1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * bpf_jit_comp64.c: eBPF JIT compiler
4
 *
5
 * Copyright 2016 Naveen N. Rao <[email protected]>
6
 *		  IBM Corporation
7
 *
8
 * Based on the powerpc classic BPF JIT compiler by Matt Evans
9
 */
10
#include <linux/moduleloader.h>
11
#include <asm/cacheflush.h>
12
#include <asm/asm-compat.h>
13
#include <linux/netdevice.h>
14
#include <linux/filter.h>
15
#include <linux/if_vlan.h>
16
#include <asm/kprobes.h>
17
#include <linux/bpf.h>
18
#include <asm/security_features.h>
19

20
#include "bpf_jit.h"
21

22
/*
23
 * Stack layout:
24
 * Ensure the top half (upto local_tmp_var) stays consistent
25
 * with our redzone usage.
26
 *
27
 *		[	prev sp		] <-------------
28
 *		[   nv gpr save area	] 5*8		|
29
 *		[    tail_call_cnt	] 8		|
30
 *		[    local_tmp_var	] 16		|
31
 * fp (r31) -->	[   ebpf stack space	] upto 512	|
32
 *		[     frame header	] 32/112	|
33
 * sp (r1) --->	[    stack pointer	] --------------
34
 */
35

36
/* for gpr non volatile registers BPG_REG_6 to 10 */
37
#define BPF_PPC_STACK_SAVE	(5*8)
38
/* for bpf JIT code internal usage */
39
#define BPF_PPC_STACK_LOCALS	24
40
/* stack frame excluding BPF stack, ensure this is quadword aligned */
41
#define BPF_PPC_STACKFRAME	(STACK_FRAME_MIN_SIZE + \
42
				 BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE)
43

44
/* BPF register usage */
45
#define TMP_REG_1	(MAX_BPF_JIT_REG + 0)
46
#define TMP_REG_2	(MAX_BPF_JIT_REG + 1)
47

48
/* BPF to ppc register mappings */
49
void bpf_jit_init_reg_mapping(struct codegen_context *ctx)
50
{
51
	/* function return value */
52
	ctx->b2p[BPF_REG_0] = _R8;
53
	/* function arguments */
54
	ctx->b2p[BPF_REG_1] = _R3;
55
	ctx->b2p[BPF_REG_2] = _R4;
56
	ctx->b2p[BPF_REG_3] = _R5;
57
	ctx->b2p[BPF_REG_4] = _R6;
58
	ctx->b2p[BPF_REG_5] = _R7;
59
	/* non volatile registers */
60
	ctx->b2p[BPF_REG_6] = _R27;
61
	ctx->b2p[BPF_REG_7] = _R28;
62
	ctx->b2p[BPF_REG_8] = _R29;
63
	ctx->b2p[BPF_REG_9] = _R30;
64
	/* frame pointer aka BPF_REG_10 */
65
	ctx->b2p[BPF_REG_FP] = _R31;
66
	/* eBPF jit internal registers */
67
	ctx->b2p[BPF_REG_AX] = _R12;
68
	ctx->b2p[TMP_REG_1] = _R9;
69
	ctx->b2p[TMP_REG_2] = _R10;
70
}
71

72
/* PPC NVR range -- update this if we ever use NVRs below r27 */
73
#define BPF_PPC_NVR_MIN		_R27
74

75
static inline bool bpf_has_stack_frame(struct codegen_context *ctx)
76
{
77
	/*
78
	 * We only need a stack frame if:
79
	 * - we call other functions (kernel helpers), or
80
	 * - the bpf program uses its stack area
81
	 * The latter condition is deduced from the usage of BPF_REG_FP
82
	 */
83
	return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, bpf_to_ppc(BPF_REG_FP));
84
}
85

86
/*
87
 * When not setting up our own stackframe, the redzone (288 bytes) usage is:
88
 *
89
 *		[	prev sp		] <-------------
90
 *		[	  ...       	] 		|
91
 * sp (r1) --->	[    stack pointer	] --------------
92
 *		[   nv gpr save area	] 5*8
93
 *		[    tail_call_cnt	] 8
94
 *		[    local_tmp_var	] 16
95
 *		[   unused red zone	] 224
96
 */
97
static int bpf_jit_stack_local(struct codegen_context *ctx)
98
{
99
	if (bpf_has_stack_frame(ctx))
100
		return STACK_FRAME_MIN_SIZE + ctx->stack_size;
101
	else
102
		return -(BPF_PPC_STACK_SAVE + 24);
103
}
104

105
static int bpf_jit_stack_tailcallcnt(struct codegen_context *ctx)
106
{
107
	return bpf_jit_stack_local(ctx) + 16;
108
}
109

110
static int bpf_jit_stack_offsetof(struct codegen_context *ctx, int reg)
111
{
112
	if (reg >= BPF_PPC_NVR_MIN && reg < 32)
113
		return (bpf_has_stack_frame(ctx) ?
114
			(BPF_PPC_STACKFRAME + ctx->stack_size) : 0)
115
				- (8 * (32 - reg));
116

117
	pr_err("BPF JIT is asking about unknown registers");
118
	BUG();
119
}
120

121
void bpf_jit_realloc_regs(struct codegen_context *ctx)
122
{
123
}
124

125
void bpf_jit_build_prologue(u32 *image, struct codegen_context *ctx)
126
{
127
	int i;
128

129
	/* Instruction for trampoline attach */
130
	EMIT(PPC_RAW_NOP());
131

132
#ifndef CONFIG_PPC_KERNEL_PCREL
133
	if (IS_ENABLED(CONFIG_PPC64_ELF_ABI_V2))
134
		EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc)));
135
#endif
136

137
	/*
138
	 * Initialize tail_call_cnt if we do tail calls.
139
	 * Otherwise, put in NOPs so that it can be skipped when we are
140
	 * invoked through a tail call.
141
	 */
142
	if (ctx->seen & SEEN_TAILCALL) {
143
		EMIT(PPC_RAW_LI(bpf_to_ppc(TMP_REG_1), 0));
144
		/* this goes in the redzone */
145
		EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, -(BPF_PPC_STACK_SAVE + 8)));
146
	} else {
147
		EMIT(PPC_RAW_NOP());
148
		EMIT(PPC_RAW_NOP());
149
	}
150

151
	if (bpf_has_stack_frame(ctx)) {
152
		/*
153
		 * We need a stack frame, but we don't necessarily need to
154
		 * save/restore LR unless we call other functions
155
		 */
156
		if (ctx->seen & SEEN_FUNC) {
157
			EMIT(PPC_RAW_MFLR(_R0));
158
			EMIT(PPC_RAW_STD(_R0, _R1, PPC_LR_STKOFF));
159
		}
160

161
		EMIT(PPC_RAW_STDU(_R1, _R1, -(BPF_PPC_STACKFRAME + ctx->stack_size)));
162
	}
163

164
	/*
165
	 * Back up non-volatile regs -- BPF registers 6-10
166
	 * If we haven't created our own stack frame, we save these
167
	 * in the protected zone below the previous stack frame
168
	 */
169
	for (i = BPF_REG_6; i <= BPF_REG_10; i++)
170
		if (bpf_is_seen_register(ctx, bpf_to_ppc(i)))
171
			EMIT(PPC_RAW_STD(bpf_to_ppc(i), _R1, bpf_jit_stack_offsetof(ctx, bpf_to_ppc(i))));
172

173
	/* Setup frame pointer to point to the bpf stack area */
174
	if (bpf_is_seen_register(ctx, bpf_to_ppc(BPF_REG_FP)))
175
		EMIT(PPC_RAW_ADDI(bpf_to_ppc(BPF_REG_FP), _R1,
176
				STACK_FRAME_MIN_SIZE + ctx->stack_size));
177
}
178

179
static void bpf_jit_emit_common_epilogue(u32 *image, struct codegen_context *ctx)
180
{
181
	int i;
182

183
	/* Restore NVRs */
184
	for (i = BPF_REG_6; i <= BPF_REG_10; i++)
185
		if (bpf_is_seen_register(ctx, bpf_to_ppc(i)))
186
			EMIT(PPC_RAW_LD(bpf_to_ppc(i), _R1, bpf_jit_stack_offsetof(ctx, bpf_to_ppc(i))));
187

188
	/* Tear down our stack frame */
189
	if (bpf_has_stack_frame(ctx)) {
190
		EMIT(PPC_RAW_ADDI(_R1, _R1, BPF_PPC_STACKFRAME + ctx->stack_size));
191
		if (ctx->seen & SEEN_FUNC) {
192
			EMIT(PPC_RAW_LD(_R0, _R1, PPC_LR_STKOFF));
193
			EMIT(PPC_RAW_MTLR(_R0));
194
		}
195
	}
196
}
197

198
void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
199
{
200
	bpf_jit_emit_common_epilogue(image, ctx);
201

202
	/* Move result to r3 */
203
	EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_0)));
204

205
	EMIT(PPC_RAW_BLR());
206

207
	bpf_jit_build_fentry_stubs(image, ctx);
208
}
209

210
int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func)
211
{
212
	unsigned long func_addr = func ? ppc_function_entry((void *)func) : 0;
213
	long reladdr;
214

215
	/* bpf to bpf call, func is not known in the initial pass. Emit 5 nops as a placeholder */
216
	if (!func) {
217
		for (int i = 0; i < 5; i++)
218
			EMIT(PPC_RAW_NOP());
219
		/* elfv1 needs an additional instruction to load addr from descriptor */
220
		if (IS_ENABLED(CONFIG_PPC64_ELF_ABI_V1))
221
			EMIT(PPC_RAW_NOP());
222
		EMIT(PPC_RAW_MTCTR(_R12));
223
		EMIT(PPC_RAW_BCTRL());
224
		return 0;
225
	}
226

227
#ifdef CONFIG_PPC_KERNEL_PCREL
228
	reladdr = func_addr - local_paca->kernelbase;
229

230
	/*
231
	 * If fimage is NULL (the initial pass to find image size),
232
	 * account for the maximum no. of instructions possible.
233
	 */
234
	if (!fimage) {
235
		ctx->idx += 7;
236
		return 0;
237
	} else if (reladdr < (long)SZ_8G && reladdr >= -(long)SZ_8G) {
238
		EMIT(PPC_RAW_LD(_R12, _R13, offsetof(struct paca_struct, kernelbase)));
239
		/* Align for subsequent prefix instruction */
240
		if (!IS_ALIGNED((unsigned long)fimage + CTX_NIA(ctx), 8))
241
			EMIT(PPC_RAW_NOP());
242
		/* paddi r12,r12,addr */
243
		EMIT(PPC_PREFIX_MLS | __PPC_PRFX_R(0) | IMM_H18(reladdr));
244
		EMIT(PPC_INST_PADDI | ___PPC_RT(_R12) | ___PPC_RA(_R12) | IMM_L(reladdr));
245
	} else {
246
		unsigned long pc = (unsigned long)fimage + CTX_NIA(ctx);
247
		bool alignment_needed = !IS_ALIGNED(pc, 8);
248

249
		reladdr = func_addr - (alignment_needed ? pc + 4 :  pc);
250

251
		if (reladdr < (long)SZ_8G && reladdr >= -(long)SZ_8G) {
252
			if (alignment_needed)
253
				EMIT(PPC_RAW_NOP());
254
			/* pla r12,addr */
255
			EMIT(PPC_PREFIX_MLS | __PPC_PRFX_R(1) | IMM_H18(reladdr));
256
			EMIT(PPC_INST_PADDI | ___PPC_RT(_R12) | IMM_L(reladdr));
257
		} else {
258
			/* We can clobber r12 */
259
			PPC_LI64(_R12, func);
260
		}
261
	}
262
	EMIT(PPC_RAW_MTCTR(_R12));
263
	EMIT(PPC_RAW_BCTRL());
264
#else
265
	if (core_kernel_text(func_addr)) {
266
		reladdr = func_addr - kernel_toc_addr();
267
		if (reladdr > 0x7FFFFFFF || reladdr < -(0x80000000L)) {
268
			pr_err("eBPF: address of %ps out of range of kernel_toc.\n", (void *)func);
269
			return -ERANGE;
270
		}
271

272
		EMIT(PPC_RAW_ADDIS(_R12, _R2, PPC_HA(reladdr)));
273
		EMIT(PPC_RAW_ADDI(_R12, _R12, PPC_LO(reladdr)));
274
		EMIT(PPC_RAW_MTCTR(_R12));
275
		EMIT(PPC_RAW_BCTRL());
276
	} else {
277
		if (IS_ENABLED(CONFIG_PPC64_ELF_ABI_V1)) {
278
			/* func points to the function descriptor */
279
			PPC_LI64(bpf_to_ppc(TMP_REG_2), func);
280
			/* Load actual entry point from function descriptor */
281
			EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_2), 0));
282
			/* ... and move it to CTR */
283
			EMIT(PPC_RAW_MTCTR(bpf_to_ppc(TMP_REG_1)));
284
			/*
285
			 * Load TOC from function descriptor at offset 8.
286
			 * We can clobber r2 since we get called through a
287
			 * function pointer (so caller will save/restore r2).
288
			 */
289
			if (is_module_text_address(func_addr))
290
				EMIT(PPC_RAW_LD(_R2, bpf_to_ppc(TMP_REG_2), 8));
291
		} else {
292
			PPC_LI64(_R12, func);
293
			EMIT(PPC_RAW_MTCTR(_R12));
294
		}
295
		EMIT(PPC_RAW_BCTRL());
296
		/*
297
		 * Load r2 with kernel TOC as kernel TOC is used if function address falls
298
		 * within core kernel text.
299
		 */
300
		if (is_module_text_address(func_addr))
301
			EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc)));
302
	}
303
#endif
304

305
	return 0;
306
}
307

308
static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
309
{
310
	/*
311
	 * By now, the eBPF program has already setup parameters in r3, r4 and r5
312
	 * r3/BPF_REG_1 - pointer to ctx -- passed as is to the next bpf program
313
	 * r4/BPF_REG_2 - pointer to bpf_array
314
	 * r5/BPF_REG_3 - index in bpf_array
315
	 */
316
	int b2p_bpf_array = bpf_to_ppc(BPF_REG_2);
317
	int b2p_index = bpf_to_ppc(BPF_REG_3);
318
	int bpf_tailcall_prologue_size = 12;
319

320
	if (!IS_ENABLED(CONFIG_PPC_KERNEL_PCREL) && IS_ENABLED(CONFIG_PPC64_ELF_ABI_V2))
321
		bpf_tailcall_prologue_size += 4; /* skip past the toc load */
322

323
	/*
324
	 * if (index >= array->map.max_entries)
325
	 *   goto out;
326
	 */
327
	EMIT(PPC_RAW_LWZ(bpf_to_ppc(TMP_REG_1), b2p_bpf_array, offsetof(struct bpf_array, map.max_entries)));
328
	EMIT(PPC_RAW_RLWINM(b2p_index, b2p_index, 0, 0, 31));
329
	EMIT(PPC_RAW_CMPLW(b2p_index, bpf_to_ppc(TMP_REG_1)));
330
	PPC_BCC_SHORT(COND_GE, out);
331

332
	/*
333
	 * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
334
	 *   goto out;
335
	 */
336
	EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx)));
337
	EMIT(PPC_RAW_CMPLWI(bpf_to_ppc(TMP_REG_1), MAX_TAIL_CALL_CNT));
338
	PPC_BCC_SHORT(COND_GE, out);
339

340
	/*
341
	 * tail_call_cnt++;
342
	 */
343
	EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), 1));
344
	EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx)));
345

346
	/* prog = array->ptrs[index]; */
347
	EMIT(PPC_RAW_MULI(bpf_to_ppc(TMP_REG_1), b2p_index, 8));
348
	EMIT(PPC_RAW_ADD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), b2p_bpf_array));
349
	EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), offsetof(struct bpf_array, ptrs)));
350

351
	/*
352
	 * if (prog == NULL)
353
	 *   goto out;
354
	 */
355
	EMIT(PPC_RAW_CMPLDI(bpf_to_ppc(TMP_REG_1), 0));
356
	PPC_BCC_SHORT(COND_EQ, out);
357

358
	/* goto *(prog->bpf_func + prologue_size); */
359
	EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), offsetof(struct bpf_prog, bpf_func)));
360
	EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1),
361
			FUNCTION_DESCR_SIZE + bpf_tailcall_prologue_size));
362
	EMIT(PPC_RAW_MTCTR(bpf_to_ppc(TMP_REG_1)));
363

364
	/* tear down stack, restore NVRs, ... */
365
	bpf_jit_emit_common_epilogue(image, ctx);
366

367
	EMIT(PPC_RAW_BCTR());
368

369
	/* out: */
370
	return 0;
371
}
372

373
bool bpf_jit_bypass_spec_v1(void)
374
{
375
#if defined(CONFIG_PPC_E500) || defined(CONFIG_PPC_BOOK3S_64)
376
	return !(security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
377
		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR));
378
#else
379
	return true;
380
#endif
381
}
382

383
bool bpf_jit_bypass_spec_v4(void)
384
{
385
	return !(security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
386
		 security_ftr_enabled(SEC_FTR_STF_BARRIER) &&
387
		 stf_barrier_type_get() != STF_BARRIER_NONE);
388
}
389

390
/*
391
 * We spill into the redzone always, even if the bpf program has its own stackframe.
392
 * Offsets hardcoded based on BPF_PPC_STACK_SAVE -- see bpf_jit_stack_local()
393
 */
394
void bpf_stf_barrier(void);
395

396
asm (
397
"		.global bpf_stf_barrier		;"
398
"	bpf_stf_barrier:			;"
399
"		std	21,-64(1)		;"
400
"		std	22,-56(1)		;"
401
"		sync				;"
402
"		ld	21,-64(1)		;"
403
"		ld	22,-56(1)		;"
404
"		ori	31,31,0			;"
405
"		.rept 14			;"
406
"		b	1f			;"
407
"	1:					;"
408
"		.endr				;"
409
"		blr				;"
410
);
411

412
static int emit_atomic_ld_st(const struct bpf_insn insn, struct codegen_context *ctx, u32 *image)
413
{
414
	u32 code = insn.code;
415
	u32 dst_reg = bpf_to_ppc(insn.dst_reg);
416
	u32 src_reg = bpf_to_ppc(insn.src_reg);
417
	u32 size = BPF_SIZE(code);
418
	u32 tmp1_reg = bpf_to_ppc(TMP_REG_1);
419
	u32 tmp2_reg = bpf_to_ppc(TMP_REG_2);
420
	s16 off = insn.off;
421
	s32 imm = insn.imm;
422

423
	switch (imm) {
424
	case BPF_LOAD_ACQ:
425
		switch (size) {
426
		case BPF_B:
427
			EMIT(PPC_RAW_LBZ(dst_reg, src_reg, off));
428
			break;
429
		case BPF_H:
430
			EMIT(PPC_RAW_LHZ(dst_reg, src_reg, off));
431
			break;
432
		case BPF_W:
433
			EMIT(PPC_RAW_LWZ(dst_reg, src_reg, off));
434
			break;
435
		case BPF_DW:
436
			if (off % 4) {
437
				EMIT(PPC_RAW_LI(tmp1_reg, off));
438
				EMIT(PPC_RAW_LDX(dst_reg, src_reg, tmp1_reg));
439
			} else {
440
				EMIT(PPC_RAW_LD(dst_reg, src_reg, off));
441
			}
442
			break;
443
		}
444
		EMIT(PPC_RAW_LWSYNC());
445
		break;
446
	case BPF_STORE_REL:
447
		EMIT(PPC_RAW_LWSYNC());
448
		switch (size) {
449
		case BPF_B:
450
			EMIT(PPC_RAW_STB(src_reg, dst_reg, off));
451
			break;
452
		case BPF_H:
453
			EMIT(PPC_RAW_STH(src_reg, dst_reg, off));
454
			break;
455
		case BPF_W:
456
			EMIT(PPC_RAW_STW(src_reg, dst_reg, off));
457
			break;
458
		case BPF_DW:
459
			if (off % 4) {
460
				EMIT(PPC_RAW_LI(tmp2_reg, off));
461
				EMIT(PPC_RAW_STDX(src_reg, dst_reg, tmp2_reg));
462
			} else {
463
				EMIT(PPC_RAW_STD(src_reg, dst_reg, off));
464
			}
465
			break;
466
		}
467
		break;
468
	default:
469
		pr_err_ratelimited("unexpected atomic load/store op code %02x\n",
470
				   imm);
471
		return -EINVAL;
472
	}
473

474
	return 0;
475
}
476

477
/* Assemble the body code between the prologue & epilogue */
478
int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, u32 *fimage, struct codegen_context *ctx,
479
		       u32 *addrs, int pass, bool extra_pass)
480
{
481
	enum stf_barrier_type stf_barrier = stf_barrier_type_get();
482
	bool sync_emitted, ori31_emitted;
483
	const struct bpf_insn *insn = fp->insnsi;
484
	int flen = fp->len;
485
	int i, ret;
486

487
	/* Start of epilogue code - will only be valid 2nd pass onwards */
488
	u32 exit_addr = addrs[flen];
489

490
	for (i = 0; i < flen; i++) {
491
		u32 code = insn[i].code;
492
		u32 dst_reg = bpf_to_ppc(insn[i].dst_reg);
493
		u32 src_reg = bpf_to_ppc(insn[i].src_reg);
494
		u32 size = BPF_SIZE(code);
495
		u32 tmp1_reg = bpf_to_ppc(TMP_REG_1);
496
		u32 tmp2_reg = bpf_to_ppc(TMP_REG_2);
497
		u32 save_reg, ret_reg;
498
		s16 off = insn[i].off;
499
		s32 imm = insn[i].imm;
500
		bool func_addr_fixed;
501
		u64 func_addr;
502
		u64 imm64;
503
		u32 true_cond;
504
		u32 tmp_idx;
505

506
		/*
507
		 * addrs[] maps a BPF bytecode address into a real offset from
508
		 * the start of the body code.
509
		 */
510
		addrs[i] = ctx->idx * 4;
511

512
		/*
513
		 * As an optimization, we note down which non-volatile registers
514
		 * are used so that we can only save/restore those in our
515
		 * prologue and epilogue. We do this here regardless of whether
516
		 * the actual BPF instruction uses src/dst registers or not
517
		 * (for instance, BPF_CALL does not use them). The expectation
518
		 * is that those instructions will have src_reg/dst_reg set to
519
		 * 0. Even otherwise, we just lose some prologue/epilogue
520
		 * optimization but everything else should work without
521
		 * any issues.
522
		 */
523
		if (dst_reg >= BPF_PPC_NVR_MIN && dst_reg < 32)
524
			bpf_set_seen_register(ctx, dst_reg);
525
		if (src_reg >= BPF_PPC_NVR_MIN && src_reg < 32)
526
			bpf_set_seen_register(ctx, src_reg);
527

528
		switch (code) {
529
		/*
530
		 * Arithmetic operations: ADD/SUB/MUL/DIV/MOD/NEG
531
		 */
532
		case BPF_ALU | BPF_ADD | BPF_X: /* (u32) dst += (u32) src */
533
		case BPF_ALU64 | BPF_ADD | BPF_X: /* dst += src */
534
			EMIT(PPC_RAW_ADD(dst_reg, dst_reg, src_reg));
535
			goto bpf_alu32_trunc;
536
		case BPF_ALU | BPF_SUB | BPF_X: /* (u32) dst -= (u32) src */
537
		case BPF_ALU64 | BPF_SUB | BPF_X: /* dst -= src */
538
			EMIT(PPC_RAW_SUB(dst_reg, dst_reg, src_reg));
539
			goto bpf_alu32_trunc;
540
		case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */
541
		case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */
542
			if (!imm) {
543
				goto bpf_alu32_trunc;
544
			} else if (imm >= -32768 && imm < 32768) {
545
				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(imm)));
546
			} else {
547
				PPC_LI32(tmp1_reg, imm);
548
				EMIT(PPC_RAW_ADD(dst_reg, dst_reg, tmp1_reg));
549
			}
550
			goto bpf_alu32_trunc;
551
		case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
552
		case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
553
			if (!imm) {
554
				goto bpf_alu32_trunc;
555
			} else if (imm > -32768 && imm <= 32768) {
556
				EMIT(PPC_RAW_ADDI(dst_reg, dst_reg, IMM_L(-imm)));
557
			} else {
558
				PPC_LI32(tmp1_reg, imm);
559
				EMIT(PPC_RAW_SUB(dst_reg, dst_reg, tmp1_reg));
560
			}
561
			goto bpf_alu32_trunc;
562
		case BPF_ALU | BPF_MUL | BPF_X: /* (u32) dst *= (u32) src */
563
		case BPF_ALU64 | BPF_MUL | BPF_X: /* dst *= src */
564
			if (BPF_CLASS(code) == BPF_ALU)
565
				EMIT(PPC_RAW_MULW(dst_reg, dst_reg, src_reg));
566
			else
567
				EMIT(PPC_RAW_MULD(dst_reg, dst_reg, src_reg));
568
			goto bpf_alu32_trunc;
569
		case BPF_ALU | BPF_MUL | BPF_K: /* (u32) dst *= (u32) imm */
570
		case BPF_ALU64 | BPF_MUL | BPF_K: /* dst *= imm */
571
			if (imm >= -32768 && imm < 32768)
572
				EMIT(PPC_RAW_MULI(dst_reg, dst_reg, IMM_L(imm)));
573
			else {
574
				PPC_LI32(tmp1_reg, imm);
575
				if (BPF_CLASS(code) == BPF_ALU)
576
					EMIT(PPC_RAW_MULW(dst_reg, dst_reg, tmp1_reg));
577
				else
578
					EMIT(PPC_RAW_MULD(dst_reg, dst_reg, tmp1_reg));
579
			}
580
			goto bpf_alu32_trunc;
581
		case BPF_ALU | BPF_DIV | BPF_X: /* (u32) dst /= (u32) src */
582
		case BPF_ALU | BPF_MOD | BPF_X: /* (u32) dst %= (u32) src */
583
			if (BPF_OP(code) == BPF_MOD) {
584
				if (off)
585
					EMIT(PPC_RAW_DIVW(tmp1_reg, dst_reg, src_reg));
586
				else
587
					EMIT(PPC_RAW_DIVWU(tmp1_reg, dst_reg, src_reg));
588

589
				EMIT(PPC_RAW_MULW(tmp1_reg, src_reg, tmp1_reg));
590
				EMIT(PPC_RAW_SUB(dst_reg, dst_reg, tmp1_reg));
591
			} else
592
				if (off)
593
					EMIT(PPC_RAW_DIVW(dst_reg, dst_reg, src_reg));
594
				else
595
					EMIT(PPC_RAW_DIVWU(dst_reg, dst_reg, src_reg));
596
			goto bpf_alu32_trunc;
597
		case BPF_ALU64 | BPF_DIV | BPF_X: /* dst /= src */
598
		case BPF_ALU64 | BPF_MOD | BPF_X: /* dst %= src */
599
			if (BPF_OP(code) == BPF_MOD) {
600
				if (off)
601
					EMIT(PPC_RAW_DIVD(tmp1_reg, dst_reg, src_reg));
602
				else
603
					EMIT(PPC_RAW_DIVDU(tmp1_reg, dst_reg, src_reg));
604
				EMIT(PPC_RAW_MULD(tmp1_reg, src_reg, tmp1_reg));
605
				EMIT(PPC_RAW_SUB(dst_reg, dst_reg, tmp1_reg));
606
			} else
607
				if (off)
608
					EMIT(PPC_RAW_DIVD(dst_reg, dst_reg, src_reg));
609
				else
610
					EMIT(PPC_RAW_DIVDU(dst_reg, dst_reg, src_reg));
611
			break;
612
		case BPF_ALU | BPF_MOD | BPF_K: /* (u32) dst %= (u32) imm */
613
		case BPF_ALU | BPF_DIV | BPF_K: /* (u32) dst /= (u32) imm */
614
		case BPF_ALU64 | BPF_MOD | BPF_K: /* dst %= imm */
615
		case BPF_ALU64 | BPF_DIV | BPF_K: /* dst /= imm */
616
			if (imm == 0)
617
				return -EINVAL;
618
			if (imm == 1) {
619
				if (BPF_OP(code) == BPF_DIV) {
620
					goto bpf_alu32_trunc;
621
				} else {
622
					EMIT(PPC_RAW_LI(dst_reg, 0));
623
					break;
624
				}
625
			}
626

627
			PPC_LI32(tmp1_reg, imm);
628
			switch (BPF_CLASS(code)) {
629
			case BPF_ALU:
630
				if (BPF_OP(code) == BPF_MOD) {
631
					if (off)
632
						EMIT(PPC_RAW_DIVW(tmp2_reg, dst_reg, tmp1_reg));
633
					else
634
						EMIT(PPC_RAW_DIVWU(tmp2_reg, dst_reg, tmp1_reg));
635
					EMIT(PPC_RAW_MULW(tmp1_reg, tmp1_reg, tmp2_reg));
636
					EMIT(PPC_RAW_SUB(dst_reg, dst_reg, tmp1_reg));
637
				} else
638
					if (off)
639
						EMIT(PPC_RAW_DIVW(dst_reg, dst_reg, tmp1_reg));
640
					else
641
						EMIT(PPC_RAW_DIVWU(dst_reg, dst_reg, tmp1_reg));
642
				break;
643
			case BPF_ALU64:
644
				if (BPF_OP(code) == BPF_MOD) {
645
					if (off)
646
						EMIT(PPC_RAW_DIVD(tmp2_reg, dst_reg, tmp1_reg));
647
					else
648
						EMIT(PPC_RAW_DIVDU(tmp2_reg, dst_reg, tmp1_reg));
649
					EMIT(PPC_RAW_MULD(tmp1_reg, tmp1_reg, tmp2_reg));
650
					EMIT(PPC_RAW_SUB(dst_reg, dst_reg, tmp1_reg));
651
				} else
652
					if (off)
653
						EMIT(PPC_RAW_DIVD(dst_reg, dst_reg, tmp1_reg));
654
					else
655
						EMIT(PPC_RAW_DIVDU(dst_reg, dst_reg, tmp1_reg));
656
				break;
657
			}
658
			goto bpf_alu32_trunc;
659
		case BPF_ALU | BPF_NEG: /* (u32) dst = -dst */
660
		case BPF_ALU64 | BPF_NEG: /* dst = -dst */
661
			EMIT(PPC_RAW_NEG(dst_reg, dst_reg));
662
			goto bpf_alu32_trunc;
663

664
		/*
665
		 * Logical operations: AND/OR/XOR/[A]LSH/[A]RSH
666
		 */
667
		case BPF_ALU | BPF_AND | BPF_X: /* (u32) dst = dst & src */
668
		case BPF_ALU64 | BPF_AND | BPF_X: /* dst = dst & src */
669
			EMIT(PPC_RAW_AND(dst_reg, dst_reg, src_reg));
670
			goto bpf_alu32_trunc;
671
		case BPF_ALU | BPF_AND | BPF_K: /* (u32) dst = dst & imm */
672
		case BPF_ALU64 | BPF_AND | BPF_K: /* dst = dst & imm */
673
			if (!IMM_H(imm))
674
				EMIT(PPC_RAW_ANDI(dst_reg, dst_reg, IMM_L(imm)));
675
			else {
676
				/* Sign-extended */
677
				PPC_LI32(tmp1_reg, imm);
678
				EMIT(PPC_RAW_AND(dst_reg, dst_reg, tmp1_reg));
679
			}
680
			goto bpf_alu32_trunc;
681
		case BPF_ALU | BPF_OR | BPF_X: /* dst = (u32) dst | (u32) src */
682
		case BPF_ALU64 | BPF_OR | BPF_X: /* dst = dst | src */
683
			EMIT(PPC_RAW_OR(dst_reg, dst_reg, src_reg));
684
			goto bpf_alu32_trunc;
685
		case BPF_ALU | BPF_OR | BPF_K:/* dst = (u32) dst | (u32) imm */
686
		case BPF_ALU64 | BPF_OR | BPF_K:/* dst = dst | imm */
687
			if (imm < 0 && BPF_CLASS(code) == BPF_ALU64) {
688
				/* Sign-extended */
689
				PPC_LI32(tmp1_reg, imm);
690
				EMIT(PPC_RAW_OR(dst_reg, dst_reg, tmp1_reg));
691
			} else {
692
				if (IMM_L(imm))
693
					EMIT(PPC_RAW_ORI(dst_reg, dst_reg, IMM_L(imm)));
694
				if (IMM_H(imm))
695
					EMIT(PPC_RAW_ORIS(dst_reg, dst_reg, IMM_H(imm)));
696
			}
697
			goto bpf_alu32_trunc;
698
		case BPF_ALU | BPF_XOR | BPF_X: /* (u32) dst ^= src */
699
		case BPF_ALU64 | BPF_XOR | BPF_X: /* dst ^= src */
700
			EMIT(PPC_RAW_XOR(dst_reg, dst_reg, src_reg));
701
			goto bpf_alu32_trunc;
702
		case BPF_ALU | BPF_XOR | BPF_K: /* (u32) dst ^= (u32) imm */
703
		case BPF_ALU64 | BPF_XOR | BPF_K: /* dst ^= imm */
704
			if (imm < 0 && BPF_CLASS(code) == BPF_ALU64) {
705
				/* Sign-extended */
706
				PPC_LI32(tmp1_reg, imm);
707
				EMIT(PPC_RAW_XOR(dst_reg, dst_reg, tmp1_reg));
708
			} else {
709
				if (IMM_L(imm))
710
					EMIT(PPC_RAW_XORI(dst_reg, dst_reg, IMM_L(imm)));
711
				if (IMM_H(imm))
712
					EMIT(PPC_RAW_XORIS(dst_reg, dst_reg, IMM_H(imm)));
713
			}
714
			goto bpf_alu32_trunc;
715
		case BPF_ALU | BPF_LSH | BPF_X: /* (u32) dst <<= (u32) src */
716
			/* slw clears top 32 bits */
717
			EMIT(PPC_RAW_SLW(dst_reg, dst_reg, src_reg));
718
			/* skip zero extension move, but set address map. */
719
			if (insn_is_zext(&insn[i + 1]))
720
				addrs[++i] = ctx->idx * 4;
721
			break;
722
		case BPF_ALU64 | BPF_LSH | BPF_X: /* dst <<= src; */
723
			EMIT(PPC_RAW_SLD(dst_reg, dst_reg, src_reg));
724
			break;
725
		case BPF_ALU | BPF_LSH | BPF_K: /* (u32) dst <<== (u32) imm */
726
			/* with imm 0, we still need to clear top 32 bits */
727
			EMIT(PPC_RAW_SLWI(dst_reg, dst_reg, imm));
728
			if (insn_is_zext(&insn[i + 1]))
729
				addrs[++i] = ctx->idx * 4;
730
			break;
731
		case BPF_ALU64 | BPF_LSH | BPF_K: /* dst <<== imm */
732
			if (imm != 0)
733
				EMIT(PPC_RAW_SLDI(dst_reg, dst_reg, imm));
734
			break;
735
		case BPF_ALU | BPF_RSH | BPF_X: /* (u32) dst >>= (u32) src */
736
			EMIT(PPC_RAW_SRW(dst_reg, dst_reg, src_reg));
737
			if (insn_is_zext(&insn[i + 1]))
738
				addrs[++i] = ctx->idx * 4;
739
			break;
740
		case BPF_ALU64 | BPF_RSH | BPF_X: /* dst >>= src */
741
			EMIT(PPC_RAW_SRD(dst_reg, dst_reg, src_reg));
742
			break;
743
		case BPF_ALU | BPF_RSH | BPF_K: /* (u32) dst >>= (u32) imm */
744
			EMIT(PPC_RAW_SRWI(dst_reg, dst_reg, imm));
745
			if (insn_is_zext(&insn[i + 1]))
746
				addrs[++i] = ctx->idx * 4;
747
			break;
748
		case BPF_ALU64 | BPF_RSH | BPF_K: /* dst >>= imm */
749
			if (imm != 0)
750
				EMIT(PPC_RAW_SRDI(dst_reg, dst_reg, imm));
751
			break;
752
		case BPF_ALU | BPF_ARSH | BPF_X: /* (s32) dst >>= src */
753
			EMIT(PPC_RAW_SRAW(dst_reg, dst_reg, src_reg));
754
			goto bpf_alu32_trunc;
755
		case BPF_ALU64 | BPF_ARSH | BPF_X: /* (s64) dst >>= src */
756
			EMIT(PPC_RAW_SRAD(dst_reg, dst_reg, src_reg));
757
			break;
758
		case BPF_ALU | BPF_ARSH | BPF_K: /* (s32) dst >>= imm */
759
			EMIT(PPC_RAW_SRAWI(dst_reg, dst_reg, imm));
760
			goto bpf_alu32_trunc;
761
		case BPF_ALU64 | BPF_ARSH | BPF_K: /* (s64) dst >>= imm */
762
			if (imm != 0)
763
				EMIT(PPC_RAW_SRADI(dst_reg, dst_reg, imm));
764
			break;
765

766
		/*
767
		 * MOV
768
		 */
769
		case BPF_ALU | BPF_MOV | BPF_X: /* (u32) dst = src */
770
		case BPF_ALU64 | BPF_MOV | BPF_X: /* dst = src */
771
			if (imm == 1) {
772
				/* special mov32 for zext */
773
				EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
774
				break;
775
			} else if (off == 8) {
776
				EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
777
			} else if (off == 16) {
778
				EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
779
			} else if (off == 32) {
780
				EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
781
			} else if (dst_reg != src_reg)
782
				EMIT(PPC_RAW_MR(dst_reg, src_reg));
783
			goto bpf_alu32_trunc;
784
		case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */
785
		case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */
786
			PPC_LI32(dst_reg, imm);
787
			if (imm < 0)
788
				goto bpf_alu32_trunc;
789
			else if (insn_is_zext(&insn[i + 1]))
790
				addrs[++i] = ctx->idx * 4;
791
			break;
792

793
bpf_alu32_trunc:
794
		/* Truncate to 32-bits */
795
		if (BPF_CLASS(code) == BPF_ALU && !fp->aux->verifier_zext)
796
			EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
797
		break;
798

799
		/*
800
		 * BPF_FROM_BE/LE
801
		 */
802
		case BPF_ALU | BPF_END | BPF_FROM_LE:
803
		case BPF_ALU | BPF_END | BPF_FROM_BE:
804
		case BPF_ALU64 | BPF_END | BPF_FROM_LE:
805
#ifdef __BIG_ENDIAN__
806
			if (BPF_SRC(code) == BPF_FROM_BE)
807
				goto emit_clear;
808
#else /* !__BIG_ENDIAN__ */
809
			if (BPF_CLASS(code) == BPF_ALU && BPF_SRC(code) == BPF_FROM_LE)
810
				goto emit_clear;
811
#endif
812
			switch (imm) {
813
			case 16:
814
				/* Rotate 8 bits left & mask with 0x0000ff00 */
815
				EMIT(PPC_RAW_RLWINM(tmp1_reg, dst_reg, 8, 16, 23));
816
				/* Rotate 8 bits right & insert LSB to reg */
817
				EMIT(PPC_RAW_RLWIMI(tmp1_reg, dst_reg, 24, 24, 31));
818
				/* Move result back to dst_reg */
819
				EMIT(PPC_RAW_MR(dst_reg, tmp1_reg));
820
				break;
821
			case 32:
822
				/*
823
				 * Rotate word left by 8 bits:
824
				 * 2 bytes are already in their final position
825
				 * -- byte 2 and 4 (of bytes 1, 2, 3 and 4)
826
				 */
827
				EMIT(PPC_RAW_RLWINM(tmp1_reg, dst_reg, 8, 0, 31));
828
				/* Rotate 24 bits and insert byte 1 */
829
				EMIT(PPC_RAW_RLWIMI(tmp1_reg, dst_reg, 24, 0, 7));
830
				/* Rotate 24 bits and insert byte 3 */
831
				EMIT(PPC_RAW_RLWIMI(tmp1_reg, dst_reg, 24, 16, 23));
832
				EMIT(PPC_RAW_MR(dst_reg, tmp1_reg));
833
				break;
834
			case 64:
835
				/* Store the value to stack and then use byte-reverse loads */
836
				EMIT(PPC_RAW_STD(dst_reg, _R1, bpf_jit_stack_local(ctx)));
837
				EMIT(PPC_RAW_ADDI(tmp1_reg, _R1, bpf_jit_stack_local(ctx)));
838
				if (cpu_has_feature(CPU_FTR_ARCH_206)) {
839
					EMIT(PPC_RAW_LDBRX(dst_reg, 0, tmp1_reg));
840
				} else {
841
					EMIT(PPC_RAW_LWBRX(dst_reg, 0, tmp1_reg));
842
					if (IS_ENABLED(CONFIG_CPU_LITTLE_ENDIAN))
843
						EMIT(PPC_RAW_SLDI(dst_reg, dst_reg, 32));
844
					EMIT(PPC_RAW_LI(tmp2_reg, 4));
845
					EMIT(PPC_RAW_LWBRX(tmp2_reg, tmp2_reg, tmp1_reg));
846
					if (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
847
						EMIT(PPC_RAW_SLDI(tmp2_reg, tmp2_reg, 32));
848
					EMIT(PPC_RAW_OR(dst_reg, dst_reg, tmp2_reg));
849
				}
850
				break;
851
			}
852
			break;
853

854
emit_clear:
855
			switch (imm) {
856
			case 16:
857
				/* zero-extend 16 bits into 64 bits */
858
				EMIT(PPC_RAW_RLDICL(dst_reg, dst_reg, 0, 48));
859
				if (insn_is_zext(&insn[i + 1]))
860
					addrs[++i] = ctx->idx * 4;
861
				break;
862
			case 32:
863
				if (!fp->aux->verifier_zext)
864
					/* zero-extend 32 bits into 64 bits */
865
					EMIT(PPC_RAW_RLDICL(dst_reg, dst_reg, 0, 32));
866
				break;
867
			case 64:
868
				/* nop */
869
				break;
870
			}
871
			break;
872

873
		/*
874
		 * BPF_ST NOSPEC (speculation barrier)
875
		 *
876
		 * The following must act as a barrier against both Spectre v1
877
		 * and v4 if we requested both mitigations. Therefore, also emit
878
		 * 'isync; sync' on E500 or 'ori31' on BOOK3S_64 in addition to
879
		 * the insns needed for a Spectre v4 barrier.
880
		 *
881
		 * If we requested only !bypass_spec_v1 OR only !bypass_spec_v4,
882
		 * we can skip the respective other barrier type as an
883
		 * optimization.
884
		 */
885
		case BPF_ST | BPF_NOSPEC:
886
			sync_emitted = false;
887
			ori31_emitted = false;
888
			if (IS_ENABLED(CONFIG_PPC_E500) &&
889
			    !bpf_jit_bypass_spec_v1()) {
890
				EMIT(PPC_RAW_ISYNC());
891
				EMIT(PPC_RAW_SYNC());
892
				sync_emitted = true;
893
			}
894
			if (!bpf_jit_bypass_spec_v4()) {
895
				switch (stf_barrier) {
896
				case STF_BARRIER_EIEIO:
897
					EMIT(PPC_RAW_EIEIO() | 0x02000000);
898
					break;
899
				case STF_BARRIER_SYNC_ORI:
900
					if (!sync_emitted)
901
						EMIT(PPC_RAW_SYNC());
902
					EMIT(PPC_RAW_LD(tmp1_reg, _R13, 0));
903
					EMIT(PPC_RAW_ORI(_R31, _R31, 0));
904
					ori31_emitted = true;
905
					break;
906
				case STF_BARRIER_FALLBACK:
907
					ctx->seen |= SEEN_FUNC;
908
					PPC_LI64(_R12, dereference_kernel_function_descriptor(bpf_stf_barrier));
909
					EMIT(PPC_RAW_MTCTR(_R12));
910
					EMIT(PPC_RAW_BCTRL());
911
					break;
912
				case STF_BARRIER_NONE:
913
					break;
914
				}
915
			}
916
			if (IS_ENABLED(CONFIG_PPC_BOOK3S_64) &&
917
			    !bpf_jit_bypass_spec_v1() &&
918
			    !ori31_emitted)
919
				EMIT(PPC_RAW_ORI(_R31, _R31, 0));
920
			break;
921

922
		/*
923
		 * BPF_ST(X)
924
		 */
925
		case BPF_STX | BPF_MEM | BPF_B: /* *(u8 *)(dst + off) = src */
926
		case BPF_ST | BPF_MEM | BPF_B: /* *(u8 *)(dst + off) = imm */
927
			if (BPF_CLASS(code) == BPF_ST) {
928
				EMIT(PPC_RAW_LI(tmp1_reg, imm));
929
				src_reg = tmp1_reg;
930
			}
931
			EMIT(PPC_RAW_STB(src_reg, dst_reg, off));
932
			break;
933
		case BPF_STX | BPF_MEM | BPF_H: /* (u16 *)(dst + off) = src */
934
		case BPF_ST | BPF_MEM | BPF_H: /* (u16 *)(dst + off) = imm */
935
			if (BPF_CLASS(code) == BPF_ST) {
936
				EMIT(PPC_RAW_LI(tmp1_reg, imm));
937
				src_reg = tmp1_reg;
938
			}
939
			EMIT(PPC_RAW_STH(src_reg, dst_reg, off));
940
			break;
941
		case BPF_STX | BPF_MEM | BPF_W: /* *(u32 *)(dst + off) = src */
942
		case BPF_ST | BPF_MEM | BPF_W: /* *(u32 *)(dst + off) = imm */
943
			if (BPF_CLASS(code) == BPF_ST) {
944
				PPC_LI32(tmp1_reg, imm);
945
				src_reg = tmp1_reg;
946
			}
947
			EMIT(PPC_RAW_STW(src_reg, dst_reg, off));
948
			break;
949
		case BPF_STX | BPF_MEM | BPF_DW: /* (u64 *)(dst + off) = src */
950
		case BPF_ST | BPF_MEM | BPF_DW: /* *(u64 *)(dst + off) = imm */
951
			if (BPF_CLASS(code) == BPF_ST) {
952
				PPC_LI32(tmp1_reg, imm);
953
				src_reg = tmp1_reg;
954
			}
955
			if (off % 4) {
956
				EMIT(PPC_RAW_LI(tmp2_reg, off));
957
				EMIT(PPC_RAW_STDX(src_reg, dst_reg, tmp2_reg));
958
			} else {
959
				EMIT(PPC_RAW_STD(src_reg, dst_reg, off));
960
			}
961
			break;
962

963
		/*
964
		 * BPF_STX ATOMIC (atomic ops)
965
		 */
966
		case BPF_STX | BPF_ATOMIC | BPF_B:
967
		case BPF_STX | BPF_ATOMIC | BPF_H:
968
		case BPF_STX | BPF_ATOMIC | BPF_W:
969
		case BPF_STX | BPF_ATOMIC | BPF_DW:
970
			if (bpf_atomic_is_load_store(&insn[i])) {
971
				ret = emit_atomic_ld_st(insn[i], ctx, image);
972
				if (ret)
973
					return ret;
974

975
				if (size != BPF_DW && insn_is_zext(&insn[i + 1]))
976
					addrs[++i] = ctx->idx * 4;
977
				break;
978
			} else if (size == BPF_B || size == BPF_H) {
979
				pr_err_ratelimited(
980
					"eBPF filter atomic op code %02x (@%d) unsupported\n",
981
					code, i);
982
				return -EOPNOTSUPP;
983
			}
984

985
			save_reg = tmp2_reg;
986
			ret_reg = src_reg;
987

988
			/* Get offset into TMP_REG_1 */
989
			EMIT(PPC_RAW_LI(tmp1_reg, off));
990
			/*
991
			 * Enforce full ordering for operations with BPF_FETCH by emitting a 'sync'
992
			 * before and after the operation.
993
			 *
994
			 * This is a requirement in the Linux Kernel Memory Model.
995
			 * See __cmpxchg_u64() in asm/cmpxchg.h as an example.
996
			 */
997
			if ((imm & BPF_FETCH) && IS_ENABLED(CONFIG_SMP))
998
				EMIT(PPC_RAW_SYNC());
999
			tmp_idx = ctx->idx * 4;
1000
			/* load value from memory into TMP_REG_2 */
1001
			if (size == BPF_DW)
1002
				EMIT(PPC_RAW_LDARX(tmp2_reg, tmp1_reg, dst_reg, 0));
1003
			else
1004
				EMIT(PPC_RAW_LWARX(tmp2_reg, tmp1_reg, dst_reg, 0));
1005

1006
			/* Save old value in _R0 */
1007
			if (imm & BPF_FETCH)
1008
				EMIT(PPC_RAW_MR(_R0, tmp2_reg));
1009

1010
			switch (imm) {
1011
			case BPF_ADD:
1012
			case BPF_ADD | BPF_FETCH:
1013
				EMIT(PPC_RAW_ADD(tmp2_reg, tmp2_reg, src_reg));
1014
				break;
1015
			case BPF_AND:
1016
			case BPF_AND | BPF_FETCH:
1017
				EMIT(PPC_RAW_AND(tmp2_reg, tmp2_reg, src_reg));
1018
				break;
1019
			case BPF_OR:
1020
			case BPF_OR | BPF_FETCH:
1021
				EMIT(PPC_RAW_OR(tmp2_reg, tmp2_reg, src_reg));
1022
				break;
1023
			case BPF_XOR:
1024
			case BPF_XOR | BPF_FETCH:
1025
				EMIT(PPC_RAW_XOR(tmp2_reg, tmp2_reg, src_reg));
1026
				break;
1027
			case BPF_CMPXCHG:
1028
				/*
1029
				 * Return old value in BPF_REG_0 for BPF_CMPXCHG &
1030
				 * in src_reg for other cases.
1031
				 */
1032
				ret_reg = bpf_to_ppc(BPF_REG_0);
1033

1034
				/* Compare with old value in BPF_R0 */
1035
				if (size == BPF_DW)
1036
					EMIT(PPC_RAW_CMPD(bpf_to_ppc(BPF_REG_0), tmp2_reg));
1037
				else
1038
					EMIT(PPC_RAW_CMPW(bpf_to_ppc(BPF_REG_0), tmp2_reg));
1039
				/* Don't set if different from old value */
1040
				PPC_BCC_SHORT(COND_NE, (ctx->idx + 3) * 4);
1041
				fallthrough;
1042
			case BPF_XCHG:
1043
				save_reg = src_reg;
1044
				break;
1045
			default:
1046
				pr_err_ratelimited(
1047
					"eBPF filter atomic op code %02x (@%d) unsupported\n",
1048
					code, i);
1049
				return -EOPNOTSUPP;
1050
			}
1051

1052
			/* store new value */
1053
			if (size == BPF_DW)
1054
				EMIT(PPC_RAW_STDCX(save_reg, tmp1_reg, dst_reg));
1055
			else
1056
				EMIT(PPC_RAW_STWCX(save_reg, tmp1_reg, dst_reg));
1057
			/* we're done if this succeeded */
1058
			PPC_BCC_SHORT(COND_NE, tmp_idx);
1059

1060
			if (imm & BPF_FETCH) {
1061
				/* Emit 'sync' to enforce full ordering */
1062
				if (IS_ENABLED(CONFIG_SMP))
1063
					EMIT(PPC_RAW_SYNC());
1064
				EMIT(PPC_RAW_MR(ret_reg, _R0));
1065
				/*
1066
				 * Skip unnecessary zero-extension for 32-bit cmpxchg.
1067
				 * For context, see commit 39491867ace5.
1068
				 */
1069
				if (size != BPF_DW && imm == BPF_CMPXCHG &&
1070
				    insn_is_zext(&insn[i + 1]))
1071
					addrs[++i] = ctx->idx * 4;
1072
			}
1073
			break;
1074

1075
		/*
1076
		 * BPF_LDX
1077
		 */
1078
		/* dst = *(u8 *)(ul) (src + off) */
1079
		case BPF_LDX | BPF_MEM | BPF_B:
1080
		case BPF_LDX | BPF_MEMSX | BPF_B:
1081
		case BPF_LDX | BPF_PROBE_MEM | BPF_B:
1082
		case BPF_LDX | BPF_PROBE_MEMSX | BPF_B:
1083
		/* dst = *(u16 *)(ul) (src + off) */
1084
		case BPF_LDX | BPF_MEM | BPF_H:
1085
		case BPF_LDX | BPF_MEMSX | BPF_H:
1086
		case BPF_LDX | BPF_PROBE_MEM | BPF_H:
1087
		case BPF_LDX | BPF_PROBE_MEMSX | BPF_H:
1088
		/* dst = *(u32 *)(ul) (src + off) */
1089
		case BPF_LDX | BPF_MEM | BPF_W:
1090
		case BPF_LDX | BPF_MEMSX | BPF_W:
1091
		case BPF_LDX | BPF_PROBE_MEM | BPF_W:
1092
		case BPF_LDX | BPF_PROBE_MEMSX | BPF_W:
1093
		/* dst = *(u64 *)(ul) (src + off) */
1094
		case BPF_LDX | BPF_MEM | BPF_DW:
1095
		case BPF_LDX | BPF_PROBE_MEM | BPF_DW:
1096
			/*
1097
			 * As PTR_TO_BTF_ID that uses BPF_PROBE_MEM mode could either be a valid
1098
			 * kernel pointer or NULL but not a userspace address, execute BPF_PROBE_MEM
1099
			 * load only if addr is kernel address (see is_kernel_addr()), otherwise
1100
			 * set dst_reg=0 and move on.
1101
			 */
1102
			if (BPF_MODE(code) == BPF_PROBE_MEM || BPF_MODE(code) == BPF_PROBE_MEMSX) {
1103
				EMIT(PPC_RAW_ADDI(tmp1_reg, src_reg, off));
1104
				if (IS_ENABLED(CONFIG_PPC_BOOK3E_64))
1105
					PPC_LI64(tmp2_reg, 0x8000000000000000ul);
1106
				else /* BOOK3S_64 */
1107
					PPC_LI64(tmp2_reg, PAGE_OFFSET);
1108
				EMIT(PPC_RAW_CMPLD(tmp1_reg, tmp2_reg));
1109
				PPC_BCC_SHORT(COND_GT, (ctx->idx + 3) * 4);
1110
				EMIT(PPC_RAW_LI(dst_reg, 0));
1111
				/*
1112
				 * Check if 'off' is word aligned for BPF_DW, because
1113
				 * we might generate two instructions.
1114
				 */
1115
				if ((BPF_SIZE(code) == BPF_DW ||
1116
				    (BPF_SIZE(code) == BPF_B && BPF_MODE(code) == BPF_PROBE_MEMSX)) &&
1117
						(off & 3))
1118
					PPC_JMP((ctx->idx + 3) * 4);
1119
				else
1120
					PPC_JMP((ctx->idx + 2) * 4);
1121
			}
1122

1123
			if (BPF_MODE(code) == BPF_MEMSX || BPF_MODE(code) == BPF_PROBE_MEMSX) {
1124
				switch (size) {
1125
				case BPF_B:
1126
					EMIT(PPC_RAW_LBZ(dst_reg, src_reg, off));
1127
					EMIT(PPC_RAW_EXTSB(dst_reg, dst_reg));
1128
					break;
1129
				case BPF_H:
1130
					EMIT(PPC_RAW_LHA(dst_reg, src_reg, off));
1131
					break;
1132
				case BPF_W:
1133
					EMIT(PPC_RAW_LWA(dst_reg, src_reg, off));
1134
					break;
1135
				}
1136
			} else {
1137
				switch (size) {
1138
				case BPF_B:
1139
					EMIT(PPC_RAW_LBZ(dst_reg, src_reg, off));
1140
					break;
1141
				case BPF_H:
1142
					EMIT(PPC_RAW_LHZ(dst_reg, src_reg, off));
1143
					break;
1144
				case BPF_W:
1145
					EMIT(PPC_RAW_LWZ(dst_reg, src_reg, off));
1146
					break;
1147
				case BPF_DW:
1148
					if (off % 4) {
1149
						EMIT(PPC_RAW_LI(tmp1_reg, off));
1150
						EMIT(PPC_RAW_LDX(dst_reg, src_reg, tmp1_reg));
1151
					} else {
1152
						EMIT(PPC_RAW_LD(dst_reg, src_reg, off));
1153
					}
1154
					break;
1155
				}
1156
			}
1157

1158
			if (size != BPF_DW && insn_is_zext(&insn[i + 1]))
1159
				addrs[++i] = ctx->idx * 4;
1160

1161
			if (BPF_MODE(code) == BPF_PROBE_MEM) {
1162
				ret = bpf_add_extable_entry(fp, image, fimage, pass, ctx,
1163
							    ctx->idx - 1, 4, dst_reg);
1164
				if (ret)
1165
					return ret;
1166
			}
1167
			break;
1168

1169
		/*
1170
		 * Doubleword load
1171
		 * 16 byte instruction that uses two 'struct bpf_insn'
1172
		 */
1173
		case BPF_LD | BPF_IMM | BPF_DW: /* dst = (u64) imm */
1174
			imm64 = ((u64)(u32) insn[i].imm) |
1175
				    (((u64)(u32) insn[i+1].imm) << 32);
1176
			PPC_LI64(dst_reg, imm64);
1177
			/* Adjust for two bpf instructions */
1178
			addrs[++i] = ctx->idx * 4;
1179
			break;
1180

1181
		/*
1182
		 * Return/Exit
1183
		 */
1184
		case BPF_JMP | BPF_EXIT:
1185
			/*
1186
			 * If this isn't the very last instruction, branch to
1187
			 * the epilogue. If we _are_ the last instruction,
1188
			 * we'll just fall through to the epilogue.
1189
			 */
1190
			if (i != flen - 1) {
1191
				ret = bpf_jit_emit_exit_insn(image, ctx, tmp1_reg, exit_addr);
1192
				if (ret)
1193
					return ret;
1194
			}
1195
			/* else fall through to the epilogue */
1196
			break;
1197

1198
		/*
1199
		 * Call kernel helper or bpf function
1200
		 */
1201
		case BPF_JMP | BPF_CALL:
1202
			ctx->seen |= SEEN_FUNC;
1203

1204
			ret = bpf_jit_get_func_addr(fp, &insn[i], extra_pass,
1205
						    &func_addr, &func_addr_fixed);
1206
			if (ret < 0)
1207
				return ret;
1208

1209
			ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
1210
			if (ret)
1211
				return ret;
1212

1213
			/* move return value from r3 to BPF_REG_0 */
1214
			EMIT(PPC_RAW_MR(bpf_to_ppc(BPF_REG_0), _R3));
1215
			break;
1216

1217
		/*
1218
		 * Jumps and branches
1219
		 */
1220
		case BPF_JMP | BPF_JA:
1221
			PPC_JMP(addrs[i + 1 + off]);
1222
			break;
1223
		case BPF_JMP32 | BPF_JA:
1224
			PPC_JMP(addrs[i + 1 + imm]);
1225
			break;
1226

1227
		case BPF_JMP | BPF_JGT | BPF_K:
1228
		case BPF_JMP | BPF_JGT | BPF_X:
1229
		case BPF_JMP | BPF_JSGT | BPF_K:
1230
		case BPF_JMP | BPF_JSGT | BPF_X:
1231
		case BPF_JMP32 | BPF_JGT | BPF_K:
1232
		case BPF_JMP32 | BPF_JGT | BPF_X:
1233
		case BPF_JMP32 | BPF_JSGT | BPF_K:
1234
		case BPF_JMP32 | BPF_JSGT | BPF_X:
1235
			true_cond = COND_GT;
1236
			goto cond_branch;
1237
		case BPF_JMP | BPF_JLT | BPF_K:
1238
		case BPF_JMP | BPF_JLT | BPF_X:
1239
		case BPF_JMP | BPF_JSLT | BPF_K:
1240
		case BPF_JMP | BPF_JSLT | BPF_X:
1241
		case BPF_JMP32 | BPF_JLT | BPF_K:
1242
		case BPF_JMP32 | BPF_JLT | BPF_X:
1243
		case BPF_JMP32 | BPF_JSLT | BPF_K:
1244
		case BPF_JMP32 | BPF_JSLT | BPF_X:
1245
			true_cond = COND_LT;
1246
			goto cond_branch;
1247
		case BPF_JMP | BPF_JGE | BPF_K:
1248
		case BPF_JMP | BPF_JGE | BPF_X:
1249
		case BPF_JMP | BPF_JSGE | BPF_K:
1250
		case BPF_JMP | BPF_JSGE | BPF_X:
1251
		case BPF_JMP32 | BPF_JGE | BPF_K:
1252
		case BPF_JMP32 | BPF_JGE | BPF_X:
1253
		case BPF_JMP32 | BPF_JSGE | BPF_K:
1254
		case BPF_JMP32 | BPF_JSGE | BPF_X:
1255
			true_cond = COND_GE;
1256
			goto cond_branch;
1257
		case BPF_JMP | BPF_JLE | BPF_K:
1258
		case BPF_JMP | BPF_JLE | BPF_X:
1259
		case BPF_JMP | BPF_JSLE | BPF_K:
1260
		case BPF_JMP | BPF_JSLE | BPF_X:
1261
		case BPF_JMP32 | BPF_JLE | BPF_K:
1262
		case BPF_JMP32 | BPF_JLE | BPF_X:
1263
		case BPF_JMP32 | BPF_JSLE | BPF_K:
1264
		case BPF_JMP32 | BPF_JSLE | BPF_X:
1265
			true_cond = COND_LE;
1266
			goto cond_branch;
1267
		case BPF_JMP | BPF_JEQ | BPF_K:
1268
		case BPF_JMP | BPF_JEQ | BPF_X:
1269
		case BPF_JMP32 | BPF_JEQ | BPF_K:
1270
		case BPF_JMP32 | BPF_JEQ | BPF_X:
1271
			true_cond = COND_EQ;
1272
			goto cond_branch;
1273
		case BPF_JMP | BPF_JNE | BPF_K:
1274
		case BPF_JMP | BPF_JNE | BPF_X:
1275
		case BPF_JMP32 | BPF_JNE | BPF_K:
1276
		case BPF_JMP32 | BPF_JNE | BPF_X:
1277
			true_cond = COND_NE;
1278
			goto cond_branch;
1279
		case BPF_JMP | BPF_JSET | BPF_K:
1280
		case BPF_JMP | BPF_JSET | BPF_X:
1281
		case BPF_JMP32 | BPF_JSET | BPF_K:
1282
		case BPF_JMP32 | BPF_JSET | BPF_X:
1283
			true_cond = COND_NE;
1284
			/* Fall through */
1285

1286
cond_branch:
1287
			switch (code) {
1288
			case BPF_JMP | BPF_JGT | BPF_X:
1289
			case BPF_JMP | BPF_JLT | BPF_X:
1290
			case BPF_JMP | BPF_JGE | BPF_X:
1291
			case BPF_JMP | BPF_JLE | BPF_X:
1292
			case BPF_JMP | BPF_JEQ | BPF_X:
1293
			case BPF_JMP | BPF_JNE | BPF_X:
1294
			case BPF_JMP32 | BPF_JGT | BPF_X:
1295
			case BPF_JMP32 | BPF_JLT | BPF_X:
1296
			case BPF_JMP32 | BPF_JGE | BPF_X:
1297
			case BPF_JMP32 | BPF_JLE | BPF_X:
1298
			case BPF_JMP32 | BPF_JEQ | BPF_X:
1299
			case BPF_JMP32 | BPF_JNE | BPF_X:
1300
				/* unsigned comparison */
1301
				if (BPF_CLASS(code) == BPF_JMP32)
1302
					EMIT(PPC_RAW_CMPLW(dst_reg, src_reg));
1303
				else
1304
					EMIT(PPC_RAW_CMPLD(dst_reg, src_reg));
1305
				break;
1306
			case BPF_JMP | BPF_JSGT | BPF_X:
1307
			case BPF_JMP | BPF_JSLT | BPF_X:
1308
			case BPF_JMP | BPF_JSGE | BPF_X:
1309
			case BPF_JMP | BPF_JSLE | BPF_X:
1310
			case BPF_JMP32 | BPF_JSGT | BPF_X:
1311
			case BPF_JMP32 | BPF_JSLT | BPF_X:
1312
			case BPF_JMP32 | BPF_JSGE | BPF_X:
1313
			case BPF_JMP32 | BPF_JSLE | BPF_X:
1314
				/* signed comparison */
1315
				if (BPF_CLASS(code) == BPF_JMP32)
1316
					EMIT(PPC_RAW_CMPW(dst_reg, src_reg));
1317
				else
1318
					EMIT(PPC_RAW_CMPD(dst_reg, src_reg));
1319
				break;
1320
			case BPF_JMP | BPF_JSET | BPF_X:
1321
			case BPF_JMP32 | BPF_JSET | BPF_X:
1322
				if (BPF_CLASS(code) == BPF_JMP) {
1323
					EMIT(PPC_RAW_AND_DOT(tmp1_reg, dst_reg, src_reg));
1324
				} else {
1325
					EMIT(PPC_RAW_AND(tmp1_reg, dst_reg, src_reg));
1326
					EMIT(PPC_RAW_RLWINM_DOT(tmp1_reg, tmp1_reg, 0, 0, 31));
1327
				}
1328
				break;
1329
			case BPF_JMP | BPF_JNE | BPF_K:
1330
			case BPF_JMP | BPF_JEQ | BPF_K:
1331
			case BPF_JMP | BPF_JGT | BPF_K:
1332
			case BPF_JMP | BPF_JLT | BPF_K:
1333
			case BPF_JMP | BPF_JGE | BPF_K:
1334
			case BPF_JMP | BPF_JLE | BPF_K:
1335
			case BPF_JMP32 | BPF_JNE | BPF_K:
1336
			case BPF_JMP32 | BPF_JEQ | BPF_K:
1337
			case BPF_JMP32 | BPF_JGT | BPF_K:
1338
			case BPF_JMP32 | BPF_JLT | BPF_K:
1339
			case BPF_JMP32 | BPF_JGE | BPF_K:
1340
			case BPF_JMP32 | BPF_JLE | BPF_K:
1341
			{
1342
				bool is_jmp32 = BPF_CLASS(code) == BPF_JMP32;
1343

1344
				/*
1345
				 * Need sign-extended load, so only positive
1346
				 * values can be used as imm in cmpldi
1347
				 */
1348
				if (imm >= 0 && imm < 32768) {
1349
					if (is_jmp32)
1350
						EMIT(PPC_RAW_CMPLWI(dst_reg, imm));
1351
					else
1352
						EMIT(PPC_RAW_CMPLDI(dst_reg, imm));
1353
				} else {
1354
					/* sign-extending load */
1355
					PPC_LI32(tmp1_reg, imm);
1356
					/* ... but unsigned comparison */
1357
					if (is_jmp32)
1358
						EMIT(PPC_RAW_CMPLW(dst_reg, tmp1_reg));
1359
					else
1360
						EMIT(PPC_RAW_CMPLD(dst_reg, tmp1_reg));
1361
				}
1362
				break;
1363
			}
1364
			case BPF_JMP | BPF_JSGT | BPF_K:
1365
			case BPF_JMP | BPF_JSLT | BPF_K:
1366
			case BPF_JMP | BPF_JSGE | BPF_K:
1367
			case BPF_JMP | BPF_JSLE | BPF_K:
1368
			case BPF_JMP32 | BPF_JSGT | BPF_K:
1369
			case BPF_JMP32 | BPF_JSLT | BPF_K:
1370
			case BPF_JMP32 | BPF_JSGE | BPF_K:
1371
			case BPF_JMP32 | BPF_JSLE | BPF_K:
1372
			{
1373
				bool is_jmp32 = BPF_CLASS(code) == BPF_JMP32;
1374

1375
				/*
1376
				 * signed comparison, so any 16-bit value
1377
				 * can be used in cmpdi
1378
				 */
1379
				if (imm >= -32768 && imm < 32768) {
1380
					if (is_jmp32)
1381
						EMIT(PPC_RAW_CMPWI(dst_reg, imm));
1382
					else
1383
						EMIT(PPC_RAW_CMPDI(dst_reg, imm));
1384
				} else {
1385
					PPC_LI32(tmp1_reg, imm);
1386
					if (is_jmp32)
1387
						EMIT(PPC_RAW_CMPW(dst_reg, tmp1_reg));
1388
					else
1389
						EMIT(PPC_RAW_CMPD(dst_reg, tmp1_reg));
1390
				}
1391
				break;
1392
			}
1393
			case BPF_JMP | BPF_JSET | BPF_K:
1394
			case BPF_JMP32 | BPF_JSET | BPF_K:
1395
				/* andi does not sign-extend the immediate */
1396
				if (imm >= 0 && imm < 32768)
1397
					/* PPC_ANDI is _only/always_ dot-form */
1398
					EMIT(PPC_RAW_ANDI(tmp1_reg, dst_reg, imm));
1399
				else {
1400
					PPC_LI32(tmp1_reg, imm);
1401
					if (BPF_CLASS(code) == BPF_JMP) {
1402
						EMIT(PPC_RAW_AND_DOT(tmp1_reg, dst_reg,
1403
								     tmp1_reg));
1404
					} else {
1405
						EMIT(PPC_RAW_AND(tmp1_reg, dst_reg, tmp1_reg));
1406
						EMIT(PPC_RAW_RLWINM_DOT(tmp1_reg, tmp1_reg,
1407
									0, 0, 31));
1408
					}
1409
				}
1410
				break;
1411
			}
1412
			PPC_BCC(true_cond, addrs[i + 1 + off]);
1413
			break;
1414

1415
		/*
1416
		 * Tail call
1417
		 */
1418
		case BPF_JMP | BPF_TAIL_CALL:
1419
			ctx->seen |= SEEN_TAILCALL;
1420
			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
1421
			if (ret < 0)
1422
				return ret;
1423
			break;
1424

1425
		default:
1426
			/*
1427
			 * The filter contains something cruel & unusual.
1428
			 * We don't handle it, but also there shouldn't be
1429
			 * anything missing from our list.
1430
			 */
1431
			pr_err_ratelimited("eBPF filter opcode %04x (@%d) unsupported\n",
1432
					code, i);
1433
			return -ENOTSUPP;
1434
		}
1435
	}
1436

1437
	/* Set end-of-body-code address for exit. */
1438
	addrs[i] = ctx->idx * 4;
1439

1440
	return 0;
1441
}
1442

1443