1 // SPDX-License-Identifier: GPL-2.0-only
2 /* bpf_jit_comp.c: BPF JIT compiler
9 #include <linux/moduleloader.h>
10 #include <asm/cacheflush.h>
11 #include <asm/asm-compat.h>
12 #include <linux/netdevice.h>
13 #include <linux/filter.h>
14 #include <linux/if_vlan.h>
16 #include "bpf_jit32.h"
18 static inline void bpf_flush_icache(void *start, void *end)
21 flush_icache_range((unsigned long)start, (unsigned long)end);
24 static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image,
25 struct codegen_context *ctx)
28 const struct sock_filter *filter = fp->insns;
30 if (ctx->seen & (SEEN_MEM | SEEN_DATAREF)) {
32 if (ctx->seen & SEEN_DATAREF) {
33 /* If we call any helpers (for loads), save LR */
34 EMIT(PPC_INST_MFLR | __PPC_RT(R0));
35 PPC_BPF_STL(0, 1, PPC_LR_STKOFF);
37 /* Back up non-volatile regs. */
38 PPC_BPF_STL(r_D, 1, -(REG_SZ*(32-r_D)));
39 PPC_BPF_STL(r_HL, 1, -(REG_SZ*(32-r_HL)));
41 if (ctx->seen & SEEN_MEM) {
43 * Conditionally save regs r15-r31 as some will be used
46 for (i = r_M; i < (r_M+16); i++) {
47 if (ctx->seen & (1 << (i-r_M)))
48 PPC_BPF_STL(i, 1, -(REG_SZ*(32-i)));
51 PPC_BPF_STLU(1, 1, -BPF_PPC_STACKFRAME);
54 if (ctx->seen & SEEN_DATAREF) {
56 * If this filter needs to access skb data,
57 * prepare r_D and r_HL:
58 * r_HL = skb->len - skb->data_len
61 PPC_LWZ_OFFS(r_scratch1, r_skb, offsetof(struct sk_buff,
63 PPC_LWZ_OFFS(r_HL, r_skb, offsetof(struct sk_buff, len));
64 EMIT(PPC_RAW_SUB(r_HL, r_HL, r_scratch1));
65 PPC_LL_OFFS(r_D, r_skb, offsetof(struct sk_buff, data));
68 if (ctx->seen & SEEN_XREG) {
70 * TODO: Could also detect whether first instr. sets X and
71 * avoid this (as below, with A).
73 EMIT(PPC_RAW_LI(r_X, 0));
76 /* make sure we dont leak kernel information to user */
77 if (bpf_needs_clear_a(&filter[0]))
78 EMIT(PPC_RAW_LI(r_A, 0));
81 static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
85 if (ctx->seen & (SEEN_MEM | SEEN_DATAREF)) {
86 EMIT(PPC_RAW_ADDI(1, 1, BPF_PPC_STACKFRAME));
87 if (ctx->seen & SEEN_DATAREF) {
88 PPC_BPF_LL(0, 1, PPC_LR_STKOFF);
89 EMIT(PPC_RAW_MTLR(0));
90 PPC_BPF_LL(r_D, 1, -(REG_SZ*(32-r_D)));
91 PPC_BPF_LL(r_HL, 1, -(REG_SZ*(32-r_HL)));
93 if (ctx->seen & SEEN_MEM) {
94 /* Restore any saved non-vol registers */
95 for (i = r_M; i < (r_M+16); i++) {
96 if (ctx->seen & (1 << (i-r_M)))
97 PPC_BPF_LL(i, 1, -(REG_SZ*(32-i)));
101 /* The RETs have left a return value in R3. */
106 #define CHOOSE_LOAD_FUNC(K, func) \
107 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
109 /* Assemble the body code between the prologue & epilogue. */
110 static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
111 struct codegen_context *ctx,
114 const struct sock_filter *filter = fp->insns;
117 unsigned int true_cond;
120 /* Start of epilogue code */
121 unsigned int exit_addr = addrs[flen];
123 for (i = 0; i < flen; i++) {
124 unsigned int K = filter[i].k;
125 u16 code = bpf_anc_helper(&filter[i]);
128 * addrs[] maps a BPF bytecode address into a real offset from
129 * the start of the body code.
131 addrs[i] = ctx->idx * 4;
135 case BPF_ALU | BPF_ADD | BPF_X: /* A += X; */
136 ctx->seen |= SEEN_XREG;
137 EMIT(PPC_RAW_ADD(r_A, r_A, r_X));
139 case BPF_ALU | BPF_ADD | BPF_K: /* A += K; */
142 EMIT(PPC_RAW_ADDI(r_A, r_A, IMM_L(K)));
144 EMIT(PPC_RAW_ADDIS(r_A, r_A, IMM_HA(K)));
146 case BPF_ALU | BPF_SUB | BPF_X: /* A -= X; */
147 ctx->seen |= SEEN_XREG;
148 EMIT(PPC_RAW_SUB(r_A, r_A, r_X));
150 case BPF_ALU | BPF_SUB | BPF_K: /* A -= K */
153 EMIT(PPC_RAW_ADDI(r_A, r_A, IMM_L(-K)));
155 EMIT(PPC_RAW_ADDIS(r_A, r_A, IMM_HA(-K)));
157 case BPF_ALU | BPF_MUL | BPF_X: /* A *= X; */
158 ctx->seen |= SEEN_XREG;
159 EMIT(PPC_RAW_MULW(r_A, r_A, r_X));
161 case BPF_ALU | BPF_MUL | BPF_K: /* A *= K */
163 EMIT(PPC_RAW_MULI(r_A, r_A, K));
165 PPC_LI32(r_scratch1, K);
166 EMIT(PPC_RAW_MULW(r_A, r_A, r_scratch1));
169 case BPF_ALU | BPF_MOD | BPF_X: /* A %= X; */
170 case BPF_ALU | BPF_DIV | BPF_X: /* A /= X; */
171 ctx->seen |= SEEN_XREG;
172 EMIT(PPC_RAW_CMPWI(r_X, 0));
173 if (ctx->pc_ret0 != -1) {
174 PPC_BCC(COND_EQ, addrs[ctx->pc_ret0]);
176 PPC_BCC_SHORT(COND_NE, (ctx->idx*4)+12);
177 EMIT(PPC_RAW_LI(r_ret, 0));
180 if (code == (BPF_ALU | BPF_MOD | BPF_X)) {
181 EMIT(PPC_RAW_DIVWU(r_scratch1, r_A, r_X));
182 EMIT(PPC_RAW_MULW(r_scratch1, r_X, r_scratch1));
183 EMIT(PPC_RAW_SUB(r_A, r_A, r_scratch1));
185 EMIT(PPC_RAW_DIVWU(r_A, r_A, r_X));
188 case BPF_ALU | BPF_MOD | BPF_K: /* A %= K; */
189 PPC_LI32(r_scratch2, K);
190 EMIT(PPC_RAW_DIVWU(r_scratch1, r_A, r_scratch2));
191 EMIT(PPC_RAW_MULW(r_scratch1, r_scratch2, r_scratch1));
192 EMIT(PPC_RAW_SUB(r_A, r_A, r_scratch1));
194 case BPF_ALU | BPF_DIV | BPF_K: /* A /= K */
197 PPC_LI32(r_scratch1, K);
198 EMIT(PPC_RAW_DIVWU(r_A, r_A, r_scratch1));
200 case BPF_ALU | BPF_AND | BPF_X:
201 ctx->seen |= SEEN_XREG;
202 EMIT(PPC_RAW_AND(r_A, r_A, r_X));
204 case BPF_ALU | BPF_AND | BPF_K:
206 EMIT(PPC_RAW_ANDI(r_A, r_A, K));
208 PPC_LI32(r_scratch1, K);
209 EMIT(PPC_RAW_AND(r_A, r_A, r_scratch1));
212 case BPF_ALU | BPF_OR | BPF_X:
213 ctx->seen |= SEEN_XREG;
214 EMIT(PPC_RAW_OR(r_A, r_A, r_X));
216 case BPF_ALU | BPF_OR | BPF_K:
218 EMIT(PPC_RAW_ORI(r_A, r_A, IMM_L(K)));
220 EMIT(PPC_RAW_ORIS(r_A, r_A, IMM_H(K)));
222 case BPF_ANC | SKF_AD_ALU_XOR_X:
223 case BPF_ALU | BPF_XOR | BPF_X: /* A ^= X */
224 ctx->seen |= SEEN_XREG;
225 EMIT(PPC_RAW_XOR(r_A, r_A, r_X));
227 case BPF_ALU | BPF_XOR | BPF_K: /* A ^= K */
229 EMIT(PPC_RAW_XORI(r_A, r_A, IMM_L(K)));
231 EMIT(PPC_RAW_XORIS(r_A, r_A, IMM_H(K)));
233 case BPF_ALU | BPF_LSH | BPF_X: /* A <<= X; */
234 ctx->seen |= SEEN_XREG;
235 EMIT(PPC_RAW_SLW(r_A, r_A, r_X));
237 case BPF_ALU | BPF_LSH | BPF_K:
241 EMIT(PPC_RAW_SLWI(r_A, r_A, K));
243 case BPF_ALU | BPF_RSH | BPF_X: /* A >>= X; */
244 ctx->seen |= SEEN_XREG;
245 EMIT(PPC_RAW_SRW(r_A, r_A, r_X));
247 case BPF_ALU | BPF_RSH | BPF_K: /* A >>= K; */
251 EMIT(PPC_RAW_SRWI(r_A, r_A, K));
253 case BPF_ALU | BPF_NEG:
254 EMIT(PPC_RAW_NEG(r_A, r_A));
256 case BPF_RET | BPF_K:
259 if (ctx->pc_ret0 == -1)
263 * If this isn't the very last instruction, branch to
264 * the epilogue if we've stuff to clean up. Otherwise,
265 * if there's nothing to tidy, just return. If we /are/
266 * the last instruction, we're about to fall through to
267 * the epilogue to return.
271 * Note: 'seen' is properly valid only on pass
272 * #2. Both parts of this conditional are the
273 * same instruction size though, meaning the
274 * first pass will still correctly determine the
275 * code size/addresses.
283 case BPF_RET | BPF_A:
284 EMIT(PPC_RAW_MR(r_ret, r_A));
292 case BPF_MISC | BPF_TAX: /* X = A */
293 EMIT(PPC_RAW_MR(r_X, r_A));
295 case BPF_MISC | BPF_TXA: /* A = X */
296 ctx->seen |= SEEN_XREG;
297 EMIT(PPC_RAW_MR(r_A, r_X));
300 /*** Constant loads/M[] access ***/
301 case BPF_LD | BPF_IMM: /* A = K */
304 case BPF_LDX | BPF_IMM: /* X = K */
307 case BPF_LD | BPF_MEM: /* A = mem[K] */
308 EMIT(PPC_RAW_MR(r_A, r_M + (K & 0xf)));
309 ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
311 case BPF_LDX | BPF_MEM: /* X = mem[K] */
312 EMIT(PPC_RAW_MR(r_X, r_M + (K & 0xf)));
313 ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
315 case BPF_ST: /* mem[K] = A */
316 EMIT(PPC_RAW_MR(r_M + (K & 0xf), r_A));
317 ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
319 case BPF_STX: /* mem[K] = X */
320 EMIT(PPC_RAW_MR(r_M + (K & 0xf), r_X));
321 ctx->seen |= SEEN_XREG | SEEN_MEM | (1<<(K & 0xf));
323 case BPF_LD | BPF_W | BPF_LEN: /* A = skb->len; */
324 BUILD_BUG_ON(sizeof_field(struct sk_buff, len) != 4);
325 PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
327 case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
328 PPC_LWZ_OFFS(r_A, r_skb, K);
330 case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
331 PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
334 /*** Ancillary info loads ***/
335 case BPF_ANC | SKF_AD_PROTOCOL: /* A = ntohs(skb->protocol); */
336 BUILD_BUG_ON(sizeof_field(struct sk_buff,
338 PPC_NTOHS_OFFS(r_A, r_skb, offsetof(struct sk_buff,
341 case BPF_ANC | SKF_AD_IFINDEX:
342 case BPF_ANC | SKF_AD_HATYPE:
343 BUILD_BUG_ON(sizeof_field(struct net_device,
345 BUILD_BUG_ON(sizeof_field(struct net_device,
347 PPC_LL_OFFS(r_scratch1, r_skb, offsetof(struct sk_buff,
349 EMIT(PPC_RAW_CMPDI(r_scratch1, 0));
350 if (ctx->pc_ret0 != -1) {
351 PPC_BCC(COND_EQ, addrs[ctx->pc_ret0]);
353 /* Exit, returning 0; first pass hits here. */
354 PPC_BCC_SHORT(COND_NE, ctx->idx * 4 + 12);
355 EMIT(PPC_RAW_LI(r_ret, 0));
358 if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
359 PPC_LWZ_OFFS(r_A, r_scratch1,
360 offsetof(struct net_device, ifindex));
362 PPC_LHZ_OFFS(r_A, r_scratch1,
363 offsetof(struct net_device, type));
367 case BPF_ANC | SKF_AD_MARK:
368 BUILD_BUG_ON(sizeof_field(struct sk_buff, mark) != 4);
369 PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
372 case BPF_ANC | SKF_AD_RXHASH:
373 BUILD_BUG_ON(sizeof_field(struct sk_buff, hash) != 4);
374 PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
377 case BPF_ANC | SKF_AD_VLAN_TAG:
378 BUILD_BUG_ON(sizeof_field(struct sk_buff, vlan_tci) != 2);
380 PPC_LHZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
383 case BPF_ANC | SKF_AD_VLAN_TAG_PRESENT:
384 PPC_LBZ_OFFS(r_A, r_skb, PKT_VLAN_PRESENT_OFFSET());
385 if (PKT_VLAN_PRESENT_BIT)
386 EMIT(PPC_RAW_SRWI(r_A, r_A, PKT_VLAN_PRESENT_BIT));
387 if (PKT_VLAN_PRESENT_BIT < 7)
388 EMIT(PPC_RAW_ANDI(r_A, r_A, 1));
390 case BPF_ANC | SKF_AD_QUEUE:
391 BUILD_BUG_ON(sizeof_field(struct sk_buff,
392 queue_mapping) != 2);
393 PPC_LHZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
396 case BPF_ANC | SKF_AD_PKTTYPE:
397 PPC_LBZ_OFFS(r_A, r_skb, PKT_TYPE_OFFSET());
398 EMIT(PPC_RAW_ANDI(r_A, r_A, PKT_TYPE_MAX));
399 EMIT(PPC_RAW_SRWI(r_A, r_A, 5));
401 case BPF_ANC | SKF_AD_CPU:
402 PPC_BPF_LOAD_CPU(r_A);
404 /*** Absolute loads from packet header/data ***/
405 case BPF_LD | BPF_W | BPF_ABS:
406 func = CHOOSE_LOAD_FUNC(K, sk_load_word);
408 case BPF_LD | BPF_H | BPF_ABS:
409 func = CHOOSE_LOAD_FUNC(K, sk_load_half);
411 case BPF_LD | BPF_B | BPF_ABS:
412 func = CHOOSE_LOAD_FUNC(K, sk_load_byte);
415 ctx->seen |= SEEN_DATAREF;
416 PPC_FUNC_ADDR(r_scratch1, func);
417 EMIT(PPC_RAW_MTLR(r_scratch1));
419 EMIT(PPC_RAW_BLRL());
421 * Helper returns 'lt' condition on error, and an
422 * appropriate return value in r3
424 PPC_BCC(COND_LT, exit_addr);
427 /*** Indirect loads from packet header/data ***/
428 case BPF_LD | BPF_W | BPF_IND:
430 goto common_load_ind;
431 case BPF_LD | BPF_H | BPF_IND:
433 goto common_load_ind;
434 case BPF_LD | BPF_B | BPF_IND:
438 * Load from [X + K]. Negative offsets are tested for
439 * in the helper functions.
441 ctx->seen |= SEEN_DATAREF | SEEN_XREG;
442 PPC_FUNC_ADDR(r_scratch1, func);
443 EMIT(PPC_RAW_MTLR(r_scratch1));
444 EMIT(PPC_RAW_ADDI(r_addr, r_X, IMM_L(K)));
446 EMIT(PPC_RAW_ADDIS(r_addr, r_addr, IMM_HA(K)));
447 EMIT(PPC_RAW_BLRL());
448 /* If error, cr0.LT set */
449 PPC_BCC(COND_LT, exit_addr);
452 case BPF_LDX | BPF_B | BPF_MSH:
453 func = CHOOSE_LOAD_FUNC(K, sk_load_byte_msh);
457 /*** Jump and branches ***/
458 case BPF_JMP | BPF_JA:
460 PPC_JMP(addrs[i + 1 + K]);
463 case BPF_JMP | BPF_JGT | BPF_K:
464 case BPF_JMP | BPF_JGT | BPF_X:
467 case BPF_JMP | BPF_JGE | BPF_K:
468 case BPF_JMP | BPF_JGE | BPF_X:
471 case BPF_JMP | BPF_JEQ | BPF_K:
472 case BPF_JMP | BPF_JEQ | BPF_X:
475 case BPF_JMP | BPF_JSET | BPF_K:
476 case BPF_JMP | BPF_JSET | BPF_X:
479 /* same targets, can avoid doing the test :) */
480 if (filter[i].jt == filter[i].jf) {
481 if (filter[i].jt > 0)
482 PPC_JMP(addrs[i + 1 + filter[i].jt]);
487 case BPF_JMP | BPF_JGT | BPF_X:
488 case BPF_JMP | BPF_JGE | BPF_X:
489 case BPF_JMP | BPF_JEQ | BPF_X:
490 ctx->seen |= SEEN_XREG;
491 EMIT(PPC_RAW_CMPLW(r_A, r_X));
493 case BPF_JMP | BPF_JSET | BPF_X:
494 ctx->seen |= SEEN_XREG;
495 EMIT(PPC_RAW_AND_DOT(r_scratch1, r_A, r_X));
497 case BPF_JMP | BPF_JEQ | BPF_K:
498 case BPF_JMP | BPF_JGT | BPF_K:
499 case BPF_JMP | BPF_JGE | BPF_K:
501 EMIT(PPC_RAW_CMPLWI(r_A, K));
503 PPC_LI32(r_scratch1, K);
504 EMIT(PPC_RAW_CMPLW(r_A, r_scratch1));
507 case BPF_JMP | BPF_JSET | BPF_K:
509 /* PPC_ANDI is /only/ dot-form */
510 EMIT(PPC_RAW_ANDI(r_scratch1, r_A, K));
512 PPC_LI32(r_scratch1, K);
513 EMIT(PPC_RAW_AND_DOT(r_scratch1, r_A,
518 /* Sometimes branches are constructed "backward", with
519 * the false path being the branch and true path being
520 * a fallthrough to the next instruction.
522 if (filter[i].jt == 0)
523 /* Swap the sense of the branch */
524 PPC_BCC(true_cond ^ COND_CMP_TRUE,
525 addrs[i + 1 + filter[i].jf]);
527 PPC_BCC(true_cond, addrs[i + 1 + filter[i].jt]);
528 if (filter[i].jf != 0)
529 PPC_JMP(addrs[i + 1 + filter[i].jf]);
533 /* The filter contains something cruel & unusual.
534 * We don't handle it, but also there shouldn't be
535 * anything missing from our list.
537 if (printk_ratelimit())
538 pr_err("BPF filter opcode %04x (@%d) unsupported\n",
544 /* Set end-of-body-code address for exit. */
545 addrs[i] = ctx->idx * 4;
550 void bpf_jit_compile(struct bpf_prog *fp)
552 unsigned int proglen;
553 unsigned int alloclen;
557 struct codegen_context cgctx;
564 addrs = kcalloc(flen + 1, sizeof(*addrs), GFP_KERNEL);
569 * There are multiple assembly passes as the generated code will change
570 * size as it settles down, figuring out the max branch offsets/exit
573 * The range of standard conditional branches is +/- 32Kbytes. Since
574 * BPF_MAXINSNS = 4096, we can only jump from (worst case) start to
575 * finish with 8 bytes/instruction. Not feasible, so long jumps are
576 * used, distinct from short branches.
580 * For now, both branch types assemble to 2 words (short branches padded
581 * with a NOP); this is less efficient, but assembly will always complete
582 * after exactly 3 passes:
584 * First pass: No code buffer; Program is "faux-generated" -- no code
585 * emitted but maximum size of output determined (and addrs[] filled
586 * in). Also, we note whether we use M[], whether we use skb data, etc.
587 * All generation choices assumed to be 'worst-case', e.g. branches all
588 * far (2 instructions), return path code reduction not available, etc.
590 * Second pass: Code buffer allocated with size determined previously.
591 * Prologue generated to support features we have seen used. Exit paths
592 * determined and addrs[] is filled in again, as code may be slightly
593 * smaller as a result.
595 * Third pass: Code generated 'for real', and branch destinations
596 * determined from now-accurate addrs[] map.
600 * If we optimise this, near branches will be shorter. On the
601 * first assembly pass, we should err on the side of caution and
602 * generate the biggest code. On subsequent passes, branches will be
603 * generated short or long and code size will reduce. With smaller
604 * code, more branches may fall into the short category, and code will
607 * Finally, if we see one pass generate code the same size as the
608 * previous pass we have converged and should now generate code for
609 * real. Allocating at the end will also save the memory that would
610 * otherwise be wasted by the (small) current code shrinkage.
611 * Preferably, we should do a small number of passes (e.g. 5) and if we
612 * haven't converged by then, get impatient and force code to generate
613 * as-is, even if the odd branch would be left long. The chances of a
614 * long jump are tiny with all but the most enormous of BPF filter
615 * inputs, so we should usually converge on the third pass.
621 /* Scouting faux-generate pass 0 */
622 if (bpf_jit_build_body(fp, 0, &cgctx, addrs))
623 /* We hit something illegal or unsupported. */
627 * Pretend to build prologue, given the features we've seen. This will
628 * update ctgtx.idx as it pretends to output instructions, then we can
629 * calculate total size from idx.
631 bpf_jit_build_prologue(fp, 0, &cgctx);
632 bpf_jit_build_epilogue(0, &cgctx);
634 proglen = cgctx.idx * 4;
635 alloclen = proglen + FUNCTION_DESCR_SIZE;
636 image = module_alloc(alloclen);
640 code_base = image + (FUNCTION_DESCR_SIZE/4);
642 /* Code generation passes 1-2 */
643 for (pass = 1; pass < 3; pass++) {
644 /* Now build the prologue, body code & epilogue for real. */
646 bpf_jit_build_prologue(fp, code_base, &cgctx);
647 bpf_jit_build_body(fp, code_base, &cgctx, addrs);
648 bpf_jit_build_epilogue(code_base, &cgctx);
650 if (bpf_jit_enable > 1)
651 pr_info("Pass %d: shrink = %d, seen = 0x%x\n", pass,
652 proglen - (cgctx.idx * 4), cgctx.seen);
655 if (bpf_jit_enable > 1)
656 /* Note that we output the base address of the code_base
657 * rather than image, since opcodes are in code_base.
659 bpf_jit_dump(flen, proglen, pass, code_base);
661 bpf_flush_icache(code_base, code_base + (proglen/4));
664 /* Function descriptor nastiness: Address + TOC */
665 ((u64 *)image)[0] = (u64)code_base;
666 ((u64 *)image)[1] = local_paca->kernel_toc;
669 fp->bpf_func = (void *)image;
677 void bpf_jit_free(struct bpf_prog *fp)
680 module_memfree(fp->bpf_func);
682 bpf_prog_unlock_free(fp);
projects / linux.git / blob