1 // SPDX-License-Identifier: GPL-2.0-only
2
3 #define pr_fmt(fmt) "callthunks: " fmt
4
5 #include <linux/debugfs.h>
6 #include <linux/kallsyms.h>
7 #include <linux/memory.h>
8 #include <linux/moduleloader.h>
9 #include <linux/static_call.h>
10
11 #include <asm/alternative.h>
12 #include <asm/asm-offsets.h>
13 #include <asm/cpu.h>
14 #include <asm/ftrace.h>
15 #include <asm/insn.h>
16 #include <asm/kexec.h>
17 #include <asm/nospec-branch.h>
18 #include <asm/paravirt.h>
19 #include <asm/sections.h>
20 #include <asm/switch_to.h>
21 #include <asm/sync_core.h>
22 #include <asm/text-patching.h>
23 #include <asm/xen/hypercall.h>
24
25 static int __initdata_or_module debug_callthunks;
26
27 #define prdbg(fmt, args...) \
28 do { \
29 if (debug_callthunks) \
30 printk(KERN_DEBUG pr_fmt(fmt), ##args); \
31 } while(0)
32
debug_thunks(char * str)33 static int __init debug_thunks(char *str)
34 {
35 debug_callthunks = 1;
36 return 1;
37 }
38 __setup("debug-callthunks", debug_thunks);
39
40 #ifdef CONFIG_CALL_THUNKS_DEBUG
41 DEFINE_PER_CPU(u64, __x86_call_count);
42 DEFINE_PER_CPU(u64, __x86_ret_count);
43 DEFINE_PER_CPU(u64, __x86_stuffs_count);
44 DEFINE_PER_CPU(u64, __x86_ctxsw_count);
45 EXPORT_SYMBOL_GPL(__x86_ctxsw_count);
46 EXPORT_SYMBOL_GPL(__x86_call_count);
47 #endif
48
49 extern s32 __call_sites[], __call_sites_end[];
50
51 struct core_text {
52 unsigned long base;
53 unsigned long end;
54 const char *name;
55 };
56
57 static bool thunks_initialized __ro_after_init;
58
59 static const struct core_text builtin_coretext = {
60 .base = (unsigned long)_text,
61 .end = (unsigned long)_etext,
62 .name = "builtin",
63 };
64
65 asm (
66 ".pushsection .rodata \n"
67 ".global skl_call_thunk_template \n"
68 "skl_call_thunk_template: \n"
69 __stringify(INCREMENT_CALL_DEPTH)" \n"
70 ".global skl_call_thunk_tail \n"
71 "skl_call_thunk_tail: \n"
72 ".popsection \n"
73 );
74
75 extern u8 skl_call_thunk_template[];
76 extern u8 skl_call_thunk_tail[];
77
78 #define SKL_TMPL_SIZE \
79 ((unsigned int)(skl_call_thunk_tail - skl_call_thunk_template))
80
81 extern void error_entry(void);
82 extern void xen_error_entry(void);
83 extern void paranoid_entry(void);
84
within_coretext(const struct core_text * ct,void * addr)85 static inline bool within_coretext(const struct core_text *ct, void *addr)
86 {
87 unsigned long p = (unsigned long)addr;
88
89 return ct->base <= p && p < ct->end;
90 }
91
within_module_coretext(void * addr)92 static inline bool within_module_coretext(void *addr)
93 {
94 bool ret = false;
95
96 #ifdef CONFIG_MODULES
97 struct module *mod;
98
99 preempt_disable();
100 mod = __module_address((unsigned long)addr);
101 if (mod && within_module_core((unsigned long)addr, mod))
102 ret = true;
103 preempt_enable();
104 #endif
105 return ret;
106 }
107
is_coretext(const struct core_text * ct,void * addr)108 static bool is_coretext(const struct core_text *ct, void *addr)
109 {
110 if (ct && within_coretext(ct, addr))
111 return true;
112 if (within_coretext(&builtin_coretext, addr))
113 return true;
114 return within_module_coretext(addr);
115 }
116
skip_addr(void * dest)117 static bool skip_addr(void *dest)
118 {
119 if (dest == error_entry)
120 return true;
121 if (dest == paranoid_entry)
122 return true;
123 if (dest == xen_error_entry)
124 return true;
125 /* Does FILL_RSB... */
126 if (dest == __switch_to_asm)
127 return true;
128 /* Accounts directly */
129 if (dest == ret_from_fork)
130 return true;
131 #if defined(CONFIG_HOTPLUG_CPU) && defined(CONFIG_AMD_MEM_ENCRYPT)
132 if (dest == soft_restart_cpu)
133 return true;
134 #endif
135 #ifdef CONFIG_FUNCTION_TRACER
136 if (dest == __fentry__)
137 return true;
138 #endif
139 #ifdef CONFIG_KEXEC_CORE
140 if (dest >= (void *)relocate_kernel &&
141 dest < (void*)relocate_kernel + KEXEC_CONTROL_CODE_MAX_SIZE)
142 return true;
143 #endif
144 #ifdef CONFIG_XEN
145 if (dest >= (void *)hypercall_page &&
146 dest < (void*)hypercall_page + PAGE_SIZE)
147 return true;
148 #endif
149 return false;
150 }
151
call_get_dest(void * addr)152 static __init_or_module void *call_get_dest(void *addr)
153 {
154 struct insn insn;
155 void *dest;
156 int ret;
157
158 ret = insn_decode_kernel(&insn, addr);
159 if (ret)
160 return ERR_PTR(ret);
161
162 /* Patched out call? */
163 if (insn.opcode.bytes[0] != CALL_INSN_OPCODE)
164 return NULL;
165
166 dest = addr + insn.length + insn.immediate.value;
167 if (skip_addr(dest))
168 return NULL;
169 return dest;
170 }
171
172 static const u8 nops[] = {
173 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
174 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
175 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
176 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
177 };
178
patch_dest(void * dest,bool direct)179 static void *patch_dest(void *dest, bool direct)
180 {
181 unsigned int tsize = SKL_TMPL_SIZE;
182 u8 *pad = dest - tsize;
183
184 /* Already patched? */
185 if (!bcmp(pad, skl_call_thunk_template, tsize))
186 return pad;
187
188 /* Ensure there are nops */
189 if (bcmp(pad, nops, tsize)) {
190 pr_warn_once("Invalid padding area for %pS\n", dest);
191 return NULL;
192 }
193
194 if (direct)
195 memcpy(pad, skl_call_thunk_template, tsize);
196 else
197 text_poke_copy_locked(pad, skl_call_thunk_template, tsize, true);
198 return pad;
199 }
200
patch_call(void * addr,const struct core_text * ct)201 static __init_or_module void patch_call(void *addr, const struct core_text *ct)
202 {
203 void *pad, *dest;
204 u8 bytes[8];
205
206 if (!within_coretext(ct, addr))
207 return;
208
209 dest = call_get_dest(addr);
210 if (!dest || WARN_ON_ONCE(IS_ERR(dest)))
211 return;
212
213 if (!is_coretext(ct, dest))
214 return;
215
216 pad = patch_dest(dest, within_coretext(ct, dest));
217 if (!pad)
218 return;
219
220 prdbg("Patch call at: %pS %px to %pS %px -> %px \n", addr, addr,
221 dest, dest, pad);
222 __text_gen_insn(bytes, CALL_INSN_OPCODE, addr, pad, CALL_INSN_SIZE);
223 text_poke_early(addr, bytes, CALL_INSN_SIZE);
224 }
225
226 static __init_or_module void
patch_call_sites(s32 * start,s32 * end,const struct core_text * ct)227 patch_call_sites(s32 *start, s32 *end, const struct core_text *ct)
228 {
229 s32 *s;
230
231 for (s = start; s < end; s++)
232 patch_call((void *)s + *s, ct);
233 }
234
235 static __init_or_module void
patch_alt_call_sites(struct alt_instr * start,struct alt_instr * end,const struct core_text * ct)236 patch_alt_call_sites(struct alt_instr *start, struct alt_instr *end,
237 const struct core_text *ct)
238 {
239 struct alt_instr *a;
240
241 for (a = start; a < end; a++)
242 patch_call((void *)&a->instr_offset + a->instr_offset, ct);
243 }
244
245 static __init_or_module void
callthunks_setup(struct callthunk_sites * cs,const struct core_text * ct)246 callthunks_setup(struct callthunk_sites *cs, const struct core_text *ct)
247 {
248 prdbg("Patching call sites %s\n", ct->name);
249 patch_call_sites(cs->call_start, cs->call_end, ct);
250 patch_alt_call_sites(cs->alt_start, cs->alt_end, ct);
251 prdbg("Patching call sites done%s\n", ct->name);
252 }
253
callthunks_patch_builtin_calls(void)254 void __init callthunks_patch_builtin_calls(void)
255 {
256 struct callthunk_sites cs = {
257 .call_start = __call_sites,
258 .call_end = __call_sites_end,
259 .alt_start = __alt_instructions,
260 .alt_end = __alt_instructions_end
261 };
262
263 if (!cpu_feature_enabled(X86_FEATURE_CALL_DEPTH))
264 return;
265
266 pr_info("Setting up call depth tracking\n");
267 mutex_lock(&text_mutex);
268 callthunks_setup(&cs, &builtin_coretext);
269 thunks_initialized = true;
270 mutex_unlock(&text_mutex);
271 }
272
callthunks_translate_call_dest(void * dest)273 void *callthunks_translate_call_dest(void *dest)
274 {
275 void *target;
276
277 lockdep_assert_held(&text_mutex);
278
279 if (!thunks_initialized || skip_addr(dest))
280 return dest;
281
282 if (!is_coretext(NULL, dest))
283 return dest;
284
285 target = patch_dest(dest, false);
286 return target ? : dest;
287 }
288
289 #ifdef CONFIG_BPF_JIT
is_callthunk(void * addr)290 static bool is_callthunk(void *addr)
291 {
292 unsigned int tmpl_size = SKL_TMPL_SIZE;
293 void *tmpl = skl_call_thunk_template;
294 unsigned long dest;
295
296 dest = roundup((unsigned long)addr, CONFIG_FUNCTION_ALIGNMENT);
297 if (!thunks_initialized || skip_addr((void *)dest))
298 return false;
299
300 return !bcmp((void *)(dest - tmpl_size), tmpl, tmpl_size);
301 }
302
x86_call_depth_emit_accounting(u8 ** pprog,void * func)303 int x86_call_depth_emit_accounting(u8 **pprog, void *func)
304 {
305 unsigned int tmpl_size = SKL_TMPL_SIZE;
306 void *tmpl = skl_call_thunk_template;
307
308 if (!thunks_initialized)
309 return 0;
310
311 /* Is function call target a thunk? */
312 if (func && is_callthunk(func))
313 return 0;
314
315 memcpy(*pprog, tmpl, tmpl_size);
316 *pprog += tmpl_size;
317 return tmpl_size;
318 }
319 #endif
320
321 #ifdef CONFIG_MODULES
callthunks_patch_module_calls(struct callthunk_sites * cs,struct module * mod)322 void noinline callthunks_patch_module_calls(struct callthunk_sites *cs,
323 struct module *mod)
324 {
325 struct core_text ct = {
326 .base = (unsigned long)mod->mem[MOD_TEXT].base,
327 .end = (unsigned long)mod->mem[MOD_TEXT].base + mod->mem[MOD_TEXT].size,
328 .name = mod->name,
329 };
330
331 if (!thunks_initialized)
332 return;
333
334 mutex_lock(&text_mutex);
335 callthunks_setup(cs, &ct);
336 mutex_unlock(&text_mutex);
337 }
338 #endif /* CONFIG_MODULES */
339
340 #if defined(CONFIG_CALL_THUNKS_DEBUG) && defined(CONFIG_DEBUG_FS)
callthunks_debug_show(struct seq_file * m,void * p)341 static int callthunks_debug_show(struct seq_file *m, void *p)
342 {
343 unsigned long cpu = (unsigned long)m->private;
344
345 seq_printf(m, "C: %16llu R: %16llu S: %16llu X: %16llu\n,",
346 per_cpu(__x86_call_count, cpu),
347 per_cpu(__x86_ret_count, cpu),
348 per_cpu(__x86_stuffs_count, cpu),
349 per_cpu(__x86_ctxsw_count, cpu));
350 return 0;
351 }
352
callthunks_debug_open(struct inode * inode,struct file * file)353 static int callthunks_debug_open(struct inode *inode, struct file *file)
354 {
355 return single_open(file, callthunks_debug_show, inode->i_private);
356 }
357
358 static const struct file_operations dfs_ops = {
359 .open = callthunks_debug_open,
360 .read = seq_read,
361 .llseek = seq_lseek,
362 .release = single_release,
363 };
364
callthunks_debugfs_init(void)365 static int __init callthunks_debugfs_init(void)
366 {
367 struct dentry *dir;
368 unsigned long cpu;
369
370 dir = debugfs_create_dir("callthunks", NULL);
371 for_each_possible_cpu(cpu) {
372 void *arg = (void *)cpu;
373 char name [10];
374
375 sprintf(name, "cpu%lu", cpu);
376 debugfs_create_file(name, 0644, dir, arg, &dfs_ops);
377 }
378 return 0;
379 }
380 __initcall(callthunks_debugfs_init);
381 #endif
382