1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AArch64 loadable module support. 4 * 5 * Copyright (C) 2012 ARM Limited 6 * 7 * Author: Will Deacon <will.deacon@arm.com> 8 */ 9 10 #define pr_fmt(fmt) "Modules: " fmt 11 12 #include <linux/bitops.h> 13 #include <linux/elf.h> 14 #include <linux/ftrace.h> 15 #include <linux/gfp.h> 16 #include <linux/kasan.h> 17 #include <linux/kernel.h> 18 #include <linux/mm.h> 19 #include <linux/moduleloader.h> 20 #include <linux/random.h> 21 #include <linux/scs.h> 22 #include <linux/vmalloc.h> 23 #include <linux/execmem.h> 24 25 #include <asm/alternative.h> 26 #include <asm/insn.h> 27 #include <asm/scs.h> 28 #include <asm/sections.h> 29 30 static u64 module_direct_base __ro_after_init = 0; 31 static u64 module_plt_base __ro_after_init = 0; 32 33 /* 34 * Choose a random page-aligned base address for a window of 'size' bytes which 35 * entirely contains the interval [start, end - 1]. 36 */ 37 static u64 __init random_bounding_box(u64 size, u64 start, u64 end) 38 { 39 u64 max_pgoff, pgoff; 40 41 if ((end - start) >= size) 42 return 0; 43 44 max_pgoff = (size - (end - start)) / PAGE_SIZE; 45 pgoff = get_random_u32_inclusive(0, max_pgoff); 46 47 return start - pgoff * PAGE_SIZE; 48 } 49 50 /* 51 * Modules may directly reference data and text anywhere within the kernel 52 * image and other modules. References using PREL32 relocations have a +/-2G 53 * range, and so we need to ensure that the entire kernel image and all modules 54 * fall within a 2G window such that these are always within range. 55 * 56 * Modules may directly branch to functions and code within the kernel text, 57 * and to functions and code within other modules. These branches will use 58 * CALL26/JUMP26 relocations with a +/-128M range. Without PLTs, we must ensure 59 * that the entire kernel text and all module text falls within a 128M window 60 * such that these are always within range. With PLTs, we can expand this to a 61 * 2G window. 62 * 63 * We chose the 128M region to surround the entire kernel image (rather than 64 * just the text) as using the same bounds for the 128M and 2G regions ensures 65 * by construction that we never select a 128M region that is not a subset of 66 * the 2G region. For very large and unusual kernel configurations this means 67 * we may fall back to PLTs where they could have been avoided, but this keeps 68 * the logic significantly simpler. 69 */ 70 static int __init module_init_limits(void) 71 { 72 u64 kernel_end = (u64)_end; 73 u64 kernel_start = (u64)_text; 74 u64 kernel_size = kernel_end - kernel_start; 75 76 /* 77 * The default modules region is placed immediately below the kernel 78 * image, and is large enough to use the full 2G relocation range. 79 */ 80 BUILD_BUG_ON(KIMAGE_VADDR != MODULES_END); 81 BUILD_BUG_ON(MODULES_VSIZE < SZ_2G); 82 83 if (!kaslr_enabled()) { 84 if (kernel_size < SZ_128M) 85 module_direct_base = kernel_end - SZ_128M; 86 if (kernel_size < SZ_2G) 87 module_plt_base = kernel_end - SZ_2G; 88 } else { 89 u64 min = kernel_start; 90 u64 max = kernel_end; 91 92 if (IS_ENABLED(CONFIG_RANDOMIZE_MODULE_REGION_FULL)) { 93 pr_info("2G module region forced by RANDOMIZE_MODULE_REGION_FULL\n"); 94 } else { 95 module_direct_base = random_bounding_box(SZ_128M, min, max); 96 if (module_direct_base) { 97 min = module_direct_base; 98 max = module_direct_base + SZ_128M; 99 } 100 } 101 102 module_plt_base = random_bounding_box(SZ_2G, min, max); 103 } 104 105 pr_info("%llu pages in range for non-PLT usage", 106 module_direct_base ? (SZ_128M - kernel_size) / PAGE_SIZE : 0); 107 pr_info("%llu pages in range for PLT usage", 108 module_plt_base ? (SZ_2G - kernel_size) / PAGE_SIZE : 0); 109 110 return 0; 111 } 112 113 static struct execmem_info execmem_info __ro_after_init; 114 115 struct execmem_info __init *execmem_arch_setup(void) 116 { 117 unsigned long fallback_start = 0, fallback_end = 0; 118 unsigned long start = 0, end = 0; 119 120 module_init_limits(); 121 122 /* 123 * Where possible, prefer to allocate within direct branch range of the 124 * kernel such that no PLTs are necessary. 125 */ 126 if (module_direct_base) { 127 start = module_direct_base; 128 end = module_direct_base + SZ_128M; 129 130 if (module_plt_base) { 131 fallback_start = module_plt_base; 132 fallback_end = module_plt_base + SZ_2G; 133 } 134 } else if (module_plt_base) { 135 start = module_plt_base; 136 end = module_plt_base + SZ_2G; 137 } 138 139 execmem_info = (struct execmem_info){ 140 .ranges = { 141 [EXECMEM_DEFAULT] = { 142 .start = start, 143 .end = end, 144 .pgprot = PAGE_KERNEL, 145 .alignment = 1, 146 .fallback_start = fallback_start, 147 .fallback_end = fallback_end, 148 }, 149 }, 150 }; 151 152 return &execmem_info; 153 } 154 155 enum aarch64_reloc_op { 156 RELOC_OP_NONE, 157 RELOC_OP_ABS, 158 RELOC_OP_PREL, 159 RELOC_OP_PAGE, 160 }; 161 162 static u64 do_reloc(enum aarch64_reloc_op reloc_op, __le32 *place, u64 val) 163 { 164 switch (reloc_op) { 165 case RELOC_OP_ABS: 166 return val; 167 case RELOC_OP_PREL: 168 return val - (u64)place; 169 case RELOC_OP_PAGE: 170 return (val & ~0xfff) - ((u64)place & ~0xfff); 171 case RELOC_OP_NONE: 172 return 0; 173 } 174 175 pr_err("do_reloc: unknown relocation operation %d\n", reloc_op); 176 return 0; 177 } 178 179 static int reloc_data(enum aarch64_reloc_op op, void *place, u64 val, int len) 180 { 181 s64 sval = do_reloc(op, place, val); 182 183 /* 184 * The ELF psABI for AArch64 documents the 16-bit and 32-bit place 185 * relative and absolute relocations as having a range of [-2^15, 2^16) 186 * or [-2^31, 2^32), respectively. However, in order to be able to 187 * detect overflows reliably, we have to choose whether we interpret 188 * such quantities as signed or as unsigned, and stick with it. 189 * The way we organize our address space requires a signed 190 * interpretation of 32-bit relative references, so let's use that 191 * for all R_AARCH64_PRELxx relocations. This means our upper 192 * bound for overflow detection should be Sxx_MAX rather than Uxx_MAX. 193 */ 194 195 switch (len) { 196 case 16: 197 *(s16 *)place = sval; 198 switch (op) { 199 case RELOC_OP_ABS: 200 if (sval < 0 || sval > U16_MAX) 201 return -ERANGE; 202 break; 203 case RELOC_OP_PREL: 204 if (sval < S16_MIN || sval > S16_MAX) 205 return -ERANGE; 206 break; 207 default: 208 pr_err("Invalid 16-bit data relocation (%d)\n", op); 209 return 0; 210 } 211 break; 212 case 32: 213 *(s32 *)place = sval; 214 switch (op) { 215 case RELOC_OP_ABS: 216 if (sval < 0 || sval > U32_MAX) 217 return -ERANGE; 218 break; 219 case RELOC_OP_PREL: 220 if (sval < S32_MIN || sval > S32_MAX) 221 return -ERANGE; 222 break; 223 default: 224 pr_err("Invalid 32-bit data relocation (%d)\n", op); 225 return 0; 226 } 227 break; 228 case 64: 229 *(s64 *)place = sval; 230 break; 231 default: 232 pr_err("Invalid length (%d) for data relocation\n", len); 233 return 0; 234 } 235 return 0; 236 } 237 238 enum aarch64_insn_movw_imm_type { 239 AARCH64_INSN_IMM_MOVNZ, 240 AARCH64_INSN_IMM_MOVKZ, 241 }; 242 243 static int reloc_insn_movw(enum aarch64_reloc_op op, __le32 *place, u64 val, 244 int lsb, enum aarch64_insn_movw_imm_type imm_type) 245 { 246 u64 imm; 247 s64 sval; 248 u32 insn = le32_to_cpu(*place); 249 250 sval = do_reloc(op, place, val); 251 imm = sval >> lsb; 252 253 if (imm_type == AARCH64_INSN_IMM_MOVNZ) { 254 /* 255 * For signed MOVW relocations, we have to manipulate the 256 * instruction encoding depending on whether or not the 257 * immediate is less than zero. 258 */ 259 insn &= ~(3 << 29); 260 if (sval >= 0) { 261 /* >=0: Set the instruction to MOVZ (opcode 10b). */ 262 insn |= 2 << 29; 263 } else { 264 /* 265 * <0: Set the instruction to MOVN (opcode 00b). 266 * Since we've masked the opcode already, we 267 * don't need to do anything other than 268 * inverting the new immediate field. 269 */ 270 imm = ~imm; 271 } 272 } 273 274 /* Update the instruction with the new encoding. */ 275 insn = aarch64_insn_encode_immediate(AARCH64_INSN_IMM_16, insn, imm); 276 *place = cpu_to_le32(insn); 277 278 if (imm > U16_MAX) 279 return -ERANGE; 280 281 return 0; 282 } 283 284 static int reloc_insn_imm(enum aarch64_reloc_op op, __le32 *place, u64 val, 285 int lsb, int len, enum aarch64_insn_imm_type imm_type) 286 { 287 u64 imm, imm_mask; 288 s64 sval; 289 u32 insn = le32_to_cpu(*place); 290 291 /* Calculate the relocation value. */ 292 sval = do_reloc(op, place, val); 293 sval >>= lsb; 294 295 /* Extract the value bits and shift them to bit 0. */ 296 imm_mask = (BIT(lsb + len) - 1) >> lsb; 297 imm = sval & imm_mask; 298 299 /* Update the instruction's immediate field. */ 300 insn = aarch64_insn_encode_immediate(imm_type, insn, imm); 301 *place = cpu_to_le32(insn); 302 303 /* 304 * Extract the upper value bits (including the sign bit) and 305 * shift them to bit 0. 306 */ 307 sval = (s64)(sval & ~(imm_mask >> 1)) >> (len - 1); 308 309 /* 310 * Overflow has occurred if the upper bits are not all equal to 311 * the sign bit of the value. 312 */ 313 if ((u64)(sval + 1) >= 2) 314 return -ERANGE; 315 316 return 0; 317 } 318 319 static int reloc_insn_adrp(struct module *mod, Elf64_Shdr *sechdrs, 320 __le32 *place, u64 val) 321 { 322 u32 insn; 323 324 if (!is_forbidden_offset_for_adrp(place)) 325 return reloc_insn_imm(RELOC_OP_PAGE, place, val, 12, 21, 326 AARCH64_INSN_IMM_ADR); 327 328 /* patch ADRP to ADR if it is in range */ 329 if (!reloc_insn_imm(RELOC_OP_PREL, place, val & ~0xfff, 0, 21, 330 AARCH64_INSN_IMM_ADR)) { 331 insn = le32_to_cpu(*place); 332 insn &= ~BIT(31); 333 } else { 334 /* out of range for ADR -> emit a veneer */ 335 val = module_emit_veneer_for_adrp(mod, sechdrs, place, val & ~0xfff); 336 if (!val) 337 return -ENOEXEC; 338 insn = aarch64_insn_gen_branch_imm((u64)place, val, 339 AARCH64_INSN_BRANCH_NOLINK); 340 } 341 342 *place = cpu_to_le32(insn); 343 return 0; 344 } 345 346 int apply_relocate_add(Elf64_Shdr *sechdrs, 347 const char *strtab, 348 unsigned int symindex, 349 unsigned int relsec, 350 struct module *me) 351 { 352 unsigned int i; 353 int ovf; 354 bool overflow_check; 355 Elf64_Sym *sym; 356 void *loc; 357 u64 val; 358 Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr; 359 360 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) { 361 /* loc corresponds to P in the AArch64 ELF document. */ 362 loc = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr 363 + rel[i].r_offset; 364 365 /* sym is the ELF symbol we're referring to. */ 366 sym = (Elf64_Sym *)sechdrs[symindex].sh_addr 367 + ELF64_R_SYM(rel[i].r_info); 368 369 /* val corresponds to (S + A) in the AArch64 ELF document. */ 370 val = sym->st_value + rel[i].r_addend; 371 372 /* Check for overflow by default. */ 373 overflow_check = true; 374 375 /* Perform the static relocation. */ 376 switch (ELF64_R_TYPE(rel[i].r_info)) { 377 /* Null relocations. */ 378 case R_ARM_NONE: 379 case R_AARCH64_NONE: 380 ovf = 0; 381 break; 382 383 /* Data relocations. */ 384 case R_AARCH64_ABS64: 385 overflow_check = false; 386 ovf = reloc_data(RELOC_OP_ABS, loc, val, 64); 387 break; 388 case R_AARCH64_ABS32: 389 ovf = reloc_data(RELOC_OP_ABS, loc, val, 32); 390 break; 391 case R_AARCH64_ABS16: 392 ovf = reloc_data(RELOC_OP_ABS, loc, val, 16); 393 break; 394 case R_AARCH64_PREL64: 395 overflow_check = false; 396 ovf = reloc_data(RELOC_OP_PREL, loc, val, 64); 397 break; 398 case R_AARCH64_PREL32: 399 ovf = reloc_data(RELOC_OP_PREL, loc, val, 32); 400 break; 401 case R_AARCH64_PREL16: 402 ovf = reloc_data(RELOC_OP_PREL, loc, val, 16); 403 break; 404 405 /* MOVW instruction relocations. */ 406 case R_AARCH64_MOVW_UABS_G0_NC: 407 overflow_check = false; 408 fallthrough; 409 case R_AARCH64_MOVW_UABS_G0: 410 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 0, 411 AARCH64_INSN_IMM_MOVKZ); 412 break; 413 case R_AARCH64_MOVW_UABS_G1_NC: 414 overflow_check = false; 415 fallthrough; 416 case R_AARCH64_MOVW_UABS_G1: 417 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 16, 418 AARCH64_INSN_IMM_MOVKZ); 419 break; 420 case R_AARCH64_MOVW_UABS_G2_NC: 421 overflow_check = false; 422 fallthrough; 423 case R_AARCH64_MOVW_UABS_G2: 424 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 32, 425 AARCH64_INSN_IMM_MOVKZ); 426 break; 427 case R_AARCH64_MOVW_UABS_G3: 428 /* We're using the top bits so we can't overflow. */ 429 overflow_check = false; 430 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 48, 431 AARCH64_INSN_IMM_MOVKZ); 432 break; 433 case R_AARCH64_MOVW_SABS_G0: 434 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 0, 435 AARCH64_INSN_IMM_MOVNZ); 436 break; 437 case R_AARCH64_MOVW_SABS_G1: 438 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 16, 439 AARCH64_INSN_IMM_MOVNZ); 440 break; 441 case R_AARCH64_MOVW_SABS_G2: 442 ovf = reloc_insn_movw(RELOC_OP_ABS, loc, val, 32, 443 AARCH64_INSN_IMM_MOVNZ); 444 break; 445 case R_AARCH64_MOVW_PREL_G0_NC: 446 overflow_check = false; 447 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 0, 448 AARCH64_INSN_IMM_MOVKZ); 449 break; 450 case R_AARCH64_MOVW_PREL_G0: 451 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 0, 452 AARCH64_INSN_IMM_MOVNZ); 453 break; 454 case R_AARCH64_MOVW_PREL_G1_NC: 455 overflow_check = false; 456 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 16, 457 AARCH64_INSN_IMM_MOVKZ); 458 break; 459 case R_AARCH64_MOVW_PREL_G1: 460 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 16, 461 AARCH64_INSN_IMM_MOVNZ); 462 break; 463 case R_AARCH64_MOVW_PREL_G2_NC: 464 overflow_check = false; 465 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 32, 466 AARCH64_INSN_IMM_MOVKZ); 467 break; 468 case R_AARCH64_MOVW_PREL_G2: 469 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 32, 470 AARCH64_INSN_IMM_MOVNZ); 471 break; 472 case R_AARCH64_MOVW_PREL_G3: 473 /* We're using the top bits so we can't overflow. */ 474 overflow_check = false; 475 ovf = reloc_insn_movw(RELOC_OP_PREL, loc, val, 48, 476 AARCH64_INSN_IMM_MOVNZ); 477 break; 478 479 /* Immediate instruction relocations. */ 480 case R_AARCH64_LD_PREL_LO19: 481 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2, 19, 482 AARCH64_INSN_IMM_19); 483 break; 484 case R_AARCH64_ADR_PREL_LO21: 485 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 0, 21, 486 AARCH64_INSN_IMM_ADR); 487 break; 488 case R_AARCH64_ADR_PREL_PG_HI21_NC: 489 overflow_check = false; 490 fallthrough; 491 case R_AARCH64_ADR_PREL_PG_HI21: 492 ovf = reloc_insn_adrp(me, sechdrs, loc, val); 493 if (ovf && ovf != -ERANGE) 494 return ovf; 495 break; 496 case R_AARCH64_ADD_ABS_LO12_NC: 497 case R_AARCH64_LDST8_ABS_LO12_NC: 498 overflow_check = false; 499 ovf = reloc_insn_imm(RELOC_OP_ABS, loc, val, 0, 12, 500 AARCH64_INSN_IMM_12); 501 break; 502 case R_AARCH64_LDST16_ABS_LO12_NC: 503 overflow_check = false; 504 ovf = reloc_insn_imm(RELOC_OP_ABS, loc, val, 1, 11, 505 AARCH64_INSN_IMM_12); 506 break; 507 case R_AARCH64_LDST32_ABS_LO12_NC: 508 overflow_check = false; 509 ovf = reloc_insn_imm(RELOC_OP_ABS, loc, val, 2, 10, 510 AARCH64_INSN_IMM_12); 511 break; 512 case R_AARCH64_LDST64_ABS_LO12_NC: 513 overflow_check = false; 514 ovf = reloc_insn_imm(RELOC_OP_ABS, loc, val, 3, 9, 515 AARCH64_INSN_IMM_12); 516 break; 517 case R_AARCH64_LDST128_ABS_LO12_NC: 518 overflow_check = false; 519 ovf = reloc_insn_imm(RELOC_OP_ABS, loc, val, 4, 8, 520 AARCH64_INSN_IMM_12); 521 break; 522 case R_AARCH64_TSTBR14: 523 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2, 14, 524 AARCH64_INSN_IMM_14); 525 break; 526 case R_AARCH64_CONDBR19: 527 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2, 19, 528 AARCH64_INSN_IMM_19); 529 break; 530 case R_AARCH64_JUMP26: 531 case R_AARCH64_CALL26: 532 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2, 26, 533 AARCH64_INSN_IMM_26); 534 if (ovf == -ERANGE) { 535 val = module_emit_plt_entry(me, sechdrs, loc, &rel[i], sym); 536 if (!val) 537 return -ENOEXEC; 538 ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2, 539 26, AARCH64_INSN_IMM_26); 540 } 541 break; 542 543 default: 544 pr_err("module %s: unsupported RELA relocation: %llu\n", 545 me->name, ELF64_R_TYPE(rel[i].r_info)); 546 return -ENOEXEC; 547 } 548 549 if (overflow_check && ovf == -ERANGE) 550 goto overflow; 551 552 } 553 554 return 0; 555 556 overflow: 557 pr_err("module %s: overflow in relocation type %d val %Lx\n", 558 me->name, (int)ELF64_R_TYPE(rel[i].r_info), val); 559 return -ENOEXEC; 560 } 561 562 static inline void __init_plt(struct plt_entry *plt, unsigned long addr) 563 { 564 *plt = get_plt_entry(addr, plt); 565 } 566 567 static int module_init_ftrace_plt(const Elf_Ehdr *hdr, 568 const Elf_Shdr *sechdrs, 569 struct module *mod) 570 { 571 #if defined(CONFIG_DYNAMIC_FTRACE) 572 const Elf_Shdr *s; 573 struct plt_entry *plts; 574 575 s = find_section(hdr, sechdrs, ".text.ftrace_trampoline"); 576 if (!s) 577 return -ENOEXEC; 578 579 plts = (void *)s->sh_addr; 580 581 __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR); 582 583 mod->arch.ftrace_trampolines = plts; 584 #endif 585 return 0; 586 } 587 588 int module_finalize(const Elf_Ehdr *hdr, 589 const Elf_Shdr *sechdrs, 590 struct module *me) 591 { 592 const Elf_Shdr *s; 593 s = find_section(hdr, sechdrs, ".altinstructions"); 594 if (s) 595 apply_alternatives_module((void *)s->sh_addr, s->sh_size); 596 597 if (scs_is_dynamic()) { 598 s = find_section(hdr, sechdrs, ".init.eh_frame"); 599 if (s) 600 __pi_scs_patch((void *)s->sh_addr, s->sh_size); 601 } 602 603 return module_init_ftrace_plt(hdr, sechdrs, me); 604 } 605