1 // SPDX-License-Identifier: GPL-2.0
3 * Clang Control Flow Integrity (CFI) support.
5 * Copyright (C) 2023 Google LLC
11 * Returns the target address and the expected type when regs->epc points
12 * to a compiler-generated CFI trap.
14 static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
/*
 * Index the saved GPRs by RISC-V register number. This relies on
 * struct pt_regs laying out x0..x31 as consecutive unsigned longs,
 * which is what the RV_EXTRACT_*_REG() lookups below assume.
 * NOTE(review): confirm against the arch ptrace.h layout.
 */
17 unsigned long *regs_ptr = (unsigned long *)regs;
24 * The compiler generates the following instruction sequence
25 * for indirect call checks:
29 * addiw t2, t2, <lo12>
31 * ebreak ; <- regs->epc
35 * We can read the expected type and the target address from the
36 * registers passed to the beq/jalr instructions.
/*
 * Every instruction fetch below goes through get_kernel_nofault(): the
 * decode runs from the trap handler and must not fault again if epc
 * sits at an unmapped or unreadable boundary. A fetch failure or an
 * unexpected opcode makes the decode fail (the failure branches are
 * not shown in this excerpt), and the caller then reports the CFI
 * failure without a target address instead of trusting a guess.
 */
38 if (get_kernel_nofault(insn, (void *)regs->epc - 4))
/* The instruction immediately before the ebreak must be the type-check beq. */
40 if (!riscv_insn_is_beq(insn))
/* Expected type is the rs1 operand of that beq (truncated to 32 bits). */
43 *type = (u32)regs_ptr[RV_EXTRACT_RS1_REG(insn)];
/*
 * Fetch the ebreak itself (to learn its encoded length) and then the
 * instruction that follows it, which should be the indirect jump.
 */
45 if (get_kernel_nofault(insn, (void *)regs->epc) ||
46 get_kernel_nofault(insn, (void *)regs->epc + GET_INSN_LENGTH(insn)))
/* Accept either the 32-bit jalr or the compressed c.jalr encoding. */
49 if (riscv_insn_is_jalr(insn))
50 rs1_num = RV_EXTRACT_RS1_REG(insn);
51 else if (riscv_insn_is_c_jalr(insn))
52 rs1_num = RVC_EXTRACT_C2_RS1_REG(insn);
/* The jump's base register holds the address the call was about to reach. */
56 *target = regs_ptr[rs1_num];
62 * Checks if the ebreak trap is because of a CFI failure, and handles the trap
63 * if needed. Returns a bug_trap_type value similarly to report_bug.
65 enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
/*
 * Only ebreaks recorded as CFI traps are ours; any other ebreak is left
 * for the generic trap path by returning BUG_TRAP_TYPE_NONE.
 */
70 if (!is_cfi_trap(regs->epc))
71 return BUG_TRAP_TYPE_NONE;
/*
 * If the instruction sequence around epc cannot be decoded, still report
 * the failure, just without a target address, so the event is never
 * silently dropped.
 */
73 if (!decode_cfi_insn(regs, &target, &type))
74 return report_cfi_failure_noaddr(regs, regs->epc);
/* target is passed by address; type is the 32-bit expected type hash. */
76 return report_cfi_failure(regs, regs->epc, &target, type);