bpf: Do not use ax register in interpreter on div/mod

Commit c348d806ed1d3075af52345344243824d72c4945 upstream.

Partially undo old commit 144cd91c4c2b ("bpf: move tmp variable into ax
register in interpreter"). The reason we need this here is because ax
register will be used for holding temporary state for div/mod instruction
which otherwise interpreter would corrupt. This will cause a small +8 byte
stack increase for interpreter, but with the gain that we can use it from
verifier rewrites as scratch register.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
[cascardo: This partial revert is needed in order to support using AX for
the following two commits, as there is no JMP32 on 4.19.y]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
[edliaw: Removed redeclaration of tmp introduced by patch differences
between 4.14 and 4.19]
Signed-off-by: Edward Liaw <edliaw@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 2a7b95570e1d4b1a7769e780ac8f2152055bc809..c5892d3902c8d2c5f1cc8008f266b9b054e7b7bf 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -672,9 +672,6 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
         * below.
         *
         * Constant blinding is only used by JITs, not in the interpreter.
-        * The interpreter uses AX in some occasions as a local temporary
-        * register e.g. in DIV or MOD instructions.
-        *
         * In restricted circumstances, the verifier can also use the AX
         * register for rewrites as long as they do not interfere with
         * the above cases!
@@ -1069,22 +1066,22 @@ select_insn:
        ALU64_MOD_X:
                if (unlikely(SRC == 0))
                        return 0;
-               div64_u64_rem(DST, SRC, &AX);
-               DST = AX;
+               div64_u64_rem(DST, SRC, &tmp);
+               DST = tmp;
                CONT;
        ALU_MOD_X:
                if (unlikely((u32)SRC == 0))
                        return 0;
-               AX = (u32) DST;
-               DST = do_div(AX, (u32) SRC);
+               tmp = (u32) DST;
+               DST = do_div(tmp, (u32) SRC);
                CONT;
        ALU64_MOD_K:
-               div64_u64_rem(DST, IMM, &AX);
-               DST = AX;
+               div64_u64_rem(DST, IMM, &tmp);
+               DST = tmp;
                CONT;
        ALU_MOD_K:
-               AX = (u32) DST;
-               DST = do_div(AX, (u32) IMM);
+               tmp = (u32) DST;
+               DST = do_div(tmp, (u32) IMM);
                CONT;
        ALU64_DIV_X:
                if (unlikely(SRC == 0))
@@ -1094,17 +1091,17 @@ select_insn:
        ALU_DIV_X:
                if (unlikely((u32)SRC == 0))
                        return 0;
-               AX = (u32) DST;
-               do_div(AX, (u32) SRC);
-               DST = (u32) AX;
+               tmp = (u32) DST;
+               do_div(tmp, (u32) SRC);
+               DST = (u32) tmp;
                CONT;
        ALU64_DIV_K:
                DST = div64_u64(DST, IMM);
                CONT;
        ALU_DIV_K:
-               AX = (u32) DST;
-               do_div(AX, (u32) IMM);
-               DST = (u32) AX;
+               tmp = (u32) DST;
+               do_div(tmp, (u32) IMM);
+               DST = (u32) tmp;
                CONT;
        ALU_END_TO_BE:
                switch (IMM) {