bpf, arm64: Fix address emission with tag-based KASAN enabled

mainline inclusion
from mainline-v6.12-rc5
commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YVC
CVE: CVE-2024-50203

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c



--------------------------------

When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.

Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com



Conflicts:
	arch/arm64/net/bpf_jit_comp.c
[This conflict arises from the fact that the previous patch, 2a5ab77a
("bpf, arm64: Add bpf trampoline for arm64"), made some minor adjustments
for version 5.10 without fully aligning with the community]
Signed-off-by: Tengda Wu <wutengda2@huawei.com>