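/*
 * Copyright 2008 Michael Ellerman, IBM Corporation.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/vmalloc.h>
#include <linux/init.h>
#include <linux/mm.h>
#include <linux/cpuhotplug.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/kprobes.h>

#include <asm/pgtable.h>
#include <asm/tlbflush.h>
#include <asm/page.h>
#include <asm/code-patching.h>

/*
 * Store @instr at @addr and make the new word visible to instruction fetch.
 *
 * The store goes through __put_user_size() so that a fault (for example a
 * write to text that is already read-only) is caught by the exception table
 * and reported as a negative errno instead of oopsing.  On success the
 * dcbst/sync/icbi/sync/isync sequence pushes the word out of the data cache
 * and invalidates any stale copy in the instruction cache.
 *
 * Returns 0 on success, or the fault code from __put_user_size().
 */
static int __patch_instruction(unsigned int *addr, unsigned int instr)
{
	int err;

	__put_user_size(instr, addr, 4, err);
	if (err)
		return err;

	asm ("dcbst 0, %0; sync; icbi 0,%0; sync; isync" :: "r" (addr));

	return 0;
}

#ifdef CONFIG_STRICT_KERNEL_RWX
/*
 * Per-CPU scratch virtual page through which kernel text is patched while
 * the real text mapping is read-only.  NULL until text_area_cpu_up() has run
 * for the CPU; patch_instruction() falls back to a direct write in that case.
 */
static DEFINE_PER_CPU(struct vm_struct *, text_poke_area);

/*
 * cpuhp "online" callback: reserve one page of kernel virtual address space
 * as this CPU's patching window.  Only the VA range is reserved here; it is
 * mapped onto the target text page on demand by patch_instruction().
 *
 * Returns 0 on success, -ENOMEM if no VA range could be reserved.
 */
static int text_area_cpu_up(unsigned int cpu)
{
	struct vm_struct *area;

	area = get_vm_area(PAGE_SIZE, VM_ALLOC);
	if (!area) {
		WARN_ONCE(1, "Failed to create text area for cpu %d\n",
			  cpu);
		return -ENOMEM;
	}
	this_cpu_write(text_poke_area, area);

	return 0;
}

/* cpuhp "offline" callback: release the VA range reserved by text_area_cpu_up(). */
static int text_area_cpu_down(unsigned int cpu)
{
	free_vm_area(this_cpu_read(text_poke_area));
	return 0;
}

/*
 * Run as a late init call. This allows all the boot time patching to be done
 * simply by patching the code, and then we're called here prior to
 * mark_rodata_ro(), which happens after all init calls are run. Although
 * BUG_ON() is rude, in this case it should only happen if ENOMEM, and we judge
 * it as being preferable to a kernel that will crash later when someone tries
 * to use patch_instruction().
 */
static int __init setup_text_poke_area(void)
{
	int ret;

	/*
	 * cpuhp_setup_state() returns a negative errno on failure and, for a
	 * CPUHP_AP_ONLINE_DYN state, the (positive) allocated state number on
	 * success.  The check must therefore be "ret < 0": the earlier
	 * "!cpuhp_setup_state(...)" form could never fire on a failure
	 * (a negative value is truthy), leaving every CPU's text_poke_area
	 * NULL so that patch_instruction() silently fell back to writing the
	 * text mapping directly - which faults once the text is read-only.
	 */
	ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN,
				"powerpc/text_poke:online", text_area_cpu_up,
				text_area_cpu_down);
	BUG_ON(ret < 0);

	return 0;
}
late_initcall(setup_text_poke_area);

/*
 * Map the page containing @addr (kernel text or module text) at the scratch
 * address @text_poke_addr with a writable kernel protection.
 *
 * Returns 0 on success, -1 if map_kernel_page() failed.
 */
static int map_patch_area(void *addr, unsigned long text_poke_addr)
{
	unsigned long pfn;
	int err;

	/* Module text lives in vmalloc space; core kernel text does not. */
	if (is_vmalloc_addr(addr))
		pfn = vmalloc_to_pfn(addr);
	else
		pfn = __pa_symbol(addr) >> PAGE_SHIFT;

	err = map_kernel_page(text_poke_addr, (pfn << PAGE_SHIFT),
			      pgprot_val(PAGE_KERNEL));

	pr_devel("Mapped addr %lx with pfn %lx:%d\n", text_poke_addr, pfn, err);
	if (err)
		return -1;

	return 0;
}

/*
 * Tear down the temporary writable alias at @addr that map_patch_area()
 * installed, so the writable view of the text page does not outlive the
 * patch.  Walks init_mm's page tables by hand and clears the PTE.
 *
 * Returns 0 on success, -EINVAL if the walk found no table at some level.
 */
static inline int unmap_patch_area(unsigned long addr)
{
	pte_t *ptep;
	pmd_t *pmdp;
	pud_t *pudp;
	pgd_t *pgdp;

	pgdp = pgd_offset_k(addr);
	if (unlikely(!pgdp))
		return -EINVAL;

	pudp = pud_offset(pgdp, addr);
	if (unlikely(!pudp))
		return -EINVAL;

	pmdp = pmd_offset(pudp, addr);
	if (unlikely(!pmdp))
		return -EINVAL;

	ptep = pte_offset_kernel(pmdp, addr);
	if (unlikely(!ptep))
		return -EINVAL;

	/*
	 * pr_devel() is compiled out unless DEBUG is defined; note that this
	 * prints raw kernel pointers, so it must not be promoted to a level
	 * that reaches a production log.
	 */
	pr_devel("clearing mm %p, pte %p, addr %lx\n", &init_mm, ptep, addr);

	/*
	 * In hash, pte_clear flushes the tlb, in radix, we have to
	 */
	pte_clear(&init_mm, addr, ptep);
	flush_tlb_kernel_range(addr, addr + PAGE_SIZE);

	return 0;
}

/*
 * Patch the single instruction word at @addr with @instr.
 *
 * With CONFIG_STRICT_KERNEL_RWX the kernel's own text mapping is read-only,
 * so the write is done through this CPU's text_poke_area: the target page is
 * temporarily aliased writable at that address, the word is written through
 * the alias, both the alias and the real address are flushed from the caches,
 * and the alias is torn down again.  Interrupts are disabled for the duration
 * so nothing else on this CPU can reuse the per-CPU window while it is mapped.
 *
 * Returns 0 on success.  Returns a negative value if the write faulted, if the
 * alias could not be mapped (-1), or if it could not be unmapped.
 */
int patch_instruction(unsigned int *addr, unsigned int instr)
{
	int err;
	int unmap_err;
	unsigned int *dest = NULL;
	unsigned long flags;
	unsigned long text_poke_addr;
	unsigned long kaddr = (unsigned long)addr;

	/*
	 * During early boot patch_instruction() is called before
	 * text_poke_area is ready, but patching must still work, so fall
	 * back to writing the text directly.  slab_is_available() guards the
	 * this_cpu_read(): per-CPU areas might not be set up yet that early,
	 * and reading text_poke_area before they are would be unsafe.
	 */
	if (!slab_is_available() || !this_cpu_read(text_poke_area))
		return __patch_instruction(addr, instr);

	local_irq_save(flags);

	text_poke_addr = (unsigned long)__this_cpu_read(text_poke_area)->addr;
	if (map_patch_area(addr, text_poke_addr)) {
		err = -1;
		goto out;
	}

	/* Same word offset within the alias page as @addr has within its page. */
	dest = (unsigned int *)(text_poke_addr) +
			((kaddr & ~PAGE_MASK) / sizeof(unsigned int));

	/*
	 * We use __put_user_size so that we can handle faults while
	 * writing to dest and return err to handle faults gracefully
	 */
	__put_user_size(instr, dest, 4, err);
	if (!err)
		asm ("dcbst 0, %0; sync; icbi 0,%0; icbi 0,%1; sync; isync"
			::"r" (dest), "r"(addr));

	/*
	 * Always tear the alias down, but do not let its result clobber the
	 * outcome of the write: a faulted store must still be reported to the
	 * caller even when the unmap itself succeeds.  Previously a successful
	 * unmap turned a failed patch into a return value of 0.
	 */
	unmap_err = unmap_patch_area(text_poke_addr);
	if (unmap_err) {
		pr_warn("failed to unmap %lx\n", text_poke_addr);
		if (!err)
			err = unmap_err;
	}

out:
	local_irq_restore(flags);

	return err;
}
#else /* !CONFIG_STRICT_KERNEL_RWX */

/* Text is writable in place, so patch it directly. */
int patch_instruction(unsigned int *addr, unsigned int instr)
{
	return __patch_instruction(addr, instr);
}

#endif /* CONFIG_STRICT_KERNEL_RWX */
NOKPROBE_SYMBOL(patch_instruction);

/*
 * Patch an unconditional branch to @target into @addr.  @flags is passed to
 * create_branch() (BRANCH_SET_LINK and/or BRANCH_ABSOLUTE).
 *
 * create_branch() returns 0 when @target is out of range or not word aligned,
 * and 0 is never a valid encoding it produces (the opcode bits are always
 * set), so reject it here instead of writing an all-zero word into the text.
 *
 * Returns 0 on success, -ERANGE if the branch cannot be encoded, or the
 * error from patch_instruction().
 */
int patch_branch(unsigned int *addr, unsigned long target, int flags)
{
	unsigned int instr = create_branch(addr, target, flags);

	if (!instr)
		return -ERANGE;

	return patch_instruction(addr, instr);
}

bool is_offset_in_branch_range(long offset)
{
	/*
	 * Powerpc branch instruction is :
	 *
	 *    0         6                 30   31
	 *    +---------+----------------+---+---+
	 *    | opcode  |          LI     |AA |LK |
	 *    +---------+----------------+---+---+
	 *    Where AA = 0 and LK = 0
	 *
	 * LI is a signed 24 bits integer.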
The real branch offset is computed
	 * by: imm32 = SignExtend(LI:'0b00', 32);
	 *
	 * So the maximum forward branch should be:
	 *   (0x007fffff << 2) = 0x01fffffc =  0x1fffffc
	 * The maximum backward branch should be:
	 *   (0xff800000 << 2) = 0xfe000000 = -0x2000000
	 *
	 * The low two bits of the offset land in AA/LK, so the target must
	 * also be word aligned.
	 */
	return (offset >= -0x2000000 && offset <= 0x1fffffc && !(offset & 0x3));
}

/*
 * Helper to check if a given instruction is a conditional branch
 * Derived from the conditional checks in analyse_instr()
 *
 * Recognises the B-form "bc" family (primary opcode 16) and the XL-form
 * conditional register-indirect branches under primary opcode 19.
 */
bool is_conditional_branch(unsigned int instr)
{
	unsigned int opcode = instr >> 26;

	if (opcode == 16)       /* bc, bca, bcl, bcla */
		return true;
	if (opcode == 19) {
		/* Extended opcode lives in bits 21-30 of the word. */
		switch ((instr >> 1) & 0x3ff) {
		case 16:        /* bclr, bclrl */
		case 528:       /* bcctr, bcctrl */
		case 560:       /* bctar, bctarl */
			return true;
		}
	}
	return false;
}
NOKPROBE_SYMBOL(is_conditional_branch);

/*
 * Encode an I-form branch (b/bl/ba/bla) to be placed at @addr and reach
 * @target.  Only the low two bits of @flags are kept: they become the AA and
 * LK fields (BRANCH_ABSOLUTE and BRANCH_SET_LINK).  Unless BRANCH_ABSOLUTE is
 * set, the displacement is computed relative to @addr.
 *
 * Returns the instruction word, or 0 if the displacement does not fit the
 * signed 26-bit, word-aligned field (see is_offset_in_branch_range()).
 * 0 is never a valid result, so callers must check for it before patching.
 */
unsigned int create_branch(const unsigned int *addr,
			   unsigned long target, int flags)
{
	unsigned int instruction;
	long offset;

	offset = target;
	if (! (flags & BRANCH_ABSOLUTE))
		offset = offset - (unsigned long)addr;

	/* Check we can represent the target in the instruction format */
	if (!is_offset_in_branch_range(offset))
		return 0;

	/* Mask out the flags and target, so they don't step on each other. */
	instruction = 0x48000000 | (flags & 0x3) | (offset & 0x03FFFFFC);

	return instruction;
}

/*
 * Encode a B-form conditional branch (bc and variants) to be placed at @addr
 * and reach @target.  @flags supplies the condition bits kept by the
 * 0x3FF0000 mask (the BO/BI fields) plus AA/LK in the low two bits, as for
 * create_branch(); every other bit of @flags is discarded.
 *
 * Returns the instruction word, or 0 if the displacement does not fit the
 * signed 16-bit, word-aligned BD field.  0 is never a valid result.
 */
unsigned int create_cond_branch(const unsigned int *addr,
				unsigned long target, int flags)
{
	unsigned int instruction;
	long offset;

	offset = target;
	if (! (flags & BRANCH_ABSOLUTE))
		offset = offset - (unsigned long)addr;

	/* Check we can represent the target in the instruction format */
	if (offset < -0x8000 || offset > 0x7FFF || offset & 0x3)
		return 0;

	/* Mask out the flags and target, so they don't step on each other. */
	instruction = 0x40000000 | (flags & 0x3FF0003) | (offset & 0xFFFC);

	return instruction;
}

/* Primary opcode: the top six bits of the instruction word. */
static unsigned int branch_opcode(unsigned int instr)
{
	return (instr >> 26) & 0x3F;
}

/* True for an I-form branch (primary opcode 18: b/bl/ba/bla). */
static int instr_is_branch_iform(unsigned int instr)
{
	return branch_opcode(instr) == 18;
}

/* True for a B-form conditional branch (primary opcode 16: bc and variants). */
static int instr_is_branch_bform(unsigned int instr)
{
	return branch_opcode(instr) == 16;
}

/*
 * True if @instr is an I-form or B-form branch whose displacement is relative
 * to its own address (AA clear).  Absolute branches and the register-indirect
 * forms under opcode 19 return 0.
 */
int instr_is_relative_branch(unsigned int instr)
{
	if (instr & BRANCH_ABSOLUTE)
		return 0;

	return instr_is_branch_iform(instr) || instr_is_branch_bform(instr);
}

/*
 * Decode the target of the I-form branch at @instr: take the LI:'00'
 * displacement (bits 6-29, already scaled by 4), sign-extend it, and for a
 * relative branch add the instruction's own address.
 */
static unsigned long branch_iform_target(const unsigned int *instr)
{
	signed long imm;

	imm = *instr & 0x3FFFFFC;

	/* If the top bit of the immediate value is set this is negative */
	if (imm & 0x2000000)
		imm -= 0x4000000;

	if ((*instr & BRANCH_ABSOLUTE) == 0)
		imm += (unsigned long)instr;

	return (unsigned long)imm;
}

/*
 * B-form counterpart of branch_iform_target(): the BD:'00' displacement is
 * the low 16 bits of the word, sign-extended from bit 15.
 */
static unsigned long branch_bform_target(const unsigned int *instr)
{
	signed long imm;

	imm = *instr & 0xFFFC;

	/* If the top bit of the immediate value is set this is negative */
	if (imm & 0x8000)
		imm -= 0x10000;

	if ((*instr & BRANCH_ABSOLUTE) == 0)
		imm += (unsigned long)instr;

	return (unsigned long)imm;
}

/*
 * Target address of the branch at @instr, or 0 if it is neither an I-form nor
 * a B-form branch.  Since 0 is also a legitimate absolute target, callers that
 * need to tell the two apart should test the instruction form first.
 */
unsigned long branch_target(const unsigned int *instr)
{
	if (instr_is_branch_iform(*instr))
		return branch_iform_target(instr);
	else if (instr_is_branch_bform(*instr))
		return branch_bform_target(instr);

	return 0;
}

/* True if @instr is an I-form or B-form branch whose decoded target is @addr. */
int instr_is_branch_to_addr(const unsigned int *instr, unsigned long addr)
{
	if (instr_is_branch_iform(*instr) || instr_is_branch_bform(*instr))
		return branch_target(instr) == addr;

	return 0;
}

/*
 * Re-encode the branch at @src so that, once placed at @dest, it still
 * reaches the same target.  The source word itself is passed as @flags to the
 * encoder, which keeps only the AA/LK (and, for B-form, condition) bits.
 *
 * Returns 0 if @src is not a branch or the new displacement is out of range
 * (the encoders return 0 in that case as well).
 */
unsigned int translate_branch(const unsigned int *dest, const unsigned int *src)
{
	unsigned long target;

	target
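= branch_target(src);

	if (instr_is_branch_iform(*src))
		return create_branch(dest, target, *src);
	else if (instr_is_branch_bform(*src))
		return create_cond_branch(dest, target, *src);

	return 0;
}

#ifdef CONFIG_PPC_BOOK3E_64
/*
 * Redirect the Book3E exception vector at byte offset @exc from
 * interrupt_base_book3e to the handler at @addr.
 */
void __patch_exception(int exc, unsigned long addr)
{
	extern unsigned int interrupt_base_book3e;
	unsigned int *ibase = &interrupt_base_book3e;

	/* Our exceptions vectors start with a NOP and -then- a branch
	 * to deal with single stepping from userspace which stops on
	 * the second instruction. Thus we need to patch the second
	 * instruction of the exception, not the first one
	 */

	/*
	 * A vector that fails to patch leaves the CPU delivering that
	 * exception to whatever was there before, so make it loud rather
	 * than discarding the result.
	 */
	WARN_ON(patch_branch(ibase + (exc / 4) + 1, addr, 0));
}
#endif

#ifdef CONFIG_CODE_PATCHING_SELFTEST

/* Function whose entry test_create_function_call() overwrites with a branch. */
static void __init test_trampoline(void)
{
	asm ("nop;\n");
}

/*
 * Report a failed self-test assertion.  Wrapped in do { } while (0) so that
 * check() is a single statement and stays safe as the body of an unbraced
 * if/else, which the bare "if (...) printk(...);" form was not.
 */
#define check(x)							\
	do {								\
		if (!(x))						\
			printk("code-patching: test failed at line %d\n",	\
			       __LINE__);				\
	} while (0)

/* Self-test for the I-form (unconditional) branch encoder and decoders. */
static void __init test_branch_iform(void)
{
	unsigned int instr;
	unsigned long addr;

	addr = (unsigned long)&instr;

	/* The simplest case, branch to self, no flags */
	check(instr_is_branch_iform(0x48000000));
	/* All bits of target set, and flags */
	check(instr_is_branch_iform(0x4bffffff));
	/* High bit of opcode set, which is wrong */
	check(!instr_is_branch_iform(0xcbffffff));
	/* Middle bits of opcode set, which is wrong */
	check(!instr_is_branch_iform(0x7bffffff));

	/* Simplest case, branch to self with link */
	check(instr_is_branch_iform(0x48000001));
	/* All bits of targets set */
	check(instr_is_branch_iform(0x4bfffffd));
	/* Some bits of targets set */
	check(instr_is_branch_iform(0x4bff00fd));
	/* Must be a valid branch to start with */
	check(!instr_is_branch_iform(0x7bfffffd));

	/* Absolute branch to 0x100 */
	instr = 0x48000103;
	check(instr_is_branch_to_addr(&instr, 0x100));
	/* Absolute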
branch to 0x420fc */
	instr = 0x480420ff;
	check(instr_is_branch_to_addr(&instr, 0x420fc));
	/* Maximum positive relative branch, + 32 MB - 4B */
	instr = 0x49fffffc;
	check(instr_is_branch_to_addr(&instr, addr + 0x1FFFFFC));
	/* Smallest negative relative branch, - 4B */
	instr = 0x4bfffffc;
	check(instr_is_branch_to_addr(&instr, addr - 4));
	/* Largest negative relative branch, - 32 MB */
	instr = 0x4a000000;
	check(instr_is_branch_to_addr(&instr, addr - 0x2000000));

	/* Branch to self, with link */
	instr = create_branch(&instr, addr, BRANCH_SET_LINK);
	check(instr_is_branch_to_addr(&instr, addr));

	/* Branch to self - 0x100, with link */
	instr = create_branch(&instr, addr - 0x100, BRANCH_SET_LINK);
	check(instr_is_branch_to_addr(&instr, addr - 0x100));

	/* Branch to self + 0x100, no link */
	instr = create_branch(&instr, addr + 0x100, 0);
	check(instr_is_branch_to_addr(&instr, addr + 0x100));

	/* Maximum relative negative offset, - 32 MB */
	instr = create_branch(&instr, addr - 0x2000000, BRANCH_SET_LINK);
	check(instr_is_branch_to_addr(&instr, addr - 0x2000000));

	/* Out of range relative negative offset, - 32 MB + 4 */
	instr = create_branch(&instr, addr - 0x2000004, BRANCH_SET_LINK);
	check(instr == 0);

	/* Out of range relative positive offset, + 32 MB */
	instr = create_branch(&instr, addr + 0x2000000, BRANCH_SET_LINK);
	check(instr == 0);

	/* Unaligned target */
	instr = create_branch(&instr, addr + 3, BRANCH_SET_LINK);
	check(instr == 0);

	/* Check flags are masked correctly: only AA/LK may survive from flags */
	instr = create_branch(&instr, addr, 0xFFFFFFFC);
	check(instr_is_branch_to_addr(&instr, addr));
	check(instr == 0x48000000);
}

/*
 * Self-test that a "bl" to a real kernel function can be built and patched
 * into live text.  This permanently overwrites the first word of
 * test_trampoline(); both functions are __init so nothing runs it afterwards.
 * The return value of patch_instruction() is not checked here, so a failed
 * patch only surfaces through the following check().
 */
static void __init test_create_function_call(void)
{
	unsigned int *iptr;
	unsigned long dest;

	/* Check we can create a function call */
	iptr = (unsigned int *)ppc_function_entry(test_trampoline);
	dest = ppc_function_entry(test_create_function_call);
	patch_instruction(iptr, create_branch(iptr, dest, BRANCH_SET_LINK));
	check(instr_is_branch_to_addr(iptr, dest));
}

/* Self-test for the B-form (conditional) branch encoder and decoders. */
static void __init test_branch_bform(void)
{
	unsigned long addr;
	unsigned int *iptr, instr, flags;

	iptr = &instr;
	addr = (unsigned long)iptr;

	/* The simplest case, branch to self, no flags */
	check(instr_is_branch_bform(0x40000000));
	/* All bits of target set, and flags */
	check(instr_is_branch_bform(0x43ffffff));
	/* High bit of opcode set, which is wrong */
	check(!instr_is_branch_bform(0xc3ffffff));
	/* Middle bits of opcode set, which is wrong */
	check(!instr_is_branch_bform(0x7bffffff));

	/* Absolute conditional branch to 0x100 */
	instr = 0x43ff0103;
	check(instr_is_branch_to_addr(&instr, 0x100));
	/* Absolute conditional branch to 0x20fc */
	instr = 0x43ff20ff;
	check(instr_is_branch_to_addr(&instr, 0x20fc));
	/* Maximum positive relative conditional branch, + 32 KB - 4B */
	instr = 0x43ff7ffc;
	check(instr_is_branch_to_addr(&instr, addr + 0x7FFC));
	/* Smallest negative relative conditional branch, - 4B */
	instr = 0x43fffffc;
	check(instr_is_branch_to_addr(&instr, addr - 4));
	/* Largest negative relative conditional branch, - 32 KB */
	instr = 0x43ff8000;
	check(instr_is_branch_to_addr(&instr, addr - 0x8000));

	/*
	 * All condition code bits set & link
	 *
	 * NOTE(review): 0x3ff000 only covers 0x3f0000 of the 0x3ff0000
	 * condition mask used by create_cond_branch(); 0x3ff0000 looks to be
	 * what was intended - confirm before relying on this case.
	 */
	flags = 0x3ff000 | BRANCH_SET_LINK;

	/* Branch to self */
	instr = create_cond_branch(iptr, addr, flags);
	check(instr_is_branch_to_addr(&instr, addr));

	/* Branch to self - 0x100 */
	instr = create_cond_branch(iptr, addr - 0x100, flags);
	check(instr_is_branch_to_addr(&instr, addr - 0x100));

	/* Branch to self + 0x100 */
	instr = create_cond_branch(iptr, addr + 0x100, flags);
	check(instr_is_branch_to_addr(&instr, addr + 0x100));

	/* Maximum relative negative offset, - 32 KB */
	instr = create_cond_branch(iptr, addr - 0x8000, flags);
	check(instr_is_branch_to_addr(&instr, addr - 0x8000));

	/* Out of range relative negative offset, - 32 KB + 4 */
	instr = create_cond_branch(iptr, addr - 0x8004, flags);
	check(instr == 0);

	/* Out of range relative positive offset, + 32 KB */
	instr = create_cond_branch(iptr, addr + 0x8000, flags);
	check(instr == 0);

	/* Unaligned target */
	instr = create_cond_branch(iptr, addr + 3, flags);
	check(instr == 0);

	/* Check flags are masked correctly: condition bits and AA/LK only */
	instr = create_cond_branch(iptr, addr, 0xFFFFFFFC);
	check(instr_is_branch_to_addr(&instr, addr));
	check(instr == 0x43FF0000);
}

/*
 * Self-test for translate_branch(): patch a branch into a 32 MB vmalloc
 * buffer, copy it to another position with translate_branch(), and verify
 * both copies still decode to the original target.  The buffer is vmalloc'd
 * so patch_instruction() exercises its vmalloc_to_pfn() mapping path.
 */
static void __init test_translate_branch(void)
{
	unsigned long addr;
	unsigned int *p, *q;
	void *buf;

	/* One byte more than 32 MB so that buf + 0x2000000 is still inside. */
	buf = vmalloc(PAGE_ALIGN(0x2000000 + 1));
	check(buf);
	if (!buf)
		return;

	/* Simple case, branch to self moved a little */
	p = buf;
	addr = (unsigned long)p;
	patch_branch(p, addr, 0);
	check(instr_is_branch_to_addr(p, addr));
	q = p + 1;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(q, addr));

	/* Maximum negative case, move b . to addr + 32 MB */
	p = buf;
	addr = (unsigned long)p;
	patch_branch(p, addr, 0);
	q = buf + 0x2000000;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));
	check(*q == 0x4a000000);

	/* Maximum positive case, move x to x - 32 MB + 4 */
	p = buf + 0x2000000;
	addr = (unsigned long)p;
	patch_branch(p, addr, 0);
	q = buf + 4;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));
	check(*q == 0x49fffffc);

	/* Jump to x + 16 MB moved to x + 20 MB */
	p = buf;
	addr = 0x1000000 + (unsigned long)buf;
	patch_branch(p, addr, BRANCH_SET_LINK);
	q = buf + 0x1400000;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));

	/* Jump to x + 16 MB moved to x - 16 MB + 4 */
	p = buf + 0x1000000;
	addr = 0x2000000 + (unsigned long)buf;
	patch_branch(p, addr, 0);
	q = buf + 4;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));


	/* Conditional branch tests */

	/* Simple case, branch to self moved a little */
	p = buf;
	addr = (unsigned long)p;
	patch_instruction(p, create_cond_branch(p, addr, 0));
	check(instr_is_branch_to_addr(p, addr));
	q = p + 1;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(q, addr));

	/* Maximum negative case, move b . to addr + 32 KB */
	p = buf;
	addr = (unsigned long)p;
	patch_instruction(p, create_cond_branch(p, addr, 0xFFFFFFFC));
	q = buf + 0x8000;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));
	check(*q == 0x43ff8000);

	/* Maximum positive case, move x to x - 32 KB + 4 */
	p = buf + 0x8000;
	addr = (unsigned long)p;
	patch_instruction(p, create_cond_branch(p, addr, 0xFFFFFFFC));
	q = buf + 4;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));
	check(*q == 0x43ff7ffc);

	/* Jump to x + 12 KB moved to x + 20 KB */
	p = buf;
	addr = 0x3000 + (unsigned long)buf;
	patch_instruction(p, create_cond_branch(p, addr, BRANCH_SET_LINK));
	q = buf + 0x5000;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));

	/* Jump to x + 8 KB moved to x - 8 KB + 4 */
	p = buf + 0x2000;
	addr = 0x4000 + (unsigned long)buf;
	patch_instruction(p, create_cond_branch(p, addr, 0));
	q = buf + 4;
	patch_instruction(q, translate_branch(q, p));
	check(instr_is_branch_to_addr(p, addr));
	check(instr_is_branch_to_addr(q, addr));

	/* Free the buffer we were using */
	vfree(buf);
}

/*
 * Entry point for the self-tests, run as a late initcall.  It is registered
 * after setup_text_poke_area() at the same initcall level, so the per-CPU
 * patching windows exist by the time the tests patch live text.  Failures
 * are only reported via printk() by check(); the initcall itself always
 * returns 0.
 */
static int __init test_code_patching(void)
{
	printk(KERN_DEBUG "Running code patching self-tests ...\n");

	test_branch_iform();
	test_branch_bform();
	test_create_function_call();
	test_translate_branch();

	return 0;
}
late_initcall(test_code_patching);

#endif /* CONFIG_CODE_PATCHING_SELFTEST */