Revert "x86/module: prepare module loading for ROX allocations of text"

	os_check_bugs();

}

void apply_seal_endbr(s32 *start, s32 *end, struct module *mod)

void apply_seal_endbr(s32 *start, s32 *end)

{

}

void apply_retpolines(s32 *start, s32 *end, struct module *mod)

void apply_retpolines(s32 *start, s32 *end)

{

}

void apply_returns(s32 *start, s32 *end, struct module *mod)

void apply_returns(s32 *start, s32 *end)

{

}

void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,

		   s32 *start_cfi, s32 *end_cfi, struct module *mod)

		   s32 *start_cfi, s32 *end_cfi)

{

}

void apply_alternatives(struct alt_instr *start, struct alt_instr *end,

			struct module *mod)

void apply_alternatives(struct alt_instr *start, struct alt_instr *end)

{

}

	apply_alternatives((struct alt_instr *)(image->data + image->alt),

			   (struct alt_instr *)(image->data + image->alt +

						image->alt_len),

			   NULL);

						image->alt_len));

	return 0;

}

 * instructions were patched in already:

 */

extern int alternatives_patched;

struct module;

extern void alternative_instructions(void);

extern void apply_alternatives(struct alt_instr *start, struct alt_instr *end,

			       struct module *mod);

extern void apply_retpolines(s32 *start, s32 *end, struct module *mod);

extern void apply_returns(s32 *start, s32 *end, struct module *mod);

extern void apply_seal_endbr(s32 *start, s32 *end, struct module *mod);

extern void apply_alternatives(struct alt_instr *start, struct alt_instr *end);

extern void apply_retpolines(s32 *start, s32 *end);

extern void apply_returns(s32 *start, s32 *end);

extern void apply_seal_endbr(s32 *start, s32 *end);

extern void apply_fineibt(s32 *start_retpoline, s32 *end_retpoine,

			  s32 *start_cfi, s32 *end_cfi, struct module *mod);

			  s32 *start_cfi, s32 *end_cfi);

struct module;

struct callthunk_sites {

	s32				*call_start, *call_end;

 * Rewrite the "call BUG_func" replacement to point to the target of the

 * indirect pv_ops call "call *disp(%ip)".

 */

static int alt_replace_call(u8 *instr, u8 *insn_buff, struct alt_instr *a,

			    struct module *mod)

static int alt_replace_call(u8 *instr, u8 *insn_buff, struct alt_instr *a)

{

	u8 *wr_instr = module_writable_address(mod, instr);

	void *target, *bug = &BUG_func;

	s32 disp;

	}

	if (a->instrlen != 6 ||

	    wr_instr[0] != CALL_RIP_REL_OPCODE ||

	    wr_instr[1] != CALL_RIP_REL_MODRM) {

	    instr[0] != CALL_RIP_REL_OPCODE ||

	    instr[1] != CALL_RIP_REL_MODRM) {

		pr_err("ALT_FLAG_DIRECT_CALL set for unrecognized indirect call\n");

		BUG();

	}

	/* Skip CALL_RIP_REL_OPCODE and CALL_RIP_REL_MODRM */

	disp = *(s32 *)(wr_instr + 2);

	disp = *(s32 *)(instr + 2);

#ifdef CONFIG_X86_64

	/* ff 15 00 00 00 00   call   *0x0(%rip) */

	/* target address is stored at "next instruction + disp". */

 * to refetch changed I$ lines.

 */

void __init_or_module noinline apply_alternatives(struct alt_instr *start,

						  struct alt_instr *end,

						  struct module *mod)

						  struct alt_instr *end)

{

	u8 insn_buff[MAX_PATCH_LEN];

	u8 *instr, *replacement;

	 */

	for (a = start; a < end; a++) {

		int insn_buff_sz = 0;

		u8 *wr_instr, *wr_replacement;

		/*

		 * In case of nested ALTERNATIVE()s the outer alternative might

		}

		instr = instr_va(a);

		wr_instr = module_writable_address(mod, instr);

		replacement = (u8 *)&a->repl_offset + a->repl_offset;

		wr_replacement = module_writable_address(mod, replacement);

		BUG_ON(a->instrlen > sizeof(insn_buff));

		BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);

		 *   patch if feature is *NOT* present.

		 */

		if (!boot_cpu_has(a->cpuid) == !(a->flags & ALT_FLAG_NOT)) {

			memcpy(insn_buff, wr_instr, a->instrlen);

			memcpy(insn_buff, instr, a->instrlen);

			optimize_nops(instr, insn_buff, a->instrlen);

			text_poke_early(wr_instr, insn_buff, a->instrlen);

			text_poke_early(instr, insn_buff, a->instrlen);

			continue;

		}

			instr, instr, a->instrlen,

			replacement, a->replacementlen, a->flags);

		memcpy(insn_buff, wr_replacement, a->replacementlen);

		memcpy(insn_buff, replacement, a->replacementlen);

		insn_buff_sz = a->replacementlen;

		if (a->flags & ALT_FLAG_DIRECT_CALL) {

			insn_buff_sz = alt_replace_call(instr, insn_buff, a,

							mod);

			insn_buff_sz = alt_replace_call(instr, insn_buff, a);

			if (insn_buff_sz < 0)

				continue;

		}

		apply_relocation(insn_buff, instr, a->instrlen, replacement, a->replacementlen);

		DUMP_BYTES(ALT, wr_instr, a->instrlen, "%px:   old_insn: ", instr);

		DUMP_BYTES(ALT, instr, a->instrlen, "%px:   old_insn: ", instr);

		DUMP_BYTES(ALT, replacement, a->replacementlen, "%px:   rpl_insn: ", replacement);

		DUMP_BYTES(ALT, insn_buff, insn_buff_sz, "%px: final_insn: ", instr);

		text_poke_early(wr_instr, insn_buff, insn_buff_sz);

		text_poke_early(instr, insn_buff, insn_buff_sz);

	}

	kasan_enable_current();

/*

 * Generated by 'objtool --retpoline'.

 */

void __init_or_module noinline apply_retpolines(s32 *start, s32 *end,

						struct module *mod)

void __init_or_module noinline apply_retpolines(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		struct insn insn;

		int len, ret;

		u8 bytes[16];

		u8 op1, op2;

		ret = insn_decode_kernel(&insn, wr_addr);

		ret = insn_decode_kernel(&insn, addr);

		if (WARN_ON_ONCE(ret < 0))

			continue;

		len = patch_retpoline(addr, &insn, bytes);

		if (len == insn.length) {

			optimize_nops(addr, bytes, len);

			DUMP_BYTES(RETPOLINE, ((u8*)wr_addr),  len, "%px: orig: ", addr);

			DUMP_BYTES(RETPOLINE, ((u8*)addr),  len, "%px: orig: ", addr);

			DUMP_BYTES(RETPOLINE, ((u8*)bytes), len, "%px: repl: ", addr);

			text_poke_early(wr_addr, bytes, len);

			text_poke_early(addr, bytes, len);

		}

	}

}

	return i;

}

void __init_or_module noinline apply_returns(s32 *start, s32 *end,

					     struct module *mod)

void __init_or_module noinline apply_returns(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *dest = NULL, *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		struct insn insn;

		int len, ret;

		u8 bytes[16];

		u8 op;

		ret = insn_decode_kernel(&insn, wr_addr);

		ret = insn_decode_kernel(&insn, addr);

		if (WARN_ON_ONCE(ret < 0))

			continue;

		len = patch_return(addr, &insn, bytes);

		if (len == insn.length) {

			DUMP_BYTES(RET, ((u8*)wr_addr),  len, "%px: orig: ", addr);

			DUMP_BYTES(RET, ((u8*)addr),  len, "%px: orig: ", addr);

			DUMP_BYTES(RET, ((u8*)bytes), len, "%px: repl: ", addr);

			text_poke_early(wr_addr, bytes, len);

			text_poke_early(addr, bytes, len);

		}

	}

}

#else

void __init_or_module noinline apply_returns(s32 *start, s32 *end,

					     struct module *mod) { }

void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }

#endif /* CONFIG_MITIGATION_RETHUNK */

#else /* !CONFIG_MITIGATION_RETPOLINE || !CONFIG_OBJTOOL */

void __init_or_module noinline apply_retpolines(s32 *start, s32 *end,

						struct module *mod) { }

void __init_or_module noinline apply_returns(s32 *start, s32 *end,

					     struct module *mod) { }

void __init_or_module noinline apply_retpolines(s32 *start, s32 *end) { }

void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }

#endif /* CONFIG_MITIGATION_RETPOLINE && CONFIG_OBJTOOL */

#ifdef CONFIG_X86_KERNEL_IBT

static void poison_cfi(void *addr, void *wr_addr);

static void poison_cfi(void *addr);

static void __init_or_module poison_endbr(void *addr, void *wr_addr, bool warn)

static void __init_or_module poison_endbr(void *addr, bool warn)

{

	u32 endbr, poison = gen_endbr_poison();

	if (WARN_ON_ONCE(get_kernel_nofault(endbr, wr_addr)))

	if (WARN_ON_ONCE(get_kernel_nofault(endbr, addr)))

		return;

	if (!is_endbr(endbr)) {

	 */

	DUMP_BYTES(ENDBR, ((u8*)addr), 4, "%px: orig: ", addr);

	DUMP_BYTES(ENDBR, ((u8*)&poison), 4, "%px: repl: ", addr);

	text_poke_early(wr_addr, &poison, 4);

	text_poke_early(addr, &poison, 4);

}

/*

 * Seal the functions for indirect calls by clobbering the ENDBR instructions

 * and the kCFI hash value.

 */

void __init_or_module noinline apply_seal_endbr(s32 *start, s32 *end, struct module *mod)

void __init_or_module noinline apply_seal_endbr(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		poison_endbr(addr, wr_addr, true);

		poison_endbr(addr, true);

		if (IS_ENABLED(CONFIG_FINEIBT))

			poison_cfi(addr - 16, wr_addr - 16);

			poison_cfi(addr - 16);

	}

}

#else

void __init_or_module apply_seal_endbr(s32 *start, s32 *end, struct module *mod) { }

void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }

#endif /* CONFIG_X86_KERNEL_IBT */

}

/* .retpoline_sites */

static int cfi_disable_callers(s32 *start, s32 *end, struct module *mod)

static int cfi_disable_callers(s32 *start, s32 *end)

{

	/*

	 * Disable kCFI by patching in a JMP.d8, this leaves the hash immediate

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr;

		u32 hash;

		addr -= fineibt_caller_size;

		wr_addr = module_writable_address(mod, addr);

		hash = decode_caller_hash(wr_addr);

		hash = decode_caller_hash(addr);

		if (!hash) /* nocfi callers */

			continue;

		text_poke_early(wr_addr, jmp, 2);

		text_poke_early(addr, jmp, 2);

	}

	return 0;

}

static int cfi_enable_callers(s32 *start, s32 *end, struct module *mod)

static int cfi_enable_callers(s32 *start, s32 *end)

{

	/*

	 * Re-enable kCFI, undo what cfi_disable_callers() did.

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr;

		u32 hash;

		addr -= fineibt_caller_size;

		wr_addr = module_writable_address(mod, addr);

		hash = decode_caller_hash(wr_addr);

		hash = decode_caller_hash(addr);

		if (!hash) /* nocfi callers */

			continue;

		text_poke_early(wr_addr, mov, 2);

		text_poke_early(addr, mov, 2);

	}

	return 0;

}

/* .cfi_sites */

static int cfi_rand_preamble(s32 *start, s32 *end, struct module *mod)

static int cfi_rand_preamble(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		u32 hash;

		hash = decode_preamble_hash(wr_addr);

		hash = decode_preamble_hash(addr);

		if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",

			 addr, addr, 5, addr))

			return -EINVAL;

		hash = cfi_rehash(hash);

		text_poke_early(wr_addr + 1, &hash, 4);

		text_poke_early(addr + 1, &hash, 4);

	}

	return 0;

}

static int cfi_rewrite_preamble(s32 *start, s32 *end, struct module *mod)

static int cfi_rewrite_preamble(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		u32 hash;

		hash = decode_preamble_hash(wr_addr);

		hash = decode_preamble_hash(addr);

		if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n",

			 addr, addr, 5, addr))

			return -EINVAL;

		text_poke_early(wr_addr, fineibt_preamble_start, fineibt_preamble_size);

		WARN_ON(*(u32 *)(wr_addr + fineibt_preamble_hash) != 0x12345678);

		text_poke_early(wr_addr + fineibt_preamble_hash, &hash, 4);

		text_poke_early(addr, fineibt_preamble_start, fineibt_preamble_size);

		WARN_ON(*(u32 *)(addr + fineibt_preamble_hash) != 0x12345678);

		text_poke_early(addr + fineibt_preamble_hash, &hash, 4);

	}

	return 0;

}

static void cfi_rewrite_endbr(s32 *start, s32 *end, struct module *mod)

static void cfi_rewrite_endbr(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr = module_writable_address(mod, addr);

		poison_endbr(addr + 16, wr_addr + 16, false);

		poison_endbr(addr+16, false);

	}

}

/* .retpoline_sites */

static int cfi_rand_callers(s32 *start, s32 *end, struct module *mod)

static int cfi_rand_callers(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr;

		u32 hash;

		addr -= fineibt_caller_size;

		wr_addr = module_writable_address(mod, addr);

		hash = decode_caller_hash(wr_addr);

		hash = decode_caller_hash(addr);

		if (hash) {

			hash = -cfi_rehash(hash);

			text_poke_early(wr_addr + 2, &hash, 4);

			text_poke_early(addr + 2, &hash, 4);

		}

	}

	return 0;

}

static int cfi_rewrite_callers(s32 *start, s32 *end, struct module *mod)

static int cfi_rewrite_callers(s32 *start, s32 *end)

{

	s32 *s;

	for (s = start; s < end; s++) {

		void *addr = (void *)s + *s;

		void *wr_addr;

		u32 hash;

		addr -= fineibt_caller_size;

		wr_addr = module_writable_address(mod, addr);

		hash = decode_caller_hash(wr_addr);

		hash = decode_caller_hash(addr);

		if (hash) {

			text_poke_early(wr_addr, fineibt_caller_start, fineibt_caller_size);

			WARN_ON(*(u32 *)(wr_addr + fineibt_caller_hash) != 0x12345678);

			text_poke_early(wr_addr + fineibt_caller_hash, &hash, 4);

			text_poke_early(addr, fineibt_caller_start, fineibt_caller_size);

			WARN_ON(*(u32 *)(addr + fineibt_caller_hash) != 0x12345678);

			text_poke_early(addr + fineibt_caller_hash, &hash, 4);

		}

		/* rely on apply_retpolines() */

	}

}

static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,

			    s32 *start_cfi, s32 *end_cfi, struct module *mod)

			    s32 *start_cfi, s32 *end_cfi, bool builtin)

{

	bool builtin = mod ? false : true;

	int ret;

	if (WARN_ONCE(fineibt_preamble_size != 16,

	 * rewrite them. This disables all CFI. If this succeeds but any of the

	 * later stages fails, we're without CFI.

	 */

	ret = cfi_disable_callers(start_retpoline, end_retpoline, mod);

	ret = cfi_disable_callers(start_retpoline, end_retpoline);

	if (ret)

		goto err;

			cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);

		}

		ret = cfi_rand_preamble(start_cfi, end_cfi, mod);

		ret = cfi_rand_preamble(start_cfi, end_cfi);

		if (ret)

			goto err;

		ret = cfi_rand_callers(start_retpoline, end_retpoline, mod);

		ret = cfi_rand_callers(start_retpoline, end_retpoline);

		if (ret)

			goto err;

	}

		return;

	case CFI_KCFI:

		ret = cfi_enable_callers(start_retpoline, end_retpoline, mod);

		ret = cfi_enable_callers(start_retpoline, end_retpoline);

		if (ret)

			goto err;

	case CFI_FINEIBT:

		/* place the FineIBT preamble at func()-16 */

		ret = cfi_rewrite_preamble(start_cfi, end_cfi, mod);

		ret = cfi_rewrite_preamble(start_cfi, end_cfi);

		if (ret)

			goto err;

		/* rewrite the callers to target func()-16 */

		ret = cfi_rewrite_callers(start_retpoline, end_retpoline, mod);

		ret = cfi_rewrite_callers(start_retpoline, end_retpoline);

		if (ret)

			goto err;

		/* now that nobody targets func()+0, remove ENDBR there */

		cfi_rewrite_endbr(start_cfi, end_cfi, mod);

		cfi_rewrite_endbr(start_cfi, end_cfi);

		if (builtin)

			pr_info("Using FineIBT CFI\n");

	*(u32 *)addr = 0;

}

static void poison_cfi(void *addr, void *wr_addr)

static void poison_cfi(void *addr)

{

	switch (cfi_mode) {

	case CFI_FINEIBT:

		 *	ud2

		 * 1:	nop

		 */

		poison_endbr(addr, wr_addr, false);

		poison_hash(wr_addr + fineibt_preamble_hash);

		poison_endbr(addr, false);

		poison_hash(addr + fineibt_preamble_hash);

		break;

	case CFI_KCFI:

		 *	movl	$0, %eax

		 *	.skip	11, 0x90

		 */