releases/4.4.14/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 Mon Sep 17 00:00:00 2001
 From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
 Date: Wed, 11 May 2016 21:13:13 +0200
 Subject: s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop

 From: Michael Holzheu <holzheu@linux.vnet.ibm.com>

 commit 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 upstream.

 In case of usage of skb_vlan_push/pop, in the prologue we store
 the SKB pointer on the stack and restore it after BPF_JMP_CALL
 to skb_vlan_push/pop.

 Unfortunately currently there are two bugs in the code:

  1) The wrong stack slot (offset 170 instead of 176) is used
  2) The wrong register (W1 instead of B1) is saved

 So fix this and use correct stack slot and register.

 Fixes: 9db7f2b81880 ("s390/bpf: recache skb->data/hlen for skb_vlan_push/pop")
 Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
 Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  arch/s390/net/bpf_jit.h      |    4 ++--
  arch/s390/net/bpf_jit_comp.c |    2 +-
  2 files changed, 3 insertions(+), 3 deletions(-)

 --- a/arch/s390/net/bpf_jit.h
 +++ b/arch/s390/net/bpf_jit.h
 @@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[]
   *	      |		      |     |
   *	      +---------------+     |
   *	      | 8 byte skbp   |     |
 - * R15+170 -> +---------------+     |
 + * R15+176 -> +---------------+     |
   *	      | 8 byte hlen   |     |
   * R15+168 -> +---------------+     |
   *	      | 4 byte align  |     |
 @@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[]
  #define STK_OFF		(STK_SPACE - STK_160_UNUSED)
  #define STK_OFF_TMP	160	/* Offset of tmp buffer on stack */
  #define STK_OFF_HLEN	168	/* Offset of SKB header length on stack */
 -#define STK_OFF_SKBP	170	/* Offset of SKB pointer on stack */
 +#define STK_OFF_SKBP	176	/* Offset of SKB pointer on stack */

  #define STK_OFF_R6	(160 - 11 * 8)	/* Offset of r6 on stack */
  #define STK_OFF_TCCNT	(160 - 12 * 8)	/* Offset of tail_call_cnt on stack */
 --- a/arch/s390/net/bpf_jit_comp.c
 +++ b/arch/s390/net/bpf_jit_comp.c
 @@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_
  		emit_load_skb_data_hlen(jit);
  	if (jit->seen & SEEN_SKB_CHANGE)
  		/* stg %b1,ST_OFF_SKBP(%r0,%r15) */
 -		EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15,
 +		EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
  			      STK_OFF_SKBP);
  	/* Clear A (%b0) and X (%b7) registers for converted BPF programs */
  	if (is_classic) {
	From 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 Mon Sep 17 00:00:00 2001
	From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
	Date: Wed, 11 May 2016 21:13:13 +0200
	Subject: s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop

	From: Michael Holzheu <holzheu@linux.vnet.ibm.com>

	commit 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 upstream.

	In case of usage of skb_vlan_push/pop, in the prologue we store
	the SKB pointer on the stack and restore it after BPF_JMP_CALL
	to skb_vlan_push/pop.

	Unfortunately currently there are two bugs in the code:

	1) The wrong stack slot (offset 170 instead of 176) is used
	2) The wrong register (W1 instead of B1) is saved

	So fix this and use correct stack slot and register.

	Fixes: 9db7f2b81880 ("s390/bpf: recache skb->data/hlen for skb_vlan_push/pop")
	Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
	Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	arch/s390/net/bpf_jit.h \| 4 ++--
	arch/s390/net/bpf_jit_comp.c \| 2 +-
	2 files changed, 3 insertions(+), 3 deletions(-)

	--- a/arch/s390/net/bpf_jit.h
	+++ b/arch/s390/net/bpf_jit.h
	@@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[]
	* \| \| \|
	* +---------------+ \|
	* \| 8 byte skbp \| \|
	- * R15+170 -> +---------------+ \|
	+ * R15+176 -> +---------------+ \|
	* \| 8 byte hlen \| \|
	* R15+168 -> +---------------+ \|
	* \| 4 byte align \| \|
	@@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[]
	#define STK_OFF (STK_SPACE - STK_160_UNUSED)
	#define STK_OFF_TMP 160 /* Offset of tmp buffer on stack */
	#define STK_OFF_HLEN 168 /* Offset of SKB header length on stack */
	-#define STK_OFF_SKBP 170 /* Offset of SKB pointer on stack */
	+#define STK_OFF_SKBP 176 /* Offset of SKB pointer on stack */

	#define STK_OFF_R6 (160 - 11 * 8) /* Offset of r6 on stack */
	#define STK_OFF_TCCNT (160 - 12 * 8) /* Offset of tail_call_cnt on stack */
	--- a/arch/s390/net/bpf_jit_comp.c
	+++ b/arch/s390/net/bpf_jit_comp.c
	@@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_
	emit_load_skb_data_hlen(jit);
	if (jit->seen & SEEN_SKB_CHANGE)
	/* stg %b1,ST_OFF_SKBP(%r0,%r15) */
	- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15,
	+ EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
	STK_OFF_SKBP);
	/* Clear A (%b0) and X (%b7) registers for converted BPF programs */
	if (is_classic) {