1 // SPDX-License-Identifier: GPL-2.0-or-later
2 
3 #include <linux/context_tracking.h>
4 #include <linux/entry-common.h>
5 #include <linux/err.h>
6 #include <linux/compat.h>
7 #include <linux/rseq.h>
8 #include <linux/sched/debug.h> /* for show_regs */
9 
10 #include <asm/kup.h>
11 #include <asm/cputime.h>
12 #include <asm/hw_irq.h>
13 #include <asm/interrupt.h>
14 #include <asm/kprobes.h>
15 #include <asm/paca.h>
16 #include <asm/ptrace.h>
17 #include <asm/reg.h>
18 #include <asm/signal.h>
19 #include <asm/switch_to.h>
20 #include <asm/syscall.h>
21 #include <asm/time.h>
22 #include <asm/tm.h>
23 #include <asm/unistd.h>
24 
#if defined(CONFIG_PPC_ADV_DEBUG_REGS) && defined(CONFIG_PPC32)
/*
 * One slot per CPU (NR_CPUS), presumably holding saved DBCR0 state for the
 * 32-bit advanced-debug-register configuration. Nothing in this file reads
 * or writes it; its users live elsewhere.
 */
unsigned long global_dbcr0[NR_CPUS];
#endif
28 
#ifdef CONFIG_PPC_BOOK3S_64
/*
 * Static key consulted by prep_irq_for_enabled_exit(): when it is enabled,
 * every interrupt exit hard-disables EE/RI even if the exit is restartable.
 * Defined false here; whatever flips it is outside this file.
 */
DEFINE_STATIC_KEY_FALSE(interrupt_exit_not_reentrant);
/* True when the exit path must hard-disable EE/RI regardless of restartability. */
static inline bool exit_must_hard_disable(void)
{
	return static_branch_unlikely(&interrupt_exit_not_reentrant);
}
#else
/* Non-Book3S-64 configurations: the exit path always hard-disables EE/RI. */
static inline bool exit_must_hard_disable(void)
{
	return true;
}
#endif
41 
/*
 * local irqs must be disabled. Returns false if the caller must re-enable
 * them, check for new work, and try again.
 *
 * This should be called with local irqs disabled, but if they were previously
 * enabled when the interrupt handler returns (indicating a process-context /
 * synchronous interrupt) then irqs_enabled should be true.
 * NOTE(review): there is no irqs_enabled parameter in the current signature;
 * the sentence above looks stale relative to the code — confirm.
 *
 * If restartable is true then EE/RI can be left on because interrupts are
 * handled with a restart sequence. A non-restartable exit, or an enabled
 * interrupt_exit_not_reentrant key, forces EE and RI off here instead.
 *
 * On 32-bit there is no pending-interrupt check, so this always returns
 * true. On PPC64 every caller in this file loops (goto again) on a false
 * return after letting the pending interrupt run.
 */
static notrace __always_inline bool prep_irq_for_enabled_exit(bool restartable)
{
	bool must_hard_disable = (exit_must_hard_disable() || !restartable);

	/* This must be done with RI=1 because tracing may touch vmaps */
	trace_hardirqs_on();

	if (must_hard_disable)
		__hard_EE_RI_disable();

#ifdef CONFIG_PPC64
	/* This pattern matches prep_irq_for_idle */
	if (unlikely(lazy_irq_pending_nocheck())) {
		if (must_hard_disable) {
			/*
			 * Back out the hard disable for the retry: record it
			 * in irq_happened and bring RI back up before
			 * returning to the caller.
			 */
			local_paca->irq_happened |= PACA_IRQ_HARD_DIS;
			__hard_RI_enable();
		}
		/* Balance the trace_hardirqs_on() above; irqs are still off. */
		trace_hardirqs_off();

		return false;
	}
#endif
	return true;
}
77 
/*
 * This should be called after a syscall returns, with r3 the return value
 * from the syscall. If this function returns non-zero, the system call
 * exit assembly should additionally load all GPR registers and CTR and XER
 * from the interrupt frame.
 *
 * The function graph tracer can not trace the return side of this function,
 * because RI=0 and soft mask state is "unreconciled", so it is marked notrace.
 *
 * scv is non-zero for an scv-flavoured system call (Book3S-64 only). The sc
 * error convention (negate r3, set CR0[SO]) is applied only when scv is 0;
 * an scv return leaves r3 untouched here.
 *
 * Returns regs->exit_flags. On PPC64 the same value seeds regs->exit_result,
 * which syscall_exit_restart() ORs further flags into if the exit is redone.
 */
notrace unsigned long syscall_exit_prepare(unsigned long r3,
					   struct pt_regs *regs,
					   long scv)
{
	unsigned long ti_flags;
	/* Only Book3S-64 has scv; everywhere else every syscall is "sc". */
	bool is_not_scv = !IS_ENABLED(CONFIG_PPC_BOOK3S_64) || !scv;

	/* User access must still be blocked (KUAP) when the syscall returns. */
	kuap_assert_locked();

	regs->result = r3;
	regs->exit_flags = 0;

	ti_flags = read_thread_flags();

	/*
	 * An r3 within MAX_ERRNO of the top of the range is an errno. For sc,
	 * report it as positive errno in r3 with CR0[SO] set. _TIF_NOERROR
	 * and _TIF_RESTOREALL suppress the translation.
	 */
	if (unlikely(r3 >= (unsigned long)-MAX_ERRNO) && is_not_scv) {
		if (likely(!(ti_flags & (_TIF_NOERROR | _TIF_RESTOREALL)))) {
			r3 = -r3;
			regs->ccr |= 0x10000000; /* Set SO bit in CR */
		}
	}

	if (unlikely(ti_flags & _TIF_PERSYSCALL_MASK)) {
		/*
		 * _TIF_RESTOREALL: have the exit assembly reload every GPR
		 * from the frame, so gpr[3] is deliberately not written here.
		 */
		if (ti_flags & _TIF_RESTOREALL)
			regs->exit_flags = _TIF_RESTOREALL;
		else
			regs->gpr[3] = r3;
		/* Per-syscall flags are one-shot: clear them for the next call. */
		clear_bits(_TIF_PERSYSCALL_MASK, &current_thread_info()->flags);
	} else {
		regs->gpr[3] = r3;
	}

	/*
	 * Traced syscalls also get a full register reload — presumably because
	 * a tracer may have modified registers in the frame; confirm.
	 */
	if (unlikely(ti_flags & _TIF_SYSCALL_DOTRACE)) {
		regs->exit_flags |= _TIF_RESTOREALL;
	}

	/* Common exit-to-user work from the generic entry code (entry-common.h). */
	syscall_exit_to_user_mode(regs);

again:
	user_enter_irqoff();
	/*
	 * A soft-pending interrupt was found: leave user context, let it run
	 * by enabling/disabling irqs, then redo the exit from the top.
	 */
	if (!prep_irq_for_enabled_exit(true)) {
		user_exit_irqoff();
		local_irq_enable();
		local_irq_disable();
		goto again;
	}

	/* Restore user access locks last */
	kuap_user_restore(regs);

#ifdef CONFIG_PPC64
	/* Seed exit_result; syscall_exit_restart() ORs exit_flags into it. */
	regs->exit_result = regs->exit_flags;
#endif

	return regs->exit_flags;
}
142 
#ifdef CONFIG_PPC64
/*
 * Restart entry for the syscall exit sequence (see the comment inside for when
 * it is reached). It redoes only the irq/KUAP part of the exit — not the
 * generic exit-to-user work done in syscall_exit_prepare() — and returns the
 * accumulated regs->exit_result. r3 is not used by this function.
 */
notrace unsigned long syscall_exit_restart(unsigned long r3, struct pt_regs *regs)
{
	/*
	 * This is called when detecting a soft-pending interrupt as well as
	 * an alternate-return interrupt. So we can't just have the alternate
	 * return path clear SRR1[MSR] and set PACA_IRQ_HARD_DIS (unless
	 * the soft-pending case were to fix things up as well). RI might be
	 * disabled, in which case it gets re-enabled by __hard_irq_disable().
	 */
	__hard_irq_disable();
	local_paca->irq_happened |= PACA_IRQ_HARD_DIS;

#ifdef CONFIG_PPC_BOOK3S_64
	/* Re-block user access (KUAP) before redoing the exit; user state is reapplied below. */
	set_kuap(AMR_KUAP_BLOCKED);
#endif

again:
	user_enter_irqoff();
	if (!prep_irq_for_enabled_exit(true)) {
		user_exit_irqoff();
		local_irq_enable();
		local_irq_disable();
		goto again;
	}

	kuap_user_restore(regs);
	/* Accumulate rather than overwrite flags from the interrupted exit. */
	regs->exit_result |= regs->exit_flags;

	return regs->exit_result;
}
#endif
175 
/*
 * Prepare to return from an interrupt to user mode. Leaves with local irqs
 * disabled and returns regs->exit_flags, which on PPC64 is also written to
 * regs->exit_result for interrupt_exit_user_restart(). exit_flags is zeroed
 * here and nothing visible in this function sets bits in it afterwards.
 */
notrace unsigned long interrupt_exit_user_prepare(struct pt_regs *regs)
{
	unsigned long ret;

	/* Returning to user with an unrecoverable frame, or with irqs off, is a bug. */
	BUG_ON(regs_is_unrecoverable(regs));
	BUG_ON(regs_irqs_disabled(regs));

	/*
	 * We don't need to restore AMR on the way back to userspace for KUAP.
	 * AMR can only have been unlocked if we interrupted the kernel.
	 */
	kuap_assert_locked();

	local_irq_disable();
	regs->exit_flags = 0;
again:
	/* Validate the frame being returned to (defined outside this file). */
	check_return_regs_valid(regs);
	user_enter_irqoff();
	if (!prep_irq_for_enabled_exit(true)) {
		/* Something became soft-pending: let it run, then redo the exit. */
		user_exit_irqoff();
		local_irq_enable();
		local_irq_disable();
		goto again;
	}

	/* Restore user access locks last */
	kuap_user_restore(regs);

	ret = regs->exit_flags;

#ifdef CONFIG_PPC64
	/* Seed exit_result; interrupt_exit_user_restart() ORs into it. */
	regs->exit_result = ret;
#endif

	return ret;
}
212 
/*
 * Forward declaration only; nothing in this file calls it at this revision.
 * Presumably kept for callers elsewhere — confirm before removing.
 */
void preempt_schedule_irq(void);

/*
 * Prepare to return from an interrupt to a kernel context.
 *
 * Returns 1 if the interrupted context had _TIF_EMULATE_STACK_STORE set (the
 * flag is cleared here), else 0. What the exit assembly does with that value
 * is not visible in this file.
 *
 * Entered with the KUAP lock held (asserted via kuap_get_and_assert_locked());
 * leaves with local irqs disabled and EE/RI set up by either
 * prep_irq_for_enabled_exit() or __hard_EE_RI_disable().
 */
notrace unsigned long interrupt_exit_kernel_prepare(struct pt_regs *regs)
{
	unsigned long ret = 0;
	unsigned long kuap;
	/* Sampled once up front; the flag itself is cleared near the end. */
	bool stack_store = read_thread_flags() & _TIF_EMULATE_STACK_STORE;

	if (regs_is_unrecoverable(regs))
		unrecoverable_exception(regs);
	/*
	 * CT_WARN_ON comes here via program_check_exception, so avoid
	 * recursion.
	 *
	 * Skip the assertion on PMIs on 64e to work around a problem caused
	 * by NMI PMIs incorrectly taking this interrupt return path, it's
	 * possible for this to hit after interrupt exit to user switches
	 * context to user. See also the comment in the performance monitor
	 * handler in exceptions-64e.S
	 */
	if (!IS_ENABLED(CONFIG_PPC_BOOK3E_64) &&
	    TRAP(regs) != INTERRUPT_PROGRAM &&
	    TRAP(regs) != INTERRUPT_PERFMON)
		CT_WARN_ON(ct_state() == CT_STATE_USER);

	/* Snapshot the KUAP (AMR) state now; see the comment before kuap_kernel_restore(). */
	kuap = kuap_get_and_assert_locked();

	local_irq_disable();

	if (!regs_irqs_disabled(regs)) {
		/* Returning to a kernel context with local irqs enabled. */
		WARN_ON_ONCE(!(regs->msr & MSR_EE));
again:

		check_return_regs_valid(regs);

		/*
		 * Stack store exit can't be restarted because the interrupt
		 * stack frame might have been clobbered.
		 *
		 * NOTE(review): stack_store is passed as the "restartable"
		 * argument, which makes prep_irq_for_enabled_exit() skip the
		 * hard EE/RI disable in exactly the stack-store case (unless
		 * exit_must_hard_disable() is set). That reads inverted
		 * relative to the comment above — confirm the intended
		 * polarity against the exit assembly.
		 */
		if (!prep_irq_for_enabled_exit(unlikely(stack_store))) {
			/*
			 * Replay pending soft-masked interrupts now. Don't
			 * just local_irq_enable(); local_irq_disable(); because
			 * if we are returning from an asynchronous interrupt
			 * here, another one might hit after irqs are enabled,
			 * and it would exit via this same path allowing
			 * another to fire, and so on unbounded.
			 */
			hard_irq_disable();
			replay_soft_interrupts();
			/* Took an interrupt, may have more exit work to do. */
			goto again;
		}
#ifdef CONFIG_PPC64
		/*
		 * An interrupt may clear MSR[EE] and set this concurrently,
		 * but it will be marked pending and the exit will be retried.
		 * This leaves a racy window where MSR[EE]=0 and HARD_DIS is
		 * clear, until interrupt_exit_kernel_restart() calls
		 * hard_irq_disable(), which will set HARD_DIS again.
		 */
		local_paca->irq_happened &= ~PACA_IRQ_HARD_DIS;

	} else {
		/* Returning with irqs soft-disabled: no retry loop is needed. */
		check_return_regs_valid(regs);

		if (unlikely(stack_store))
			__hard_EE_RI_disable();
#else
	/*
	 * 32-bit: the same "} else {" as the PPC64 arm so the if() above
	 * closes in both configurations. No return-regs check here, and
	 * EE/RI are always hard-disabled on the soft-disabled return path.
	 */
	} else {
		__hard_EE_RI_disable();
#endif /* CONFIG_PPC64 */
	}

	if (unlikely(stack_store)) {
		/* One-shot flag: clear it and signal the stack-store case via ret. */
		clear_bits(_TIF_EMULATE_STACK_STORE, &current_thread_info()->flags);
		ret = 1;
	}

#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
	/* Stash the return MSR for the TM exit path; its consumer is elsewhere. */
	local_paca->tm_scratch = regs->msr;
#endif

	/*
	 * 64s does not want to mfspr(SPRN_AMR) here, because this comes after
	 * mtmsr, which would cause Read-After-Write stalls. Hence, take the
	 * AMR value from the check above.
	 */
	kuap_kernel_restore(regs, kuap);

	return ret;
}
306 
#ifdef CONFIG_PPC64
/*
 * Restart entry for the user-return exit sequence. Re-establishes a
 * hard-disabled, KUAP-blocked state, reruns interrupt_exit_user_prepare()
 * and returns the accumulated regs->exit_result.
 */
notrace unsigned long interrupt_exit_user_restart(struct pt_regs *regs)
{
	__hard_irq_disable();
	local_paca->irq_happened |= PACA_IRQ_HARD_DIS;

#ifdef CONFIG_PPC_BOOK3S_64
	/* Block user access again; the prepare step restores it last. */
	set_kuap(AMR_KUAP_BLOCKED);
#endif

	trace_hardirqs_off();
	/* User-entry CPU time accounting; defined outside this file. */
	account_cpu_user_entry();

	/* This restart path is only valid for a return to user mode. */
	BUG_ON(!user_mode(regs));

	/*
	 * NOTE(review): interrupt_exit_user_prepare() itself assigns
	 * regs->exit_result on PPC64, and C leaves the read of the left-hand
	 * operand of |= indeterminately sequenced relative to that call, so
	 * whether bits already in exit_result survive is compiler-dependent.
	 * Compare syscall_exit_restart(), which ORs after the call returns.
	 */
	regs->exit_result |= interrupt_exit_user_prepare(regs);

	return regs->exit_result;
}
326 
/*
 * No real need to return a value here because the stack store case does not
 * get restarted.
 *
 * Restart entry for the kernel-return exit sequence: re-establishes a
 * hard-disabled, KUAP-blocked state and reruns
 * interrupt_exit_kernel_prepare(). Unlike the syscall/user restarts, nothing
 * is accumulated into regs->exit_result.
 */
notrace unsigned long interrupt_exit_kernel_restart(struct pt_regs *regs)
{
	__hard_irq_disable();
	local_paca->irq_happened |= PACA_IRQ_HARD_DIS;

#ifdef CONFIG_PPC_BOOK3S_64
	set_kuap(AMR_KUAP_BLOCKED);
#endif

	/* Only a soft-enabled return context had irqs traced on by the first pass. */
	if (regs->softe == IRQS_ENABLED)
		trace_hardirqs_off();

	/* This restart path is only valid for a return to kernel mode. */
	BUG_ON(user_mode(regs));

	return interrupt_exit_kernel_prepare(regs);
}
#endif
348