/*
 * Kernel Probes (KProbes)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Copyright (C) IBM Corporation, 2002, 2006
 *
 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com>
 */

#include <linux/kprobes.h>
#include <linux/ptrace.h>
#include <linux/preempt.h>
#include <linux/stop_machine.h>
#include <linux/kdebug.h>
#include <linux/uaccess.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <asm/cacheflush.h>
#include <asm/sections.h>

DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);

struct kretprobe_blackpoint kretprobe_blacklist[] = {{NULL, NULL}};

int __kprobes arch_prepare_kprobe(struct kprobe *p)
{
        /* Make sure the probe isn't going on a difficult instruction */
        if (is_prohibited_opcode((kprobe_opcode_t *) p->addr))
                return -EINVAL;

        if ((unsigned long) p->addr & 0x01)
                return -EINVAL;

        /* Use the get_insn_slot() facility for correctness */
        if (!(p->ainsn.insn = get_insn_slot()))
                return -ENOMEM;

        memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));

        get_instruction_type(&p->ainsn);
        p->opcode = *p->addr;
        return 0;
}

int __kprobes is_prohibited_opcode(kprobe_opcode_t *instruction)
{
        switch (*(__u8 *) instruction) {
        case 0x0c:      /* bassm */
        case 0x0b:      /* bsm   */
        case 0x83:      /* diag  */
        case 0x44:      /* ex    */
        case 0xac:      /* stnsm */
        case 0xad:      /* stosm */
                return -EINVAL;
        }
        switch (*(__u16 *) instruction) {
        case 0x0101:    /* pr    */
        case 0xb25a:    /* bsa   */
        case 0xb240:    /* bakr  */
        case 0xb258:    /* bsg   */
        case 0xb218:    /* pc    */
        case 0xb228:    /* pt    */
        case 0xb98d:    /* epsw  */
                return -EINVAL;
        }
        return 0;
}

void __kprobes get_instruction_type(struct arch_specific_insn *ainsn)
{
        /* default fixup method */
        ainsn->fixup = FIXUP_PSW_NORMAL;

        /* save r1 operand */
        ainsn->reg = (*ainsn->insn & 0xf0) >> 4;

        /* save the instruction length (pop 5-5) in bytes */
        switch (*(__u8 *) (ainsn->insn) >> 6) {
        case 0:
                ainsn->ilen = 2;
                break;
        case 1:
        case 2:
                ainsn->ilen = 4;
                break;
        case 3:
                ainsn->ilen = 6;
                break;
        }

        switch (*(__u8 *) ainsn->insn) {
        case 0x05:      /* balr */
        case 0x0d:      /* basr */
                ainsn->fixup = FIXUP_RETURN_REGISTER;
                /* if r2 = 0, no branch will be taken */
                if ((*ainsn->insn & 0x0f) == 0)
                        ainsn->fixup |= FIXUP_BRANCH_NOT_TAKEN;
                break;
        case 0x06:      /* bctr */
        case 0x07:      /* bcr  */
                ainsn->fixup = FIXUP_BRANCH_NOT_TAKEN;
                break;
        case 0x45:      /* bal  */
        case 0x4d:      /* bas  */
                ainsn->fixup = FIXUP_RETURN_REGISTER;
                break;
        case 0x47:      /* bc   */
        case 0x46:      /* bct  */
        case 0x86:      /* bxh  */
        case 0x87:      /* bxle */
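                /*
                 * Conditional and count/index branches: if the branch
                 * is not taken, the PSW ends up just past the copied
                 * instruction, and resume_execution() must rewind it
                 * to the instruction following the original probe
                 * point.
                 */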
                ainsn->fixup = FIXUP_BRANCH_NOT_TAKEN;
                break;
        case 0x82:      /* lpsw  */
                ainsn->fixup = FIXUP_NOT_REQUIRED;
                break;
        case 0xb2:      /* lpswe */
                if (*(((__u8 *) ainsn->insn) + 1) == 0xb2)
                        ainsn->fixup = FIXUP_NOT_REQUIRED;
                break;
        case 0xa7:      /* bras  */
                if ((*ainsn->insn & 0x0f) == 0x05)
                        ainsn->fixup |= FIXUP_RETURN_REGISTER;
                break;
        case 0xc0:
                if ((*ainsn->insn & 0x0f) == 0x00 ||    /* larl  */
                    (*ainsn->insn & 0x0f) == 0x05)      /* brasl */
                        ainsn->fixup |= FIXUP_RETURN_REGISTER;
                break;
        case 0xeb:
                if (*(((__u8 *) ainsn->insn) + 5) == 0x44 ||    /* bxhg  */
                    *(((__u8 *) ainsn->insn) + 5) == 0x45)      /* bxleg */
                        ainsn->fixup = FIXUP_BRANCH_NOT_TAKEN;
                break;
        case 0xe3:      /* bctg  */
                if (*(((__u8 *) ainsn->insn) + 5) == 0x46)
                        ainsn->fixup = FIXUP_BRANCH_NOT_TAKEN;
                break;
        }
}

static int __kprobes swap_instruction(void *aref)
{
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
        unsigned long status = kcb->kprobe_status;
        struct ins_replace_args *args = aref;
        int rc;

        kcb->kprobe_status = KPROBE_SWAP_INST;
        rc = probe_kernel_write(args->ptr, &args->new, sizeof(args->new));
        kcb->kprobe_status = status;
        return rc;
}

void __kprobes arch_arm_kprobe(struct kprobe *p)
{
        struct ins_replace_args args;

        args.ptr = p->addr;
        args.old = p->opcode;
        args.new = BREAKPOINT_INSTRUCTION;
        stop_machine(swap_instruction, &args, NULL);
}

void __kprobes arch_disarm_kprobe(struct kprobe *p)
{
        struct ins_replace_args args;

        args.ptr = p->addr;
        args.old = BREAKPOINT_INSTRUCTION;
        args.new = p->opcode;
        stop_machine(swap_instruction, &args, NULL);
}

void __kprobes arch_remove_kprobe(struct kprobe *p)
{
        if (p->ainsn.insn) {
                free_insn_slot(p->ainsn.insn, 0);
                p->ainsn.insn = NULL;
        }
}

static void __kprobes prepare_singlestep(struct kprobe *p, struct pt_regs *regs)
{
        per_cr_bits kprobe_per_regs[1];

        memset(kprobe_per_regs, 0, sizeof(per_cr_bits));
        regs->psw.addr = (unsigned long) p->ainsn.insn | PSW_ADDR_AMODE;

        /* Set up the PER control reg info that will be passed to lctl */
        kprobe_per_regs[0].em_instruction_fetch = 1;
        kprobe_per_regs[0].starting_addr = (unsigned long) p->ainsn.insn;
        kprobe_per_regs[0].ending_addr = (unsigned long) p->ainsn.insn + 1;

        /* Set the PER control regs, turns on single step for this address */
        __ctl_load(kprobe_per_regs, 9, 11);
        regs->psw.mask |= PSW_MASK_PER;
        regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT | PSW_MASK_MCHECK);
}

static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
{
        kcb->prev_kprobe.kp = kprobe_running();
        kcb->prev_kprobe.status = kcb->kprobe_status;
        kcb->prev_kprobe.kprobe_saved_imask = kcb->kprobe_saved_imask;
        memcpy(kcb->prev_kprobe.kprobe_saved_ctl, kcb->kprobe_saved_ctl,
               sizeof(kcb->kprobe_saved_ctl));
}

static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
{
        __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
        kcb->kprobe_status = kcb->prev_kprobe.status;
        kcb->kprobe_saved_imask = kcb->prev_kprobe.kprobe_saved_imask;
        memcpy(kcb->kprobe_saved_ctl, kcb->prev_kprobe.kprobe_saved_ctl,
               sizeof(kcb->kprobe_saved_ctl));
}

static void __kprobes set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
                                         struct kprobe_ctlblk *kcb)
{
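        /*
         * Make p the active kprobe on this CPU and snapshot the PSW
         * interrupt bits and the PER control registers (cr9-cr11) so
         * they can be restored once the single step has completed.
         */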
        __get_cpu_var(current_kprobe) = p;
        /* Save the interrupt and PER flags */
        kcb->kprobe_saved_imask = regs->psw.mask &
                (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT | PSW_MASK_MCHECK);
        /* Save the control regs that govern PER */
        __ctl_store(kcb->kprobe_saved_ctl, 9, 11);
}

void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
                                      struct pt_regs *regs)
{
        ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14];

        /* Replace the return addr with trampoline addr */
        regs->gprs[14] = (unsigned long) &kretprobe_trampoline;
}

static int __kprobes kprobe_handler(struct pt_regs *regs)
{
        struct kprobe *p;
        int ret = 0;
        unsigned long *addr = (unsigned long *)
                ((regs->psw.addr & PSW_ADDR_INSN) - 2);
        struct kprobe_ctlblk *kcb;

        /*
         * We don't want to be preempted for the entire
         * duration of kprobe processing.
         */
        preempt_disable();
        kcb = get_kprobe_ctlblk();

        /* Check that we're not actually recursing */
        if (kprobe_running()) {
                p = get_kprobe(addr);
                if (p) {
                        if (kcb->kprobe_status == KPROBE_HIT_SS &&
                            *p->ainsn.insn == BREAKPOINT_INSTRUCTION) {
                                regs->psw.mask &= ~PSW_MASK_PER;
                                regs->psw.mask |= kcb->kprobe_saved_imask;
                                goto no_kprobe;
                        }
                        /*
                         * We have reentered kprobe_handler() because
                         * another probe was hit while within the handler.
                         * Here we save the original kprobe variables and
                         * just single step on the instruction of the new
                         * probe without calling any user handlers.
                         */
                        save_previous_kprobe(kcb);
                        set_current_kprobe(p, regs, kcb);
                        kprobes_inc_nmissed_count(p);
                        prepare_singlestep(p, regs);
                        kcb->kprobe_status = KPROBE_REENTER;
                        return 1;
                } else {
                        p = __get_cpu_var(current_kprobe);
                        if (p->break_handler && p->break_handler(p, regs))
                                goto ss_probe;
                }
                goto no_kprobe;
        }

        p = get_kprobe(addr);
        if (!p)
                /*
                 * No kprobe at this address. The fault has not been
                 * caused by a kprobe breakpoint. The race of breakpoint
                 * vs. kprobe removal does not exist because on s390 we
                 * use stop_machine() to arm/disarm the breakpoints.
                 */
                goto no_kprobe;
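
        /*
         * Normal (non-reentrant) hit: record the probe, give the user
         * pre_handler a chance to run, then single step the copied
         * instruction under PER control.
         */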
        kcb->kprobe_status = KPROBE_HIT_ACTIVE;
        set_current_kprobe(p, regs, kcb);
        if (p->pre_handler && p->pre_handler(p, regs))
                /* handler has already set things up, so skip ss setup */
                return 1;

ss_probe:
        if (regs->psw.mask & (PSW_MASK_PER | PSW_MASK_IO))
                local_irq_disable();
        prepare_singlestep(p, regs);
        kcb->kprobe_status = KPROBE_HIT_SS;
        return 1;

no_kprobe:
        preempt_enable_no_resched();
        return ret;
}

/*
 * Function return probe trampoline:
 *      - init_kprobes() establishes a probepoint here
 *      - When the probed function returns, this probe
 *        causes the handlers to fire
 */
static void __used kretprobe_trampoline_holder(void)
{
        asm volatile(".global kretprobe_trampoline\n"
                     "kretprobe_trampoline: bcr 0,0\n");
}

/*
 * Called when the probe at the kretprobe trampoline is hit.
 */
static int __kprobes trampoline_probe_handler(struct kprobe *p,
                                              struct pt_regs *regs)
{
        struct kretprobe_instance *ri = NULL;
        struct hlist_head *head, empty_rp;
        struct hlist_node *node, *tmp;
        unsigned long flags, orig_ret_address = 0;
        unsigned long trampoline_address = (unsigned long) &kretprobe_trampoline;

        INIT_HLIST_HEAD(&empty_rp);
        kretprobe_hash_lock(current, &head, &flags);

        /*
         * It is possible to have multiple instances associated with a given
         * task either because multiple functions in the call path have
         * a return probe installed on them, and/or more than one return
         * probe was registered for a target function.
         *
         * We can handle this because:
         *      - instances are always inserted at the head of the list
         *      - when multiple return probes are registered for the same
         *        function, the first instance's ret_addr will point to the
         *        real return address, and all the rest will point to
         *        kretprobe_trampoline
         */
        hlist_for_each_entry_safe(ri, node, tmp, head, hlist) {
                if (ri->task != current)
                        /* another task is sharing our hash bucket */
                        continue;

                if (ri->rp && ri->rp->handler)
                        ri->rp->handler(ri, regs);

                orig_ret_address = (unsigned long) ri->ret_addr;
                recycle_rp_inst(ri, &empty_rp);

                if (orig_ret_address != trampoline_address) {
                        /*
                         * This is the real return address. Any other
                         * instances associated with this task are for
                         * other calls deeper on the call stack.
                         */
                        break;
                }
        }
        kretprobe_assert(ri, orig_ret_address, trampoline_address);
        regs->psw.addr = orig_ret_address | PSW_ADDR_AMODE;

        reset_current_kprobe();
        kretprobe_hash_unlock(current, &flags);
        preempt_enable_no_resched();

        hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
                hlist_del(&ri->hlist);
                kfree(ri);
        }
        /*
         * By returning a non-zero value, we are telling
         * kprobe_handler() that we don't want the post_handler
         * to run (and have re-enabled preemption).
         */
        return 1;
}

/*
 * Called after single-stepping. p->addr is the address of the
 * instruction whose first byte has been replaced by the "breakpoint"
 * instruction. To avoid the SMP problems that can occur when we
 * temporarily put back the original opcode to single-step, we
 * single-stepped a copy of the instruction. The address of this
 * copy is p->ainsn.insn.
 */
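/*
 * Worked example with made-up addresses: if a 4-byte instruction at
 * p->addr == 0x10000 was copied to p->ainsn.insn == 0x20000 and the
 * PSW reads 0x20004 after the step, FIXUP_PSW_NORMAL rewrites it to
 * 0x10000 + (0x20004 - 0x20000) == 0x10004, i.e. the instruction
 * following the original probe point.
 */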
static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs)
{
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();

        regs->psw.addr &= PSW_ADDR_INSN;

        if (p->ainsn.fixup & FIXUP_PSW_NORMAL)
                regs->psw.addr = (unsigned long) p->addr +
                        ((unsigned long) regs->psw.addr -
                         (unsigned long) p->ainsn.insn);

        if (p->ainsn.fixup & FIXUP_BRANCH_NOT_TAKEN)
                if ((unsigned long) regs->psw.addr -
                    (unsigned long) p->ainsn.insn == p->ainsn.ilen)
                        regs->psw.addr = (unsigned long) p->addr + p->ainsn.ilen;

        if (p->ainsn.fixup & FIXUP_RETURN_REGISTER)
                regs->gprs[p->ainsn.reg] = ((unsigned long) p->addr +
                                            (regs->gprs[p->ainsn.reg] -
                                             (unsigned long) p->ainsn.insn))
                                           | PSW_ADDR_AMODE;

        regs->psw.addr |= PSW_ADDR_AMODE;
        /* turn off PER mode */
        regs->psw.mask &= ~PSW_MASK_PER;
        /* Restore the original PER control regs */
        __ctl_load(kcb->kprobe_saved_ctl, 9, 11);
        regs->psw.mask |= kcb->kprobe_saved_imask;
}

static int __kprobes post_kprobe_handler(struct pt_regs *regs)
{
        struct kprobe *cur = kprobe_running();
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();

        if (!cur)
                return 0;

        if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
                kcb->kprobe_status = KPROBE_HIT_SSDONE;
                cur->post_handler(cur, regs, 0);
        }

        resume_execution(cur, regs);

        /* Restore the original saved kprobe variables and continue. */
        if (kcb->kprobe_status == KPROBE_REENTER) {
                restore_previous_kprobe(kcb);
                goto out;
        }
        reset_current_kprobe();
        if (regs->psw.mask & (PSW_MASK_PER | PSW_MASK_IO))
                local_irq_enable();
out:
        preempt_enable_no_resched();

        /*
         * If somebody else is single-stepping across a probe point,
         * the PSW mask will have PER set, in which case we continue
         * the remaining processing of do_single_step, as if this
         * were not a probe hit.
         */
        if (regs->psw.mask & PSW_MASK_PER)
                return 0;

        return 1;
}
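
/*
 * Called via kprobe_exceptions_notify() when a trap is taken while a
 * kprobe is being processed; the action depends on which phase of
 * kprobe handling (kprobe_status) the fault interrupted.
 */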
int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
{
        struct kprobe *cur = kprobe_running();
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
        const struct exception_table_entry *entry;

        switch (kcb->kprobe_status) {
        case KPROBE_SWAP_INST:
                /* We are here because the instruction replacement failed */
                return 0;
        case KPROBE_HIT_SS:
        case KPROBE_REENTER:
                /*
                 * We are here because the instruction being single
                 * stepped caused a page fault. We reset the current
                 * kprobe, point the PSW back to the probe address
                 * and allow the page fault handler to continue as a
                 * normal page fault.
                 */
                regs->psw.addr = (unsigned long) cur->addr | PSW_ADDR_AMODE;
                regs->psw.mask &= ~PSW_MASK_PER;
                regs->psw.mask |= kcb->kprobe_saved_imask;
                if (kcb->kprobe_status == KPROBE_REENTER)
                        restore_previous_kprobe(kcb);
                else {
                        reset_current_kprobe();
                        if (regs->psw.mask & (PSW_MASK_PER | PSW_MASK_IO))
                                local_irq_enable();
                }
                preempt_enable_no_resched();
                break;
        case KPROBE_HIT_ACTIVE:
        case KPROBE_HIT_SSDONE:
                /*
                 * We increment the nmissed count for accounting;
                 * the npre/npostfault counts could likewise be used
                 * to account for these specific fault cases.
                 */
                kprobes_inc_nmissed_count(cur);

                /*
                 * We come here because instructions in the pre/post
                 * handler caused the page fault. This could happen
                 * if the handler tried to access user space, e.g.
                 * via copy_from_user() or get_user(). Let the
                 * user-specified fault handler try to fix it first.
                 */
                if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr))
                        return 1;

                /*
                 * In case the user-specified fault handler returned
                 * zero, try to fix up.
                 */
                entry = search_exception_tables(regs->psw.addr & PSW_ADDR_INSN);
                if (entry) {
                        regs->psw.addr = entry->fixup | PSW_ADDR_AMODE;
                        return 1;
                }

                /*
                 * fixup_exception() could not handle it;
                 * let do_page_fault() fix it.
                 */
                break;
        default:
                break;
        }
        return 0;
}

/*
 * Wrapper routine for handling exceptions.
 */
int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
                                       unsigned long val, void *data)
{
        struct die_args *args = (struct die_args *) data;
        int ret = NOTIFY_DONE;

        switch (val) {
        case DIE_BPT:
                if (kprobe_handler(args->regs))
                        ret = NOTIFY_STOP;
                break;
        case DIE_SSTEP:
                if (post_kprobe_handler(args->regs))
                        ret = NOTIFY_STOP;
                break;
        case DIE_TRAP:
                /* kprobe_running() needs smp_processor_id() */
                preempt_disable();
                if (kprobe_running() &&
                    kprobe_fault_handler(args->regs, args->trapnr))
                        ret = NOTIFY_STOP;
                preempt_enable();
                break;
        default:
                break;
        }
        return ret;
}

int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
{
        struct jprobe *jp = container_of(p, struct jprobe, kp);
        unsigned long addr;
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();

        memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs));

        /* set up the return addr to the jprobe handler routine */
        regs->psw.addr = (unsigned long) jp->entry | PSW_ADDR_AMODE;

        /* r14 is the function return address */
        kcb->jprobe_saved_r14 = (unsigned long) regs->gprs[14];
        /* r15 is the stack pointer */
        kcb->jprobe_saved_r15 = (unsigned long) regs->gprs[15];
        addr = (unsigned long) kcb->jprobe_saved_r15;

        memcpy(kcb->jprobes_stack, (kprobe_opcode_t *) addr,
               MIN_STACK_SIZE(addr));
        return 1;
}

void __kprobes jprobe_return(void)
{
        asm volatile(".word 0x0002");
}

void __kprobes jprobe_return_end(void)
{
        asm volatile("bcr 0,0");
}

int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
{
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
        unsigned long stack_addr = (unsigned long) kcb->jprobe_saved_r15;

        /* Put the regs back */
        memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
        /* put the stack back */
        memcpy((kprobe_opcode_t *) stack_addr, kcb->jprobes_stack,
               MIN_STACK_SIZE(stack_addr));
        preempt_enable_no_resched();
        return 1;
}

static struct kprobe trampoline_p = {
        .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
        .pre_handler = trampoline_probe_handler
};

int __init arch_init_kprobes(void)
{
        return register_kprobe(&trampoline_p);
}

int __kprobes arch_trampoline_kprobe(struct kprobe *p)
{
        if (p->addr == (kprobe_opcode_t *) &kretprobe_trampoline)
                return 1;
        return 0;
}
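
/*
 * Usage sketch (illustrative only, not part of this file): probes are
 * registered through the generic kprobes API, which calls into the
 * arch hooks above. The names my_probe and my_pre are hypothetical.
 *
 *      static int my_pre(struct kprobe *kp, struct pt_regs *regs)
 *      {
 *              pr_info("kprobe hit at %p\n", kp->addr);
 *              return 0;       (0 means: go on to single step)
 *      }
 *
 *      static struct kprobe my_probe = {
 *              .symbol_name = "do_fork",
 *              .pre_handler = my_pre,
 *      };
 *
 * register_kprobe(&my_probe) reaches arch_prepare_kprobe() to copy and
 * classify the instruction, then arch_arm_kprobe() to plant
 * BREAKPOINT_INSTRUCTION under stop_machine().
 */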