1 /* 2 * Kernel Probes (KProbes) 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License as published by 6 * the Free Software Foundation; either version 2 of the License, or 7 * (at your option) any later version. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, write to the Free Software 16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 17 * 18 * Copyright (C) IBM Corporation, 2002, 2006 19 * 20 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com> 21 */ 22 23 #include <linux/kprobes.h> 24 #include <linux/ptrace.h> 25 #include <linux/preempt.h> 26 #include <linux/stop_machine.h> 27 #include <linux/kdebug.h> 28 #include <linux/uaccess.h> 29 #include <asm/cacheflush.h> 30 #include <asm/sections.h> 31 #include <linux/module.h> 32 #include <linux/slab.h> 33 #include <linux/hardirq.h> 34 35 DEFINE_PER_CPU(struct kprobe *, current_kprobe); 36 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 37 38 struct kretprobe_blackpoint kretprobe_blacklist[] = { }; 39 40 static int __kprobes is_prohibited_opcode(kprobe_opcode_t *insn) 41 { 42 switch (insn[0] >> 8) { 43 case 0x0c: /* bassm */ 44 case 0x0b: /* bsm */ 45 case 0x83: /* diag */ 46 case 0x44: /* ex */ 47 case 0xac: /* stnsm */ 48 case 0xad: /* stosm */ 49 return -EINVAL; 50 } 51 switch (insn[0]) { 52 case 0x0101: /* pr */ 53 case 0xb25a: /* bsa */ 54 case 0xb240: /* bakr */ 55 case 0xb258: /* bsg */ 56 case 0xb218: /* pc */ 57 case 0xb228: /* pt */ 58 case 0xb98d: /* epsw */ 59 return -EINVAL; 60 } 61 return 0; 62 } 63 64 static int __kprobes get_fixup_type(kprobe_opcode_t *insn) 65 { 66 /* default fixup method */ 67 int fixup = FIXUP_PSW_NORMAL; 68 69 switch (insn[0] >> 8) { 70 case 0x05: /* balr */ 71 case 0x0d: /* basr */ 72 fixup = FIXUP_RETURN_REGISTER; 73 /* if r2 = 0, no branch will be taken */ 74 if ((insn[0] & 0x0f) == 0) 75 fixup |= FIXUP_BRANCH_NOT_TAKEN; 76 break; 77 case 0x06: /* bctr */ 78 case 0x07: /* bcr */ 79 fixup = FIXUP_BRANCH_NOT_TAKEN; 80 break; 81 case 0x45: /* bal */ 82 case 0x4d: /* bas */ 83 fixup = FIXUP_RETURN_REGISTER; 84 break; 85 case 0x47: /* bc */ 86 case 0x46: /* bct */ 87 case 0x86: /* bxh */ 88 case 0x87: /* bxle */ 89 fixup = FIXUP_BRANCH_NOT_TAKEN; 90 break; 91 case 0x82: /* lpsw */ 92 fixup = FIXUP_NOT_REQUIRED; 93 break; 94 case 0xb2: /* lpswe */ 95 if ((insn[0] & 0xff) == 0xb2) 96 fixup = FIXUP_NOT_REQUIRED; 97 break; 98 case 0xa7: /* bras */ 99 if ((insn[0] & 0x0f) == 0x05) 100 fixup |= FIXUP_RETURN_REGISTER; 101 break; 102 case 0xc0: 103 if ((insn[0] & 0x0f) == 0x00 || /* larl */ 104 (insn[0] & 0x0f) == 0x05) /* brasl */ 105 fixup |= FIXUP_RETURN_REGISTER; 106 break; 107 case 0xeb: 108 if ((insn[2] & 0xff) == 0x44 || /* bxhg */ 109 (insn[2] & 0xff) == 0x45) /* bxleg */ 110 fixup = FIXUP_BRANCH_NOT_TAKEN; 111 break; 112 case 0xe3: /* bctg */ 113 if ((insn[2] & 0xff) == 0x46) 114 fixup = FIXUP_BRANCH_NOT_TAKEN; 115 break; 116 } 117 return fixup; 118 } 119 120 int __kprobes arch_prepare_kprobe(struct kprobe *p) 121 { 122 if ((unsigned long) p->addr & 0x01) 123 return -EINVAL; 124 125 /* Make sure the probe isn't going on a difficult instruction */ 126 if (is_prohibited_opcode(p->addr)) 127 return -EINVAL; 128 129 p->opcode = *p->addr; 130 memcpy(p->ainsn.insn, p->addr, ((p->opcode >> 14) + 3) & -2); 131 132 return 0; 133 } 134 135 struct ins_replace_args { 136 kprobe_opcode_t *ptr; 137 kprobe_opcode_t opcode; 138 }; 139 140 static int __kprobes swap_instruction(void *aref) 141 { 142 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 143 unsigned long status = kcb->kprobe_status; 144 struct ins_replace_args *args = aref; 145 146 kcb->kprobe_status = KPROBE_SWAP_INST; 147 probe_kernel_write(args->ptr, &args->opcode, sizeof(args->opcode)); 148 kcb->kprobe_status = status; 149 return 0; 150 } 151 152 void __kprobes arch_arm_kprobe(struct kprobe *p) 153 { 154 struct ins_replace_args args; 155 156 args.ptr = p->addr; 157 args.opcode = BREAKPOINT_INSTRUCTION; 158 stop_machine(swap_instruction, &args, NULL); 159 } 160 161 void __kprobes arch_disarm_kprobe(struct kprobe *p) 162 { 163 struct ins_replace_args args; 164 165 args.ptr = p->addr; 166 args.opcode = p->opcode; 167 stop_machine(swap_instruction, &args, NULL); 168 } 169 170 void __kprobes arch_remove_kprobe(struct kprobe *p) 171 { 172 } 173 174 static void __kprobes enable_singlestep(struct kprobe_ctlblk *kcb, 175 struct pt_regs *regs, 176 unsigned long ip) 177 { 178 struct per_regs per_kprobe; 179 180 /* Set up the PER control registers %cr9-%cr11 */ 181 per_kprobe.control = PER_EVENT_IFETCH; 182 per_kprobe.start = ip; 183 per_kprobe.end = ip; 184 185 /* Save control regs and psw mask */ 186 __ctl_store(kcb->kprobe_saved_ctl, 9, 11); 187 kcb->kprobe_saved_imask = regs->psw.mask & 188 (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT); 189 190 /* Set PER control regs, turns on single step for the given address */ 191 __ctl_load(per_kprobe, 9, 11); 192 regs->psw.mask |= PSW_MASK_PER; 193 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT); 194 regs->psw.addr = ip | PSW_ADDR_AMODE; 195 } 196 197 static void __kprobes disable_singlestep(struct kprobe_ctlblk *kcb, 198 struct pt_regs *regs, 199 unsigned long ip) 200 { 201 /* Restore control regs and psw mask, set new psw address */ 202 __ctl_load(kcb->kprobe_saved_ctl, 9, 11); 203 regs->psw.mask &= ~PSW_MASK_PER; 204 regs->psw.mask |= kcb->kprobe_saved_imask; 205 regs->psw.addr = ip | PSW_ADDR_AMODE; 206 } 207 208 /* 209 * Activate a kprobe by storing its pointer to current_kprobe. The 210 * previous kprobe is stored in kcb->prev_kprobe. A stack of up to 211 * two kprobes can be active, see KPROBE_REENTER. 212 */ 213 static void __kprobes push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p) 214 { 215 kcb->prev_kprobe.kp = __get_cpu_var(current_kprobe); 216 kcb->prev_kprobe.status = kcb->kprobe_status; 217 __get_cpu_var(current_kprobe) = p; 218 } 219 220 /* 221 * Deactivate a kprobe by backing up to the previous state. If the 222 * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL, 223 * for any other state prev_kprobe.kp will be NULL. 224 */ 225 static void __kprobes pop_kprobe(struct kprobe_ctlblk *kcb) 226 { 227 __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp; 228 kcb->kprobe_status = kcb->prev_kprobe.status; 229 } 230 231 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, 232 struct pt_regs *regs) 233 { 234 ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14]; 235 236 /* Replace the return addr with trampoline addr */ 237 regs->gprs[14] = (unsigned long) &kretprobe_trampoline; 238 } 239 240 static void __kprobes kprobe_reenter_check(struct kprobe_ctlblk *kcb, 241 struct kprobe *p) 242 { 243 switch (kcb->kprobe_status) { 244 case KPROBE_HIT_SSDONE: 245 case KPROBE_HIT_ACTIVE: 246 kprobes_inc_nmissed_count(p); 247 break; 248 case KPROBE_HIT_SS: 249 case KPROBE_REENTER: 250 default: 251 /* 252 * A kprobe on the code path to single step an instruction 253 * is a BUG. The code path resides in the .kprobes.text 254 * section and is executed with interrupts disabled. 255 */ 256 printk(KERN_EMERG "Invalid kprobe detected at %p.\n", p->addr); 257 dump_kprobe(p); 258 BUG(); 259 } 260 } 261 262 static int __kprobes kprobe_handler(struct pt_regs *regs) 263 { 264 struct kprobe_ctlblk *kcb; 265 struct kprobe *p; 266 267 /* 268 * We want to disable preemption for the entire duration of kprobe 269 * processing. That includes the calls to the pre/post handlers 270 * and single stepping the kprobe instruction. 271 */ 272 preempt_disable(); 273 kcb = get_kprobe_ctlblk(); 274 p = get_kprobe((void *)((regs->psw.addr & PSW_ADDR_INSN) - 2)); 275 276 if (p) { 277 if (kprobe_running()) { 278 /* 279 * We have hit a kprobe while another is still 280 * active. This can happen in the pre and post 281 * handler. Single step the instruction of the 282 * new probe but do not call any handler function 283 * of this secondary kprobe. 284 * push_kprobe and pop_kprobe saves and restores 285 * the currently active kprobe. 286 */ 287 kprobe_reenter_check(kcb, p); 288 push_kprobe(kcb, p); 289 kcb->kprobe_status = KPROBE_REENTER; 290 } else { 291 /* 292 * If we have no pre-handler or it returned 0, we 293 * continue with single stepping. If we have a 294 * pre-handler and it returned non-zero, it prepped 295 * for calling the break_handler below on re-entry 296 * for jprobe processing, so get out doing nothing 297 * more here. 298 */ 299 push_kprobe(kcb, p); 300 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 301 if (p->pre_handler && p->pre_handler(p, regs)) 302 return 1; 303 kcb->kprobe_status = KPROBE_HIT_SS; 304 } 305 enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn); 306 return 1; 307 } else if (kprobe_running()) { 308 p = __get_cpu_var(current_kprobe); 309 if (p->break_handler && p->break_handler(p, regs)) { 310 /* 311 * Continuation after the jprobe completed and 312 * caused the jprobe_return trap. The jprobe 313 * break_handler "returns" to the original 314 * function that still has the kprobe breakpoint 315 * installed. We continue with single stepping. 316 */ 317 kcb->kprobe_status = KPROBE_HIT_SS; 318 enable_singlestep(kcb, regs, 319 (unsigned long) p->ainsn.insn); 320 return 1; 321 } /* else: 322 * No kprobe at this address and the current kprobe 323 * has no break handler (no jprobe!). The kernel just 324 * exploded, let the standard trap handler pick up the 325 * pieces. 326 */ 327 } /* else: 328 * No kprobe at this address and no active kprobe. The trap has 329 * not been caused by a kprobe breakpoint. The race of breakpoint 330 * vs. kprobe remove does not exist because on s390 as we use 331 * stop_machine to arm/disarm the breakpoints. 332 */ 333 preempt_enable_no_resched(); 334 return 0; 335 } 336 337 /* 338 * Function return probe trampoline: 339 * - init_kprobes() establishes a probepoint here 340 * - When the probed function returns, this probe 341 * causes the handlers to fire 342 */ 343 static void __used kretprobe_trampoline_holder(void) 344 { 345 asm volatile(".global kretprobe_trampoline\n" 346 "kretprobe_trampoline: bcr 0,0\n"); 347 } 348 349 /* 350 * Called when the probe at kretprobe trampoline is hit 351 */ 352 static int __kprobes trampoline_probe_handler(struct kprobe *p, 353 struct pt_regs *regs) 354 { 355 struct kretprobe_instance *ri; 356 struct hlist_head *head, empty_rp; 357 struct hlist_node *node, *tmp; 358 unsigned long flags, orig_ret_address; 359 unsigned long trampoline_address; 360 kprobe_opcode_t *correct_ret_addr; 361 362 INIT_HLIST_HEAD(&empty_rp); 363 kretprobe_hash_lock(current, &head, &flags); 364 365 /* 366 * It is possible to have multiple instances associated with a given 367 * task either because an multiple functions in the call path 368 * have a return probe installed on them, and/or more than one return 369 * return probe was registered for a target function. 370 * 371 * We can handle this because: 372 * - instances are always inserted at the head of the list 373 * - when multiple return probes are registered for the same 374 * function, the first instance's ret_addr will point to the 375 * real return address, and all the rest will point to 376 * kretprobe_trampoline 377 */ 378 ri = NULL; 379 orig_ret_address = 0; 380 correct_ret_addr = NULL; 381 trampoline_address = (unsigned long) &kretprobe_trampoline; 382 hlist_for_each_entry_safe(ri, node, tmp, head, hlist) { 383 if (ri->task != current) 384 /* another task is sharing our hash bucket */ 385 continue; 386 387 orig_ret_address = (unsigned long) ri->ret_addr; 388 389 if (orig_ret_address != trampoline_address) 390 /* 391 * This is the real return address. Any other 392 * instances associated with this task are for 393 * other calls deeper on the call stack 394 */ 395 break; 396 } 397 398 kretprobe_assert(ri, orig_ret_address, trampoline_address); 399 400 correct_ret_addr = ri->ret_addr; 401 hlist_for_each_entry_safe(ri, node, tmp, head, hlist) { 402 if (ri->task != current) 403 /* another task is sharing our hash bucket */ 404 continue; 405 406 orig_ret_address = (unsigned long) ri->ret_addr; 407 408 if (ri->rp && ri->rp->handler) { 409 ri->ret_addr = correct_ret_addr; 410 ri->rp->handler(ri, regs); 411 } 412 413 recycle_rp_inst(ri, &empty_rp); 414 415 if (orig_ret_address != trampoline_address) 416 /* 417 * This is the real return address. Any other 418 * instances associated with this task are for 419 * other calls deeper on the call stack 420 */ 421 break; 422 } 423 424 regs->psw.addr = orig_ret_address | PSW_ADDR_AMODE; 425 426 pop_kprobe(get_kprobe_ctlblk()); 427 kretprobe_hash_unlock(current, &flags); 428 preempt_enable_no_resched(); 429 430 hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) { 431 hlist_del(&ri->hlist); 432 kfree(ri); 433 } 434 /* 435 * By returning a non-zero value, we are telling 436 * kprobe_handler() that we don't want the post_handler 437 * to run (and have re-enabled preemption) 438 */ 439 return 1; 440 } 441 442 /* 443 * Called after single-stepping. p->addr is the address of the 444 * instruction whose first byte has been replaced by the "breakpoint" 445 * instruction. To avoid the SMP problems that can occur when we 446 * temporarily put back the original opcode to single-step, we 447 * single-stepped a copy of the instruction. The address of this 448 * copy is p->ainsn.insn. 449 */ 450 static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs) 451 { 452 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 453 unsigned long ip = regs->psw.addr & PSW_ADDR_INSN; 454 int fixup = get_fixup_type(p->ainsn.insn); 455 456 if (fixup & FIXUP_PSW_NORMAL) 457 ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn; 458 459 if (fixup & FIXUP_BRANCH_NOT_TAKEN) { 460 int ilen = ((p->ainsn.insn[0] >> 14) + 3) & -2; 461 if (ip - (unsigned long) p->ainsn.insn == ilen) 462 ip = (unsigned long) p->addr + ilen; 463 } 464 465 if (fixup & FIXUP_RETURN_REGISTER) { 466 int reg = (p->ainsn.insn[0] & 0xf0) >> 4; 467 regs->gprs[reg] += (unsigned long) p->addr - 468 (unsigned long) p->ainsn.insn; 469 } 470 471 disable_singlestep(kcb, regs, ip); 472 } 473 474 static int __kprobes post_kprobe_handler(struct pt_regs *regs) 475 { 476 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 477 struct kprobe *p = kprobe_running(); 478 479 if (!p) 480 return 0; 481 482 if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) { 483 kcb->kprobe_status = KPROBE_HIT_SSDONE; 484 p->post_handler(p, regs, 0); 485 } 486 487 resume_execution(p, regs); 488 pop_kprobe(kcb); 489 preempt_enable_no_resched(); 490 491 /* 492 * if somebody else is singlestepping across a probe point, psw mask 493 * will have PER set, in which case, continue the remaining processing 494 * of do_single_step, as if this is not a probe hit. 495 */ 496 if (regs->psw.mask & PSW_MASK_PER) 497 return 0; 498 499 return 1; 500 } 501 502 static int __kprobes kprobe_trap_handler(struct pt_regs *regs, int trapnr) 503 { 504 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 505 struct kprobe *p = kprobe_running(); 506 const struct exception_table_entry *entry; 507 508 switch(kcb->kprobe_status) { 509 case KPROBE_SWAP_INST: 510 /* We are here because the instruction replacement failed */ 511 return 0; 512 case KPROBE_HIT_SS: 513 case KPROBE_REENTER: 514 /* 515 * We are here because the instruction being single 516 * stepped caused a page fault. We reset the current 517 * kprobe and the nip points back to the probe address 518 * and allow the page fault handler to continue as a 519 * normal page fault. 520 */ 521 disable_singlestep(kcb, regs, (unsigned long) p->addr); 522 pop_kprobe(kcb); 523 preempt_enable_no_resched(); 524 break; 525 case KPROBE_HIT_ACTIVE: 526 case KPROBE_HIT_SSDONE: 527 /* 528 * We increment the nmissed count for accounting, 529 * we can also use npre/npostfault count for accouting 530 * these specific fault cases. 531 */ 532 kprobes_inc_nmissed_count(p); 533 534 /* 535 * We come here because instructions in the pre/post 536 * handler caused the page_fault, this could happen 537 * if handler tries to access user space by 538 * copy_from_user(), get_user() etc. Let the 539 * user-specified handler try to fix it first. 540 */ 541 if (p->fault_handler && p->fault_handler(p, regs, trapnr)) 542 return 1; 543 544 /* 545 * In case the user-specified fault handler returned 546 * zero, try to fix up. 547 */ 548 entry = search_exception_tables(regs->psw.addr & PSW_ADDR_INSN); 549 if (entry) { 550 regs->psw.addr = entry->fixup | PSW_ADDR_AMODE; 551 return 1; 552 } 553 554 /* 555 * fixup_exception() could not handle it, 556 * Let do_page_fault() fix it. 557 */ 558 break; 559 default: 560 break; 561 } 562 return 0; 563 } 564 565 int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr) 566 { 567 int ret; 568 569 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 570 local_irq_disable(); 571 ret = kprobe_trap_handler(regs, trapnr); 572 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 573 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER); 574 return ret; 575 } 576 577 /* 578 * Wrapper routine to for handling exceptions. 579 */ 580 int __kprobes kprobe_exceptions_notify(struct notifier_block *self, 581 unsigned long val, void *data) 582 { 583 struct die_args *args = (struct die_args *) data; 584 struct pt_regs *regs = args->regs; 585 int ret = NOTIFY_DONE; 586 587 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 588 local_irq_disable(); 589 590 switch (val) { 591 case DIE_BPT: 592 if (kprobe_handler(regs)) 593 ret = NOTIFY_STOP; 594 break; 595 case DIE_SSTEP: 596 if (post_kprobe_handler(regs)) 597 ret = NOTIFY_STOP; 598 break; 599 case DIE_TRAP: 600 if (!preemptible() && kprobe_running() && 601 kprobe_trap_handler(regs, args->trapnr)) 602 ret = NOTIFY_STOP; 603 break; 604 default: 605 break; 606 } 607 608 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 609 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER); 610 611 return ret; 612 } 613 614 int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) 615 { 616 struct jprobe *jp = container_of(p, struct jprobe, kp); 617 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 618 unsigned long stack; 619 620 memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs)); 621 622 /* setup return addr to the jprobe handler routine */ 623 regs->psw.addr = (unsigned long) jp->entry | PSW_ADDR_AMODE; 624 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT); 625 626 /* r15 is the stack pointer */ 627 stack = (unsigned long) regs->gprs[15]; 628 629 memcpy(kcb->jprobes_stack, (void *) stack, MIN_STACK_SIZE(stack)); 630 return 1; 631 } 632 633 void __kprobes jprobe_return(void) 634 { 635 asm volatile(".word 0x0002"); 636 } 637 638 void __kprobes jprobe_return_end(void) 639 { 640 asm volatile("bcr 0,0"); 641 } 642 643 int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) 644 { 645 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 646 unsigned long stack; 647 648 stack = (unsigned long) kcb->jprobe_saved_regs.gprs[15]; 649 650 /* Put the regs back */ 651 memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs)); 652 /* put the stack back */ 653 memcpy((void *) stack, kcb->jprobes_stack, MIN_STACK_SIZE(stack)); 654 preempt_enable_no_resched(); 655 return 1; 656 } 657 658 static struct kprobe trampoline = { 659 .addr = (kprobe_opcode_t *) &kretprobe_trampoline, 660 .pre_handler = trampoline_probe_handler 661 }; 662 663 int __init arch_init_kprobes(void) 664 { 665 return register_kprobe(&trampoline); 666 } 667 668 int __kprobes arch_trampoline_kprobe(struct kprobe *p) 669 { 670 return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline; 671 } 672