tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/*
2 * arch/arm/kernel/kprobes.c
3 *
4 * Kprobes on ARM
5 *
6 * Abhishek Sagar <sagar.abhishek@gmail.com>
7 * Copyright (C) 2006, 2007 Motorola Inc.
8 *
9 * Nicolas Pitre <nico@marvell.com>
10 * Copyright (C) 2007 Marvell Ltd.
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * General Public License for more details.
20 */
21
22#include <linux/kernel.h>
23#include <linux/kprobes.h>
24#include <linux/module.h>
25#include <linux/slab.h>
26#include <linux/stop_machine.h>
27#include <linux/stringify.h>
28#include <asm/traps.h>
29#include <asm/cacheflush.h>
30
31#include "kprobes.h"
32#include "patch.h"
33
34#define MIN_STACK_SIZE(addr) \
35 min((unsigned long)MAX_STACK_SIZE, \
36 (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
37
38#define flush_insns(addr, size) \
39 flush_icache_range((unsigned long)(addr), \
40 (unsigned long)(addr) + \
41 (size))
42
43/* Used as a marker in ARM_pc to note when we're in a jprobe. */
44#define JPROBE_MAGIC_ADDR 0xffffffff
45
46DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
47DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
48
49
50int __kprobes arch_prepare_kprobe(struct kprobe *p)
51{
52 kprobe_opcode_t insn;
53 kprobe_opcode_t tmp_insn[MAX_INSN_SIZE];
54 unsigned long addr = (unsigned long)p->addr;
55 bool thumb;
56 kprobe_decode_insn_t *decode_insn;
57 int is;
58
59 if (in_exception_text(addr))
60 return -EINVAL;
61
62#ifdef CONFIG_THUMB2_KERNEL
63 thumb = true;
64 addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */
65 insn = ((u16 *)addr)[0];
66 if (is_wide_instruction(insn)) {
67 insn <<= 16;
68 insn |= ((u16 *)addr)[1];
69 decode_insn = thumb32_kprobe_decode_insn;
70 } else
71 decode_insn = thumb16_kprobe_decode_insn;
72#else /* !CONFIG_THUMB2_KERNEL */
73 thumb = false;
74 if (addr & 0x3)
75 return -EINVAL;
76 insn = *p->addr;
77 decode_insn = arm_kprobe_decode_insn;
78#endif
79
80 p->opcode = insn;
81 p->ainsn.insn = tmp_insn;
82
83 switch ((*decode_insn)(insn, &p->ainsn)) {
84 case INSN_REJECTED: /* not supported */
85 return -EINVAL;
86
87 case INSN_GOOD: /* instruction uses slot */
88 p->ainsn.insn = get_insn_slot();
89 if (!p->ainsn.insn)
90 return -ENOMEM;
91 for (is = 0; is < MAX_INSN_SIZE; ++is)
92 p->ainsn.insn[is] = tmp_insn[is];
93 flush_insns(p->ainsn.insn,
94 sizeof(p->ainsn.insn[0]) * MAX_INSN_SIZE);
95 p->ainsn.insn_fn = (kprobe_insn_fn_t *)
96 ((uintptr_t)p->ainsn.insn | thumb);
97 break;
98
99 case INSN_GOOD_NO_SLOT: /* instruction doesn't need insn slot */
100 p->ainsn.insn = NULL;
101 break;
102 }
103
104 return 0;
105}
106
107void __kprobes arch_arm_kprobe(struct kprobe *p)
108{
109 unsigned int brkp;
110 void *addr;
111
112 if (IS_ENABLED(CONFIG_THUMB2_KERNEL)) {
113 /* Remove any Thumb flag */
114 addr = (void *)((uintptr_t)p->addr & ~1);
115
116 if (is_wide_instruction(p->opcode))
117 brkp = KPROBE_THUMB32_BREAKPOINT_INSTRUCTION;
118 else
119 brkp = KPROBE_THUMB16_BREAKPOINT_INSTRUCTION;
120 } else {
121 kprobe_opcode_t insn = p->opcode;
122
123 addr = p->addr;
124 brkp = KPROBE_ARM_BREAKPOINT_INSTRUCTION;
125
126 if (insn >= 0xe0000000)
127 brkp |= 0xe0000000; /* Unconditional instruction */
128 else
129 brkp |= insn & 0xf0000000; /* Copy condition from insn */
130 }
131
132 patch_text(addr, brkp);
133}
134
135/*
136 * The actual disarming is done here on each CPU and synchronized using
137 * stop_machine. This synchronization is necessary on SMP to avoid removing
138 * a probe between the moment the 'Undefined Instruction' exception is raised
139 * and the moment the exception handler reads the faulting instruction from
140 * memory. It is also needed to atomically set the two half-words of a 32-bit
141 * Thumb breakpoint.
142 */
143int __kprobes __arch_disarm_kprobe(void *p)
144{
145 struct kprobe *kp = p;
146 void *addr = (void *)((uintptr_t)kp->addr & ~1);
147
148 __patch_text(addr, kp->opcode);
149
150 return 0;
151}
152
153void __kprobes arch_disarm_kprobe(struct kprobe *p)
154{
155 stop_machine(__arch_disarm_kprobe, p, cpu_online_mask);
156}
157
158void __kprobes arch_remove_kprobe(struct kprobe *p)
159{
160 if (p->ainsn.insn) {
161 free_insn_slot(p->ainsn.insn, 0);
162 p->ainsn.insn = NULL;
163 }
164}
165
166static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
167{
168 kcb->prev_kprobe.kp = kprobe_running();
169 kcb->prev_kprobe.status = kcb->kprobe_status;
170}
171
172static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
173{
174 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
175 kcb->kprobe_status = kcb->prev_kprobe.status;
176}
177
178static void __kprobes set_current_kprobe(struct kprobe *p)
179{
180 __this_cpu_write(current_kprobe, p);
181}
182
183static void __kprobes
184singlestep_skip(struct kprobe *p, struct pt_regs *regs)
185{
186#ifdef CONFIG_THUMB2_KERNEL
187 regs->ARM_cpsr = it_advance(regs->ARM_cpsr);
188 if (is_wide_instruction(p->opcode))
189 regs->ARM_pc += 4;
190 else
191 regs->ARM_pc += 2;
192#else
193 regs->ARM_pc += 4;
194#endif
195}
196
197static inline void __kprobes
198singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
199{
200 p->ainsn.insn_singlestep(p, regs);
201}
202
203/*
204 * Called with IRQs disabled. IRQs must remain disabled from that point
205 * all the way until processing this kprobe is complete. The current
206 * kprobes implementation cannot process more than one nested level of
207 * kprobe, and that level is reserved for user kprobe handlers, so we can't
208 * risk encountering a new kprobe in an interrupt handler.
209 */
210void __kprobes kprobe_handler(struct pt_regs *regs)
211{
212 struct kprobe *p, *cur;
213 struct kprobe_ctlblk *kcb;
214
215 kcb = get_kprobe_ctlblk();
216 cur = kprobe_running();
217
218#ifdef CONFIG_THUMB2_KERNEL
219 /*
220 * First look for a probe which was registered using an address with
221 * bit 0 set, this is the usual situation for pointers to Thumb code.
222 * If not found, fallback to looking for one with bit 0 clear.
223 */
224 p = get_kprobe((kprobe_opcode_t *)(regs->ARM_pc | 1));
225 if (!p)
226 p = get_kprobe((kprobe_opcode_t *)regs->ARM_pc);
227
228#else /* ! CONFIG_THUMB2_KERNEL */
229 p = get_kprobe((kprobe_opcode_t *)regs->ARM_pc);
230#endif
231
232 if (p) {
233 if (cur) {
234 /* Kprobe is pending, so we're recursing. */
235 switch (kcb->kprobe_status) {
236 case KPROBE_HIT_ACTIVE:
237 case KPROBE_HIT_SSDONE:
238 /* A pre- or post-handler probe got us here. */
239 kprobes_inc_nmissed_count(p);
240 save_previous_kprobe(kcb);
241 set_current_kprobe(p);
242 kcb->kprobe_status = KPROBE_REENTER;
243 singlestep(p, regs, kcb);
244 restore_previous_kprobe(kcb);
245 break;
246 default:
247 /* impossible cases */
248 BUG();
249 }
250 } else if (p->ainsn.insn_check_cc(regs->ARM_cpsr)) {
251 /* Probe hit and conditional execution check ok. */
252 set_current_kprobe(p);
253 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
254
255 /*
256 * If we have no pre-handler or it returned 0, we
257 * continue with normal processing. If we have a
258 * pre-handler and it returned non-zero, it prepped
259 * for calling the break_handler below on re-entry,
260 * so get out doing nothing more here.
261 */
262 if (!p->pre_handler || !p->pre_handler(p, regs)) {
263 kcb->kprobe_status = KPROBE_HIT_SS;
264 singlestep(p, regs, kcb);
265 if (p->post_handler) {
266 kcb->kprobe_status = KPROBE_HIT_SSDONE;
267 p->post_handler(p, regs, 0);
268 }
269 reset_current_kprobe();
270 }
271 } else {
272 /*
273 * Probe hit but conditional execution check failed,
274 * so just skip the instruction and continue as if
275 * nothing had happened.
276 */
277 singlestep_skip(p, regs);
278 }
279 } else if (cur) {
280 /* We probably hit a jprobe. Call its break handler. */
281 if (cur->break_handler && cur->break_handler(cur, regs)) {
282 kcb->kprobe_status = KPROBE_HIT_SS;
283 singlestep(cur, regs, kcb);
284 if (cur->post_handler) {
285 kcb->kprobe_status = KPROBE_HIT_SSDONE;
286 cur->post_handler(cur, regs, 0);
287 }
288 }
289 reset_current_kprobe();
290 } else {
291 /*
292 * The probe was removed and a race is in progress.
293 * There is nothing we can do about it. Let's restart
294 * the instruction. By the time we can restart, the
295 * real instruction will be there.
296 */
297 }
298}
299
300static int __kprobes kprobe_trap_handler(struct pt_regs *regs, unsigned int instr)
301{
302 unsigned long flags;
303 local_irq_save(flags);
304 kprobe_handler(regs);
305 local_irq_restore(flags);
306 return 0;
307}
308
309int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
310{
311 struct kprobe *cur = kprobe_running();
312 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
313
314 switch (kcb->kprobe_status) {
315 case KPROBE_HIT_SS:
316 case KPROBE_REENTER:
317 /*
318 * We are here because the instruction being single
319 * stepped caused a page fault. We reset the current
320 * kprobe and the PC to point back to the probe address
321 * and allow the page fault handler to continue as a
322 * normal page fault.
323 */
324 regs->ARM_pc = (long)cur->addr;
325 if (kcb->kprobe_status == KPROBE_REENTER) {
326 restore_previous_kprobe(kcb);
327 } else {
328 reset_current_kprobe();
329 }
330 break;
331
332 case KPROBE_HIT_ACTIVE:
333 case KPROBE_HIT_SSDONE:
334 /*
335 * We increment the nmissed count for accounting,
336 * we can also use npre/npostfault count for accounting
337 * these specific fault cases.
338 */
339 kprobes_inc_nmissed_count(cur);
340
341 /*
342 * We come here because instructions in the pre/post
343 * handler caused the page_fault, this could happen
344 * if handler tries to access user space by
345 * copy_from_user(), get_user() etc. Let the
346 * user-specified handler try to fix it.
347 */
348 if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
349 return 1;
350 break;
351
352 default:
353 break;
354 }
355
356 return 0;
357}
358
359int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
360 unsigned long val, void *data)
361{
362 /*
363 * notify_die() is currently never called on ARM,
364 * so this callback is currently empty.
365 */
366 return NOTIFY_DONE;
367}
368
369/*
370 * When a retprobed function returns, trampoline_handler() is called,
371 * calling the kretprobe's handler. We construct a struct pt_regs to
372 * give a view of registers r0-r11 to the user return-handler. This is
373 * not a complete pt_regs structure, but that should be plenty sufficient
374 * for kretprobe handlers which should normally be interested in r0 only
375 * anyway.
376 */
377void __naked __kprobes kretprobe_trampoline(void)
378{
379 __asm__ __volatile__ (
380 "stmdb sp!, {r0 - r11} \n\t"
381 "mov r0, sp \n\t"
382 "bl trampoline_handler \n\t"
383 "mov lr, r0 \n\t"
384 "ldmia sp!, {r0 - r11} \n\t"
385#ifdef CONFIG_THUMB2_KERNEL
386 "bx lr \n\t"
387#else
388 "mov pc, lr \n\t"
389#endif
390 : : : "memory");
391}
392
393/* Called from kretprobe_trampoline */
394static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
395{
396 struct kretprobe_instance *ri = NULL;
397 struct hlist_head *head, empty_rp;
398 struct hlist_node *tmp;
399 unsigned long flags, orig_ret_address = 0;
400 unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
401
402 INIT_HLIST_HEAD(&empty_rp);
403 kretprobe_hash_lock(current, &head, &flags);
404
405 /*
406 * It is possible to have multiple instances associated with a given
407 * task either because multiple functions in the call path have
408 * a return probe installed on them, and/or more than one return
409 * probe was registered for a target function.
410 *
411 * We can handle this because:
412 * - instances are always inserted at the head of the list
413 * - when multiple return probes are registered for the same
414 * function, the first instance's ret_addr will point to the
415 * real return address, and all the rest will point to
416 * kretprobe_trampoline
417 */
418 hlist_for_each_entry_safe(ri, tmp, head, hlist) {
419 if (ri->task != current)
420 /* another task is sharing our hash bucket */
421 continue;
422
423 if (ri->rp && ri->rp->handler) {
424 __this_cpu_write(current_kprobe, &ri->rp->kp);
425 get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
426 ri->rp->handler(ri, regs);
427 __this_cpu_write(current_kprobe, NULL);
428 }
429
430 orig_ret_address = (unsigned long)ri->ret_addr;
431 recycle_rp_inst(ri, &empty_rp);
432
433 if (orig_ret_address != trampoline_address)
434 /*
435 * This is the real return address. Any other
436 * instances associated with this task are for
437 * other calls deeper on the call stack
438 */
439 break;
440 }
441
442 kretprobe_assert(ri, orig_ret_address, trampoline_address);
443 kretprobe_hash_unlock(current, &flags);
444
445 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
446 hlist_del(&ri->hlist);
447 kfree(ri);
448 }
449
450 return (void *)orig_ret_address;
451}
452
453void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
454 struct pt_regs *regs)
455{
456 ri->ret_addr = (kprobe_opcode_t *)regs->ARM_lr;
457
458 /* Replace the return addr with trampoline addr. */
459 regs->ARM_lr = (unsigned long)&kretprobe_trampoline;
460}
461
462int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
463{
464 struct jprobe *jp = container_of(p, struct jprobe, kp);
465 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
466 long sp_addr = regs->ARM_sp;
467 long cpsr;
468
469 kcb->jprobe_saved_regs = *regs;
470 memcpy(kcb->jprobes_stack, (void *)sp_addr, MIN_STACK_SIZE(sp_addr));
471 regs->ARM_pc = (long)jp->entry;
472
473 cpsr = regs->ARM_cpsr | PSR_I_BIT;
474#ifdef CONFIG_THUMB2_KERNEL
475 /* Set correct Thumb state in cpsr */
476 if (regs->ARM_pc & 1)
477 cpsr |= PSR_T_BIT;
478 else
479 cpsr &= ~PSR_T_BIT;
480#endif
481 regs->ARM_cpsr = cpsr;
482
483 preempt_disable();
484 return 1;
485}
486
487void __kprobes jprobe_return(void)
488{
489 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
490
491 __asm__ __volatile__ (
492 /*
493 * Setup an empty pt_regs. Fill SP and PC fields as
494 * they're needed by longjmp_break_handler.
495 *
496 * We allocate some slack between the original SP and start of
497 * our fabricated regs. To be precise we want to have worst case
498 * covered which is STMFD with all 16 regs so we allocate 2 *
499 * sizeof(struct_pt_regs)).
500 *
501 * This is to prevent any simulated instruction from writing
502 * over the regs when they are accessing the stack.
503 */
504#ifdef CONFIG_THUMB2_KERNEL
505 "sub r0, %0, %1 \n\t"
506 "mov sp, r0 \n\t"
507#else
508 "sub sp, %0, %1 \n\t"
509#endif
510 "ldr r0, ="__stringify(JPROBE_MAGIC_ADDR)"\n\t"
511 "str %0, [sp, %2] \n\t"
512 "str r0, [sp, %3] \n\t"
513 "mov r0, sp \n\t"
514 "bl kprobe_handler \n\t"
515
516 /*
517 * Return to the context saved by setjmp_pre_handler
518 * and restored by longjmp_break_handler.
519 */
520#ifdef CONFIG_THUMB2_KERNEL
521 "ldr lr, [sp, %2] \n\t" /* lr = saved sp */
522 "ldrd r0, r1, [sp, %5] \n\t" /* r0,r1 = saved lr,pc */
523 "ldr r2, [sp, %4] \n\t" /* r2 = saved psr */
524 "stmdb lr!, {r0, r1, r2} \n\t" /* push saved lr and */
525 /* rfe context */
526 "ldmia sp, {r0 - r12} \n\t"
527 "mov sp, lr \n\t"
528 "ldr lr, [sp], #4 \n\t"
529 "rfeia sp! \n\t"
530#else
531 "ldr r0, [sp, %4] \n\t"
532 "msr cpsr_cxsf, r0 \n\t"
533 "ldmia sp, {r0 - pc} \n\t"
534#endif
535 :
536 : "r" (kcb->jprobe_saved_regs.ARM_sp),
537 "I" (sizeof(struct pt_regs) * 2),
538 "J" (offsetof(struct pt_regs, ARM_sp)),
539 "J" (offsetof(struct pt_regs, ARM_pc)),
540 "J" (offsetof(struct pt_regs, ARM_cpsr)),
541 "J" (offsetof(struct pt_regs, ARM_lr))
542 : "memory", "cc");
543}
544
545int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
546{
547 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
548 long stack_addr = kcb->jprobe_saved_regs.ARM_sp;
549 long orig_sp = regs->ARM_sp;
550 struct jprobe *jp = container_of(p, struct jprobe, kp);
551
552 if (regs->ARM_pc == JPROBE_MAGIC_ADDR) {
553 if (orig_sp != stack_addr) {
554 struct pt_regs *saved_regs =
555 (struct pt_regs *)kcb->jprobe_saved_regs.ARM_sp;
556 printk("current sp %lx does not match saved sp %lx\n",
557 orig_sp, stack_addr);
558 printk("Saved registers for jprobe %p\n", jp);
559 show_regs(saved_regs);
560 printk("Current registers\n");
561 show_regs(regs);
562 BUG();
563 }
564 *regs = kcb->jprobe_saved_regs;
565 memcpy((void *)stack_addr, kcb->jprobes_stack,
566 MIN_STACK_SIZE(stack_addr));
567 preempt_enable_no_resched();
568 return 1;
569 }
570 return 0;
571}
572
573int __kprobes arch_trampoline_kprobe(struct kprobe *p)
574{
575 return 0;
576}
577
578#ifdef CONFIG_THUMB2_KERNEL
579
580static struct undef_hook kprobes_thumb16_break_hook = {
581 .instr_mask = 0xffff,
582 .instr_val = KPROBE_THUMB16_BREAKPOINT_INSTRUCTION,
583 .cpsr_mask = MODE_MASK,
584 .cpsr_val = SVC_MODE,
585 .fn = kprobe_trap_handler,
586};
587
588static struct undef_hook kprobes_thumb32_break_hook = {
589 .instr_mask = 0xffffffff,
590 .instr_val = KPROBE_THUMB32_BREAKPOINT_INSTRUCTION,
591 .cpsr_mask = MODE_MASK,
592 .cpsr_val = SVC_MODE,
593 .fn = kprobe_trap_handler,
594};
595
596#else /* !CONFIG_THUMB2_KERNEL */
597
598static struct undef_hook kprobes_arm_break_hook = {
599 .instr_mask = 0x0fffffff,
600 .instr_val = KPROBE_ARM_BREAKPOINT_INSTRUCTION,
601 .cpsr_mask = MODE_MASK,
602 .cpsr_val = SVC_MODE,
603 .fn = kprobe_trap_handler,
604};
605
606#endif /* !CONFIG_THUMB2_KERNEL */
607
608int __init arch_init_kprobes()
609{
610 arm_kprobe_decode_init();
611#ifdef CONFIG_THUMB2_KERNEL
612 register_undef_hook(&kprobes_thumb16_break_hook);
613 register_undef_hook(&kprobes_thumb32_break_hook);
614#else
615 register_undef_hook(&kprobes_arm_break_hook);
616#endif
617 return 0;
618}