1 // SPDX-License-Identifier: GPL-2.0+ 2 3 #define pr_fmt(fmt) "kprobes: " fmt 4 5 #include <linux/kprobes.h> 6 #include <linux/extable.h> 7 #include <linux/slab.h> 8 #include <linux/stop_machine.h> 9 #include <linux/vmalloc.h> 10 #include <asm/ptrace.h> 11 #include <linux/uaccess.h> 12 #include <asm/sections.h> 13 #include <asm/cacheflush.h> 14 #include <asm/bug.h> 15 #include <asm/patch.h> 16 17 #include "decode-insn.h" 18 19 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; 20 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 21 22 static void __kprobes 23 post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *); 24 25 static void __kprobes arch_prepare_ss_slot(struct kprobe *p) 26 { 27 u32 insn = __BUG_INSN_32; 28 unsigned long offset = GET_INSN_LENGTH(p->opcode); 29 30 p->ainsn.api.restore = (unsigned long)p->addr + offset; 31 32 patch_text(p->ainsn.api.insn, &p->opcode, 1); 33 patch_text((void *)((unsigned long)(p->ainsn.api.insn) + offset), 34 &insn, 1); 35 } 36 37 static void __kprobes arch_prepare_simulate(struct kprobe *p) 38 { 39 p->ainsn.api.restore = 0; 40 } 41 42 static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs) 43 { 44 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 45 46 if (p->ainsn.api.handler) 47 p->ainsn.api.handler((u32)p->opcode, 48 (unsigned long)p->addr, regs); 49 50 post_kprobe_handler(p, kcb, regs); 51 } 52 53 static bool __kprobes arch_check_kprobe(struct kprobe *p) 54 { 55 unsigned long tmp = (unsigned long)p->addr - p->offset; 56 unsigned long addr = (unsigned long)p->addr; 57 58 while (tmp <= addr) { 59 if (tmp == addr) 60 return true; 61 62 tmp += GET_INSN_LENGTH(*(u16 *)tmp); 63 } 64 65 return false; 66 } 67 68 int __kprobes arch_prepare_kprobe(struct kprobe *p) 69 { 70 u16 *insn = (u16 *)p->addr; 71 72 if ((unsigned long)insn & 0x1) 73 return -EILSEQ; 74 75 if (!arch_check_kprobe(p)) 76 return -EILSEQ; 77 78 /* copy instruction */ 79 p->opcode = (kprobe_opcode_t)(*insn++); 80 if (GET_INSN_LENGTH(p->opcode) == 4) 81 p->opcode |= (kprobe_opcode_t)(*insn) << 16; 82 83 /* decode instruction */ 84 switch (riscv_probe_decode_insn(p->addr, &p->ainsn.api)) { 85 case INSN_REJECTED: /* insn not supported */ 86 return -EINVAL; 87 88 case INSN_GOOD_NO_SLOT: /* insn need simulation */ 89 p->ainsn.api.insn = NULL; 90 break; 91 92 case INSN_GOOD: /* instruction uses slot */ 93 p->ainsn.api.insn = get_insn_slot(); 94 if (!p->ainsn.api.insn) 95 return -ENOMEM; 96 break; 97 } 98 99 /* prepare the instruction */ 100 if (p->ainsn.api.insn) 101 arch_prepare_ss_slot(p); 102 else 103 arch_prepare_simulate(p); 104 105 return 0; 106 } 107 108 /* install breakpoint in text */ 109 void __kprobes arch_arm_kprobe(struct kprobe *p) 110 { 111 u32 insn = (p->opcode & __INSN_LENGTH_MASK) == __INSN_LENGTH_32 ? 112 __BUG_INSN_32 : __BUG_INSN_16; 113 114 patch_text(p->addr, &insn, 1); 115 } 116 117 /* remove breakpoint from text */ 118 void __kprobes arch_disarm_kprobe(struct kprobe *p) 119 { 120 patch_text(p->addr, &p->opcode, 1); 121 } 122 123 void __kprobes arch_remove_kprobe(struct kprobe *p) 124 { 125 } 126 127 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb) 128 { 129 kcb->prev_kprobe.kp = kprobe_running(); 130 kcb->prev_kprobe.status = kcb->kprobe_status; 131 } 132 133 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb) 134 { 135 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); 136 kcb->kprobe_status = kcb->prev_kprobe.status; 137 } 138 139 static void __kprobes set_current_kprobe(struct kprobe *p) 140 { 141 __this_cpu_write(current_kprobe, p); 142 } 143 144 /* 145 * Interrupts need to be disabled before single-step mode is set, and not 146 * reenabled until after single-step mode ends. 147 * Without disabling interrupt on local CPU, there is a chance of 148 * interrupt occurrence in the period of exception return and start of 149 * out-of-line single-step, that result in wrongly single stepping 150 * into the interrupt handler. 151 */ 152 static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb, 153 struct pt_regs *regs) 154 { 155 kcb->saved_status = regs->status; 156 regs->status &= ~SR_SPIE; 157 } 158 159 static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb, 160 struct pt_regs *regs) 161 { 162 regs->status = kcb->saved_status; 163 } 164 165 static void __kprobes setup_singlestep(struct kprobe *p, 166 struct pt_regs *regs, 167 struct kprobe_ctlblk *kcb, int reenter) 168 { 169 unsigned long slot; 170 171 if (reenter) { 172 save_previous_kprobe(kcb); 173 set_current_kprobe(p); 174 kcb->kprobe_status = KPROBE_REENTER; 175 } else { 176 kcb->kprobe_status = KPROBE_HIT_SS; 177 } 178 179 if (p->ainsn.api.insn) { 180 /* prepare for single stepping */ 181 slot = (unsigned long)p->ainsn.api.insn; 182 183 /* IRQs and single stepping do not mix well. */ 184 kprobes_save_local_irqflag(kcb, regs); 185 186 instruction_pointer_set(regs, slot); 187 } else { 188 /* insn simulation */ 189 arch_simulate_insn(p, regs); 190 } 191 } 192 193 static int __kprobes reenter_kprobe(struct kprobe *p, 194 struct pt_regs *regs, 195 struct kprobe_ctlblk *kcb) 196 { 197 switch (kcb->kprobe_status) { 198 case KPROBE_HIT_SSDONE: 199 case KPROBE_HIT_ACTIVE: 200 kprobes_inc_nmissed_count(p); 201 setup_singlestep(p, regs, kcb, 1); 202 break; 203 case KPROBE_HIT_SS: 204 case KPROBE_REENTER: 205 pr_warn("Failed to recover from reentered kprobes.\n"); 206 dump_kprobe(p); 207 BUG(); 208 break; 209 default: 210 WARN_ON(1); 211 return 0; 212 } 213 214 return 1; 215 } 216 217 static void __kprobes 218 post_kprobe_handler(struct kprobe *cur, struct kprobe_ctlblk *kcb, struct pt_regs *regs) 219 { 220 /* return addr restore if non-branching insn */ 221 if (cur->ainsn.api.restore != 0) 222 regs->epc = cur->ainsn.api.restore; 223 224 /* restore back original saved kprobe variables and continue */ 225 if (kcb->kprobe_status == KPROBE_REENTER) { 226 restore_previous_kprobe(kcb); 227 return; 228 } 229 230 /* call post handler */ 231 kcb->kprobe_status = KPROBE_HIT_SSDONE; 232 if (cur->post_handler) { 233 /* post_handler can hit breakpoint and single step 234 * again, so we enable D-flag for recursive exception. 235 */ 236 cur->post_handler(cur, regs, 0); 237 } 238 239 reset_current_kprobe(); 240 } 241 242 int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int trapnr) 243 { 244 struct kprobe *cur = kprobe_running(); 245 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 246 247 switch (kcb->kprobe_status) { 248 case KPROBE_HIT_SS: 249 case KPROBE_REENTER: 250 /* 251 * We are here because the instruction being single 252 * stepped caused a page fault. We reset the current 253 * kprobe and the ip points back to the probe address 254 * and allow the page fault handler to continue as a 255 * normal page fault. 256 */ 257 regs->epc = (unsigned long) cur->addr; 258 BUG_ON(!instruction_pointer(regs)); 259 260 if (kcb->kprobe_status == KPROBE_REENTER) 261 restore_previous_kprobe(kcb); 262 else { 263 kprobes_restore_local_irqflag(kcb, regs); 264 reset_current_kprobe(); 265 } 266 267 break; 268 case KPROBE_HIT_ACTIVE: 269 case KPROBE_HIT_SSDONE: 270 /* 271 * In case the user-specified fault handler returned 272 * zero, try to fix up. 273 */ 274 if (fixup_exception(regs)) 275 return 1; 276 } 277 return 0; 278 } 279 280 bool __kprobes 281 kprobe_breakpoint_handler(struct pt_regs *regs) 282 { 283 struct kprobe *p, *cur_kprobe; 284 struct kprobe_ctlblk *kcb; 285 unsigned long addr = instruction_pointer(regs); 286 287 kcb = get_kprobe_ctlblk(); 288 cur_kprobe = kprobe_running(); 289 290 p = get_kprobe((kprobe_opcode_t *) addr); 291 292 if (p) { 293 if (cur_kprobe) { 294 if (reenter_kprobe(p, regs, kcb)) 295 return true; 296 } else { 297 /* Probe hit */ 298 set_current_kprobe(p); 299 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 300 301 /* 302 * If we have no pre-handler or it returned 0, we 303 * continue with normal processing. If we have a 304 * pre-handler and it returned non-zero, it will 305 * modify the execution path and no need to single 306 * stepping. Let's just reset current kprobe and exit. 307 * 308 * pre_handler can hit a breakpoint and can step thru 309 * before return. 310 */ 311 if (!p->pre_handler || !p->pre_handler(p, regs)) 312 setup_singlestep(p, regs, kcb, 0); 313 else 314 reset_current_kprobe(); 315 } 316 return true; 317 } 318 319 /* 320 * The breakpoint instruction was removed right 321 * after we hit it. Another cpu has removed 322 * either a probepoint or a debugger breakpoint 323 * at this address. In either case, no further 324 * handling of this interrupt is appropriate. 325 * Return back to original instruction, and continue. 326 */ 327 return false; 328 } 329 330 bool __kprobes 331 kprobe_single_step_handler(struct pt_regs *regs) 332 { 333 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 334 unsigned long addr = instruction_pointer(regs); 335 struct kprobe *cur = kprobe_running(); 336 337 if (cur && (kcb->kprobe_status & (KPROBE_HIT_SS | KPROBE_REENTER)) && 338 ((unsigned long)&cur->ainsn.api.insn[0] + GET_INSN_LENGTH(cur->opcode) == addr)) { 339 kprobes_restore_local_irqflag(kcb, regs); 340 post_kprobe_handler(cur, kcb, regs); 341 return true; 342 } 343 /* not ours, kprobes should ignore it */ 344 return false; 345 } 346 347 /* 348 * Provide a blacklist of symbols identifying ranges which cannot be kprobed. 349 * This blacklist is exposed to userspace via debugfs (kprobes/blacklist). 350 */ 351 int __init arch_populate_kprobe_blacklist(void) 352 { 353 int ret; 354 355 ret = kprobe_add_area_blacklist((unsigned long)__irqentry_text_start, 356 (unsigned long)__irqentry_text_end); 357 return ret; 358 } 359 360 int __kprobes arch_trampoline_kprobe(struct kprobe *p) 361 { 362 return 0; 363 } 364 365 int __init arch_init_kprobes(void) 366 { 367 return 0; 368 } 369