On Fri, Nov 06, 2015 at 09:36:17PM -0800, Yang Shi wrote:
ARM64 JIT used FP (x29) as the eBPF fp register, but FP is subject to change during function calls, so it may cause the BPF prog stack base address to change too. Moreover, it pointed to the bottom of the BPF prog stack instead of the top.
So when copying data via bpf_probe_read, it will be copied to (SP - offset), and it may then overwrite the saved FP/LR.
Use x25 to replace FP as the BPF stack base register (fp). Since x25 is a callee-saved register, it will stay intact during function calls. It is initialized in the BPF prog prologue every time the BPF prog starts to run. When the BPF prog exits, it can just be tossed.
Other than this, the BPF prog stack base needs to be set up before the function call stack.
So, the BPF stack layout looks like:
                                    high
original A64_SP =>   0:+-----+ BPF prologue
                       |     | FP/LR and callee saved registers
BPF fp register => +64:+-----+
                       |     |
                       | ... | BPF prog stack
                       |     |
current A64_SP =>      +-----+
                       |     |
                       | ... | Function call stack
                       |     |
                       +-----+
                                    low
Signed-off-by: Yang Shi <yang.shi@linaro.org>
CC: Zi Shen Lim <zlim.lnx@gmail.com>
CC: Xi Wang <xi.wang@gmail.com>
Thanks for tracking it down. That looks like a fundamental bug in the arm64 JIT. I'm surprised function calls worked at all. Zi, please review.
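As an added illustration that is not part of the patch or of the kernel's JIT code, the following C model of the frame layout from the quoted commit message shows why a store to (fp - offset) lands in the called function's frame, where the callee saves its FP/LR, when fp is the bottom of the BPF stack (the old x29 setup), and why it stays inside the BPF prog stack with x25 pointing at the top. The entry SP value and the 512-byte BPF stack size are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the arm64 BPF JIT frame from the diagram above
 * (not kernel code). Higher addresses are "up"; the frame grows down. */
#define ORIGINAL_A64_SP  0x10000u  /* assumed SP on entry to the JITed prog */
#define PROLOGUE_SAVE    64u       /* FP/LR plus callee-saved registers pushed by the prologue */
#define BPF_STACK_SIZE   512u      /* assumed eBPF stack size reserved by the prologue */

enum region { PROLOGUE_SAVED_REGS, BPF_PROG_STACK, FUNCTION_CALL_STACK };

/* Top of the BPF prog stack: where x25 points after the fix. */
static uint64_t bpf_fp_x25(void) { return ORIGINAL_A64_SP - PROLOGUE_SAVE; }
/* Bottom of the BPF prog stack: the current A64_SP, and where the old JIT put fp. */
static uint64_t current_a64_sp(void) { return bpf_fp_x25() - BPF_STACK_SIZE; }

/* Which part of the frame does the byte at addr belong to? */
static enum region classify(uint64_t addr)
{
	if (addr >= bpf_fp_x25())
		return PROLOGUE_SAVED_REGS;   /* saved FP/LR and callee-saved regs */
	if (addr >= current_a64_sp())
		return BPF_PROG_STACK;        /* verifier-checked eBPF stack slots */
	return FUNCTION_CALL_STACK;       /* below SP: a called helper pushes its FP/LR here */
}

/* Destination of an eBPF stack access *(u64 *)(fp - off) with the given base register. */
static enum region store_lands(uint64_t base, uint32_t off) { return classify(base - off); }

/* Old JIT: fp was x29, set to SP after the stack was reserved, i.e. the bottom of the BPF stack. */
static enum region old_jit_store_lands(uint32_t off) { return store_lands(current_a64_sp(), off); }
/* Fixed JIT: fp is x25, set to the top of the BPF stack. */
static enum region new_jit_store_lands(uint32_t off) { return store_lands(bpf_fp_x25(), off); }

int main(void)
{
	static const char *name[] = { "prologue saved regs", "BPF prog stack", "function call stack" };
	uint32_t off = 8;  /* e.g. bpf_probe_read(fp - 8, 8, ...) */
	printf("old JIT (x29 base): fp-%u -> %s\n", off, name[old_jit_store_lands(off)]);
	printf("new JIT (x25 base): fp-%u -> %s\n", off, name[new_jit_store_lands(off)]);
	return 0;
}
```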