// SPDX-License-Identifier: GPL-2.0
#include <asm/insn.h>
#include <linux/mm.h>
#include "perf_event.h"
/*
 * return the type of control flow change at address "from"
 * instruction is not necessarily a branch (in case of interrupt).
 *
 * The branch type returned also includes the priv level of the
 * target of the control flow change (X86_BR_USER, X86_BR_KERNEL).
 *
 * If a branch type is unknown OR the instruction cannot be
 * decoded (e.g., text page not present), then X86_BR_NONE is
 * returned.
 *
 * @from:  address of the instruction that caused the control flow
 *         change, as logged by the LBR; the bytes at this address are
 *         what gets decoded.
 * @to:    target address; only used to derive the target priv level.
 * @abort: non-zero when the entry is already known to be an abort, in
 *         which case X86_BR_ABORT | to_plm is returned without decoding.
 *
 * Return: one X86_BR_* type OR'ed with X86_BR_USER/X86_BR_KERNEL of the
 * target, X86_BR_NONE when nothing could be classified, or a bare
 * X86_BR_ABORT (no priv bits) when the instruction decoder fails.
 *
 * "from" is whatever IP the hardware logged, faulting or not, so it is
 * untrusted input: both the user and the kernel paths below validate it
 * before any memory is read through it.
 */
int branch_type(unsigned long from, unsigned long to, int abort)
{
	struct insn insn;
	void *addr;			/* where the decoder reads instruction bytes from */
	int bytes_read, bytes_left;
	int ret = X86_BR_NONE;		/* stays NONE unless an opcode case sets it */
	int ext, to_plm, from_plm;
	u8 buf[MAX_INSN_SIZE];		/* fault-safe copy of user text; kernel text is decoded in place */
	int is64 = 0;

	to_plm = kernel_ip(to) ? X86_BR_KERNEL : X86_BR_USER;
	from_plm = kernel_ip(from) ? X86_BR_KERNEL : X86_BR_USER;

	/*
	 * maybe zero if lbr did not fill up after a reset by the time
	 * we get a PMU interrupt
	 */
	if (from == 0 || to == 0)
		return X86_BR_NONE;

	if (abort)
		return X86_BR_ABORT | to_plm;

	if (from_plm == X86_BR_USER) {
		/*
		 * can happen if measuring at the user level only
		 * and we interrupt in a kernel thread, e.g., idle.
		 */
		if (!current->mm)
			return X86_BR_NONE;

		/*
		 * may fail if text not present.
		 * copy_from_user_nmi() returns the number of bytes it could
		 * NOT copy; a partial copy is still handed to the decoder,
		 * bounded by bytes_read.
		 */
		bytes_left = copy_from_user_nmi(buf, (void __user *)from,
						MAX_INSN_SIZE);
		bytes_read = MAX_INSN_SIZE - bytes_left;
		if (!bytes_read)
			return X86_BR_NONE;

		addr = buf;
	} else {
		/*
		 * The LBR logs any address in the IP, even if the IP just
		 * faulted. This means userspace can control the from address.
		 * Ensure we don't blindly read any address by validating it is
		 * a known text address and not a vsyscall address.
		 *
		 * Unlike the user path there is no fault-safe copy here: the
		 * decoder dereferences addr directly, so this check is the
		 * only thing between a bogus "from" and an arbitrary kernel
		 * read / oops.
		 */
		if (kernel_text_address(from) && !in_gate_area_no_mm(from)) {
			addr = (void *)from;
			/*
			 * Assume we can get the maximum possible size
			 * when grabbing kernel data. This is not
			 * _strictly_ true since we could possibly be
			 * executing up next to a memory hole, but
			 * it is very unlikely to be a problem.
			 */
			bytes_read = MAX_INSN_SIZE;
		} else {
			return X86_BR_NONE;
		}
	}

	/*
	 * decoder needs to know the ABI especially
	 * on 64-bit systems running 32-bit apps
	 *
	 * NOTE(review): on the user path addr points at buf, a kernel stack
	 * address, so kernel_ip(addr) looks like it is always true on 64-bit
	 * and any_64bit_mode() is never consulted for user text; confirm
	 * against kernel_ip()'s definition before relying on 32-bit decode.
	 */
#ifdef CONFIG_X86_64
	is64 = kernel_ip((unsigned long)addr) || any_64bit_mode(current_pt_regs());
#endif
	insn_init(&insn, addr, bytes_read, is64);
	/* decoder failure is reported as a bare ABORT, without priv bits */
	if (insn_get_opcode(&insn))
		return X86_BR_ABORT;

	switch (insn.opcode.bytes[0]) {
	case 0xf:
		/* two-byte opcode map */
		switch (insn.opcode.bytes[1]) {
		case 0x05: /* syscall */
		case 0x34: /* sysenter */
			ret = X86_BR_SYSCALL;
			break;
		case 0x07: /* sysret */
		case 0x35: /* sysexit */
			ret = X86_BR_SYSRET;
			break;
		case 0x80 ... 0x8f: /* conditional */
			ret = X86_BR_JCC;
			break;
		default:
			ret = X86_BR_NONE;
		}
		break;
	case 0x70 ... 0x7f: /* conditional */
		ret = X86_BR_JCC;
		break;
	case 0xc2: /* near ret */
	case 0xc3: /* near ret */
	case 0xca: /* far ret */
	case 0xcb: /* far ret */
		ret = X86_BR_RET;
		break;
	case 0xcf: /* iret */
		ret = X86_BR_IRET;
		break;
	case 0xcc ... 0xce: /* int */
		ret = X86_BR_INT;
		break;
	case 0xe8: /* call near rel */
		/*
		 * A rel32 of zero is a call to the next instruction; treat a
		 * failed immediate decode the same way rather than aborting.
		 */
		if (insn_get_immediate(&insn) || insn.immediate1.value == 0) {
			/* zero length call */
			ret = X86_BR_ZERO_CALL;
			break;
		}
		fallthrough;
	case 0x9a: /* call far absolute */
		ret = X86_BR_CALL;
		break;
	case 0xe0 ... 0xe3: /* loop jmp */
		ret = X86_BR_JCC;
		break;
	case 0xe9 ... 0xeb: /* jmp */
		ret = X86_BR_JMP;
		break;
	case 0xff: /* call near absolute, call far absolute ind */
		if (insn_get_modrm(&insn))
			return X86_BR_ABORT;

		/* ModRM reg field (bits 5:3) selects the operation for 0xff */
		ext = (insn.modrm.bytes[0] >> 3) & 0x7;
		switch (ext) {
		case 2: /* near ind call */
		case 3: /* far ind call */
			ret = X86_BR_IND_CALL;
			break;
		case 4:
		case 5:
			ret = X86_BR_IND_JMP;
			break;
		/* other ext values leave ret at its initial X86_BR_NONE */
		}
		break;
	default:
		ret = X86_BR_NONE;
	}
	/*
	 * interrupts, traps, faults (and thus ring transition) may
	 * occur on any instructions. Thus, to classify them correctly,
	 * we need to first look at the from and to priv levels. If they
	 * are different and to is in the kernel, then it indicates
	 * a ring transition. If the from instruction is not a ring
	 * transition instr (syscall, sysenter, int), then it means
	 * it was a irq, trap or fault.
	 *
	 * we have no way of detecting kernel to kernel faults.
	 */
	if (from_plm == X86_BR_USER && to_plm == X86_BR_KERNEL
	    && ret != X86_BR_SYSCALL && ret != X86_BR_INT)
		ret = X86_BR_IRQ;

	/*
	 * branch priv level determined by target as
	 * is done by HW when LBR_SELECT is implemented
	 */
	if (ret != X86_BR_NONE)
		ret |= to_plm;

	return ret;
}
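#define X86_BR_TYPE_MAP_MAX 16

/*
 * X86_BR_* -> PERF_BR_* translation table.
 *
 * Indexed by the bit position of the X86_BR_* flag once the two
 * priv-level bits (X86_BR_USER/X86_BR_KERNEL) have been shifted out,
 * which is how common_branch_type() looks it up. The table is only ever
 * read, so it is const and lives in read-only data.
 */
static const int branch_map[X86_BR_TYPE_MAP_MAX] = {
	[0]  = PERF_BR_CALL,		/* X86_BR_CALL */
	[1]  = PERF_BR_RET,		/* X86_BR_RET */
	[2]  = PERF_BR_SYSCALL,		/* X86_BR_SYSCALL */
	[3]  = PERF_BR_SYSRET,		/* X86_BR_SYSRET */
	[4]  = PERF_BR_UNKNOWN,		/* X86_BR_INT */
	[5]  = PERF_BR_ERET,		/* X86_BR_IRET */
	[6]  = PERF_BR_COND,		/* X86_BR_JCC */
	[7]  = PERF_BR_UNCOND,		/* X86_BR_JMP */
	[8]  = PERF_BR_IRQ,		/* X86_BR_IRQ */
	[9]  = PERF_BR_IND_CALL,	/* X86_BR_IND_CALL */
	[10] = PERF_BR_UNKNOWN,		/* X86_BR_ABORT */
	[11] = PERF_BR_UNKNOWN,		/* X86_BR_IN_TX */
	[12] = PERF_BR_UNKNOWN,		/* X86_BR_NO_TX */
	[13] = PERF_BR_CALL,		/* X86_BR_ZERO_CALL */
	[14] = PERF_BR_UNKNOWN,		/* X86_BR_CALL_STACK */
	[15] = PERF_BR_IND,		/* X86_BR_IND_JMP */
};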
/*
 * Translate an x86-specific branch type (as produced by branch_type())
 * into the generic PERF_BR_* classification.
 *
 * @type: X86_BR_* flag, possibly OR'ed with X86_BR_USER/X86_BR_KERNEL.
 *
 * Return: the PERF_BR_* entry of branch_map for the lowest set type bit,
 * or PERF_BR_UNKNOWN when no type bit is set or the bit position falls
 * outside the table.
 */
int common_branch_type(int type)
{
	int idx;

	/* the low two bits carry the priv level, not a branch type */
	type >>= 2;
	if (!type)
		return PERF_BR_UNKNOWN;

	idx = __ffs(type);
	if (idx >= X86_BR_TYPE_MAP_MAX)
		return PERF_BR_UNKNOWN;

	return branch_map[idx];
}