1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/static_call.h>
3 #include <linux/memory.h>
5 #include <asm/text-patching.h>
8 CALL = 0, /* site call */
9 NOP = 1, /* site cond-call */
10 JMP = 2, /* tramp / site tail-call */
11 RET = 3, /* tramp / site cond-tail-call */
16 * ud1 %esp, %ecx - a 3 byte #UD that is unique to trampolines, chosen such
17 * that there is no false-positive trampoline identification while also being a
20 static const u8 tramp_ud[] = { 0x0f, 0xb9, 0xcc };
23 * cs cs cs xorl %eax, %eax - a single 5 byte instruction that clears %[er]ax
25 static const u8 xor5rax[] = { 0x2e, 0x2e, 0x2e, 0x31, 0xc0 };
27 static const u8 retinsn[] = { RET_INSN_OPCODE, 0xcc, 0xcc, 0xcc, 0xcc };
29 static u8 __is_Jcc(u8 *insn) /* Jcc.d32 */
33 if (insn[0] == 0x0f) {
35 if ((tmp & 0xf0) == 0x80)
42 extern void __static_call_return(void);
44 asm (".global __static_call_return\n\t"
45 ".type __static_call_return, @function\n\t"
47 "__static_call_return:\n\t"
49 ANNOTATE_RETPOLINE_SAFE
51 ".size __static_call_return, . - __static_call_return \n\t");
53 static void __ref __static_call_transform(void *insn, enum insn_type type,
54 void *func, bool modinit)
56 const void *emulate = NULL;
57 int size = CALL_INSN_SIZE;
61 if ((type == JMP || type == RET) && (op = __is_Jcc(insn)))
66 func = callthunks_translate_call_dest(func);
67 code = text_gen_insn(CALL_INSN_OPCODE, insn, func);
68 if (func == &__static_call_return0) {
80 code = text_gen_insn(JMP32_INSN_OPCODE, insn, func);
84 if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
85 code = text_gen_insn(JMP32_INSN_OPCODE, insn, x86_return_thunk);
92 func = __static_call_return;
93 if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
94 func = x86_return_thunk;
98 __text_gen_insn(buf+1, op, insn+1, func, 5);
105 if (memcmp(insn, code, size) == 0)
108 if (system_state == SYSTEM_BOOTING || modinit)
109 return text_poke_early(insn, code, size);
111 text_poke_bp(insn, code, size, emulate);
114 static void __static_call_validate(u8 *insn, bool tail, bool tramp)
118 if (tramp && memcmp(insn+5, tramp_ud, 3)) {
119 pr_err("trampoline signature fail");
124 if (opcode == JMP32_INSN_OPCODE ||
125 opcode == RET_INSN_OPCODE ||
129 if (opcode == CALL_INSN_OPCODE ||
130 !memcmp(insn, x86_nops[5], 5) ||
131 !memcmp(insn, xor5rax, 5))
136 * If we ever trigger this, our text is corrupt, we'll probably not live long.
138 pr_err("unexpected static_call insn opcode 0x%x at %pS\n", opcode, insn);
142 static inline enum insn_type __sc_insn(bool null, bool tail)
145 * Encode the following table without branches:
148 * -----+-------+------
154 return 2*tail + null;
157 void arch_static_call_transform(void *site, void *tramp, void *func, bool tail)
159 mutex_lock(&text_mutex);
162 __static_call_validate(tramp, true, true);
163 __static_call_transform(tramp, __sc_insn(!func, true), func, false);
166 if (IS_ENABLED(CONFIG_HAVE_STATIC_CALL_INLINE) && site) {
167 __static_call_validate(site, tail, false);
168 __static_call_transform(site, __sc_insn(!func, tail), func, false);
171 mutex_unlock(&text_mutex);
173 EXPORT_SYMBOL_GPL(arch_static_call_transform);
175 #ifdef CONFIG_MITIGATION_RETHUNK
177 * This is called by apply_returns() to fix up static call trampolines,
178 * specifically ARCH_DEFINE_STATIC_CALL_NULL_TRAMP which is recorded as
179 * having a return trampoline.
181 * The problem is that static_call() is available before determining
182 * X86_FEATURE_RETHUNK and, by implication, running alternatives.
184 * This means that __static_call_transform() above can have overwritten the
185 * return trampoline and we now need to fix things up to be consistent.
187 bool __static_call_fixup(void *tramp, u8 op, void *dest)
189 unsigned long addr = (unsigned long)tramp;
191 * Not all .return_sites are a static_call trampoline (most are not).
192 * Check if the 3 bytes after the return are still kernel text, if not,
193 * then this definitely is not a trampoline and we need not worry
196 * This avoids the memcmp() below tripping over pagefaults etc..
198 if (((addr >> PAGE_SHIFT) != ((addr + 7) >> PAGE_SHIFT)) &&
199 !kernel_text_address(addr + 7))
202 if (memcmp(tramp+5, tramp_ud, 3)) {
203 /* Not a trampoline site, not our problem. */
207 mutex_lock(&text_mutex);
208 if (op == RET_INSN_OPCODE || dest == &__x86_return_thunk)
209 __static_call_transform(tramp, RET, NULL, true);
210 mutex_unlock(&text_mutex);