bpf_jit_comp.c 26 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Just-In-Time compiler for eBPF bytecode on MIPS.
  4. * Implementation of JIT functions common to 32-bit and 64-bit CPUs.
  5. *
  6. * Copyright (c) 2021 Anyfi Networks AB.
  7. * Author: Johan Almbladh <johan.almbladh@gmail.com>
  8. *
  9. * Based on code and ideas from
  10. * Copyright (c) 2017 Cavium, Inc.
  11. * Copyright (c) 2017 Shubham Bansal <illusionist.neo@gmail.com>
  12. * Copyright (c) 2011 Mircea Gherzan <mgherzan@gmail.com>
  13. */
  14. /*
  15. * Code overview
  16. * =============
  17. *
  18. * - bpf_jit_comp.h
  19. * Common definitions and utilities.
  20. *
  21. * - bpf_jit_comp.c
  22. * Implementation of JIT top-level logic and exported JIT API functions.
  23. * Implementation of internal operations shared by 32-bit and 64-bit code.
  24. * JMP and ALU JIT control code, register control code, shared ALU and
  25. * JMP/JMP32 JIT operations.
  26. *
  27. * - bpf_jit_comp32.c
  28. * Implementation of functions to JIT prologue, epilogue and a single eBPF
  29. * instruction for 32-bit MIPS CPUs. The functions use shared operations
  30. * where possible, and implement the rest for 32-bit MIPS such as ALU64
  31. * operations.
  32. *
  33. * - bpf_jit_comp64.c
  34. * Ditto, for 64-bit MIPS CPUs.
  35. *
  36. * Zero and sign extension
  37. * ========================
  38. * 32-bit MIPS instructions on 64-bit MIPS registers use sign extension,
  39. * but the eBPF instruction set mandates zero extension. We let the verifier
  40. * insert explicit zero-extensions after 32-bit ALU operations, both for
  41. * 32-bit and 64-bit MIPS JITs. Conditional JMP32 operations on 64-bit MIPs
  42. * are JITed with sign extensions inserted when so expected.
  43. *
  44. * ALU operations
  45. * ==============
  46. * ALU operations on 32/64-bit MIPS and ALU64 operations on 64-bit MIPS are
  47. * JITed in the following steps. ALU64 operations on 32-bit MIPS are more
  48. * complicated and therefore only processed by special implementations in
  49. * step (3).
  50. *
  51. * 1) valid_alu_i:
  52. * Determine if an immediate operation can be emitted as such, or if
  53. * we must fall back to the register version.
  54. *
  55. * 2) rewrite_alu_i:
  56. * Convert BPF operation and immediate value to a canonical form for
  57. * JITing. In some degenerate cases this form may be a no-op.
  58. *
  59. * 3) emit_alu_{i,i64,r,64}:
  60. * Emit instructions for an ALU or ALU64 immediate or register operation.
  61. *
  62. * JMP operations
  63. * ==============
  64. * JMP and JMP32 operations require an JIT instruction offset table for
  65. * translating the jump offset. This table is computed by dry-running the
  66. * JIT without actually emitting anything. However, the computed PC-relative
  67. * offset may overflow the 18-bit offset field width of the native MIPS
  68. * branch instruction. In such cases, the long jump is converted into the
  69. * following sequence.
  70. *
  71. * <branch> !<cond> +2 Inverted PC-relative branch
  72. * nop Delay slot
  73. * j <offset> Unconditional absolute long jump
  74. * nop Delay slot
  75. *
  76. * Since this converted sequence alters the offset table, all offsets must
  77. * be re-calculated. This may in turn trigger new branch conversions, so
  78. * the process is repeated until no further changes are made. Normally it
  79. * completes in 1-2 iterations. If JIT_MAX_ITERATIONS should reached, we
  80. * fall back to converting every remaining jump operation. The branch
  81. * conversion is independent of how the JMP or JMP32 condition is JITed.
  82. *
  83. * JMP32 and JMP operations are JITed as follows.
  84. *
  85. * 1) setup_jmp_{i,r}:
  86. * Convert jump conditional and offset into a form that can be JITed.
  87. * This form may be a no-op, a canonical form, or an inverted PC-relative
  88. * jump if branch conversion is necessary.
  89. *
  90. * 2) valid_jmp_i:
  91. * Determine if an immediate operations can be emitted as such, or if
  92. * we must fall back to the register version. Applies to JMP32 for 32-bit
  93. * MIPS, and both JMP and JMP32 for 64-bit MIPS.
  94. *
  95. * 3) emit_jmp_{i,i64,r,r64}:
  96. * Emit instructions for an JMP or JMP32 immediate or register operation.
  97. *
  98. * 4) finish_jmp_{i,r}:
  99. * Emit any instructions needed to finish the jump. This includes a nop
  100. * for the delay slot if a branch was emitted, and a long absolute jump
  101. * if the branch was converted.
  102. */
  103. #include <linux/limits.h>
  104. #include <linux/bitops.h>
  105. #include <linux/errno.h>
  106. #include <linux/filter.h>
  107. #include <linux/bpf.h>
  108. #include <linux/slab.h>
  109. #include <asm/bitops.h>
  110. #include <asm/cacheflush.h>
  111. #include <asm/cpu-features.h>
  112. #include <asm/isa-rev.h>
  113. #include <asm/uasm.h>
  114. #include "bpf_jit_comp.h"
  115. /* Convenience macros for descriptor access */
  116. #define CONVERTED(desc) ((desc) & JIT_DESC_CONVERT)
  117. #define INDEX(desc) ((desc) & ~JIT_DESC_CONVERT)
  118. /*
  119. * Push registers on the stack, starting at a given depth from the stack
  120. * pointer and increasing. The next depth to be written is returned.
  121. */
  122. int push_regs(struct jit_context *ctx, u32 mask, u32 excl, int depth)
  123. {
  124. int reg;
  125. for (reg = 0; reg < BITS_PER_BYTE * sizeof(mask); reg++)
  126. if (mask & BIT(reg)) {
  127. if ((excl & BIT(reg)) == 0) {
  128. if (sizeof(long) == 4)
  129. emit(ctx, sw, reg, depth, MIPS_R_SP);
  130. else /* sizeof(long) == 8 */
  131. emit(ctx, sd, reg, depth, MIPS_R_SP);
  132. }
  133. depth += sizeof(long);
  134. }
  135. ctx->stack_used = max((int)ctx->stack_used, depth);
  136. return depth;
  137. }
  138. /*
  139. * Pop registers from the stack, starting at a given depth from the stack
  140. * pointer and increasing. The next depth to be read is returned.
  141. */
  142. int pop_regs(struct jit_context *ctx, u32 mask, u32 excl, int depth)
  143. {
  144. int reg;
  145. for (reg = 0; reg < BITS_PER_BYTE * sizeof(mask); reg++)
  146. if (mask & BIT(reg)) {
  147. if ((excl & BIT(reg)) == 0) {
  148. if (sizeof(long) == 4)
  149. emit(ctx, lw, reg, depth, MIPS_R_SP);
  150. else /* sizeof(long) == 8 */
  151. emit(ctx, ld, reg, depth, MIPS_R_SP);
  152. }
  153. depth += sizeof(long);
  154. }
  155. return depth;
  156. }
  157. /* Compute the 28-bit jump target address from a BPF program location */
  158. int get_target(struct jit_context *ctx, u32 loc)
  159. {
  160. u32 index = INDEX(ctx->descriptors[loc]);
  161. unsigned long pc = (unsigned long)&ctx->target[ctx->jit_index];
  162. unsigned long addr = (unsigned long)&ctx->target[index];
  163. if (!ctx->target)
  164. return 0;
  165. if ((addr ^ pc) & ~MIPS_JMP_MASK)
  166. return -1;
  167. return addr & MIPS_JMP_MASK;
  168. }
  169. /* Compute the PC-relative offset to relative BPF program offset */
  170. int get_offset(const struct jit_context *ctx, int off)
  171. {
  172. return (INDEX(ctx->descriptors[ctx->bpf_index + off]) -
  173. ctx->jit_index - 1) * sizeof(u32);
  174. }
  175. /* dst = imm (register width) */
  176. void emit_mov_i(struct jit_context *ctx, u8 dst, s32 imm)
  177. {
  178. if (imm >= -0x8000 && imm <= 0x7fff) {
  179. emit(ctx, addiu, dst, MIPS_R_ZERO, imm);
  180. } else {
  181. emit(ctx, lui, dst, (s16)((u32)imm >> 16));
  182. emit(ctx, ori, dst, dst, (u16)(imm & 0xffff));
  183. }
  184. clobber_reg(ctx, dst);
  185. }
  186. /* dst = src (register width) */
  187. void emit_mov_r(struct jit_context *ctx, u8 dst, u8 src)
  188. {
  189. emit(ctx, ori, dst, src, 0);
  190. clobber_reg(ctx, dst);
  191. }
  192. /* Validate ALU immediate range */
  193. bool valid_alu_i(u8 op, s32 imm)
  194. {
  195. switch (BPF_OP(op)) {
  196. case BPF_NEG:
  197. case BPF_LSH:
  198. case BPF_RSH:
  199. case BPF_ARSH:
  200. /* All legal eBPF values are valid */
  201. return true;
  202. case BPF_ADD:
  203. if (IS_ENABLED(CONFIG_CPU_DADDI_WORKAROUNDS))
  204. return false;
  205. /* imm must be 16 bits */
  206. return imm >= -0x8000 && imm <= 0x7fff;
  207. case BPF_SUB:
  208. if (IS_ENABLED(CONFIG_CPU_DADDI_WORKAROUNDS))
  209. return false;
  210. /* -imm must be 16 bits */
  211. return imm >= -0x7fff && imm <= 0x8000;
  212. case BPF_AND:
  213. case BPF_OR:
  214. case BPF_XOR:
  215. /* imm must be 16 bits unsigned */
  216. return imm >= 0 && imm <= 0xffff;
  217. case BPF_MUL:
  218. /* imm must be zero or a positive power of two */
  219. return imm == 0 || (imm > 0 && is_power_of_2(imm));
  220. case BPF_DIV:
  221. case BPF_MOD:
  222. /* imm must be an 17-bit power of two */
  223. return (u32)imm <= 0x10000 && is_power_of_2((u32)imm);
  224. }
  225. return false;
  226. }
  227. /* Rewrite ALU immediate operation */
  228. bool rewrite_alu_i(u8 op, s32 imm, u8 *alu, s32 *val)
  229. {
  230. bool act = true;
  231. switch (BPF_OP(op)) {
  232. case BPF_LSH:
  233. case BPF_RSH:
  234. case BPF_ARSH:
  235. case BPF_ADD:
  236. case BPF_SUB:
  237. case BPF_OR:
  238. case BPF_XOR:
  239. /* imm == 0 is a no-op */
  240. act = imm != 0;
  241. break;
  242. case BPF_MUL:
  243. if (imm == 1) {
  244. /* dst * 1 is a no-op */
  245. act = false;
  246. } else if (imm == 0) {
  247. /* dst * 0 is dst & 0 */
  248. op = BPF_AND;
  249. } else {
  250. /* dst * (1 << n) is dst << n */
  251. op = BPF_LSH;
  252. imm = ilog2(abs(imm));
  253. }
  254. break;
  255. case BPF_DIV:
  256. if (imm == 1) {
  257. /* dst / 1 is a no-op */
  258. act = false;
  259. } else {
  260. /* dst / (1 << n) is dst >> n */
  261. op = BPF_RSH;
  262. imm = ilog2(imm);
  263. }
  264. break;
  265. case BPF_MOD:
  266. /* dst % (1 << n) is dst & ((1 << n) - 1) */
  267. op = BPF_AND;
  268. imm--;
  269. break;
  270. }
  271. *alu = op;
  272. *val = imm;
  273. return act;
  274. }
  275. /* ALU immediate operation (32-bit) */
  276. void emit_alu_i(struct jit_context *ctx, u8 dst, s32 imm, u8 op)
  277. {
  278. switch (BPF_OP(op)) {
  279. /* dst = -dst */
  280. case BPF_NEG:
  281. emit(ctx, subu, dst, MIPS_R_ZERO, dst);
  282. break;
  283. /* dst = dst & imm */
  284. case BPF_AND:
  285. emit(ctx, andi, dst, dst, (u16)imm);
  286. break;
  287. /* dst = dst | imm */
  288. case BPF_OR:
  289. emit(ctx, ori, dst, dst, (u16)imm);
  290. break;
  291. /* dst = dst ^ imm */
  292. case BPF_XOR:
  293. emit(ctx, xori, dst, dst, (u16)imm);
  294. break;
  295. /* dst = dst << imm */
  296. case BPF_LSH:
  297. emit(ctx, sll, dst, dst, imm);
  298. break;
  299. /* dst = dst >> imm */
  300. case BPF_RSH:
  301. emit(ctx, srl, dst, dst, imm);
  302. break;
  303. /* dst = dst >> imm (arithmetic) */
  304. case BPF_ARSH:
  305. emit(ctx, sra, dst, dst, imm);
  306. break;
  307. /* dst = dst + imm */
  308. case BPF_ADD:
  309. emit(ctx, addiu, dst, dst, imm);
  310. break;
  311. /* dst = dst - imm */
  312. case BPF_SUB:
  313. emit(ctx, addiu, dst, dst, -imm);
  314. break;
  315. }
  316. clobber_reg(ctx, dst);
  317. }
  318. /* ALU register operation (32-bit) */
  319. void emit_alu_r(struct jit_context *ctx, u8 dst, u8 src, u8 op)
  320. {
  321. switch (BPF_OP(op)) {
  322. /* dst = dst & src */
  323. case BPF_AND:
  324. emit(ctx, and, dst, dst, src);
  325. break;
  326. /* dst = dst | src */
  327. case BPF_OR:
  328. emit(ctx, or, dst, dst, src);
  329. break;
  330. /* dst = dst ^ src */
  331. case BPF_XOR:
  332. emit(ctx, xor, dst, dst, src);
  333. break;
  334. /* dst = dst << src */
  335. case BPF_LSH:
  336. emit(ctx, sllv, dst, dst, src);
  337. break;
  338. /* dst = dst >> src */
  339. case BPF_RSH:
  340. emit(ctx, srlv, dst, dst, src);
  341. break;
  342. /* dst = dst >> src (arithmetic) */
  343. case BPF_ARSH:
  344. emit(ctx, srav, dst, dst, src);
  345. break;
  346. /* dst = dst + src */
  347. case BPF_ADD:
  348. emit(ctx, addu, dst, dst, src);
  349. break;
  350. /* dst = dst - src */
  351. case BPF_SUB:
  352. emit(ctx, subu, dst, dst, src);
  353. break;
  354. /* dst = dst * src */
  355. case BPF_MUL:
  356. if (cpu_has_mips32r1 || cpu_has_mips32r6) {
  357. emit(ctx, mul, dst, dst, src);
  358. } else {
  359. emit(ctx, multu, dst, src);
  360. emit(ctx, mflo, dst);
  361. }
  362. break;
  363. /* dst = dst / src */
  364. case BPF_DIV:
  365. if (cpu_has_mips32r6) {
  366. emit(ctx, divu_r6, dst, dst, src);
  367. } else {
  368. emit(ctx, divu, dst, src);
  369. emit(ctx, mflo, dst);
  370. }
  371. break;
  372. /* dst = dst % src */
  373. case BPF_MOD:
  374. if (cpu_has_mips32r6) {
  375. emit(ctx, modu, dst, dst, src);
  376. } else {
  377. emit(ctx, divu, dst, src);
  378. emit(ctx, mfhi, dst);
  379. }
  380. break;
  381. }
  382. clobber_reg(ctx, dst);
  383. }
  384. /* Atomic read-modify-write (32-bit) */
  385. void emit_atomic_r(struct jit_context *ctx, u8 dst, u8 src, s16 off, u8 code)
  386. {
  387. LLSC_sync(ctx);
  388. emit(ctx, ll, MIPS_R_T9, off, dst);
  389. switch (code) {
  390. case BPF_ADD:
  391. case BPF_ADD | BPF_FETCH:
  392. emit(ctx, addu, MIPS_R_T8, MIPS_R_T9, src);
  393. break;
  394. case BPF_AND:
  395. case BPF_AND | BPF_FETCH:
  396. emit(ctx, and, MIPS_R_T8, MIPS_R_T9, src);
  397. break;
  398. case BPF_OR:
  399. case BPF_OR | BPF_FETCH:
  400. emit(ctx, or, MIPS_R_T8, MIPS_R_T9, src);
  401. break;
  402. case BPF_XOR:
  403. case BPF_XOR | BPF_FETCH:
  404. emit(ctx, xor, MIPS_R_T8, MIPS_R_T9, src);
  405. break;
  406. case BPF_XCHG:
  407. emit(ctx, move, MIPS_R_T8, src);
  408. break;
  409. }
  410. emit(ctx, sc, MIPS_R_T8, off, dst);
  411. emit(ctx, LLSC_beqz, MIPS_R_T8, -16 - LLSC_offset);
  412. emit(ctx, nop); /* Delay slot */
  413. if (code & BPF_FETCH) {
  414. emit(ctx, move, src, MIPS_R_T9);
  415. clobber_reg(ctx, src);
  416. }
  417. }
  418. /* Atomic compare-and-exchange (32-bit) */
  419. void emit_cmpxchg_r(struct jit_context *ctx, u8 dst, u8 src, u8 res, s16 off)
  420. {
  421. LLSC_sync(ctx);
  422. emit(ctx, ll, MIPS_R_T9, off, dst);
  423. emit(ctx, bne, MIPS_R_T9, res, 12);
  424. emit(ctx, move, MIPS_R_T8, src); /* Delay slot */
  425. emit(ctx, sc, MIPS_R_T8, off, dst);
  426. emit(ctx, LLSC_beqz, MIPS_R_T8, -20 - LLSC_offset);
  427. emit(ctx, move, res, MIPS_R_T9); /* Delay slot */
  428. clobber_reg(ctx, res);
  429. }
  430. /* Swap bytes and truncate a register word or half word */
  431. void emit_bswap_r(struct jit_context *ctx, u8 dst, u32 width)
  432. {
  433. u8 tmp = MIPS_R_T8;
  434. u8 msk = MIPS_R_T9;
  435. switch (width) {
  436. /* Swap bytes in a word */
  437. case 32:
  438. if (cpu_has_mips32r2 || cpu_has_mips32r6) {
  439. emit(ctx, wsbh, dst, dst);
  440. emit(ctx, rotr, dst, dst, 16);
  441. } else {
  442. emit(ctx, sll, tmp, dst, 16); /* tmp = dst << 16 */
  443. emit(ctx, srl, dst, dst, 16); /* dst = dst >> 16 */
  444. emit(ctx, or, dst, dst, tmp); /* dst = dst | tmp */
  445. emit(ctx, lui, msk, 0xff); /* msk = 0x00ff0000 */
  446. emit(ctx, ori, msk, msk, 0xff); /* msk = msk | 0xff */
  447. emit(ctx, and, tmp, dst, msk); /* tmp = dst & msk */
  448. emit(ctx, sll, tmp, tmp, 8); /* tmp = tmp << 8 */
  449. emit(ctx, srl, dst, dst, 8); /* dst = dst >> 8 */
  450. emit(ctx, and, dst, dst, msk); /* dst = dst & msk */
  451. emit(ctx, or, dst, dst, tmp); /* reg = dst | tmp */
  452. }
  453. break;
  454. /* Swap bytes in a half word */
  455. case 16:
  456. if (cpu_has_mips32r2 || cpu_has_mips32r6) {
  457. emit(ctx, wsbh, dst, dst);
  458. emit(ctx, andi, dst, dst, 0xffff);
  459. } else {
  460. emit(ctx, andi, tmp, dst, 0xff00); /* t = d & 0xff00 */
  461. emit(ctx, srl, tmp, tmp, 8); /* t = t >> 8 */
  462. emit(ctx, andi, dst, dst, 0x00ff); /* d = d & 0x00ff */
  463. emit(ctx, sll, dst, dst, 8); /* d = d << 8 */
  464. emit(ctx, or, dst, dst, tmp); /* d = d | t */
  465. }
  466. break;
  467. }
  468. clobber_reg(ctx, dst);
  469. }
  470. /* Validate jump immediate range */
  471. bool valid_jmp_i(u8 op, s32 imm)
  472. {
  473. switch (op) {
  474. case JIT_JNOP:
  475. /* Immediate value not used */
  476. return true;
  477. case BPF_JEQ:
  478. case BPF_JNE:
  479. /* No immediate operation */
  480. return false;
  481. case BPF_JSET:
  482. case JIT_JNSET:
  483. /* imm must be 16 bits unsigned */
  484. return imm >= 0 && imm <= 0xffff;
  485. case BPF_JGE:
  486. case BPF_JLT:
  487. case BPF_JSGE:
  488. case BPF_JSLT:
  489. /* imm must be 16 bits */
  490. return imm >= -0x8000 && imm <= 0x7fff;
  491. case BPF_JGT:
  492. case BPF_JLE:
  493. case BPF_JSGT:
  494. case BPF_JSLE:
  495. /* imm + 1 must be 16 bits */
  496. return imm >= -0x8001 && imm <= 0x7ffe;
  497. }
  498. return false;
  499. }
  500. /* Invert a conditional jump operation */
  501. static u8 invert_jmp(u8 op)
  502. {
  503. switch (op) {
  504. case BPF_JA: return JIT_JNOP;
  505. case BPF_JEQ: return BPF_JNE;
  506. case BPF_JNE: return BPF_JEQ;
  507. case BPF_JSET: return JIT_JNSET;
  508. case BPF_JGT: return BPF_JLE;
  509. case BPF_JGE: return BPF_JLT;
  510. case BPF_JLT: return BPF_JGE;
  511. case BPF_JLE: return BPF_JGT;
  512. case BPF_JSGT: return BPF_JSLE;
  513. case BPF_JSGE: return BPF_JSLT;
  514. case BPF_JSLT: return BPF_JSGE;
  515. case BPF_JSLE: return BPF_JSGT;
  516. }
  517. return 0;
  518. }
  519. /* Prepare a PC-relative jump operation */
  520. static void setup_jmp(struct jit_context *ctx, u8 bpf_op,
  521. s16 bpf_off, u8 *jit_op, s32 *jit_off)
  522. {
  523. u32 *descp = &ctx->descriptors[ctx->bpf_index];
  524. int op = bpf_op;
  525. int offset = 0;
  526. /* Do not compute offsets on the first pass */
  527. if (INDEX(*descp) == 0)
  528. goto done;
  529. /* Skip jumps never taken */
  530. if (bpf_op == JIT_JNOP)
  531. goto done;
  532. /* Convert jumps always taken */
  533. if (bpf_op == BPF_JA)
  534. *descp |= JIT_DESC_CONVERT;
  535. /*
  536. * Current ctx->jit_index points to the start of the branch preamble.
  537. * Since the preamble differs among different branch conditionals,
  538. * the current index cannot be used to compute the branch offset.
  539. * Instead, we use the offset table value for the next instruction,
  540. * which gives the index immediately after the branch delay slot.
  541. */
  542. if (!CONVERTED(*descp)) {
  543. int target = ctx->bpf_index + bpf_off + 1;
  544. int origin = ctx->bpf_index + 1;
  545. offset = (INDEX(ctx->descriptors[target]) -
  546. INDEX(ctx->descriptors[origin]) + 1) * sizeof(u32);
  547. }
  548. /*
  549. * The PC-relative branch offset field on MIPS is 18 bits signed,
  550. * so if the computed offset is larger than this we generate a an
  551. * absolute jump that we skip with an inverted conditional branch.
  552. */
  553. if (CONVERTED(*descp) || offset < -0x20000 || offset > 0x1ffff) {
  554. offset = 3 * sizeof(u32);
  555. op = invert_jmp(bpf_op);
  556. ctx->changes += !CONVERTED(*descp);
  557. *descp |= JIT_DESC_CONVERT;
  558. }
  559. done:
  560. *jit_off = offset;
  561. *jit_op = op;
  562. }
  563. /* Prepare a PC-relative jump operation with immediate conditional */
  564. void setup_jmp_i(struct jit_context *ctx, s32 imm, u8 width,
  565. u8 bpf_op, s16 bpf_off, u8 *jit_op, s32 *jit_off)
  566. {
  567. bool always = false;
  568. bool never = false;
  569. switch (bpf_op) {
  570. case BPF_JEQ:
  571. case BPF_JNE:
  572. break;
  573. case BPF_JSET:
  574. case BPF_JLT:
  575. never = imm == 0;
  576. break;
  577. case BPF_JGE:
  578. always = imm == 0;
  579. break;
  580. case BPF_JGT:
  581. never = (u32)imm == U32_MAX;
  582. break;
  583. case BPF_JLE:
  584. always = (u32)imm == U32_MAX;
  585. break;
  586. case BPF_JSGT:
  587. never = imm == S32_MAX && width == 32;
  588. break;
  589. case BPF_JSGE:
  590. always = imm == S32_MIN && width == 32;
  591. break;
  592. case BPF_JSLT:
  593. never = imm == S32_MIN && width == 32;
  594. break;
  595. case BPF_JSLE:
  596. always = imm == S32_MAX && width == 32;
  597. break;
  598. }
  599. if (never)
  600. bpf_op = JIT_JNOP;
  601. if (always)
  602. bpf_op = BPF_JA;
  603. setup_jmp(ctx, bpf_op, bpf_off, jit_op, jit_off);
  604. }
  605. /* Prepare a PC-relative jump operation with register conditional */
  606. void setup_jmp_r(struct jit_context *ctx, bool same_reg,
  607. u8 bpf_op, s16 bpf_off, u8 *jit_op, s32 *jit_off)
  608. {
  609. switch (bpf_op) {
  610. case BPF_JSET:
  611. break;
  612. case BPF_JEQ:
  613. case BPF_JGE:
  614. case BPF_JLE:
  615. case BPF_JSGE:
  616. case BPF_JSLE:
  617. if (same_reg)
  618. bpf_op = BPF_JA;
  619. break;
  620. case BPF_JNE:
  621. case BPF_JLT:
  622. case BPF_JGT:
  623. case BPF_JSGT:
  624. case BPF_JSLT:
  625. if (same_reg)
  626. bpf_op = JIT_JNOP;
  627. break;
  628. }
  629. setup_jmp(ctx, bpf_op, bpf_off, jit_op, jit_off);
  630. }
  631. /* Finish a PC-relative jump operation */
  632. int finish_jmp(struct jit_context *ctx, u8 jit_op, s16 bpf_off)
  633. {
  634. /* Emit conditional branch delay slot */
  635. if (jit_op != JIT_JNOP)
  636. emit(ctx, nop);
  637. /*
  638. * Emit an absolute long jump with delay slot,
  639. * if the PC-relative branch was converted.
  640. */
  641. if (CONVERTED(ctx->descriptors[ctx->bpf_index])) {
  642. int target = get_target(ctx, ctx->bpf_index + bpf_off + 1);
  643. if (target < 0)
  644. return -1;
  645. emit(ctx, j, target);
  646. emit(ctx, nop);
  647. }
  648. return 0;
  649. }
  650. /* Jump immediate (32-bit) */
  651. void emit_jmp_i(struct jit_context *ctx, u8 dst, s32 imm, s32 off, u8 op)
  652. {
  653. switch (op) {
  654. /* No-op, used internally for branch optimization */
  655. case JIT_JNOP:
  656. break;
  657. /* PC += off if dst & imm */
  658. case BPF_JSET:
  659. emit(ctx, andi, MIPS_R_T9, dst, (u16)imm);
  660. emit(ctx, bnez, MIPS_R_T9, off);
  661. break;
  662. /* PC += off if (dst & imm) == 0 (not in BPF, used for long jumps) */
  663. case JIT_JNSET:
  664. emit(ctx, andi, MIPS_R_T9, dst, (u16)imm);
  665. emit(ctx, beqz, MIPS_R_T9, off);
  666. break;
  667. /* PC += off if dst > imm */
  668. case BPF_JGT:
  669. emit(ctx, sltiu, MIPS_R_T9, dst, imm + 1);
  670. emit(ctx, beqz, MIPS_R_T9, off);
  671. break;
  672. /* PC += off if dst >= imm */
  673. case BPF_JGE:
  674. emit(ctx, sltiu, MIPS_R_T9, dst, imm);
  675. emit(ctx, beqz, MIPS_R_T9, off);
  676. break;
  677. /* PC += off if dst < imm */
  678. case BPF_JLT:
  679. emit(ctx, sltiu, MIPS_R_T9, dst, imm);
  680. emit(ctx, bnez, MIPS_R_T9, off);
  681. break;
  682. /* PC += off if dst <= imm */
  683. case BPF_JLE:
  684. emit(ctx, sltiu, MIPS_R_T9, dst, imm + 1);
  685. emit(ctx, bnez, MIPS_R_T9, off);
  686. break;
  687. /* PC += off if dst > imm (signed) */
  688. case BPF_JSGT:
  689. emit(ctx, slti, MIPS_R_T9, dst, imm + 1);
  690. emit(ctx, beqz, MIPS_R_T9, off);
  691. break;
  692. /* PC += off if dst >= imm (signed) */
  693. case BPF_JSGE:
  694. emit(ctx, slti, MIPS_R_T9, dst, imm);
  695. emit(ctx, beqz, MIPS_R_T9, off);
  696. break;
  697. /* PC += off if dst < imm (signed) */
  698. case BPF_JSLT:
  699. emit(ctx, slti, MIPS_R_T9, dst, imm);
  700. emit(ctx, bnez, MIPS_R_T9, off);
  701. break;
  702. /* PC += off if dst <= imm (signed) */
  703. case BPF_JSLE:
  704. emit(ctx, slti, MIPS_R_T9, dst, imm + 1);
  705. emit(ctx, bnez, MIPS_R_T9, off);
  706. break;
  707. }
  708. }
  709. /* Jump register (32-bit) */
  710. void emit_jmp_r(struct jit_context *ctx, u8 dst, u8 src, s32 off, u8 op)
  711. {
  712. switch (op) {
  713. /* No-op, used internally for branch optimization */
  714. case JIT_JNOP:
  715. break;
  716. /* PC += off if dst == src */
  717. case BPF_JEQ:
  718. emit(ctx, beq, dst, src, off);
  719. break;
  720. /* PC += off if dst != src */
  721. case BPF_JNE:
  722. emit(ctx, bne, dst, src, off);
  723. break;
  724. /* PC += off if dst & src */
  725. case BPF_JSET:
  726. emit(ctx, and, MIPS_R_T9, dst, src);
  727. emit(ctx, bnez, MIPS_R_T9, off);
  728. break;
  729. /* PC += off if (dst & imm) == 0 (not in BPF, used for long jumps) */
  730. case JIT_JNSET:
  731. emit(ctx, and, MIPS_R_T9, dst, src);
  732. emit(ctx, beqz, MIPS_R_T9, off);
  733. break;
  734. /* PC += off if dst > src */
  735. case BPF_JGT:
  736. emit(ctx, sltu, MIPS_R_T9, src, dst);
  737. emit(ctx, bnez, MIPS_R_T9, off);
  738. break;
  739. /* PC += off if dst >= src */
  740. case BPF_JGE:
  741. emit(ctx, sltu, MIPS_R_T9, dst, src);
  742. emit(ctx, beqz, MIPS_R_T9, off);
  743. break;
  744. /* PC += off if dst < src */
  745. case BPF_JLT:
  746. emit(ctx, sltu, MIPS_R_T9, dst, src);
  747. emit(ctx, bnez, MIPS_R_T9, off);
  748. break;
  749. /* PC += off if dst <= src */
  750. case BPF_JLE:
  751. emit(ctx, sltu, MIPS_R_T9, src, dst);
  752. emit(ctx, beqz, MIPS_R_T9, off);
  753. break;
  754. /* PC += off if dst > src (signed) */
  755. case BPF_JSGT:
  756. emit(ctx, slt, MIPS_R_T9, src, dst);
  757. emit(ctx, bnez, MIPS_R_T9, off);
  758. break;
  759. /* PC += off if dst >= src (signed) */
  760. case BPF_JSGE:
  761. emit(ctx, slt, MIPS_R_T9, dst, src);
  762. emit(ctx, beqz, MIPS_R_T9, off);
  763. break;
  764. /* PC += off if dst < src (signed) */
  765. case BPF_JSLT:
  766. emit(ctx, slt, MIPS_R_T9, dst, src);
  767. emit(ctx, bnez, MIPS_R_T9, off);
  768. break;
  769. /* PC += off if dst <= src (signed) */
  770. case BPF_JSLE:
  771. emit(ctx, slt, MIPS_R_T9, src, dst);
  772. emit(ctx, beqz, MIPS_R_T9, off);
  773. break;
  774. }
  775. }
  776. /* Jump always */
  777. int emit_ja(struct jit_context *ctx, s16 off)
  778. {
  779. int target = get_target(ctx, ctx->bpf_index + off + 1);
  780. if (target < 0)
  781. return -1;
  782. emit(ctx, j, target);
  783. emit(ctx, nop);
  784. return 0;
  785. }
  786. /* Jump to epilogue */
  787. int emit_exit(struct jit_context *ctx)
  788. {
  789. int target = get_target(ctx, ctx->program->len);
  790. if (target < 0)
  791. return -1;
  792. emit(ctx, j, target);
  793. emit(ctx, nop);
  794. return 0;
  795. }
  796. /* Build the program body from eBPF bytecode */
  797. static int build_body(struct jit_context *ctx)
  798. {
  799. const struct bpf_prog *prog = ctx->program;
  800. unsigned int i;
  801. ctx->stack_used = 0;
  802. for (i = 0; i < prog->len; i++) {
  803. const struct bpf_insn *insn = &prog->insnsi[i];
  804. u32 *descp = &ctx->descriptors[i];
  805. int ret;
  806. access_reg(ctx, insn->src_reg);
  807. access_reg(ctx, insn->dst_reg);
  808. ctx->bpf_index = i;
  809. if (ctx->target == NULL) {
  810. ctx->changes += INDEX(*descp) != ctx->jit_index;
  811. *descp &= JIT_DESC_CONVERT;
  812. *descp |= ctx->jit_index;
  813. }
  814. ret = build_insn(insn, ctx);
  815. if (ret < 0)
  816. return ret;
  817. if (ret > 0) {
  818. i++;
  819. if (ctx->target == NULL)
  820. descp[1] = ctx->jit_index;
  821. }
  822. }
  823. /* Store the end offset, where the epilogue begins */
  824. ctx->descriptors[prog->len] = ctx->jit_index;
  825. return 0;
  826. }
  827. /* Set the branch conversion flag on all instructions */
  828. static void set_convert_flag(struct jit_context *ctx, bool enable)
  829. {
  830. const struct bpf_prog *prog = ctx->program;
  831. u32 flag = enable ? JIT_DESC_CONVERT : 0;
  832. unsigned int i;
  833. for (i = 0; i <= prog->len; i++)
  834. ctx->descriptors[i] = INDEX(ctx->descriptors[i]) | flag;
  835. }
  836. static void jit_fill_hole(void *area, unsigned int size)
  837. {
  838. u32 *p;
  839. /* We are guaranteed to have aligned memory. */
  840. for (p = area; size >= sizeof(u32); size -= sizeof(u32))
  841. uasm_i_break(&p, BRK_BUG); /* Increments p */
  842. }
  843. bool bpf_jit_needs_zext(void)
  844. {
  845. return true;
  846. }
  847. struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
  848. {
  849. struct bpf_prog *tmp, *orig_prog = prog;
  850. struct bpf_binary_header *header = NULL;
  851. struct jit_context ctx;
  852. bool tmp_blinded = false;
  853. unsigned int tmp_idx;
  854. unsigned int image_size;
  855. u8 *image_ptr;
  856. int tries;
  857. /*
  858. * If BPF JIT was not enabled then we must fall back to
  859. * the interpreter.
  860. */
  861. if (!prog->jit_requested)
  862. return orig_prog;
  863. /*
  864. * If constant blinding was enabled and we failed during blinding
  865. * then we must fall back to the interpreter. Otherwise, we save
  866. * the new JITed code.
  867. */
  868. tmp = bpf_jit_blind_constants(prog);
  869. if (IS_ERR(tmp))
  870. return orig_prog;
  871. if (tmp != prog) {
  872. tmp_blinded = true;
  873. prog = tmp;
  874. }
  875. memset(&ctx, 0, sizeof(ctx));
  876. ctx.program = prog;
  877. /*
  878. * Not able to allocate memory for descriptors[], then
  879. * we must fall back to the interpreter
  880. */
  881. ctx.descriptors = kcalloc(prog->len + 1, sizeof(*ctx.descriptors),
  882. GFP_KERNEL);
  883. if (ctx.descriptors == NULL)
  884. goto out_err;
  885. /* First pass discovers used resources */
  886. if (build_body(&ctx) < 0)
  887. goto out_err;
  888. /*
  889. * Second pass computes instruction offsets.
  890. * If any PC-relative branches are out of range, a sequence of
  891. * a PC-relative branch + a jump is generated, and we have to
  892. * try again from the beginning to generate the new offsets.
  893. * This is done until no additional conversions are necessary.
  894. * The last two iterations are done with all branches being
  895. * converted, to guarantee offset table convergence within a
  896. * fixed number of iterations.
  897. */
  898. ctx.jit_index = 0;
  899. build_prologue(&ctx);
  900. tmp_idx = ctx.jit_index;
  901. tries = JIT_MAX_ITERATIONS;
  902. do {
  903. ctx.jit_index = tmp_idx;
  904. ctx.changes = 0;
  905. if (tries == 2)
  906. set_convert_flag(&ctx, true);
  907. if (build_body(&ctx) < 0)
  908. goto out_err;
  909. } while (ctx.changes > 0 && --tries > 0);
  910. if (WARN_ONCE(ctx.changes > 0, "JIT offsets failed to converge"))
  911. goto out_err;
  912. build_epilogue(&ctx, MIPS_R_RA);
  913. /* Now we know the size of the structure to make */
  914. image_size = sizeof(u32) * ctx.jit_index;
  915. header = bpf_jit_binary_alloc(image_size, &image_ptr,
  916. sizeof(u32), jit_fill_hole);
  917. /*
  918. * Not able to allocate memory for the structure then
  919. * we must fall back to the interpretation
  920. */
  921. if (header == NULL)
  922. goto out_err;
  923. /* Actual pass to generate final JIT code */
  924. ctx.target = (u32 *)image_ptr;
  925. ctx.jit_index = 0;
  926. /*
  927. * If building the JITed code fails somehow,
  928. * we fall back to the interpretation.
  929. */
  930. build_prologue(&ctx);
  931. if (build_body(&ctx) < 0)
  932. goto out_err;
  933. build_epilogue(&ctx, MIPS_R_RA);
  934. /* Populate line info meta data */
  935. set_convert_flag(&ctx, false);
  936. bpf_prog_fill_jited_linfo(prog, &ctx.descriptors[1]);
  937. /* Set as read-only exec and flush instruction cache */
  938. if (bpf_jit_binary_lock_ro(header))
  939. goto out_err;
  940. flush_icache_range((unsigned long)header,
  941. (unsigned long)&ctx.target[ctx.jit_index]);
  942. if (bpf_jit_enable > 1)
  943. bpf_jit_dump(prog->len, image_size, 2, ctx.target);
  944. prog->bpf_func = (void *)ctx.target;
  945. prog->jited = 1;
  946. prog->jited_len = image_size;
  947. out:
  948. if (tmp_blinded)
  949. bpf_jit_prog_release_other(prog, prog == orig_prog ?
  950. tmp : orig_prog);
  951. kfree(ctx.descriptors);
  952. return prog;
  953. out_err:
  954. prog = orig_prog;
  955. if (header)
  956. bpf_jit_binary_free(header);
  957. goto out;
  958. }