[bug report] MIPS: net: Add BPF JIT

Dan Carpenter dan.carpenter at oracle.com
Thu Jul 14 00:07:12 AEST 2016


Hello Markos Chandras,

The patch c6610de353da: "MIPS: net: Add BPF JIT" from Apr 8, 2014,
leads to the following static checker warning:

	arch/mips/net/bpf_jit.c:1185 build_body()
	warn: potential off by one 'ctx->offsets[]' limit 'prog->len'

arch/mips/net/bpf_jit.c
   652  static int build_body(struct jit_ctx *ctx)
   653  {
   654          const struct bpf_prog *prog = ctx->skf;
   655          const struct sock_filter *inst;
   656          unsigned int i, off, condt;
   657          u32 k, b_off __maybe_unused;
   658          u8 (*sk_load_func)(unsigned long *skb, int offset);
   659  
   660          for (i = 0; i < prog->len; i++) {
   661                  u16 code;
   662  
   663                  inst = &(prog->insns[i]);
   664                  pr_debug("%s: code->0x%02x, jt->0x%x, jf->0x%x, k->0x%x\n",
   665                           __func__, inst->code, inst->jt, inst->jf, inst->k);
   666                  k = inst->k;
   667                  code = bpf_anc_helper(inst);
   668  
   669                  if (ctx->target == NULL)
   670                          ctx->offsets[i] = ctx->idx * 4;

We have this so we don't need the other assignment.

   671  
   672                  switch (code) {

[ snipped big switch statement ]

  1176                  default:
  1177                          pr_debug("%s: Unhandled opcode: 0x%02x\n", __FILE__,
  1178                                   inst->code);
  1179                          return -1;
  1180                  }
  1181          }
  1182  
  1183          /* compute offsets only during the first pass */
  1184          if (ctx->target == NULL)
  1185                  ctx->offsets[i] = ctx->idx * 4;

i is always one step beyond the end of the array here.

  1186  
  1187          return 0;
  1188  }

The arm and powerpc implementations have the same issue.

regards,
dan carpenter
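The following is an added, self-contained illustration of the off-by-one described in the report; it is not code from the report or from the kernel's bpf_jit.c. The struct types, the per-opcode size function words_for(), the offsets_len field and the record_offset() helper are constructed stand-ins, and the array size of prog->len entries is assumed from the checker's "limit 'prog->len'" message. It mirrors the bookkeeping of build_body(): the loop stores one offset per instruction, and after the loop, with i == prog->len, the "end of program" offset is stored one past the last instruction. With exactly prog->len entries that last store is out of bounds; with prog->len + 1 entries it is not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for struct sock_filter / struct bpf_prog (not kernel headers). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct prog { unsigned int len; const struct insn *insns; };

/* Constructed JIT context: only the fields needed for the first (sizing) pass. */
struct jit_ctx {
	const struct prog *skf;
	unsigned int idx;        /* number of 4-byte native instructions emitted so far */
	uint32_t *target;        /* NULL during the first pass, as in the kernel code */
	unsigned int *offsets;   /* byte offset of each BPF instruction in the native code */
	size_t offsets_len;      /* number of entries in offsets (added here for bounds checking) */
};

/* Constructed: a variable number of native words per BPF opcode (1..4). */
static unsigned int words_for(uint16_t code)
{
	return 1 + (code & 3);
}

/* Records the byte offset of instruction i during the first pass.
 * Returns -1 instead of writing past the end of the offsets array. */
static int record_offset(struct jit_ctx *ctx, unsigned int i)
{
	if (ctx->target != NULL)
		return 0;            /* offsets are only computed during the first pass */
	if (i >= ctx->offsets_len)
		return -1;           /* this is the write the static checker flagged */
	ctx->offsets[i] = ctx->idx * 4;
	return 0;
}

/* Mirror of build_body()'s offset bookkeeping. */
static int build_body(struct jit_ctx *ctx)
{
	const struct prog *prog = ctx->skf;
	unsigned int i;

	for (i = 0; i < prog->len; i++) {
		if (record_offset(ctx, i) < 0)
			return -1;
		ctx->idx += words_for(prog->insns[i].code);
	}
	/* Here i == prog->len: the "end of program" offset, one past the last instruction. */
	return record_offset(ctx, i);
}

/* Allocates an offsets array of n_entries and runs the first pass over prog.
 * Returns 0 on success and stores the end-of-program offset; returns -1 if the
 * pass would have written past the array. */
static int first_pass(const struct prog *prog, size_t n_entries, unsigned int *end_offset)
{
	struct jit_ctx ctx = { .skf = prog, .idx = 0, .target = NULL };
	int rc;

	ctx.offsets = calloc(n_entries, sizeof(*ctx.offsets));
	if (n_entries > 0 && ctx.offsets == NULL)
		return -1;
	ctx.offsets_len = n_entries;

	rc = build_body(&ctx);
	if (rc == 0 && end_offset != NULL)
		*end_offset = ctx.offsets[prog->len];
	free(ctx.offsets);
	return rc;
}

/* Constructed sample program: three instructions emitting 1, 2 and 3 native words. */
static const struct insn sample_insns[] = { {0, 0, 0, 0}, {1, 0, 0, 0}, {2, 0, 0, 0} };
static const struct prog sample_prog = { 3, sample_insns };

int main(void)
{
	unsigned int end = 0;

	printf("offsets[prog->len]:     rc=%d\n", first_pass(&sample_prog, sample_prog.len, &end));
	printf("offsets[prog->len + 1]: rc=%d end=%u\n",
	       first_pass(&sample_prog, sample_prog.len + 1, &end), end);
	return 0;
}
```

With prog->len entries the final store is rejected (rc = -1); with prog->len + 1 entries the pass succeeds and the end offset is 24 bytes, i.e. (1 + 2 + 3) native words times 4.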

