summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Schichan <nschichan@freebox.fr>2015-07-21 15:14:12 +0300
committerDavid S. Miller <davem@davemloft.net>2015-07-22 08:19:55 +0300
commit7aed35cb65348fc8b9ce0c2394ff675e5fc750da (patch)
tree0094201f3bfae8b3ddc1bccd45817284b43534bc
parent89e478a2aa58af2548b7f316e4d5b6bcc9eade5b (diff)
downloadlinux-7aed35cb65348fc8b9ce0c2394ff675e5fc750da.tar.xz
ARM: net: fix condition for load_order > 0 when translating load instructions.
To check whether the load should take the fast path or not, the code would check that (r_skb_hlen - load_order) is greater than the offset of the access using an "Unsigned higher or same" condition. For halfword accesses and an skb length of 1 at offset 0, that test is valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path is taken and the filter allows the load to wrongly succeed. A similar issue exists for word loads at offset 0 and an skb length of less than 4. Fix that by using the condition "Signed greater than or equal" condition for the fast path code for load orders greater than 0. Signed-off-by: Nicolas Schichan <nschichan@freebox.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--arch/arm/net/bpf_jit_32.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index 4550d247e308..21f5ace156fd 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -547,7 +547,7 @@ load_common:
emit(ARM_SUB_I(r_scratch, r_skb_hl,
1 << load_order), ctx);
emit(ARM_CMP_R(r_scratch, r_off), ctx);
- condt = ARM_COND_HS;
+ condt = ARM_COND_GE;
} else {
emit(ARM_CMP_R(r_skb_hl, r_off), ctx);
condt = ARM_COND_HI;