1/*
2 * common.c - C code for kernel entry and exit
3 * Copyright (c) 2015 Andrew Lutomirski
4 * GPL v2
5 *
6 * Based on asm and ptrace code by many authors. The code here originated
7 * in ptrace.c and signal.c.
8 */
9
10#include <linux/kernel.h>
11#include <linux/sched.h>
12#include <linux/sched/task_stack.h>
13#include <linux/mm.h>
14#include <linux/smp.h>
15#include <linux/errno.h>
16#include <linux/ptrace.h>
17#include <linux/tracehook.h>
18#include <linux/audit.h>
19#include <linux/seccomp.h>
20#include <linux/signal.h>
21#include <linux/export.h>
22#include <linux/context_tracking.h>
23#include <linux/user-return-notifier.h>
24#include <linux/nospec.h>
25#include <linux/uprobes.h>
26#include <linux/livepatch.h>
27#include <linux/syscalls.h>
28
29#include <asm/desc.h>
30#include <asm/traps.h>
31#include <asm/vdso.h>
32#include <linux/uaccess.h>
33#include <asm/cpufeature.h>
34
35#define CREATE_TRACE_POINTS
36#include <trace/events/syscalls.h>
37
38#ifdef CONFIG_CONTEXT_TRACKING
39/* Called on entry from user mode with IRQs off. */
40__visible inline void enter_from_user_mode(void)
41{
42 CT_WARN_ON(ct_state() != CONTEXT_USER);
43 user_exit_irqoff();
44}
45#else
46static inline void enter_from_user_mode(void) {}
47#endif
48
49static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch)
50{
51#ifdef CONFIG_X86_64
52 if (arch == AUDIT_ARCH_X86_64) {
53 audit_syscall_entry(regs->orig_ax, regs->di,
54 regs->si, regs->dx, regs->r10);
55 } else
56#endif
57 {
58 audit_syscall_entry(regs->orig_ax, regs->bx,
59 regs->cx, regs->dx, regs->si);
60 }
61}
62
63/*
64 * Returns the syscall nr to run (which should match regs->orig_ax) or -1
65 * to skip the syscall.
66 */
67static long syscall_trace_enter(struct pt_regs *regs)
68{
69 u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
70
71 struct thread_info *ti = current_thread_info();
72 unsigned long ret = 0;
73 bool emulated = false;
74 u32 work;
75
76 if (IS_ENABLED(CONFIG_DEBUG_ENTRY))
77 BUG_ON(regs != task_pt_regs(current));
78
79 work = READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY;
80
81 if (unlikely(work & _TIF_SYSCALL_EMU))
82 emulated = true;
83
84 if ((emulated || (work & _TIF_SYSCALL_TRACE)) &&
85 tracehook_report_syscall_entry(regs))
86 return -1L;
87
88 if (emulated)
89 return -1L;
90
91#ifdef CONFIG_SECCOMP
92 /*
93 * Do seccomp after ptrace, to catch any tracer changes.
94 */
95 if (work & _TIF_SECCOMP) {
96 struct seccomp_data sd;
97
98 sd.arch = arch;
99 sd.nr = regs->orig_ax;
100 sd.instruction_pointer = regs->ip;
101#ifdef CONFIG_X86_64
102 if (arch == AUDIT_ARCH_X86_64) {
103 sd.args[0] = regs->di;
104 sd.args[1] = regs->si;
105 sd.args[2] = regs->dx;
106 sd.args[3] = regs->r10;
107 sd.args[4] = regs->r8;
108 sd.args[5] = regs->r9;
109 } else
110#endif
111 {
112 sd.args[0] = regs->bx;
113 sd.args[1] = regs->cx;
114 sd.args[2] = regs->dx;
115 sd.args[3] = regs->si;
116 sd.args[4] = regs->di;
117 sd.args[5] = regs->bp;
118 }
119
120 ret = __secure_computing(&sd);
121 if (ret == -1)
122 return ret;
123 }
124#endif
125
126 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
127 trace_sys_enter(regs, regs->orig_ax);
128
129 do_audit_syscall_entry(regs, arch);
130
131 return ret ?: regs->orig_ax;
132}
133
134#define EXIT_TO_USERMODE_LOOP_FLAGS \
135 (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \
136 _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY | _TIF_PATCH_PENDING)
137
138static void exit_to_usermode_loop(struct pt_regs *regs, u32 cached_flags)
139{
140 /*
141 * In order to return to user mode, we need to have IRQs off with
142 * none of EXIT_TO_USERMODE_LOOP_FLAGS set. Several of these flags
143 * can be set at any time on preemptible kernels if we have IRQs on,
144 * so we need to loop. Disabling preemption wouldn't help: doing the
145 * work to clear some of the flags can sleep.
146 */
147 while (true) {
148 /* We have work to do. */
149 local_irq_enable();
150
151 if (cached_flags & _TIF_NEED_RESCHED)
152 schedule();
153
154 if (cached_flags & _TIF_UPROBE)
155 uprobe_notify_resume(regs);
156
157 if (cached_flags & _TIF_PATCH_PENDING)
158 klp_update_patch_state(current);
159
160 /* deal with pending signal delivery */
161 if (cached_flags & _TIF_SIGPENDING)
162 do_signal(regs);
163
164 if (cached_flags & _TIF_NOTIFY_RESUME) {
165 clear_thread_flag(TIF_NOTIFY_RESUME);
166 tracehook_notify_resume(regs);
167 rseq_handle_notify_resume(NULL, regs);
168 }
169
170 if (cached_flags & _TIF_USER_RETURN_NOTIFY)
171 fire_user_return_notifiers();
172
173 /* Disable IRQs and retry */
174 local_irq_disable();
175
176 cached_flags = READ_ONCE(current_thread_info()->flags);
177
178 if (!(cached_flags & EXIT_TO_USERMODE_LOOP_FLAGS))
179 break;
180 }
181}
182
183/* Called with IRQs disabled. */
184__visible inline void prepare_exit_to_usermode(struct pt_regs *regs)
185{
186 struct thread_info *ti = current_thread_info();
187 u32 cached_flags;
188
189 addr_limit_user_check();
190
191 lockdep_assert_irqs_disabled();
192 lockdep_sys_exit();
193
194 cached_flags = READ_ONCE(ti->flags);
195
196 if (unlikely(cached_flags & EXIT_TO_USERMODE_LOOP_FLAGS))
197 exit_to_usermode_loop(regs, cached_flags);
198
199#ifdef CONFIG_COMPAT
200 /*
201 * Compat syscalls set TS_COMPAT. Make sure we clear it before
202 * returning to user mode. We need to clear it *after* signal
203 * handling, because syscall restart has a fixup for compat
204 * syscalls. The fixup is exercised by the ptrace_syscall_32
205 * selftest.
206 *
207 * We also need to clear TS_REGS_POKED_I386: the 32-bit tracer
208 * special case only applies after poking regs and before the
209 * very next return to user mode.
210 */
211 ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED);
212#endif
213
214 user_enter_irqoff();
215}
216
217#define SYSCALL_EXIT_WORK_FLAGS \
218 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
219 _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT)
220
221static void syscall_slow_exit_work(struct pt_regs *regs, u32 cached_flags)
222{
223 bool step;
224
225 audit_syscall_exit(regs);
226
227 if (cached_flags & _TIF_SYSCALL_TRACEPOINT)
228 trace_sys_exit(regs, regs->ax);
229
230 /*
231 * If TIF_SYSCALL_EMU is set, we only get here because of
232 * TIF_SINGLESTEP (i.e. this is PTRACE_SYSEMU_SINGLESTEP).
233 * We already reported this syscall instruction in
234 * syscall_trace_enter().
235 */
236 step = unlikely(
237 (cached_flags & (_TIF_SINGLESTEP | _TIF_SYSCALL_EMU))
238 == _TIF_SINGLESTEP);
239 if (step || cached_flags & _TIF_SYSCALL_TRACE)
240 tracehook_report_syscall_exit(regs, step);
241}
242
243/*
244 * Called with IRQs on and fully valid regs. Returns with IRQs off in a
245 * state such that we can immediately switch to user mode.
246 */
247__visible inline void syscall_return_slowpath(struct pt_regs *regs)
248{
249 struct thread_info *ti = current_thread_info();
250 u32 cached_flags = READ_ONCE(ti->flags);
251
252 CT_WARN_ON(ct_state() != CONTEXT_KERNEL);
253
254 if (IS_ENABLED(CONFIG_PROVE_LOCKING) &&
255 WARN(irqs_disabled(), "syscall %ld left IRQs disabled", regs->orig_ax))
256 local_irq_enable();
257
258 rseq_syscall(regs);
259
260 /*
261 * First do one-time work. If these work items are enabled, we
262 * want to run them exactly once per syscall exit with IRQs on.
263 */
264 if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS))
265 syscall_slow_exit_work(regs, cached_flags);
266
267 local_irq_disable();
268 prepare_exit_to_usermode(regs);
269}
270
271#ifdef CONFIG_X86_64
272__visible void do_syscall_64(unsigned long nr, struct pt_regs *regs)
273{
274 struct thread_info *ti;
275
276 enter_from_user_mode();
277 local_irq_enable();
278 ti = current_thread_info();
279 if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY)
280 nr = syscall_trace_enter(regs);
281
282 /*
283 * NB: Native and x32 syscalls are dispatched from the same
284 * table. The only functional difference is the x32 bit in
285 * regs->orig_ax, which changes the behavior of some syscalls.
286 */
287 nr &= __SYSCALL_MASK;
288 if (likely(nr < NR_syscalls)) {
289 nr = array_index_nospec(nr, NR_syscalls);
290 regs->ax = sys_call_table[nr](regs);
291 }
292
293 syscall_return_slowpath(regs);
294}
295#endif
296
297#if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION)
298/*
299 * Does a 32-bit syscall. Called with IRQs on in CONTEXT_KERNEL. Does
300 * all entry and exit work and returns with IRQs off. This function is
301 * extremely hot in workloads that use it, and it's usually called from
302 * do_fast_syscall_32, so forcibly inline it to improve performance.
303 */
304static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs)
305{
306 struct thread_info *ti = current_thread_info();
307 unsigned int nr = (unsigned int)regs->orig_ax;
308
309#ifdef CONFIG_IA32_EMULATION
310 ti->status |= TS_COMPAT;
311#endif
312
313 if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) {
314 /*
315 * Subtlety here: if ptrace pokes something larger than
316 * 2^32-1 into orig_ax, this truncates it. This may or
317 * may not be necessary, but it matches the old asm
318 * behavior.
319 */
320 nr = syscall_trace_enter(regs);
321 }
322
323 if (likely(nr < IA32_NR_syscalls)) {
324 nr = array_index_nospec(nr, IA32_NR_syscalls);
325#ifdef CONFIG_IA32_EMULATION
326 regs->ax = ia32_sys_call_table[nr](regs);
327#else
328 /*
329 * It's possible that a 32-bit syscall implementation
330 * takes a 64-bit parameter but nonetheless assumes that
331 * the high bits are zero. Make sure we zero-extend all
332 * of the args.
333 */
334 regs->ax = ia32_sys_call_table[nr](
335 (unsigned int)regs->bx, (unsigned int)regs->cx,
336 (unsigned int)regs->dx, (unsigned int)regs->si,
337 (unsigned int)regs->di, (unsigned int)regs->bp);
338#endif /* CONFIG_IA32_EMULATION */
339 }
340
341 syscall_return_slowpath(regs);
342}
343
344/* Handles int $0x80 */
345__visible void do_int80_syscall_32(struct pt_regs *regs)
346{
347 enter_from_user_mode();
348 local_irq_enable();
349 do_syscall_32_irqs_on(regs);
350}
351
352/* Returns 0 to return using IRET or 1 to return using SYSEXIT/SYSRETL. */
353__visible long do_fast_syscall_32(struct pt_regs *regs)
354{
355 /*
356 * Called using the internal vDSO SYSENTER/SYSCALL32 calling
357 * convention. Adjust regs so it looks like we entered using int80.
358 */
359
360 unsigned long landing_pad = (unsigned long)current->mm->context.vdso +
361 vdso_image_32.sym_int80_landing_pad;
362
363 /*
364 * SYSENTER loses EIP, and even SYSCALL32 needs us to skip forward
365 * so that 'regs->ip -= 2' lands back on an int $0x80 instruction.
366 * Fix it up.
367 */
368 regs->ip = landing_pad;
369
370 enter_from_user_mode();
371
372 local_irq_enable();
373
374 /* Fetch EBP from where the vDSO stashed it. */
375 if (
376#ifdef CONFIG_X86_64
377 /*
378 * Micro-optimization: the pointer we're following is explicitly
379 * 32 bits, so it can't be out of range.
380 */
381 __get_user(*(u32 *)&regs->bp,
382 (u32 __user __force *)(unsigned long)(u32)regs->sp)
383#else
384 get_user(*(u32 *)&regs->bp,
385 (u32 __user __force *)(unsigned long)(u32)regs->sp)
386#endif
387 ) {
388
389 /* User code screwed up. */
390 local_irq_disable();
391 regs->ax = -EFAULT;
392 prepare_exit_to_usermode(regs);
393 return 0; /* Keep it simple: use IRET. */
394 }
395
396 /* Now this is just like a normal syscall. */
397 do_syscall_32_irqs_on(regs);
398
399#ifdef CONFIG_X86_64
400 /*
401 * Opportunistic SYSRETL: if possible, try to return using SYSRETL.
402 * SYSRETL is available on all 64-bit CPUs, so we don't need to
403 * bother with SYSEXIT.
404 *
405 * Unlike 64-bit opportunistic SYSRET, we can't check that CX == IP,
406 * because the ECX fixup above will ensure that this is essentially
407 * never the case.
408 */
409 return regs->cs == __USER32_CS && regs->ss == __USER_DS &&
410 regs->ip == landing_pad &&
411 (regs->flags & (X86_EFLAGS_RF | X86_EFLAGS_TF)) == 0;
412#else
413 /*
414 * Opportunistic SYSEXIT: if possible, try to return using SYSEXIT.
415 *
416 * Unlike 64-bit opportunistic SYSRET, we can't check that CX == IP,
417 * because the ECX fixup above will ensure that this is essentially
418 * never the case.
419 *
420 * We don't allow syscalls at all from VM86 mode, but we still
421 * need to check VM, because we might be returning from sys_vm86.
422 */
423 return static_cpu_has(X86_FEATURE_SEP) &&
424 regs->cs == __USER_CS && regs->ss == __USER_DS &&
425 regs->ip == landing_pad &&
426 (regs->flags & (X86_EFLAGS_RF | X86_EFLAGS_TF | X86_EFLAGS_VM)) == 0;
427#endif
428}
429#endif
430