| From e8b00c95c9eb15a63fc60ab51b361640b6006594 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 15 Jul 2021 13:57:12 +0100 |
| Subject: s390/bpf: Perform r1 range checking before accessing |
| jit->seen_reg[r1] |
| |
| From: Colin Ian King <colin.king@canonical.com> |
| |
| [ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ] |
| |
| Currently array jit->seen_reg[r1] is being accessed before the range |
| checking of index r1. The range changing on r1 should be performed |
| first since it will avoid any potential out-of-range accesses on the |
| array seen_reg[] and also it is more optimal to perform checks on r1 |
| before fetching data from the array. Fix this by swapping the order |
| of the checks before the array access. |
| |
| Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") |
| Signed-off-by: Colin Ian King <colin.king@canonical.com> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Tested-by: Ilya Leoshkevich <iii@linux.ibm.com> |
| Acked-by: Ilya Leoshkevich <iii@linux.ibm.com> |
| Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| arch/s390/net/bpf_jit_comp.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c |
| index 63cae0476bb4..2ae419f5115a 100644 |
| --- a/arch/s390/net/bpf_jit_comp.c |
| +++ b/arch/s390/net/bpf_jit_comp.c |
| @@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) |
| { |
| u32 r1 = reg2hex[b1]; |
| |
| - if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15) |
| + if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1]) |
| jit->seen_reg[r1] = 1; |
| } |
| |
| -- |
| 2.30.2 |
| |