD | BPF_X:
1780 switch (BPF_SRC(code)) {
1781 case BPF_X:
1782 emit_ia32_div_mod_r(BPF_OP(code), dst_lo,
1783 src_lo, dstk, sstk, &prog);
1784 break;
1785 case BPF_K:
1786 /* mov ecx,imm32*/
1787 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX),
1788 imm32);
1789 emit_ia32_div_mod_r(BPF_OP(code), dst_lo,
1790 IA32_ECX, dstk, false,
1791 &prog);
1792 break;
1793 }
1794 if (!bpf_prog->aux->verifier_zext)
1795 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1796 break;
1797 case BPF_ALU64 | BPF_DIV | BPF_K:
1798 case BPF_ALU64 | BPF_DIV | BPF_X:
1799 case BPF_ALU64 | BPF_MOD | BPF_K:
1800 case BPF_ALU64 | BPF_MOD | BPF_X:
1801 goto notyet;
1802 /* dst = dst >> imm */
1803 /* dst = dst << imm */
1804 case BPF_ALU | BPF_RSH | BPF_K:
1805 case BPF_ALU | BPF_LSH | BPF_K:
1806 if (unlikely(imm32 > 31))
1807 return -EINVAL;
1808 /* mov ecx,imm32*/
1809 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
1810 emit_ia32_shift_r(BPF_OP(code), dst_lo, IA32_ECX, dstk,
1811 false, &prog);
1812 if (!bpf_prog->aux->verifier_zext)
1813 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1814 break;
1815 /* dst = dst << imm */
1816 case BPF_ALU64 | BPF_LSH | BPF_K:
1817 if (unlikely(imm32 > 63))
1818 return -EINVAL;
1819 emit_ia32_lsh_i64(dst, imm32, dstk, &prog);
1820 break;
1821 /* dst = dst >> imm */
1822 case BPF_ALU64 | BPF_RSH | BPF_K:
1823 if (unlikely(imm32 > 63))
1824 return -EINVAL;
1825 emit_ia32_rsh_i64(dst, imm32, dstk, &prog);
1826 break;
1827 /* dst = dst << src */
1828 case BPF_ALU64 | BPF_LSH | BPF_X:
1829 emit_ia32_lsh_r64(dst, src, dstk, sstk, &prog);
1830 break;
1831 /* dst = dst >> src */
1832 case BPF_ALU64 | BPF_RSH | BPF_X:
1833 emit_ia32_rsh_r64(dst, src, dstk, sstk, &prog);
1834 break;
1835 /* dst = dst >> src (signed) */
1836 case BPF_ALU64 | BPF_ARSH | BPF_X:
1837 emit_ia32_arsh_r64(dst, src, dstk, sstk, &prog);
1838 break;
1839 /* dst = dst >> imm (signed) */
1840 case BPF_ALU64 | BPF_ARSH | BPF_K:
1841 if (unlikely(imm32 > 63))
1842 return -EINVAL;
1843 emit_ia32_arsh_i64(dst, imm32, dstk, &prog);
1844 break;
1845 /* dst = ~dst */
1846 case BPF_ALU | BPF_NEG:
1847 emit_ia32_alu_i(is64, false, BPF_OP(code),
1848 dst_lo, 0, dstk, &prog);
1849 if (!bpf_prog->aux->verifier_zext)
1850 emit_ia32_mov_i(dst_hi, 0, dstk, &prog);
1851 break;
1852 /* dst = ~dst (64 bit) */
1853 case BPF_ALU64 | BPF_NEG:
1854 emit_ia32_neg64(dst, dstk, &prog);
1855 break;
1856 /* dst = dst * src/imm */
1857 case BPF_ALU64 | BPF_MUL | BPF_X:
1858 case BPF_ALU64 | BPF_MUL | BPF_K:
1859 switch (BPF_SRC(code)) {
1860 case BPF_X:
1861 emit_ia32_mul_r64(dst, src, dstk, sstk, &prog);
1862 break;
1863 case BPF_K:
1864 emit_ia32_mul_i64(dst, imm32, dstk, &prog);
1865 break;
1866 }
1867 break;
1868 /* dst = htole(dst) */
1869 case BPF_ALU | BPF_END | BPF_FROM_LE:
1870 emit_ia32_to_le_r64(dst, imm32, dstk, &prog,
1871 bpf_prog->aux);
1872 break;
1873 /* dst = htobe(dst) */
1874 case BPF_ALU | BPF_END | BPF_FROM_BE:
1875 emit_ia32_to_be_r64(dst, imm32, dstk, &prog,
1876 bpf_prog->aux);
1877 break;
1878 /* dst = imm64 */
1879 case BPF_LD | BPF_IMM | BPF_DW: {
1880 s32 hi, lo = imm32;
1881
1882 hi = insn[1].imm;
1883 emit_ia32_mov_i(dst_lo, lo, dstk, &prog);
1884 emit_ia32_mov_i(dst_hi, hi, dstk, &prog);
1885 insn++;
1886 i++;
1887 break;
1888 }
1889 /* speculation barrier */
1890 case BPF_ST | BPF_NOSPEC:
1891 if (boot_cpu_has(X86_FEATURE_XMM2))
1892 /* Emit 'lfence' */
1893 EMIT3(0x0F, 0xAE, 0xE8);
1894 break;
1895 /* ST: *(u8*)(dst_reg + off) = imm */
1896 case BPF_ST | BPF_MEM | BPF_H:
1897 case BPF_ST | BPF_MEM | BPF_B:
1898 case BPF_ST | BPF_MEM | BPF_W:
1899 case BPF_ST | BPF_MEM | BPF_DW:
1900 if (dstk)
1901 /* mov eax,dword ptr [ebp+off] */
1902 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1903 STACK_VAR(dst_lo));
1904 else
1905 /* mov eax,dst_lo */
1906 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1907
1908 switch (BPF_SIZE(code)) {
1909 case BPF_B:
1910 EMIT(0xC6, 1); break;
1911 case BPF_H:
1912 EMIT2(0x66, 0xC7); break;
1913 case BPF_W:
1914 case BPF_DW:
1915 EMIT(0xC7, 1); break;
1916 }
1917
1918 if (is_imm8(insn->off))
1919 EMIT2(add_1reg(0x40, IA32_EAX), insn->off);
1920 else
1921 EMIT1_off32(add_1reg(0x80, IA32_EAX),
1922 insn->off);
1923 EMIT(imm32, bpf_size_to_x86_bytes(BPF_SIZE(code)));
1924
1925 if (BPF_SIZE(code) == BPF_DW) {
1926 u32 hi;
1927
1928 hi = imm32 & (1<<31) ? (u32)~0 : 0;
1929 EMIT2_off32(0xC7, add_1reg(0x80, IA32_EAX),
1930 insn->off + 4);
1931 EMIT(hi, 4);
1932 }
1933 break;
1934
1935 /* STX: *(u8*)(dst_reg + off) = src_reg */
1936 case BPF_STX | BPF_MEM | BPF_B:
1937 case BPF_STX | BPF_MEM | BPF_H:
1938 case BPF_STX | BPF_MEM | BPF_W:
1939 case BPF_STX | BPF_MEM | BPF_DW:
1940 if (dstk)
1941 /* mov eax,dword ptr [ebp+off] */
1942 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
1943 STACK_VAR(dst_lo));
1944 else
1945 /* mov eax,dst_lo */
1946 EMIT2(0x8B, add_2reg(0xC0, dst_lo, IA32_EAX));
1947
1948 if (sstk)
1949 /* mov edx,dword ptr [ebp+off] */
1950 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
1951 STACK_VAR(src_lo));
1952 else
1953 /* mov edx,src_lo */
1954 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_EDX));
1955
1956 switch (BPF_SIZE(code)) {
1957 case BPF_B:
1958 EMIT(0x88, 1); break;
1959 case BPF_H:
1960 EMIT2(0x66, 0x89); break;
1961 case BPF_W:
1962 case BPF_DW:
1963 EMIT(0x89, 1); break;
1964 }
1965
1966 if (is_imm8(insn->off))
1967 EMIT2(add_2reg(0x40, IA32_EAX, IA32_EDX),
1968 insn->off);
1969 else
1970 EMIT1_off32(add_2reg(0x80, IA32_EAX, IA32_EDX),
1971 insn->off);
1972
1973 if (BPF_SIZE(code) == BPF_DW) {
1974 if (sstk)
1975 /* mov edi,dword ptr [ebp+off] */
1976 EMIT3(0x8B, add_2reg(0x40, IA32_EBP,
1977 IA32_EDX),
1978 STACK_VAR(src_hi));
1979 else
1980 /* mov edi,src_hi */
1981 EMIT2(0x8B, add_2reg(0xC0, src_hi,
1982 IA32_EDX));
1983 EMIT1(0x89);
1984 if (is_imm8(insn->off + 4)) {
1985 EMIT2(add_2reg(0x40, IA32_EAX,
1986 IA32_EDX),
1987 insn->off + 4);
1988 } else {
1989 EMIT1(add_2reg(0x80, IA32_EAX,
1990 IA32_EDX));
1991 EMIT(insn->off + 4, 4);
1992 }
1993 }
1994 break;
1995
1996 /* LDX: dst_reg = *(u8*)(src_reg + off) */
1997 case BPF_LDX | BPF_MEM | BPF_B:
1998 case BPF_LDX | BPF_MEM | BPF_H:
1999 case BPF_LDX | BPF_MEM | BPF_W:
2000 case BPF_LDX | BPF_MEM | BPF_DW:
2001 if (sstk)
2002 /* mov eax,dword ptr [ebp+off] */
2003 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2004 STACK_VAR(src_lo));
2005 else
2006 /* mov eax,dword ptr [ebp+off] */
2007 EMIT2(0x8B, add_2reg(0xC0, src_lo, IA32_EAX));
2008
2009 switch (BPF_SIZE(code)) {
2010 case BPF_B:
2011 EMIT2(0x0F, 0xB6); break;
2012 case BPF_H:
2013 EMIT2(0x0F, 0xB7); break;
2014 case BPF_W:
2015 case BPF_DW:
2016 EMIT(0x8B, 1); break;
2017 }
2018
2019 if (is_imm8(insn->off))
2020 EMIT2(add_2reg(0x40, IA32_EAX, IA32_EDX),
2021 insn->off);
2022 else
2023 EMIT1_off32(add_2reg(0x80, IA32_EAX, IA32_EDX),
2024 insn->off);
2025
2026 if (dstk)
2027 /* mov dword ptr [ebp+off],edx */
2028 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
2029 STACK_VAR(dst_lo));
2030 else
2031 /* mov dst_lo,edx */
2032 EMIT2(0x89, add_2reg(0xC0, dst_lo, IA32_EDX));
2033 switch (BPF_SIZE(code)) {
2034 case BPF_B:
2035 case BPF_H:
2036 case BPF_W:
2037 if (bpf_prog->aux->verifier_zext)
2038 break;
2039 if (dstk) {
2040 EMIT3(0xC7, add_1reg(0x40, IA32_EBP),
2041 STACK_VAR(dst_hi));
2042 EMIT(0x0, 4);
2043 } else {
2044 /* xor dst_hi,dst_hi */
2045 EMIT2(0x33,
2046 add_2reg(0xC0, dst_hi, dst_hi));
2047 }
2048 break;
2049 case BPF_DW:
2050 EMIT2_off32(0x8B,
2051 add_2reg(0x80, IA32_EAX, IA32_EDX),
2052 insn->off + 4);
2053 if (dstk)
2054 EMIT3(0x89,
2055 add_2reg(0x40, IA32_EBP,
2056 IA32_EDX),
2057 STACK_VAR(dst_hi));
2058 else
2059 EMIT2(0x89,
2060 add_2reg(0xC0, dst_hi, IA32_EDX));
2061 break;
2062 default:
2063 break;
2064 }
2065 break;
2066 /* call */
2067 case BPF_JMP | BPF_CALL:
2068 {
2069 const u8 *r1 = bpf2ia32[BPF_REG_1];
2070 const u8 *r2 = bpf2ia32[BPF_REG_2];
2071 const u8 *r3 = bpf2ia32[BPF_REG_3];
2072 const u8 *r4 = bpf2ia32[BPF_REG_4];
2073 const u8 *r5 = bpf2ia32[BPF_REG_5];
2074
2075 if (insn->src_reg == BPF_PSEUDO_CALL)
2076 goto notyet;
2077
2078 if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {
2079 int err;
2080
2081 err = emit_kfunc_call(bpf_prog,
2082 image + addrs[i],
2083 insn, &prog);
2084
2085 if (err)
2086 return err;
2087 break;
2088 }
2089
2090 func = (u8 *) __bpf_call_base + imm32;
2091 jmp_offset = func - (image + addrs[i]);
2092
2093 if (!imm32 || !is_simm32(jmp_offset)) {
2094 pr_err("unsupported BPF func %d addr %p image %p\n",
2095 imm32, func, image);
2096 return -EINVAL;
2097 }
2098
2099 /* mov eax,dword ptr [ebp+off] */
2100 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2101 STACK_VAR(r1[0]));
2102 /* mov edx,dword ptr [ebp+off] */
2103 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EDX),
2104 STACK_VAR(r1[1]));
2105
2106 emit_push_r64(r5, &prog);
2107 emit_push_r64(r4, &prog);
2108 emit_push_r64(r3, &prog);
2109 emit_push_r64(r2, &prog);
2110
2111 EMIT1_off32(0xE8, jmp_offset + 9);
2112
2113 /* mov dword ptr [ebp+off],eax */
2114 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EAX),
2115 STACK_VAR(r0[0]));
2116 /* mov dword ptr [ebp+off],edx */
2117 EMIT3(0x89, add_2reg(0x40, IA32_EBP, IA32_EDX),
2118 STACK_VAR(r0[1]));
2119
2120 /* add esp,32 */
2121 EMIT3(0x83, add_1reg(0xC0, IA32_ESP), 32);
2122 break;
2123 }
2124 case BPF_JMP | BPF_TAIL_CALL:
2125 emit_bpf_tail_call(&prog);
2126 break;
2127
2128 /* cond jump */
2129 case BPF_JMP | BPF_JEQ | BPF_X:
2130 case BPF_JMP | BPF_JNE | BPF_X:
2131 case BPF_JMP | BPF_JGT | BPF_X:
2132 case BPF_JMP | BPF_JLT | BPF_X:
2133 case BPF_JMP | BPF_JGE | BPF_X:
2134 case BPF_JMP | BPF_JLE | BPF_X:
2135 case BPF_JMP32 | BPF_JEQ | BPF_X:
2136 case BPF_JMP32 | BPF_JNE | BPF_X:
2137 case BPF_JMP32 | BPF_JGT | BPF_X:
2138 case BPF_JMP32 | BPF_JLT | BPF_X:
2139 case BPF_JMP32 | BPF_JGE | BPF_X:
2140 case BPF_JMP32 | BPF_JLE | BPF_X:
2141 case BPF_JMP32 | BPF_JSGT | BPF_X:
2142 case BPF_JMP32 | BPF_JSLE | BPF_X:
2143 case BPF_JMP32 | BPF_JSLT | BPF_X:
2144 case BPF_JMP32 | BPF_JSGE | BPF_X: {
2145 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2146 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2147 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2148 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2149 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2150
2151 if (dstk) {
2152 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2153 STACK_VAR(dst_lo));
2154 if (is_jmp64)
2155 EMIT3(0x8B,
2156 add_2reg(0x40, IA32_EBP,
2157 IA32_EDX),
2158 STACK_VAR(dst_hi));
2159 }
2160
2161 if (sstk) {
2162 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2163 STACK_VAR(src_lo));
2164 if (is_jmp64)
2165 EMIT3(0x8B,
2166 add_2reg(0x40, IA32_EBP,
2167 IA32_EBX),
2168 STACK_VAR(src_hi));
2169 }
2170
2171 if (is_jmp64) {
2172 /* cmp dreg_hi,sreg_hi */
2173 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2174 EMIT2(IA32_JNE, 2);
2175 }
2176 /* cmp dreg_lo,sreg_lo */
2177 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2178 goto emit_cond_jmp;
2179 }
2180 case BPF_JMP | BPF_JSGT | BPF_X:
2181 case BPF_JMP | BPF_JSLE | BPF_X:
2182 case BPF_JMP | BPF_JSLT | BPF_X:
2183 case BPF_JMP | BPF_JSGE | BPF_X: {
2184 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2185 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2186 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2187 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2188
2189 if (dstk) {
2190 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2191 STACK_VAR(dst_lo));
2192 EMIT3(0x8B,
2193 add_2reg(0x40, IA32_EBP,
2194 IA32_EDX),
2195 STACK_VAR(dst_hi));
2196 }
2197
2198 if (sstk) {
2199 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2200 STACK_VAR(src_lo));
2201 EMIT3(0x8B,
2202 add_2reg(0x40, IA32_EBP,
2203 IA32_EBX),
2204 STACK_VAR(src_hi));
2205 }
2206
2207 /* cmp dreg_hi,sreg_hi */
2208 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2209 EMIT2(IA32_JNE, 10);
2210 /* cmp dreg_lo,sreg_lo */
2211 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2212 goto emit_cond_jmp_signed;
2213 }
2214 case BPF_JMP | BPF_JSET | BPF_X:
2215 case BPF_JMP32 | BPF_JSET | BPF_X: {
2216 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2217 u8 dreg_lo = IA32_EAX;
2218 u8 dreg_hi = IA32_EDX;
2219 u8 sreg_lo = sstk ? IA32_ECX : src_lo;
2220 u8 sreg_hi = sstk ? IA32_EBX : src_hi;
2221
2222 if (dstk) {
2223 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2224 STACK_VAR(dst_lo));
2225 if (is_jmp64)
2226 EMIT3(0x8B,
2227 add_2reg(0x40, IA32_EBP,
2228 IA32_EDX),
2229 STACK_VAR(dst_hi));
2230 } else {
2231 /* mov dreg_lo,dst_lo */
2232 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo));
2233 if (is_jmp64)
2234 /* mov dreg_hi,dst_hi */
2235 EMIT2(0x89,
2236 add_2reg(0xC0, dreg_hi, dst_hi));
2237 }
2238
2239 if (sstk) {
2240 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_ECX),
2241 STACK_VAR(src_lo));
2242 if (is_jmp64)
2243 EMIT3(0x8B,
2244 add_2reg(0x40, IA32_EBP,
2245 IA32_EBX),
2246 STACK_VAR(src_hi));
2247 }
2248 /* and dreg_lo,sreg_lo */
2249 EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
2250 if (is_jmp64) {
2251 /* and dreg_hi,sreg_hi */
2252 EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
2253 /* or dreg_lo,dreg_hi */
2254 EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
2255 }
2256 goto emit_cond_jmp;
2257 }
2258 case BPF_JMP | BPF_JSET | BPF_K:
2259 case BPF_JMP32 | BPF_JSET | BPF_K: {
2260 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2261 u8 dreg_lo = IA32_EAX;
2262 u8 dreg_hi = IA32_EDX;
2263 u8 sreg_lo = IA32_ECX;
2264 u8 sreg_hi = IA32_EBX;
2265 u32 hi;
2266
2267 if (dstk) {
2268 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2269 STACK_VAR(dst_lo));
2270 if (is_jmp64)
2271 EMIT3(0x8B,
2272 add_2reg(0x40, IA32_EBP,
2273 IA32_EDX),
2274 STACK_VAR(dst_hi));
2275 } else {
2276 /* mov dreg_lo,dst_lo */
2277 EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo));
2278 if (is_jmp64)
2279 /* mov dreg_hi,dst_hi */
2280 EMIT2(0x89,
2281 add_2reg(0xC0, dreg_hi, dst_hi));
2282 }
2283
2284 /* mov ecx,imm32 */
2285 EMIT2_off32(0xC7, add_1reg(0xC0, sreg_lo), imm32);
2286
2287 /* and dreg_lo,sreg_lo */
2288 EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
2289 if (is_jmp64) {
2290 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2291 /* mov ebx,imm32 */
2292 EMIT2_off32(0xC7, add_1reg(0xC0, sreg_hi), hi);
2293 /* and dreg_hi,sreg_hi */
2294 EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
2295 /* or dreg_lo,dreg_hi */
2296 EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
2297 }
2298 goto emit_cond_jmp;
2299 }
2300 case BPF_JMP | BPF_JEQ | BPF_K:
2301 case BPF_JMP | BPF_JNE | BPF_K:
2302 case BPF_JMP | BPF_JGT | BPF_K:
2303 case BPF_JMP | BPF_JLT | BPF_K:
2304 case BPF_JMP | BPF_JGE | BPF_K:
2305 case BPF_JMP | BPF_JLE | BPF_K:
2306 case BPF_JMP32 | BPF_JEQ | BPF_K:
2307 case BPF_JMP32 | BPF_JNE | BPF_K:
2308 case BPF_JMP32 | BPF_JGT | BPF_K:
2309 case BPF_JMP32 | BPF_JLT | BPF_K:
2310 case BPF_JMP32 | BPF_JGE | BPF_K:
2311 case BPF_JMP32 | BPF_JLE | BPF_K:
2312 case BPF_JMP32 | BPF_JSGT | BPF_K:
2313 case BPF_JMP32 | BPF_JSLE | BPF_K:
2314 case BPF_JMP32 | BPF_JSLT | BPF_K:
2315 case BPF_JMP32 | BPF_JSGE | BPF_K: {
2316 bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP;
2317 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2318 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2319 u8 sreg_lo = IA32_ECX;
2320 u8 sreg_hi = IA32_EBX;
2321 u32 hi;
2322
2323 if (dstk) {
2324 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2325 STACK_VAR(dst_lo));
2326 if (is_jmp64)
2327 EMIT3(0x8B,
2328 add_2reg(0x40, IA32_EBP,
2329 IA32_EDX),
2330 STACK_VAR(dst_hi));
2331 }
2332
2333 /* mov ecx,imm32 */
2334 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
2335 if (is_jmp64) {
2336 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2337 /* mov ebx,imm32 */
2338 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EBX), hi);
2339 /* cmp dreg_hi,sreg_hi */
2340 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2341 EMIT2(IA32_JNE, 2);
2342 }
2343 /* cmp dreg_lo,sreg_lo */
2344 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2345
2346emit_cond_jmp: jmp_cond = get_cond_jmp_opcode(BPF_OP(code), false);
2347 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2348 return -EFAULT;
2349 jmp_offset = addrs[i + insn->off] - addrs[i];
2350 if (is_imm8(jmp_offset)) {
2351 EMIT2(jmp_cond, jmp_offset);
2352 } else if (is_simm32(jmp_offset)) {
2353 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2354 } else {
2355 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2356 return -EFAULT;
2357 }
2358 break;
2359 }
2360 case BPF_JMP | BPF_JSGT | BPF_K:
2361 case BPF_JMP | BPF_JSLE | BPF_K:
2362 case BPF_JMP | BPF_JSLT | BPF_K:
2363 case BPF_JMP | BPF_JSGE | BPF_K: {
2364 u8 dreg_lo = dstk ? IA32_EAX : dst_lo;
2365 u8 dreg_hi = dstk ? IA32_EDX : dst_hi;
2366 u8 sreg_lo = IA32_ECX;
2367 u8 sreg_hi = IA32_EBX;
2368 u32 hi;
2369
2370 if (dstk) {
2371 EMIT3(0x8B, add_2reg(0x40, IA32_EBP, IA32_EAX),
2372 STACK_VAR(dst_lo));
2373 EMIT3(0x8B,
2374 add_2reg(0x40, IA32_EBP,
2375 IA32_EDX),
2376 STACK_VAR(dst_hi));
2377 }
2378
2379 /* mov ecx,imm32 */
2380 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_ECX), imm32);
2381 hi = imm32 & (1 << 31) ? (u32)~0 : 0;
2382 /* mov ebx,imm32 */
2383 EMIT2_off32(0xC7, add_1reg(0xC0, IA32_EBX), hi);
2384 /* cmp dreg_hi,sreg_hi */
2385 EMIT2(0x39, add_2reg(0xC0, dreg_hi, sreg_hi));
2386 EMIT2(IA32_JNE, 10);
2387 /* cmp dreg_lo,sreg_lo */
2388 EMIT2(0x39, add_2reg(0xC0, dreg_lo, sreg_lo));
2389
2390 /*
2391 * For simplicity of branch offset computation,
2392 * let's use fixed jump coding here.
2393 */
2394emit_cond_jmp_signed: /* Check the condition for low 32-bit comparison */
2395 jmp_cond = get_cond_jmp_opcode(BPF_OP(code), true);
2396 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2397 return -EFAULT;
2398 jmp_offset = addrs[i + insn->off] - addrs[i] + 8;
2399 if (is_simm32(jmp_offset)) {
2400 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2401 } else {
2402 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2403 return -EFAULT;
2404 }
2405 EMIT2(0xEB, 6);
2406
2407 /* Check the condition for high 32-bit comparison */
2408 jmp_cond = get_cond_jmp_opcode(BPF_OP(code), false);
2409 if (jmp_cond == COND_JMP_OPCODE_INVALID)
2410 return -EFAULT;
2411 jmp_offset = addrs[i + insn->off] - addrs[i];
2412 if (is_simm32(jmp_offset)) {
2413 EMIT2_off32(0x0F, jmp_cond + 0x10, jmp_offset);
2414 } else {
2415 pr_err("cond_jmp gen bug %llx\n", jmp_offset);
2416 return -EFAULT;
2417 }
2418 break;
2419 }
2420 case BPF_JMP | BPF_JA:
2421 if (insn->off == -1)
2422 /* -1 jmp instructions will always jump
2423 * backwards two bytes. Explicitly handling
2424 * this case avoids wasting too many passes
2425 * when there are long sequences of replaced
2426 * dead code.
2427 */
2428 jmp_offset = -2;
2429 else
2430 jmp_offset = addrs[i + insn->off] - addrs[i];
2431
2432 if (!jmp_offset)
2433 /* Optimize out nop jumps */
2434 break;
2435emit_jmp:
2436 if (is_imm8(jmp_offset)) {
2437 EMIT2(0xEB, jmp_offset);
2438 } else if (is_simm32(jmp_offset)) {
2439 EMIT1_off32(0xE9, jmp_offset);
2440 } else {
2441 pr_err("jmp gen bug %llx\n", jmp_offset);
2442 return -EFAULT;
2443 }
2444 break;
2445 case BPF_STX | BPF_ATOMIC | BPF_W:
2446 case BPF_STX | BPF_ATOMIC | BPF_DW:
2447 goto notyet;
2448 case BPF_JMP | BPF_EXIT:
2449 if (seen_exit) {
2450 jmp_offset = ctx->cleanup_addr - addrs[i];
2451 goto emit_jmp;
2452 }
2453 seen_exit = true;
2454 /* Update cleanup_addr */
2455 ctx->cleanup_addr = proglen;
2456 emit_epilogue(&prog, bpf_prog->aux->stack_depth);
2457 break;
2458notyet:
2459 pr_info_once("*** NOT YET: opcode %02x ***\n", code);
2460 return -EFAULT;
2461 default:
2462 /*
2463 * This error will be seen if new instruction was added
2464 * to interpreter, but not to JIT or if there is junk in
2465 * bpf_prog
2466 */
2467 pr_err("bpf_jit: unknown opcode %02x\n", code);
2468 return -EINVAL;
2469 }
2470
2471 ilen = prog - temp;
2472 if (ilen > BPF_MAX_INSN_SIZE) {
2473 pr_err("bpf_jit: fatal insn size error\n");
2474 return -EFAULT;
2475 }
2476
2477 if (image) {
2478 /*
2479 * When populating the image, assert that:
2480 *
2481 * i) We do not write beyond the allocated space, and
2482 * ii) addrs[i] did not change from the prior run, in order
2483 * to validate assumptions made for computing branch
2484 * displacements.
2485 */
2486 if (unlikely(proglen + ilen > oldproglen ||
2487 proglen + ilen != addrs[i])) {
2488 pr_err("bpf_jit: fatal error\n");
2489 return -EFAULT;
2490 }
2491 memcpy(image + proglen, temp, ilen);
2492 }
2493 proglen += ilen;
2494 addrs[i] = proglen;
2495 prog = temp;
2496 }
2497 return proglen;
2498}
2499
2500bool bpf_jit_needs_zext(void)
2501{
2502 return true;
2503}
2504
2505struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
2506{
2507 struct bpf_binary_header *header = NULL;
2508 struct bpf_prog *tmp, *orig_prog = prog;
2509 int proglen, oldproglen = 0;
2510 struct jit_context ctx = {};
2511 bool tmp_blinded = false;
2512 u8 *image = NULL;
2513 int *addrs;
2514 int pass;
2515 int i;
2516
2517 if (!prog->jit_requested)
2518 return orig_prog;
2519
2520 tmp = bpf_jit_blind_constants(prog);
2521 /*
2522 * If blinding was requested and we failed during blinding,
2523 * we must fall back to the interpreter.
2524 */
2525 if (IS_ERR(tmp))
2526 return orig_prog;
2527 if (tmp != prog) {
2528 tmp_blinded = true;
2529 prog = tmp;
2530 }
2531
2532 addrs = kmalloc_array(prog->len, sizeof(*addrs), GFP_KERNEL);
2533 if (!addrs) {
2534 prog = orig_prog;
2535 goto out;
2536 }
2537
2538 /*
2539 * Before first pass, make a rough estimation of addrs[]
2540 * each BPF instruction is translated to less than 64 bytes
2541 */
2542 for (proglen = 0, i = 0; i < prog->len; i++) {
2543 proglen += 64;
2544 addrs[i] = proglen;
2545 }
2546 ctx.cleanup_addr = proglen;
2547
2548 /*
2549 * JITed image shrinks with every pass and the loop iterates
2550 * until the image stops shrinking. Very large BPF programs
2551 * may converge on the last pass. In such case do one more
2552 * pass to emit the final image.
2553 */
2554 for (pass = 0; pass < 20 || image; pass++) {
2555 proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
2556 if (proglen <= 0) {
2557out_image:
2558 image = NULL;
2559 if (header)
2560 bpf_jit_binary_free(header);
2561 prog = orig_prog;
2562 goto out_addrs;
2563 }
2564 if (image) {
2565 if (proglen != oldproglen) {
2566 pr_err("bpf_jit: proglen=%d != oldproglen=%d\n",
2567 proglen, oldproglen);
2568 goto out_image;
2569 }
2570 break;
2571 }
2572 if (proglen == oldproglen) {
2573 header = bpf_jit_binary_alloc(proglen, &image,
2574 1, jit_fill_hole);
2575 if (!header) {
2576 prog = orig_prog;
2577 goto out_addrs;
2578 }
2579 }
2580 oldproglen = proglen;
2581 cond_resched();
2582 }
2583
2584 if (bpf_jit_enable > 1)
2585 bpf_jit_dump(prog->len, proglen, pass + 1, image);
2586
2587 if (image) {
2588 bpf_jit_binary_lock_ro(header);
2589 prog->bpf_func = (void *)image;
2590 prog->jited = 1;
2591 prog->jited_len = proglen;
2592 } else {
2593 prog = orig_prog;
2594 }
2595
2596out_addrs:
2597 kfree(addrs);
2598out:
2599 if (tmp_blinded)
2600 bpf_jit_prog_release_other(prog, prog == orig_prog ?
2601 tmp : orig_prog);
2602 return prog;
2603}
2604
2605bool bpf_jit_supports_kfunc_call(void)
2606{
2607 return true;
2608}