Add tests for SCS (Shadow Call Stack) based backward CFI.Hi, Kees,
+
+#ifdef CONFIG_ARM64
+/*
+ * This function is used to modify its return address. The PAC needs to be turned
+ * off here to ensure that the modification of the return address will not be blocked.
+ */
+static noinline __no_ptrauth
+void lkdtm_scs_set_lr(unsigned long *expected, unsigned long *addr)
+{
+ /* Use of volatile is to make sure final write isn't seen as a dead store. */
+ unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
+
+ /* Make sure we've found the right place on the stack before writing it. */
+ if (*ret_addr == expected)
+ *ret_addr = addr;
+}
+
+/* Function with __noscs attribute attempts to modify its return address. */
+static noinline __no_ptrauth __noscs
+void lkdtm_noscs_set_lr(unsigned long *expected, unsigned long *addr)
+{
+ /* Use of volatile is to make sure final write isn't seen as a dead store. */
+ unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
+
+ /* Make sure we've found the right place on the stack before writing it. */
+ if (*ret_addr == expected)
+ *ret_addr = addr;
+}
+#else
+static inline void lkdtm_noscs_set_lr(unsigned long *expected, unsigned long *addr) { }
+static inline void lkdtm_scs_set_lr(unsigned long *expected, unsigned long *addr) { }
+#endif
+
+static volatile unsigned int force_label;
+
+/*
+ * This first checks whether a function with the __noscs attribute under
+ * the current platform can directly modify its return address, and if so,
+ * checks whether scs takes effect.
+ */
+void __no_optimize lkdtm_CFI_BACKWARD_SHADOW(void)
+{
+ void *array[] = {&&unexpected, &&expected, &&good_scs, &&bad_scs};
+
+ if (force_label && (force_label < sizeof(array))) {
+ /*
+ * Call them with "NULL" first to avoid
+ * arguments being treated as constants in -02.
+ */
+ lkdtm_noscs_set_lr(NULL, NULL);
+ lkdtm_scs_set_lr(NULL, NULL);
+ goto *array[force_label];
+ }
+
+ /* Keep labels in scope to avoid compiler warnings. */
+ do {
+ /* Verify the "normal" condition of LR corruption working. */
+ pr_info("Trying to corrupt lr in a function without scs protection ...\n");
+ lkdtm_noscs_set_lr(&&unexpected, &&expected);
+
+unexpected:
+ /*
+ * If lr cannot be modified, the following check is meaningless,
+ * returns directly.
+ */
+ pr_err("XPASS: Unexpectedly survived lr corruption without scs?!\n");
+ break;
+
+expected:
+ pr_info("ok: lr corruption redirected without scs.\n");
+
+ /* Verify that SCS is in effect. */
+ pr_info("Trying to corrupt lr in a function with scs protection ...\n");
+ lkdtm_scs_set_lr(&&good_scs, &&bad_scs);
+
+good_scs:
+ pr_info("ok: scs takes effect.\n");
+ break;
+
+bad_scs:
+ pr_err("FAIL: return address rewritten!\n");
+ pr_expected_config(CONFIG_SHADOW_CALL_STACK);
+ } while (0);
+}