1 // SPDX-License-Identifier: GPL-2.0-only
2 #define pr_fmt(fmt) "SMP alternatives: " fmt
4 #include <linux/mmu_context.h>
5 #include <linux/perf_event.h>
6 #include <linux/vmalloc.h>
7 #include <linux/memory.h>
8 #include <linux/execmem.h>
10 #include <asm/text-patching.h>
13 #include <asm/set_memory.h>
16 int __read_mostly alternatives_patched;
18 EXPORT_SYMBOL_GPL(alternatives_patched);
20 #define MAX_PATCH_LEN (255-1)
25 #define DA_RETPOLINE 0x04
29 static unsigned int debug_alternative;
31 static int __init debug_alt(char *str)
33 if (str && *str == '=')
36 if (!str || kstrtouint(str, 0, &debug_alternative))
37 debug_alternative = DA_ALL;
41 __setup("debug-alternative", debug_alt);
43 static int noreplace_smp;
45 static int __init setup_noreplace_smp(char *str)
50 __setup("noreplace-smp", setup_noreplace_smp);
52 #define DPRINTK(type, fmt, args...) \
54 if (debug_alternative & DA_##type) \
55 printk(KERN_DEBUG pr_fmt(fmt) "\n", ##args); \
58 #define DUMP_BYTES(type, buf, len, fmt, args...) \
60 if (unlikely(debug_alternative & DA_##type)) { \
66 printk(KERN_DEBUG pr_fmt(fmt), ##args); \
67 for (j = 0; j < (len) - 1; j++) \
68 printk(KERN_CONT "%02hhx ", buf[j]); \
69 printk(KERN_CONT "%02hhx\n", buf[j]); \
73 static const unsigned char x86nops[] =
90 const unsigned char * const x86_nops[ASM_NOP_MAX+1] =
97 x86nops + 1 + 2 + 3 + 4,
98 x86nops + 1 + 2 + 3 + 4 + 5,
99 x86nops + 1 + 2 + 3 + 4 + 5 + 6,
100 x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7,
102 x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8,
103 x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9,
104 x86nops + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10,
108 #ifdef CONFIG_FINEIBT
109 static bool cfi_paranoid __ro_after_init;
112 #ifdef CONFIG_MITIGATION_ITS
114 #ifdef CONFIG_MODULES
115 static struct module *its_mod;
117 static void *its_page;
118 static unsigned int its_offset;
119 struct its_array its_pages;
121 static void *__its_alloc(struct its_array *pages)
123 void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE);
127 void *tmp = krealloc(pages->pages, (pages->num+1) * sizeof(void *),
133 pages->pages[pages->num++] = page;
135 return no_free_ptr(page);
138 /* Initialize a thunk with the "jmp *reg; int3" instructions. */
139 static void *its_init_thunk(void *thunk, int reg)
145 #ifdef CONFIG_FINEIBT
148 * When ITS uses indirect branch thunk the fineibt_paranoid
149 * caller sequence doesn't fit in the caller site. So put the
150 * remaining part of the sequence (<ea> + JNE) into the ITS
153 bytes[i++] = 0xea; /* invalid instruction */
154 bytes[i++] = 0x75; /* JNE */
162 bytes[i++] = 0x41; /* REX.B prefix */
166 bytes[i++] = 0xe0 + reg; /* jmp *reg */
169 return thunk + offset;
172 static void its_pages_protect(struct its_array *pages)
174 for (int i = 0; i < pages->num; i++) {
175 void *page = pages->pages[i];
176 execmem_restore_rox(page, PAGE_SIZE);
180 static void its_fini_core(void)
182 if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX))
183 its_pages_protect(&its_pages);
184 kfree(its_pages.pages);
187 #ifdef CONFIG_MODULES
188 void its_init_mod(struct module *mod)
190 if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
193 mutex_lock(&text_mutex);
198 void its_fini_mod(struct module *mod)
200 if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
203 WARN_ON_ONCE(its_mod != mod);
207 mutex_unlock(&text_mutex);
209 if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
210 its_pages_protect(&mod->arch.its_pages);
213 void its_free_mod(struct module *mod)
215 if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
218 for (int i = 0; i < mod->arch.its_pages.num; i++) {
219 void *page = mod->arch.its_pages.pages[i];
222 kfree(mod->arch.its_pages.pages);
224 #endif /* CONFIG_MODULES */
226 static void *its_alloc(void)
228 struct its_array *pages = &its_pages;
231 #ifdef CONFIG_MODULES
233 pages = &its_mod->arch.its_pages;
236 page = __its_alloc(pages);
240 execmem_make_temp_rw(page, PAGE_SIZE);
241 if (pages == &its_pages)
242 set_memory_x((unsigned long)page, 1);
247 static void *its_allocate_thunk(int reg)
249 int size = 3 + (reg / 8);
252 #ifdef CONFIG_FINEIBT
254 * The ITS thunk contains an indirect jump and an int3 instruction so
255 * its size is 3 or 4 bytes depending on the register used. If CFI
256 * paranoid is used then 3 extra bytes are added in the ITS thunk to
257 * complete the fineibt_paranoid caller sequence.
263 if (!its_page || (its_offset + size - 1) >= PAGE_SIZE) {
264 its_page = its_alloc();
266 pr_err("ITS page allocation failed\n");
269 memset(its_page, INT3_INSN_OPCODE, PAGE_SIZE);
274 * If the indirect branch instruction will be in the lower half
275 * of a cacheline, then update the offset to reach the upper half.
277 if ((its_offset + size - 1) % 64 < 32)
278 its_offset = ((its_offset - 1) | 0x3F) + 33;
280 thunk = its_page + its_offset;
283 return its_init_thunk(thunk, reg);
286 u8 *its_static_thunk(int reg)
288 u8 *thunk = __x86_indirect_its_thunk_array[reg];
290 #ifdef CONFIG_FINEIBT
291 /* Paranoid thunk starts 2 bytes before */
299 static inline void its_fini_core(void) {}
300 #endif /* CONFIG_MITIGATION_ITS */
303 * Nomenclature for variable names to simplify and clarify this code and ease
304 * any potential staring at it:
306 * @instr: source address of the original instructions in the kernel text as
307 * generated by the compiler.
309 * @buf: temporary buffer on which the patching operates. This buffer is
310 * eventually text-poked into the kernel image.
312 * @replacement/@repl: pointer to the opcodes which are replacing @instr, located
313 * in the .altinstr_replacement section.
317 * Fill the buffer with a single effective instruction of size @len.
319 * In order not to issue an ORC stack depth tracking CFI entry (Call Frame Info)
320 * for every single-byte NOP, try to generate the maximally available NOP of
321 * size <= ASM_NOP_MAX such that only a single CFI entry is generated (vs one for
322 * each single-byte NOPs). If @len to fill out is > ASM_NOP_MAX, pad with INT3 and
323 * *jump* over instead of executing long and daft NOPs.
325 static void add_nop(u8 *buf, unsigned int len)
327 u8 *target = buf + len;
332 if (len <= ASM_NOP_MAX) {
333 memcpy(buf, x86_nops[len], len);
338 __text_gen_insn(buf, JMP8_INSN_OPCODE, buf, target, JMP8_INSN_SIZE);
339 buf += JMP8_INSN_SIZE;
341 __text_gen_insn(buf, JMP32_INSN_OPCODE, buf, target, JMP32_INSN_SIZE);
342 buf += JMP32_INSN_SIZE;
345 for (;buf < target; buf++)
346 *buf = INT3_INSN_OPCODE;
350 * Matches NOP and NOPL, not any of the other possible NOPs.
352 static bool insn_is_nop(struct insn *insn)
354 /* Anything NOP, but no REP NOP */
355 if (insn->opcode.bytes[0] == 0x90 &&
356 (!insn->prefixes.nbytes || insn->prefixes.bytes[0] != 0xF3))
360 if (insn->opcode.bytes[0] == 0x0F && insn->opcode.bytes[1] == 0x1F)
363 /* TODO: more nops */
369 * Find the offset of the first non-NOP instruction starting at @offset
370 * but no further than @len.
372 static int skip_nops(u8 *buf, int offset, int len)
376 for (; offset < len; offset += insn.length) {
377 if (insn_decode_kernel(&insn, &buf[offset]))
380 if (!insn_is_nop(&insn))
388 * "noinline" to cause control flow change and thus invalidate I$ and
389 * cause refetch after modification.
391 static void noinline optimize_nops(const u8 * const instr, u8 *buf, size_t len)
393 for (int next, i = 0; i < len; i = next) {
396 if (insn_decode_kernel(&insn, &buf[i]))
399 next = i + insn.length;
401 if (insn_is_nop(&insn)) {
404 /* Has the NOP already been optimized? */
405 if (i + insn.length == len)
408 next = skip_nops(buf, next, len);
410 add_nop(buf + nop, next - nop);
411 DUMP_BYTES(ALT, buf, len, "%px: [%d:%d) optimized NOPs: ", instr, nop, next);
417 * In this context, "source" is where the instructions are placed in the
418 * section .altinstr_replacement, for example during kernel build by the
420 * "Destination" is where the instructions are being patched in by this
423 * The source offset is:
425 * src_imm = target - src_next_ip (1)
427 * and the target offset is:
429 * dst_imm = target - dst_next_ip (2)
431 * so rework (1) as an expression for target like:
433 * target = src_imm + src_next_ip (1a)
435 * and substitute in (2) to get:
437 * dst_imm = (src_imm + src_next_ip) - dst_next_ip (3)
439 * Now, since the instruction stream is 'identical' at src and dst (it
440 * is being copied after all) it can be stated that:
442 * src_next_ip = src + ip_offset
443 * dst_next_ip = dst + ip_offset (4)
445 * Substitute (4) in (3) and observe ip_offset being cancelled out to
448 * dst_imm = src_imm + (src + ip_offset) - (dst + ip_offset)
449 * = src_imm + src - dst + ip_offset - ip_offset
450 * = src_imm + src - dst (5)
452 * IOW, only the relative displacement of the code block matters.
455 #define apply_reloc_n(n_, p_, d_) \
457 s32 v = *(s##n_ *)(p_); \
459 BUG_ON((v >> 31) != (v >> (n_-1))); \
460 *(s##n_ *)(p_) = (s##n_)v; \
464 static __always_inline
465 void apply_reloc(int n, void *ptr, uintptr_t diff)
468 case 1: apply_reloc_n(8, ptr, diff); break;
469 case 2: apply_reloc_n(16, ptr, diff); break;
470 case 4: apply_reloc_n(32, ptr, diff); break;
475 static __always_inline
476 bool need_reloc(unsigned long offset, u8 *src, size_t src_len)
478 u8 *target = src + offset;
480 * If the target is inside the patched block, it's relative to the
481 * block itself and does not need relocation.
483 return (target < src || target > src + src_len);
486 static void __apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
488 for (int next, i = 0; i < instrlen; i = next) {
491 if (WARN_ON_ONCE(insn_decode_kernel(&insn, &buf[i])))
494 next = i + insn.length;
496 switch (insn.opcode.bytes[0]) {
498 if (insn.opcode.bytes[1] < 0x80 ||
499 insn.opcode.bytes[1] > 0x8f)
502 fallthrough; /* Jcc.d32 */
503 case 0x70 ... 0x7f: /* Jcc.d8 */
504 case JMP8_INSN_OPCODE:
505 case JMP32_INSN_OPCODE:
506 case CALL_INSN_OPCODE:
507 if (need_reloc(next + insn.immediate.value, repl, repl_len)) {
508 apply_reloc(insn.immediate.nbytes,
509 buf + i + insn_offset_immediate(&insn),
514 * Where possible, convert JMP.d32 into JMP.d8.
516 if (insn.opcode.bytes[0] == JMP32_INSN_OPCODE) {
517 s32 imm = insn.immediate.value;
519 imm += JMP32_INSN_SIZE - JMP8_INSN_SIZE;
520 if ((imm >> 31) == (imm >> 7)) {
521 buf[i+0] = JMP8_INSN_OPCODE;
524 memset(&buf[i+2], INT3_INSN_OPCODE, insn.length - 2);
530 if (insn_rip_relative(&insn)) {
531 if (need_reloc(next + insn.displacement.value, repl, repl_len)) {
532 apply_reloc(insn.displacement.nbytes,
533 buf + i + insn_offset_displacement(&insn),
540 void text_poke_apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
542 __apply_relocation(buf, instr, instrlen, repl, repl_len);
543 optimize_nops(instr, buf, instrlen);
546 /* Low-level backend functions usable from alternative code replacements. */
547 DEFINE_ASM_FUNC(nop_func, "", .entry.text);
548 EXPORT_SYMBOL_GPL(nop_func);
550 noinstr void BUG_func(void)
554 EXPORT_SYMBOL(BUG_func);
556 #define CALL_RIP_REL_OPCODE 0xff
557 #define CALL_RIP_REL_MODRM 0x15
560 * Rewrite the "call BUG_func" replacement to point to the target of the
561 * indirect pv_ops call "call *disp(%ip)".
563 static int alt_replace_call(u8 *instr, u8 *insn_buff, struct alt_instr *a)
565 void *target, *bug = &BUG_func;
568 if (a->replacementlen != 5 || insn_buff[0] != CALL_INSN_OPCODE) {
569 pr_err("ALT_FLAG_DIRECT_CALL set for a non-call replacement instruction\n");
573 if (a->instrlen != 6 ||
574 instr[0] != CALL_RIP_REL_OPCODE ||
575 instr[1] != CALL_RIP_REL_MODRM) {
576 pr_err("ALT_FLAG_DIRECT_CALL set for unrecognized indirect call\n");
580 /* Skip CALL_RIP_REL_OPCODE and CALL_RIP_REL_MODRM */
581 disp = *(s32 *)(instr + 2);
583 /* ff 15 00 00 00 00 call *0x0(%rip) */
584 /* target address is stored at "next instruction + disp". */
585 target = *(void **)(instr + a->instrlen + disp);
587 /* ff 15 00 00 00 00 call *0x0 */
588 /* target address is stored at disp. */
589 target = *(void **)disp;
594 /* (BUG_func - .) + (target - BUG_func) := target - . */
595 *(s32 *)(insn_buff + 1) += target - bug;
597 if (target == &nop_func)
603 static inline u8 * instr_va(struct alt_instr *i)
605 return (u8 *)&i->instr_offset + i->instr_offset;
609 * Replace instructions with better alternatives for this CPU type. This runs
610 * before SMP is initialized to avoid SMP problems with self modifying code.
611 * This implies that asymmetric systems where APs have less capabilities than
612 * the boot processor are not handled. Tough. Make sure you disable such
615 * Marked "noinline" to cause control flow change and thus insn cache
616 * to refetch changed I$ lines.
618 void __init_or_module noinline apply_alternatives(struct alt_instr *start,
619 struct alt_instr *end)
621 u8 insn_buff[MAX_PATCH_LEN];
622 u8 *instr, *replacement;
623 struct alt_instr *a, *b;
625 DPRINTK(ALT, "alt table %px, -> %px", start, end);
628 * KASAN_SHADOW_START is defined using
629 * cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here.
630 * During the process, KASAN becomes confused seeing partial LA57
631 * conversion and triggers a false-positive out-of-bound report.
633 * Disable KASAN until the patching is complete.
635 kasan_disable_current();
638 * The scan order should be from start to end. A later scanned
639 * alternative code can overwrite previously scanned alternative code.
640 * Some kernel functions (e.g. memcpy, memset, etc) use this order to
643 * So be careful if you want to change the scan order to any other
646 for (a = start; a < end; a++) {
647 int insn_buff_sz = 0;
650 * In case of nested ALTERNATIVE()s the outer alternative might
651 * add more padding. To ensure consistent patching find the max
652 * padding for all alt_instr entries for this site (nested
653 * alternatives result in consecutive entries).
655 for (b = a+1; b < end && instr_va(b) == instr_va(a); b++) {
656 u8 len = max(a->instrlen, b->instrlen);
657 a->instrlen = b->instrlen = len;
661 replacement = (u8 *)&a->repl_offset + a->repl_offset;
662 BUG_ON(a->instrlen > sizeof(insn_buff));
663 BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
667 * - feature is present
668 * - feature not present but ALT_FLAG_NOT is set to mean,
669 * patch if feature is *NOT* present.
671 if (!boot_cpu_has(a->cpuid) == !(a->flags & ALT_FLAG_NOT)) {
672 memcpy(insn_buff, instr, a->instrlen);
673 optimize_nops(instr, insn_buff, a->instrlen);
674 text_poke_early(instr, insn_buff, a->instrlen);
678 DPRINTK(ALT, "feat: %d*32+%d, old: (%pS (%px) len: %d), repl: (%px, len: %d) flags: 0x%x",
681 instr, instr, a->instrlen,
682 replacement, a->replacementlen, a->flags);
684 memcpy(insn_buff, replacement, a->replacementlen);
685 insn_buff_sz = a->replacementlen;
687 if (a->flags & ALT_FLAG_DIRECT_CALL) {
688 insn_buff_sz = alt_replace_call(instr, insn_buff, a);
689 if (insn_buff_sz < 0)
693 for (; insn_buff_sz < a->instrlen; insn_buff_sz++)
694 insn_buff[insn_buff_sz] = 0x90;
696 text_poke_apply_relocation(insn_buff, instr, a->instrlen, replacement, a->replacementlen);
698 DUMP_BYTES(ALT, instr, a->instrlen, "%px: old_insn: ", instr);
699 DUMP_BYTES(ALT, replacement, a->replacementlen, "%px: rpl_insn: ", replacement);
700 DUMP_BYTES(ALT, insn_buff, insn_buff_sz, "%px: final_insn: ", instr);
702 text_poke_early(instr, insn_buff, insn_buff_sz);
705 kasan_enable_current();
708 static inline bool is_jcc32(struct insn *insn)
710 /* Jcc.d32 second opcode byte is in the range: 0x80-0x8f */
711 return insn->opcode.bytes[0] == 0x0f && (insn->opcode.bytes[1] & 0xf0) == 0x80;
714 #if defined(CONFIG_MITIGATION_RETPOLINE) && defined(CONFIG_OBJTOOL)
719 static int emit_indirect(int op, int reg, u8 *bytes)
725 case CALL_INSN_OPCODE:
726 modrm = 0x10; /* Reg = 2; CALL r/m */
729 case JMP32_INSN_OPCODE:
730 modrm = 0x20; /* Reg = 4; JMP r/m */
739 bytes[i++] = 0x41; /* REX.B prefix */
743 modrm |= 0xc0; /* Mod = 3 */
746 bytes[i++] = 0xff; /* opcode */
752 static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
753 void *call_dest, void *jmp_dest)
755 u8 op = insn->opcode.bytes[0];
759 * Clang does 'weird' Jcc __x86_indirect_thunk_r11 conditional
760 * tail-calls. Deal with them.
762 if (is_jcc32(insn)) {
764 op = insn->opcode.bytes[1];
768 if (insn->length == 6)
769 bytes[i++] = 0x2e; /* CS-prefix */
772 case CALL_INSN_OPCODE:
773 __text_gen_insn(bytes+i, op, addr+i,
779 case JMP32_INSN_OPCODE:
781 __text_gen_insn(bytes+i, op, addr+i,
784 i += JMP32_INSN_SIZE;
788 WARN(1, "%pS %px %*ph\n", addr, addr, 6, addr);
792 WARN_ON_ONCE(i != insn->length);
797 static int emit_call_track_retpoline(void *addr, struct insn *insn, int reg, u8 *bytes)
799 return __emit_trampoline(addr, insn, bytes,
800 __x86_indirect_call_thunk_array[reg],
801 __x86_indirect_jump_thunk_array[reg]);
804 #ifdef CONFIG_MITIGATION_ITS
805 static int emit_its_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
807 u8 *thunk = __x86_indirect_its_thunk_array[reg];
808 u8 *tmp = its_allocate_thunk(reg);
813 return __emit_trampoline(addr, insn, bytes, thunk, thunk);
816 /* Check if an indirect branch is at ITS-unsafe address */
817 static bool cpu_wants_indirect_its_thunk_at(unsigned long addr, int reg)
819 if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
822 /* Indirect branch opcode is 2 or 3 bytes depending on reg */
825 /* Lower-half of the cacheline? */
826 return !(addr & 0x20);
828 #else /* CONFIG_MITIGATION_ITS */
830 #ifdef CONFIG_FINEIBT
831 static bool cpu_wants_indirect_its_thunk_at(unsigned long addr, int reg)
837 #endif /* CONFIG_MITIGATION_ITS */
840 * Rewrite the compiler generated retpoline thunk calls.
842 * For spectre_v2=off (!X86_FEATURE_RETPOLINE), rewrite them into immediate
843 * indirect instructions, avoiding the extra indirection.
845 * For example, convert:
847 * CALL __x86_indirect_thunk_\reg
853 * It also tries to inline spectre_v2=retpoline,lfence when size permits.
855 static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes)
857 retpoline_thunk_t *target;
861 target = addr + insn->length + insn->immediate.value;
862 reg = target - __x86_indirect_thunk_array;
864 if (WARN_ON_ONCE(reg & ~0xf))
867 /* If anyone ever does: CALL/JMP *%rsp, we're in deep trouble. */
870 if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) &&
871 !cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
872 if (cpu_feature_enabled(X86_FEATURE_CALL_DEPTH))
873 return emit_call_track_retpoline(addr, insn, reg, bytes);
878 op = insn->opcode.bytes[0];
883 * Jcc.d32 __x86_indirect_thunk_\reg
893 if (is_jcc32(insn)) {
894 cc = insn->opcode.bytes[1] & 0xf;
895 cc ^= 1; /* invert condition */
897 bytes[i++] = 0x70 + cc; /* Jcc.d8 */
898 bytes[i++] = insn->length - 2; /* sizeof(Jcc.d8) == 2 */
900 /* Continue as if: JMP.d32 __x86_indirect_thunk_\reg */
901 op = JMP32_INSN_OPCODE;
905 * For RETPOLINE_LFENCE: prepend the indirect CALL/JMP with an LFENCE.
907 if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
910 bytes[i++] = 0xe8; /* LFENCE */
913 #ifdef CONFIG_MITIGATION_ITS
915 * Check if the address of last byte of emitted-indirect is in
916 * lower-half of the cacheline. Such branches need ITS mitigation.
918 if (cpu_wants_indirect_its_thunk_at((unsigned long)addr + i, reg))
919 return emit_its_trampoline(addr, insn, reg, bytes);
922 ret = emit_indirect(op, reg, bytes + i);
928 * The compiler is supposed to EMIT an INT3 after every unconditional
929 * JMP instruction due to AMD BTC. However, if the compiler is too old
930 * or MITIGATION_SLS isn't enabled, we still need an INT3 after
931 * indirect JMPs even on Intel.
933 if (op == JMP32_INSN_OPCODE && i < insn->length)
934 bytes[i++] = INT3_INSN_OPCODE;
936 for (; i < insn->length;)
937 bytes[i++] = BYTES_NOP1;
943 * Generated by 'objtool --retpoline'.
945 void __init_or_module noinline apply_retpolines(s32 *start, s32 *end)
949 for (s = start; s < end; s++) {
950 void *addr = (void *)s + *s;
957 ret = insn_decode_kernel(&insn, addr);
958 if (WARN_ON_ONCE(ret < 0))
961 op1 = insn.opcode.bytes[0];
962 op2 = insn.opcode.bytes[1];
965 case 0x70 ... 0x7f: /* Jcc.d8 */
966 /* See cfi_paranoid. */
967 WARN_ON_ONCE(cfi_mode != CFI_FINEIBT);
970 case CALL_INSN_OPCODE:
971 case JMP32_INSN_OPCODE:
972 /* Check for cfi_paranoid + ITS */
973 dest = addr + insn.length + insn.immediate.value;
974 if (dest[-1] == 0xea && (dest[0] & 0xf0) == 0x70) {
975 WARN_ON_ONCE(cfi_mode != CFI_FINEIBT);
980 case 0x0f: /* escape */
981 if (op2 >= 0x80 && op2 <= 0x8f)
989 DPRINTK(RETPOLINE, "retpoline at: %pS (%px) len: %d to: %pS",
990 addr, addr, insn.length,
991 addr + insn.length + insn.immediate.value);
993 len = patch_retpoline(addr, &insn, bytes);
994 if (len == insn.length) {
995 optimize_nops(addr, bytes, len);
996 DUMP_BYTES(RETPOLINE, ((u8*)addr), len, "%px: orig: ", addr);
997 DUMP_BYTES(RETPOLINE, ((u8*)bytes), len, "%px: repl: ", addr);
998 text_poke_early(addr, bytes, len);
1003 #ifdef CONFIG_MITIGATION_RETHUNK
1005 bool cpu_wants_rethunk(void)
1007 return cpu_feature_enabled(X86_FEATURE_RETHUNK);
1010 bool cpu_wants_rethunk_at(void *addr)
1012 if (!cpu_feature_enabled(X86_FEATURE_RETHUNK))
1014 if (x86_return_thunk != its_return_thunk)
1017 return !((unsigned long)addr & 0x20);
1021 * Rewrite the compiler generated return thunk tail-calls.
1023 * For example, convert:
1025 * JMP __x86_return_thunk
1031 static int patch_return(void *addr, struct insn *insn, u8 *bytes)
1035 /* Patch the custom return thunks... */
1036 if (cpu_wants_rethunk_at(addr)) {
1037 i = JMP32_INSN_SIZE;
1038 __text_gen_insn(bytes, JMP32_INSN_OPCODE, addr, x86_return_thunk, i);
1040 /* ... or patch them out if not needed. */
1041 bytes[i++] = RET_INSN_OPCODE;
1044 for (; i < insn->length;)
1045 bytes[i++] = INT3_INSN_OPCODE;
1049 void __init_or_module noinline apply_returns(s32 *start, s32 *end)
1053 if (cpu_wants_rethunk())
1054 static_call_force_reinit();
1056 for (s = start; s < end; s++) {
1057 void *dest = NULL, *addr = (void *)s + *s;
1063 ret = insn_decode_kernel(&insn, addr);
1064 if (WARN_ON_ONCE(ret < 0))
1067 op = insn.opcode.bytes[0];
1068 if (op == JMP32_INSN_OPCODE)
1069 dest = addr + insn.length + insn.immediate.value;
1071 if (__static_call_fixup(addr, op, dest) ||
1072 WARN_ONCE(dest != &__x86_return_thunk,
1073 "missing return thunk: %pS-%pS: %*ph",
1074 addr, dest, 5, addr))
1077 DPRINTK(RET, "return thunk at: %pS (%px) len: %d to: %pS",
1078 addr, addr, insn.length,
1079 addr + insn.length + insn.immediate.value);
1081 len = patch_return(addr, &insn, bytes);
1082 if (len == insn.length) {
1083 DUMP_BYTES(RET, ((u8*)addr), len, "%px: orig: ", addr);
1084 DUMP_BYTES(RET, ((u8*)bytes), len, "%px: repl: ", addr);
1085 text_poke_early(addr, bytes, len);
1089 #else /* !CONFIG_MITIGATION_RETHUNK: */
1090 void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }
1091 #endif /* !CONFIG_MITIGATION_RETHUNK */
1093 #else /* !CONFIG_MITIGATION_RETPOLINE || !CONFIG_OBJTOOL */
1095 void __init_or_module noinline apply_retpolines(s32 *start, s32 *end) { }
1096 void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }
1098 #endif /* !CONFIG_MITIGATION_RETPOLINE || !CONFIG_OBJTOOL */
1100 #ifdef CONFIG_X86_KERNEL_IBT
1102 __noendbr bool is_endbr(u32 *val)
1106 __get_kernel_nofault(&endbr, val, u32, Efault);
1107 return __is_endbr(endbr);
1113 #ifdef CONFIG_FINEIBT
1115 static __noendbr bool exact_endbr(u32 *val)
1119 __get_kernel_nofault(&endbr, val, u32, Efault);
1120 return endbr == gen_endbr();
1128 static void poison_cfi(void *addr);
1130 static void __init_or_module poison_endbr(void *addr)
1132 u32 poison = gen_endbr_poison();
1134 if (WARN_ON_ONCE(!is_endbr(addr)))
1137 DPRINTK(ENDBR, "ENDBR at: %pS (%px)", addr, addr);
1140 * When we have IBT, the lack of ENDBR will trigger #CP
1142 DUMP_BYTES(ENDBR, ((u8*)addr), 4, "%px: orig: ", addr);
1143 DUMP_BYTES(ENDBR, ((u8*)&poison), 4, "%px: repl: ", addr);
1144 text_poke_early(addr, &poison, 4);
1148 * Generated by: objtool --ibt
1150 * Seal the functions for indirect calls by clobbering the ENDBR instructions
1151 * and the kCFI hash value.
1153 void __init_or_module noinline apply_seal_endbr(s32 *start, s32 *end)
1157 for (s = start; s < end; s++) {
1158 void *addr = (void *)s + *s;
1161 if (IS_ENABLED(CONFIG_FINEIBT))
1162 poison_cfi(addr - 16);
1166 #else /* !CONFIG_X86_KERNEL_IBT: */
1168 void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }
1170 #endif /* !CONFIG_X86_KERNEL_IBT */
1172 #ifdef CONFIG_CFI_AUTO_DEFAULT
1173 # define __CFI_DEFAULT CFI_AUTO
1174 #elif defined(CONFIG_CFI_CLANG)
1175 # define __CFI_DEFAULT CFI_KCFI
1177 # define __CFI_DEFAULT CFI_OFF
1180 enum cfi_mode cfi_mode __ro_after_init = __CFI_DEFAULT;
1182 #ifdef CONFIG_FINEIBT_BHI
1183 bool cfi_bhi __ro_after_init = false;
1186 #ifdef CONFIG_CFI_CLANG
1189 /* Must match bpf_func_t / DEFINE_BPF_PROG_RUN() */
1190 extern unsigned int __bpf_prog_runX(const void *ctx,
1191 const struct bpf_insn *insn);
1193 KCFI_REFERENCE(__bpf_prog_runX);
1195 /* u32 __ro_after_init cfi_bpf_hash = __kcfi_typeid___bpf_prog_runX; */
1197 " .pushsection .data..ro_after_init,\"aw\",@progbits \n"
1198 " .type cfi_bpf_hash,@object \n"
1199 " .globl cfi_bpf_hash \n"
1200 " .p2align 2, 0x0 \n"
1202 " .long __kcfi_typeid___bpf_prog_runX \n"
1203 " .size cfi_bpf_hash, 4 \n"
1207 /* Must match bpf_callback_t */
1208 extern u64 __bpf_callback_fn(u64, u64, u64, u64, u64);
1210 KCFI_REFERENCE(__bpf_callback_fn);
1212 /* u32 __ro_after_init cfi_bpf_subprog_hash = __kcfi_typeid___bpf_callback_fn; */
1214 " .pushsection .data..ro_after_init,\"aw\",@progbits \n"
1215 " .type cfi_bpf_subprog_hash,@object \n"
1216 " .globl cfi_bpf_subprog_hash \n"
1217 " .p2align 2, 0x0 \n"
1218 "cfi_bpf_subprog_hash: \n"
1219 " .long __kcfi_typeid___bpf_callback_fn \n"
1220 " .size cfi_bpf_subprog_hash, 4 \n"
1224 u32 cfi_get_func_hash(void *func)
1228 func -= cfi_get_offset();
1240 if (get_kernel_nofault(hash, func))
1246 int cfi_get_func_arity(void *func)
1251 if (cfi_mode != CFI_FINEIBT && !cfi_bhi)
1254 if (get_kernel_nofault(disp, func - 4))
1257 target = func + disp;
1258 return target - __bhi_args;
1262 #ifdef CONFIG_FINEIBT
1264 static bool cfi_rand __ro_after_init = true;
1265 static u32 cfi_seed __ro_after_init;
1268 * Re-hash the CFI hash with a boot-time seed while making sure the result is
1269 * not a valid ENDBR instruction.
1271 static u32 cfi_rehash(u32 hash)
1274 while (unlikely(__is_endbr(hash) || __is_endbr(-hash))) {
1275 bool lsb = hash & 1;
1283 static __init int cfi_parse_cmdline(char *str)
1289 char *next = strchr(str, ',');
1295 if (!strcmp(str, "auto")) {
1296 cfi_mode = CFI_AUTO;
1297 } else if (!strcmp(str, "off")) {
1300 } else if (!strcmp(str, "kcfi")) {
1301 cfi_mode = CFI_KCFI;
1302 } else if (!strcmp(str, "fineibt")) {
1303 cfi_mode = CFI_FINEIBT;
1304 } else if (!strcmp(str, "norand")) {
1306 } else if (!strcmp(str, "warn")) {
1307 pr_alert("CFI mismatch non-fatal!\n");
1309 } else if (!strcmp(str, "paranoid")) {
1310 if (cfi_mode == CFI_FINEIBT) {
1311 cfi_paranoid = true;
1313 pr_err("Ignoring paranoid; depends on fineibt.\n");
1315 } else if (!strcmp(str, "bhi")) {
1316 #ifdef CONFIG_FINEIBT_BHI
1317 if (cfi_mode == CFI_FINEIBT) {
1320 pr_err("Ignoring bhi; depends on fineibt.\n");
1323 pr_err("Ignoring bhi; depends on FINEIBT_BHI=y.\n");
1326 pr_err("Ignoring unknown cfi option (%s).", str);
1334 early_param("cfi", cfi_parse_cmdline);
1339 * __cfi_\func: __cfi_\func:
1340 * movl $0x12345678,%eax // 5 endbr64 // 4
1341 * nop subl $0x12345678,%r10d // 7
1342 * nop jne __cfi_\func+6 // 2
1355 * movl $(-0x12345678),%r10d // 6 movl $0x12345678,%r10d // 6
1356 * addl $-15(%r11),%r10d // 4 lea -0x10(%r11),%r11 // 4
1357 * je 1f // 2 nop4 // 4
1359 * 1: cs call __x86_indirect_thunk_r11 // 6 call *%r11; nop3; // 6
1364 * <fineibt_preamble_start>:
1365 * 0: f3 0f 1e fa endbr64
1366 * 4: 41 81 <ea> 78 56 34 12 sub $0x12345678, %r10d
1367 * b: 75 f9 jne 6 <fineibt_preamble_start+0x6>
1368 * d: 0f 1f 00 nopl (%rax)
1370 * Note that the JNE target is the 0xEA byte inside the SUB, this decodes as
1371 * (bad) on x86_64 and raises #UD.
1373 asm( ".pushsection .rodata \n"
1374 "fineibt_preamble_start: \n"
1376 " subl $0x12345678, %r10d \n"
1377 "fineibt_preamble_bhi: \n"
1378 " jne fineibt_preamble_start+6 \n"
1380 "fineibt_preamble_end: \n"
1384 extern u8 fineibt_preamble_start[];
1385 extern u8 fineibt_preamble_bhi[];
1386 extern u8 fineibt_preamble_end[];
1388 #define fineibt_preamble_size (fineibt_preamble_end - fineibt_preamble_start)
1389 #define fineibt_preamble_bhi (fineibt_preamble_bhi - fineibt_preamble_start)
1390 #define fineibt_preamble_ud 6
1391 #define fineibt_preamble_hash 7
1394 * <fineibt_caller_start>:
1395 * 0: 41 ba 78 56 34 12 mov $0x12345678, %r10d
1396 * 6: 4d 8d 5b f0 lea -0x10(%r11), %r11
1397 * a: 0f 1f 40 00 nopl 0x0(%rax)
1399 asm( ".pushsection .rodata \n"
1400 "fineibt_caller_start: \n"
1401 " movl $0x12345678, %r10d \n"
1402 " lea -0x10(%r11), %r11 \n"
1404 "fineibt_caller_end: \n"
1408 extern u8 fineibt_caller_start[];
1409 extern u8 fineibt_caller_end[];
1411 #define fineibt_caller_size (fineibt_caller_end - fineibt_caller_start)
1412 #define fineibt_caller_hash 2
1414 #define fineibt_caller_jmp (fineibt_caller_size - 2)
1417 * Since FineIBT does hash validation on the callee side it is prone to
1418 * circumvention attacks where a 'naked' ENDBR instruction exists that
1419 * is not part of the fineibt_preamble sequence.
1421 * Notably the x86 entry points must be ENDBR and equally cannot be
1424 * The fineibt_paranoid caller sequence adds additional caller side
1425 * hash validation. This stops such circumvention attacks dead, but at the cost
1428 * <fineibt_paranoid_start>:
1429 * 0: 41 ba 78 56 34 12 mov $0x12345678, %r10d
1430 * 6: 45 3b 53 f7 cmp -0x9(%r11), %r10d
1431 * a: 4d 8d 5b <f0> lea -0x10(%r11), %r11
1432 * e: 75 fd jne d <fineibt_paranoid_start+0xd>
1433 * 10: 41 ff d3 call *%r11
1436 * Notably LEA does not modify flags and can be reordered with the CMP,
1437 * avoiding a dependency. Again, using a non-taken (backwards) branch
1438 * for the failure case, abusing LEA's immediate 0xf0 as LOCK prefix for the
1439 * Jcc.d8, causing #UD.
1441 asm( ".pushsection .rodata \n"
1442 "fineibt_paranoid_start: \n"
1443 " movl $0x12345678, %r10d \n"
1444 " cmpl -9(%r11), %r10d \n"
1445 " lea -0x10(%r11), %r11 \n"
1446 " jne fineibt_paranoid_start+0xd \n"
1447 "fineibt_paranoid_ind: \n"
1450 "fineibt_paranoid_end: \n"
1454 extern u8 fineibt_paranoid_start[];
1455 extern u8 fineibt_paranoid_ind[];
1456 extern u8 fineibt_paranoid_end[];
1458 #define fineibt_paranoid_size (fineibt_paranoid_end - fineibt_paranoid_start)
1459 #define fineibt_paranoid_ind (fineibt_paranoid_ind - fineibt_paranoid_start)
1460 #define fineibt_paranoid_ud 0xd
1462 static u32 decode_preamble_hash(void *addr, int *reg)
1466 /* b8+reg 78 56 34 12 movl $0x12345678,\reg */
1467 if (p[0] >= 0xb8 && p[0] < 0xc0) {
1470 return *(u32 *)(addr + 1);
1473 return 0; /* invalid hash value */
1476 static u32 decode_caller_hash(void *addr)
1480 /* 41 ba 88 a9 cb ed mov $(-0x12345678),%r10d */
1481 if (p[0] == 0x41 && p[1] == 0xba)
1482 return -*(u32 *)(addr + 2);
1484 /* e8 0c 88 a9 cb ed jmp.d8 +12 */
1485 if (p[0] == JMP8_INSN_OPCODE && p[1] == fineibt_caller_jmp)
1486 return -*(u32 *)(addr + 2);
1488 return 0; /* invalid hash value */
1491 /* .retpoline_sites */
1492 static int cfi_disable_callers(s32 *start, s32 *end)
1495 * Disable kCFI by patching in a JMP.d8, this leaves the hash immediate
1496 * in tact for later usage. Also see decode_caller_hash() and
1497 * cfi_rewrite_callers().
1499 const u8 jmp[] = { JMP8_INSN_OPCODE, fineibt_caller_jmp };
1502 for (s = start; s < end; s++) {
1503 void *addr = (void *)s + *s;
1506 addr -= fineibt_caller_size;
1507 hash = decode_caller_hash(addr);
1508 if (!hash) /* nocfi callers */
1511 text_poke_early(addr, jmp, 2);
1517 static int cfi_enable_callers(s32 *start, s32 *end)
1520 * Re-enable kCFI, undo what cfi_disable_callers() did.
1522 const u8 mov[] = { 0x41, 0xba };
1525 for (s = start; s < end; s++) {
1526 void *addr = (void *)s + *s;
1529 addr -= fineibt_caller_size;
1530 hash = decode_caller_hash(addr);
1531 if (!hash) /* nocfi callers */
1534 text_poke_early(addr, mov, 2);
1541 static int cfi_rand_preamble(s32 *start, s32 *end)
1545 for (s = start; s < end; s++) {
1546 void *addr = (void *)s + *s;
1549 hash = decode_preamble_hash(addr, NULL);
1550 if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",
1551 addr, addr, 5, addr))
1554 hash = cfi_rehash(hash);
1555 text_poke_early(addr + 1, &hash, 4);
1561 static void cfi_fineibt_bhi_preamble(void *addr, int arity)
1566 if (!cfi_warn && arity == 1) {
1568 * Crazy scheme to allow arity-1 inline:
1571 * 0: f3 0f 1e fa endbr64
1572 * 4: 41 81 <ea> 78 56 34 12 sub 0x12345678, %r10d
1573 * b: 49 0f 45 fa cmovne %r10, %rdi
1574 * f: 75 f5 jne __cfi_foo+6
1575 * 11: 0f 1f 00 nopl (%rax)
1577 * Code that direct calls to foo()+0, decodes the tail end as:
1581 * 1: 0f 1f 00 nopl (%rax)
1583 * which clobbers CF, but does not affect anything ABI
1586 * Notably, this scheme is incompatible with permissive CFI
1587 * because the CMOVcc is unconditional and RDI will have been
1590 const u8 magic[9] = {
1591 0x49, 0x0f, 0x45, 0xfa,
1596 text_poke_early(addr + fineibt_preamble_bhi, magic, 9);
1601 text_poke_early(addr + fineibt_preamble_bhi,
1602 text_gen_insn(CALL_INSN_OPCODE,
1603 addr + fineibt_preamble_bhi,
1608 static int cfi_rewrite_preamble(s32 *start, s32 *end)
1612 for (s = start; s < end; s++) {
1613 void *addr = (void *)s + *s;
1618 * When the function doesn't start with ENDBR the compiler will
1619 * have determined there are no indirect calls to it and we
1620 * don't need no CFI either.
1622 if (!is_endbr(addr + 16))
1625 hash = decode_preamble_hash(addr, &arity);
1626 if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",
1627 addr, addr, 5, addr))
1630 text_poke_early(addr, fineibt_preamble_start, fineibt_preamble_size);
1631 WARN_ON(*(u32 *)(addr + fineibt_preamble_hash) != 0x12345678);
1632 text_poke_early(addr + fineibt_preamble_hash, &hash, 4);
1634 WARN_ONCE(!IS_ENABLED(CONFIG_FINEIBT_BHI) && arity,
1635 "kCFI preamble has wrong register at: %pS %*ph\n",
1639 cfi_fineibt_bhi_preamble(addr, arity);
1645 static void cfi_rewrite_endbr(s32 *start, s32 *end)
1649 for (s = start; s < end; s++) {
1650 void *addr = (void *)s + *s;
1652 if (!exact_endbr(addr + 16))
1655 poison_endbr(addr + 16);
1659 /* .retpoline_sites */
1660 static int cfi_rand_callers(s32 *start, s32 *end)
1664 for (s = start; s < end; s++) {
1665 void *addr = (void *)s + *s;
1668 addr -= fineibt_caller_size;
1669 hash = decode_caller_hash(addr);
1671 hash = -cfi_rehash(hash);
1672 text_poke_early(addr + 2, &hash, 4);
1679 static int emit_paranoid_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
1681 u8 *thunk = (void *)__x86_indirect_its_thunk_array[reg] - 2;
1683 #ifdef CONFIG_MITIGATION_ITS
1684 u8 *tmp = its_allocate_thunk(reg);
1689 return __emit_trampoline(addr, insn, bytes, thunk, thunk);
1692 static int cfi_rewrite_callers(s32 *start, s32 *end)
1696 BUG_ON(fineibt_paranoid_size != 20);
1698 for (s = start; s < end; s++) {
1699 void *addr = (void *)s + *s;
1706 addr -= fineibt_caller_size;
1707 hash = decode_caller_hash(addr);
1711 if (!cfi_paranoid) {
1712 text_poke_early(addr, fineibt_caller_start, fineibt_caller_size);
1713 WARN_ON(*(u32 *)(addr + fineibt_caller_hash) != 0x12345678);
1714 text_poke_early(addr + fineibt_caller_hash, &hash, 4);
1715 /* rely on apply_retpolines() */
1720 ret = insn_decode_kernel(&insn, addr + fineibt_caller_size);
1721 if (WARN_ON_ONCE(ret < 0))
1724 op = insn.opcode.bytes[0];
1725 if (op != CALL_INSN_OPCODE && op != JMP32_INSN_OPCODE) {
1730 memcpy(bytes, fineibt_paranoid_start, fineibt_paranoid_size);
1731 memcpy(bytes + fineibt_caller_hash, &hash, 4);
1733 if (cpu_wants_indirect_its_thunk_at((unsigned long)addr + fineibt_paranoid_ind, 11)) {
1734 emit_paranoid_trampoline(addr + fineibt_caller_size,
1735 &insn, 11, bytes + fineibt_caller_size);
1737 ret = emit_indirect(op, 11, bytes + fineibt_paranoid_ind);
1738 if (WARN_ON_ONCE(ret != 3))
1742 text_poke_early(addr, bytes, fineibt_paranoid_size);
1748 static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
1749 s32 *start_cfi, s32 *end_cfi, bool builtin)
1753 if (WARN_ONCE(fineibt_preamble_size != 16,
1754 "FineIBT preamble wrong size: %ld", fineibt_preamble_size))
1757 if (cfi_mode == CFI_AUTO) {
1758 cfi_mode = CFI_KCFI;
1759 if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) {
1761 * FRED has much saner context on exception entry and
1762 * is less easy to take advantage of.
1764 if (!cpu_feature_enabled(X86_FEATURE_FRED))
1765 cfi_paranoid = true;
1766 cfi_mode = CFI_FINEIBT;
1771 * Rewrite the callers to not use the __cfi_ stubs, such that we might
1772 * rewrite them. This disables all CFI. If this succeeds but any of the
1773 * later stages fails, we're without CFI.
1775 ret = cfi_disable_callers(start_retpoline, end_retpoline);
1781 cfi_seed = get_random_u32();
1782 cfi_bpf_hash = cfi_rehash(cfi_bpf_hash);
1783 cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);
1786 ret = cfi_rand_preamble(start_cfi, end_cfi);
1790 ret = cfi_rand_callers(start_retpoline, end_retpoline);
1798 pr_info("Disabling CFI\n");
1802 ret = cfi_enable_callers(start_retpoline, end_retpoline);
1807 pr_info("Using kCFI\n");
1811 /* place the FineIBT preamble at func()-16 */
1812 ret = cfi_rewrite_preamble(start_cfi, end_cfi);
1816 /* rewrite the callers to target func()-16 */
1817 ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
1821 /* now that nobody targets func()+0, remove ENDBR there */
1822 cfi_rewrite_endbr(start_cfi, end_cfi);
1825 pr_info("Using %sFineIBT%s CFI\n",
1826 cfi_paranoid ? "paranoid " : "",
1827 cfi_bhi ? "+BHI" : "");
1836 pr_err("Something went horribly wrong trying to rewrite the CFI implementation.\n");
1839 static inline void poison_hash(void *addr)
1844 static void poison_cfi(void *addr)
1847 * Compilers manage to be inconsistent with ENDBR vs __cfi prefixes,
1848 * some (static) functions for which they can determine the address
1849 * is never taken do not get a __cfi prefix, but *DO* get an ENDBR.
1851 * As such, these functions will get sealed, but we need to be careful
1852 * to not unconditionally scribble the previous function.
1857 * FineIBT prefix should start with an ENDBR.
1859 if (!is_endbr(addr))
1871 poison_hash(addr + fineibt_preamble_hash);
1876 * kCFI prefix should start with a valid hash.
1878 if (!decode_preamble_hash(addr, NULL))
1886 poison_hash(addr + 1);
1895 * When regs->ip points to a 0xEA byte in the FineIBT preamble,
1896 * return true and fill out target and type.
1898 * We check the preamble by checking for the ENDBR instruction relative to the
1901 static bool decode_fineibt_preamble(struct pt_regs *regs, unsigned long *target, u32 *type)
1903 unsigned long addr = regs->ip - fineibt_preamble_ud;
1906 if (!exact_endbr((void *)addr))
1909 *target = addr + fineibt_preamble_size;
1911 __get_kernel_nofault(&hash, addr + fineibt_preamble_hash, u32, Efault);
1912 *type = (u32)regs->r10 + hash;
1915 * Since regs->ip points to the middle of an instruction; it cannot
1916 * continue with the normal fixup.
1927 * regs->ip points to one of the UD2 in __bhi_args[].
1929 static bool decode_fineibt_bhi(struct pt_regs *regs, unsigned long *target, u32 *type)
1937 if (regs->ip < (unsigned long)__bhi_args ||
1938 regs->ip >= (unsigned long)__bhi_args_end)
1942 * Fetch the return address from the stack, this points to the
1943 * FineIBT preamble. Since the CALL instruction is in the 5 last
1944 * bytes of the preamble, the return address is in fact the target
1947 __get_kernel_nofault(&addr, regs->sp, unsigned long, Efault);
1950 addr -= fineibt_preamble_size;
1951 if (!exact_endbr((void *)addr))
1954 __get_kernel_nofault(&hash, addr + fineibt_preamble_hash, u32, Efault);
1955 *type = (u32)regs->r10 + hash;
1958 * The UD2 sites are constructed with a RET immediately following,
1959 * as such the non-fatal case can use the regular fixup.
1967 static bool is_paranoid_thunk(unsigned long addr)
1971 __get_kernel_nofault(&thunk, (u32 *)addr, u32, Efault);
1972 return (thunk & 0x00FFFFFF) == 0xfd75ea;
1979 * regs->ip points to a LOCK Jcc.d8 instruction from the fineibt_paranoid_start[]
1980 * sequence, or to an invalid instruction (0xea) + Jcc.d8 for cfi_paranoid + ITS
1983 static bool decode_fineibt_paranoid(struct pt_regs *regs, unsigned long *target, u32 *type)
1985 unsigned long addr = regs->ip - fineibt_paranoid_ud;
1990 if (is_cfi_trap(addr + fineibt_caller_size - LEN_UD2)) {
1991 *target = regs->r11 + fineibt_preamble_size;
1995 * Since the trapping instruction is the exact, but LOCK prefixed,
1996 * Jcc.d8 that got us here, the normal fixup will work.
2002 * The cfi_paranoid + ITS thunk combination results in:
2004 * 0: 41 ba 78 56 34 12 mov $0x12345678, %r10d
2005 * 6: 45 3b 53 f7 cmp -0x9(%r11), %r10d
2006 * a: 4d 8d 5b f0 lea -0x10(%r11), %r11
2007 * e: 2e e8 XX XX XX XX cs call __x86_indirect_paranoid_thunk_r11
2009 * Where the paranoid_thunk looks like:
2012 * __x86_indirect_paranoid_thunk_r11:
2014 * __x86_indirect_its_thunk_r11:
2015 * 20: 41 ff eb jmp *%r11
2019 if (is_paranoid_thunk(regs->ip)) {
2020 *target = regs->r11 + fineibt_preamble_size;
2030 bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
2032 if (decode_fineibt_paranoid(regs, target, type))
2035 if (decode_fineibt_bhi(regs, target, type))
2038 return decode_fineibt_preamble(regs, target, type);
2041 #else /* !CONFIG_FINEIBT: */
2043 static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
2044 s32 *start_cfi, s32 *end_cfi, bool builtin)
2048 #ifdef CONFIG_X86_KERNEL_IBT
2049 static void poison_cfi(void *addr) { }
2052 #endif /* !CONFIG_FINEIBT */
2054 void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
2055 s32 *start_cfi, s32 *end_cfi)
2057 return __apply_fineibt(start_retpoline, end_retpoline,
2059 /* .builtin = */ false);
2063 static void alternatives_smp_lock(const s32 *start, const s32 *end,
2064 u8 *text, u8 *text_end)
2068 for (poff = start; poff < end; poff++) {
2069 u8 *ptr = (u8 *)poff + *poff;
2071 if (!*poff || ptr < text || ptr >= text_end)
2073 /* turn DS segment override prefix into lock prefix */
2075 text_poke(ptr, ((unsigned char []){0xf0}), 1);
2079 static void alternatives_smp_unlock(const s32 *start, const s32 *end,
2080 u8 *text, u8 *text_end)
2084 for (poff = start; poff < end; poff++) {
2085 u8 *ptr = (u8 *)poff + *poff;
2087 if (!*poff || ptr < text || ptr >= text_end)
2089 /* turn lock prefix into DS segment override prefix */
2091 text_poke(ptr, ((unsigned char []){0x3E}), 1);
2095 struct smp_alt_module {
2096 /* what is this ??? */
2100 /* ptrs to lock prefixes */
2102 const s32 *locks_end;
2104 /* .text segment, needed to avoid patching init code ;) */
2108 struct list_head next;
2110 static LIST_HEAD(smp_alt_modules);
2111 static bool uniproc_patched = false; /* protected by text_mutex */
2113 void __init_or_module alternatives_smp_module_add(struct module *mod,
2115 void *locks, void *locks_end,
2116 void *text, void *text_end)
2118 struct smp_alt_module *smp;
2120 mutex_lock(&text_mutex);
2121 if (!uniproc_patched)
2124 if (num_possible_cpus() == 1)
2125 /* Don't bother remembering, we'll never have to undo it. */
2128 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
2130 /* we'll run the (safe but slow) SMP code then ... */
2136 smp->locks_end = locks_end;
2138 smp->text_end = text_end;
2139 DPRINTK(SMP, "locks %p -> %p, text %p -> %p, name %s\n",
2140 smp->locks, smp->locks_end,
2141 smp->text, smp->text_end, smp->name);
2143 list_add_tail(&smp->next, &smp_alt_modules);
2145 alternatives_smp_unlock(locks, locks_end, text, text_end);
2147 mutex_unlock(&text_mutex);
2150 void __init_or_module alternatives_smp_module_del(struct module *mod)
2152 struct smp_alt_module *item;
2154 mutex_lock(&text_mutex);
2155 list_for_each_entry(item, &smp_alt_modules, next) {
2156 if (mod != item->mod)
2158 list_del(&item->next);
2162 mutex_unlock(&text_mutex);
2165 void alternatives_enable_smp(void)
2167 struct smp_alt_module *mod;
2169 /* Why bother if there are no other CPUs? */
2170 BUG_ON(num_possible_cpus() == 1);
2172 mutex_lock(&text_mutex);
2174 if (uniproc_patched) {
2175 pr_info("switching to SMP code\n");
2176 BUG_ON(num_online_cpus() != 1);
2177 clear_cpu_cap(&boot_cpu_data, X86_FEATURE_UP);
2178 clear_cpu_cap(&cpu_data(0), X86_FEATURE_UP);
2179 list_for_each_entry(mod, &smp_alt_modules, next)
2180 alternatives_smp_lock(mod->locks, mod->locks_end,
2181 mod->text, mod->text_end);
2182 uniproc_patched = false;
2184 mutex_unlock(&text_mutex);
2188 * Return 1 if the address range is reserved for SMP-alternatives.
2189 * Must hold text_mutex.
2191 int alternatives_text_reserved(void *start, void *end)
2193 struct smp_alt_module *mod;
2195 u8 *text_start = start;
2198 lockdep_assert_held(&text_mutex);
2200 list_for_each_entry(mod, &smp_alt_modules, next) {
2201 if (mod->text > text_end || mod->text_end < text_start)
2203 for (poff = mod->locks; poff < mod->locks_end; poff++) {
2204 const u8 *ptr = (const u8 *)poff + *poff;
2206 if (text_start <= ptr && text_end > ptr)
2213 #endif /* CONFIG_SMP */
2216 * Self-test for the INT3 based CALL emulation code.
2218 * This exercises int3_emulate_call() to make sure INT3 pt_regs are set up
2219 * properly and that there is a stack gap between the INT3 frame and the
2220 * previous context. Without this gap doing a virtual PUSH on the interrupted
2221 * stack would corrupt the INT3 IRET frame.
2223 * See entry_{32,64}.S for more details.
2227 * We define the int3_magic() function in assembly to control the calling
2228 * convention such that we can 'call' it from assembly.
2231 extern void int3_magic(unsigned int *ptr); /* defined in asm */
2234 " .pushsection .init.text, \"ax\", @progbits\n"
2235 " .type int3_magic, @function\n"
2238 " movl $1, (%" _ASM_ARG1 ")\n"
2240 " .size int3_magic, .-int3_magic\n"
2244 extern void int3_selftest_ip(void); /* defined in asm below */
2247 int3_exception_notify(struct notifier_block *self, unsigned long val, void *data)
2249 unsigned long selftest = (unsigned long)&int3_selftest_ip;
2250 struct die_args *args = data;
2251 struct pt_regs *regs = args->regs;
2253 OPTIMIZER_HIDE_VAR(selftest);
2255 if (!regs || user_mode(regs))
2258 if (val != DIE_INT3)
2261 if (regs->ip - INT3_INSN_SIZE != selftest)
2264 int3_emulate_call(regs, (unsigned long)&int3_magic);
2268 /* Must be noinline to ensure uniqueness of int3_selftest_ip. */
2269 static noinline void __init int3_selftest(void)
2271 static __initdata struct notifier_block int3_exception_nb = {
2272 .notifier_call = int3_exception_notify,
2273 .priority = INT_MAX-1, /* last */
2275 unsigned int val = 0;
2277 BUG_ON(register_die_notifier(&int3_exception_nb));
2280 * Basically: int3_magic(&val); but really complicated :-)
2282 * INT3 padded with NOP to CALL_INSN_SIZE. The int3_exception_nb
2283 * notifier above will emulate CALL for us.
2285 asm volatile ("int3_selftest_ip:\n\t"
2287 " int3; nop; nop; nop; nop\n\t"
2288 : ASM_CALL_CONSTRAINT
2289 : __ASM_SEL_RAW(a, D) (&val)
2294 unregister_die_notifier(&int3_exception_nb);
2297 static __initdata int __alt_reloc_selftest_addr;
2299 extern void __init __alt_reloc_selftest(void *arg);
2300 __visible noinline void __init __alt_reloc_selftest(void *arg)
2302 WARN_ON(arg != &__alt_reloc_selftest_addr);
2305 static noinline void __init alt_reloc_selftest(void)
2308 * Tests text_poke_apply_relocation().
2310 * This has a relative immediate (CALL) in a place other than the first
2311 * instruction and additionally on x86_64 we get a RIP-relative LEA:
2313 * lea 0x0(%rip),%rdi # 5d0: R_X86_64_PC32 .init.data+0x5566c
2314 * call +0 # 5d5: R_X86_64_PLT32 __alt_reloc_selftest-0x4
2316 * Getting this wrong will either crash and burn or tickle the WARN
2319 asm_inline volatile (
2320 ALTERNATIVE("", "lea %[mem], %%" _ASM_ARG1 "; call __alt_reloc_selftest;", X86_FEATURE_ALWAYS)
2321 : ASM_CALL_CONSTRAINT
2322 : [mem] "m" (__alt_reloc_selftest_addr)
2327 void __init alternative_instructions(void)
2334 * The patching is not fully atomic, so try to avoid local
2335 * interruptions that might execute the to be patched code.
2336 * Other CPUs are not running.
2341 * Don't stop machine check exceptions while patching.
2342 * MCEs only happen when something got corrupted and in this
2343 * case we must do something about the corruption.
2344 * Ignoring it is worse than an unlikely patching race.
2345 * Also machine checks tend to be broadcast and if one CPU
2346 * goes into machine check the others follow quickly, so we don't
2347 * expect a machine check to cause undue problems during to code
2352 * Make sure to set (artificial) features depending on used paravirt
2353 * functions which can later influence alternative patching.
2357 /* Keep CET-IBT disabled until caller/callee are patched */
2358 ibt = ibt_save(/*disable*/ true);
2360 __apply_fineibt(__retpoline_sites, __retpoline_sites_end,
2361 __cfi_sites, __cfi_sites_end, true);
2364 * Rewrite the retpolines, must be done before alternatives since
2365 * those can rewrite the retpoline thunks.
2367 apply_retpolines(__retpoline_sites, __retpoline_sites_end);
2368 apply_returns(__return_sites, __return_sites_end);
2373 * Adjust all CALL instructions to point to func()-10, including
2374 * those in .altinstr_replacement.
2376 callthunks_patch_builtin_calls();
2378 apply_alternatives(__alt_instructions, __alt_instructions_end);
2381 * Seal all functions that do not have their address taken.
2383 apply_seal_endbr(__ibt_endbr_seal, __ibt_endbr_seal_end);
2388 /* Patch to UP if other cpus not imminent. */
2389 if (!noreplace_smp && (num_present_cpus() == 1 || setup_max_cpus <= 1)) {
2390 uniproc_patched = true;
2391 alternatives_smp_module_add(NULL, "core kernel",
2392 __smp_locks, __smp_locks_end,
2396 if (!uniproc_patched || num_possible_cpus() == 1) {
2397 free_init_pages("SMP alternatives",
2398 (unsigned long)__smp_locks,
2399 (unsigned long)__smp_locks_end);
2404 alternatives_patched = 1;
2406 alt_reloc_selftest();
2410 * text_poke_early - Update instructions on a live kernel at boot time
2411 * @addr: address to modify
2412 * @opcode: source of the copy
2413 * @len: length to copy
2415 * When you use this code to patch more than one byte of an instruction
2416 * you need to make sure that other CPUs cannot execute this code in parallel.
2417 * Also no thread must be currently preempted in the middle of these
2418 * instructions. And on the local CPU you need to be protected against NMI or
2419 * MCE handlers seeing an inconsistent instruction while you patch.
2421 void __init_or_module text_poke_early(void *addr, const void *opcode,
2424 unsigned long flags;
2426 if (boot_cpu_has(X86_FEATURE_NX) &&
2427 is_module_text_address((unsigned long)addr)) {
2429 * Modules text is marked initially as non-executable, so the
2430 * code cannot be running and speculative code-fetches are
2431 * prevented. Just change the code.
2433 memcpy(addr, opcode, len);
2435 local_irq_save(flags);
2436 memcpy(addr, opcode, len);
2438 local_irq_restore(flags);
2441 * Could also do a CLFLUSH here to speed up CPU recovery; but
2442 * that causes hangs on some VIA CPUs.
2447 __ro_after_init struct mm_struct *text_poke_mm;
2448 __ro_after_init unsigned long text_poke_mm_addr;
2450 static void text_poke_memcpy(void *dst, const void *src, size_t len)
2452 memcpy(dst, src, len);
2455 static void text_poke_memset(void *dst, const void *src, size_t len)
2457 int c = *(const int *)src;
2459 memset(dst, c, len);
2462 typedef void text_poke_f(void *dst, const void *src, size_t len);
2464 static void *__text_poke(text_poke_f func, void *addr, const void *src, size_t len)
2466 bool cross_page_boundary = offset_in_page(addr) + len > PAGE_SIZE;
2467 struct page *pages[2] = {NULL};
2468 struct mm_struct *prev_mm;
2469 unsigned long flags;
2475 * While boot memory allocator is running we cannot use struct pages as
2476 * they are not yet initialized. There is no way to recover.
2478 BUG_ON(!after_bootmem);
2480 if (!core_kernel_text((unsigned long)addr)) {
2481 pages[0] = vmalloc_to_page(addr);
2482 if (cross_page_boundary)
2483 pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
2485 pages[0] = virt_to_page(addr);
2486 WARN_ON(!PageReserved(pages[0]));
2487 if (cross_page_boundary)
2488 pages[1] = virt_to_page(addr + PAGE_SIZE);
2491 * If something went wrong, crash and burn since recovery paths are not
2494 BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
2497 * Map the page without the global bit, as TLB flushing is done with
2498 * flush_tlb_mm_range(), which is intended for non-global PTEs.
2500 pgprot = __pgprot(pgprot_val(PAGE_KERNEL) & ~_PAGE_GLOBAL);
2503 * The lock is not really needed, but this allows to avoid open-coding.
2505 ptep = get_locked_pte(text_poke_mm, text_poke_mm_addr, &ptl);
2508 * This must not fail; preallocated in poking_init().
2512 local_irq_save(flags);
2514 pte = mk_pte(pages[0], pgprot);
2515 set_pte_at(text_poke_mm, text_poke_mm_addr, ptep, pte);
2517 if (cross_page_boundary) {
2518 pte = mk_pte(pages[1], pgprot);
2519 set_pte_at(text_poke_mm, text_poke_mm_addr + PAGE_SIZE, ptep + 1, pte);
2523 * Loading the temporary mm behaves as a compiler barrier, which
2524 * guarantees that the PTE will be set at the time memcpy() is done.
2526 prev_mm = use_temporary_mm(text_poke_mm);
2528 kasan_disable_current();
2529 func((u8 *)text_poke_mm_addr + offset_in_page(addr), src, len);
2530 kasan_enable_current();
2533 * Ensure that the PTE is only cleared after the instructions of memcpy
2534 * were issued by using a compiler barrier.
2538 pte_clear(text_poke_mm, text_poke_mm_addr, ptep);
2539 if (cross_page_boundary)
2540 pte_clear(text_poke_mm, text_poke_mm_addr + PAGE_SIZE, ptep + 1);
2543 * Loading the previous page-table hierarchy requires a serializing
2544 * instruction that already allows the core to see the updated version.
2545 * Xen-PV is assumed to serialize execution in a similar manner.
2547 unuse_temporary_mm(prev_mm);
2550 * Flushing the TLB might involve IPIs, which would require enabled
2551 * IRQs, but not if the mm is not used, as it is in this point.
2553 flush_tlb_mm_range(text_poke_mm, text_poke_mm_addr, text_poke_mm_addr +
2554 (cross_page_boundary ? 2 : 1) * PAGE_SIZE,
2557 if (func == text_poke_memcpy) {
2559 * If the text does not match what we just wrote then something is
2560 * fundamentally screwy; there's nothing we can really do about that.
2562 BUG_ON(memcmp(addr, src, len));
2565 local_irq_restore(flags);
2566 pte_unmap_unlock(ptep, ptl);
2571 * text_poke - Update instructions on a live kernel
2572 * @addr: address to modify
2573 * @opcode: source of the copy
2574 * @len: length to copy
2576 * Only atomic text poke/set should be allowed when not doing early patching.
2577 * It means the size must be writable atomically and the address must be aligned
2578 * in a way that permits an atomic write. It also makes sure we fit on a single
2581 * Note that the caller must ensure that if the modified code is part of a
2582 * module, the module would not be removed during poking. This can be achieved
2583 * by registering a module notifier, and ordering module removal and patching
2586 void *text_poke(void *addr, const void *opcode, size_t len)
2588 lockdep_assert_held(&text_mutex);
2590 return __text_poke(text_poke_memcpy, addr, opcode, len);
2594 * text_poke_kgdb - Update instructions on a live kernel by kgdb
2595 * @addr: address to modify
2596 * @opcode: source of the copy
2597 * @len: length to copy
2599 * Only atomic text poke/set should be allowed when not doing early patching.
2600 * It means the size must be writable atomically and the address must be aligned
2601 * in a way that permits an atomic write. It also makes sure we fit on a single
2604 * Context: should only be used by kgdb, which ensures no other core is running,
2605 * despite the fact it does not hold the text_mutex.
2607 void *text_poke_kgdb(void *addr, const void *opcode, size_t len)
2609 return __text_poke(text_poke_memcpy, addr, opcode, len);
2612 void *text_poke_copy_locked(void *addr, const void *opcode, size_t len,
2615 unsigned long start = (unsigned long)addr;
2618 if (WARN_ON_ONCE(!core_ok && core_kernel_text(start)))
2621 while (patched < len) {
2622 unsigned long ptr = start + patched;
2625 s = min_t(size_t, PAGE_SIZE * 2 - offset_in_page(ptr), len - patched);
2627 __text_poke(text_poke_memcpy, (void *)ptr, opcode + patched, s);
2634 * text_poke_copy - Copy instructions into (an unused part of) RX memory
2635 * @addr: address to modify
2636 * @opcode: source of the copy
2637 * @len: length to copy, could be more than 2x PAGE_SIZE
2639 * Not safe against concurrent execution; useful for JITs to dump
2640 * new code blocks into unused regions of RX memory. Can be used in
2641 * conjunction with synchronize_rcu_tasks() to wait for existing
2642 * execution to quiesce after having made sure no existing functions
2643 * pointers are live.
2645 void *text_poke_copy(void *addr, const void *opcode, size_t len)
2647 mutex_lock(&text_mutex);
2648 addr = text_poke_copy_locked(addr, opcode, len, false);
2649 mutex_unlock(&text_mutex);
2654 * text_poke_set - memset into (an unused part of) RX memory
2655 * @addr: address to modify
2656 * @c: the byte to fill the area with
2657 * @len: length to copy, could be more than 2x PAGE_SIZE
2659 * This is useful to overwrite unused regions of RX memory with illegal
2662 void *text_poke_set(void *addr, int c, size_t len)
2664 unsigned long start = (unsigned long)addr;
2667 if (WARN_ON_ONCE(core_kernel_text(start)))
2670 mutex_lock(&text_mutex);
2671 while (patched < len) {
2672 unsigned long ptr = start + patched;
2675 s = min_t(size_t, PAGE_SIZE * 2 - offset_in_page(ptr), len - patched);
2677 __text_poke(text_poke_memset, (void *)ptr, (void *)&c, s);
2680 mutex_unlock(&text_mutex);
2684 static void do_sync_core(void *info)
2689 void smp_text_poke_sync_each_cpu(void)
2691 on_each_cpu(do_sync_core, NULL, 1);
2695 * NOTE: crazy scheme to allow patching Jcc.d32 but not increase the size of
2696 * this thing. When len == 6 everything is prefixed with 0x0f and we map
2697 * opcode to Jcc.d8, using len to distinguish.
2699 struct smp_text_poke_loc {
2700 /* addr := _stext + rel_addr */
2705 const u8 text[TEXT_POKE_MAX_OPCODE_SIZE];
2706 /* see smp_text_poke_batch_finish() */
2710 #define TEXT_POKE_ARRAY_MAX (PAGE_SIZE / sizeof(struct smp_text_poke_loc))
2712 static struct smp_text_poke_array {
2713 struct smp_text_poke_loc vec[TEXT_POKE_ARRAY_MAX];
2717 static DEFINE_PER_CPU(atomic_t, text_poke_array_refs);
2720 * These four __always_inline annotations imply noinstr, necessary
2721 * due to smp_text_poke_int3_handler() being noinstr:
2724 static __always_inline bool try_get_text_poke_array(void)
2726 atomic_t *refs = this_cpu_ptr(&text_poke_array_refs);
2728 if (!raw_atomic_inc_not_zero(refs))
2734 static __always_inline void put_text_poke_array(void)
2736 atomic_t *refs = this_cpu_ptr(&text_poke_array_refs);
2738 smp_mb__before_atomic();
2739 raw_atomic_dec(refs);
2742 static __always_inline void *text_poke_addr(const struct smp_text_poke_loc *tpl)
2744 return _stext + tpl->rel_addr;
2747 static __always_inline int patch_cmp(const void *tpl_a, const void *tpl_b)
2749 if (tpl_a < text_poke_addr(tpl_b))
2751 if (tpl_a > text_poke_addr(tpl_b))
2756 noinstr int smp_text_poke_int3_handler(struct pt_regs *regs)
2758 struct smp_text_poke_loc *tpl;
2762 if (user_mode(regs))
2766 * Having observed our INT3 instruction, we now must observe
2767 * text_poke_array with non-zero refcount:
2769 * text_poke_array_refs = 1 INT3
2771 * write INT3 if (text_poke_array_refs != 0)
2775 if (!try_get_text_poke_array())
2779 * Discount the INT3. See smp_text_poke_batch_finish().
2781 ip = (void *) regs->ip - INT3_INSN_SIZE;
2784 * Skip the binary search if there is a single member in the vector.
2786 if (unlikely(text_poke_array.nr_entries > 1)) {
2787 tpl = __inline_bsearch(ip, text_poke_array.vec, text_poke_array.nr_entries,
2788 sizeof(struct smp_text_poke_loc),
2793 tpl = text_poke_array.vec;
2794 if (text_poke_addr(tpl) != ip)
2800 switch (tpl->opcode) {
2801 case INT3_INSN_OPCODE:
2803 * Someone poked an explicit INT3, they'll want to handle it,
2808 case RET_INSN_OPCODE:
2809 int3_emulate_ret(regs);
2812 case CALL_INSN_OPCODE:
2813 int3_emulate_call(regs, (long)ip + tpl->disp);
2816 case JMP32_INSN_OPCODE:
2817 case JMP8_INSN_OPCODE:
2818 int3_emulate_jmp(regs, (long)ip + tpl->disp);
2821 case 0x70 ... 0x7f: /* Jcc */
2822 int3_emulate_jcc(regs, tpl->opcode & 0xf, (long)ip, tpl->disp);
2832 put_text_poke_array();
2837 * smp_text_poke_batch_finish() -- update instructions on live kernel on SMP
2840 * text_poke_array.vec: vector of instructions to patch
2841 * text_poke_array.nr_entries: number of entries in the vector
2843 * Modify multi-byte instructions by using INT3 breakpoints on SMP.
2844 * We completely avoid using stop_machine() here, and achieve the
2845 * synchronization using INT3 breakpoints and SMP cross-calls.
2847 * The way it is done:
2848 * - For each entry in the vector:
2849 * - add an INT3 trap to the address that will be patched
2850 * - SMP sync all CPUs
2851 * - For each entry in the vector:
2852 * - update all but the first byte of the patched range
2853 * - SMP sync all CPUs
2854 * - For each entry in the vector:
2855 * - replace the first byte (INT3) by the first byte of the
2857 * - SMP sync all CPUs
2859 void smp_text_poke_batch_finish(void)
2861 unsigned char int3 = INT3_INSN_OPCODE;
2865 if (!text_poke_array.nr_entries)
2868 lockdep_assert_held(&text_mutex);
2871 * Corresponds to the implicit memory barrier in try_get_text_poke_array() to
2872 * ensure reading a non-zero refcount provides up to date text_poke_array data.
2874 for_each_possible_cpu(i)
2875 atomic_set_release(per_cpu_ptr(&text_poke_array_refs, i), 1);
2878 * Function tracing can enable thousands of places that need to be
2879 * updated. This can take quite some time, and with full kernel debugging
2880 * enabled, this could cause the softlockup watchdog to trigger.
2881 * This function gets called every 256 entries added to be patched.
2882 * Call cond_resched() here to make sure that other tasks can get scheduled
2883 * while processing all the functions being patched.
2888 * Corresponding read barrier in INT3 notifier for making sure the
2889 * text_poke_array.nr_entries and handler are correctly ordered wrt. patching.
2894 * First step: add a INT3 trap to the address that will be patched.
2896 for (i = 0; i < text_poke_array.nr_entries; i++) {
2897 text_poke_array.vec[i].old = *(u8 *)text_poke_addr(&text_poke_array.vec[i]);
2898 text_poke(text_poke_addr(&text_poke_array.vec[i]), &int3, INT3_INSN_SIZE);
2901 smp_text_poke_sync_each_cpu();
2904 * Second step: update all but the first byte of the patched range.
2906 for (do_sync = 0, i = 0; i < text_poke_array.nr_entries; i++) {
2907 u8 old[TEXT_POKE_MAX_OPCODE_SIZE+1] = { text_poke_array.vec[i].old, };
2908 u8 _new[TEXT_POKE_MAX_OPCODE_SIZE+1];
2909 const u8 *new = text_poke_array.vec[i].text;
2910 int len = text_poke_array.vec[i].len;
2912 if (len - INT3_INSN_SIZE > 0) {
2913 memcpy(old + INT3_INSN_SIZE,
2914 text_poke_addr(&text_poke_array.vec[i]) + INT3_INSN_SIZE,
2915 len - INT3_INSN_SIZE);
2919 memcpy(_new + 1, new, 5);
2923 text_poke(text_poke_addr(&text_poke_array.vec[i]) + INT3_INSN_SIZE,
2924 new + INT3_INSN_SIZE,
2925 len - INT3_INSN_SIZE);
2931 * Emit a perf event to record the text poke, primarily to
2932 * support Intel PT decoding which must walk the executable code
2933 * to reconstruct the trace. The flow up to here is:
2936 * - write instruction tail
2937 * At this point the actual control flow will be through the
2938 * INT3 and handler and not hit the old or new instruction.
2939 * Intel PT outputs FUP/TIP packets for the INT3, so the flow
2940 * can still be decoded. Subsequently:
2941 * - emit RECORD_TEXT_POKE with the new instruction
2943 * - write first byte
2945 * So before the text poke event timestamp, the decoder will see
2946 * either the old instruction flow or FUP/TIP of INT3. After the
2947 * text poke event timestamp, the decoder will see either the
2948 * new instruction flow or FUP/TIP of INT3. Thus decoders can
2949 * use the timestamp as the point at which to modify the
2951 * The old instruction is recorded so that the event can be
2952 * processed forwards or backwards.
2954 perf_event_text_poke(text_poke_addr(&text_poke_array.vec[i]), old, len, new, len);
2959 * According to Intel, this core syncing is very likely
2960 * not necessary and we'd be safe even without it. But
2961 * better safe than sorry (plus there's not only Intel).
2963 smp_text_poke_sync_each_cpu();
2967 * Third step: replace the first byte (INT3) by the first byte of the
2970 for (do_sync = 0, i = 0; i < text_poke_array.nr_entries; i++) {
2971 u8 byte = text_poke_array.vec[i].text[0];
2973 if (text_poke_array.vec[i].len == 6)
2976 if (byte == INT3_INSN_OPCODE)
2979 text_poke(text_poke_addr(&text_poke_array.vec[i]), &byte, INT3_INSN_SIZE);
2984 smp_text_poke_sync_each_cpu();
2987 * Remove and wait for refs to be zero.
2989 * Notably, if after step-3 above the INT3 got removed, then the
2990 * smp_text_poke_sync_each_cpu() will have serialized against any running INT3
2991 * handlers and the below spin-wait will not happen.
2993 * IOW. unless the replacement instruction is INT3, this case goes
2996 for_each_possible_cpu(i) {
2997 atomic_t *refs = per_cpu_ptr(&text_poke_array_refs, i);
2999 if (unlikely(!atomic_dec_and_test(refs)))
3000 atomic_cond_read_acquire(refs, !VAL);
3003 /* They are all completed: */
3004 text_poke_array.nr_entries = 0;
3007 static void __smp_text_poke_batch_add(void *addr, const void *opcode, size_t len, const void *emulate)
3009 struct smp_text_poke_loc *tpl;
3013 tpl = &text_poke_array.vec[text_poke_array.nr_entries++];
3017 memcpy((void *)tpl->text, opcode+i, len-i);
3021 ret = insn_decode_kernel(&insn, emulate);
3024 tpl->rel_addr = addr - (void *)_stext;
3026 tpl->opcode = insn.opcode.bytes[0];
3028 if (is_jcc32(&insn)) {
3030 * Map Jcc.d32 onto Jcc.d8 and use len to distinguish.
3032 tpl->opcode = insn.opcode.bytes[1] - 0x10;
3035 switch (tpl->opcode) {
3036 case RET_INSN_OPCODE:
3037 case JMP32_INSN_OPCODE:
3038 case JMP8_INSN_OPCODE:
3040 * Control flow instructions without implied execution of the
3041 * next instruction can be padded with INT3.
3043 for (i = insn.length; i < len; i++)
3044 BUG_ON(tpl->text[i] != INT3_INSN_OPCODE);
3048 BUG_ON(len != insn.length);
3051 switch (tpl->opcode) {
3052 case INT3_INSN_OPCODE:
3053 case RET_INSN_OPCODE:
3056 case CALL_INSN_OPCODE:
3057 case JMP32_INSN_OPCODE:
3058 case JMP8_INSN_OPCODE:
3059 case 0x70 ... 0x7f: /* Jcc */
3060 tpl->disp = insn.immediate.value;
3063 default: /* assume NOP */
3065 case 2: /* NOP2 -- emulate as JMP8+0 */
3066 BUG_ON(memcmp(emulate, x86_nops[len], len));
3067 tpl->opcode = JMP8_INSN_OPCODE;
3071 case 5: /* NOP5 -- emulate as JMP32+0 */
3072 BUG_ON(memcmp(emulate, x86_nops[len], len));
3073 tpl->opcode = JMP32_INSN_OPCODE;
3077 default: /* unknown instruction */
3085 * We hard rely on the text_poke_array.vec being ordered; ensure this is so by flushing
3088 static bool text_poke_addr_ordered(void *addr)
3090 WARN_ON_ONCE(!addr);
3092 if (!text_poke_array.nr_entries)
3096 * If the last current entry's address is higher than the
3097 * new entry's address we'd like to add, then ordering
3098 * is violated and we must first flush all pending patching
3101 if (text_poke_addr(text_poke_array.vec + text_poke_array.nr_entries-1) > addr)
3108 * smp_text_poke_batch_add() -- update instruction on live kernel on SMP, batched
3109 * @addr: address to patch
3110 * @opcode: opcode of new instruction
3111 * @len: length to copy
3112 * @emulate: instruction to be emulated
3114 * Add a new instruction to the current queue of to-be-patched instructions
3115 * the kernel maintains. The patching request will not be executed immediately,
3116 * but becomes part of an array of patching requests, optimized for batched
3117 * execution. All pending patching requests will be executed on the next
3118 * smp_text_poke_batch_finish() call.
3120 void __ref smp_text_poke_batch_add(void *addr, const void *opcode, size_t len, const void *emulate)
3122 if (text_poke_array.nr_entries == TEXT_POKE_ARRAY_MAX || !text_poke_addr_ordered(addr))
3123 smp_text_poke_batch_finish();
3124 __smp_text_poke_batch_add(addr, opcode, len, emulate);
3128 * smp_text_poke_single() -- update instruction on live kernel on SMP immediately
3129 * @addr: address to patch
3130 * @opcode: opcode of new instruction
3131 * @len: length to copy
3132 * @emulate: instruction to be emulated
3134 * Update a single instruction with the vector in the stack, avoiding
3135 * dynamically allocated memory. This function should be used when it is
3136 * not possible to allocate memory for a vector. The single instruction
3137 * is patched in immediately.
3139 void __ref smp_text_poke_single(void *addr, const void *opcode, size_t len, const void *emulate)
3141 smp_text_poke_batch_add(addr, opcode, len, emulate);
3142 smp_text_poke_batch_finish();
projects / linux-2.6-block.git / blob