Commit | Line | Data |
---|---|---|
432c6bac PB |
1 | #include <linux/err.h> |
2 | #include <linux/slab.h> | |
3 | ||
1da177e4 | 4 | #include <asm/branch.h> |
1da177e4 | 5 | #include <asm/cacheflush.h> |
1da177e4 | 6 | #include <asm/fpu_emulator.h> |
cd8ee345 RB |
7 | #include <asm/inst.h> |
8 | #include <asm/mipsregs.h> | |
7c0f6ba6 | 9 | #include <linux/uaccess.h> |
1da177e4 | 10 | |
432c6bac PB |
11 | /** |
12 | * struct emuframe - The 'emulation' frame structure | |
13 | * @emul: The instruction to 'emulate'. | |
14 | * @badinst: A break instruction to cause a return to the kernel. | |
1da177e4 | 15 | * |
432c6bac PB |
16 | * This structure defines the frames placed within the delay slot emulation |
17 | * page in response to a call to mips_dsemul(). Each thread may be allocated | |
18 | * only one frame at any given time. The kernel stores within it the | |
19 | * instruction to be 'emulated' followed by a break instruction, then | |
20 | * executes the frame in user mode. The break causes a trap to the kernel | |
21 | * which leads to do_dsemulret() being called unless the instruction in | |
22 | * @emul causes a trap itself, is a branch, or a signal is delivered to | |
23 | * the thread. In these cases the allocated frame will either be reused by | |
24 | * a subsequent delay slot 'emulation', or be freed during signal delivery or | |
25 | * upon thread exit. | |
26 | * | |
27 | * This approach is used because: | |
28 | * | |
29 | * - Actually emulating all instructions isn't feasible. We would need to | |
30 | * be able to handle instructions from all revisions of the MIPS ISA, | |
31 | * all ASEs & all vendor instruction set extensions. This would be a | |
32 | * whole lot of work & continual maintenance burden as new instructions | |
33 | * are introduced, and in the case of some vendor extensions may not | |
34 | * even be possible. Thus we need to take the approach of actually | |
35 | * executing the instruction. | |
36 | * | |
37 | * - We must execute the instruction within user context. If we were to | |
38 | * execute the instruction in kernel mode then it would have access to | |
39 | * kernel resources without very careful checks, leaving us with a | |
40 | * high potential for security or stability issues to arise. | |
41 | * | |
42 | * - We used to place the frame on the users stack, but this requires | |
43 | * that the stack be executable. This is bad for security so the | |
44 | * per-process page is now used instead. | |
45 | * | |
46 | * - The instruction in @emul may be something entirely invalid for a | |
47 | * delay slot. The user may (intentionally or otherwise) place a branch | |
48 | * in a delay slot, or a kernel mode instruction, or something else | |
49 | * which generates an exception. Thus we can't rely upon the break in | |
50 | * @badinst always being hit. For this reason we track the index of the | |
51 | * frame allocated to each thread, allowing us to clean it up at later | |
52 | * points such as signal delivery or thread exit. | |
53 | * | |
54 | * - The user may generate a fake struct emuframe if they wish, invoking | |
55 | * the BRK_MEMU break instruction themselves. We must therefore not | |
56 | * trust that BRK_MEMU means there's actually a valid frame allocated | |
57 | * to the thread, and must not allow the user to do anything they | |
58 | * couldn't already. | |
1da177e4 | 59 | */ |
1da177e4 LT |
60 | struct emuframe { |
61 | mips_instruction emul; | |
62 | mips_instruction badinst; | |
1da177e4 LT |
63 | }; |
64 | ||
432c6bac PB |
65 | static const int emupage_frame_count = PAGE_SIZE / sizeof(struct emuframe); |
66 | ||
67 | static inline __user struct emuframe *dsemul_page(void) | |
68 | { | |
69 | return (__user struct emuframe *)STACK_TOP; | |
70 | } | |
71 | ||
72 | static int alloc_emuframe(void) | |
73 | { | |
74 | mm_context_t *mm_ctx = ¤t->mm->context; | |
75 | int idx; | |
76 | ||
77 | retry: | |
78 | spin_lock(&mm_ctx->bd_emupage_lock); | |
79 | ||
80 | /* Ensure we have an allocation bitmap */ | |
81 | if (!mm_ctx->bd_emupage_allocmap) { | |
82 | mm_ctx->bd_emupage_allocmap = | |
83 | kcalloc(BITS_TO_LONGS(emupage_frame_count), | |
84 | sizeof(unsigned long), | |
85 | GFP_ATOMIC); | |
86 | ||
87 | if (!mm_ctx->bd_emupage_allocmap) { | |
88 | idx = BD_EMUFRAME_NONE; | |
89 | goto out_unlock; | |
90 | } | |
91 | } | |
92 | ||
93 | /* Attempt to allocate a single bit/frame */ | |
94 | idx = bitmap_find_free_region(mm_ctx->bd_emupage_allocmap, | |
95 | emupage_frame_count, 0); | |
96 | if (idx < 0) { | |
97 | /* | |
98 | * Failed to allocate a frame. We'll wait until one becomes | |
99 | * available. We unlock the page so that other threads actually | |
100 | * get the opportunity to free their frames, which means | |
101 | * technically the result of bitmap_full may be incorrect. | |
102 | * However the worst case is that we repeat all this and end up | |
103 | * back here again. | |
104 | */ | |
105 | spin_unlock(&mm_ctx->bd_emupage_lock); | |
106 | if (!wait_event_killable(mm_ctx->bd_emupage_queue, | |
107 | !bitmap_full(mm_ctx->bd_emupage_allocmap, | |
108 | emupage_frame_count))) | |
109 | goto retry; | |
110 | ||
111 | /* Received a fatal signal - just give in */ | |
112 | return BD_EMUFRAME_NONE; | |
113 | } | |
114 | ||
115 | /* Success! */ | |
116 | pr_debug("allocate emuframe %d to %d\n", idx, current->pid); | |
117 | out_unlock: | |
118 | spin_unlock(&mm_ctx->bd_emupage_lock); | |
119 | return idx; | |
120 | } | |
121 | ||
122 | static void free_emuframe(int idx, struct mm_struct *mm) | |
123 | { | |
124 | mm_context_t *mm_ctx = &mm->context; | |
125 | ||
126 | spin_lock(&mm_ctx->bd_emupage_lock); | |
127 | ||
128 | pr_debug("free emuframe %d from %d\n", idx, current->pid); | |
129 | bitmap_clear(mm_ctx->bd_emupage_allocmap, idx, 1); | |
130 | ||
131 | /* If some thread is waiting for a frame, now's its chance */ | |
132 | wake_up(&mm_ctx->bd_emupage_queue); | |
133 | ||
134 | spin_unlock(&mm_ctx->bd_emupage_lock); | |
135 | } | |
136 | ||
137 | static bool within_emuframe(struct pt_regs *regs) | |
138 | { | |
139 | unsigned long base = (unsigned long)dsemul_page(); | |
140 | ||
141 | if (regs->cp0_epc < base) | |
142 | return false; | |
143 | if (regs->cp0_epc >= (base + PAGE_SIZE)) | |
144 | return false; | |
145 | ||
146 | return true; | |
147 | } | |
148 | ||
149 | bool dsemul_thread_cleanup(struct task_struct *tsk) | |
150 | { | |
151 | int fr_idx; | |
152 | ||
153 | /* Clear any allocated frame, retrieving its index */ | |
154 | fr_idx = atomic_xchg(&tsk->thread.bd_emu_frame, BD_EMUFRAME_NONE); | |
155 | ||
156 | /* If no frame was allocated, we're done */ | |
157 | if (fr_idx == BD_EMUFRAME_NONE) | |
158 | return false; | |
159 | ||
160 | task_lock(tsk); | |
161 | ||
162 | /* Free the frame that this thread had allocated */ | |
163 | if (tsk->mm) | |
164 | free_emuframe(fr_idx, tsk->mm); | |
165 | ||
166 | task_unlock(tsk); | |
167 | return true; | |
168 | } | |
169 | ||
170 | bool dsemul_thread_rollback(struct pt_regs *regs) | |
171 | { | |
172 | struct emuframe __user *fr; | |
173 | int fr_idx; | |
174 | ||
175 | /* Do nothing if we're not executing from a frame */ | |
176 | if (!within_emuframe(regs)) | |
177 | return false; | |
178 | ||
179 | /* Find the frame being executed */ | |
180 | fr_idx = atomic_read(¤t->thread.bd_emu_frame); | |
181 | if (fr_idx == BD_EMUFRAME_NONE) | |
182 | return false; | |
183 | fr = &dsemul_page()[fr_idx]; | |
184 | ||
185 | /* | |
186 | * If the PC is at the emul instruction, roll back to the branch. If | |
187 | * PC is at the badinst (break) instruction, we've already emulated the | |
188 | * instruction so progress to the continue PC. If it's anything else | |
189 | * then something is amiss & the user has branched into some other area | |
190 | * of the emupage - we'll free the allocated frame anyway. | |
191 | */ | |
192 | if (msk_isa16_mode(regs->cp0_epc) == (unsigned long)&fr->emul) | |
193 | regs->cp0_epc = current->thread.bd_emu_branch_pc; | |
194 | else if (msk_isa16_mode(regs->cp0_epc) == (unsigned long)&fr->badinst) | |
195 | regs->cp0_epc = current->thread.bd_emu_cont_pc; | |
196 | ||
197 | atomic_set(¤t->thread.bd_emu_frame, BD_EMUFRAME_NONE); | |
198 | free_emuframe(fr_idx, current->mm); | |
199 | return true; | |
200 | } | |
201 | ||
202 | void dsemul_mm_cleanup(struct mm_struct *mm) | |
203 | { | |
204 | mm_context_t *mm_ctx = &mm->context; | |
205 | ||
206 | kfree(mm_ctx->bd_emupage_allocmap); | |
207 | } | |
208 | ||
209 | int mips_dsemul(struct pt_regs *regs, mips_instruction ir, | |
210 | unsigned long branch_pc, unsigned long cont_pc) | |
1da177e4 | 211 | { |
6d7b1415 | 212 | int isa16 = get_isa16_mode(regs->cp0_epc); |
733b8bc1 | 213 | mips_instruction break_math; |
5e0373b8 | 214 | struct emuframe __user *fr; |
432c6bac | 215 | int err, fr_idx; |
1da177e4 | 216 | |
e4553573 | 217 | /* NOP is easy */ |
69a1e6cb | 218 | if (ir == 0) |
e4553573 | 219 | return -1; |
1da177e4 | 220 | |
69a1e6cb | 221 | /* microMIPS instructions */ |
6d7b1415 | 222 | if (isa16) { |
69a1e6cb MR |
223 | union mips_instruction insn = { .word = ir }; |
224 | ||
225 | /* NOP16 aka MOVE16 $0, $0 */ | |
226 | if ((ir >> 16) == MM_NOP16) | |
227 | return -1; | |
228 | ||
229 | /* ADDIUPC */ | |
230 | if (insn.mm_a_format.opcode == mm_addiupc_op) { | |
231 | unsigned int rs; | |
232 | s32 v; | |
233 | ||
036aff91 | 234 | rs = (((insn.mm_a_format.rs + 0xe) & 0xf) + 2); |
69a1e6cb MR |
235 | v = regs->cp0_epc & ~3; |
236 | v += insn.mm_a_format.simmediate << 2; | |
237 | regs->regs[rs] = (long)v; | |
238 | return -1; | |
239 | } | |
240 | } | |
241 | ||
432c6bac | 242 | pr_debug("dsemul 0x%08lx cont at 0x%08lx\n", regs->cp0_epc, cont_pc); |
1da177e4 | 243 | |
432c6bac PB |
244 | /* Allocate a frame if we don't already have one */ |
245 | fr_idx = atomic_read(¤t->thread.bd_emu_frame); | |
246 | if (fr_idx == BD_EMUFRAME_NONE) | |
247 | fr_idx = alloc_emuframe(); | |
248 | if (fr_idx == BD_EMUFRAME_NONE) | |
1da177e4 | 249 | return SIGBUS; |
432c6bac PB |
250 | fr = &dsemul_page()[fr_idx]; |
251 | ||
252 | /* Retrieve the appropriately encoded break instruction */ | |
253 | break_math = BREAK_MATH(isa16); | |
1da177e4 | 254 | |
432c6bac | 255 | /* Write the instructions to the frame */ |
6d7b1415 | 256 | if (isa16) { |
a87265cf MR |
257 | err = __put_user(ir >> 16, |
258 | (u16 __user *)(&fr->emul)); | |
259 | err |= __put_user(ir & 0xffff, | |
260 | (u16 __user *)((long)(&fr->emul) + 2)); | |
733b8bc1 | 261 | err |= __put_user(break_math >> 16, |
a87265cf | 262 | (u16 __user *)(&fr->badinst)); |
733b8bc1 | 263 | err |= __put_user(break_math & 0xffff, |
a87265cf | 264 | (u16 __user *)((long)(&fr->badinst) + 2)); |
102cedc3 LY |
265 | } else { |
266 | err = __put_user(ir, &fr->emul); | |
733b8bc1 | 267 | err |= __put_user(break_math, &fr->badinst); |
102cedc3 LY |
268 | } |
269 | ||
1da177e4 | 270 | if (unlikely(err)) { |
b6ee75ed | 271 | MIPS_FPU_EMU_INC_STATS(errors); |
432c6bac | 272 | free_emuframe(fr_idx, current->mm); |
1da177e4 LT |
273 | return SIGBUS; |
274 | } | |
275 | ||
432c6bac PB |
276 | /* Record the PC of the branch, PC to continue from & frame index */ |
277 | current->thread.bd_emu_branch_pc = branch_pc; | |
278 | current->thread.bd_emu_cont_pc = cont_pc; | |
279 | atomic_set(¤t->thread.bd_emu_frame, fr_idx); | |
280 | ||
281 | /* Change user register context to execute the frame */ | |
6d7b1415 | 282 | regs->cp0_epc = (unsigned long)&fr->emul | isa16; |
1da177e4 | 283 | |
432c6bac | 284 | /* Ensure the icache observes our newly written frame */ |
7737b20b | 285 | flush_cache_sigtramp((unsigned long)&fr->emul); |
1da177e4 | 286 | |
9ab4471c | 287 | return 0; |
1da177e4 LT |
288 | } |
289 | ||
432c6bac | 290 | bool do_dsemulret(struct pt_regs *xcp) |
1da177e4 | 291 | { |
432c6bac PB |
292 | /* Cleanup the allocated frame, returning if there wasn't one */ |
293 | if (!dsemul_thread_cleanup(current)) { | |
b6ee75ed | 294 | MIPS_FPU_EMU_INC_STATS(errors); |
432c6bac | 295 | return false; |
1da177e4 LT |
296 | } |
297 | ||
298 | /* Set EPC to return to post-branch instruction */ | |
432c6bac PB |
299 | xcp->cp0_epc = current->thread.bd_emu_cont_pc; |
300 | pr_debug("dsemulret to 0x%08lx\n", xcp->cp0_epc); | |
116e7111 | 301 | MIPS_FPU_EMU_INC_STATS(ds_emul); |
432c6bac | 302 | return true; |
1da177e4 | 303 | } |