@@ -193,6 +193,7 @@ config ARM64
select HAVE_PERF_USER_STACK_DUMP
select HAVE_PREEMPT_DYNAMIC
select HAVE_REGS_AND_STACK_ACCESS_API
+ select HAVE_STATIC_CALL
select HAVE_FUNCTION_ARG_ACCESS_API
select HAVE_FUTEX_CMPXCHG if FUTEX
select MMU_GATHER_RCU_TABLE_FREE
new file mode 100644
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_STATIC_CALL_H
+#define _ASM_STATIC_CALL_H
+
+/*
+ * The sequence below is laid out in a way that guarantees that the literal and
+ * the instruction are always covered by the same cacheline, and can be updated
+ * using a single store-pair instruction (if we rewrite the BTI C instruction
+ * as well). This means the literal and the instruction are always in sync when
+ * observed via the D-side.
+ *
+ * However, this does not guarantee that the I-side will catch up immediately
+ * as well: until the I-cache maintenance completes, CPUs may branch to the old
+ * target, or execute a stale NOP or RET. We deal with this by writing the
+ * literal unconditionally, even if it is 0x0 or the branch is in range. That
+ * way, a stale NOP will fall through and call the new target via an indirect
+ * call. Stale RETs or Bs will be taken as before, and branch to the old
+ * target until the I-side catches up.
+ */
+#define __ARCH_DEFINE_STATIC_CALL_TRAMP(name, insn) \
+ asm(" .pushsection .static_call.text, \"ax\" \n" \
+ " .align 4 \n" \
+ " .globl " STATIC_CALL_TRAMP_STR(name) " \n" \
+ "0: .quad 0x0 \n" \
+ STATIC_CALL_TRAMP_STR(name) ": \n" \
+ " hint 34 /* BTI C */ \n" \
+ insn " \n" \
+ " ldr x16, 0b \n" \
+ " cbz x16, 1f \n" \
+ " br x16 \n" \
+ "1: ret \n" \
+ " .popsection \n")
+
+#define ARCH_DEFINE_STATIC_CALL_TRAMP(name, func) \
+ __ARCH_DEFINE_STATIC_CALL_TRAMP(name, "b " #func)
+
+#define ARCH_DEFINE_STATIC_CALL_NULL_TRAMP(name) \
+ __ARCH_DEFINE_STATIC_CALL_TRAMP(name, "ret")
+
+#endif /* _ASM_STATIC_CALL_H */
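Review bot: The cacheline guarantee in the block comment rests on `.align 4` meaning 2^4 = 16 bytes here (gas power-of-two alignment on AArch64), which places the 8-byte literal at label 0 and the following bti/insn pair inside one aligned 16-byte unit, but nothing in the macro says so and `.align 4` is easily misread as 4-byte alignment. Suggest making the dependency explicit on that line, `" .align 4 /* 2^4 = 16: literal + bti + insn share one aligned 16-byte unit */ \n"`. The comment also promises an update "using a single store-pair instruction", while the matching arch_static_call_transform in this series writes the 16 bytes through copy_to_kernel_nofault, which the page does not show to be a single STP; if the store may be split, the comment should state that every interleaving of old/new literal and old/new instruction is still safe (stale b/ret branch as before, NOP plus any literal falls through to the indirect call or the cbz ret). Since the trampoline exits via `br x16`, x16 being clobbered is part of its contract and is worth one line in the comment as well.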
@@ -66,7 +66,7 @@ int __kprobes aarch64_insn_read(void *addr, u32 *insnp)
return ret;
}
-static int __kprobes __aarch64_insn_write(void *addr, __le32 insn)
+static int __kprobes __aarch64_insn_write(void *addr, void *insn, int size)
{
void *waddr = addr;
unsigned long flags = 0;
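Review bot: The new signature takes the payload as `void *insn` and the length as `int size`, although the payload is only read and the length is passed straight to copy_to_kernel_nofault, which takes a size_t; a negative `int` would convert to a huge size. Suggest `static int __kprobes __aarch64_insn_write(void *addr, const void *insn, size_t size)` so the types match the callee and the read-only intent is visible to callers. __aarch64_insn_write continues past the end of this hunk.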
@@ -75,7 +75,7 @@ static int __kprobes __aarch64_insn_write(void *addr, __le32 insn)
raw_spin_lock_irqsave(&patch_lock, flags);
waddr = patch_map(addr, FIX_TEXT_POKE0);
- ret = copy_to_kernel_nofault(waddr, &insn, AARCH64_INSN_SIZE);
+ ret = copy_to_kernel_nofault(waddr, insn, size);
patch_unmap(FIX_TEXT_POKE0);
raw_spin_unlock_irqrestore(&patch_lock, flags);
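Review bot: `copy_to_kernel_nofault(waddr, insn, size)` now writes an arbitrary `size` bytes through the single FIX_TEXT_POKE0 mapping that patch_map establishes on the line above, so a caller whose `[addr, addr + size)` straddles a page boundary would write past the mapped page; the only new caller, the 16-byte static-call update, appears to be kept in one page by the trampoline's 16-byte alignment, but the helper itself no longer enforces that. Suggest documenting the precondition at the function, `/* [addr, addr + size) must stay within one page: only one fixmap slot is mapped */`, or rejecting it up front with `if (WARN_ON(offset_in_page(addr) + size > PAGE_SIZE)) return -EINVAL;` before the lock is taken. __aarch64_insn_write starts and ends outside this hunk.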
@@ -85,7 +85,73 @@ static int __kprobes __aarch64_insn_write(void *addr, __le32 insn)
int __kprobes aarch64_insn_write(void *addr, u32 insn)
{
- return __aarch64_insn_write(addr, cpu_to_le32(insn));
+ __le32 i = cpu_to_le32(insn);
+
+ return __aarch64_insn_write(addr, &i, AARCH64_INSN_SIZE);
+}
+
+static void *strip_cfi_jt(void *addr)
+{
+ if (IS_ENABLED(CONFIG_CFI_CLANG)) {
+ /*
+ * Taking the address of a function produces the address of the
+ * jump table entry when Clang CFI is enabled. Such entries are
+ * ordinary jump instructions, so if we spot one of those, we
+ * should decode it and use the address of the target instead.
+ */
+ u32 br = le32_to_cpup(addr);
+
+ if (aarch64_insn_is_b(br))
+ return addr + aarch64_get_branch_offset(br);
+ }
+ return addr;
+}
+
+void arch_static_call_transform(void *site, void *tramp, void *func, bool tail)
+{
+ /*
+ * -0x8 <literal>
+ * 0x0 bti c <--- trampoline entry point
+ * 0x4 <branch or nop>
+ * 0x8 ldr x16, <literal>
+ * 0xc cbz x16, 20
+ * 0x10 br x16
+ * 0x14 ret
+ */
+ struct {
+ u64 literal;
+ __le32 insn[2];
+ } insns;
+ u32 insn;
+ int ret;
+
+ tramp = strip_cfi_jt(tramp);
+
+ insn = aarch64_insn_gen_hint(AARCH64_INSN_HINT_BTIC);
+ insns.literal = (u64)func;
+ insns.insn[0] = cpu_to_le32(insn);
+
+ if (!func) {
+ insn = aarch64_insn_gen_branch_reg(AARCH64_INSN_REG_LR,
+ AARCH64_INSN_BRANCH_RETURN);
+ } else {
+ func = strip_cfi_jt(func);
+
+ insn = aarch64_insn_gen_branch_imm((u64)tramp + 4, (u64)func,
+ AARCH64_INSN_BRANCH_NOLINK);
+
+ /*
+ * Use a NOP if the branch target is out of range, and rely on
+ * the indirect call instead.
+ */
+ if (insn == AARCH64_BREAK_FAULT)
+ insn = aarch64_insn_gen_hint(AARCH64_INSN_HINT_NOP);
+ }
+ insns.insn[1] = cpu_to_le32(insn);
+
+ ret = __aarch64_insn_write(tramp - 8, &insns, sizeof(insns));
+ if (!WARN_ON(ret))
+ caches_clean_inval_pou((u64)tramp - 8, sizeof(insns));
}
int __kprobes aarch64_insn_patch_text_nosync(void *addr, u32 insn)
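Review bot: In arch_static_call_transform the literal is filled from `func` before `strip_cfi_jt(func)` runs, while the direct branch generated a few lines later targets the stripped address, so under CONFIG_CFI_CLANG the indirect path (`ldr x16`/`br x16`) goes through the jump-table entry and the direct path does not; if that asymmetry is intended, a comment such as `/* literal may hold the CFI jump-table entry; only the direct branch needs the real target for its range check */` would keep a later reader from "fixing" it (hedged: the page does not show the reason). `site` and `tail` are never read; since the Kconfig hunk selects HAVE_STATIC_CALL but not HAVE_STATIC_CALL_INLINE, a one-liner `/* site/tail unused: arm64 patches only the trampoline, never the call site */` would document that. When `WARN_ON(ret)` fires, the trampoline may be left partly updated with no cache maintenance issued, and the void interface cannot report this; that failure mode deserves a comment at the WARN_ON as well.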
@@ -161,6 +161,7 @@ SECTIONS
IDMAP_TEXT
HIBERNATE_TEXT
TRAMP_TEXT
+ STATIC_CALL_TEXT
*(.fixup)
*(.gnu.warning)
. = ALIGN(16);