Yesterday I added disasm for JITted eBPF code. To put it mildly, this code is very poor.
Every function has 7 bytes of nops in the prologue. A comment says this is for the BPF trampoline; well, ok.
Lots of code like
  mov eax, 0x1
  cmp r14, 0x2
  jnz 0xc0561497
  xor eax, eax
0xc0561497: ...

Lots of code like
  mov rdi, 0xffff8fd687f3e000
  add rdi, 0x110
and, related, to get addresses of stack variables:
  mov rdi, rbp
  add rdi, 0xffffffffffffffe0
Perhaps it would be preferable to use lea rdi, [rbp-XX]
Slow inc/dec:
add r8, 0x1
sub rdi, 0x1
Lots of repeated instructions:
  and rdi, 0xfff
  and rdi, 0xfff
It's an obvious bug.
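As an added example (not the author's disassembler and not kernel code), a small Python pass that scans a disassembly listing for the three patterns noted above: a mov reg, rbp / add reg, imm pair that one lea could replace, add/sub reg, 0x1, and the same instruction emitted twice in a row. The listing is a constructed sample in the style of the output quoted above.

```python
import re

# Constructed sample in the style of the listing quoted above; not real JIT output.
SAMPLE = """\
mov eax, 0x1
cmp r14, 0x2
jnz 0xc0561497
xor eax, eax
0xc0561497: mov rdi, rbp
add rdi, 0xffffffffffffffe0
add r8, 0x1
sub rdi, 0x1
and rdi, 0xfff
and rdi, 0xfff
"""

# Optional "0xADDR:" label, then mnemonic, then the rest of the line as operands.
INSN_RE = re.compile(r'^\s*(?:0x[0-9a-f]+:)?\s*(\S+)(?:\s+(.*))?$')

def parse(listing):
    """Turn a listing into (mnemonic, [operands]) tuples, dropping address labels."""
    insns = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        mnem, rest = m.group(1), m.group(2)
        ops = [o.strip() for o in rest.split(',')] if rest else []
        insns.append((mnem, ops))
    return insns

def find_issues(listing):
    """Return (index, kind) pairs for the code-quality patterns noted above."""
    insns = parse(listing)
    issues = []
    for i, (mnem, ops) in enumerate(insns):
        # Same instruction emitted twice in a row (the and/and case).
        if i > 0 and insns[i - 1] == (mnem, ops):
            issues.append((i, 'duplicate'))
        # add/sub by 0x1, which the post would rather see as inc/dec.
        if mnem in ('add', 'sub') and len(ops) == 2 and ops[1] == '0x1':
            issues.append((i, 'incdec'))
        # mov reg, rbp followed by add reg, imm: one lea reg, [rbp+imm] would do.
        if mnem == 'mov' and ops[1:] == ['rbp'] and i + 1 < len(insns):
            nmnem, nops = insns[i + 1]
            if nmnem == 'add' and nops[:1] == ops[:1] and nops[1:] and nops[1].startswith('0x'):
                issues.append((i, 'lea'))
    return issues

if __name__ == '__main__':
    insns = parse(SAMPLE)
    for idx, kind in find_issues(SAMPLE):
        print(f'{idx:2} {kind:9} {insns[idx][0]} {", ".join(insns[idx][1])}')
```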
And finally,
you can patch it. Sure, it is protected as read-only (see the call to bpf_jit_binary_lock_ro in the function bpf_int_jit_compile), but
- you can use the old trick with cr0
- you can call set_memory_rw
and yes, such patches are very hard to detect. Really HARD.