1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * HW_breakpoint: a unified kernel/user-space hardware breakpoint facility,
4 * using the CPU's debug registers.
5 *
6 * Copyright (C) 2012 ARM Limited
7 * Author: Will Deacon <will.deacon@arm.com>
8 */
9
10 #define pr_fmt(fmt) "hw-breakpoint: " fmt
11
12 #include <linux/compat.h>
13 #include <linux/cpu_pm.h>
14 #include <linux/errno.h>
15 #include <linux/hw_breakpoint.h>
16 #include <linux/kprobes.h>
17 #include <linux/perf_event.h>
18 #include <linux/ptrace.h>
19 #include <linux/smp.h>
20 #include <linux/uaccess.h>
21
22 #include <asm/current.h>
23 #include <asm/debug-monitors.h>
24 #include <asm/esr.h>
25 #include <asm/hw_breakpoint.h>
26 #include <asm/traps.h>
27 #include <asm/cputype.h>
28 #include <asm/system_misc.h>
29
30 /* Breakpoint currently in use for each BRP. */
31 static DEFINE_PER_CPU(struct perf_event *, bp_on_reg[ARM_MAX_BRP]);
32
33 /* Watchpoint currently in use for each WRP. */
34 static DEFINE_PER_CPU(struct perf_event *, wp_on_reg[ARM_MAX_WRP]);
35
36 /* Currently stepping a per-CPU kernel breakpoint. */
37 static DEFINE_PER_CPU(int, stepping_kernel_bp);
38
39 /* Number of BRP/WRP registers on this CPU. */
40 static int core_num_brps;
41 static int core_num_wrps;
42
hw_breakpoint_slots(int type)43 int hw_breakpoint_slots(int type)
44 {
45 /*
46 * We can be called early, so don't rely on
47 * our static variables being initialised.
48 */
49 switch (type) {
50 case TYPE_INST:
51 return get_num_brps();
52 case TYPE_DATA:
53 return get_num_wrps();
54 default:
55 pr_warn("unknown slot type: %d\n", type);
56 return 0;
57 }
58 }
59
60 #define READ_WB_REG_CASE(OFF, N, REG, VAL) \
61 case (OFF + N): \
62 AARCH64_DBG_READ(N, REG, VAL); \
63 break
64
65 #define WRITE_WB_REG_CASE(OFF, N, REG, VAL) \
66 case (OFF + N): \
67 AARCH64_DBG_WRITE(N, REG, VAL); \
68 break
69
70 #define GEN_READ_WB_REG_CASES(OFF, REG, VAL) \
71 READ_WB_REG_CASE(OFF, 0, REG, VAL); \
72 READ_WB_REG_CASE(OFF, 1, REG, VAL); \
73 READ_WB_REG_CASE(OFF, 2, REG, VAL); \
74 READ_WB_REG_CASE(OFF, 3, REG, VAL); \
75 READ_WB_REG_CASE(OFF, 4, REG, VAL); \
76 READ_WB_REG_CASE(OFF, 5, REG, VAL); \
77 READ_WB_REG_CASE(OFF, 6, REG, VAL); \
78 READ_WB_REG_CASE(OFF, 7, REG, VAL); \
79 READ_WB_REG_CASE(OFF, 8, REG, VAL); \
80 READ_WB_REG_CASE(OFF, 9, REG, VAL); \
81 READ_WB_REG_CASE(OFF, 10, REG, VAL); \
82 READ_WB_REG_CASE(OFF, 11, REG, VAL); \
83 READ_WB_REG_CASE(OFF, 12, REG, VAL); \
84 READ_WB_REG_CASE(OFF, 13, REG, VAL); \
85 READ_WB_REG_CASE(OFF, 14, REG, VAL); \
86 READ_WB_REG_CASE(OFF, 15, REG, VAL)
87
88 #define GEN_WRITE_WB_REG_CASES(OFF, REG, VAL) \
89 WRITE_WB_REG_CASE(OFF, 0, REG, VAL); \
90 WRITE_WB_REG_CASE(OFF, 1, REG, VAL); \
91 WRITE_WB_REG_CASE(OFF, 2, REG, VAL); \
92 WRITE_WB_REG_CASE(OFF, 3, REG, VAL); \
93 WRITE_WB_REG_CASE(OFF, 4, REG, VAL); \
94 WRITE_WB_REG_CASE(OFF, 5, REG, VAL); \
95 WRITE_WB_REG_CASE(OFF, 6, REG, VAL); \
96 WRITE_WB_REG_CASE(OFF, 7, REG, VAL); \
97 WRITE_WB_REG_CASE(OFF, 8, REG, VAL); \
98 WRITE_WB_REG_CASE(OFF, 9, REG, VAL); \
99 WRITE_WB_REG_CASE(OFF, 10, REG, VAL); \
100 WRITE_WB_REG_CASE(OFF, 11, REG, VAL); \
101 WRITE_WB_REG_CASE(OFF, 12, REG, VAL); \
102 WRITE_WB_REG_CASE(OFF, 13, REG, VAL); \
103 WRITE_WB_REG_CASE(OFF, 14, REG, VAL); \
104 WRITE_WB_REG_CASE(OFF, 15, REG, VAL)
105
read_wb_reg(int reg,int n)106 static u64 read_wb_reg(int reg, int n)
107 {
108 u64 val = 0;
109
110 switch (reg + n) {
111 GEN_READ_WB_REG_CASES(AARCH64_DBG_REG_BVR, AARCH64_DBG_REG_NAME_BVR, val);
112 GEN_READ_WB_REG_CASES(AARCH64_DBG_REG_BCR, AARCH64_DBG_REG_NAME_BCR, val);
113 GEN_READ_WB_REG_CASES(AARCH64_DBG_REG_WVR, AARCH64_DBG_REG_NAME_WVR, val);
114 GEN_READ_WB_REG_CASES(AARCH64_DBG_REG_WCR, AARCH64_DBG_REG_NAME_WCR, val);
115 default:
116 pr_warn("attempt to read from unknown breakpoint register %d\n", n);
117 }
118
119 return val;
120 }
121 NOKPROBE_SYMBOL(read_wb_reg);
122
write_wb_reg(int reg,int n,u64 val)123 static void write_wb_reg(int reg, int n, u64 val)
124 {
125 switch (reg + n) {
126 GEN_WRITE_WB_REG_CASES(AARCH64_DBG_REG_BVR, AARCH64_DBG_REG_NAME_BVR, val);
127 GEN_WRITE_WB_REG_CASES(AARCH64_DBG_REG_BCR, AARCH64_DBG_REG_NAME_BCR, val);
128 GEN_WRITE_WB_REG_CASES(AARCH64_DBG_REG_WVR, AARCH64_DBG_REG_NAME_WVR, val);
129 GEN_WRITE_WB_REG_CASES(AARCH64_DBG_REG_WCR, AARCH64_DBG_REG_NAME_WCR, val);
130 default:
131 pr_warn("attempt to write to unknown breakpoint register %d\n", n);
132 }
133 isb();
134 }
135 NOKPROBE_SYMBOL(write_wb_reg);
136
137 /*
138 * Convert a breakpoint privilege level to the corresponding exception
139 * level.
140 */
debug_exception_level(int privilege)141 static enum dbg_active_el debug_exception_level(int privilege)
142 {
143 switch (privilege) {
144 case AARCH64_BREAKPOINT_EL0:
145 return DBG_ACTIVE_EL0;
146 case AARCH64_BREAKPOINT_EL1:
147 return DBG_ACTIVE_EL1;
148 default:
149 pr_warn("invalid breakpoint privilege level %d\n", privilege);
150 return -EINVAL;
151 }
152 }
153 NOKPROBE_SYMBOL(debug_exception_level);
154
155 enum hw_breakpoint_ops {
156 HW_BREAKPOINT_INSTALL,
157 HW_BREAKPOINT_UNINSTALL,
158 HW_BREAKPOINT_RESTORE
159 };
160
is_compat_bp(struct perf_event * bp)161 static int is_compat_bp(struct perf_event *bp)
162 {
163 struct task_struct *tsk = bp->hw.target;
164
165 /*
166 * tsk can be NULL for per-cpu (non-ptrace) breakpoints.
167 * In this case, use the native interface, since we don't have
168 * the notion of a "compat CPU" and could end up relying on
169 * deprecated behaviour if we use unaligned watchpoints in
170 * AArch64 state.
171 */
172 return tsk && is_compat_thread(task_thread_info(tsk));
173 }
174
175 /**
176 * hw_breakpoint_slot_setup - Find and setup a perf slot according to
177 * operations
178 *
179 * @slots: pointer to array of slots
180 * @max_slots: max number of slots
181 * @bp: perf_event to setup
182 * @ops: operation to be carried out on the slot
183 *
184 * Return:
185 * slot index on success
186 * -ENOSPC if no slot is available/matches
187 * -EINVAL on wrong operations parameter
188 */
hw_breakpoint_slot_setup(struct perf_event ** slots,int max_slots,struct perf_event * bp,enum hw_breakpoint_ops ops)189 static int hw_breakpoint_slot_setup(struct perf_event **slots, int max_slots,
190 struct perf_event *bp,
191 enum hw_breakpoint_ops ops)
192 {
193 int i;
194 struct perf_event **slot;
195
196 for (i = 0; i < max_slots; ++i) {
197 slot = &slots[i];
198 switch (ops) {
199 case HW_BREAKPOINT_INSTALL:
200 if (!*slot) {
201 *slot = bp;
202 return i;
203 }
204 break;
205 case HW_BREAKPOINT_UNINSTALL:
206 if (*slot == bp) {
207 *slot = NULL;
208 return i;
209 }
210 break;
211 case HW_BREAKPOINT_RESTORE:
212 if (*slot == bp)
213 return i;
214 break;
215 default:
216 pr_warn_once("Unhandled hw breakpoint ops %d\n", ops);
217 return -EINVAL;
218 }
219 }
220 return -ENOSPC;
221 }
222
hw_breakpoint_control(struct perf_event * bp,enum hw_breakpoint_ops ops)223 static int hw_breakpoint_control(struct perf_event *bp,
224 enum hw_breakpoint_ops ops)
225 {
226 struct arch_hw_breakpoint *info = counter_arch_bp(bp);
227 struct perf_event **slots;
228 struct debug_info *debug_info = ¤t->thread.debug;
229 int i, max_slots, ctrl_reg, val_reg, reg_enable;
230 enum dbg_active_el dbg_el = debug_exception_level(info->ctrl.privilege);
231 u32 ctrl;
232
233 if (info->ctrl.type == ARM_BREAKPOINT_EXECUTE) {
234 /* Breakpoint */
235 ctrl_reg = AARCH64_DBG_REG_BCR;
236 val_reg = AARCH64_DBG_REG_BVR;
237 slots = this_cpu_ptr(bp_on_reg);
238 max_slots = core_num_brps;
239 reg_enable = !debug_info->bps_disabled;
240 } else {
241 /* Watchpoint */
242 ctrl_reg = AARCH64_DBG_REG_WCR;
243 val_reg = AARCH64_DBG_REG_WVR;
244 slots = this_cpu_ptr(wp_on_reg);
245 max_slots = core_num_wrps;
246 reg_enable = !debug_info->wps_disabled;
247 }
248
249 i = hw_breakpoint_slot_setup(slots, max_slots, bp, ops);
250
251 if (WARN_ONCE(i < 0, "Can't find any breakpoint slot"))
252 return i;
253
254 switch (ops) {
255 case HW_BREAKPOINT_INSTALL:
256 /*
257 * Ensure debug monitors are enabled at the correct exception
258 * level.
259 */
260 enable_debug_monitors(dbg_el);
261 fallthrough;
262 case HW_BREAKPOINT_RESTORE:
263 /* Setup the address register. */
264 write_wb_reg(val_reg, i, info->address);
265
266 /* Setup the control register. */
267 ctrl = encode_ctrl_reg(info->ctrl);
268 write_wb_reg(ctrl_reg, i,
269 reg_enable ? ctrl | 0x1 : ctrl & ~0x1);
270 break;
271 case HW_BREAKPOINT_UNINSTALL:
272 /* Reset the control register. */
273 write_wb_reg(ctrl_reg, i, 0);
274
275 /*
276 * Release the debug monitors for the correct exception
277 * level.
278 */
279 disable_debug_monitors(dbg_el);
280 break;
281 }
282
283 return 0;
284 }
285
286 /*
287 * Install a perf counter breakpoint.
288 */
arch_install_hw_breakpoint(struct perf_event * bp)289 int arch_install_hw_breakpoint(struct perf_event *bp)
290 {
291 return hw_breakpoint_control(bp, HW_BREAKPOINT_INSTALL);
292 }
293
arch_uninstall_hw_breakpoint(struct perf_event * bp)294 void arch_uninstall_hw_breakpoint(struct perf_event *bp)
295 {
296 hw_breakpoint_control(bp, HW_BREAKPOINT_UNINSTALL);
297 }
298
get_hbp_len(u8 hbp_len)299 static int get_hbp_len(u8 hbp_len)
300 {
301 unsigned int len_in_bytes = 0;
302
303 switch (hbp_len) {
304 case ARM_BREAKPOINT_LEN_1:
305 len_in_bytes = 1;
306 break;
307 case ARM_BREAKPOINT_LEN_2:
308 len_in_bytes = 2;
309 break;
310 case ARM_BREAKPOINT_LEN_3:
311 len_in_bytes = 3;
312 break;
313 case ARM_BREAKPOINT_LEN_4:
314 len_in_bytes = 4;
315 break;
316 case ARM_BREAKPOINT_LEN_5:
317 len_in_bytes = 5;
318 break;
319 case ARM_BREAKPOINT_LEN_6:
320 len_in_bytes = 6;
321 break;
322 case ARM_BREAKPOINT_LEN_7:
323 len_in_bytes = 7;
324 break;
325 case ARM_BREAKPOINT_LEN_8:
326 len_in_bytes = 8;
327 break;
328 }
329
330 return len_in_bytes;
331 }
332
333 /*
334 * Check whether bp virtual address is in kernel space.
335 */
arch_check_bp_in_kernelspace(struct arch_hw_breakpoint * hw)336 int arch_check_bp_in_kernelspace(struct arch_hw_breakpoint *hw)
337 {
338 unsigned int len;
339 unsigned long va;
340
341 va = hw->address;
342 len = get_hbp_len(hw->ctrl.len);
343
344 return (va >= TASK_SIZE) && ((va + len - 1) >= TASK_SIZE);
345 }
346
347 /*
348 * Extract generic type and length encodings from an arch_hw_breakpoint_ctrl.
349 * Hopefully this will disappear when ptrace can bypass the conversion
350 * to generic breakpoint descriptions.
351 */
arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,int * gen_len,int * gen_type,int * offset)352 int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,
353 int *gen_len, int *gen_type, int *offset)
354 {
355 /* Type */
356 switch (ctrl.type) {
357 case ARM_BREAKPOINT_EXECUTE:
358 *gen_type = HW_BREAKPOINT_X;
359 break;
360 case ARM_BREAKPOINT_LOAD:
361 *gen_type = HW_BREAKPOINT_R;
362 break;
363 case ARM_BREAKPOINT_STORE:
364 *gen_type = HW_BREAKPOINT_W;
365 break;
366 case ARM_BREAKPOINT_LOAD | ARM_BREAKPOINT_STORE:
367 *gen_type = HW_BREAKPOINT_RW;
368 break;
369 default:
370 return -EINVAL;
371 }
372
373 if (!ctrl.len)
374 return -EINVAL;
375 *offset = __ffs(ctrl.len);
376
377 /* Len */
378 switch (ctrl.len >> *offset) {
379 case ARM_BREAKPOINT_LEN_1:
380 *gen_len = HW_BREAKPOINT_LEN_1;
381 break;
382 case ARM_BREAKPOINT_LEN_2:
383 *gen_len = HW_BREAKPOINT_LEN_2;
384 break;
385 case ARM_BREAKPOINT_LEN_3:
386 *gen_len = HW_BREAKPOINT_LEN_3;
387 break;
388 case ARM_BREAKPOINT_LEN_4:
389 *gen_len = HW_BREAKPOINT_LEN_4;
390 break;
391 case ARM_BREAKPOINT_LEN_5:
392 *gen_len = HW_BREAKPOINT_LEN_5;
393 break;
394 case ARM_BREAKPOINT_LEN_6:
395 *gen_len = HW_BREAKPOINT_LEN_6;
396 break;
397 case ARM_BREAKPOINT_LEN_7:
398 *gen_len = HW_BREAKPOINT_LEN_7;
399 break;
400 case ARM_BREAKPOINT_LEN_8:
401 *gen_len = HW_BREAKPOINT_LEN_8;
402 break;
403 default:
404 return -EINVAL;
405 }
406
407 return 0;
408 }
409
410 /*
411 * Construct an arch_hw_breakpoint from a perf_event.
412 */
arch_build_bp_info(struct perf_event * bp,const struct perf_event_attr * attr,struct arch_hw_breakpoint * hw)413 static int arch_build_bp_info(struct perf_event *bp,
414 const struct perf_event_attr *attr,
415 struct arch_hw_breakpoint *hw)
416 {
417 /* Type */
418 switch (attr->bp_type) {
419 case HW_BREAKPOINT_X:
420 hw->ctrl.type = ARM_BREAKPOINT_EXECUTE;
421 break;
422 case HW_BREAKPOINT_R:
423 hw->ctrl.type = ARM_BREAKPOINT_LOAD;
424 break;
425 case HW_BREAKPOINT_W:
426 hw->ctrl.type = ARM_BREAKPOINT_STORE;
427 break;
428 case HW_BREAKPOINT_RW:
429 hw->ctrl.type = ARM_BREAKPOINT_LOAD | ARM_BREAKPOINT_STORE;
430 break;
431 default:
432 return -EINVAL;
433 }
434
435 /* Len */
436 switch (attr->bp_len) {
437 case HW_BREAKPOINT_LEN_1:
438 hw->ctrl.len = ARM_BREAKPOINT_LEN_1;
439 break;
440 case HW_BREAKPOINT_LEN_2:
441 hw->ctrl.len = ARM_BREAKPOINT_LEN_2;
442 break;
443 case HW_BREAKPOINT_LEN_3:
444 hw->ctrl.len = ARM_BREAKPOINT_LEN_3;
445 break;
446 case HW_BREAKPOINT_LEN_4:
447 hw->ctrl.len = ARM_BREAKPOINT_LEN_4;
448 break;
449 case HW_BREAKPOINT_LEN_5:
450 hw->ctrl.len = ARM_BREAKPOINT_LEN_5;
451 break;
452 case HW_BREAKPOINT_LEN_6:
453 hw->ctrl.len = ARM_BREAKPOINT_LEN_6;
454 break;
455 case HW_BREAKPOINT_LEN_7:
456 hw->ctrl.len = ARM_BREAKPOINT_LEN_7;
457 break;
458 case HW_BREAKPOINT_LEN_8:
459 hw->ctrl.len = ARM_BREAKPOINT_LEN_8;
460 break;
461 default:
462 return -EINVAL;
463 }
464
465 /*
466 * On AArch64, we only permit breakpoints of length 4, whereas
467 * AArch32 also requires breakpoints of length 2 for Thumb.
468 * Watchpoints can be of length 1, 2, 4 or 8 bytes.
469 */
470 if (hw->ctrl.type == ARM_BREAKPOINT_EXECUTE) {
471 if (is_compat_bp(bp)) {
472 if (hw->ctrl.len != ARM_BREAKPOINT_LEN_2 &&
473 hw->ctrl.len != ARM_BREAKPOINT_LEN_4)
474 return -EINVAL;
475 } else if (hw->ctrl.len != ARM_BREAKPOINT_LEN_4) {
476 /*
477 * FIXME: Some tools (I'm looking at you perf) assume
478 * that breakpoints should be sizeof(long). This
479 * is nonsense. For now, we fix up the parameter
480 * but we should probably return -EINVAL instead.
481 */
482 hw->ctrl.len = ARM_BREAKPOINT_LEN_4;
483 }
484 }
485
486 /* Address */
487 hw->address = attr->bp_addr;
488
489 /*
490 * Privilege
491 * Note that we disallow combined EL0/EL1 breakpoints because
492 * that would complicate the stepping code.
493 */
494 if (arch_check_bp_in_kernelspace(hw))
495 hw->ctrl.privilege = AARCH64_BREAKPOINT_EL1;
496 else
497 hw->ctrl.privilege = AARCH64_BREAKPOINT_EL0;
498
499 /* Enabled? */
500 hw->ctrl.enabled = !attr->disabled;
501
502 return 0;
503 }
504
505 /*
506 * Validate the arch-specific HW Breakpoint register settings.
507 */
hw_breakpoint_arch_parse(struct perf_event * bp,const struct perf_event_attr * attr,struct arch_hw_breakpoint * hw)508 int hw_breakpoint_arch_parse(struct perf_event *bp,
509 const struct perf_event_attr *attr,
510 struct arch_hw_breakpoint *hw)
511 {
512 int ret;
513 u64 alignment_mask, offset;
514
515 /* Build the arch_hw_breakpoint. */
516 ret = arch_build_bp_info(bp, attr, hw);
517 if (ret)
518 return ret;
519
520 /*
521 * Check address alignment.
522 * We don't do any clever alignment correction for watchpoints
523 * because using 64-bit unaligned addresses is deprecated for
524 * AArch64.
525 *
526 * AArch32 tasks expect some simple alignment fixups, so emulate
527 * that here.
528 */
529 if (is_compat_bp(bp)) {
530 if (hw->ctrl.len == ARM_BREAKPOINT_LEN_8)
531 alignment_mask = 0x7;
532 else
533 alignment_mask = 0x3;
534 offset = hw->address & alignment_mask;
535 switch (offset) {
536 case 0:
537 /* Aligned */
538 break;
539 case 1:
540 case 2:
541 /* Allow halfword watchpoints and breakpoints. */
542 if (hw->ctrl.len == ARM_BREAKPOINT_LEN_2)
543 break;
544
545 fallthrough;
546 case 3:
547 /* Allow single byte watchpoint. */
548 if (hw->ctrl.len == ARM_BREAKPOINT_LEN_1)
549 break;
550
551 fallthrough;
552 default:
553 return -EINVAL;
554 }
555 } else {
556 if (hw->ctrl.type == ARM_BREAKPOINT_EXECUTE)
557 alignment_mask = 0x3;
558 else
559 alignment_mask = 0x7;
560 offset = hw->address & alignment_mask;
561 }
562
563 hw->address &= ~alignment_mask;
564 hw->ctrl.len <<= offset;
565
566 /*
567 * Disallow per-task kernel breakpoints since these would
568 * complicate the stepping code.
569 */
570 if (hw->ctrl.privilege == AARCH64_BREAKPOINT_EL1 && bp->hw.target)
571 return -EINVAL;
572
573 return 0;
574 }
575
576 /*
577 * Enable/disable all of the breakpoints active at the specified
578 * exception level at the register level.
579 * This is used when single-stepping after a breakpoint exception.
580 */
toggle_bp_registers(int reg,enum dbg_active_el el,int enable)581 static void toggle_bp_registers(int reg, enum dbg_active_el el, int enable)
582 {
583 int i, max_slots, privilege;
584 u32 ctrl;
585 struct perf_event **slots;
586
587 switch (reg) {
588 case AARCH64_DBG_REG_BCR:
589 slots = this_cpu_ptr(bp_on_reg);
590 max_slots = core_num_brps;
591 break;
592 case AARCH64_DBG_REG_WCR:
593 slots = this_cpu_ptr(wp_on_reg);
594 max_slots = core_num_wrps;
595 break;
596 default:
597 return;
598 }
599
600 for (i = 0; i < max_slots; ++i) {
601 if (!slots[i])
602 continue;
603
604 privilege = counter_arch_bp(slots[i])->ctrl.privilege;
605 if (debug_exception_level(privilege) != el)
606 continue;
607
608 ctrl = read_wb_reg(reg, i);
609 if (enable)
610 ctrl |= 0x1;
611 else
612 ctrl &= ~0x1;
613 write_wb_reg(reg, i, ctrl);
614 }
615 }
616 NOKPROBE_SYMBOL(toggle_bp_registers);
617
618 /*
619 * Debug exception handlers.
620 */
breakpoint_handler(unsigned long unused,unsigned long esr,struct pt_regs * regs)621 static int breakpoint_handler(unsigned long unused, unsigned long esr,
622 struct pt_regs *regs)
623 {
624 int i, step = 0, *kernel_step;
625 u32 ctrl_reg;
626 u64 addr, val;
627 struct perf_event *bp, **slots;
628 struct debug_info *debug_info;
629 struct arch_hw_breakpoint_ctrl ctrl;
630
631 slots = this_cpu_ptr(bp_on_reg);
632 addr = instruction_pointer(regs);
633 debug_info = ¤t->thread.debug;
634
635 for (i = 0; i < core_num_brps; ++i) {
636 rcu_read_lock();
637
638 bp = slots[i];
639
640 if (bp == NULL)
641 goto unlock;
642
643 /* Check if the breakpoint value matches. */
644 val = read_wb_reg(AARCH64_DBG_REG_BVR, i);
645 if (val != (addr & ~0x3))
646 goto unlock;
647
648 /* Possible match, check the byte address select to confirm. */
649 ctrl_reg = read_wb_reg(AARCH64_DBG_REG_BCR, i);
650 decode_ctrl_reg(ctrl_reg, &ctrl);
651 if (!((1 << (addr & 0x3)) & ctrl.len))
652 goto unlock;
653
654 counter_arch_bp(bp)->trigger = addr;
655 perf_bp_event(bp, regs);
656
657 /* Do we need to handle the stepping? */
658 if (is_default_overflow_handler(bp))
659 step = 1;
660 unlock:
661 rcu_read_unlock();
662 }
663
664 if (!step)
665 return 0;
666
667 if (user_mode(regs)) {
668 debug_info->bps_disabled = 1;
669 toggle_bp_registers(AARCH64_DBG_REG_BCR, DBG_ACTIVE_EL0, 0);
670
671 /* If we're already stepping a watchpoint, just return. */
672 if (debug_info->wps_disabled)
673 return 0;
674
675 if (test_thread_flag(TIF_SINGLESTEP))
676 debug_info->suspended_step = 1;
677 else
678 user_enable_single_step(current);
679 } else {
680 toggle_bp_registers(AARCH64_DBG_REG_BCR, DBG_ACTIVE_EL1, 0);
681 kernel_step = this_cpu_ptr(&stepping_kernel_bp);
682
683 if (*kernel_step != ARM_KERNEL_STEP_NONE)
684 return 0;
685
686 if (kernel_active_single_step()) {
687 *kernel_step = ARM_KERNEL_STEP_SUSPEND;
688 } else {
689 *kernel_step = ARM_KERNEL_STEP_ACTIVE;
690 kernel_enable_single_step(regs);
691 }
692 }
693
694 return 0;
695 }
696 NOKPROBE_SYMBOL(breakpoint_handler);
697
698 /*
699 * Arm64 hardware does not always report a watchpoint hit address that matches
700 * one of the watchpoints set. It can also report an address "near" the
701 * watchpoint if a single instruction access both watched and unwatched
702 * addresses. There is no straight-forward way, short of disassembling the
703 * offending instruction, to map that address back to the watchpoint. This
704 * function computes the distance of the memory access from the watchpoint as a
705 * heuristic for the likelihood that a given access triggered the watchpoint.
706 *
707 * See Section D2.10.5 "Determining the memory location that caused a Watchpoint
708 * exception" of ARMv8 Architecture Reference Manual for details.
709 *
710 * The function returns the distance of the address from the bytes watched by
711 * the watchpoint. In case of an exact match, it returns 0.
712 */
get_distance_from_watchpoint(unsigned long addr,u64 val,struct arch_hw_breakpoint_ctrl * ctrl)713 static u64 get_distance_from_watchpoint(unsigned long addr, u64 val,
714 struct arch_hw_breakpoint_ctrl *ctrl)
715 {
716 u64 wp_low, wp_high;
717 u32 lens, lene;
718
719 addr = untagged_addr(addr);
720
721 lens = __ffs(ctrl->len);
722 lene = __fls(ctrl->len);
723
724 wp_low = val + lens;
725 wp_high = val + lene;
726 if (addr < wp_low)
727 return wp_low - addr;
728 else if (addr > wp_high)
729 return addr - wp_high;
730 else
731 return 0;
732 }
733
watchpoint_report(struct perf_event * wp,unsigned long addr,struct pt_regs * regs)734 static int watchpoint_report(struct perf_event *wp, unsigned long addr,
735 struct pt_regs *regs)
736 {
737 int step = is_default_overflow_handler(wp);
738 struct arch_hw_breakpoint *info = counter_arch_bp(wp);
739
740 info->trigger = addr;
741
742 /*
743 * If we triggered a user watchpoint from a uaccess routine, then
744 * handle the stepping ourselves since userspace really can't help
745 * us with this.
746 */
747 if (!user_mode(regs) && info->ctrl.privilege == AARCH64_BREAKPOINT_EL0)
748 step = 1;
749 else
750 perf_bp_event(wp, regs);
751
752 return step;
753 }
754
watchpoint_handler(unsigned long addr,unsigned long esr,struct pt_regs * regs)755 static int watchpoint_handler(unsigned long addr, unsigned long esr,
756 struct pt_regs *regs)
757 {
758 int i, step = 0, *kernel_step, access, closest_match = 0;
759 u64 min_dist = -1, dist;
760 u32 ctrl_reg;
761 u64 val;
762 struct perf_event *wp, **slots;
763 struct debug_info *debug_info;
764 struct arch_hw_breakpoint_ctrl ctrl;
765
766 slots = this_cpu_ptr(wp_on_reg);
767 debug_info = ¤t->thread.debug;
768
769 /*
770 * Find all watchpoints that match the reported address. If no exact
771 * match is found. Attribute the hit to the closest watchpoint.
772 */
773 rcu_read_lock();
774 for (i = 0; i < core_num_wrps; ++i) {
775 wp = slots[i];
776 if (wp == NULL)
777 continue;
778
779 /*
780 * Check that the access type matches.
781 * 0 => load, otherwise => store
782 */
783 access = (esr & ESR_ELx_WNR) ? HW_BREAKPOINT_W :
784 HW_BREAKPOINT_R;
785 if (!(access & hw_breakpoint_type(wp)))
786 continue;
787
788 /* Check if the watchpoint value and byte select match. */
789 val = read_wb_reg(AARCH64_DBG_REG_WVR, i);
790 ctrl_reg = read_wb_reg(AARCH64_DBG_REG_WCR, i);
791 decode_ctrl_reg(ctrl_reg, &ctrl);
792 dist = get_distance_from_watchpoint(addr, val, &ctrl);
793 if (dist < min_dist) {
794 min_dist = dist;
795 closest_match = i;
796 }
797 /* Is this an exact match? */
798 if (dist != 0)
799 continue;
800
801 step = watchpoint_report(wp, addr, regs);
802 }
803
804 /* No exact match found? */
805 if (min_dist > 0 && min_dist != -1)
806 step = watchpoint_report(slots[closest_match], addr, regs);
807
808 rcu_read_unlock();
809
810 if (!step)
811 return 0;
812
813 /*
814 * We always disable EL0 watchpoints because the kernel can
815 * cause these to fire via an unprivileged access.
816 */
817 toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL0, 0);
818
819 if (user_mode(regs)) {
820 debug_info->wps_disabled = 1;
821
822 /* If we're already stepping a breakpoint, just return. */
823 if (debug_info->bps_disabled)
824 return 0;
825
826 if (test_thread_flag(TIF_SINGLESTEP))
827 debug_info->suspended_step = 1;
828 else
829 user_enable_single_step(current);
830 } else {
831 toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL1, 0);
832 kernel_step = this_cpu_ptr(&stepping_kernel_bp);
833
834 if (*kernel_step != ARM_KERNEL_STEP_NONE)
835 return 0;
836
837 if (kernel_active_single_step()) {
838 *kernel_step = ARM_KERNEL_STEP_SUSPEND;
839 } else {
840 *kernel_step = ARM_KERNEL_STEP_ACTIVE;
841 kernel_enable_single_step(regs);
842 }
843 }
844
845 return 0;
846 }
847 NOKPROBE_SYMBOL(watchpoint_handler);
848
849 /*
850 * Handle single-step exception.
851 */
reinstall_suspended_bps(struct pt_regs * regs)852 int reinstall_suspended_bps(struct pt_regs *regs)
853 {
854 struct debug_info *debug_info = ¤t->thread.debug;
855 int handled_exception = 0, *kernel_step;
856
857 kernel_step = this_cpu_ptr(&stepping_kernel_bp);
858
859 /*
860 * Called from single-step exception handler.
861 * Return 0 if execution can resume, 1 if a SIGTRAP should be
862 * reported.
863 */
864 if (user_mode(regs)) {
865 if (debug_info->bps_disabled) {
866 debug_info->bps_disabled = 0;
867 toggle_bp_registers(AARCH64_DBG_REG_BCR, DBG_ACTIVE_EL0, 1);
868 handled_exception = 1;
869 }
870
871 if (debug_info->wps_disabled) {
872 debug_info->wps_disabled = 0;
873 toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL0, 1);
874 handled_exception = 1;
875 }
876
877 if (handled_exception) {
878 if (debug_info->suspended_step) {
879 debug_info->suspended_step = 0;
880 /* Allow exception handling to fall-through. */
881 handled_exception = 0;
882 } else {
883 user_disable_single_step(current);
884 }
885 }
886 } else if (*kernel_step != ARM_KERNEL_STEP_NONE) {
887 toggle_bp_registers(AARCH64_DBG_REG_BCR, DBG_ACTIVE_EL1, 1);
888 toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL1, 1);
889
890 if (!debug_info->wps_disabled)
891 toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL0, 1);
892
893 if (*kernel_step != ARM_KERNEL_STEP_SUSPEND) {
894 kernel_disable_single_step();
895 handled_exception = 1;
896 } else {
897 handled_exception = 0;
898 }
899
900 *kernel_step = ARM_KERNEL_STEP_NONE;
901 }
902
903 return !handled_exception;
904 }
905 NOKPROBE_SYMBOL(reinstall_suspended_bps);
906
907 /*
908 * Context-switcher for restoring suspended breakpoints.
909 */
hw_breakpoint_thread_switch(struct task_struct * next)910 void hw_breakpoint_thread_switch(struct task_struct *next)
911 {
912 /*
913 * current next
914 * disabled: 0 0 => The usual case, NOTIFY_DONE
915 * 0 1 => Disable the registers
916 * 1 0 => Enable the registers
917 * 1 1 => NOTIFY_DONE. per-task bps will
918 * get taken care of by perf.
919 */
920
921 struct debug_info *current_debug_info, *next_debug_info;
922
923 current_debug_info = ¤t->thread.debug;
924 next_debug_info = &next->thread.debug;
925
926 /* Update breakpoints. */
927 if (current_debug_info->bps_disabled != next_debug_info->bps_disabled)
928 toggle_bp_registers(AARCH64_DBG_REG_BCR,
929 DBG_ACTIVE_EL0,
930 !next_debug_info->bps_disabled);
931
932 /* Update watchpoints. */
933 if (current_debug_info->wps_disabled != next_debug_info->wps_disabled)
934 toggle_bp_registers(AARCH64_DBG_REG_WCR,
935 DBG_ACTIVE_EL0,
936 !next_debug_info->wps_disabled);
937 }
938
939 /*
940 * CPU initialisation.
941 */
hw_breakpoint_reset(unsigned int cpu)942 static int hw_breakpoint_reset(unsigned int cpu)
943 {
944 int i;
945 struct perf_event **slots;
946 /*
947 * When a CPU goes through cold-boot, it does not have any installed
948 * slot, so it is safe to share the same function for restoring and
949 * resetting breakpoints; when a CPU is hotplugged in, it goes
950 * through the slots, which are all empty, hence it just resets control
951 * and value for debug registers.
952 * When this function is triggered on warm-boot through a CPU PM
953 * notifier some slots might be initialized; if so they are
954 * reprogrammed according to the debug slots content.
955 */
956 for (slots = this_cpu_ptr(bp_on_reg), i = 0; i < core_num_brps; ++i) {
957 if (slots[i]) {
958 hw_breakpoint_control(slots[i], HW_BREAKPOINT_RESTORE);
959 } else {
960 write_wb_reg(AARCH64_DBG_REG_BCR, i, 0UL);
961 write_wb_reg(AARCH64_DBG_REG_BVR, i, 0UL);
962 }
963 }
964
965 for (slots = this_cpu_ptr(wp_on_reg), i = 0; i < core_num_wrps; ++i) {
966 if (slots[i]) {
967 hw_breakpoint_control(slots[i], HW_BREAKPOINT_RESTORE);
968 } else {
969 write_wb_reg(AARCH64_DBG_REG_WCR, i, 0UL);
970 write_wb_reg(AARCH64_DBG_REG_WVR, i, 0UL);
971 }
972 }
973
974 return 0;
975 }
976
977 /*
978 * One-time initialisation.
979 */
arch_hw_breakpoint_init(void)980 static int __init arch_hw_breakpoint_init(void)
981 {
982 int ret;
983
984 core_num_brps = get_num_brps();
985 core_num_wrps = get_num_wrps();
986
987 pr_info("found %d breakpoint and %d watchpoint registers.\n",
988 core_num_brps, core_num_wrps);
989
990 /* Register debug fault handlers. */
991 hook_debug_fault_code(DBG_ESR_EVT_HWBP, breakpoint_handler, SIGTRAP,
992 TRAP_HWBKPT, "hw-breakpoint handler");
993 hook_debug_fault_code(DBG_ESR_EVT_HWWP, watchpoint_handler, SIGTRAP,
994 TRAP_HWBKPT, "hw-watchpoint handler");
995
996 /*
997 * Reset the breakpoint resources. We assume that a halting
998 * debugger will leave the world in a nice state for us.
999 */
1000 ret = cpuhp_setup_state(CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING,
1001 "perf/arm64/hw_breakpoint:starting",
1002 hw_breakpoint_reset, NULL);
1003 if (ret)
1004 pr_err("failed to register CPU hotplug notifier: %d\n", ret);
1005
1006 /* Register cpu_suspend hw breakpoint restore hook */
1007 cpu_suspend_set_dbg_restorer(hw_breakpoint_reset);
1008
1009 return ret;
1010 }
1011 arch_initcall(arch_hw_breakpoint_init);
1012
hw_breakpoint_pmu_read(struct perf_event * bp)1013 void hw_breakpoint_pmu_read(struct perf_event *bp)
1014 {
1015 }
1016
1017 /*
1018 * Dummy function to register with die_notifier.
1019 */
hw_breakpoint_exceptions_notify(struct notifier_block * unused,unsigned long val,void * data)1020 int hw_breakpoint_exceptions_notify(struct notifier_block *unused,
1021 unsigned long val, void *data)
1022 {
1023 return NOTIFY_DONE;
1024 }
1025