1// SPDX-License-Identifier: GPL-2.0-only
  2#include <byteswap.h>
  3#include <elf.h>
  4#include <endian.h>
  5#include <errno.h>
  6#include <fcntl.h>
  7#include <inttypes.h>
  8#include <stdbool.h>
  9#include <stdio.h>
 10#include <stdlib.h>
 11#include <string.h>
 12#include <sys/mman.h>
 13#include <sys/types.h>
 14#include <sys/stat.h>
 15#include <unistd.h>
 16
 17#ifdef be32toh
 18/* If libc provides le{16,32,64}toh() then we'll use them */
 19#elif BYTE_ORDER == LITTLE_ENDIAN
 20# define le16toh(x)	(x)
 21# define le32toh(x)	(x)
 22# define le64toh(x)	(x)
 23#elif BYTE_ORDER == BIG_ENDIAN
 24# define le16toh(x)	bswap_16(x)
 25# define le32toh(x)	bswap_32(x)
 26# define le64toh(x)	bswap_64(x)
 27#endif
 28
 29/* MIPS opcodes, in bits 31:26 of an instruction */
 30#define OP_SPECIAL	0x00
 31#define OP_REGIMM	0x01
 32#define OP_BEQ		0x04
 33#define OP_BNE		0x05
 34#define OP_BLEZ		0x06
 35#define OP_BGTZ		0x07
 36#define OP_BEQL		0x14
 37#define OP_BNEL		0x15
 38#define OP_BLEZL	0x16
 39#define OP_BGTZL	0x17
 40#define OP_LL		0x30
 41#define OP_LLD		0x34
 42#define OP_SC		0x38
 43#define OP_SCD		0x3c
 44
 45/* Bits 20:16 of OP_REGIMM instructions */
 46#define REGIMM_BLTZ	0x00
 47#define REGIMM_BGEZ	0x01
 48#define REGIMM_BLTZL	0x02
 49#define REGIMM_BGEZL	0x03
 50#define REGIMM_BLTZAL	0x10
 51#define REGIMM_BGEZAL	0x11
 52#define REGIMM_BLTZALL	0x12
 53#define REGIMM_BGEZALL	0x13
 54
 55/* Bits 5:0 of OP_SPECIAL instructions */
 56#define SPECIAL_SYNC	0x0f
 57
 58static void usage(FILE *f)
 59{
 60	fprintf(f, "Usage: loongson3-llsc-check /path/to/vmlinux\n");
 61}
 62
 63static int se16(uint16_t x)
 64{
 65	return (int16_t)x;
 66}
 67
 68static bool is_ll(uint32_t insn)
 69{
 70	switch (insn >> 26) {
 71	case OP_LL:
 72	case OP_LLD:
 73		return true;
 74
 75	default:
 76		return false;
 77	}
 78}
 79
 80static bool is_sc(uint32_t insn)
 81{
 82	switch (insn >> 26) {
 83	case OP_SC:
 84	case OP_SCD:
 85		return true;
 86
 87	default:
 88		return false;
 89	}
 90}
 91
 92static bool is_sync(uint32_t insn)
 93{
 94	/* Bits 31:11 should all be zeroes */
 95	if (insn >> 11)
 96		return false;
 97
 98	/* Bits 5:0 specify the SYNC special encoding */
 99	if ((insn & 0x3f) != SPECIAL_SYNC)
100		return false;
101
102	return true;
103}
104
105static bool is_branch(uint32_t insn, int *off)
106{
107	switch (insn >> 26) {
108	case OP_BEQ:
109	case OP_BEQL:
110	case OP_BNE:
111	case OP_BNEL:
112	case OP_BGTZ:
113	case OP_BGTZL:
114	case OP_BLEZ:
115	case OP_BLEZL:
116		*off = se16(insn) + 1;
117		return true;
118
119	case OP_REGIMM:
120		switch ((insn >> 16) & 0x1f) {
121		case REGIMM_BGEZ:
122		case REGIMM_BGEZL:
123		case REGIMM_BGEZAL:
124		case REGIMM_BGEZALL:
125		case REGIMM_BLTZ:
126		case REGIMM_BLTZL:
127		case REGIMM_BLTZAL:
128		case REGIMM_BLTZALL:
129			*off = se16(insn) + 1;
130			return true;
131
132		default:
133			return false;
134		}
135
136	default:
137		return false;
138	}
139}
140
141static int check_ll(uint64_t pc, uint32_t *code, size_t sz)
142{
143	ssize_t i, max, sc_pos;
144	int off;
145
146	/*
147	 * Every LL must be preceded by a sync instruction in order to ensure
148	 * that instruction reordering doesn't allow a prior memory access to
149	 * execute after the LL & cause erroneous results.
150	 */
151	if (!is_sync(le32toh(code[-1]))) {
152		fprintf(stderr, "%" PRIx64 ": LL not preceded by sync\n", pc);
153		return -EINVAL;
154	}
155
156	/* Find the matching SC instruction */
157	max = sz / 4;
158	for (sc_pos = 0; sc_pos < max; sc_pos++) {
159		if (is_sc(le32toh(code[sc_pos])))
160			break;
161	}
162	if (sc_pos >= max) {
163		fprintf(stderr, "%" PRIx64 ": LL has no matching SC\n", pc);
164		return -EINVAL;
165	}
166
167	/*
168	 * Check branches within the LL/SC loop target sync instructions,
169	 * ensuring that speculative execution can't generate memory accesses
170	 * due to instructions outside of the loop.
171	 */
172	for (i = 0; i < sc_pos; i++) {
173		if (!is_branch(le32toh(code[i]), &off))
174			continue;
175
176		/*
177		 * If the branch target is within the LL/SC loop then we don't
178		 * need to worry about it.
179		 */
180		if ((off >= -i) && (off <= sc_pos))
181			continue;
182
183		/* If the branch targets a sync instruction we're all good... */
184		if (is_sync(le32toh(code[i + off])))
185			continue;
186
187		/* ...but if not, we have a problem */
188		fprintf(stderr, "%" PRIx64 ": Branch target not a sync\n",
189			pc + (i * 4));
190		return -EINVAL;
191	}
192
193	return 0;
194}
195
196static int check_code(uint64_t pc, uint32_t *code, size_t sz)
197{
198	int err = 0;
199
200	if (sz % 4) {
201		fprintf(stderr, "%" PRIx64 ": Section size not a multiple of 4\n",
202			pc);
203		err = -EINVAL;
204		sz -= (sz % 4);
205	}
206
207	if (is_ll(le32toh(code[0]))) {
208		fprintf(stderr, "%" PRIx64 ": First instruction in section is an LL\n",
209			pc);
210		err = -EINVAL;
211	}
212
213#define advance() (	\
214	code++,		\
215	pc += 4,	\
216	sz -= 4		\
217)
218
219	/*
220	 * Skip the first instructionm allowing check_ll to look backwards
221	 * unconditionally.
222	 */
223	advance();
224
225	/* Now scan through the code looking for LL instructions */
226	for (; sz; advance()) {
227		if (is_ll(le32toh(code[0])))
228			err |= check_ll(pc, code, sz);
229	}
230
231	return err;
232}
233
234int main(int argc, char *argv[])
235{
236	int vmlinux_fd, status, err, i;
237	const char *vmlinux_path;
238	struct stat st;
239	Elf64_Ehdr *eh;
240	Elf64_Shdr *sh;
241	void *vmlinux;
242
243	status = EXIT_FAILURE;
244
245	if (argc < 2) {
246		usage(stderr);
247		goto out_ret;
248	}
249
250	vmlinux_path = argv[1];
251	vmlinux_fd = open(vmlinux_path, O_RDONLY);
252	if (vmlinux_fd == -1) {
253		perror("Unable to open vmlinux");
254		goto out_ret;
255	}
256
257	err = fstat(vmlinux_fd, &st);
258	if (err) {
259		perror("Unable to stat vmlinux");
260		goto out_close;
261	}
262
263	vmlinux = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, vmlinux_fd, 0);
264	if (vmlinux == MAP_FAILED) {
265		perror("Unable to mmap vmlinux");
266		goto out_close;
267	}
268
269	eh = vmlinux;
270	if (memcmp(eh->e_ident, ELFMAG, SELFMAG)) {
271		fprintf(stderr, "vmlinux is not an ELF?\n");
272		goto out_munmap;
273	}
274
275	if (eh->e_ident[EI_CLASS] != ELFCLASS64) {
276		fprintf(stderr, "vmlinux is not 64b?\n");
277		goto out_munmap;
278	}
279
280	if (eh->e_ident[EI_DATA] != ELFDATA2LSB) {
281		fprintf(stderr, "vmlinux is not little endian?\n");
282		goto out_munmap;
283	}
284
285	for (i = 0; i < le16toh(eh->e_shnum); i++) {
286		sh = vmlinux + le64toh(eh->e_shoff) + (i * le16toh(eh->e_shentsize));
287
288		if (sh->sh_type != SHT_PROGBITS)
289			continue;
290		if (!(sh->sh_flags & SHF_EXECINSTR))
291			continue;
292
293		err = check_code(le64toh(sh->sh_addr),
294				 vmlinux + le64toh(sh->sh_offset),
295				 le64toh(sh->sh_size));
296		if (err)
297			goto out_munmap;
298	}
299
300	status = EXIT_SUCCESS;
301out_munmap:
302	munmap(vmlinux, st.st_size);
303out_close:
304	close(vmlinux_fd);
305out_ret:
306	fprintf(stdout, "loongson3-llsc-check returns %s\n",
307		status ? "failure" : "success");
308	return status;
309}