xref: /openbmc/linux/arch/powerpc/net/bpf_jit_comp.c (revision 55fd7e02)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* bpf_jit_comp.c: BPF JIT compiler
3  *
4  * Copyright 2011 Matt Evans <matt@ozlabs.org>, IBM Corporation
5  *
6  * Based on the x86 BPF compiler, by Eric Dumazet (eric.dumazet@gmail.com)
7  * Ported to ppc32 by Denis Kirjanov <kda@linux-powerpc.org>
8  */
9 #include <linux/moduleloader.h>
10 #include <asm/cacheflush.h>
11 #include <asm/asm-compat.h>
12 #include <linux/netdevice.h>
13 #include <linux/filter.h>
14 #include <linux/if_vlan.h>
15 
16 #include "bpf_jit32.h"
17 
18 static inline void bpf_flush_icache(void *start, void *end)
19 {
20 	smp_wmb();
21 	flush_icache_range((unsigned long)start, (unsigned long)end);
22 }
23 
24 static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image,
25 				   struct codegen_context *ctx)
26 {
27 	int i;
28 	const struct sock_filter *filter = fp->insns;
29 
30 	if (ctx->seen & (SEEN_MEM | SEEN_DATAREF)) {
31 		/* Make stackframe */
32 		if (ctx->seen & SEEN_DATAREF) {
33 			/* If we call any helpers (for loads), save LR */
34 			EMIT(PPC_INST_MFLR | __PPC_RT(R0));
35 			PPC_BPF_STL(0, 1, PPC_LR_STKOFF);
36 
37 			/* Back up non-volatile regs. */
38 			PPC_BPF_STL(r_D, 1, -(REG_SZ*(32-r_D)));
39 			PPC_BPF_STL(r_HL, 1, -(REG_SZ*(32-r_HL)));
40 		}
41 		if (ctx->seen & SEEN_MEM) {
42 			/*
43 			 * Conditionally save regs r15-r31 as some will be used
44 			 * for M[] data.
45 			 */
46 			for (i = r_M; i < (r_M+16); i++) {
47 				if (ctx->seen & (1 << (i-r_M)))
48 					PPC_BPF_STL(i, 1, -(REG_SZ*(32-i)));
49 			}
50 		}
51 		PPC_BPF_STLU(1, 1, -BPF_PPC_STACKFRAME);
52 	}
53 
54 	if (ctx->seen & SEEN_DATAREF) {
55 		/*
56 		 * If this filter needs to access skb data,
57 		 * prepare r_D and r_HL:
58 		 *  r_HL = skb->len - skb->data_len
59 		 *  r_D	 = skb->data
60 		 */
61 		PPC_LWZ_OFFS(r_scratch1, r_skb, offsetof(struct sk_buff,
62 							 data_len));
63 		PPC_LWZ_OFFS(r_HL, r_skb, offsetof(struct sk_buff, len));
64 		PPC_SUB(r_HL, r_HL, r_scratch1);
65 		PPC_LL_OFFS(r_D, r_skb, offsetof(struct sk_buff, data));
66 	}
67 
68 	if (ctx->seen & SEEN_XREG) {
69 		/*
70 		 * TODO: Could also detect whether first instr. sets X and
71 		 * avoid this (as below, with A).
72 		 */
73 		PPC_LI(r_X, 0);
74 	}
75 
76 	/* make sure we dont leak kernel information to user */
77 	if (bpf_needs_clear_a(&filter[0]))
78 		PPC_LI(r_A, 0);
79 }
80 
81 static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
82 {
83 	int i;
84 
85 	if (ctx->seen & (SEEN_MEM | SEEN_DATAREF)) {
86 		PPC_ADDI(1, 1, BPF_PPC_STACKFRAME);
87 		if (ctx->seen & SEEN_DATAREF) {
88 			PPC_BPF_LL(0, 1, PPC_LR_STKOFF);
89 			PPC_MTLR(0);
90 			PPC_BPF_LL(r_D, 1, -(REG_SZ*(32-r_D)));
91 			PPC_BPF_LL(r_HL, 1, -(REG_SZ*(32-r_HL)));
92 		}
93 		if (ctx->seen & SEEN_MEM) {
94 			/* Restore any saved non-vol registers */
95 			for (i = r_M; i < (r_M+16); i++) {
96 				if (ctx->seen & (1 << (i-r_M)))
97 					PPC_BPF_LL(i, 1, -(REG_SZ*(32-i)));
98 			}
99 		}
100 	}
101 	/* The RETs have left a return value in R3. */
102 
103 	PPC_BLR();
104 }
105 
106 #define CHOOSE_LOAD_FUNC(K, func) \
107 	((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
108 
109 /* Assemble the body code between the prologue & epilogue. */
110 static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
111 			      struct codegen_context *ctx,
112 			      unsigned int *addrs)
113 {
114 	const struct sock_filter *filter = fp->insns;
115 	int flen = fp->len;
116 	u8 *func;
117 	unsigned int true_cond;
118 	int i;
119 
120 	/* Start of epilogue code */
121 	unsigned int exit_addr = addrs[flen];
122 
123 	for (i = 0; i < flen; i++) {
124 		unsigned int K = filter[i].k;
125 		u16 code = bpf_anc_helper(&filter[i]);
126 
127 		/*
128 		 * addrs[] maps a BPF bytecode address into a real offset from
129 		 * the start of the body code.
130 		 */
131 		addrs[i] = ctx->idx * 4;
132 
133 		switch (code) {
134 			/*** ALU ops ***/
135 		case BPF_ALU | BPF_ADD | BPF_X: /* A += X; */
136 			ctx->seen |= SEEN_XREG;
137 			PPC_ADD(r_A, r_A, r_X);
138 			break;
139 		case BPF_ALU | BPF_ADD | BPF_K: /* A += K; */
140 			if (!K)
141 				break;
142 			PPC_ADDI(r_A, r_A, IMM_L(K));
143 			if (K >= 32768)
144 				PPC_ADDIS(r_A, r_A, IMM_HA(K));
145 			break;
146 		case BPF_ALU | BPF_SUB | BPF_X: /* A -= X; */
147 			ctx->seen |= SEEN_XREG;
148 			PPC_SUB(r_A, r_A, r_X);
149 			break;
150 		case BPF_ALU | BPF_SUB | BPF_K: /* A -= K */
151 			if (!K)
152 				break;
153 			PPC_ADDI(r_A, r_A, IMM_L(-K));
154 			if (K >= 32768)
155 				PPC_ADDIS(r_A, r_A, IMM_HA(-K));
156 			break;
157 		case BPF_ALU | BPF_MUL | BPF_X: /* A *= X; */
158 			ctx->seen |= SEEN_XREG;
159 			PPC_MULW(r_A, r_A, r_X);
160 			break;
161 		case BPF_ALU | BPF_MUL | BPF_K: /* A *= K */
162 			if (K < 32768)
163 				PPC_MULI(r_A, r_A, K);
164 			else {
165 				PPC_LI32(r_scratch1, K);
166 				PPC_MULW(r_A, r_A, r_scratch1);
167 			}
168 			break;
169 		case BPF_ALU | BPF_MOD | BPF_X: /* A %= X; */
170 		case BPF_ALU | BPF_DIV | BPF_X: /* A /= X; */
171 			ctx->seen |= SEEN_XREG;
172 			PPC_CMPWI(r_X, 0);
173 			if (ctx->pc_ret0 != -1) {
174 				PPC_BCC(COND_EQ, addrs[ctx->pc_ret0]);
175 			} else {
176 				PPC_BCC_SHORT(COND_NE, (ctx->idx*4)+12);
177 				PPC_LI(r_ret, 0);
178 				PPC_JMP(exit_addr);
179 			}
180 			if (code == (BPF_ALU | BPF_MOD | BPF_X)) {
181 				PPC_DIVWU(r_scratch1, r_A, r_X);
182 				PPC_MULW(r_scratch1, r_X, r_scratch1);
183 				PPC_SUB(r_A, r_A, r_scratch1);
184 			} else {
185 				PPC_DIVWU(r_A, r_A, r_X);
186 			}
187 			break;
188 		case BPF_ALU | BPF_MOD | BPF_K: /* A %= K; */
189 			PPC_LI32(r_scratch2, K);
190 			PPC_DIVWU(r_scratch1, r_A, r_scratch2);
191 			PPC_MULW(r_scratch1, r_scratch2, r_scratch1);
192 			PPC_SUB(r_A, r_A, r_scratch1);
193 			break;
194 		case BPF_ALU | BPF_DIV | BPF_K: /* A /= K */
195 			if (K == 1)
196 				break;
197 			PPC_LI32(r_scratch1, K);
198 			PPC_DIVWU(r_A, r_A, r_scratch1);
199 			break;
200 		case BPF_ALU | BPF_AND | BPF_X:
201 			ctx->seen |= SEEN_XREG;
202 			PPC_AND(r_A, r_A, r_X);
203 			break;
204 		case BPF_ALU | BPF_AND | BPF_K:
205 			if (!IMM_H(K))
206 				PPC_ANDI(r_A, r_A, K);
207 			else {
208 				PPC_LI32(r_scratch1, K);
209 				PPC_AND(r_A, r_A, r_scratch1);
210 			}
211 			break;
212 		case BPF_ALU | BPF_OR | BPF_X:
213 			ctx->seen |= SEEN_XREG;
214 			PPC_OR(r_A, r_A, r_X);
215 			break;
216 		case BPF_ALU | BPF_OR | BPF_K:
217 			if (IMM_L(K))
218 				PPC_ORI(r_A, r_A, IMM_L(K));
219 			if (K >= 65536)
220 				PPC_ORIS(r_A, r_A, IMM_H(K));
221 			break;
222 		case BPF_ANC | SKF_AD_ALU_XOR_X:
223 		case BPF_ALU | BPF_XOR | BPF_X: /* A ^= X */
224 			ctx->seen |= SEEN_XREG;
225 			PPC_XOR(r_A, r_A, r_X);
226 			break;
227 		case BPF_ALU | BPF_XOR | BPF_K: /* A ^= K */
228 			if (IMM_L(K))
229 				PPC_XORI(r_A, r_A, IMM_L(K));
230 			if (K >= 65536)
231 				PPC_XORIS(r_A, r_A, IMM_H(K));
232 			break;
233 		case BPF_ALU | BPF_LSH | BPF_X: /* A <<= X; */
234 			ctx->seen |= SEEN_XREG;
235 			PPC_SLW(r_A, r_A, r_X);
236 			break;
237 		case BPF_ALU | BPF_LSH | BPF_K:
238 			if (K == 0)
239 				break;
240 			else
241 				PPC_SLWI(r_A, r_A, K);
242 			break;
243 		case BPF_ALU | BPF_RSH | BPF_X: /* A >>= X; */
244 			ctx->seen |= SEEN_XREG;
245 			PPC_SRW(r_A, r_A, r_X);
246 			break;
247 		case BPF_ALU | BPF_RSH | BPF_K: /* A >>= K; */
248 			if (K == 0)
249 				break;
250 			else
251 				PPC_SRWI(r_A, r_A, K);
252 			break;
253 		case BPF_ALU | BPF_NEG:
254 			PPC_NEG(r_A, r_A);
255 			break;
256 		case BPF_RET | BPF_K:
257 			PPC_LI32(r_ret, K);
258 			if (!K) {
259 				if (ctx->pc_ret0 == -1)
260 					ctx->pc_ret0 = i;
261 			}
262 			/*
263 			 * If this isn't the very last instruction, branch to
264 			 * the epilogue if we've stuff to clean up.  Otherwise,
265 			 * if there's nothing to tidy, just return.  If we /are/
266 			 * the last instruction, we're about to fall through to
267 			 * the epilogue to return.
268 			 */
269 			if (i != flen - 1) {
270 				/*
271 				 * Note: 'seen' is properly valid only on pass
272 				 * #2.	Both parts of this conditional are the
273 				 * same instruction size though, meaning the
274 				 * first pass will still correctly determine the
275 				 * code size/addresses.
276 				 */
277 				if (ctx->seen)
278 					PPC_JMP(exit_addr);
279 				else
280 					PPC_BLR();
281 			}
282 			break;
283 		case BPF_RET | BPF_A:
284 			PPC_MR(r_ret, r_A);
285 			if (i != flen - 1) {
286 				if (ctx->seen)
287 					PPC_JMP(exit_addr);
288 				else
289 					PPC_BLR();
290 			}
291 			break;
292 		case BPF_MISC | BPF_TAX: /* X = A */
293 			PPC_MR(r_X, r_A);
294 			break;
295 		case BPF_MISC | BPF_TXA: /* A = X */
296 			ctx->seen |= SEEN_XREG;
297 			PPC_MR(r_A, r_X);
298 			break;
299 
300 			/*** Constant loads/M[] access ***/
301 		case BPF_LD | BPF_IMM: /* A = K */
302 			PPC_LI32(r_A, K);
303 			break;
304 		case BPF_LDX | BPF_IMM: /* X = K */
305 			PPC_LI32(r_X, K);
306 			break;
307 		case BPF_LD | BPF_MEM: /* A = mem[K] */
308 			PPC_MR(r_A, r_M + (K & 0xf));
309 			ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
310 			break;
311 		case BPF_LDX | BPF_MEM: /* X = mem[K] */
312 			PPC_MR(r_X, r_M + (K & 0xf));
313 			ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
314 			break;
315 		case BPF_ST: /* mem[K] = A */
316 			PPC_MR(r_M + (K & 0xf), r_A);
317 			ctx->seen |= SEEN_MEM | (1<<(K & 0xf));
318 			break;
319 		case BPF_STX: /* mem[K] = X */
320 			PPC_MR(r_M + (K & 0xf), r_X);
321 			ctx->seen |= SEEN_XREG | SEEN_MEM | (1<<(K & 0xf));
322 			break;
323 		case BPF_LD | BPF_W | BPF_LEN: /*	A = skb->len; */
324 			BUILD_BUG_ON(sizeof_field(struct sk_buff, len) != 4);
325 			PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
326 			break;
327 		case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
328 			PPC_LWZ_OFFS(r_A, r_skb, K);
329 			break;
330 		case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
331 			PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
332 			break;
333 
334 			/*** Ancillary info loads ***/
335 		case BPF_ANC | SKF_AD_PROTOCOL: /* A = ntohs(skb->protocol); */
336 			BUILD_BUG_ON(sizeof_field(struct sk_buff,
337 						  protocol) != 2);
338 			PPC_NTOHS_OFFS(r_A, r_skb, offsetof(struct sk_buff,
339 							    protocol));
340 			break;
341 		case BPF_ANC | SKF_AD_IFINDEX:
342 		case BPF_ANC | SKF_AD_HATYPE:
343 			BUILD_BUG_ON(sizeof_field(struct net_device,
344 						ifindex) != 4);
345 			BUILD_BUG_ON(sizeof_field(struct net_device,
346 						type) != 2);
347 			PPC_LL_OFFS(r_scratch1, r_skb, offsetof(struct sk_buff,
348 								dev));
349 			PPC_CMPDI(r_scratch1, 0);
350 			if (ctx->pc_ret0 != -1) {
351 				PPC_BCC(COND_EQ, addrs[ctx->pc_ret0]);
352 			} else {
353 				/* Exit, returning 0; first pass hits here. */
354 				PPC_BCC_SHORT(COND_NE, ctx->idx * 4 + 12);
355 				PPC_LI(r_ret, 0);
356 				PPC_JMP(exit_addr);
357 			}
358 			if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
359 				PPC_LWZ_OFFS(r_A, r_scratch1,
360 				     offsetof(struct net_device, ifindex));
361 			} else {
362 				PPC_LHZ_OFFS(r_A, r_scratch1,
363 				     offsetof(struct net_device, type));
364 			}
365 
366 			break;
367 		case BPF_ANC | SKF_AD_MARK:
368 			BUILD_BUG_ON(sizeof_field(struct sk_buff, mark) != 4);
369 			PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
370 							  mark));
371 			break;
372 		case BPF_ANC | SKF_AD_RXHASH:
373 			BUILD_BUG_ON(sizeof_field(struct sk_buff, hash) != 4);
374 			PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
375 							  hash));
376 			break;
377 		case BPF_ANC | SKF_AD_VLAN_TAG:
378 			BUILD_BUG_ON(sizeof_field(struct sk_buff, vlan_tci) != 2);
379 
380 			PPC_LHZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
381 							  vlan_tci));
382 			break;
383 		case BPF_ANC | SKF_AD_VLAN_TAG_PRESENT:
384 			PPC_LBZ_OFFS(r_A, r_skb, PKT_VLAN_PRESENT_OFFSET());
385 			if (PKT_VLAN_PRESENT_BIT)
386 				PPC_SRWI(r_A, r_A, PKT_VLAN_PRESENT_BIT);
387 			if (PKT_VLAN_PRESENT_BIT < 7)
388 				PPC_ANDI(r_A, r_A, 1);
389 			break;
390 		case BPF_ANC | SKF_AD_QUEUE:
391 			BUILD_BUG_ON(sizeof_field(struct sk_buff,
392 						  queue_mapping) != 2);
393 			PPC_LHZ_OFFS(r_A, r_skb, offsetof(struct sk_buff,
394 							  queue_mapping));
395 			break;
396 		case BPF_ANC | SKF_AD_PKTTYPE:
397 			PPC_LBZ_OFFS(r_A, r_skb, PKT_TYPE_OFFSET());
398 			PPC_ANDI(r_A, r_A, PKT_TYPE_MAX);
399 			PPC_SRWI(r_A, r_A, 5);
400 			break;
401 		case BPF_ANC | SKF_AD_CPU:
402 			PPC_BPF_LOAD_CPU(r_A);
403 			break;
404 			/*** Absolute loads from packet header/data ***/
405 		case BPF_LD | BPF_W | BPF_ABS:
406 			func = CHOOSE_LOAD_FUNC(K, sk_load_word);
407 			goto common_load;
408 		case BPF_LD | BPF_H | BPF_ABS:
409 			func = CHOOSE_LOAD_FUNC(K, sk_load_half);
410 			goto common_load;
411 		case BPF_LD | BPF_B | BPF_ABS:
412 			func = CHOOSE_LOAD_FUNC(K, sk_load_byte);
413 		common_load:
414 			/* Load from [K]. */
415 			ctx->seen |= SEEN_DATAREF;
416 			PPC_FUNC_ADDR(r_scratch1, func);
417 			PPC_MTLR(r_scratch1);
418 			PPC_LI32(r_addr, K);
419 			PPC_BLRL();
420 			/*
421 			 * Helper returns 'lt' condition on error, and an
422 			 * appropriate return value in r3
423 			 */
424 			PPC_BCC(COND_LT, exit_addr);
425 			break;
426 
427 			/*** Indirect loads from packet header/data ***/
428 		case BPF_LD | BPF_W | BPF_IND:
429 			func = sk_load_word;
430 			goto common_load_ind;
431 		case BPF_LD | BPF_H | BPF_IND:
432 			func = sk_load_half;
433 			goto common_load_ind;
434 		case BPF_LD | BPF_B | BPF_IND:
435 			func = sk_load_byte;
436 		common_load_ind:
437 			/*
438 			 * Load from [X + K].  Negative offsets are tested for
439 			 * in the helper functions.
440 			 */
441 			ctx->seen |= SEEN_DATAREF | SEEN_XREG;
442 			PPC_FUNC_ADDR(r_scratch1, func);
443 			PPC_MTLR(r_scratch1);
444 			PPC_ADDI(r_addr, r_X, IMM_L(K));
445 			if (K >= 32768)
446 				PPC_ADDIS(r_addr, r_addr, IMM_HA(K));
447 			PPC_BLRL();
448 			/* If error, cr0.LT set */
449 			PPC_BCC(COND_LT, exit_addr);
450 			break;
451 
452 		case BPF_LDX | BPF_B | BPF_MSH:
453 			func = CHOOSE_LOAD_FUNC(K, sk_load_byte_msh);
454 			goto common_load;
455 			break;
456 
457 			/*** Jump and branches ***/
458 		case BPF_JMP | BPF_JA:
459 			if (K != 0)
460 				PPC_JMP(addrs[i + 1 + K]);
461 			break;
462 
463 		case BPF_JMP | BPF_JGT | BPF_K:
464 		case BPF_JMP | BPF_JGT | BPF_X:
465 			true_cond = COND_GT;
466 			goto cond_branch;
467 		case BPF_JMP | BPF_JGE | BPF_K:
468 		case BPF_JMP | BPF_JGE | BPF_X:
469 			true_cond = COND_GE;
470 			goto cond_branch;
471 		case BPF_JMP | BPF_JEQ | BPF_K:
472 		case BPF_JMP | BPF_JEQ | BPF_X:
473 			true_cond = COND_EQ;
474 			goto cond_branch;
475 		case BPF_JMP | BPF_JSET | BPF_K:
476 		case BPF_JMP | BPF_JSET | BPF_X:
477 			true_cond = COND_NE;
478 			/* Fall through */
479 		cond_branch:
480 			/* same targets, can avoid doing the test :) */
481 			if (filter[i].jt == filter[i].jf) {
482 				if (filter[i].jt > 0)
483 					PPC_JMP(addrs[i + 1 + filter[i].jt]);
484 				break;
485 			}
486 
487 			switch (code) {
488 			case BPF_JMP | BPF_JGT | BPF_X:
489 			case BPF_JMP | BPF_JGE | BPF_X:
490 			case BPF_JMP | BPF_JEQ | BPF_X:
491 				ctx->seen |= SEEN_XREG;
492 				PPC_CMPLW(r_A, r_X);
493 				break;
494 			case BPF_JMP | BPF_JSET | BPF_X:
495 				ctx->seen |= SEEN_XREG;
496 				PPC_AND_DOT(r_scratch1, r_A, r_X);
497 				break;
498 			case BPF_JMP | BPF_JEQ | BPF_K:
499 			case BPF_JMP | BPF_JGT | BPF_K:
500 			case BPF_JMP | BPF_JGE | BPF_K:
501 				if (K < 32768)
502 					PPC_CMPLWI(r_A, K);
503 				else {
504 					PPC_LI32(r_scratch1, K);
505 					PPC_CMPLW(r_A, r_scratch1);
506 				}
507 				break;
508 			case BPF_JMP | BPF_JSET | BPF_K:
509 				if (K < 32768)
510 					/* PPC_ANDI is /only/ dot-form */
511 					PPC_ANDI(r_scratch1, r_A, K);
512 				else {
513 					PPC_LI32(r_scratch1, K);
514 					PPC_AND_DOT(r_scratch1, r_A,
515 						    r_scratch1);
516 				}
517 				break;
518 			}
519 			/* Sometimes branches are constructed "backward", with
520 			 * the false path being the branch and true path being
521 			 * a fallthrough to the next instruction.
522 			 */
523 			if (filter[i].jt == 0)
524 				/* Swap the sense of the branch */
525 				PPC_BCC(true_cond ^ COND_CMP_TRUE,
526 					addrs[i + 1 + filter[i].jf]);
527 			else {
528 				PPC_BCC(true_cond, addrs[i + 1 + filter[i].jt]);
529 				if (filter[i].jf != 0)
530 					PPC_JMP(addrs[i + 1 + filter[i].jf]);
531 			}
532 			break;
533 		default:
534 			/* The filter contains something cruel & unusual.
535 			 * We don't handle it, but also there shouldn't be
536 			 * anything missing from our list.
537 			 */
538 			if (printk_ratelimit())
539 				pr_err("BPF filter opcode %04x (@%d) unsupported\n",
540 				       filter[i].code, i);
541 			return -ENOTSUPP;
542 		}
543 
544 	}
545 	/* Set end-of-body-code address for exit. */
546 	addrs[i] = ctx->idx * 4;
547 
548 	return 0;
549 }
550 
551 void bpf_jit_compile(struct bpf_prog *fp)
552 {
553 	unsigned int proglen;
554 	unsigned int alloclen;
555 	u32 *image = NULL;
556 	u32 *code_base;
557 	unsigned int *addrs;
558 	struct codegen_context cgctx;
559 	int pass;
560 	int flen = fp->len;
561 
562 	if (!bpf_jit_enable)
563 		return;
564 
565 	addrs = kcalloc(flen + 1, sizeof(*addrs), GFP_KERNEL);
566 	if (addrs == NULL)
567 		return;
568 
569 	/*
570 	 * There are multiple assembly passes as the generated code will change
571 	 * size as it settles down, figuring out the max branch offsets/exit
572 	 * paths required.
573 	 *
574 	 * The range of standard conditional branches is +/- 32Kbytes.	Since
575 	 * BPF_MAXINSNS = 4096, we can only jump from (worst case) start to
576 	 * finish with 8 bytes/instruction.  Not feasible, so long jumps are
577 	 * used, distinct from short branches.
578 	 *
579 	 * Current:
580 	 *
581 	 * For now, both branch types assemble to 2 words (short branches padded
582 	 * with a NOP); this is less efficient, but assembly will always complete
583 	 * after exactly 3 passes:
584 	 *
585 	 * First pass: No code buffer; Program is "faux-generated" -- no code
586 	 * emitted but maximum size of output determined (and addrs[] filled
587 	 * in).	 Also, we note whether we use M[], whether we use skb data, etc.
588 	 * All generation choices assumed to be 'worst-case', e.g. branches all
589 	 * far (2 instructions), return path code reduction not available, etc.
590 	 *
591 	 * Second pass: Code buffer allocated with size determined previously.
592 	 * Prologue generated to support features we have seen used.  Exit paths
593 	 * determined and addrs[] is filled in again, as code may be slightly
594 	 * smaller as a result.
595 	 *
596 	 * Third pass: Code generated 'for real', and branch destinations
597 	 * determined from now-accurate addrs[] map.
598 	 *
599 	 * Ideal:
600 	 *
601 	 * If we optimise this, near branches will be shorter.	On the
602 	 * first assembly pass, we should err on the side of caution and
603 	 * generate the biggest code.  On subsequent passes, branches will be
604 	 * generated short or long and code size will reduce.  With smaller
605 	 * code, more branches may fall into the short category, and code will
606 	 * reduce more.
607 	 *
608 	 * Finally, if we see one pass generate code the same size as the
609 	 * previous pass we have converged and should now generate code for
610 	 * real.  Allocating at the end will also save the memory that would
611 	 * otherwise be wasted by the (small) current code shrinkage.
612 	 * Preferably, we should do a small number of passes (e.g. 5) and if we
613 	 * haven't converged by then, get impatient and force code to generate
614 	 * as-is, even if the odd branch would be left long.  The chances of a
615 	 * long jump are tiny with all but the most enormous of BPF filter
616 	 * inputs, so we should usually converge on the third pass.
617 	 */
618 
619 	cgctx.idx = 0;
620 	cgctx.seen = 0;
621 	cgctx.pc_ret0 = -1;
622 	/* Scouting faux-generate pass 0 */
623 	if (bpf_jit_build_body(fp, 0, &cgctx, addrs))
624 		/* We hit something illegal or unsupported. */
625 		goto out;
626 
627 	/*
628 	 * Pretend to build prologue, given the features we've seen.  This will
629 	 * update ctgtx.idx as it pretends to output instructions, then we can
630 	 * calculate total size from idx.
631 	 */
632 	bpf_jit_build_prologue(fp, 0, &cgctx);
633 	bpf_jit_build_epilogue(0, &cgctx);
634 
635 	proglen = cgctx.idx * 4;
636 	alloclen = proglen + FUNCTION_DESCR_SIZE;
637 	image = module_alloc(alloclen);
638 	if (!image)
639 		goto out;
640 
641 	code_base = image + (FUNCTION_DESCR_SIZE/4);
642 
643 	/* Code generation passes 1-2 */
644 	for (pass = 1; pass < 3; pass++) {
645 		/* Now build the prologue, body code & epilogue for real. */
646 		cgctx.idx = 0;
647 		bpf_jit_build_prologue(fp, code_base, &cgctx);
648 		bpf_jit_build_body(fp, code_base, &cgctx, addrs);
649 		bpf_jit_build_epilogue(code_base, &cgctx);
650 
651 		if (bpf_jit_enable > 1)
652 			pr_info("Pass %d: shrink = %d, seen = 0x%x\n", pass,
653 				proglen - (cgctx.idx * 4), cgctx.seen);
654 	}
655 
656 	if (bpf_jit_enable > 1)
657 		/* Note that we output the base address of the code_base
658 		 * rather than image, since opcodes are in code_base.
659 		 */
660 		bpf_jit_dump(flen, proglen, pass, code_base);
661 
662 	bpf_flush_icache(code_base, code_base + (proglen/4));
663 
664 #ifdef CONFIG_PPC64
665 	/* Function descriptor nastiness: Address + TOC */
666 	((u64 *)image)[0] = (u64)code_base;
667 	((u64 *)image)[1] = local_paca->kernel_toc;
668 #endif
669 
670 	fp->bpf_func = (void *)image;
671 	fp->jited = 1;
672 
673 out:
674 	kfree(addrs);
675 	return;
676 }
677 
678 void bpf_jit_free(struct bpf_prog *fp)
679 {
680 	if (fp->jited)
681 		module_memfree(fp->bpf_func);
682 
683 	bpf_prog_unlock_free(fp);
684 }
685