Patch "riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is enabled" has been added to the 6.11-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 22 Oct 2024 13:40:45 -0400

This is a note to let you know that I've just added the patch titled

    riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is enabled

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     riscv-bpf-fix-possible-infinite-tailcall-when-config.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8905eb188c0993512791f29bf755c0193bb75f61
Author: Pu Lehui <pulehui@xxxxxxxxxx>
Date:   Tue Oct 8 12:45:44 2024 +0000

    riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is enabled
    
    [ Upstream commit 30a59cc79754fd9ff3f41b7ee2eb21da85988548 ]
    
    When CONFIG_CFI_CLANG is enabled, the number of prologue instructions
    skipped by tailcall needs to include the kcfi instruction, otherwise the
    TCC will be initialized every tailcall is called, which may result in
    infinite tailcalls.
    
    Fixes: e63985ecd226 ("bpf, riscv64/cfi: Support kCFI + BPF on riscv64")
    Signed-off-by: Pu Lehui <pulehui@xxxxxxxxxx>
    Acked-by: Björn Töpel <bjorn@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20241008124544.171161-1-pulehui@xxxxxxxxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
index 99f34409fb60f..91bd5082c4d8e 100644
--- a/arch/riscv/net/bpf_jit_comp64.c
+++ b/arch/riscv/net/bpf_jit_comp64.c
@@ -18,6 +18,7 @@
 #define RV_MAX_REG_ARGS 8
 #define RV_FENTRY_NINSNS 2
 #define RV_FENTRY_NBYTES (RV_FENTRY_NINSNS * 4)
+#define RV_KCFI_NINSNS (IS_ENABLED(CONFIG_CFI_CLANG) ? 1 : 0)
 /* imm that allows emit_imm to emit max count insns */
 #define RV_MAX_COUNT_IMM 0x7FFF7FF7FF7FF7FF
 
@@ -271,7 +272,8 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx)
 	if (!is_tail_call)
 		emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx);
 	emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA,
-		  is_tail_call ? (RV_FENTRY_NINSNS + 1) * 4 : 0, /* skip reserved nops and TCC init */
+		  /* kcfi, fentry and TCC init insns will be skipped on tailcall */
+		  is_tail_call ? (RV_KCFI_NINSNS + RV_FENTRY_NINSNS + 1) * 4 : 0,
 		  ctx);
 }
 







