1	// SPDX-License-Identifier: GPL-2.0-only
2	#define pr_fmt(fmt) "SMP alternatives: " fmt
3
4	#include <linux/mmu_context.h>
5	#include <linux/perf_event.h>
6	#include <linux/vmalloc.h>
7	#include <linux/memory.h>
8	#include <linux/execmem.h>
9
10	#include <asm/text-patching.h>
11	#include <asm/insn.h>
12	#include <asm/insn-eval.h>
13	#include <asm/ibt.h>
14	#include <asm/set_memory.h>
15	#include <asm/nmi.h>
16
17	int __read_mostly alternatives_patched;
18
19	EXPORT_SYMBOL_GPL(alternatives_patched);
20
21	#define MAX_PATCH_LEN (255-1)
22
23	#define DA_ALL (~0)
24	#define DA_ALT 0x01
25	#define DA_RET 0x02
26	#define DA_RETPOLINE 0x04
27	#define DA_ENDBR 0x08
28	#define DA_SMP 0x10
29
30	static unsigned int debug_alternative;
31
32	static int __init debug_alt(char *str)
33	{
34	if (str && *str == '=')
35	str++;
36
37	if (!str || kstrtouint(s: str, base: 0, res: &debug_alternative))
38	debug_alternative = DA_ALL;
39
40	return 1;
41	}
42	__setup("debug-alternative", debug_alt);
43
44	static int noreplace_smp;
45
46	static int __init setup_noreplace_smp(char *str)
47	{
48	noreplace_smp = 1;
49	return 1;
50	}
51	__setup("noreplace-smp", setup_noreplace_smp);
52
53	#define DPRINTK(type, fmt, args...) \
54	do { \
55	if (debug_alternative & DA_##type) \
56	printk(KERN_DEBUG pr_fmt(fmt) "\n", ##args); \
57	} while (0)
58
59	#define DUMP_BYTES(type, buf, len, fmt, args...) \
60	do { \
61	if (unlikely(debug_alternative & DA_##type)) { \
62	int j; \
63	\
64	if (!(len)) \
65	break; \
66	\
67	printk(KERN_DEBUG pr_fmt(fmt), ##args); \
68	for (j = 0; j < (len) - 1; j++) \
69	printk(KERN_CONT "%02hhx ", buf[j]); \
70	printk(KERN_CONT "%02hhx\n", buf[j]); \
71	} \
72	} while (0)
73
74	static const unsigned char x86nops[] =
75	{
76	BYTES_NOP1,
77	BYTES_NOP2,
78	BYTES_NOP3,
79	BYTES_NOP4,
80	BYTES_NOP5,
81	BYTES_NOP6,
82	BYTES_NOP7,
83	BYTES_NOP8,
84	#ifdef CONFIG_64BIT
85	BYTES_NOP9,
86	BYTES_NOP10,
87	BYTES_NOP11,
88	#endif
89	};
90
91	const unsigned char * const x86_nops[ASM_NOP_MAX+1] =
92	{
93	NULL,
94	x86nops,
95	x86nops + 1,
96	x86nops + 1 + 2,
97	x86nops + 1 + 2 + 3,
98	x86nops + 1 + 2 + 3 + 4,
99	x86nops + 1 + 2 + 3 + 4 + 5,
100	x86nops + 1 + 2 + 3 + 4 + 5 + 6,
101	x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7,
102	#ifdef CONFIG_64BIT
103	x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8,
104	x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9,
105	x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10,
106	#endif
107	};
108
109	#ifdef CONFIG_FINEIBT
110	static bool cfi_paranoid __ro_after_init;
111	#endif
112
113	#ifdef CONFIG_MITIGATION_ITS
114
115	#ifdef CONFIG_MODULES
116	static struct module *its_mod;
117	#endif
118	static void *its_page;
119	static unsigned int its_offset;
120	struct its_array its_pages;
121
122	static void *__its_alloc(struct its_array *pages)
123	{
124	void *page __free(execmem) = execmem_alloc_rw(type: EXECMEM_MODULE_TEXT, PAGE_SIZE);
125	if (!page)
126	return NULL;
127
128	void *tmp = krealloc(pages->pages, (pages->num+1) * sizeof(void *),
129	GFP_KERNEL);
130	if (!tmp)
131	return NULL;
132
133	pages->pages = tmp;
134	pages->pages[pages->num++] = page;
135
136	return no_free_ptr(page);
137	}
138
139	/* Initialize a thunk with the "jmp *reg; int3" instructions. */
140	static void *its_init_thunk(void *thunk, int reg)
141	{
142	u8 *bytes = thunk;
143	int offset = 0;
144	int i = 0;
145
146	#ifdef CONFIG_FINEIBT
147	if (cfi_paranoid) {
148	/*
149	* When ITS uses indirect branch thunk the fineibt_paranoid
150	* caller sequence doesn't fit in the caller site. So put the
151	* remaining part of the sequence (UDB + JNE) into the ITS
152	* thunk.
153	*/
154	bytes[i++] = 0xd6; /* UDB */
155	bytes[i++] = 0x75; /* JNE */
156	bytes[i++] = 0xfd;
157
158	offset = 1;
159	}
160	#endif
161
162	if (reg >= 8) {
163	bytes[i++] = 0x41; /* REX.B prefix */
164	reg -= 8;
165	}
166	bytes[i++] = 0xff;
167	bytes[i++] = 0xe0 + reg; /* JMP *reg */
168	bytes[i++] = 0xcc;
169
170	return thunk + offset;
171	}
172
173	static void its_pages_protect(struct its_array *pages)
174	{
175	for (int i = 0; i < pages->num; i++) {
176	void *page = pages->pages[i];
177	execmem_restore_rox(ptr: page, PAGE_SIZE);
178	}
179	}
180
181	static void its_fini_core(void)
182	{
183	if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX))
184	its_pages_protect(pages: &its_pages);
185	kfree(objp: its_pages.pages);
186	}
187
188	#ifdef CONFIG_MODULES
189	void its_init_mod(struct module *mod)
190	{
191	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
192	return;
193
194	mutex_lock(&text_mutex);
195	its_mod = mod;
196	its_page = NULL;
197	}
198
199	void its_fini_mod(struct module *mod)
200	{
201	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
202	return;
203
204	WARN_ON_ONCE(its_mod != mod);
205
206	its_mod = NULL;
207	its_page = NULL;
208	mutex_unlock(lock: &text_mutex);
209
210	if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
211	its_pages_protect(pages: &mod->arch.its_pages);
212	}
213
214	void its_free_mod(struct module *mod)
215	{
216	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
217	return;
218
219	for (int i = 0; i < mod->arch.its_pages.num; i++) {
220	void *page = mod->arch.its_pages.pages[i];
221	execmem_free(ptr: page);
222	}
223	kfree(objp: mod->arch.its_pages.pages);
224	}
225	#endif /* CONFIG_MODULES */
226
227	static void *its_alloc(void)
228	{
229	struct its_array *pages = &its_pages;
230	void *page;
231
232	#ifdef CONFIG_MODULES
233	if (its_mod)
234	pages = &its_mod->arch.its_pages;
235	#endif
236
237	page = __its_alloc(pages);
238	if (!page)
239	return NULL;
240
241	if (pages == &its_pages)
242	set_memory_x(addr: (unsigned long)page, numpages: 1);
243
244	return page;
245	}
246
247	static void *its_allocate_thunk(int reg)
248	{
249	int size = 3 + (reg / 8);
250	void *thunk;
251
252	#ifdef CONFIG_FINEIBT
253	/*
254	* The ITS thunk contains an indirect jump and an int3 instruction so
255	* its size is 3 or 4 bytes depending on the register used. If CFI
256	* paranoid is used then 3 extra bytes are added in the ITS thunk to
257	* complete the fineibt_paranoid caller sequence.
258	*/
259	if (cfi_paranoid)
260	size += 3;
261	#endif
262
263	if (!its_page || (its_offset + size - 1) >= PAGE_SIZE) {
264	its_page = its_alloc();
265	if (!its_page) {
266	pr_err("ITS page allocation failed\n");
267	return NULL;
268	}
269	memset(its_page, INT3_INSN_OPCODE, PAGE_SIZE);
270	its_offset = 32;
271	}
272
273	/*
274	* If the indirect branch instruction will be in the lower half
275	* of a cacheline, then update the offset to reach the upper half.
276	*/
277	if ((its_offset + size - 1) % 64 < 32)
278	its_offset = ((its_offset - 1) | 0x3F) + 33;
279
280	thunk = its_page + its_offset;
281	its_offset += size;
282
283	return its_init_thunk(thunk, reg);
284	}
285
286	u8 *its_static_thunk(int reg)
287	{
288	u8 *thunk = __x86_indirect_its_thunk_array[reg];
289
290	#ifdef CONFIG_FINEIBT
291	/* Paranoid thunk starts 2 bytes before */
292	if (cfi_paranoid)
293	return thunk - 2;
294	#endif
295	return thunk;
296	}
297
298	#else
299	static inline void its_fini_core(void) {}
300	#endif /* CONFIG_MITIGATION_ITS */
301
302	/*
303	* Nomenclature for variable names to simplify and clarify this code and ease
304	* any potential staring at it:
305	*
306	* @instr: source address of the original instructions in the kernel text as
307	* generated by the compiler.
308	*
309	* @buf: temporary buffer on which the patching operates. This buffer is
310	* eventually text-poked into the kernel image.
311	*
312	* @replacement/@repl: pointer to the opcodes which are replacing @instr, located
313	* in the .altinstr_replacement section.
314	*/
315
316	/*
317	* Fill the buffer with a single effective instruction of size @len.
318	*
319	* In order not to issue an ORC stack depth tracking CFI entry (Call Frame Info)
320	* for every single-byte NOP, try to generate the maximally available NOP of
321	* size <= ASM_NOP_MAX such that only a single CFI entry is generated (vs one for
322	* each single-byte NOPs). If @len to fill out is > ASM_NOP_MAX, pad with INT3 and
323	* *jump* over instead of executing long and daft NOPs.
324	*/
325	static void add_nop(u8 *buf, unsigned int len)
326	{
327	u8 *target = buf + len;
328
329	if (!len)
330	return;
331
332	if (len <= ASM_NOP_MAX) {
333	memcpy(buf, x86_nops[len], len);
334	return;
335	}
336
337	if (len < 128) {
338	__text_gen_insn(buf, JMP8_INSN_OPCODE, addr: buf, dest: target, JMP8_INSN_SIZE);
339	buf += JMP8_INSN_SIZE;
340	} else {
341	__text_gen_insn(buf, JMP32_INSN_OPCODE, addr: buf, dest: target, JMP32_INSN_SIZE);
342	buf += JMP32_INSN_SIZE;
343	}
344
345	for (;buf < target; buf++)
346	*buf = INT3_INSN_OPCODE;
347	}
348
349	/*
350	* Find the offset of the first non-NOP instruction starting at @offset
351	* but no further than @len.
352	*/
353	static int skip_nops(u8 *buf, int offset, int len)
354	{
355	struct insn insn;
356
357	for (; offset < len; offset += insn.length) {
358	if (insn_decode_kernel(&insn, &buf[offset]))
359	break;
360
361	if (!insn_is_nop(insn: &insn))
362	break;
363	}
364
365	return offset;
366	}
367
368	/*
369	* "noinline" to cause control flow change and thus invalidate I$ and
370	* cause refetch after modification.
371	*/
372	static void noinline optimize_nops(const u8 * const instr, u8 *buf, size_t len)
373	{
374	for (int next, i = 0; i < len; i = next) {
375	struct insn insn;
376
377	if (insn_decode_kernel(&insn, &buf[i]))
378	return;
379
380	next = i + insn.length;
381
382	if (insn_is_nop(insn: &insn)) {
383	int nop = i;
384
385	/* Has the NOP already been optimized? */
386	if (i + insn.length == len)
387	return;
388
389	next = skip_nops(buf, offset: next, len);
390
391	add_nop(buf: buf + nop, len: next - nop);
392	DUMP_BYTES(ALT, buf, len, "%px: [%d:%d) optimized NOPs: ", instr, nop, next);
393	}
394	}
395	}
396
397	/*
398	* In this context, "source" is where the instructions are placed in the
399	* section .altinstr_replacement, for example during kernel build by the
400	* toolchain.
401	* "Destination" is where the instructions are being patched in by this
402	* machinery.
403	*
404	* The source offset is:
405	*
406	* src_imm = target - src_next_ip (1)
407	*
408	* and the target offset is:
409	*
410	* dst_imm = target - dst_next_ip (2)
411	*
412	* so rework (1) as an expression for target like:
413	*
414	* target = src_imm + src_next_ip (1a)
415	*
416	* and substitute in (2) to get:
417	*
418	* dst_imm = (src_imm + src_next_ip) - dst_next_ip (3)
419	*
420	* Now, since the instruction stream is 'identical' at src and dst (it
421	* is being copied after all) it can be stated that:
422	*
423	* src_next_ip = src + ip_offset
424	* dst_next_ip = dst + ip_offset (4)
425	*
426	* Substitute (4) in (3) and observe ip_offset being cancelled out to
427	* obtain:
428	*
429	* dst_imm = src_imm + (src + ip_offset) - (dst + ip_offset)
430	* = src_imm + src - dst + ip_offset - ip_offset
431	* = src_imm + src - dst (5)
432	*
433	* IOW, only the relative displacement of the code block matters.
434	*/
435
436	#define apply_reloc_n(n_, p_, d_) \
437	do { \
438	s32 v = *(s##n_ *)(p_); \
439	v += (d_); \
440	BUG_ON((v >> 31) != (v >> (n_-1))); \
441	*(s##n_ *)(p_) = (s##n_)v; \
442	} while (0)
443
444
445	static __always_inline
446	void apply_reloc(int n, void *ptr, uintptr_t diff)
447	{
448	switch (n) {
449	case 1: apply_reloc_n(8, ptr, diff); break;
450	case 2: apply_reloc_n(16, ptr, diff); break;
451	case 4: apply_reloc_n(32, ptr, diff); break;
452	default: BUG();
453	}
454	}
455
456	static __always_inline
457	bool need_reloc(unsigned long offset, u8 *src, size_t src_len)
458	{
459	u8 *target = src + offset;
460	/*
461	* If the target is inside the patched block, it's relative to the
462	* block itself and does not need relocation.
463	*/
464	return (target < src || target > src + src_len);
465	}
466
467	static void __apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
468	{
469	for (int next, i = 0; i < instrlen; i = next) {
470	struct insn insn;
471
472	if (WARN_ON_ONCE(insn_decode_kernel(&insn, &buf[i])))
473	return;
474
475	next = i + insn.length;
476
477	switch (insn.opcode.bytes[0]) {
478	case 0x0f:
479	if (insn.opcode.bytes[1] < 0x80 ||
480	insn.opcode.bytes[1] > 0x8f)
481	break;
482
483	fallthrough; /* Jcc.d32 */
484	case 0x70 ... 0x7f: /* Jcc.d8 */
485	case JMP8_INSN_OPCODE:
486	case JMP32_INSN_OPCODE:
487	case CALL_INSN_OPCODE:
488	if (need_reloc(offset: next + insn.immediate.value, src: repl, src_len: repl_len)) {
489	apply_reloc(n: insn.immediate.nbytes,
490	ptr: buf + i + insn_offset_immediate(insn: &insn),
491	diff: repl - instr);
492	}
493
494	/*
495	* Where possible, convert JMP.d32 into JMP.d8.
496	*/
497	if (insn.opcode.bytes[0] == JMP32_INSN_OPCODE) {
498	s32 imm = insn.immediate.value;
499	imm += repl - instr;
500	imm += JMP32_INSN_SIZE - JMP8_INSN_SIZE;
501	if ((imm >> 31) == (imm >> 7)) {
502	buf[i+0] = JMP8_INSN_OPCODE;
503	buf[i+1] = (s8)imm;
504
505	memset(&buf[i+2], INT3_INSN_OPCODE, insn.length - 2);
506	}
507	}
508	break;
509	}
510
511	if (insn_rip_relative(insn: &insn)) {
512	if (need_reloc(offset: next + insn.displacement.value, src: repl, src_len: repl_len)) {
513	apply_reloc(n: insn.displacement.nbytes,
514	ptr: buf + i + insn_offset_displacement(insn: &insn),
515	diff: repl - instr);
516	}
517	}
518	}
519	}
520
521	void text_poke_apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
522	{
523	__apply_relocation(buf, instr, instrlen, repl, repl_len);
524	optimize_nops(instr, buf, len: instrlen);
525	}
526
527	/* Low-level backend functions usable from alternative code replacements. */
528	DEFINE_ASM_FUNC(nop_func, "", .entry.text);
529	EXPORT_SYMBOL_GPL(nop_func);
530
531	noinstr void BUG_func(void)
532	{
533	BUG();
534	}
535	EXPORT_SYMBOL(BUG_func);
536
537	#define CALL_RIP_REL_OPCODE 0xff
538	#define CALL_RIP_REL_MODRM 0x15
539
540	/*
541	* Rewrite the "call BUG_func" replacement to point to the target of the
542	* indirect pv_ops call "call *disp(%ip)".
543	*/
544	static unsigned int alt_replace_call(u8 *instr, u8 *insn_buff, struct alt_instr *a)
545	{
546	void *target, *bug = &BUG_func;
547	s32 disp;
548
549	if (a->replacementlen != 5 || insn_buff[0] != CALL_INSN_OPCODE) {
550	pr_err("ALT_FLAG_DIRECT_CALL set for a non-call replacement instruction\n");
551	BUG();
552	}
553
554	if (a->instrlen != 6 ||
555	instr[0] != CALL_RIP_REL_OPCODE ||
556	instr[1] != CALL_RIP_REL_MODRM) {
557	pr_err("ALT_FLAG_DIRECT_CALL set for unrecognized indirect call\n");
558	BUG();
559	}
560
561	/* Skip CALL_RIP_REL_OPCODE and CALL_RIP_REL_MODRM */
562	disp = *(s32 *)(instr + 2);
563	#ifdef CONFIG_X86_64
564	/* ff 15 00 00 00 00 call *0x0(%rip) */
565	/* target address is stored at "next instruction + disp". */
566	target = *(void **)(instr + a->instrlen + disp);
567	#else
568	/* ff 15 00 00 00 00 call *0x0 */
569	/* target address is stored at disp. */
570	target = *(void **)disp;
571	#endif
572	if (!target)
573	target = bug;
574
575	/* (BUG_func - .) + (target - BUG_func) := target - . */
576	*(s32 *)(insn_buff + 1) += target - bug;
577
578	if (target == &nop_func)
579	return 0;
580
581	return 5;
582	}
583
584	static inline u8 * instr_va(struct alt_instr *i)
585	{
586	return (u8 *)&i->instr_offset + i->instr_offset;
587	}
588
589	/*
590	* Replace instructions with better alternatives for this CPU type. This runs
591	* before SMP is initialized to avoid SMP problems with self modifying code.
592	* This implies that asymmetric systems where APs have less capabilities than
593	* the boot processor are not handled. Tough. Make sure you disable such
594	* features by hand.
595	*
596	* Marked "noinline" to cause control flow change and thus insn cache
597	* to refetch changed I$ lines.
598	*/
599	void __init_or_module noinline apply_alternatives(struct alt_instr *start,
600	struct alt_instr *end)
601	{
602	u8 insn_buff[MAX_PATCH_LEN];
603	u8 *instr, *replacement;
604	struct alt_instr *a, *b;
605
606	DPRINTK(ALT, "alt table %px, -> %px", start, end);
607
608	/*
609	* KASAN_SHADOW_START is defined using
610	* cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here.
611	* During the process, KASAN becomes confused seeing partial LA57
612	* conversion and triggers a false-positive out-of-bound report.
613	*
614	* Disable KASAN until the patching is complete.
615	*/
616	kasan_disable_current();
617
618	/*
619	* The scan order should be from start to end. A later scanned
620	* alternative code can overwrite previously scanned alternative code.
621	* Some kernel functions (e.g. memcpy, memset, etc) use this order to
622	* patch code.
623	*
624	* So be careful if you want to change the scan order to any other
625	* order.
626	*/
627	for (a = start; a < end; a++) {
628	unsigned int insn_buff_sz = 0;
629
630	/*
631	* In case of nested ALTERNATIVE()s the outer alternative might
632	* add more padding. To ensure consistent patching find the max
633	* padding for all alt_instr entries for this site (nested
634	* alternatives result in consecutive entries).
635	*/
636	for (b = a+1; b < end && instr_va(i: b) == instr_va(i: a); b++) {
637	u8 len = max(a->instrlen, b->instrlen);
638	a->instrlen = b->instrlen = len;
639	}
640
641	instr = instr_va(i: a);
642	replacement = (u8 *)&a->repl_offset + a->repl_offset;
643	BUG_ON(a->instrlen > sizeof(insn_buff));
644	BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
645
646	/*
647	* Patch if either:
648	* - feature is present
649	* - feature not present but ALT_FLAG_NOT is set to mean,
650	* patch if feature is *NOT* present.
651	*/
652	if (!boot_cpu_has(a->cpuid) == !(a->flags & ALT_FLAG_NOT)) {
653	memcpy(insn_buff, instr, a->instrlen);
654	optimize_nops(instr, buf: insn_buff, len: a->instrlen);
655	text_poke_early(addr: instr, opcode: insn_buff, len: a->instrlen);
656	continue;
657	}
658
659	DPRINTK(ALT, "feat: %d*32+%d, old: (%pS (%px) len: %d), repl: (%px, len: %d) flags: 0x%x",
660	a->cpuid >> 5,
661	a->cpuid & 0x1f,
662	instr, instr, a->instrlen,
663	replacement, a->replacementlen, a->flags);
664
665	memcpy(insn_buff, replacement, a->replacementlen);
666	insn_buff_sz = a->replacementlen;
667
668	if (a->flags & ALT_FLAG_DIRECT_CALL)
669	insn_buff_sz = alt_replace_call(instr, insn_buff, a);
670
671	for (; insn_buff_sz < a->instrlen; insn_buff_sz++)
672	insn_buff[insn_buff_sz] = 0x90;
673
674	text_poke_apply_relocation(buf: insn_buff, instr, instrlen: a->instrlen, repl: replacement, repl_len: a->replacementlen);
675
676	DUMP_BYTES(ALT, instr, a->instrlen, "%px: old_insn: ", instr);
677	DUMP_BYTES(ALT, replacement, a->replacementlen, "%px: rpl_insn: ", replacement);
678	DUMP_BYTES(ALT, insn_buff, insn_buff_sz, "%px: final_insn: ", instr);
679
680	text_poke_early(addr: instr, opcode: insn_buff, len: insn_buff_sz);
681	}
682
683	kasan_enable_current();
684	}
685
686	static inline bool is_jcc32(struct insn *insn)
687	{
688	/* Jcc.d32 second opcode byte is in the range: 0x80-0x8f */
689	return insn->opcode.bytes[0] == 0x0f && (insn->opcode.bytes[1] & 0xf0) == 0x80;
690	}
691
692	#if defined(CONFIG_MITIGATION_RETPOLINE) && defined(CONFIG_OBJTOOL)
693
694	/*
695	* [CS]{,3} CALL/JMP *%\reg [INT3]*
696	*/
697	static int emit_indirect(int op, int reg, u8 *bytes, int len)
698	{
699	int cs = 0, bp = 0;
700	int i = 0;
701	u8 modrm;
702
703	/*
704	* Set @len to the excess bytes after writing the instruction.
705	*/
706	len -= 2 + (reg >= 8);
707	WARN_ON_ONCE(len < 0);
708
709	switch (op) {
710	case CALL_INSN_OPCODE:
711	modrm = 0x10; /* Reg = 2; CALL r/m */
712	/*
713	* Additional NOP is better than prefix decode penalty.
714	*/
715	if (len <= 3)
716	cs = len;
717	break;
718
719	case JMP32_INSN_OPCODE:
720	modrm = 0x20; /* Reg = 4; JMP r/m */
721	bp = len;
722	break;
723
724	default:
725	WARN_ON_ONCE(1);
726	return -1;
727	}
728
729	while (cs--)
730	bytes[i++] = 0x2e; /* CS-prefix */
731
732	if (reg >= 8) {
733	bytes[i++] = 0x41; /* REX.B prefix */
734	reg -= 8;
735	}
736
737	modrm |= 0xc0; /* Mod = 3 */
738	modrm += reg;
739
740	bytes[i++] = 0xff; /* opcode */
741	bytes[i++] = modrm;
742
743	while (bp--)
744	bytes[i++] = 0xcc; /* INT3 */
745
746	return i;
747	}
748
749	static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
750	void *call_dest, void *jmp_dest)
751	{
752	u8 op = insn->opcode.bytes[0];
753	int i = 0;
754
755	/*
756	* Clang does 'weird' Jcc __x86_indirect_thunk_r11 conditional
757	* tail-calls. Deal with them.
758	*/
759	if (is_jcc32(insn)) {
760	bytes[i++] = op;
761	op = insn->opcode.bytes[1];
762	goto clang_jcc;
763	}
764
765	if (insn->length == 6)
766	bytes[i++] = 0x2e; /* CS-prefix */
767
768	switch (op) {
769	case CALL_INSN_OPCODE:
770	__text_gen_insn(buf: bytes+i, opcode: op, addr: addr+i,
771	dest: call_dest,
772	CALL_INSN_SIZE);
773	i += CALL_INSN_SIZE;
774	break;
775
776	case JMP32_INSN_OPCODE:
777	clang_jcc:
778	__text_gen_insn(buf: bytes+i, opcode: op, addr: addr+i,
779	dest: jmp_dest,
780	JMP32_INSN_SIZE);
781	i += JMP32_INSN_SIZE;
782	break;
783
784	default:
785	WARN(1, "%pS %px %*ph\n", addr, addr, 6, addr);
786	return -1;
787	}
788
789	WARN_ON_ONCE(i != insn->length);
790
791	return i;
792	}
793
794	static int emit_call_track_retpoline(void *addr, struct insn *insn, int reg, u8 *bytes)
795	{
796	return __emit_trampoline(addr, insn, bytes,
797	call_dest: __x86_indirect_call_thunk_array[reg],
798	jmp_dest: __x86_indirect_jump_thunk_array[reg]);
799	}
800
801	#ifdef CONFIG_MITIGATION_ITS
802	static int emit_its_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
803	{
804	u8 *thunk = __x86_indirect_its_thunk_array[reg];
805	u8 *tmp = its_allocate_thunk(reg);
806
807	if (tmp)
808	thunk = tmp;
809
810	return __emit_trampoline(addr, insn, bytes, call_dest: thunk, jmp_dest: thunk);
811	}
812
813	/* Check if an indirect branch is at ITS-unsafe address */
814	static bool cpu_wants_indirect_its_thunk_at(unsigned long addr, int reg)
815	{
816	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
817	return false;
818
819	/* Indirect branch opcode is 2 or 3 bytes depending on reg */
820	addr += 1 + reg / 8;
821
822	/* Lower-half of the cacheline? */
823	return !(addr & 0x20);
824	}
825	#else /* CONFIG_MITIGATION_ITS */
826
827	#ifdef CONFIG_FINEIBT
828	static bool cpu_wants_indirect_its_thunk_at(unsigned long addr, int reg)
829	{
830	return false;
831	}
832	#endif
833
834	#endif /* CONFIG_MITIGATION_ITS */
835
836	/*
837	* Rewrite the compiler generated retpoline thunk calls.
838	*
839	* For spectre_v2=off (!X86_FEATURE_RETPOLINE), rewrite them into immediate
840	* indirect instructions, avoiding the extra indirection.
841	*
842	* For example, convert:
843	*
844	* CALL __x86_indirect_thunk_\reg
845	*
846	* into:
847	*
848	* CALL *%\reg
849	*
850	* It also tries to inline spectre_v2=retpoline,lfence when size permits.
851	*/
852	static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes)
853	{
854	retpoline_thunk_t *target;
855	int reg, ret, i = 0;
856	u8 op, cc;
857
858	target = addr + insn->length + insn->immediate.value;
859	reg = target - __x86_indirect_thunk_array;
860
861	if (WARN_ON_ONCE(reg & ~0xf))
862	return -1;
863
864	/* If anyone ever does: CALL/JMP *%rsp, we're in deep trouble. */
865	BUG_ON(reg == 4);
866
867	if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) &&
868	!cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
869	if (cpu_feature_enabled(X86_FEATURE_CALL_DEPTH))
870	return emit_call_track_retpoline(addr, insn, reg, bytes);
871
872	return -1;
873	}
874
875	op = insn->opcode.bytes[0];
876
877	/*
878	* Convert:
879	*
880	* Jcc.d32 __x86_indirect_thunk_\reg
881	*
882	* into:
883	*
884	* Jncc.d8 1f
885	* [ LFENCE ]
886	* JMP *%\reg
887	* [ NOP ]
888	* 1:
889	*/
890	if (is_jcc32(insn)) {
891	cc = insn->opcode.bytes[1] & 0xf;
892	cc ^= 1; /* invert condition */
893
894	bytes[i++] = 0x70 + cc; /* Jcc.d8 */
895	bytes[i++] = insn->length - 2; /* sizeof(Jcc.d8) == 2 */
896
897	/* Continue as if: JMP.d32 __x86_indirect_thunk_\reg */
898	op = JMP32_INSN_OPCODE;
899	}
900
901	/*
902	* For RETPOLINE_LFENCE: prepend the indirect CALL/JMP with an LFENCE.
903	*/
904	if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
905	bytes[i++] = 0x0f;
906	bytes[i++] = 0xae;
907	bytes[i++] = 0xe8; /* LFENCE */
908	}
909
910	#ifdef CONFIG_MITIGATION_ITS
911	/*
912	* Check if the address of last byte of emitted-indirect is in
913	* lower-half of the cacheline. Such branches need ITS mitigation.
914	*/
915	if (cpu_wants_indirect_its_thunk_at(addr: (unsigned long)addr + i, reg))
916	return emit_its_trampoline(addr, insn, reg, bytes);
917	#endif
918
919	ret = emit_indirect(op, reg, bytes: bytes + i, len: insn->length - i);
920	if (ret < 0)
921	return ret;
922	i += ret;
923
924	for (; i < insn->length;)
925	bytes[i++] = BYTES_NOP1;
926
927	return i;
928	}
929
930	/*
931	* Generated by 'objtool --retpoline'.
932	*/
933	void __init_or_module noinline apply_retpolines(s32 *start, s32 *end)
934	{
935	s32 *s;
936
937	for (s = start; s < end; s++) {
938	void *addr = (void *)s + *s;
939	struct insn insn;
940	int len, ret;
941	u8 bytes[16];
942	u8 op1, op2;
943	u8 *dest;
944
945	ret = insn_decode_kernel(&insn, addr);
946	if (WARN_ON_ONCE(ret < 0))
947	continue;
948
949	op1 = insn.opcode.bytes[0];
950	op2 = insn.opcode.bytes[1];
951
952	switch (op1) {
953	case 0x70 ... 0x7f: /* Jcc.d8 */
954	/* See cfi_paranoid. */
955	WARN_ON_ONCE(cfi_mode != CFI_FINEIBT);
956	continue;
957
958	case CALL_INSN_OPCODE:
959	case JMP32_INSN_OPCODE:
960	/* Check for cfi_paranoid + ITS */
961	dest = addr + insn.length + insn.immediate.value;
962	if (dest[-1] == 0xd6 && (dest[0] & 0xf0) == 0x70) {
963	WARN_ON_ONCE(cfi_mode != CFI_FINEIBT);
964	continue;
965	}
966	break;
967
968	case 0x0f: /* escape */
969	if (op2 >= 0x80 && op2 <= 0x8f)
970	break;
971	fallthrough;
972	default:
973	WARN_ON_ONCE(1);
974	continue;
975	}
976
977	DPRINTK(RETPOLINE, "retpoline at: %pS (%px) len: %d to: %pS",
978	addr, addr, insn.length,
979	addr + insn.length + insn.immediate.value);
980
981	len = patch_retpoline(addr, insn: &insn, bytes);
982	if (len == insn.length) {
983	optimize_nops(instr: addr, buf: bytes, len);
984	DUMP_BYTES(RETPOLINE, ((u8*)addr), len, "%px: orig: ", addr);
985	DUMP_BYTES(RETPOLINE, ((u8*)bytes), len, "%px: repl: ", addr);
986	text_poke_early(addr, opcode: bytes, len);
987	}
988	}
989	}
990
991	#ifdef CONFIG_MITIGATION_RETHUNK
992
993	bool cpu_wants_rethunk(void)
994	{
995	return cpu_feature_enabled(X86_FEATURE_RETHUNK);
996	}
997
998	bool cpu_wants_rethunk_at(void *addr)
999	{
1000	if (!cpu_feature_enabled(X86_FEATURE_RETHUNK))
1001	return false;
1002	if (x86_return_thunk != its_return_thunk)
1003	return true;
1004
1005	return !((unsigned long)addr & 0x20);
1006	}
1007
1008	/*
1009	* Rewrite the compiler generated return thunk tail-calls.
1010	*
1011	* For example, convert:
1012	*
1013	* JMP __x86_return_thunk
1014	*
1015	* into:
1016	*
1017	* RET
1018	*/
1019	static int patch_return(void *addr, struct insn *insn, u8 *bytes)
1020	{
1021	int i = 0;
1022
1023	/* Patch the custom return thunks... */
1024	if (cpu_wants_rethunk_at(addr)) {
1025	i = JMP32_INSN_SIZE;
1026	__text_gen_insn(buf: bytes, JMP32_INSN_OPCODE, addr, dest: x86_return_thunk, size: i);
1027	} else {
1028	/* ... or patch them out if not needed. */
1029	bytes[i++] = RET_INSN_OPCODE;
1030	}
1031
1032	for (; i < insn->length;)
1033	bytes[i++] = INT3_INSN_OPCODE;
1034	return i;
1035	}
1036
1037	void __init_or_module noinline apply_returns(s32 *start, s32 *end)
1038	{
1039	s32 *s;
1040
1041	if (cpu_wants_rethunk())
1042	static_call_force_reinit();
1043
1044	for (s = start; s < end; s++) {
1045	void *dest = NULL, *addr = (void *)s + *s;
1046	struct insn insn;
1047	int len, ret;
1048	u8 bytes[16];
1049	u8 op;
1050
1051	ret = insn_decode_kernel(&insn, addr);
1052	if (WARN_ON_ONCE(ret < 0))
1053	continue;
1054
1055	op = insn.opcode.bytes[0];
1056	if (op == JMP32_INSN_OPCODE)
1057	dest = addr + insn.length + insn.immediate.value;
1058
1059	if (__static_call_fixup(tramp: addr, op, dest) ||
1060	WARN_ONCE(dest != &__x86_return_thunk,
1061	"missing return thunk: %pS-%pS: %*ph",
1062	addr, dest, 5, addr))
1063	continue;
1064
1065	DPRINTK(RET, "return thunk at: %pS (%px) len: %d to: %pS",
1066	addr, addr, insn.length,
1067	addr + insn.length + insn.immediate.value);
1068
1069	len = patch_return(addr, insn: &insn, bytes);
1070	if (len == insn.length) {
1071	DUMP_BYTES(RET, ((u8*)addr), len, "%px: orig: ", addr);
1072	DUMP_BYTES(RET, ((u8*)bytes), len, "%px: repl: ", addr);
1073	text_poke_early(addr, opcode: bytes, len);
1074	}
1075	}
1076	}
1077	#else /* !CONFIG_MITIGATION_RETHUNK: */
1078	void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }
1079	#endif /* !CONFIG_MITIGATION_RETHUNK */
1080
1081	#else /* !CONFIG_MITIGATION_RETPOLINE || !CONFIG_OBJTOOL */
1082
1083	void __init_or_module noinline apply_retpolines(s32 *start, s32 *end) { }
1084	void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }
1085
1086	#endif /* !CONFIG_MITIGATION_RETPOLINE || !CONFIG_OBJTOOL */
1087
1088	#ifdef CONFIG_X86_KERNEL_IBT
1089
1090	__noendbr bool is_endbr(u32 *val)
1091	{
1092	u32 endbr;
1093
1094	__get_kernel_nofault(&endbr, val, u32, Efault);
1095	return __is_endbr(val: endbr);
1096
1097	Efault:
1098	return false;
1099	}
1100
1101	#ifdef CONFIG_FINEIBT
1102
1103	static __noendbr bool exact_endbr(u32 *val)
1104	{
1105	u32 endbr;
1106
1107	__get_kernel_nofault(&endbr, val, u32, Efault);
1108	return endbr == gen_endbr();
1109
1110	Efault:
1111	return false;
1112	}
1113
1114	#endif
1115
1116	static void poison_cfi(void *addr);
1117
1118	static void __init_or_module poison_endbr(void *addr)
1119	{
1120	u32 poison = gen_endbr_poison();
1121
1122	if (WARN_ON_ONCE(!is_endbr(addr)))
1123	return;
1124
1125	DPRINTK(ENDBR, "ENDBR at: %pS (%px)", addr, addr);
1126
1127	/*
1128	* When we have IBT, the lack of ENDBR will trigger #CP
1129	*/
1130	DUMP_BYTES(ENDBR, ((u8*)addr), 4, "%px: orig: ", addr);
1131	DUMP_BYTES(ENDBR, ((u8*)&poison), 4, "%px: repl: ", addr);
1132	text_poke_early(addr, opcode: &poison, len: 4);
1133	}
1134
1135	/*
1136	* Generated by: objtool --ibt
1137	*
1138	* Seal the functions for indirect calls by clobbering the ENDBR instructions
1139	* and the kCFI hash value.
1140	*/
1141	void __init_or_module noinline apply_seal_endbr(s32 *start, s32 *end)
1142	{
1143	s32 *s;
1144
1145	for (s = start; s < end; s++) {
1146	void *addr = (void *)s + *s;
1147
1148	poison_endbr(addr);
1149	if (IS_ENABLED(CONFIG_FINEIBT))
1150	poison_cfi(addr: addr - 16);
1151	}
1152	}
1153
1154	#else /* !CONFIG_X86_KERNEL_IBT: */
1155
1156	void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }
1157
1158	#endif /* !CONFIG_X86_KERNEL_IBT */
1159
1160	#ifdef CONFIG_CFI_AUTO_DEFAULT
1161	# define __CFI_DEFAULT CFI_AUTO
1162	#elif defined(CONFIG_CFI)
1163	# define __CFI_DEFAULT CFI_KCFI
1164	#else
1165	# define __CFI_DEFAULT CFI_OFF
1166	#endif
1167
1168	enum cfi_mode cfi_mode __ro_after_init = __CFI_DEFAULT;
1169	static bool cfi_debug __ro_after_init;
1170
1171	#ifdef CONFIG_FINEIBT_BHI
1172	bool cfi_bhi __ro_after_init = false;
1173	#endif
1174
1175	#ifdef CONFIG_CFI
1176	u32 cfi_get_func_hash(void *func)
1177	{
1178	u32 hash;
1179
1180	func -= cfi_get_offset();
1181	switch (cfi_mode) {
1182	case CFI_FINEIBT:
1183	func += 7;
1184	break;
1185	case CFI_KCFI:
1186	func += 1;
1187	break;
1188	default:
1189	return 0;
1190	}
1191
1192	if (get_kernel_nofault(hash, func))
1193	return 0;
1194
1195	return hash;
1196	}
1197
1198	int cfi_get_func_arity(void *func)
1199	{
1200	bhi_thunk *target;
1201	s32 disp;
1202
1203	if (cfi_mode != CFI_FINEIBT && !cfi_bhi)
1204	return 0;
1205
1206	if (get_kernel_nofault(disp, func - 4))
1207	return 0;
1208
1209	target = func + disp;
1210	return target - __bhi_args;
1211	}
1212	#endif
1213
1214	#ifdef CONFIG_FINEIBT
1215
1216	static bool cfi_rand __ro_after_init = true;
1217	static u32 cfi_seed __ro_after_init;
1218
1219	/*
1220	* Re-hash the CFI hash with a boot-time seed while making sure the result is
1221	* not a valid ENDBR instruction.
1222	*/
1223	static u32 cfi_rehash(u32 hash)
1224	{
1225	hash ^= cfi_seed;
1226	while (unlikely(__is_endbr(hash) || __is_endbr(-hash))) {
1227	bool lsb = hash & 1;
1228	hash >>= 1;
1229	if (lsb)
1230	hash ^= 0x80200003;
1231	}
1232	return hash;
1233	}
1234
1235	static __init int cfi_parse_cmdline(char *str)
1236	{
1237	if (!str)
1238	return -EINVAL;
1239
1240	while (str) {
1241	char *next = strchr(str, ',');
1242	if (next) {
1243	*next = 0;
1244	next++;
1245	}
1246
1247	if (!strcmp(str, "auto")) {
1248	cfi_mode = CFI_AUTO;
1249	} else if (!strcmp(str, "off")) {
1250	cfi_mode = CFI_OFF;
1251	cfi_rand = false;
1252	} else if (!strcmp(str, "debug")) {
1253	cfi_debug = true;
1254	} else if (!strcmp(str, "kcfi")) {
1255	cfi_mode = CFI_KCFI;
1256	} else if (!strcmp(str, "fineibt")) {
1257	cfi_mode = CFI_FINEIBT;
1258	} else if (!strcmp(str, "norand")) {
1259	cfi_rand = false;
1260	} else if (!strcmp(str, "warn")) {
1261	pr_alert("CFI: mismatch non-fatal!\n");
1262	cfi_warn = true;
1263	} else if (!strcmp(str, "paranoid")) {
1264	if (cfi_mode == CFI_FINEIBT) {
1265	cfi_paranoid = true;
1266	} else {
1267	pr_err("CFI: ignoring paranoid; depends on fineibt.\n");
1268	}
1269	} else if (!strcmp(str, "bhi")) {
1270	#ifdef CONFIG_FINEIBT_BHI
1271	if (cfi_mode == CFI_FINEIBT) {
1272	cfi_bhi = true;
1273	} else {
1274	pr_err("CFI: ignoring bhi; depends on fineibt.\n");
1275	}
1276	#else
1277	pr_err("CFI: ignoring bhi; depends on FINEIBT_BHI=y.\n");
1278	#endif
1279	} else {
1280	pr_err("CFI: Ignoring unknown option (%s).", str);
1281	}
1282
1283	str = next;
1284	}
1285
1286	return 0;
1287	}
1288	early_param("cfi", cfi_parse_cmdline);
1289
1290	/*
1291	* kCFI FineIBT
1292	*
1293	* __cfi_\func: __cfi_\func:
1294	* movl $0x12345678,%eax // 5 endbr64 // 4
1295	* nop subl $0x12345678,%eax // 5
1296	* nop jne.d32,pn \func+3 // 7
1297	* nop
1298	* nop
1299	* nop
1300	* nop
1301	* nop
1302	* nop
1303	* nop
1304	* nop
1305	* nop
1306	* \func: \func:
1307	* endbr64 nopl -42(%rax)
1308	*
1309	*
1310	* caller: caller:
1311	* movl $(-0x12345678),%r10d // 6 movl $0x12345678,%eax // 5
1312	* addl $-15(%r11),%r10d // 4 lea -0x10(%r11),%r11 // 4
1313	* je 1f // 2 nop5 // 5
1314	* ud2 // 2
1315	* 1: cs call __x86_indirect_thunk_r11 // 6 call *%r11; nop3; // 6
1316	*
1317	*
1318	* Notably, the FineIBT sequences are crafted such that branches are presumed
1319	* non-taken. This is based on Agner Fog's optimization manual, which states:
1320	*
1321	* "Make conditional jumps most often not taken: The efficiency and throughput
1322	* for not-taken branches is better than for taken branches on most
1323	* processors. Therefore, it is good to place the most frequent branch first"
1324	*/
1325
1326	/*
1327	* <fineibt_preamble_start>:
1328	* 0: f3 0f 1e fa endbr64
1329	* 4: 2d 78 56 34 12 sub $0x12345678, %eax
1330	* 9: 2e 0f 85 03 00 00 00 jne,pn 13 <fineibt_preamble_start+0x13>
1331	* 10: 0f 1f 40 d6 nopl -0x2a(%rax)
1332	*
1333	* Note that the JNE target is the 0xD6 byte inside the NOPL, this decodes as
1334	* UDB on x86_64 and raises #UD.
1335	*/
1336	asm( ".pushsection .rodata \n"
1337	"fineibt_preamble_start: \n"
1338	" endbr64 \n"
1339	" subl $0x12345678, %eax \n"
1340	"fineibt_preamble_bhi: \n"
1341	" cs jne.d32 fineibt_preamble_start+0x13 \n"
1342	"#fineibt_func: \n"
1343	" nopl -42(%rax) \n"
1344	"fineibt_preamble_end: \n"
1345	".popsection\n"
1346	);
1347
1348	extern u8 fineibt_preamble_start[];
1349	extern u8 fineibt_preamble_bhi[];
1350	extern u8 fineibt_preamble_end[];
1351
1352	#define fineibt_preamble_size (fineibt_preamble_end - fineibt_preamble_start)
1353	#define fineibt_preamble_bhi (fineibt_preamble_bhi - fineibt_preamble_start)
1354	#define fineibt_preamble_ud 0x13
1355	#define fineibt_preamble_hash 5
1356
1357	/*
1358	* <fineibt_caller_start>:
1359	* 0: b8 78 56 34 12 mov $0x12345678, %eax
1360	* 5: 4d 8d 5b f0 lea -0x10(%r11), %r11
1361	* 9: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1362	*/
1363	asm( ".pushsection .rodata \n"
1364	"fineibt_caller_start: \n"
1365	" movl $0x12345678, %eax \n"
1366	" lea -0x10(%r11), %r11 \n"
1367	ASM_NOP5
1368	"fineibt_caller_end: \n"
1369	".popsection \n"
1370	);
1371
1372	extern u8 fineibt_caller_start[];
1373	extern u8 fineibt_caller_end[];
1374
1375	#define fineibt_caller_size (fineibt_caller_end - fineibt_caller_start)
1376	#define fineibt_caller_hash 1
1377
1378	#define fineibt_caller_jmp (fineibt_caller_size - 2)
1379
1380	/*
1381	* Since FineIBT does hash validation on the callee side it is prone to
1382	* circumvention attacks where a 'naked' ENDBR instruction exists that
1383	* is not part of the fineibt_preamble sequence.
1384	*
1385	* Notably the x86 entry points must be ENDBR and equally cannot be
1386	* fineibt_preamble.
1387	*
1388	* The fineibt_paranoid caller sequence adds additional caller side
1389	* hash validation. This stops such circumvention attacks dead, but at the cost
1390	* of adding a load.
1391	*
1392	* <fineibt_paranoid_start>:
1393	* 0: b8 78 56 34 12 mov $0x12345678, %eax
1394	* 5: 41 3b 43 f5 cmp -0x11(%r11), %eax
1395	* 9: 2e 4d 8d 5b <f0> cs lea -0x10(%r11), %r11
1396	* e: 75 fd jne d <fineibt_paranoid_start+0xd>
1397	* 10: 41 ff d3 call *%r11
1398	* 13: 90 nop
1399	*
1400	* Notably LEA does not modify flags and can be reordered with the CMP,
1401	* avoiding a dependency. Again, using a non-taken (backwards) branch
1402	* for the failure case, abusing LEA's immediate 0xf0 as LOCK prefix for the
1403	* Jcc.d8, causing #UD.
1404	*/
1405	asm( ".pushsection .rodata \n"
1406	"fineibt_paranoid_start: \n"
1407	" mov $0x12345678, %eax \n"
1408	" cmpl -11(%r11), %eax \n"
1409	" cs lea -0x10(%r11), %r11 \n"
1410	"#fineibt_caller_size: \n"
1411	" jne fineibt_paranoid_start+0xd \n"
1412	"fineibt_paranoid_ind: \n"
1413	" cs call *%r11 \n"
1414	"fineibt_paranoid_end: \n"
1415	".popsection \n"
1416	);
1417
1418	extern u8 fineibt_paranoid_start[];
1419	extern u8 fineibt_paranoid_ind[];
1420	extern u8 fineibt_paranoid_end[];
1421
1422	#define fineibt_paranoid_size (fineibt_paranoid_end - fineibt_paranoid_start)
1423	#define fineibt_paranoid_ind (fineibt_paranoid_ind - fineibt_paranoid_start)
1424	#define fineibt_paranoid_ud 0xd
1425
1426	static u32 decode_preamble_hash(void *addr, int *reg)
1427	{
1428	u8 *p = addr;
1429
1430	/* b8+reg 78 56 34 12 movl $0x12345678,\reg */
1431	if (p[0] >= 0xb8 && p[0] < 0xc0) {
1432	if (reg)
1433	*reg = p[0] - 0xb8;
1434	return *(u32 *)(addr + 1);
1435	}
1436
1437	return 0; /* invalid hash value */
1438	}
1439
1440	static u32 decode_caller_hash(void *addr)
1441	{
1442	u8 *p = addr;
1443
1444	/* 41 ba 88 a9 cb ed mov $(-0x12345678),%r10d */
1445	if (p[0] == 0x41 && p[1] == 0xba)
1446	return -*(u32 *)(addr + 2);
1447
1448	/* e8 0c 88 a9 cb ed jmp.d8 +12 */
1449	if (p[0] == JMP8_INSN_OPCODE && p[1] == fineibt_caller_jmp)
1450	return -*(u32 *)(addr + 2);
1451
1452	return 0; /* invalid hash value */
1453	}
1454
1455	/* .retpoline_sites */
1456	static int cfi_disable_callers(s32 *start, s32 *end)
1457	{
1458	/*
1459	* Disable kCFI by patching in a JMP.d8, this leaves the hash immediate
1460	* in tact for later usage. Also see decode_caller_hash() and
1461	* cfi_rewrite_callers().
1462	*/
1463	const u8 jmp[] = { JMP8_INSN_OPCODE, fineibt_caller_jmp };
1464	s32 *s;
1465
1466	for (s = start; s < end; s++) {
1467	void *addr = (void *)s + *s;
1468	u32 hash;
1469
1470	addr -= fineibt_caller_size;
1471	hash = decode_caller_hash(addr);
1472	if (!hash) /* nocfi callers */
1473	continue;
1474
1475	text_poke_early(addr, jmp, 2);
1476	}
1477
1478	return 0;
1479	}
1480
1481	static int cfi_enable_callers(s32 *start, s32 *end)
1482	{
1483	/*
1484	* Re-enable kCFI, undo what cfi_disable_callers() did.
1485	*/
1486	const u8 mov[] = { 0x41, 0xba };
1487	s32 *s;
1488
1489	for (s = start; s < end; s++) {
1490	void *addr = (void *)s + *s;
1491	u32 hash;
1492
1493	addr -= fineibt_caller_size;
1494	hash = decode_caller_hash(addr);
1495	if (!hash) /* nocfi callers */
1496	continue;
1497
1498	text_poke_early(addr, mov, 2);
1499	}
1500
1501	return 0;
1502	}
1503
1504	/* .cfi_sites */
1505	static int cfi_rand_preamble(s32 *start, s32 *end)
1506	{
1507	s32 *s;
1508
1509	for (s = start; s < end; s++) {
1510	void *addr = (void *)s + *s;
1511	u32 hash;
1512
1513	hash = decode_preamble_hash(addr, NULL);
1514	if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",
1515	addr, addr, 5, addr))
1516	return -EINVAL;
1517
1518	hash = cfi_rehash(hash);
1519	text_poke_early(addr + 1, &hash, 4);
1520	}
1521
1522	return 0;
1523	}
1524
1525	/*
1526	* Inline the bhi-arity 1 case:
1527	*
1528	* __cfi_foo:
1529	* 0: f3 0f 1e fa endbr64
1530	* 4: 2d 78 56 34 12 sub $0x12345678, %eax
1531	* 9: 49 0f 45 fa cmovne %rax, %rdi
1532	* d: 2e 75 03 jne,pn foo+0x3
1533	*
1534	* foo:
1535	* 10: 0f 1f 40 <d6> nopl -42(%rax)
1536	*
1537	* Notably, this scheme is incompatible with permissive CFI
1538	* because the CMOVcc is unconditional and RDI will have been
1539	* clobbered.
1540	*/
1541	asm( ".pushsection .rodata \n"
1542	"fineibt_bhi1_start: \n"
1543	" cmovne %rax, %rdi \n"
1544	" cs jne fineibt_bhi1_func + 0x3 \n"
1545	"fineibt_bhi1_func: \n"
1546	" nopl -42(%rax) \n"
1547	"fineibt_bhi1_end: \n"
1548	".popsection \n"
1549	);
1550
1551	extern u8 fineibt_bhi1_start[];
1552	extern u8 fineibt_bhi1_end[];
1553
1554	#define fineibt_bhi1_size (fineibt_bhi1_end - fineibt_bhi1_start)
1555
1556	static void cfi_fineibt_bhi_preamble(void *addr, int arity)
1557	{
1558	u8 bytes[MAX_INSN_SIZE];
1559
1560	if (!arity)
1561	return;
1562
1563	if (!cfi_warn && arity == 1) {
1564	text_poke_early(addr + fineibt_preamble_bhi,
1565	fineibt_bhi1_start, fineibt_bhi1_size);
1566	return;
1567	}
1568
1569	/*
1570	* Replace the bytes at fineibt_preamble_bhi with a CALL instruction
1571	* that lines up exactly with the end of the preamble, such that the
1572	* return address will be foo+0.
1573	*
1574	* __cfi_foo:
1575	* 0: f3 0f 1e fa endbr64
1576	* 4: 2d 78 56 34 12 sub $0x12345678, %eax
1577	* 9: 2e 2e e8 DD DD DD DD cs cs call __bhi_args[arity]
1578	*/
1579	bytes[0] = 0x2e;
1580	bytes[1] = 0x2e;
1581	__text_gen_insn(bytes + 2, CALL_INSN_OPCODE,
1582	addr + fineibt_preamble_bhi + 2,
1583	__bhi_args[arity], CALL_INSN_SIZE);
1584
1585	text_poke_early(addr + fineibt_preamble_bhi, bytes, 7);
1586	}
1587
1588	static int cfi_rewrite_preamble(s32 *start, s32 *end)
1589	{
1590	s32 *s;
1591
1592	for (s = start; s < end; s++) {
1593	void *addr = (void *)s + *s;
1594	int arity;
1595	u32 hash;
1596
1597	/*
1598	* When the function doesn't start with ENDBR the compiler will
1599	* have determined there are no indirect calls to it and we
1600	* don't need no CFI either.
1601	*/
1602	if (!is_endbr(addr + 16))
1603	continue;
1604
1605	hash = decode_preamble_hash(addr, &arity);
1606	if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",
1607	addr, addr, 5, addr))
1608	return -EINVAL;
1609
1610	text_poke_early(addr, fineibt_preamble_start, fineibt_preamble_size);
1611	WARN_ON(*(u32 *)(addr + fineibt_preamble_hash) != 0x12345678);
1612	text_poke_early(addr + fineibt_preamble_hash, &hash, 4);
1613
1614	WARN_ONCE(!IS_ENABLED(CONFIG_FINEIBT_BHI) && arity,
1615	"kCFI preamble has wrong register at: %pS %*ph\n",
1616	addr, 5, addr);
1617
1618	if (cfi_bhi)
1619	cfi_fineibt_bhi_preamble(addr, arity);
1620	}
1621
1622	return 0;
1623	}
1624
1625	static void cfi_rewrite_endbr(s32 *start, s32 *end)
1626	{
1627	s32 *s;
1628
1629	for (s = start; s < end; s++) {
1630	void *addr = (void *)s + *s;
1631
1632	if (!exact_endbr(addr + 16))
1633	continue;
1634
1635	poison_endbr(addr + 16);
1636	}
1637	}
1638
1639	/* .retpoline_sites */
1640	static int cfi_rand_callers(s32 *start, s32 *end)
1641	{
1642	s32 *s;
1643
1644	for (s = start; s < end; s++) {
1645	void *addr = (void *)s + *s;
1646	u32 hash;
1647
1648	addr -= fineibt_caller_size;
1649	hash = decode_caller_hash(addr);
1650	if (hash) {
1651	hash = -cfi_rehash(hash);
1652	text_poke_early(addr + 2, &hash, 4);
1653	}
1654	}
1655
1656	return 0;
1657	}
1658
1659	static int emit_paranoid_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
1660	{
1661	u8 *thunk = (void *)__x86_indirect_its_thunk_array[reg] - 2;
1662
1663	#ifdef CONFIG_MITIGATION_ITS
1664	u8 *tmp = its_allocate_thunk(reg);
1665	if (tmp)
1666	thunk = tmp;
1667	#endif
1668
1669	return __emit_trampoline(addr, insn, bytes, thunk, thunk);
1670	}
1671
1672	static int cfi_rewrite_callers(s32 *start, s32 *end)
1673	{
1674	s32 *s;
1675
1676	for (s = start; s < end; s++) {
1677	void *addr = (void *)s + *s;
1678	struct insn insn;
1679	u8 bytes[20];
1680	u32 hash;
1681	int ret;
1682	u8 op;
1683
1684	addr -= fineibt_caller_size;
1685	hash = decode_caller_hash(addr);
1686	if (!hash)
1687	continue;
1688
1689	if (!cfi_paranoid) {
1690	text_poke_early(addr, fineibt_caller_start, fineibt_caller_size);
1691	WARN_ON(*(u32 *)(addr + fineibt_caller_hash) != 0x12345678);
1692	text_poke_early(addr + fineibt_caller_hash, &hash, 4);
1693	/* rely on apply_retpolines() */
1694	continue;
1695	}
1696
1697	/* cfi_paranoid */
1698	ret = insn_decode_kernel(&insn, addr + fineibt_caller_size);
1699	if (WARN_ON_ONCE(ret < 0))
1700	continue;
1701
1702	op = insn.opcode.bytes[0];
1703	if (op != CALL_INSN_OPCODE && op != JMP32_INSN_OPCODE) {
1704	WARN_ON_ONCE(1);
1705	continue;
1706	}
1707
1708	memcpy(bytes, fineibt_paranoid_start, fineibt_paranoid_size);
1709	memcpy(bytes + fineibt_caller_hash, &hash, 4);
1710
1711	if (cpu_wants_indirect_its_thunk_at((unsigned long)addr + fineibt_paranoid_ind, 11)) {
1712	emit_paranoid_trampoline(addr + fineibt_caller_size,
1713	&insn, 11, bytes + fineibt_caller_size);
1714	} else {
1715	int len = fineibt_paranoid_size - fineibt_paranoid_ind;
1716	ret = emit_indirect(op, 11, bytes + fineibt_paranoid_ind, len);
1717	if (WARN_ON_ONCE(ret != len))
1718	continue;
1719	}
1720
1721	text_poke_early(addr, bytes, fineibt_paranoid_size);
1722	}
1723
1724	return 0;
1725	}
1726
1727	#define pr_cfi_debug(X...) if (cfi_debug) pr_info(X)
1728
1729	#define FINEIBT_WARN(_f, _v) \
1730	WARN_ONCE((_f) != (_v), "FineIBT: " #_f " %ld != %d\n", _f, _v)
1731
1732	static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
1733	s32 *start_cfi, s32 *end_cfi, bool builtin)
1734	{
1735	int ret;
1736
1737	if (FINEIBT_WARN(fineibt_preamble_size, 20) ||
1738	FINEIBT_WARN(fineibt_preamble_bhi + fineibt_bhi1_size, 20) ||
1739	FINEIBT_WARN(fineibt_caller_size, 14) ||
1740	FINEIBT_WARN(fineibt_paranoid_size, 20))
1741	return;
1742
1743	if (cfi_mode == CFI_AUTO) {
1744	cfi_mode = CFI_KCFI;
1745	if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) {
1746	/*
1747	* FRED has much saner context on exception entry and
1748	* is less easy to take advantage of.
1749	*/
1750	if (!cpu_feature_enabled(X86_FEATURE_FRED))
1751	cfi_paranoid = true;
1752	cfi_mode = CFI_FINEIBT;
1753	}
1754	}
1755
1756	/*
1757	* Rewrite the callers to not use the __cfi_ stubs, such that we might
1758	* rewrite them. This disables all CFI. If this succeeds but any of the
1759	* later stages fails, we're without CFI.
1760	*/
1761	pr_cfi_debug("CFI: disabling all indirect call checking\n");
1762	ret = cfi_disable_callers(start_retpoline, end_retpoline);
1763	if (ret)
1764	goto err;
1765
1766	if (cfi_rand) {
1767	if (builtin) {
1768	cfi_seed = get_random_u32();
1769	cfi_bpf_hash = cfi_rehash(cfi_bpf_hash);
1770	cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);
1771	}
1772	pr_cfi_debug("CFI: cfi_seed: 0x%08x\n", cfi_seed);
1773
1774	pr_cfi_debug("CFI: rehashing all preambles\n");
1775	ret = cfi_rand_preamble(start_cfi, end_cfi);
1776	if (ret)
1777	goto err;
1778
1779	pr_cfi_debug("CFI: rehashing all indirect calls\n");
1780	ret = cfi_rand_callers(start_retpoline, end_retpoline);
1781	if (ret)
1782	goto err;
1783	} else {
1784	pr_cfi_debug("CFI: rehashing disabled\n");
1785	}
1786
1787	switch (cfi_mode) {
1788	case CFI_OFF:
1789	if (builtin)
1790	pr_info("CFI: disabled\n");
1791	return;
1792
1793	case CFI_KCFI:
1794	pr_cfi_debug("CFI: re-enabling all indirect call checking\n");
1795	ret = cfi_enable_callers(start_retpoline, end_retpoline);
1796	if (ret)
1797	goto err;
1798
1799	if (builtin)
1800	pr_info("CFI: Using %sretpoline kCFI\n",
1801	cfi_rand ? "rehashed " : "");
1802	return;
1803
1804	case CFI_FINEIBT:
1805	pr_cfi_debug("CFI: adding FineIBT to all preambles\n");
1806	/* place the FineIBT preamble at func()-16 */
1807	ret = cfi_rewrite_preamble(start_cfi, end_cfi);
1808	if (ret)
1809	goto err;
1810
1811	/* rewrite the callers to target func()-16 */
1812	pr_cfi_debug("CFI: rewriting indirect call sites to use FineIBT\n");
1813	ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
1814	if (ret)
1815	goto err;
1816
1817	/* now that nobody targets func()+0, remove ENDBR there */
1818	pr_cfi_debug("CFI: removing old endbr insns\n");
1819	cfi_rewrite_endbr(start_cfi, end_cfi);
1820
1821	if (builtin) {
1822	pr_info("Using %sFineIBT%s CFI\n",
1823	cfi_paranoid ? "paranoid " : "",
1824	cfi_bhi ? "+BHI" : "");
1825	}
1826	return;
1827
1828	default:
1829	break;
1830	}
1831
1832	err:
1833	pr_err("Something went horribly wrong trying to rewrite the CFI implementation.\n");
1834	}
1835
1836	static inline void poison_hash(void *addr)
1837	{
1838	*(u32 *)addr = 0;
1839	}
1840
1841	static void poison_cfi(void *addr)
1842	{
1843	/*
1844	* Compilers manage to be inconsistent with ENDBR vs __cfi prefixes,
1845	* some (static) functions for which they can determine the address
1846	* is never taken do not get a __cfi prefix, but *DO* get an ENDBR.
1847	*
1848	* As such, these functions will get sealed, but we need to be careful
1849	* to not unconditionally scribble the previous function.
1850	*/
1851	switch (cfi_mode) {
1852	case CFI_FINEIBT:
1853	/*
1854	* FineIBT prefix should start with an ENDBR.
1855	*/
1856	if (!is_endbr(addr))
1857	break;
1858
1859	/*
1860	* __cfi_\func:
1861	* nopl -42(%rax)
1862	* sub $0, %eax
1863	* jne \func+3
1864	* \func:
1865	* nopl -42(%rax)
1866	*/
1867	poison_endbr(addr);
1868	poison_hash(addr + fineibt_preamble_hash);
1869	break;
1870
1871	case CFI_KCFI:
1872	/*
1873	* kCFI prefix should start with a valid hash.
1874	*/
1875	if (!decode_preamble_hash(addr, NULL))
1876	break;
1877
1878	/*
1879	* __cfi_\func:
1880	* movl $0, %eax
1881	* .skip 11, 0x90
1882	*/
1883	poison_hash(addr + 1);
1884	break;
1885
1886	default:
1887	break;
1888	}
1889	}
1890
1891	#define fineibt_prefix_size (fineibt_preamble_size - ENDBR_INSN_SIZE)
1892
1893	/*
1894	* When regs->ip points to a 0xD6 byte in the FineIBT preamble,
1895	* return true and fill out target and type.
1896	*
1897	* We check the preamble by checking for the ENDBR instruction relative to the
1898	* UDB instruction.
1899	*/
1900	static bool decode_fineibt_preamble(struct pt_regs *regs, unsigned long *target, u32 *type)
1901	{
1902	unsigned long addr = regs->ip - fineibt_preamble_ud;
1903	u32 hash;
1904
1905	if (!exact_endbr((void *)addr))
1906	return false;
1907
1908	*target = addr + fineibt_prefix_size;
1909
1910	__get_kernel_nofault(&hash, addr + fineibt_preamble_hash, u32, Efault);
1911	*type = (u32)regs->ax + hash;
1912
1913	/*
1914	* Since regs->ip points to the middle of an instruction; it cannot
1915	* continue with the normal fixup.
1916	*/
1917	regs->ip = *target;
1918
1919	return true;
1920
1921	Efault:
1922	return false;
1923	}
1924
1925	/*
1926	* regs->ip points to one of the UD2 in __bhi_args[].
1927	*/
1928	static bool decode_fineibt_bhi(struct pt_regs *regs, unsigned long *target, u32 *type)
1929	{
1930	unsigned long addr;
1931	u32 hash;
1932
1933	if (!cfi_bhi)
1934	return false;
1935
1936	if (regs->ip < (unsigned long)__bhi_args ||
1937	regs->ip >= (unsigned long)__bhi_args_end)
1938	return false;
1939
1940	/*
1941	* Fetch the return address from the stack, this points to the
1942	* FineIBT preamble. Since the CALL instruction is in the 5 last
1943	* bytes of the preamble, the return address is in fact the target
1944	* address.
1945	*/
1946	__get_kernel_nofault(&addr, regs->sp, unsigned long, Efault);
1947	*target = addr;
1948
1949	addr -= fineibt_prefix_size;
1950	if (!exact_endbr((void *)addr))
1951	return false;
1952
1953	__get_kernel_nofault(&hash, addr + fineibt_preamble_hash, u32, Efault);
1954	*type = (u32)regs->ax + hash;
1955
1956	/*
1957	* The UD2 sites are constructed with a RET immediately following,
1958	* as such the non-fatal case can use the regular fixup.
1959	*/
1960	return true;
1961
1962	Efault:
1963	return false;
1964	}
1965
1966	static bool is_paranoid_thunk(unsigned long addr)
1967	{
1968	u32 thunk;
1969
1970	__get_kernel_nofault(&thunk, (u32 *)addr, u32, Efault);
1971	return (thunk & 0x00FFFFFF) == 0xfd75d6;
1972
1973	Efault:
1974	return false;
1975	}
1976
1977	/*
1978	* regs->ip points to a LOCK Jcc.d8 instruction from the fineibt_paranoid_start[]
1979	* sequence, or to UDB + Jcc.d8 for cfi_paranoid + ITS thunk.
1980	*/
1981	static bool decode_fineibt_paranoid(struct pt_regs *regs, unsigned long *target, u32 *type)
1982	{
1983	unsigned long addr = regs->ip - fineibt_paranoid_ud;
1984
1985	if (!cfi_paranoid)
1986	return false;
1987
1988	if (is_cfi_trap(addr + fineibt_caller_size - LEN_UD2)) {
1989	*target = regs->r11 + fineibt_prefix_size;
1990	*type = regs->ax;
1991
1992	/*
1993	* Since the trapping instruction is the exact, but LOCK prefixed,
1994	* Jcc.d8 that got us here, the normal fixup will work.
1995	*/
1996	return true;
1997	}
1998
1999	/*
2000	* The cfi_paranoid + ITS thunk combination results in:
2001	*
2002	* 0: b8 78 56 34 12 mov $0x12345678, %eax
2003	* 5: 41 3b 43 f7 cmp -11(%r11), %eax
2004	* a: 2e 3d 8d 5b f0 cs lea -0x10(%r11), %r11
2005	* e: 2e e8 XX XX XX XX cs call __x86_indirect_paranoid_thunk_r11
2006	*
2007	* Where the paranoid_thunk looks like:
2008	*
2009	* 1d: <d6> udb
2010	* __x86_indirect_paranoid_thunk_r11:
2011	* 1e: 75 fd jne 1d
2012	* __x86_indirect_its_thunk_r11:
2013	* 20: 41 ff eb jmp *%r11
2014	* 23: cc int3
2015	*
2016	*/
2017	if (is_paranoid_thunk(regs->ip)) {
2018	*target = regs->r11 + fineibt_prefix_size;
2019	*type = regs->ax;
2020
2021	regs->ip = *target;
2022	return true;
2023	}
2024
2025	return false;
2026	}
2027
2028	bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
2029	{
2030	if (decode_fineibt_paranoid(regs, target, type))
2031	return true;
2032
2033	if (decode_fineibt_bhi(regs, target, type))
2034	return true;
2035
2036	return decode_fineibt_preamble(regs, target, type);
2037	}
2038
2039	#else /* !CONFIG_FINEIBT: */
2040
2041	static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
2042	s32 *start_cfi, s32 *end_cfi, bool builtin)
2043	{
2044	if (IS_ENABLED(CONFIG_CFI) && builtin)
2045	pr_info("CFI: Using standard kCFI\n");
2046	}
2047
2048	#ifdef CONFIG_X86_KERNEL_IBT
2049	static void poison_cfi(void *addr) { }
2050	#endif
2051
2052	#endif /* !CONFIG_FINEIBT */
2053
2054	void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
2055	s32 *start_cfi, s32 *end_cfi)
2056	{
2057	return __apply_fineibt(start_retpoline, end_retpoline,
2058	start_cfi, end_cfi,
2059	/* .builtin = */ false);
2060	}
2061
2062	#ifdef CONFIG_SMP
2063	static void alternatives_smp_lock(const s32 *start, const s32 *end,
2064	u8 *text, u8 *text_end)
2065	{
2066	const s32 *poff;
2067
2068	for (poff = start; poff < end; poff++) {
2069	u8 *ptr = (u8 *)poff + *poff;
2070
2071	if (!*poff || ptr < text || ptr >= text_end)
2072	continue;
2073	/* turn DS segment override prefix into lock prefix */
2074	if (*ptr == 0x3e)
2075	text_poke(addr: ptr, opcode: ((unsigned char []){0xf0}), len: 1);
2076	}
2077	}
2078
2079	static void alternatives_smp_unlock(const s32 *start, const s32 *end,
2080	u8 *text, u8 *text_end)
2081	{
2082	const s32 *poff;
2083
2084	for (poff = start; poff < end; poff++) {
2085	u8 *ptr = (u8 *)poff + *poff;
2086
2087	if (!*poff || ptr < text || ptr >= text_end)
2088	continue;
2089	/* turn lock prefix into DS segment override prefix */
2090	if (*ptr == 0xf0)
2091	text_poke(addr: ptr, opcode: ((unsigned char []){0x3E}), len: 1);
2092	}
2093	}
2094
2095	struct smp_alt_module {
2096	/* what is this ??? */
2097	struct module *mod;
2098	char *name;
2099
2100	/* ptrs to lock prefixes */
2101	const s32 *locks;
2102	const s32 *locks_end;
2103
2104	/* .text segment, needed to avoid patching init code ;) */
2105	u8 *text;
2106	u8 *text_end;
2107
2108	struct list_head next;
2109	};
2110	static LIST_HEAD(smp_alt_modules);
2111	static bool uniproc_patched = false; /* protected by text_mutex */
2112
2113	void __init_or_module alternatives_smp_module_add(struct module *mod,
2114	char *name,
2115	void *locks, void *locks_end,
2116	void *text, void *text_end)
2117	{
2118	struct smp_alt_module *smp;
2119
2120	mutex_lock(&text_mutex);
2121	if (!uniproc_patched)
2122	goto unlock;
2123
2124	if (num_possible_cpus() == 1)
2125	/* Don't bother remembering, we'll never have to undo it. */
2126	goto smp_unlock;
2127
2128	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
2129	if (NULL == smp)
2130	/* we'll run the (safe but slow) SMP code then ... */
2131	goto unlock;
2132
2133	smp->mod = mod;
2134	smp->name = name;
2135	smp->locks = locks;
2136	smp->locks_end = locks_end;
2137	smp->text = text;
2138	smp->text_end = text_end;
2139	DPRINTK(SMP, "locks %p -> %p, text %p -> %p, name %s\n",
2140	smp->locks, smp->locks_end,
2141	smp->text, smp->text_end, smp->name);
2142
2143	list_add_tail(new: &smp->next, head: &smp_alt_modules);
2144	smp_unlock:
2145	alternatives_smp_unlock(start: locks, end: locks_end, text, text_end);
2146	unlock:
2147	mutex_unlock(lock: &text_mutex);
2148	}
2149
2150	void __init_or_module alternatives_smp_module_del(struct module *mod)
2151	{
2152	struct smp_alt_module *item;
2153
2154	mutex_lock(&text_mutex);
2155	list_for_each_entry(item, &smp_alt_modules, next) {
2156	if (mod != item->mod)
2157	continue;
2158	list_del(entry: &item->next);
2159	kfree(objp: item);
2160	break;
2161	}
2162	mutex_unlock(lock: &text_mutex);
2163	}
2164
2165	void alternatives_enable_smp(void)
2166	{
2167	struct smp_alt_module *mod;
2168
2169	/* Why bother if there are no other CPUs? */
2170	BUG_ON(num_possible_cpus() == 1);
2171
2172	mutex_lock(&text_mutex);
2173
2174	if (uniproc_patched) {
2175	pr_info("switching to SMP code\n");
2176	BUG_ON(num_online_cpus() != 1);
2177	clear_cpu_cap(c: &boot_cpu_data, X86_FEATURE_UP);
2178	clear_cpu_cap(c: &cpu_data(0), X86_FEATURE_UP);
2179	list_for_each_entry(mod, &smp_alt_modules, next)
2180	alternatives_smp_lock(start: mod->locks, end: mod->locks_end,
2181	text: mod->text, text_end: mod->text_end);
2182	uniproc_patched = false;
2183	}
2184	mutex_unlock(lock: &text_mutex);
2185	}
2186
2187	/*
2188	* Return 1 if the address range is reserved for SMP-alternatives.
2189	* Must hold text_mutex.
2190	*/
2191	int alternatives_text_reserved(void *start, void *end)
2192	{
2193	struct smp_alt_module *mod;
2194	const s32 *poff;
2195	u8 *text_start = start;
2196	u8 *text_end = end;
2197
2198	lockdep_assert_held(&text_mutex);
2199
2200	list_for_each_entry(mod, &smp_alt_modules, next) {
2201	if (mod->text > text_end || mod->text_end < text_start)
2202	continue;
2203	for (poff = mod->locks; poff < mod->locks_end; poff++) {
2204	const u8 *ptr = (const u8 *)poff + *poff;
2205
2206	if (text_start <= ptr && text_end > ptr)
2207	return 1;
2208	}
2209	}
2210
2211	return 0;
2212	}
2213	#endif /* CONFIG_SMP */
2214
2215	/*
2216	* Self-test for the INT3 based CALL emulation code.
2217	*
2218	* This exercises int3_emulate_call() to make sure INT3 pt_regs are set up
2219	* properly and that there is a stack gap between the INT3 frame and the
2220	* previous context. Without this gap doing a virtual PUSH on the interrupted
2221	* stack would corrupt the INT3 IRET frame.
2222	*
2223	* See entry_{32,64}.S for more details.
2224	*/
2225
2226	extern void int3_selftest_asm(unsigned int *ptr);
2227
2228	asm (
2229	" .pushsection .init.text, \"ax\", @progbits\n"
2230	" .type int3_selftest_asm, @function\n"
2231	"int3_selftest_asm:\n"
2232	ANNOTATE_NOENDBR "\n"
2233	/*
2234	* INT3 padded with NOP to CALL_INSN_SIZE. The INT3 triggers an
2235	* exception, then the int3_exception_nb notifier emulates a call to
2236	* int3_selftest_callee().
2237	*/
2238	" int3; nop; nop; nop; nop\n"
2239	ASM_RET
2240	" .size int3_selftest_asm, . - int3_selftest_asm\n"
2241	" .popsection\n"
2242	);
2243
2244	extern void int3_selftest_callee(unsigned int *ptr);
2245
2246	asm (
2247	" .pushsection .init.text, \"ax\", @progbits\n"
2248	" .type int3_selftest_callee, @function\n"
2249	"int3_selftest_callee:\n"
2250	ANNOTATE_NOENDBR "\n"
2251	" movl $0x1234, (%" _ASM_ARG1 ")\n"
2252	ASM_RET
2253	" .size int3_selftest_callee, . - int3_selftest_callee\n"
2254	" .popsection\n"
2255	);
2256
2257	extern void int3_selftest_ip(void); /* defined in asm below */
2258
2259	static int __init
2260	int3_exception_notify(struct notifier_block *self, unsigned long val, void *data)
2261	{
2262	unsigned long selftest = (unsigned long)&int3_selftest_asm;
2263	struct die_args *args = data;
2264	struct pt_regs *regs = args->regs;
2265
2266	OPTIMIZER_HIDE_VAR(selftest);
2267
2268	if (!regs || user_mode(regs))
2269	return NOTIFY_DONE;
2270
2271	if (val != DIE_INT3)
2272	return NOTIFY_DONE;
2273
2274	if (regs->ip - INT3_INSN_SIZE != selftest)
2275	return NOTIFY_DONE;
2276
2277	int3_emulate_call(regs, func: (unsigned long)&int3_selftest_callee);
2278	return NOTIFY_STOP;
2279	}
2280
2281	/* Must be noinline to ensure uniqueness of int3_selftest_ip. */
2282	static noinline void __init int3_selftest(void)
2283	{
2284	static __initdata struct notifier_block int3_exception_nb = {
2285	.notifier_call = int3_exception_notify,
2286	.priority = INT_MAX-1, /* last */
2287	};
2288	unsigned int val = 0;
2289
2290	BUG_ON(register_die_notifier(&int3_exception_nb));
2291
2292	/*
2293	* Basically: int3_selftest_callee(&val); but really complicated :-)
2294	*/
2295	int3_selftest_asm(ptr: &val);
2296
2297	BUG_ON(val != 0x1234);
2298
2299	unregister_die_notifier(nb: &int3_exception_nb);
2300	}
2301
2302	static __initdata int __alt_reloc_selftest_addr;
2303
2304	extern void __init __alt_reloc_selftest(void *arg);
2305	__visible noinline void __init __alt_reloc_selftest(void *arg)
2306	{
2307	WARN_ON(arg != &__alt_reloc_selftest_addr);
2308	}
2309
2310	static noinline void __init alt_reloc_selftest(void)
2311	{
2312	/*
2313	* Tests text_poke_apply_relocation().
2314	*
2315	* This has a relative immediate (CALL) in a place other than the first
2316	* instruction and additionally on x86_64 we get a RIP-relative LEA:
2317	*
2318	* lea 0x0(%rip),%rdi # 5d0: R_X86_64_PC32 .init.data+0x5566c
2319	* call +0 # 5d5: R_X86_64_PLT32 __alt_reloc_selftest-0x4
2320	*
2321	* Getting this wrong will either crash and burn or tickle the WARN
2322	* above.
2323	*/
2324	asm_inline volatile (
2325	ALTERNATIVE("", "lea %[mem], %%" _ASM_ARG1 "; call __alt_reloc_selftest;", X86_FEATURE_ALWAYS)
2326	: ASM_CALL_CONSTRAINT
2327	: [mem] "m" (__alt_reloc_selftest_addr)
2328	: _ASM_ARG1
2329	);
2330	}
2331
2332	void __init alternative_instructions(void)
2333	{
2334	u64 ibt;
2335
2336	int3_selftest();
2337
2338	/*
2339	* The patching is not fully atomic, so try to avoid local
2340	* interruptions that might execute the to be patched code.
2341	* Other CPUs are not running.
2342	*/
2343	stop_nmi();
2344
2345	/*
2346	* Don't stop machine check exceptions while patching.
2347	* MCEs only happen when something got corrupted and in this
2348	* case we must do something about the corruption.
2349	* Ignoring it is worse than an unlikely patching race.
2350	* Also machine checks tend to be broadcast and if one CPU
2351	* goes into machine check the others follow quickly, so we don't
2352	* expect a machine check to cause undue problems during to code
2353	* patching.
2354	*/
2355
2356	/*
2357	* Make sure to set (artificial) features depending on used paravirt
2358	* functions which can later influence alternative patching.
2359	*/
2360	paravirt_set_cap();
2361
2362	/* Keep CET-IBT disabled until caller/callee are patched */
2363	ibt = ibt_save(/*disable*/ true);
2364
2365	__apply_fineibt(start_retpoline: __retpoline_sites, end_retpoline: __retpoline_sites_end,
2366	start_cfi: __cfi_sites, end_cfi: __cfi_sites_end, builtin: true);
2367	cfi_debug = false;
2368
2369	/*
2370	* Rewrite the retpolines, must be done before alternatives since
2371	* those can rewrite the retpoline thunks.
2372	*/
2373	apply_retpolines(start: __retpoline_sites, end: __retpoline_sites_end);
2374	apply_returns(start: __return_sites, end: __return_sites_end);
2375
2376	its_fini_core();
2377
2378	/*
2379	* Adjust all CALL instructions to point to func()-10, including
2380	* those in .altinstr_replacement.
2381	*/
2382	callthunks_patch_builtin_calls();
2383
2384	apply_alternatives(start: __alt_instructions, end: __alt_instructions_end);
2385
2386	/*
2387	* Seal all functions that do not have their address taken.
2388	*/
2389	apply_seal_endbr(start: __ibt_endbr_seal, end: __ibt_endbr_seal_end);
2390
2391	ibt_restore(save: ibt);
2392
2393	#ifdef CONFIG_SMP
2394	/* Patch to UP if other cpus not imminent. */
2395	if (!noreplace_smp && (num_present_cpus() == 1 || setup_max_cpus <= 1)) {
2396	uniproc_patched = true;
2397	alternatives_smp_module_add(NULL, name: "core kernel",
2398	locks: __smp_locks, locks_end: __smp_locks_end,
2399	text: _text, text_end: _etext);
2400	}
2401
2402	if (!uniproc_patched || num_possible_cpus() == 1) {
2403	free_init_pages(what: "SMP alternatives",
2404	begin: (unsigned long)__smp_locks,
2405	end: (unsigned long)__smp_locks_end);
2406	}
2407	#endif
2408
2409	restart_nmi();
2410	alternatives_patched = 1;
2411
2412	alt_reloc_selftest();
2413	}
2414
2415	/**
2416	* text_poke_early - Update instructions on a live kernel at boot time
2417	* @addr: address to modify
2418	* @opcode: source of the copy
2419	* @len: length to copy
2420	*
2421	* When you use this code to patch more than one byte of an instruction
2422	* you need to make sure that other CPUs cannot execute this code in parallel.
2423	* Also no thread must be currently preempted in the middle of these
2424	* instructions. And on the local CPU you need to be protected against NMI or
2425	* MCE handlers seeing an inconsistent instruction while you patch.
2426	*/
2427	void __init_or_module text_poke_early(void *addr, const void *opcode,
2428	size_t len)
2429	{
2430	unsigned long flags;
2431
2432	if (boot_cpu_has(X86_FEATURE_NX) &&
2433	is_module_text_address(addr: (unsigned long)addr)) {
2434	/*
2435	* Modules text is marked initially as non-executable, so the
2436	* code cannot be running and speculative code-fetches are
2437	* prevented. Just change the code.
2438	*/
2439	memcpy(addr, opcode, len);
2440	} else {
2441	local_irq_save(flags);
2442	memcpy(addr, opcode, len);
2443	sync_core();
2444	local_irq_restore(flags);
2445
2446	/*
2447	* Could also do a CLFLUSH here to speed up CPU recovery; but
2448	* that causes hangs on some VIA CPUs.
2449	*/
2450	}
2451	}
2452
2453	__ro_after_init struct mm_struct *text_poke_mm;
2454	__ro_after_init unsigned long text_poke_mm_addr;
2455
2456	/*
2457	* Text poking creates and uses a mapping in the lower half of the
2458	* address space. Relax LASS enforcement when accessing the poking
2459	* address.
2460	*
2461	* objtool enforces a strict policy of "no function calls within AC=1
2462	* regions". Adhere to the policy by using inline versions of
2463	* memcpy()/memset() that will never result in a function call.
2464	*/
2465
2466	static void text_poke_memcpy(void *dst, const void *src, size_t len)
2467	{
2468	lass_stac();
2469	__inline_memcpy(to: dst, from: src, len);
2470	lass_clac();
2471	}
2472
2473	static void text_poke_memset(void *dst, const void *src, size_t len)
2474	{
2475	int c = *(const int *)src;
2476
2477	lass_stac();
2478	__inline_memset(s: dst, v: c, n: len);
2479	lass_clac();
2480	}
2481
2482	typedef void text_poke_f(void *dst, const void *src, size_t len);
2483
2484	static void *__text_poke(text_poke_f func, void *addr, const void *src, size_t len)
2485	{
2486	bool cross_page_boundary = offset_in_page(addr) + len > PAGE_SIZE;
2487	struct page *pages[2] = {NULL};
2488	struct mm_struct *prev_mm;
2489	unsigned long flags;
2490	pte_t pte, *ptep;
2491	spinlock_t *ptl;
2492	pgprot_t pgprot;
2493
2494	/*
2495	* While boot memory allocator is running we cannot use struct pages as
2496	* they are not yet initialized. There is no way to recover.
2497	*/
2498	BUG_ON(!after_bootmem);
2499
2500	if (!core_kernel_text(addr: (unsigned long)addr)) {
2501	pages[0] = vmalloc_to_page(addr);
2502	if (cross_page_boundary)
2503	pages[1] = vmalloc_to_page(addr: addr + PAGE_SIZE);
2504	} else {
2505	pages[0] = virt_to_page(addr);
2506	WARN_ON(!PageReserved(pages[0]));
2507	if (cross_page_boundary)
2508	pages[1] = virt_to_page(addr + PAGE_SIZE);
2509	}
2510	/*
2511	* If something went wrong, crash and burn since recovery paths are not
2512	* implemented.
2513	*/
2514	BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
2515
2516	/*
2517	* Map the page without the global bit, as TLB flushing is done with
2518	* flush_tlb_mm_range(), which is intended for non-global PTEs.
2519	*/
2520	pgprot = __pgprot(pgprot_val(PAGE_KERNEL) & ~_PAGE_GLOBAL);
2521
2522	/*
2523	* The lock is not really needed, but this allows to avoid open-coding.
2524	*/
2525	ptep = get_locked_pte(mm: text_poke_mm, addr: text_poke_mm_addr, ptl: &ptl);
2526
2527	/*
2528	* This must not fail; preallocated in poking_init().
2529	*/
2530	VM_BUG_ON(!ptep);
2531
2532	local_irq_save(flags);
2533
2534	pte = mk_pte(page: pages[0], pgprot);
2535	set_pte_at(text_poke_mm, text_poke_mm_addr, ptep, pte);
2536
2537	if (cross_page_boundary) {
2538	pte = mk_pte(page: pages[1], pgprot);
2539	set_pte_at(text_poke_mm, text_poke_mm_addr + PAGE_SIZE, ptep + 1, pte);
2540	}
2541
2542	/*
2543	* Loading the temporary mm behaves as a compiler barrier, which
2544	* guarantees that the PTE will be set at the time memcpy() is done.
2545	*/
2546	prev_mm = use_temporary_mm(temp_mm: text_poke_mm);
2547
2548	kasan_disable_current();
2549	func((u8 *)text_poke_mm_addr + offset_in_page(addr), src, len);
2550	kasan_enable_current();
2551
2552	/*
2553	* Ensure that the PTE is only cleared after the instructions of memcpy
2554	* were issued by using a compiler barrier.
2555	*/
2556	barrier();
2557
2558	pte_clear(mm: text_poke_mm, addr: text_poke_mm_addr, ptep);
2559	if (cross_page_boundary)
2560	pte_clear(mm: text_poke_mm, addr: text_poke_mm_addr + PAGE_SIZE, ptep: ptep + 1);
2561
2562	/*
2563	* Loading the previous page-table hierarchy requires a serializing
2564	* instruction that already allows the core to see the updated version.
2565	* Xen-PV is assumed to serialize execution in a similar manner.
2566	*/
2567	unuse_temporary_mm(prev_mm);
2568
2569	/*
2570	* Flushing the TLB might involve IPIs, which would require enabled
2571	* IRQs, but not if the mm is not used, as it is in this point.
2572	*/
2573	flush_tlb_mm_range(mm: text_poke_mm, start: text_poke_mm_addr, end: text_poke_mm_addr +
2574	(cross_page_boundary ? 2 : 1) * PAGE_SIZE,
2575	PAGE_SHIFT, freed_tables: false);
2576
2577	if (func == text_poke_memcpy) {
2578	/*
2579	* If the text does not match what we just wrote then something is
2580	* fundamentally screwy; there's nothing we can really do about that.
2581	*/
2582	BUG_ON(memcmp(addr, src, len));
2583	}
2584
2585	local_irq_restore(flags);
2586	pte_unmap_unlock(ptep, ptl);
2587	return addr;
2588	}
2589
2590	/**
2591	* text_poke - Update instructions on a live kernel
2592	* @addr: address to modify
2593	* @opcode: source of the copy
2594	* @len: length to copy
2595	*
2596	* Only atomic text poke/set should be allowed when not doing early patching.
2597	* It means the size must be writable atomically and the address must be aligned
2598	* in a way that permits an atomic write. It also makes sure we fit on a single
2599	* page.
2600	*
2601	* Note that the caller must ensure that if the modified code is part of a
2602	* module, the module would not be removed during poking. This can be achieved
2603	* by registering a module notifier, and ordering module removal and patching
2604	* through a mutex.
2605	*/
2606	void *text_poke(void *addr, const void *opcode, size_t len)
2607	{
2608	lockdep_assert_held(&text_mutex);
2609
2610	return __text_poke(func: text_poke_memcpy, addr, src: opcode, len);
2611	}
2612
2613	/**
2614	* text_poke_kgdb - Update instructions on a live kernel by kgdb
2615	* @addr: address to modify
2616	* @opcode: source of the copy
2617	* @len: length to copy
2618	*
2619	* Only atomic text poke/set should be allowed when not doing early patching.
2620	* It means the size must be writable atomically and the address must be aligned
2621	* in a way that permits an atomic write. It also makes sure we fit on a single
2622	* page.
2623	*
2624	* Context: should only be used by kgdb, which ensures no other core is running,
2625	* despite the fact it does not hold the text_mutex.
2626	*/
2627	void *text_poke_kgdb(void *addr, const void *opcode, size_t len)
2628	{
2629	return __text_poke(func: text_poke_memcpy, addr, src: opcode, len);
2630	}
2631
2632	void *text_poke_copy_locked(void *addr, const void *opcode, size_t len,
2633	bool core_ok)
2634	{
2635	unsigned long start = (unsigned long)addr;
2636	size_t patched = 0;
2637
2638	if (WARN_ON_ONCE(!core_ok && core_kernel_text(start)))
2639	return NULL;
2640
2641	while (patched < len) {
2642	unsigned long ptr = start + patched;
2643	size_t s;
2644
2645	s = min_t(size_t, PAGE_SIZE * 2 - offset_in_page(ptr), len - patched);
2646
2647	__text_poke(func: text_poke_memcpy, addr: (void *)ptr, src: opcode + patched, len: s);
2648	patched += s;
2649	}
2650	return addr;
2651	}
2652
2653	/**
2654	* text_poke_copy - Copy instructions into (an unused part of) RX memory
2655	* @addr: address to modify
2656	* @opcode: source of the copy
2657	* @len: length to copy, could be more than 2x PAGE_SIZE
2658	*
2659	* Not safe against concurrent execution; useful for JITs to dump
2660	* new code blocks into unused regions of RX memory. Can be used in
2661	* conjunction with synchronize_rcu_tasks() to wait for existing
2662	* execution to quiesce after having made sure no existing functions
2663	* pointers are live.
2664	*/
2665	void *text_poke_copy(void *addr, const void *opcode, size_t len)
2666	{
2667	mutex_lock(&text_mutex);
2668	addr = text_poke_copy_locked(addr, opcode, len, core_ok: false);
2669	mutex_unlock(lock: &text_mutex);
2670	return addr;
2671	}
2672
2673	/**
2674	* text_poke_set - memset into (an unused part of) RX memory
2675	* @addr: address to modify
2676	* @c: the byte to fill the area with
2677	* @len: length to copy, could be more than 2x PAGE_SIZE
2678	*
2679	* This is useful to overwrite unused regions of RX memory with illegal
2680	* instructions.
2681	*/
2682	void *text_poke_set(void *addr, int c, size_t len)
2683	{
2684	unsigned long start = (unsigned long)addr;
2685	size_t patched = 0;
2686
2687	if (WARN_ON_ONCE(core_kernel_text(start)))
2688	return NULL;
2689
2690	mutex_lock(&text_mutex);
2691	while (patched < len) {
2692	unsigned long ptr = start + patched;
2693	size_t s;
2694
2695	s = min_t(size_t, PAGE_SIZE * 2 - offset_in_page(ptr), len - patched);
2696
2697	__text_poke(func: text_poke_memset, addr: (void *)ptr, src: (void *)&c, len: s);
2698	patched += s;
2699	}
2700	mutex_unlock(lock: &text_mutex);
2701	return addr;
2702	}
2703
2704	static void do_sync_core(void *info)
2705	{
2706	sync_core();
2707	}
2708
2709	void smp_text_poke_sync_each_cpu(void)
2710	{
2711	on_each_cpu(func: do_sync_core, NULL, wait: 1);
2712	}
2713
2714	/*
2715	* NOTE: crazy scheme to allow patching Jcc.d32 but not increase the size of
2716	* this thing. When len == 6 everything is prefixed with 0x0f and we map
2717	* opcode to Jcc.d8, using len to distinguish.
2718	*/
2719	struct smp_text_poke_loc {
2720	/* addr := _stext + rel_addr */
2721	s32 rel_addr;
2722	s32 disp;
2723	u8 len;
2724	u8 opcode;
2725	const u8 text[TEXT_POKE_MAX_OPCODE_SIZE];
2726	/* see smp_text_poke_batch_finish() */
2727	u8 old;
2728	};
2729
2730	#define TEXT_POKE_ARRAY_MAX (PAGE_SIZE / sizeof(struct smp_text_poke_loc))
2731
2732	static struct smp_text_poke_array {
2733	struct smp_text_poke_loc vec[TEXT_POKE_ARRAY_MAX];
2734	int nr_entries;
2735	} text_poke_array;
2736
2737	static DEFINE_PER_CPU(atomic_t, text_poke_array_refs);
2738
2739	/*
2740	* These four __always_inline annotations imply noinstr, necessary
2741	* due to smp_text_poke_int3_handler() being noinstr:
2742	*/
2743
2744	static __always_inline bool try_get_text_poke_array(void)
2745	{
2746	atomic_t *refs = this_cpu_ptr(&text_poke_array_refs);
2747
2748	if (!raw_atomic_inc_not_zero(v: refs))
2749	return false;
2750
2751	return true;
2752	}
2753
2754	static __always_inline void put_text_poke_array(void)
2755	{
2756	atomic_t *refs = this_cpu_ptr(&text_poke_array_refs);
2757
2758	smp_mb__before_atomic();
2759	raw_atomic_dec(v: refs);
2760	}
2761
2762	static __always_inline void *text_poke_addr(const struct smp_text_poke_loc *tpl)
2763	{
2764	return _stext + tpl->rel_addr;
2765	}
2766
2767	static __always_inline int patch_cmp(const void *tpl_a, const void *tpl_b)
2768	{
2769	if (tpl_a < text_poke_addr(tpl: tpl_b))
2770	return -1;
2771	if (tpl_a > text_poke_addr(tpl: tpl_b))
2772	return 1;
2773	return 0;
2774	}
2775
2776	noinstr int smp_text_poke_int3_handler(struct pt_regs *regs)
2777	{
2778	struct smp_text_poke_loc *tpl;
2779	int ret = 0;
2780	void *ip;
2781
2782	if (user_mode(regs))
2783	return 0;
2784
2785	/*
2786	* Having observed our INT3 instruction, we now must observe
2787	* text_poke_array with non-zero refcount:
2788	*
2789	* text_poke_array_refs = 1 INT3
2790	* WMB RMB
2791	* write INT3 if (text_poke_array_refs != 0)
2792	*/
2793	smp_rmb();
2794
2795	if (!try_get_text_poke_array())
2796	return 0;
2797
2798	/*
2799	* Discount the INT3. See smp_text_poke_batch_finish().
2800	*/
2801	ip = (void *) regs->ip - INT3_INSN_SIZE;
2802
2803	/*
2804	* Skip the binary search if there is a single member in the vector.
2805	*/
2806	if (unlikely(text_poke_array.nr_entries > 1)) {
2807	tpl = __inline_bsearch(key: ip, base: text_poke_array.vec, num: text_poke_array.nr_entries,
2808	size: sizeof(struct smp_text_poke_loc),
2809	cmp: patch_cmp);
2810	if (!tpl)
2811	goto out_put;
2812	} else {
2813	tpl = text_poke_array.vec;
2814	if (text_poke_addr(tpl) != ip)
2815	goto out_put;
2816	}
2817
2818	ip += tpl->len;
2819
2820	switch (tpl->opcode) {
2821	case INT3_INSN_OPCODE:
2822	/*
2823	* Someone poked an explicit INT3, they'll want to handle it,
2824	* do not consume.
2825	*/
2826	goto out_put;
2827
2828	case RET_INSN_OPCODE:
2829	int3_emulate_ret(regs);
2830	break;
2831
2832	case CALL_INSN_OPCODE:
2833	int3_emulate_call(regs, func: (long)ip + tpl->disp);
2834	break;
2835
2836	case JMP32_INSN_OPCODE:
2837	case JMP8_INSN_OPCODE:
2838	int3_emulate_jmp(regs, ip: (long)ip + tpl->disp);
2839	break;
2840
2841	case 0x70 ... 0x7f: /* Jcc */
2842	int3_emulate_jcc(regs, cc: tpl->opcode & 0xf, ip: (long)ip, disp: tpl->disp);
2843	break;
2844
2845	default:
2846	BUG();
2847	}
2848
2849	ret = 1;
2850
2851	out_put:
2852	put_text_poke_array();
2853	return ret;
2854	}
2855
2856	/**
2857	* smp_text_poke_batch_finish() -- update instructions on live kernel on SMP
2858	*
2859	* Input state:
2860	* text_poke_array.vec: vector of instructions to patch
2861	* text_poke_array.nr_entries: number of entries in the vector
2862	*
2863	* Modify multi-byte instructions by using INT3 breakpoints on SMP.
2864	* We completely avoid using stop_machine() here, and achieve the
2865	* synchronization using INT3 breakpoints and SMP cross-calls.
2866	*
2867	* The way it is done:
2868	* - For each entry in the vector:
2869	* - add an INT3 trap to the address that will be patched
2870	* - SMP sync all CPUs
2871	* - For each entry in the vector:
2872	* - update all but the first byte of the patched range
2873	* - SMP sync all CPUs
2874	* - For each entry in the vector:
2875	* - replace the first byte (INT3) by the first byte of the
2876	* replacing opcode
2877	* - SMP sync all CPUs
2878	*/
2879	void smp_text_poke_batch_finish(void)
2880	{
2881	unsigned char int3 = INT3_INSN_OPCODE;
2882	unsigned int i;
2883	int do_sync;
2884
2885	if (!text_poke_array.nr_entries)
2886	return;
2887
2888	lockdep_assert_held(&text_mutex);
2889
2890	/*
2891	* Corresponds to the implicit memory barrier in try_get_text_poke_array() to
2892	* ensure reading a non-zero refcount provides up to date text_poke_array data.
2893	*/
2894	for_each_possible_cpu(i)
2895	atomic_set_release(per_cpu_ptr(&text_poke_array_refs, i), i: 1);
2896
2897	/*
2898	* Function tracing can enable thousands of places that need to be
2899	* updated. This can take quite some time, and with full kernel debugging
2900	* enabled, this could cause the softlockup watchdog to trigger.
2901	* This function gets called every 256 entries added to be patched.
2902	* Call cond_resched() here to make sure that other tasks can get scheduled
2903	* while processing all the functions being patched.
2904	*/
2905	cond_resched();
2906
2907	/*
2908	* Corresponding read barrier in INT3 notifier for making sure the
2909	* text_poke_array.nr_entries and handler are correctly ordered wrt. patching.
2910	*/
2911	smp_wmb();
2912
2913	/*
2914	* First step: add a INT3 trap to the address that will be patched.
2915	*/
2916	for (i = 0; i < text_poke_array.nr_entries; i++) {
2917	text_poke_array.vec[i].old = *(u8 *)text_poke_addr(tpl: &text_poke_array.vec[i]);
2918	text_poke(addr: text_poke_addr(tpl: &text_poke_array.vec[i]), opcode: &int3, INT3_INSN_SIZE);
2919	}
2920
2921	smp_text_poke_sync_each_cpu();
2922
2923	/*
2924	* Second step: update all but the first byte of the patched range.
2925	*/
2926	for (do_sync = 0, i = 0; i < text_poke_array.nr_entries; i++) {
2927	u8 old[TEXT_POKE_MAX_OPCODE_SIZE+1] = { text_poke_array.vec[i].old, };
2928	u8 _new[TEXT_POKE_MAX_OPCODE_SIZE+1];
2929	const u8 *new = text_poke_array.vec[i].text;
2930	int len = text_poke_array.vec[i].len;
2931
2932	if (len - INT3_INSN_SIZE > 0) {
2933	memcpy(old + INT3_INSN_SIZE,
2934	text_poke_addr(&text_poke_array.vec[i]) + INT3_INSN_SIZE,
2935	len - INT3_INSN_SIZE);
2936
2937	if (len == 6) {
2938	_new[0] = 0x0f;
2939	memcpy(_new + 1, new, 5);
2940	new = _new;
2941	}
2942
2943	text_poke(addr: text_poke_addr(tpl: &text_poke_array.vec[i]) + INT3_INSN_SIZE,
2944	opcode: new + INT3_INSN_SIZE,
2945	len: len - INT3_INSN_SIZE);
2946
2947	do_sync++;
2948	}
2949
2950	/*
2951	* Emit a perf event to record the text poke, primarily to
2952	* support Intel PT decoding which must walk the executable code
2953	* to reconstruct the trace. The flow up to here is:
2954	* - write INT3 byte
2955	* - IPI-SYNC
2956	* - write instruction tail
2957	* At this point the actual control flow will be through the
2958	* INT3 and handler and not hit the old or new instruction.
2959	* Intel PT outputs FUP/TIP packets for the INT3, so the flow
2960	* can still be decoded. Subsequently:
2961	* - emit RECORD_TEXT_POKE with the new instruction
2962	* - IPI-SYNC
2963	* - write first byte
2964	* - IPI-SYNC
2965	* So before the text poke event timestamp, the decoder will see
2966	* either the old instruction flow or FUP/TIP of INT3. After the
2967	* text poke event timestamp, the decoder will see either the
2968	* new instruction flow or FUP/TIP of INT3. Thus decoders can
2969	* use the timestamp as the point at which to modify the
2970	* executable code.
2971	* The old instruction is recorded so that the event can be
2972	* processed forwards or backwards.
2973	*/
2974	perf_event_text_poke(addr: text_poke_addr(tpl: &text_poke_array.vec[i]), old_bytes: old, old_len: len, new_bytes: new, new_len: len);
2975	}
2976
2977	if (do_sync) {
2978	/*
2979	* According to Intel, this core syncing is very likely
2980	* not necessary and we'd be safe even without it. But
2981	* better safe than sorry (plus there's not only Intel).
2982	*/
2983	smp_text_poke_sync_each_cpu();
2984	}
2985
2986	/*
2987	* Third step: replace the first byte (INT3) by the first byte of the
2988	* replacing opcode.
2989	*/
2990	for (do_sync = 0, i = 0; i < text_poke_array.nr_entries; i++) {
2991	u8 byte = text_poke_array.vec[i].text[0];
2992
2993	if (text_poke_array.vec[i].len == 6)
2994	byte = 0x0f;
2995
2996	if (byte == INT3_INSN_OPCODE)
2997	continue;
2998
2999	text_poke(addr: text_poke_addr(tpl: &text_poke_array.vec[i]), opcode: &byte, INT3_INSN_SIZE);
3000	do_sync++;
3001	}
3002
3003	if (do_sync)
3004	smp_text_poke_sync_each_cpu();
3005
3006	/*
3007	* Remove and wait for refs to be zero.
3008	*
3009	* Notably, if after step-3 above the INT3 got removed, then the
3010	* smp_text_poke_sync_each_cpu() will have serialized against any running INT3
3011	* handlers and the below spin-wait will not happen.
3012	*
3013	* IOW. unless the replacement instruction is INT3, this case goes
3014	* unused.
3015	*/
3016	for_each_possible_cpu(i) {
3017	atomic_t *refs = per_cpu_ptr(&text_poke_array_refs, i);
3018
3019	if (unlikely(!atomic_dec_and_test(refs)))
3020	atomic_cond_read_acquire(refs, !VAL);
3021	}
3022
3023	/* They are all completed: */
3024	text_poke_array.nr_entries = 0;
3025	}
3026
3027	static void __smp_text_poke_batch_add(void *addr, const void *opcode, size_t len, const void *emulate)
3028	{
3029	struct smp_text_poke_loc *tpl;
3030	struct insn insn;
3031	int ret, i = 0;
3032
3033	tpl = &text_poke_array.vec[text_poke_array.nr_entries++];
3034
3035	if (len == 6)
3036	i = 1;
3037	memcpy((void *)tpl->text, opcode+i, len-i);
3038	if (!emulate)
3039	emulate = opcode;
3040
3041	ret = insn_decode_kernel(&insn, emulate);
3042	BUG_ON(ret < 0);
3043
3044	tpl->rel_addr = addr - (void *)_stext;
3045	tpl->len = len;
3046	tpl->opcode = insn.opcode.bytes[0];
3047
3048	if (is_jcc32(insn: &insn)) {
3049	/*
3050	* Map Jcc.d32 onto Jcc.d8 and use len to distinguish.
3051	*/
3052	tpl->opcode = insn.opcode.bytes[1] - 0x10;
3053	}
3054
3055	switch (tpl->opcode) {
3056	case RET_INSN_OPCODE:
3057	case JMP32_INSN_OPCODE:
3058	case JMP8_INSN_OPCODE:
3059	/*
3060	* Control flow instructions without implied execution of the
3061	* next instruction can be padded with INT3.
3062	*/
3063	for (i = insn.length; i < len; i++)
3064	BUG_ON(tpl->text[i] != INT3_INSN_OPCODE);
3065	break;
3066
3067	default:
3068	BUG_ON(len != insn.length);
3069	}
3070
3071	switch (tpl->opcode) {
3072	case INT3_INSN_OPCODE:
3073	case RET_INSN_OPCODE:
3074	break;
3075
3076	case CALL_INSN_OPCODE:
3077	case JMP32_INSN_OPCODE:
3078	case JMP8_INSN_OPCODE:
3079	case 0x70 ... 0x7f: /* Jcc */
3080	tpl->disp = insn.immediate.value;
3081	break;
3082
3083	default: /* assume NOP */
3084	switch (len) {
3085	case 2: /* NOP2 -- emulate as JMP8+0 */
3086	BUG_ON(memcmp(emulate, x86_nops[len], len));
3087	tpl->opcode = JMP8_INSN_OPCODE;
3088	tpl->disp = 0;
3089	break;
3090
3091	case 5: /* NOP5 -- emulate as JMP32+0 */
3092	BUG_ON(memcmp(emulate, x86_nops[len], len));
3093	tpl->opcode = JMP32_INSN_OPCODE;
3094	tpl->disp = 0;
3095	break;
3096
3097	default: /* unknown instruction */
3098	BUG();
3099	}
3100	break;
3101	}
3102	}
3103
3104	/*
3105	* We hard rely on the text_poke_array.vec being ordered; ensure this is so by flushing
3106	* early if needed.
3107	*/
3108	static bool text_poke_addr_ordered(void *addr)
3109	{
3110	WARN_ON_ONCE(!addr);
3111
3112	if (!text_poke_array.nr_entries)
3113	return true;
3114
3115	/*
3116	* If the last current entry's address is higher than the
3117	* new entry's address we'd like to add, then ordering
3118	* is violated and we must first flush all pending patching
3119	* requests:
3120	*/
3121	if (text_poke_addr(tpl: text_poke_array.vec + text_poke_array.nr_entries-1) > addr)
3122	return false;
3123
3124	return true;
3125	}
3126
3127	/**
3128	* smp_text_poke_batch_add() -- update instruction on live kernel on SMP, batched
3129	* @addr: address to patch
3130	* @opcode: opcode of new instruction
3131	* @len: length to copy
3132	* @emulate: instruction to be emulated
3133	*
3134	* Add a new instruction to the current queue of to-be-patched instructions
3135	* the kernel maintains. The patching request will not be executed immediately,
3136	* but becomes part of an array of patching requests, optimized for batched
3137	* execution. All pending patching requests will be executed on the next
3138	* smp_text_poke_batch_finish() call.
3139	*/
3140	void __ref smp_text_poke_batch_add(void *addr, const void *opcode, size_t len, const void *emulate)
3141	{
3142	if (text_poke_array.nr_entries == TEXT_POKE_ARRAY_MAX || !text_poke_addr_ordered(addr))
3143	smp_text_poke_batch_finish();
3144	__smp_text_poke_batch_add(addr, opcode, len, emulate);
3145	}
3146
3147	/**
3148	* smp_text_poke_single() -- update instruction on live kernel on SMP immediately
3149	* @addr: address to patch
3150	* @opcode: opcode of new instruction
3151	* @len: length to copy
3152	* @emulate: instruction to be emulated
3153	*
3154	* Update a single instruction with the vector in the stack, avoiding
3155	* dynamically allocated memory. This function should be used when it is
3156	* not possible to allocate memory for a vector. The single instruction
3157	* is patched in immediately.
3158	*/
3159	void __ref smp_text_poke_single(void *addr, const void *opcode, size_t len, const void *emulate)
3160	{
3161	smp_text_poke_batch_add(addr, opcode, len, emulate);
3162	smp_text_poke_batch_finish();
3163	}
3164