1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Kernel Probes (KProbes) 4 * 5 * Copyright IBM Corp. 2002, 2006 6 * 7 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com> 8 */ 9 10 #include <linux/kprobes.h> 11 #include <linux/ptrace.h> 12 #include <linux/preempt.h> 13 #include <linux/stop_machine.h> 14 #include <linux/kdebug.h> 15 #include <linux/uaccess.h> 16 #include <linux/extable.h> 17 #include <linux/module.h> 18 #include <linux/slab.h> 19 #include <linux/hardirq.h> 20 #include <linux/ftrace.h> 21 #include <asm/set_memory.h> 22 #include <asm/sections.h> 23 #include <asm/dis.h> 24 25 DEFINE_PER_CPU(struct kprobe *, current_kprobe); 26 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 27 28 struct kretprobe_blackpoint kretprobe_blacklist[] = { }; 29 30 DEFINE_INSN_CACHE_OPS(s390_insn); 31 32 static int insn_page_in_use; 33 static char insn_page[PAGE_SIZE] __aligned(PAGE_SIZE); 34 35 static void *alloc_s390_insn_page(void) 36 { 37 if (xchg(&insn_page_in_use, 1) == 1) 38 return NULL; 39 set_memory_x((unsigned long) &insn_page, 1); 40 return &insn_page; 41 } 42 43 static void free_s390_insn_page(void *page) 44 { 45 set_memory_nx((unsigned long) page, 1); 46 xchg(&insn_page_in_use, 0); 47 } 48 49 struct kprobe_insn_cache kprobe_s390_insn_slots = { 50 .mutex = __MUTEX_INITIALIZER(kprobe_s390_insn_slots.mutex), 51 .alloc = alloc_s390_insn_page, 52 .free = free_s390_insn_page, 53 .pages = LIST_HEAD_INIT(kprobe_s390_insn_slots.pages), 54 .insn_size = MAX_INSN_SIZE, 55 }; 56 57 static void copy_instruction(struct kprobe *p) 58 { 59 s64 disp, new_disp; 60 u64 addr, new_addr; 61 62 memcpy(p->ainsn.insn, p->addr, insn_length(*p->addr >> 8)); 63 p->opcode = p->ainsn.insn[0]; 64 if (!probe_is_insn_relative_long(p->ainsn.insn)) 65 return; 66 /* 67 * For pc-relative instructions in RIL-b or RIL-c format patch the 68 * RI2 displacement field. We have already made sure that the insn 69 * slot for the patched instruction is within the same 2GB area 70 * as the original instruction (either kernel image or module area). 71 * Therefore the new displacement will always fit. 72 */ 73 disp = *(s32 *)&p->ainsn.insn[1]; 74 addr = (u64)(unsigned long)p->addr; 75 new_addr = (u64)(unsigned long)p->ainsn.insn; 76 new_disp = ((addr + (disp * 2)) - new_addr) / 2; 77 *(s32 *)&p->ainsn.insn[1] = new_disp; 78 } 79 NOKPROBE_SYMBOL(copy_instruction); 80 81 static inline int is_kernel_addr(void *addr) 82 { 83 return addr < (void *)_end; 84 } 85 86 static int s390_get_insn_slot(struct kprobe *p) 87 { 88 /* 89 * Get an insn slot that is within the same 2GB area like the original 90 * instruction. That way instructions with a 32bit signed displacement 91 * field can be patched and executed within the insn slot. 92 */ 93 p->ainsn.insn = NULL; 94 if (is_kernel_addr(p->addr)) 95 p->ainsn.insn = get_s390_insn_slot(); 96 else if (is_module_addr(p->addr)) 97 p->ainsn.insn = get_insn_slot(); 98 return p->ainsn.insn ? 0 : -ENOMEM; 99 } 100 NOKPROBE_SYMBOL(s390_get_insn_slot); 101 102 static void s390_free_insn_slot(struct kprobe *p) 103 { 104 if (!p->ainsn.insn) 105 return; 106 if (is_kernel_addr(p->addr)) 107 free_s390_insn_slot(p->ainsn.insn, 0); 108 else 109 free_insn_slot(p->ainsn.insn, 0); 110 p->ainsn.insn = NULL; 111 } 112 NOKPROBE_SYMBOL(s390_free_insn_slot); 113 114 int arch_prepare_kprobe(struct kprobe *p) 115 { 116 if ((unsigned long) p->addr & 0x01) 117 return -EINVAL; 118 /* Make sure the probe isn't going on a difficult instruction */ 119 if (probe_is_prohibited_opcode(p->addr)) 120 return -EINVAL; 121 if (s390_get_insn_slot(p)) 122 return -ENOMEM; 123 copy_instruction(p); 124 return 0; 125 } 126 NOKPROBE_SYMBOL(arch_prepare_kprobe); 127 128 struct swap_insn_args { 129 struct kprobe *p; 130 unsigned int arm_kprobe : 1; 131 }; 132 133 static int swap_instruction(void *data) 134 { 135 struct swap_insn_args *args = data; 136 struct kprobe *p = args->p; 137 u16 opc; 138 139 opc = args->arm_kprobe ? BREAKPOINT_INSTRUCTION : p->opcode; 140 s390_kernel_write(p->addr, &opc, sizeof(opc)); 141 return 0; 142 } 143 NOKPROBE_SYMBOL(swap_instruction); 144 145 void arch_arm_kprobe(struct kprobe *p) 146 { 147 struct swap_insn_args args = {.p = p, .arm_kprobe = 1}; 148 149 stop_machine_cpuslocked(swap_instruction, &args, NULL); 150 } 151 NOKPROBE_SYMBOL(arch_arm_kprobe); 152 153 void arch_disarm_kprobe(struct kprobe *p) 154 { 155 struct swap_insn_args args = {.p = p, .arm_kprobe = 0}; 156 157 stop_machine_cpuslocked(swap_instruction, &args, NULL); 158 } 159 NOKPROBE_SYMBOL(arch_disarm_kprobe); 160 161 void arch_remove_kprobe(struct kprobe *p) 162 { 163 s390_free_insn_slot(p); 164 } 165 NOKPROBE_SYMBOL(arch_remove_kprobe); 166 167 static void enable_singlestep(struct kprobe_ctlblk *kcb, 168 struct pt_regs *regs, 169 unsigned long ip) 170 { 171 struct per_regs per_kprobe; 172 173 /* Set up the PER control registers %cr9-%cr11 */ 174 per_kprobe.control = PER_EVENT_IFETCH; 175 per_kprobe.start = ip; 176 per_kprobe.end = ip; 177 178 /* Save control regs and psw mask */ 179 __ctl_store(kcb->kprobe_saved_ctl, 9, 11); 180 kcb->kprobe_saved_imask = regs->psw.mask & 181 (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT); 182 183 /* Set PER control regs, turns on single step for the given address */ 184 __ctl_load(per_kprobe, 9, 11); 185 regs->psw.mask |= PSW_MASK_PER; 186 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT); 187 regs->psw.addr = ip; 188 } 189 NOKPROBE_SYMBOL(enable_singlestep); 190 191 static void disable_singlestep(struct kprobe_ctlblk *kcb, 192 struct pt_regs *regs, 193 unsigned long ip) 194 { 195 /* Restore control regs and psw mask, set new psw address */ 196 __ctl_load(kcb->kprobe_saved_ctl, 9, 11); 197 regs->psw.mask &= ~PSW_MASK_PER; 198 regs->psw.mask |= kcb->kprobe_saved_imask; 199 regs->psw.addr = ip; 200 } 201 NOKPROBE_SYMBOL(disable_singlestep); 202 203 /* 204 * Activate a kprobe by storing its pointer to current_kprobe. The 205 * previous kprobe is stored in kcb->prev_kprobe. A stack of up to 206 * two kprobes can be active, see KPROBE_REENTER. 207 */ 208 static void push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p) 209 { 210 kcb->prev_kprobe.kp = __this_cpu_read(current_kprobe); 211 kcb->prev_kprobe.status = kcb->kprobe_status; 212 __this_cpu_write(current_kprobe, p); 213 } 214 NOKPROBE_SYMBOL(push_kprobe); 215 216 /* 217 * Deactivate a kprobe by backing up to the previous state. If the 218 * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL, 219 * for any other state prev_kprobe.kp will be NULL. 220 */ 221 static void pop_kprobe(struct kprobe_ctlblk *kcb) 222 { 223 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); 224 kcb->kprobe_status = kcb->prev_kprobe.status; 225 } 226 NOKPROBE_SYMBOL(pop_kprobe); 227 228 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) 229 { 230 ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14]; 231 ri->fp = NULL; 232 233 /* Replace the return addr with trampoline addr */ 234 regs->gprs[14] = (unsigned long) &kretprobe_trampoline; 235 } 236 NOKPROBE_SYMBOL(arch_prepare_kretprobe); 237 238 static void kprobe_reenter_check(struct kprobe_ctlblk *kcb, struct kprobe *p) 239 { 240 switch (kcb->kprobe_status) { 241 case KPROBE_HIT_SSDONE: 242 case KPROBE_HIT_ACTIVE: 243 kprobes_inc_nmissed_count(p); 244 break; 245 case KPROBE_HIT_SS: 246 case KPROBE_REENTER: 247 default: 248 /* 249 * A kprobe on the code path to single step an instruction 250 * is a BUG. The code path resides in the .kprobes.text 251 * section and is executed with interrupts disabled. 252 */ 253 pr_err("Invalid kprobe detected.\n"); 254 dump_kprobe(p); 255 BUG(); 256 } 257 } 258 NOKPROBE_SYMBOL(kprobe_reenter_check); 259 260 static int kprobe_handler(struct pt_regs *regs) 261 { 262 struct kprobe_ctlblk *kcb; 263 struct kprobe *p; 264 265 /* 266 * We want to disable preemption for the entire duration of kprobe 267 * processing. That includes the calls to the pre/post handlers 268 * and single stepping the kprobe instruction. 269 */ 270 preempt_disable(); 271 kcb = get_kprobe_ctlblk(); 272 p = get_kprobe((void *)(regs->psw.addr - 2)); 273 274 if (p) { 275 if (kprobe_running()) { 276 /* 277 * We have hit a kprobe while another is still 278 * active. This can happen in the pre and post 279 * handler. Single step the instruction of the 280 * new probe but do not call any handler function 281 * of this secondary kprobe. 282 * push_kprobe and pop_kprobe saves and restores 283 * the currently active kprobe. 284 */ 285 kprobe_reenter_check(kcb, p); 286 push_kprobe(kcb, p); 287 kcb->kprobe_status = KPROBE_REENTER; 288 } else { 289 /* 290 * If we have no pre-handler or it returned 0, we 291 * continue with single stepping. If we have a 292 * pre-handler and it returned non-zero, it prepped 293 * for changing execution path, so get out doing 294 * nothing more here. 295 */ 296 push_kprobe(kcb, p); 297 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 298 if (p->pre_handler && p->pre_handler(p, regs)) { 299 pop_kprobe(kcb); 300 preempt_enable_no_resched(); 301 return 1; 302 } 303 kcb->kprobe_status = KPROBE_HIT_SS; 304 } 305 enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn); 306 return 1; 307 } /* else: 308 * No kprobe at this address and no active kprobe. The trap has 309 * not been caused by a kprobe breakpoint. The race of breakpoint 310 * vs. kprobe remove does not exist because on s390 as we use 311 * stop_machine to arm/disarm the breakpoints. 312 */ 313 preempt_enable_no_resched(); 314 return 0; 315 } 316 NOKPROBE_SYMBOL(kprobe_handler); 317 318 /* 319 * Function return probe trampoline: 320 * - init_kprobes() establishes a probepoint here 321 * - When the probed function returns, this probe 322 * causes the handlers to fire 323 */ 324 static void __used kretprobe_trampoline_holder(void) 325 { 326 asm volatile(".global kretprobe_trampoline\n" 327 "kretprobe_trampoline: bcr 0,0\n"); 328 } 329 330 /* 331 * Called when the probe at kretprobe trampoline is hit 332 */ 333 static int trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs) 334 { 335 regs->psw.addr = __kretprobe_trampoline_handler(regs, &kretprobe_trampoline, NULL); 336 /* 337 * By returning a non-zero value, we are telling 338 * kprobe_handler() that we don't want the post_handler 339 * to run (and have re-enabled preemption) 340 */ 341 return 1; 342 } 343 NOKPROBE_SYMBOL(trampoline_probe_handler); 344 345 /* 346 * Called after single-stepping. p->addr is the address of the 347 * instruction whose first byte has been replaced by the "breakpoint" 348 * instruction. To avoid the SMP problems that can occur when we 349 * temporarily put back the original opcode to single-step, we 350 * single-stepped a copy of the instruction. The address of this 351 * copy is p->ainsn.insn. 352 */ 353 static void resume_execution(struct kprobe *p, struct pt_regs *regs) 354 { 355 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 356 unsigned long ip = regs->psw.addr; 357 int fixup = probe_get_fixup_type(p->ainsn.insn); 358 359 if (fixup & FIXUP_PSW_NORMAL) 360 ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn; 361 362 if (fixup & FIXUP_BRANCH_NOT_TAKEN) { 363 int ilen = insn_length(p->ainsn.insn[0] >> 8); 364 if (ip - (unsigned long) p->ainsn.insn == ilen) 365 ip = (unsigned long) p->addr + ilen; 366 } 367 368 if (fixup & FIXUP_RETURN_REGISTER) { 369 int reg = (p->ainsn.insn[0] & 0xf0) >> 4; 370 regs->gprs[reg] += (unsigned long) p->addr - 371 (unsigned long) p->ainsn.insn; 372 } 373 374 disable_singlestep(kcb, regs, ip); 375 } 376 NOKPROBE_SYMBOL(resume_execution); 377 378 static int post_kprobe_handler(struct pt_regs *regs) 379 { 380 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 381 struct kprobe *p = kprobe_running(); 382 383 if (!p) 384 return 0; 385 386 if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) { 387 kcb->kprobe_status = KPROBE_HIT_SSDONE; 388 p->post_handler(p, regs, 0); 389 } 390 391 resume_execution(p, regs); 392 pop_kprobe(kcb); 393 preempt_enable_no_resched(); 394 395 /* 396 * if somebody else is singlestepping across a probe point, psw mask 397 * will have PER set, in which case, continue the remaining processing 398 * of do_single_step, as if this is not a probe hit. 399 */ 400 if (regs->psw.mask & PSW_MASK_PER) 401 return 0; 402 403 return 1; 404 } 405 NOKPROBE_SYMBOL(post_kprobe_handler); 406 407 static int kprobe_trap_handler(struct pt_regs *regs, int trapnr) 408 { 409 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 410 struct kprobe *p = kprobe_running(); 411 const struct exception_table_entry *entry; 412 413 switch(kcb->kprobe_status) { 414 case KPROBE_HIT_SS: 415 case KPROBE_REENTER: 416 /* 417 * We are here because the instruction being single 418 * stepped caused a page fault. We reset the current 419 * kprobe and the nip points back to the probe address 420 * and allow the page fault handler to continue as a 421 * normal page fault. 422 */ 423 disable_singlestep(kcb, regs, (unsigned long) p->addr); 424 pop_kprobe(kcb); 425 preempt_enable_no_resched(); 426 break; 427 case KPROBE_HIT_ACTIVE: 428 case KPROBE_HIT_SSDONE: 429 /* 430 * We increment the nmissed count for accounting, 431 * we can also use npre/npostfault count for accounting 432 * these specific fault cases. 433 */ 434 kprobes_inc_nmissed_count(p); 435 436 /* 437 * We come here because instructions in the pre/post 438 * handler caused the page_fault, this could happen 439 * if handler tries to access user space by 440 * copy_from_user(), get_user() etc. Let the 441 * user-specified handler try to fix it first. 442 */ 443 if (p->fault_handler && p->fault_handler(p, regs, trapnr)) 444 return 1; 445 446 /* 447 * In case the user-specified fault handler returned 448 * zero, try to fix up. 449 */ 450 entry = s390_search_extables(regs->psw.addr); 451 if (entry && ex_handle(entry, regs)) 452 return 1; 453 454 /* 455 * fixup_exception() could not handle it, 456 * Let do_page_fault() fix it. 457 */ 458 break; 459 default: 460 break; 461 } 462 return 0; 463 } 464 NOKPROBE_SYMBOL(kprobe_trap_handler); 465 466 int kprobe_fault_handler(struct pt_regs *regs, int trapnr) 467 { 468 int ret; 469 470 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 471 local_irq_disable(); 472 ret = kprobe_trap_handler(regs, trapnr); 473 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 474 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER); 475 return ret; 476 } 477 NOKPROBE_SYMBOL(kprobe_fault_handler); 478 479 /* 480 * Wrapper routine to for handling exceptions. 481 */ 482 int kprobe_exceptions_notify(struct notifier_block *self, 483 unsigned long val, void *data) 484 { 485 struct die_args *args = (struct die_args *) data; 486 struct pt_regs *regs = args->regs; 487 int ret = NOTIFY_DONE; 488 489 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 490 local_irq_disable(); 491 492 switch (val) { 493 case DIE_BPT: 494 if (kprobe_handler(regs)) 495 ret = NOTIFY_STOP; 496 break; 497 case DIE_SSTEP: 498 if (post_kprobe_handler(regs)) 499 ret = NOTIFY_STOP; 500 break; 501 case DIE_TRAP: 502 if (!preemptible() && kprobe_running() && 503 kprobe_trap_handler(regs, args->trapnr)) 504 ret = NOTIFY_STOP; 505 break; 506 default: 507 break; 508 } 509 510 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT)) 511 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER); 512 513 return ret; 514 } 515 NOKPROBE_SYMBOL(kprobe_exceptions_notify); 516 517 static struct kprobe trampoline = { 518 .addr = (kprobe_opcode_t *) &kretprobe_trampoline, 519 .pre_handler = trampoline_probe_handler 520 }; 521 522 int __init arch_init_kprobes(void) 523 { 524 return register_kprobe(&trampoline); 525 } 526 527 int arch_trampoline_kprobe(struct kprobe *p) 528 { 529 return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline; 530 } 531 NOKPROBE_SYMBOL(arch_trampoline_kprobe); 532