1// SPDX-License-Identifier: GPL-2.0-only
  2
  3#define pr_fmt(fmt) "callthunks: " fmt
  4
  5#include <linux/debugfs.h>
  6#include <linux/kallsyms.h>
  7#include <linux/memory.h>
  8#include <linux/moduleloader.h>
  9#include <linux/static_call.h>
 10
 11#include <asm/alternative.h>
 12#include <asm/asm-offsets.h>
 13#include <asm/cpu.h>
 14#include <asm/ftrace.h>
 15#include <asm/insn.h>
 16#include <asm/kexec.h>
 17#include <asm/nospec-branch.h>
 18#include <asm/paravirt.h>
 19#include <asm/sections.h>
 20#include <asm/switch_to.h>
 21#include <asm/sync_core.h>
 22#include <asm/text-patching.h>
 23#include <asm/xen/hypercall.h>
 24
 25static int __initdata_or_module debug_callthunks;
 26
 27#define prdbg(fmt, args...)					\
 28do {								\
 29	if (debug_callthunks)					\
 30		printk(KERN_DEBUG pr_fmt(fmt), ##args);		\
 31} while(0)
 32
 33static int __init debug_thunks(char *str)
 34{
 35	debug_callthunks = 1;
 36	return 1;
 37}
 38__setup("debug-callthunks", debug_thunks);
 39
 40#ifdef CONFIG_CALL_THUNKS_DEBUG
 41DEFINE_PER_CPU(u64, __x86_call_count);
 42DEFINE_PER_CPU(u64, __x86_ret_count);
 43DEFINE_PER_CPU(u64, __x86_stuffs_count);
 44DEFINE_PER_CPU(u64, __x86_ctxsw_count);
 45EXPORT_SYMBOL_GPL(__x86_ctxsw_count);
 46EXPORT_SYMBOL_GPL(__x86_call_count);
 47#endif
 48
 49extern s32 __call_sites[], __call_sites_end[];
 50
 51struct core_text {
 52	unsigned long	base;
 53	unsigned long	end;
 54	const char	*name;
 55};
 56
 57static bool thunks_initialized __ro_after_init;
 58
 59static const struct core_text builtin_coretext = {
 60	.base = (unsigned long)_text,
 61	.end  = (unsigned long)_etext,
 62	.name = "builtin",
 63};
 64
 65asm (
 66	".pushsection .rodata				\n"
 67	".global skl_call_thunk_template		\n"
 68	"skl_call_thunk_template:			\n"
 69		__stringify(INCREMENT_CALL_DEPTH)"	\n"
 70	".global skl_call_thunk_tail			\n"
 71	"skl_call_thunk_tail:				\n"
 72	".popsection					\n"
 73);
 74
 75extern u8 skl_call_thunk_template[];
 76extern u8 skl_call_thunk_tail[];
 77
 78#define SKL_TMPL_SIZE \
 79	((unsigned int)(skl_call_thunk_tail - skl_call_thunk_template))
 80
 81extern void error_entry(void);
 82extern void xen_error_entry(void);
 83extern void paranoid_entry(void);
 84
 85static inline bool within_coretext(const struct core_text *ct, void *addr)
 86{
 87	unsigned long p = (unsigned long)addr;
 88
 89	return ct->base <= p && p < ct->end;
 90}
 91
 92static inline bool within_module_coretext(void *addr)
 93{
 94	bool ret = false;
 95
 96#ifdef CONFIG_MODULES
 97	struct module *mod;
 98
 99	preempt_disable();
100	mod = __module_address((unsigned long)addr);
101	if (mod && within_module_core((unsigned long)addr, mod))
102		ret = true;
103	preempt_enable();
104#endif
105	return ret;
106}
107
108static bool is_coretext(const struct core_text *ct, void *addr)
109{
110	if (ct && within_coretext(ct, addr))
111		return true;
112	if (within_coretext(&builtin_coretext, addr))
113		return true;
114	return within_module_coretext(addr);
115}
116
117static bool skip_addr(void *dest)
118{
119	if (dest == error_entry)
120		return true;
121	if (dest == paranoid_entry)
122		return true;
123	if (dest == xen_error_entry)
124		return true;
125	/* Does FILL_RSB... */
126	if (dest == __switch_to_asm)
127		return true;
128	/* Accounts directly */
129	if (dest == ret_from_fork)
130		return true;
131#if defined(CONFIG_HOTPLUG_CPU) && defined(CONFIG_AMD_MEM_ENCRYPT)
132	if (dest == soft_restart_cpu)
133		return true;
134#endif
135#ifdef CONFIG_FUNCTION_TRACER
136	if (dest == __fentry__)
137		return true;
138#endif
139#ifdef CONFIG_KEXEC_CORE
140	if (dest >= (void *)relocate_kernel &&
141	    dest < (void*)relocate_kernel + KEXEC_CONTROL_CODE_MAX_SIZE)
142		return true;
143#endif
144#ifdef CONFIG_XEN
145	if (dest >= (void *)hypercall_page &&
146	    dest < (void*)hypercall_page + PAGE_SIZE)
147		return true;
148#endif
149	return false;
150}
151
152static __init_or_module void *call_get_dest(void *addr)
153{
154	struct insn insn;
155	void *dest;
156	int ret;
157
158	ret = insn_decode_kernel(&insn, addr);
159	if (ret)
160		return ERR_PTR(ret);
161
162	/* Patched out call? */
163	if (insn.opcode.bytes[0] != CALL_INSN_OPCODE)
164		return NULL;
165
166	dest = addr + insn.length + insn.immediate.value;
167	if (skip_addr(dest))
168		return NULL;
169	return dest;
170}
171
172static const u8 nops[] = {
173	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
174	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
175	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
176	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
177};
178
179static void *patch_dest(void *dest, bool direct)
180{
181	unsigned int tsize = SKL_TMPL_SIZE;
182	u8 *pad = dest - tsize;
183
184	/* Already patched? */
185	if (!bcmp(pad, skl_call_thunk_template, tsize))
186		return pad;
187
188	/* Ensure there are nops */
189	if (bcmp(pad, nops, tsize)) {
190		pr_warn_once("Invalid padding area for %pS\n", dest);
191		return NULL;
192	}
193
194	if (direct)
195		memcpy(pad, skl_call_thunk_template, tsize);
196	else
197		text_poke_copy_locked(pad, skl_call_thunk_template, tsize, true);
198	return pad;
199}
200
201static __init_or_module void patch_call(void *addr, const struct core_text *ct)
202{
203	void *pad, *dest;
204	u8 bytes[8];
205
206	if (!within_coretext(ct, addr))
207		return;
208
209	dest = call_get_dest(addr);
210	if (!dest || WARN_ON_ONCE(IS_ERR(dest)))
211		return;
212
213	if (!is_coretext(ct, dest))
214		return;
215
216	pad = patch_dest(dest, within_coretext(ct, dest));
217	if (!pad)
218		return;
219
220	prdbg("Patch call at: %pS %px to %pS %px -> %px \n", addr, addr,
221		dest, dest, pad);
222	__text_gen_insn(bytes, CALL_INSN_OPCODE, addr, pad, CALL_INSN_SIZE);
223	text_poke_early(addr, bytes, CALL_INSN_SIZE);
224}
225
226static __init_or_module void
227patch_call_sites(s32 *start, s32 *end, const struct core_text *ct)
228{
229	s32 *s;
230
231	for (s = start; s < end; s++)
232		patch_call((void *)s + *s, ct);
233}
234
235static __init_or_module void
236patch_alt_call_sites(struct alt_instr *start, struct alt_instr *end,
237		     const struct core_text *ct)
238{
239	struct alt_instr *a;
240
241	for (a = start; a < end; a++)
242		patch_call((void *)&a->instr_offset + a->instr_offset, ct);
243}
244
245static __init_or_module void
246callthunks_setup(struct callthunk_sites *cs, const struct core_text *ct)
247{
248	prdbg("Patching call sites %s\n", ct->name);
249	patch_call_sites(cs->call_start, cs->call_end, ct);
250	patch_alt_call_sites(cs->alt_start, cs->alt_end, ct);
251	prdbg("Patching call sites done%s\n", ct->name);
252}
253
254void __init callthunks_patch_builtin_calls(void)
255{
256	struct callthunk_sites cs = {
257		.call_start	= __call_sites,
258		.call_end	= __call_sites_end,
259		.alt_start	= __alt_instructions,
260		.alt_end	= __alt_instructions_end
261	};
262
263	if (!cpu_feature_enabled(X86_FEATURE_CALL_DEPTH))
264		return;
265
266	pr_info("Setting up call depth tracking\n");
267	mutex_lock(&text_mutex);
268	callthunks_setup(&cs, &builtin_coretext);
269	thunks_initialized = true;
270	mutex_unlock(&text_mutex);
271}
272
273void *callthunks_translate_call_dest(void *dest)
274{
275	void *target;
276
277	lockdep_assert_held(&text_mutex);
278
279	if (!thunks_initialized || skip_addr(dest))
280		return dest;
281
282	if (!is_coretext(NULL, dest))
283		return dest;
284
285	target = patch_dest(dest, false);
286	return target ? : dest;
287}
288
289#ifdef CONFIG_BPF_JIT
290static bool is_callthunk(void *addr)
291{
292	unsigned int tmpl_size = SKL_TMPL_SIZE;
293	void *tmpl = skl_call_thunk_template;
294	unsigned long dest;
295
296	dest = roundup((unsigned long)addr, CONFIG_FUNCTION_ALIGNMENT);
297	if (!thunks_initialized || skip_addr((void *)dest))
298		return false;
299
300	return !bcmp((void *)(dest - tmpl_size), tmpl, tmpl_size);
301}
302
303int x86_call_depth_emit_accounting(u8 **pprog, void *func)
304{
305	unsigned int tmpl_size = SKL_TMPL_SIZE;
306	void *tmpl = skl_call_thunk_template;
307
308	if (!thunks_initialized)
309		return 0;
310
311	/* Is function call target a thunk? */
312	if (func && is_callthunk(func))
313		return 0;
314
315	memcpy(*pprog, tmpl, tmpl_size);
316	*pprog += tmpl_size;
317	return tmpl_size;
318}
319#endif
320
321#ifdef CONFIG_MODULES
322void noinline callthunks_patch_module_calls(struct callthunk_sites *cs,
323					    struct module *mod)
324{
325	struct core_text ct = {
326		.base = (unsigned long)mod->mem[MOD_TEXT].base,
327		.end  = (unsigned long)mod->mem[MOD_TEXT].base + mod->mem[MOD_TEXT].size,
328		.name = mod->name,
329	};
330
331	if (!thunks_initialized)
332		return;
333
334	mutex_lock(&text_mutex);
335	callthunks_setup(cs, &ct);
336	mutex_unlock(&text_mutex);
337}
338#endif /* CONFIG_MODULES */
339
340#if defined(CONFIG_CALL_THUNKS_DEBUG) && defined(CONFIG_DEBUG_FS)
341static int callthunks_debug_show(struct seq_file *m, void *p)
342{
343	unsigned long cpu = (unsigned long)m->private;
344
345	seq_printf(m, "C: %16llu R: %16llu S: %16llu X: %16llu\n,",
346		   per_cpu(__x86_call_count, cpu),
347		   per_cpu(__x86_ret_count, cpu),
348		   per_cpu(__x86_stuffs_count, cpu),
349		   per_cpu(__x86_ctxsw_count, cpu));
350	return 0;
351}
352
353static int callthunks_debug_open(struct inode *inode, struct file *file)
354{
355	return single_open(file, callthunks_debug_show, inode->i_private);
356}
357
358static const struct file_operations dfs_ops = {
359	.open		= callthunks_debug_open,
360	.read		= seq_read,
361	.llseek		= seq_lseek,
362	.release	= single_release,
363};
364
365static int __init callthunks_debugfs_init(void)
366{
367	struct dentry *dir;
368	unsigned long cpu;
369
370	dir = debugfs_create_dir("callthunks", NULL);
371	for_each_possible_cpu(cpu) {
372		void *arg = (void *)cpu;
373		char name [10];
374
375		sprintf(name, "cpu%lu", cpu);
376		debugfs_create_file(name, 0644, dir, arg, &dfs_ops);
377	}
378	return 0;
379}
380__initcall(callthunks_debugfs_init);
381#endif