xref: /openbmc/linux/arch/arc/kernel/kprobes.c (revision 95298d63)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2004, 2007-2010, 2011-2012 Synopsys, Inc. (www.synopsys.com)
4  */
5 
6 #include <linux/types.h>
7 #include <linux/kprobes.h>
8 #include <linux/slab.h>
9 #include <linux/module.h>
10 #include <linux/kdebug.h>
11 #include <linux/sched.h>
12 #include <linux/uaccess.h>
13 #include <asm/cacheflush.h>
14 #include <asm/current.h>
15 #include <asm/disasm.h>
16 
17 #define MIN_STACK_SIZE(addr)	min((unsigned long)MAX_STACK_SIZE, \
18 		(unsigned long)current_thread_info() + THREAD_SIZE - (addr))
19 
20 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
21 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
22 
23 int __kprobes arch_prepare_kprobe(struct kprobe *p)
24 {
25 	/* Attempt to probe at unaligned address */
26 	if ((unsigned long)p->addr & 0x01)
27 		return -EINVAL;
28 
29 	/* Address should not be in exception handling code */
30 
31 	p->ainsn.is_short = is_short_instr((unsigned long)p->addr);
32 	p->opcode = *p->addr;
33 
34 	return 0;
35 }
36 
37 void __kprobes arch_arm_kprobe(struct kprobe *p)
38 {
39 	*p->addr = UNIMP_S_INSTRUCTION;
40 
41 	flush_icache_range((unsigned long)p->addr,
42 			   (unsigned long)p->addr + sizeof(kprobe_opcode_t));
43 }
44 
45 void __kprobes arch_disarm_kprobe(struct kprobe *p)
46 {
47 	*p->addr = p->opcode;
48 
49 	flush_icache_range((unsigned long)p->addr,
50 			   (unsigned long)p->addr + sizeof(kprobe_opcode_t));
51 }
52 
53 void __kprobes arch_remove_kprobe(struct kprobe *p)
54 {
55 	arch_disarm_kprobe(p);
56 
57 	/* Can we remove the kprobe in the middle of kprobe handling? */
58 	if (p->ainsn.t1_addr) {
59 		*(p->ainsn.t1_addr) = p->ainsn.t1_opcode;
60 
61 		flush_icache_range((unsigned long)p->ainsn.t1_addr,
62 				   (unsigned long)p->ainsn.t1_addr +
63 				   sizeof(kprobe_opcode_t));
64 
65 		p->ainsn.t1_addr = NULL;
66 	}
67 
68 	if (p->ainsn.t2_addr) {
69 		*(p->ainsn.t2_addr) = p->ainsn.t2_opcode;
70 
71 		flush_icache_range((unsigned long)p->ainsn.t2_addr,
72 				   (unsigned long)p->ainsn.t2_addr +
73 				   sizeof(kprobe_opcode_t));
74 
75 		p->ainsn.t2_addr = NULL;
76 	}
77 }
78 
79 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
80 {
81 	kcb->prev_kprobe.kp = kprobe_running();
82 	kcb->prev_kprobe.status = kcb->kprobe_status;
83 }
84 
85 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
86 {
87 	__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
88 	kcb->kprobe_status = kcb->prev_kprobe.status;
89 }
90 
91 static inline void __kprobes set_current_kprobe(struct kprobe *p)
92 {
93 	__this_cpu_write(current_kprobe, p);
94 }
95 
96 static void __kprobes resume_execution(struct kprobe *p, unsigned long addr,
97 				       struct pt_regs *regs)
98 {
99 	/* Remove the trap instructions inserted for single step and
100 	 * restore the original instructions
101 	 */
102 	if (p->ainsn.t1_addr) {
103 		*(p->ainsn.t1_addr) = p->ainsn.t1_opcode;
104 
105 		flush_icache_range((unsigned long)p->ainsn.t1_addr,
106 				   (unsigned long)p->ainsn.t1_addr +
107 				   sizeof(kprobe_opcode_t));
108 
109 		p->ainsn.t1_addr = NULL;
110 	}
111 
112 	if (p->ainsn.t2_addr) {
113 		*(p->ainsn.t2_addr) = p->ainsn.t2_opcode;
114 
115 		flush_icache_range((unsigned long)p->ainsn.t2_addr,
116 				   (unsigned long)p->ainsn.t2_addr +
117 				   sizeof(kprobe_opcode_t));
118 
119 		p->ainsn.t2_addr = NULL;
120 	}
121 
122 	return;
123 }
124 
125 static void __kprobes setup_singlestep(struct kprobe *p, struct pt_regs *regs)
126 {
127 	unsigned long next_pc;
128 	unsigned long tgt_if_br = 0;
129 	int is_branch;
130 	unsigned long bta;
131 
132 	/* Copy the opcode back to the kprobe location and execute the
133 	 * instruction. Because of this we will not be able to get into the
134 	 * same kprobe until this kprobe is done
135 	 */
136 	*(p->addr) = p->opcode;
137 
138 	flush_icache_range((unsigned long)p->addr,
139 			   (unsigned long)p->addr + sizeof(kprobe_opcode_t));
140 
141 	/* Now we insert the trap at the next location after this instruction to
142 	 * single step. If it is a branch we insert the trap at possible branch
143 	 * targets
144 	 */
145 
146 	bta = regs->bta;
147 
148 	if (regs->status32 & 0x40) {
149 		/* We are in a delay slot with the branch taken */
150 
151 		next_pc = bta & ~0x01;
152 
153 		if (!p->ainsn.is_short) {
154 			if (bta & 0x01)
155 				regs->blink += 2;
156 			else {
157 				/* Branch not taken */
158 				next_pc += 2;
159 
160 				/* next pc is taken from bta after executing the
161 				 * delay slot instruction
162 				 */
163 				regs->bta += 2;
164 			}
165 		}
166 
167 		is_branch = 0;
168 	} else
169 		is_branch =
170 		    disasm_next_pc((unsigned long)p->addr, regs,
171 			(struct callee_regs *) current->thread.callee_reg,
172 			&next_pc, &tgt_if_br);
173 
174 	p->ainsn.t1_addr = (kprobe_opcode_t *) next_pc;
175 	p->ainsn.t1_opcode = *(p->ainsn.t1_addr);
176 	*(p->ainsn.t1_addr) = TRAP_S_2_INSTRUCTION;
177 
178 	flush_icache_range((unsigned long)p->ainsn.t1_addr,
179 			   (unsigned long)p->ainsn.t1_addr +
180 			   sizeof(kprobe_opcode_t));
181 
182 	if (is_branch) {
183 		p->ainsn.t2_addr = (kprobe_opcode_t *) tgt_if_br;
184 		p->ainsn.t2_opcode = *(p->ainsn.t2_addr);
185 		*(p->ainsn.t2_addr) = TRAP_S_2_INSTRUCTION;
186 
187 		flush_icache_range((unsigned long)p->ainsn.t2_addr,
188 				   (unsigned long)p->ainsn.t2_addr +
189 				   sizeof(kprobe_opcode_t));
190 	}
191 }
192 
193 int __kprobes arc_kprobe_handler(unsigned long addr, struct pt_regs *regs)
194 {
195 	struct kprobe *p;
196 	struct kprobe_ctlblk *kcb;
197 
198 	preempt_disable();
199 
200 	kcb = get_kprobe_ctlblk();
201 	p = get_kprobe((unsigned long *)addr);
202 
203 	if (p) {
204 		/*
205 		 * We have reentered the kprobe_handler, since another kprobe
206 		 * was hit while within the handler, we save the original
207 		 * kprobes and single step on the instruction of the new probe
208 		 * without calling any user handlers to avoid recursive
209 		 * kprobes.
210 		 */
211 		if (kprobe_running()) {
212 			save_previous_kprobe(kcb);
213 			set_current_kprobe(p);
214 			kprobes_inc_nmissed_count(p);
215 			setup_singlestep(p, regs);
216 			kcb->kprobe_status = KPROBE_REENTER;
217 			return 1;
218 		}
219 
220 		set_current_kprobe(p);
221 		kcb->kprobe_status = KPROBE_HIT_ACTIVE;
222 
223 		/* If we have no pre-handler or it returned 0, we continue with
224 		 * normal processing. If we have a pre-handler and it returned
225 		 * non-zero - which means user handler setup registers to exit
226 		 * to another instruction, we must skip the single stepping.
227 		 */
228 		if (!p->pre_handler || !p->pre_handler(p, regs)) {
229 			setup_singlestep(p, regs);
230 			kcb->kprobe_status = KPROBE_HIT_SS;
231 		} else {
232 			reset_current_kprobe();
233 			preempt_enable_no_resched();
234 		}
235 
236 		return 1;
237 	}
238 
239 	/* no_kprobe: */
240 	preempt_enable_no_resched();
241 	return 0;
242 }
243 
244 static int __kprobes arc_post_kprobe_handler(unsigned long addr,
245 					 struct pt_regs *regs)
246 {
247 	struct kprobe *cur = kprobe_running();
248 	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
249 
250 	if (!cur)
251 		return 0;
252 
253 	resume_execution(cur, addr, regs);
254 
255 	/* Rearm the kprobe */
256 	arch_arm_kprobe(cur);
257 
258 	/*
259 	 * When we return from trap instruction we go to the next instruction
260 	 * We restored the actual instruction in resume_exectuiont and we to
261 	 * return to the same address and execute it
262 	 */
263 	regs->ret = addr;
264 
265 	if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
266 		kcb->kprobe_status = KPROBE_HIT_SSDONE;
267 		cur->post_handler(cur, regs, 0);
268 	}
269 
270 	if (kcb->kprobe_status == KPROBE_REENTER) {
271 		restore_previous_kprobe(kcb);
272 		goto out;
273 	}
274 
275 	reset_current_kprobe();
276 
277 out:
278 	preempt_enable_no_resched();
279 	return 1;
280 }
281 
282 /*
283  * Fault can be for the instruction being single stepped or for the
284  * pre/post handlers in the module.
285  * This is applicable for applications like user probes, where we have the
286  * probe in user space and the handlers in the kernel
287  */
288 
289 int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned long trapnr)
290 {
291 	struct kprobe *cur = kprobe_running();
292 	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
293 
294 	switch (kcb->kprobe_status) {
295 	case KPROBE_HIT_SS:
296 	case KPROBE_REENTER:
297 		/*
298 		 * We are here because the instruction being single stepped
299 		 * caused the fault. We reset the current kprobe and allow the
300 		 * exception handler as if it is regular exception. In our
301 		 * case it doesn't matter because the system will be halted
302 		 */
303 		resume_execution(cur, (unsigned long)cur->addr, regs);
304 
305 		if (kcb->kprobe_status == KPROBE_REENTER)
306 			restore_previous_kprobe(kcb);
307 		else
308 			reset_current_kprobe();
309 
310 		preempt_enable_no_resched();
311 		break;
312 
313 	case KPROBE_HIT_ACTIVE:
314 	case KPROBE_HIT_SSDONE:
315 		/*
316 		 * We are here because the instructions in the pre/post handler
317 		 * caused the fault.
318 		 */
319 
320 		/* We increment the nmissed count for accounting,
321 		 * we can also use npre/npostfault count for accounting
322 		 * these specific fault cases.
323 		 */
324 		kprobes_inc_nmissed_count(cur);
325 
326 		/*
327 		 * We come here because instructions in the pre/post
328 		 * handler caused the page_fault, this could happen
329 		 * if handler tries to access user space by
330 		 * copy_from_user(), get_user() etc. Let the
331 		 * user-specified handler try to fix it first.
332 		 */
333 		if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr))
334 			return 1;
335 
336 		/*
337 		 * In case the user-specified fault handler returned zero,
338 		 * try to fix up.
339 		 */
340 		if (fixup_exception(regs))
341 			return 1;
342 
343 		/*
344 		 * fixup_exception() could not handle it,
345 		 * Let do_page_fault() fix it.
346 		 */
347 		break;
348 
349 	default:
350 		break;
351 	}
352 	return 0;
353 }
354 
355 int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
356 				       unsigned long val, void *data)
357 {
358 	struct die_args *args = data;
359 	unsigned long addr = args->err;
360 	int ret = NOTIFY_DONE;
361 
362 	switch (val) {
363 	case DIE_IERR:
364 		if (arc_kprobe_handler(addr, args->regs))
365 			return NOTIFY_STOP;
366 		break;
367 
368 	case DIE_TRAP:
369 		if (arc_post_kprobe_handler(addr, args->regs))
370 			return NOTIFY_STOP;
371 		break;
372 
373 	default:
374 		break;
375 	}
376 
377 	return ret;
378 }
379 
380 static void __used kretprobe_trampoline_holder(void)
381 {
382 	__asm__ __volatile__(".global kretprobe_trampoline\n"
383 			     "kretprobe_trampoline:\n" "nop\n");
384 }
385 
386 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
387 				      struct pt_regs *regs)
388 {
389 
390 	ri->ret_addr = (kprobe_opcode_t *) regs->blink;
391 
392 	/* Replace the return addr with trampoline addr */
393 	regs->blink = (unsigned long)&kretprobe_trampoline;
394 }
395 
396 static int __kprobes trampoline_probe_handler(struct kprobe *p,
397 					      struct pt_regs *regs)
398 {
399 	struct kretprobe_instance *ri = NULL;
400 	struct hlist_head *head, empty_rp;
401 	struct hlist_node *tmp;
402 	unsigned long flags, orig_ret_address = 0;
403 	unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
404 
405 	INIT_HLIST_HEAD(&empty_rp);
406 	kretprobe_hash_lock(current, &head, &flags);
407 
408 	/*
409 	 * It is possible to have multiple instances associated with a given
410 	 * task either because an multiple functions in the call path
411 	 * have a return probe installed on them, and/or more than one return
412 	 * return probe was registered for a target function.
413 	 *
414 	 * We can handle this because:
415 	 *     - instances are always inserted at the head of the list
416 	 *     - when multiple return probes are registered for the same
417 	 *       function, the first instance's ret_addr will point to the
418 	 *       real return address, and all the rest will point to
419 	 *       kretprobe_trampoline
420 	 */
421 	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
422 		if (ri->task != current)
423 			/* another task is sharing our hash bucket */
424 			continue;
425 
426 		if (ri->rp && ri->rp->handler)
427 			ri->rp->handler(ri, regs);
428 
429 		orig_ret_address = (unsigned long)ri->ret_addr;
430 		recycle_rp_inst(ri, &empty_rp);
431 
432 		if (orig_ret_address != trampoline_address) {
433 			/*
434 			 * This is the real return address. Any other
435 			 * instances associated with this task are for
436 			 * other calls deeper on the call stack
437 			 */
438 			break;
439 		}
440 	}
441 
442 	kretprobe_assert(ri, orig_ret_address, trampoline_address);
443 	regs->ret = orig_ret_address;
444 
445 	kretprobe_hash_unlock(current, &flags);
446 
447 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
448 		hlist_del(&ri->hlist);
449 		kfree(ri);
450 	}
451 
452 	/* By returning a non zero value, we are telling the kprobe handler
453 	 * that we don't want the post_handler to run
454 	 */
455 	return 1;
456 }
457 
458 static struct kprobe trampoline_p = {
459 	.addr = (kprobe_opcode_t *) &kretprobe_trampoline,
460 	.pre_handler = trampoline_probe_handler
461 };
462 
463 int __init arch_init_kprobes(void)
464 {
465 	/* Registering the trampoline code for the kret probe */
466 	return register_kprobe(&trampoline_p);
467 }
468 
469 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
470 {
471 	if (p->addr == (kprobe_opcode_t *) &kretprobe_trampoline)
472 		return 1;
473 
474 	return 0;
475 }
476 
477 void trap_is_kprobe(unsigned long address, struct pt_regs *regs)
478 {
479 	notify_die(DIE_TRAP, "kprobe_trap", regs, address, 0, SIGTRAP);
480 }
481