linux/arch/arm64/kernel/armv8_deprecated.c
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 *  Copyright (C) 2014 ARM Limited
   4 */
   5
   6#include <linux/cpu.h>
   7#include <linux/init.h>
   8#include <linux/list.h>
   9#include <linux/perf_event.h>
  10#include <linux/sched.h>
  11#include <linux/slab.h>
  12#include <linux/sysctl.h>
  13#include <linux/uaccess.h>
  14
  15#include <asm/cpufeature.h>
  16#include <asm/insn.h>
  17#include <asm/sysreg.h>
  18#include <asm/system_misc.h>
  19#include <asm/traps.h>
  20#include <asm/kprobes.h>
  21
  22#define CREATE_TRACE_POINTS
  23#include "trace-events-emulation.h"
  24
/*
 * The runtime support for a deprecated instruction can be in one of the
 * following three states:
 *
 * 0 = undef
 * 1 = emulate (software emulation)
 * 2 = hw (supported in hardware)
 */
/*
 * Value space of insn_emulation.current_mode; exposed verbatim through the
 * per-instruction sysctl, so the numeric values are ABI.
 */
enum insn_emulation_mode {
	INSN_UNDEF,	/* 0: instruction traps as undefined, no handler installed */
	INSN_EMULATE,	/* 1: undef hooks registered, software emulation */
	INSN_HW,	/* 2: native support enabled via ops->set_hw_mode() */
};
  38
/*
 * Architectural status of the instruction; decides the initial mode and the
 * sysctl upper bound in register_insn_emulation().
 */
enum legacy_insn_status {
	INSN_DEPRECATED,	/* starts in INSN_EMULATE, may be raised to INSN_HW */
	INSN_OBSOLETE,		/* starts in INSN_UNDEF, may be raised to INSN_EMULATE at most */
};
  43
/*
 * Static description of one emulated instruction (or family of encodings).
 * One instance exists per instruction: swp_ops, cp15_barrier_ops, setend_ops.
 */
struct insn_emulation_ops {
	const char		*name;		/* sysctl name under /proc/sys/abi, also used as log label */
	enum legacy_insn_status	status;		/* selects the initial mode and the sysctl upper bound */
	struct undef_hook	*hooks;		/* hooks to (un)register; array is terminated by instr_mask == 0 */
	int			(*set_hw_mode)(bool enable);	/* optional (may be NULL): toggle native support, 0 on success */
};
  50
/*
 * Per-instruction runtime state, allocated by register_insn_emulation() and
 * kept on the insn_emulation list for the lifetime of the kernel.
 */
struct insn_emulation {
	struct list_head node;			/* link in the insn_emulation list */
	struct insn_emulation_ops *ops;
	int current_mode;			/* an insn_emulation_mode value; written via the sysctl handler */
	int min;				/* sysctl lower bound, always INSN_UNDEF */
	int max;				/* sysctl upper bound: INSN_HW if deprecated, INSN_EMULATE if obsolete */
};
  58
/* All registered instruction emulations, linked through insn_emulation.node. */
static LIST_HEAD(insn_emulation);
/* Entry count on the list; only needed at init time to size the sysctl table. */
static int nr_insn_emulated __initdata;
/* Protects the list; taken with IRQs disabled since the CPU hotplug callback also walks it. */
static DEFINE_RAW_SPINLOCK(insn_emulation_lock);
  62
/*
 * Install every undef hook of @ops so that the instruction starts trapping
 * into its software emulation. The hook array must be terminated by an entry
 * whose instr_mask is zero.
 */
static void register_emulation_hooks(struct insn_emulation_ops *ops)
{
	struct undef_hook *h = ops->hooks;

	BUG_ON(!h);

	while (h->instr_mask) {
		register_undef_hook(h);
		h++;
	}

	pr_notice("Registered %s emulation handler\n", ops->name);
}
  74
/*
 * Mirror of register_emulation_hooks(): unregister every undef hook of @ops.
 * The array is walked up to the zero-instr_mask terminator.
 */
static void remove_emulation_hooks(struct insn_emulation_ops *ops)
{
	struct undef_hook *h = ops->hooks;

	BUG_ON(!h);

	while (h->instr_mask) {
		unregister_undef_hook(h);
		h++;
	}

	pr_notice("Removed %s emulation handler\n", ops->name);
}
  86
/*
 * on_each_cpu() callback: turn on native hardware support for the
 * instruction described by @data (a struct insn_emulation *) on this CPU.
 * A NULL set_hw_mode means the instruction has no hardware mode; nothing is done.
 */
static void enable_insn_hw_mode(void *data)
{
	struct insn_emulation *insn = data;
	int (*set_hw_mode)(bool) = insn->ops->set_hw_mode;

	if (set_hw_mode)
		set_hw_mode(true);
}
  93
/*
 * on_each_cpu() callback: turn off native hardware support for the
 * instruction described by @data (a struct insn_emulation *) on this CPU.
 * A NULL set_hw_mode means the instruction has no hardware mode; nothing is done.
 */
static void disable_insn_hw_mode(void *data)
{
	struct insn_emulation *insn = data;
	int (*set_hw_mode)(bool) = insn->ops->set_hw_mode;

	if (set_hw_mode)
		set_hw_mode(false);
}
 100
/*
 * Apply set_hw_mode(@enable) for @insn on every online CPU, synchronously.
 *
 * Returns 0 once the cross-call has completed on all CPUs, or -EINVAL if the
 * instruction has no hardware mode at all. Per-CPU failures reported by
 * set_hw_mode() itself are not propagated from here.
 */
static int run_all_cpu_set_hw_mode(struct insn_emulation *insn, bool enable)
{
	void (*fn)(void *) = enable ? enable_insn_hw_mode : disable_insn_hw_mode;

	if (!insn->ops->set_hw_mode)
		return -EINVAL;

	on_each_cpu(fn, insn, true);
	return 0;
}
 112
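/*
 * Run set_hw_mode for all insns on a starting CPU.
 *
 * Registered as the CPUHP_AP_ARM64_ISNDEP_STARTING callback, so it runs on
 * the CPU being brought online and re-applies each instruction's current
 * mode (hardware support on or off) to that CPU.
 *
 * Returns:
 *  0           - If all the hooks ran successfully.
 * -EINVAL      - At least one hook is not supported by the CPU.
 */
static int run_all_insn_set_hw_mode(unsigned int cpu)
{
	int rc = 0;
	unsigned long flags;
	struct insn_emulation *insn;

	raw_spin_lock_irqsave(&insn_emulation_lock, flags);
	list_for_each_entry(insn, &insn_emulation, node) {
		bool enable = (insn->current_mode == INSN_HW);

		/* Instructions without a hardware mode have nothing to apply. */
		if (insn->ops->set_hw_mode && insn->ops->set_hw_mode(enable)) {
			/* Trailing newline keeps this line from merging with the next printk. */
			pr_warn("CPU[%u] cannot support the emulation of %s\n",
				cpu, insn->ops->name);
			rc = -EINVAL;
		}
	}
	raw_spin_unlock_irqrestore(&insn_emulation_lock, flags);
	return rc;
}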
 137
/*
 * Transition @insn from mode @prev to insn->current_mode: tear down what the
 * previous mode had installed, then bring up the new one. Passing
 * prev == INSN_UNDEF skips the teardown step.
 *
 * Returns 0 on success, or the error from enabling hardware mode (the only
 * step that can fail); failure to disable hardware mode is logged only by
 * the absence of the "Disabled" notice.
 */
static int update_insn_emulation_mode(struct insn_emulation *insn,
				       enum insn_emulation_mode prev)
{
	int err = 0;

	/* Step 1: undo whatever the previous mode had put in place. */
	if (prev == INSN_EMULATE) {
		remove_emulation_hooks(insn->ops);
	} else if (prev == INSN_HW) {
		if (run_all_cpu_set_hw_mode(insn, false) == 0)
			pr_notice("Disabled %s support\n", insn->ops->name);
	}

	/* Step 2: bring up the newly selected mode. */
	if (insn->current_mode == INSN_EMULATE) {
		register_emulation_hooks(insn->ops);
	} else if (insn->current_mode == INSN_HW) {
		err = run_all_cpu_set_hw_mode(insn, true);
		if (err == 0)
			pr_notice("Enabled %s support\n", insn->ops->name);
	}

	return err;
}
 170
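/*
 * Allocate the runtime state for @ops, pick its initial mode from
 * ops->status, add it to the insn_emulation list and install whatever the
 * initial mode needs (emulation hooks for INSN_EMULATE).
 *
 * If the allocation fails the instruction is simply left unregistered: it
 * keeps trapping as undefined, gets no sysctl entry and nr_insn_emulated is
 * not bumped, so the sysctl table built later stays consistent.
 */
static void __init register_insn_emulation(struct insn_emulation_ops *ops)
{
	unsigned long flags;
	struct insn_emulation *insn;

	insn = kzalloc(sizeof(*insn), GFP_KERNEL);
	if (!insn) {
		pr_err("failed to allocate %s emulation state\n", ops->name);
		return;
	}

	insn->ops = ops;
	insn->min = INSN_UNDEF;

	switch (ops->status) {
	case INSN_DEPRECATED:
		insn->current_mode = INSN_EMULATE;
		/* Disable the HW mode if it was turned on at early boot time */
		run_all_cpu_set_hw_mode(insn, false);
		insn->max = INSN_HW;
		break;
	case INSN_OBSOLETE:
		insn->current_mode = INSN_UNDEF;
		insn->max = INSN_EMULATE;
		break;
	}

	raw_spin_lock_irqsave(&insn_emulation_lock, flags);
	list_add(&insn->node, &insn_emulation);
	nr_insn_emulated++;
	raw_spin_unlock_irqrestore(&insn_emulation_lock, flags);

	/* Register any handlers if required; INSN_UNDEF as prev means "nothing to tear down". */
	update_insn_emulation_mode(insn, INSN_UNDEF);
}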
 201
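/*
 * Sysctl handler for /proc/sys/abi/<insn>.
 *
 * @table:  the per-instruction ctl_table; its ->data holds the owning
 *          struct insn_emulation, not the int being edited
 * @write:  non-zero for a write, zero for a read
 * @buffer, @lenp, @ppos: passed straight through to proc_dointvec_minmax()
 *
 * Returns 0 on success or a negative errno from proc_dointvec_minmax() or
 * update_insn_emulation_mode().
 *
 * The table is copied to a local so that ->data can be pointed at
 * insn->current_mode for the duration of the call. Rewriting table->data in
 * place, as this function used to, let a concurrent read or write of the same
 * sysctl observe the int pointer and dereference it as a struct
 * insn_emulation. Concurrent writers are still not serialised against each
 * other here; mode changes themselves are protected only by whatever the
 * callers of set_hw_mode()/register_undef_hook() provide.
 */
static int emulation_proc_handler(struct ctl_table *table, int write,
				  void __user *buffer, size_t *lenp,
				  loff_t *ppos)
{
	int ret;
	struct insn_emulation *insn = (struct insn_emulation *) table->data;
	enum insn_emulation_mode prev_mode = insn->current_mode;
	struct ctl_table t = *table;

	t.data = &insn->current_mode;
	ret = proc_dointvec_minmax(&t, write, buffer, lenp, ppos);

	/* Reads, failed writes and writes of the current value need no further action. */
	if (ret || !write || prev_mode == insn->current_mode)
		return ret;

	ret = update_insn_emulation_mode(insn, prev_mode);
	if (ret) {
		/*
		 * Mode change failed, revert to previous mode. The previous
		 * mode's state has already been torn down, so re-install it
		 * as if coming from INSN_UNDEF.
		 */
		insn->current_mode = prev_mode;
		update_insn_emulation_mode(insn, INSN_UNDEF);
	}
	return ret;
}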
 226
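/*
 * Build one ctl_table entry per registered instruction (plus the zero
 * terminator) and register the set under /proc/sys/abi. Each entry points
 * ->data at the struct insn_emulation so emulation_proc_handler() can reach
 * both the mode and the ops; extra1/extra2 give proc_dointvec_minmax() the
 * per-instruction bounds.
 *
 * Must run after every register_insn_emulation() call, since
 * nr_insn_emulated is used to size the table.
 */
static void __init register_insn_emulation_sysctl(void)
{
	unsigned long flags;
	int i = 0;
	struct insn_emulation *insn;
	struct ctl_table *insns_sysctl, *sysctl;

	insns_sysctl = kcalloc(nr_insn_emulated + 1, sizeof(*sysctl),
			       GFP_KERNEL);
	if (!insns_sysctl) {
		pr_err("failed to allocate sysctl table for instruction emulation\n");
		return;
	}

	raw_spin_lock_irqsave(&insn_emulation_lock, flags);
	list_for_each_entry(insn, &insn_emulation, node) {
		sysctl = &insns_sysctl[i];

		sysctl->mode = 0644;
		sysctl->maxlen = sizeof(int);

		sysctl->procname = insn->ops->name;
		sysctl->data = insn;
		sysctl->extra1 = &insn->min;
		sysctl->extra2 = &insn->max;
		sysctl->proc_handler = emulation_proc_handler;
		i++;
	}
	raw_spin_unlock_irqrestore(&insn_emulation_lock, flags);

	/* On success the table must stay allocated for the life of the sysctls. */
	if (!register_sysctl("abi", insns_sysctl)) {
		pr_warn("failed to register abi sysctl table for instruction emulation\n");
		kfree(insns_sysctl);
	}
}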
 255
 256/*
 257 *  Implement emulation of the SWP/SWPB instructions using load-exclusive and
 258 *  store-exclusive.
 259 *
 260 *  Syntax of SWP{B} instruction: SWP{B}<c> <Rt>, <Rt2>, [<Rn>]
 261 *  Where: Rt  = destination
 262 *         Rt2 = source
 263 *         Rn  = address
 264 */
 265
 266/*
 267 * Error-checking SWP macros implemented using ldxr{b}/stxr{b}
 268 */
 269
/* Arbitrary constant to ensure forward-progress of the LL/SC loop */
#define __SWP_LL_SC_LOOPS	4

/*
 * Perform one user-space atomic swap with ldxr{b}/stxr{b}.
 *
 * @data:  in: value to store; out: value previously at @addr (on success)
 * @addr:  user virtual address of the word/byte
 * @res:   0 on success, -EAGAIN if the store-exclusive failed
 *         __SWP_LL_SC_LOOPS times in a row, -EFAULT on an access fault
 *         (via the extable fixup at label 4)
 * @temp, @temp2: scratch registers (loop counter and loaded value)
 * @B:     "" for word SWP, "b" for byte SWPB
 *
 * User access is enabled only around the asm block. The caller is expected
 * to have already checked the address with access_ok().
 */
#define __user_swpX_asm(data, addr, res, temp, temp2, B)	\
do {								\
	uaccess_enable();					\
	__asm__ __volatile__(					\
	"	mov		%w3, %w7\n"			\
	"0:	ldxr"B"		%w2, [%4]\n"			\
	"1:	stxr"B"		%w0, %w1, [%4]\n"		\
	"	cbz		%w0, 2f\n"			\
	"	sub		%w3, %w3, #1\n"			\
	"	cbnz		%w3, 0b\n"			\
	"	mov		%w0, %w5\n"			\
	"	b		3f\n"				\
	"2:\n"							\
	"	mov		%w1, %w2\n"			\
	"3:\n"							\
	"	.pushsection	.fixup,\"ax\"\n"		\
	"	.align		2\n"				\
	"4:	mov		%w0, %w6\n"			\
	"	b		3b\n"				\
	"	.popsection"					\
	_ASM_EXTABLE(0b, 4b)					\
	_ASM_EXTABLE(1b, 4b)					\
	: "=&r" (res), "+r" (data), "=&r" (temp), "=&r" (temp2) \
	: "r" ((unsigned long)addr), "i" (-EAGAIN),		\
	  "i" (-EFAULT),					\
	  "i" (__SWP_LL_SC_LOOPS)				\
	: "memory");						\
	uaccess_disable();					\
} while (0)

/* Word-sized variant (SWP). */
#define __user_swp_asm(data, addr, res, temp, temp2) \
	__user_swpX_asm(data, addr, res, temp, temp2, "")
/* Byte-sized variant (SWPB). */
#define __user_swpb_asm(data, addr, res, temp, temp2) \
	__user_swpX_asm(data, addr, res, temp, temp2, "b")

/*
 * Bit 22 of the instruction encoding distinguishes between
 * the SWP and SWPB variants (bit set means SWPB).
 */
#define TYPE_SWPB (1 << 22)
 313
/*
 * Perform the swap for an emulated SWP/SWPB.
 *
 * @address: user address operand (Rn)
 * @data:    in: value to store (Rt2); out: value read from memory on success
 * @type:    TYPE_SWPB for the byte variant, 0 for the word variant
 *
 * Returns 0 on success, -EFAULT for an unaligned word swap or a faulting
 * access, or -EAGAIN if the LL/SC loop kept failing and a signal is pending.
 */
static int emulate_swpX(unsigned int address, unsigned int *data,
			unsigned int type)
{
	unsigned int res = 0;

	/* A word-sized SWP needs a word-aligned address; SWPB has no such rule. */
	if (type != TYPE_SWPB && (address & 0x3)) {
		pr_debug("SWP instruction on unaligned pointer!\n");
		return -EFAULT;
	}

	for (;;) {
		unsigned long scratch, scratch2;

		if (type == TYPE_SWPB)
			__user_swpb_asm(*data, address, res, scratch, scratch2);
		else
			__user_swp_asm(*data, address, res, scratch, scratch2);

		/* Retry only on LL/SC exhaustion, and only while no signal is pending. */
		if (unlikely(res == -EAGAIN) && !signal_pending(current)) {
			cond_resched();
			continue;
		}
		break;
	}

	return res;
}
 341
/* Results of aarch32_check_condition(). */
#define ARM_OPCODE_CONDTEST_FAIL   0	/* condition present and not met: skip the instruction */
#define ARM_OPCODE_CONDTEST_PASS   1	/* condition present and met */
#define ARM_OPCODE_CONDTEST_UNCOND 2	/* 0xf condition field: unconditional encoding space */

/* Value of the cond field (bits [31:28]) that denotes the unconditional space. */
#define ARM_OPCODE_CONDITION_UNCOND     0xf
 347
/*
 * Evaluate the condition field of an AArch32 @opcode against the flags in
 * @psr. Returns ARM_OPCODE_CONDTEST_UNCOND for the 0xf encoding space,
 * otherwise ARM_OPCODE_CONDTEST_PASS or ARM_OPCODE_CONDTEST_FAIL.
 */
static unsigned int __kprobes aarch32_check_condition(u32 opcode, u32 psr)
{
	u32 cond = opcode >> 28;	/* condition field, bits [31:28] */

	/* 0xf is not a real condition but the unconditional encoding space. */
	if (cond == ARM_OPCODE_CONDITION_UNCOND)
		return ARM_OPCODE_CONDTEST_UNCOND;

	return aarch32_opcode_cond_checks[cond](psr)
		? ARM_OPCODE_CONDTEST_PASS : ARM_OPCODE_CONDTEST_FAIL;
}
 360
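/*
 * swp_handler - emulate an AArch32 SWP/SWPB executed by a user task
 * @regs:  faulting context; on return the result is in Rt and the PC has been
 *         advanced past the 4-byte instruction
 * @instr: the undefined-instruction encoding that matched swp_hooks
 *
 * Logs the calling process, decodes Rt/Rt2/Rn, checks that the target word
 * lies in the user-accessible range, hands the swap to emulate_swpX() and
 * turns an access failure into a segfault for the task.
 *
 * Returns 0 when the instruction was consumed (including a failed condition
 * code and the segfault path), -EFAULT for the unconditional encoding and
 * -EINVAL for an unexpected condition-check result.
 */
static int swp_handler(struct pt_regs *regs, u32 instr)
{
	u32 destreg, data, type, address = 0;
	const void __user *user_ptr;
	int rn, rt2, res = 0;

	perf_sw_event(PERF_COUNT_SW_EMULATION_FAULTS, 1, regs, regs->pc);

	type = instr & TYPE_SWPB;

	switch (aarch32_check_condition(instr, regs->pstate)) {
	case ARM_OPCODE_CONDTEST_PASS:
		break;
	case ARM_OPCODE_CONDTEST_FAIL:
		/* Condition failed - return to next instruction */
		goto ret;
	case ARM_OPCODE_CONDTEST_UNCOND:
		/* If unconditional encoding - not a SWP, undef */
		return -EFAULT;
	default:
		return -EINVAL;
	}

	rn = aarch32_insn_extract_reg_num(instr, A32_RN_OFFSET);
	rt2 = aarch32_insn_extract_reg_num(instr, A32_RT2_OFFSET);

	address = (u32)regs->user_regs.regs[rn];
	data    = (u32)regs->user_regs.regs[rt2];
	destreg = aarch32_insn_extract_reg_num(instr, A32_RT_OFFSET);

	/* rt2 was decoded above; no need to extract the field a second time. */
	pr_debug("addr in r%d->0x%08x, dest is r%d, source in r%d->0x%08x)\n",
		rn, address, destreg, rt2, data);

	/*
	 * Check access in reasonable access range for both SWP and SWPB.
	 * The address is rounded down to its containing word so that an
	 * unaligned SWPB is checked against the word it actually touches.
	 */
	user_ptr = (const void __user *)(unsigned long)(address & ~3);
	if (!access_ok(user_ptr, 4)) {
		pr_debug("SWP{B} emulation: access to 0x%08x not allowed!\n",
			address);
		goto fault;
	}

	res = emulate_swpX(address, &data, type);
	if (res == -EFAULT)
		goto fault;
	else if (res == 0)
		regs->user_regs.regs[destreg] = data;
	/*
	 * Any other result (-EAGAIN once a signal was pending) leaves Rt
	 * untouched; the instruction is still skipped below.
	 */

ret:
	if (type == TYPE_SWPB)
		trace_instruction_emulation("swpb", regs->pc);
	else
		trace_instruction_emulation("swp", regs->pc);

	pr_warn_ratelimited("\"%s\" (%ld) uses obsolete SWP{B} instruction at 0x%llx\n",
			current->comm, (unsigned long)current->pid, regs->pc);

	arm64_skip_faulting_instruction(regs, 4);
	return 0;

fault:
	pr_debug("SWP{B} emulation: access caused memory abort!\n");
	arm64_notify_segfault(address);

	return 0;
}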
 432
/*
 * Only emulate SWP/SWPB executed in ARM state/User mode.
 * The kernel must be SWP free and SWP{B} does not exist in Thumb.
 *
 * instr_mask leaves bit 22 (TYPE_SWPB) unmasked, so this single entry
 * matches both the SWP and SWPB encodings; swp_handler() tells them apart.
 * The array is terminated by an all-zero entry (instr_mask == 0).
 */
static struct undef_hook swp_hooks[] = {
	{
		.instr_mask	= 0x0fb00ff0,
		.instr_val	= 0x01000090,
		.pstate_mask	= PSR_AA32_MODE_MASK,	/* AArch32 User mode only */
		.pstate_val	= PSR_AA32_MODE_USR,
		.fn		= swp_handler
	},
	{ }
};
 447
/*
 * SWP/SWPB are obsolete: they start undefined and can only be raised to
 * software emulation (no hardware mode, hence set_hw_mode == NULL).
 */
static struct insn_emulation_ops swp_ops = {
	.name = "swp",
	.status = INSN_OBSOLETE,
	.hooks = swp_hooks,
	.set_hw_mode = NULL,
};
 454
/*
 * Emulate the deprecated CP15 barrier instructions (mcr p15, 0, Rt, c7, ...)
 * for AArch32 user tasks. The matched encodings are dmb/dsb (crm == 10,
 * distinguished by opc2) and isb (crm == 5); the equivalent AArch64 barrier
 * is issued where one is needed and the faulting instruction is skipped.
 *
 * Returns 0 once the instruction has been consumed (also when its condition
 * failed), -EFAULT for the unconditional encoding and -EINVAL for an
 * unexpected condition-check result.
 */
static int cp15barrier_handler(struct pt_regs *regs, u32 instr)
{
	unsigned int cond;

	perf_sw_event(PERF_COUNT_SW_EMULATION_FAULTS, 1, regs, regs->pc);

	cond = aarch32_check_condition(instr, regs->pstate);
	if (cond == ARM_OPCODE_CONDTEST_UNCOND) {
		/* Unconditional encoding - not a barrier instruction */
		return -EFAULT;
	}
	if (cond != ARM_OPCODE_CONDTEST_PASS && cond != ARM_OPCODE_CONDTEST_FAIL)
		return -EINVAL;

	if (cond == ARM_OPCODE_CONDTEST_PASS) {
		switch (aarch32_insn_mcr_extract_crm(instr)) {
		case 10:
			/*
			 * dmb - mcr p15, 0, Rt, c7, c10, 5
			 * dsb - mcr p15, 0, Rt, c7, c10, 4
			 */
			if (aarch32_insn_mcr_extract_opc2(instr) == 5) {
				dmb(sy);
				trace_instruction_emulation(
					"mcr p15, 0, Rt, c7, c10, 5 ; dmb", regs->pc);
			} else {
				dsb(sy);
				trace_instruction_emulation(
					"mcr p15, 0, Rt, c7, c10, 4 ; dsb", regs->pc);
			}
			break;
		case 5:
			/*
			 * isb - mcr p15, 0, Rt, c7, c5, 4
			 *
			 * Taking an exception or returning from one acts as an
			 * instruction barrier. So no explicit barrier needed here.
			 */
			trace_instruction_emulation(
				"mcr p15, 0, Rt, c7, c5, 4 ; isb", regs->pc);
			break;
		default:
			/* Not reachable with the masks in cp15_barrier_hooks. */
			break;
		}
	}

	/* A failed condition code still consumes the instruction. */
	pr_warn_ratelimited("\"%s\" (%ld) uses deprecated CP15 Barrier instruction at 0x%llx\n",
			current->comm, (unsigned long)current->pid, regs->pc);

	arm64_skip_faulting_instruction(regs, 4);
	return 0;
}
 507
/*
 * Toggle native CP15 barrier support on the calling CPU by setting or
 * clearing SCTLR_EL1.CP15BEN. Always succeeds (returns 0).
 */
static int cp15_barrier_set_hw_mode(bool enable)
{
	sysreg_clear_set(sctlr_el1,
			 enable ? 0 : SCTLR_EL1_CP15BEN,
			 enable ? SCTLR_EL1_CP15BEN : 0);
	return 0;
}
 516
/*
 * Undef hooks for the CP15 barrier encodings, AArch32 User mode only.
 * Terminated by an all-zero entry.
 */
static struct undef_hook cp15_barrier_hooks[] = {
	{
		/*
		 * mcr p15, 0, Rt, c7, c10, {4,5}: bit 5 (low bit of opc2) is
		 * left unmasked so one entry covers both dsb and dmb.
		 */
		.instr_mask	= 0x0fff0fdf,
		.instr_val	= 0x0e070f9a,
		.pstate_mask	= PSR_AA32_MODE_MASK,
		.pstate_val	= PSR_AA32_MODE_USR,
		.fn		= cp15barrier_handler,
	},
	{
		/* mcr p15, 0, Rt, c7, c5, 4: isb */
		.instr_mask	= 0x0fff0fff,
		.instr_val	= 0x0e070f95,
		.pstate_mask	= PSR_AA32_MODE_MASK,
		.pstate_val	= PSR_AA32_MODE_USR,
		.fn		= cp15barrier_handler,
	},
	{ }
};
 534
/*
 * CP15 barriers are deprecated, not obsolete: they start in software
 * emulation and may be switched to native hardware support via the sysctl.
 */
static struct insn_emulation_ops cp15_barrier_ops = {
	.name = "cp15_barrier",
	.status = INSN_DEPRECATED,
	.hooks = cp15_barrier_hooks,
	.set_hw_mode = cp15_barrier_set_hw_mode,
};
 541
/*
 * Toggle native SETEND support on the calling CPU. Hardware support means
 * clearing SCTLR_EL1.SED (the SETEND-disable bit); disabling sets it.
 *
 * Returns -EINVAL if this CPU cannot run mixed-endian EL0 at all, else 0.
 */
static int setend_set_hw_mode(bool enable)
{
	if (!cpu_supports_mixed_endian_el0())
		return -EINVAL;

	sysreg_clear_set(sctlr_el1,
			 enable ? SCTLR_EL1_SED : 0,
			 enable ? 0 : SCTLR_EL1_SED);
	return 0;
}
 553
/*
 * Common SETEND emulation for the A32 and T16 encodings: flip the AArch32 E
 * bit in the saved PSTATE so the task continues in the requested data
 * endianness. Skipping the instruction is left to the per-encoding caller,
 * since the instruction length differs. Always returns 0.
 */
static int compat_setend_handler(struct pt_regs *regs, u32 big_endian)
{
	char *which = big_endian ? "setend be" : "setend le";

	perf_sw_event(PERF_COUNT_SW_EMULATION_FAULTS, 1, regs, regs->pc);

	if (big_endian)
		regs->pstate |= PSR_AA32_E_BIT;
	else
		regs->pstate &= ~PSR_AA32_E_BIT;

	trace_instruction_emulation(which, regs->pc);
	pr_warn_ratelimited("\"%s\" (%ld) uses deprecated setend instruction at 0x%llx\n",
			current->comm, (unsigned long)current->pid, regs->pc);

	return 0;
}
 574
/* A32 SETEND: the E operand is bit 9 of the encoding; the instruction is 4 bytes. */
static int a32_setend_handler(struct pt_regs *regs, u32 instr)
{
	u32 big_endian = (instr >> 9) & 1;
	int rc;

	rc = compat_setend_handler(regs, big_endian);
	arm64_skip_faulting_instruction(regs, 4);
	return rc;
}
 581
/* Thumb-16 SETEND: the E operand is bit 3 of the encoding; the instruction is 2 bytes. */
static int t16_setend_handler(struct pt_regs *regs, u32 instr)
{
	u32 big_endian = (instr >> 3) & 1;
	int rc;

	rc = compat_setend_handler(regs, big_endian);
	arm64_skip_faulting_instruction(regs, 2);
	return rc;
}
 588
/*
 * Undef hooks for SETEND in AArch32 User mode, one per instruction set
 * state. Terminated by an all-zero entry.
 */
static struct undef_hook setend_hooks[] = {
	{
		/* ARM mode: bit 9 (the E operand) is left unmasked. */
		.instr_mask	= 0xfffffdff,
		.instr_val	= 0xf1010000,
		.pstate_mask	= PSR_AA32_MODE_MASK,
		.pstate_val	= PSR_AA32_MODE_USR,
		.fn		= a32_setend_handler,
	},
	{
		/* Thumb mode: bit 3 (the E operand) is left unmasked; T bit must be set. */
		.instr_mask	= 0x0000fff7,
		.instr_val	= 0x0000b650,
		.pstate_mask	= (PSR_AA32_T_BIT | PSR_AA32_MODE_MASK),
		.pstate_val	= (PSR_AA32_T_BIT | PSR_AA32_MODE_USR),
		.fn		= t16_setend_handler,
	},
	{}
};
 607
/*
 * SETEND is deprecated: starts in software emulation and may be switched to
 * hardware support, subject to setend_set_hw_mode() accepting it on every CPU.
 */
static struct insn_emulation_ops setend_ops = {
	.name = "setend",
	.status = INSN_DEPRECATED,
	.hooks = setend_hooks,
	.set_hw_mode = setend_set_hw_mode,
};
 614
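/*
 * Register the configured instruction emulations, hook the CPU hotplug
 * "starting" state so that CPUs brought online later apply each
 * instruction's current hardware mode, and expose the per-instruction
 * sysctls. Invoked as a core_initcall (see the core_initcall() line below),
 * not as a late_initcall as an older comment here claimed.
 *
 * Always returns 0: a failed hotplug registration is logged but does not
 * prevent the emulations and sysctls from being set up.
 */
static int __init armv8_deprecated_init(void)
{
	int ret;

	if (IS_ENABLED(CONFIG_SWP_EMULATION))
		register_insn_emulation(&swp_ops);

	if (IS_ENABLED(CONFIG_CP15_BARRIER_EMULATION))
		register_insn_emulation(&cp15_barrier_ops);

	if (IS_ENABLED(CONFIG_SETEND_EMULATION)) {
		if (system_supports_mixed_endian_el0())
			register_insn_emulation(&setend_ops);
		else
			pr_info("setend instruction emulation is not supported on this system\n");
	}

	ret = cpuhp_setup_state_nocalls(CPUHP_AP_ARM64_ISNDEP_STARTING,
					"arm64/isndep:starting",
					run_all_insn_set_hw_mode, NULL);
	if (ret < 0)
		pr_warn("failed to register CPU hotplug callback for instruction emulation (%d)\n",
			ret);

	register_insn_emulation_sysctl();

	return 0;
}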
 640
/* Run as a core_initcall, i.e. before the late initcalls. */
core_initcall(armv8_deprecated_init);
 642