1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * arch/arm/probes/kprobes/actions-arm.c
4 *
5 * Copyright (C) 2006, 2007 Motorola Inc.
6 */
7
8 /*
9 * We do not have hardware single-stepping on ARM, This
10 * effort is further complicated by the ARM not having a
11 * "next PC" register. Instructions that change the PC
12 * can't be safely single-stepped in a MP environment, so
13 * we have a lot of work to do:
14 *
15 * In the prepare phase:
16 * *) If it is an instruction that does anything
17 * with the CPU mode, we reject it for a kprobe.
18 * (This is out of laziness rather than need. The
19 * instructions could be simulated.)
20 *
21 * *) Otherwise, decode the instruction rewriting its
22 * registers to take fixed, ordered registers and
23 * setting a handler for it to run the instruction.
24 *
25 * In the execution phase by an instruction's handler:
26 *
27 * *) If the PC is written to by the instruction, the
28 * instruction must be fully simulated in software.
29 *
30 * *) Otherwise, a modified form of the instruction is
31 * directly executed. Its handler calls the
32 * instruction in insn[0]. In insn[1] is a
33 * "mov pc, lr" to return.
34 *
35 * Before calling, load up the reordered registers
36 * from the original instruction's registers. If one
37 * of the original input registers is the PC, compute
38 * and adjust the appropriate input register.
39 *
40 * After call completes, copy the output registers to
41 * the original instruction's original registers.
42 *
43 * We don't use a real breakpoint instruction since that
44 * would have us in the kernel go from SVC mode to SVC
45 * mode losing the link register. Instead we use an
46 * undefined instruction. To simplify processing, the
47 * undefined instruction used for kprobes must be reserved
48 * exclusively for kprobes use.
49 *
50 * TODO: ifdef out some instruction decoding based on architecture.
51 */
52
53 #include <linux/kernel.h>
54 #include <linux/kprobes.h>
55 #include <linux/ptrace.h>
56
57 #include "../decode-arm.h"
58 #include "core.h"
59 #include "checkers.h"
60
61 #if __LINUX_ARM_ARCH__ >= 6
62 #define BLX(reg) "blx "reg" \n\t"
63 #else
64 #define BLX(reg) "mov lr, pc \n\t" \
65 "mov pc, "reg" \n\t"
66 #endif
67
68 static void __kprobes
emulate_ldrdstrd(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)69 emulate_ldrdstrd(probes_opcode_t insn,
70 struct arch_probes_insn *asi, struct pt_regs *regs)
71 {
72 unsigned long pc = regs->ARM_pc + 4;
73 int rt = (insn >> 12) & 0xf;
74 int rn = (insn >> 16) & 0xf;
75 int rm = insn & 0xf;
76
77 register unsigned long rtv asm("r0") = regs->uregs[rt];
78 register unsigned long rt2v asm("r1") = regs->uregs[rt+1];
79 register unsigned long rnv asm("r2") = (rn == 15) ? pc
80 : regs->uregs[rn];
81 register unsigned long rmv asm("r3") = regs->uregs[rm];
82
83 __asm__ __volatile__ (
84 BLX("%[fn]")
85 : "=r" (rtv), "=r" (rt2v), "=r" (rnv)
86 : "0" (rtv), "1" (rt2v), "2" (rnv), "r" (rmv),
87 [fn] "r" (asi->insn_fn)
88 : "lr", "memory", "cc"
89 );
90
91 regs->uregs[rt] = rtv;
92 regs->uregs[rt+1] = rt2v;
93 if (is_writeback(insn))
94 regs->uregs[rn] = rnv;
95 }
96
97 static void __kprobes
emulate_ldr(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)98 emulate_ldr(probes_opcode_t insn,
99 struct arch_probes_insn *asi, struct pt_regs *regs)
100 {
101 unsigned long pc = regs->ARM_pc + 4;
102 int rt = (insn >> 12) & 0xf;
103 int rn = (insn >> 16) & 0xf;
104 int rm = insn & 0xf;
105
106 register unsigned long rtv asm("r0");
107 register unsigned long rnv asm("r2") = (rn == 15) ? pc
108 : regs->uregs[rn];
109 register unsigned long rmv asm("r3") = regs->uregs[rm];
110
111 __asm__ __volatile__ (
112 BLX("%[fn]")
113 : "=r" (rtv), "=r" (rnv)
114 : "1" (rnv), "r" (rmv), [fn] "r" (asi->insn_fn)
115 : "lr", "memory", "cc"
116 );
117
118 if (rt == 15)
119 load_write_pc(rtv, regs);
120 else
121 regs->uregs[rt] = rtv;
122
123 if (is_writeback(insn))
124 regs->uregs[rn] = rnv;
125 }
126
127 static void __kprobes
emulate_str(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)128 emulate_str(probes_opcode_t insn,
129 struct arch_probes_insn *asi, struct pt_regs *regs)
130 {
131 unsigned long rtpc = regs->ARM_pc - 4 + str_pc_offset;
132 unsigned long rnpc = regs->ARM_pc + 4;
133 int rt = (insn >> 12) & 0xf;
134 int rn = (insn >> 16) & 0xf;
135 int rm = insn & 0xf;
136
137 register unsigned long rtv asm("r0") = (rt == 15) ? rtpc
138 : regs->uregs[rt];
139 register unsigned long rnv asm("r2") = (rn == 15) ? rnpc
140 : regs->uregs[rn];
141 register unsigned long rmv asm("r3") = regs->uregs[rm];
142
143 __asm__ __volatile__ (
144 BLX("%[fn]")
145 : "=r" (rnv)
146 : "r" (rtv), "0" (rnv), "r" (rmv), [fn] "r" (asi->insn_fn)
147 : "lr", "memory", "cc"
148 );
149
150 if (is_writeback(insn))
151 regs->uregs[rn] = rnv;
152 }
153
154 static void __kprobes
emulate_rd12rn16rm0rs8_rwflags(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)155 emulate_rd12rn16rm0rs8_rwflags(probes_opcode_t insn,
156 struct arch_probes_insn *asi, struct pt_regs *regs)
157 {
158 unsigned long pc = regs->ARM_pc + 4;
159 int rd = (insn >> 12) & 0xf;
160 int rn = (insn >> 16) & 0xf;
161 int rm = insn & 0xf;
162 int rs = (insn >> 8) & 0xf;
163
164 register unsigned long rdv asm("r0") = regs->uregs[rd];
165 register unsigned long rnv asm("r2") = (rn == 15) ? pc
166 : regs->uregs[rn];
167 register unsigned long rmv asm("r3") = (rm == 15) ? pc
168 : regs->uregs[rm];
169 register unsigned long rsv asm("r1") = regs->uregs[rs];
170 unsigned long cpsr = regs->ARM_cpsr;
171
172 __asm__ __volatile__ (
173 "msr cpsr_fs, %[cpsr] \n\t"
174 BLX("%[fn]")
175 "mrs %[cpsr], cpsr \n\t"
176 : "=r" (rdv), [cpsr] "=r" (cpsr)
177 : "0" (rdv), "r" (rnv), "r" (rmv), "r" (rsv),
178 "1" (cpsr), [fn] "r" (asi->insn_fn)
179 : "lr", "memory", "cc"
180 );
181
182 if (rd == 15)
183 alu_write_pc(rdv, regs);
184 else
185 regs->uregs[rd] = rdv;
186 regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
187 }
188
189 static void __kprobes
emulate_rd12rn16rm0_rwflags_nopc(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)190 emulate_rd12rn16rm0_rwflags_nopc(probes_opcode_t insn,
191 struct arch_probes_insn *asi, struct pt_regs *regs)
192 {
193 int rd = (insn >> 12) & 0xf;
194 int rn = (insn >> 16) & 0xf;
195 int rm = insn & 0xf;
196
197 register unsigned long rdv asm("r0") = regs->uregs[rd];
198 register unsigned long rnv asm("r2") = regs->uregs[rn];
199 register unsigned long rmv asm("r3") = regs->uregs[rm];
200 unsigned long cpsr = regs->ARM_cpsr;
201
202 __asm__ __volatile__ (
203 "msr cpsr_fs, %[cpsr] \n\t"
204 BLX("%[fn]")
205 "mrs %[cpsr], cpsr \n\t"
206 : "=r" (rdv), [cpsr] "=r" (cpsr)
207 : "0" (rdv), "r" (rnv), "r" (rmv),
208 "1" (cpsr), [fn] "r" (asi->insn_fn)
209 : "lr", "memory", "cc"
210 );
211
212 regs->uregs[rd] = rdv;
213 regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
214 }
215
216 static void __kprobes
emulate_rd16rn12rm0rs8_rwflags_nopc(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)217 emulate_rd16rn12rm0rs8_rwflags_nopc(probes_opcode_t insn,
218 struct arch_probes_insn *asi,
219 struct pt_regs *regs)
220 {
221 int rd = (insn >> 16) & 0xf;
222 int rn = (insn >> 12) & 0xf;
223 int rm = insn & 0xf;
224 int rs = (insn >> 8) & 0xf;
225
226 register unsigned long rdv asm("r2") = regs->uregs[rd];
227 register unsigned long rnv asm("r0") = regs->uregs[rn];
228 register unsigned long rmv asm("r3") = regs->uregs[rm];
229 register unsigned long rsv asm("r1") = regs->uregs[rs];
230 unsigned long cpsr = regs->ARM_cpsr;
231
232 __asm__ __volatile__ (
233 "msr cpsr_fs, %[cpsr] \n\t"
234 BLX("%[fn]")
235 "mrs %[cpsr], cpsr \n\t"
236 : "=r" (rdv), [cpsr] "=r" (cpsr)
237 : "0" (rdv), "r" (rnv), "r" (rmv), "r" (rsv),
238 "1" (cpsr), [fn] "r" (asi->insn_fn)
239 : "lr", "memory", "cc"
240 );
241
242 regs->uregs[rd] = rdv;
243 regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
244 }
245
246 static void __kprobes
emulate_rd12rm0_noflags_nopc(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)247 emulate_rd12rm0_noflags_nopc(probes_opcode_t insn,
248 struct arch_probes_insn *asi, struct pt_regs *regs)
249 {
250 int rd = (insn >> 12) & 0xf;
251 int rm = insn & 0xf;
252
253 register unsigned long rdv asm("r0") = regs->uregs[rd];
254 register unsigned long rmv asm("r3") = regs->uregs[rm];
255
256 __asm__ __volatile__ (
257 BLX("%[fn]")
258 : "=r" (rdv)
259 : "0" (rdv), "r" (rmv), [fn] "r" (asi->insn_fn)
260 : "lr", "memory", "cc"
261 );
262
263 regs->uregs[rd] = rdv;
264 }
265
266 static void __kprobes
emulate_rdlo12rdhi16rn0rm8_rwflags_nopc(probes_opcode_t insn,struct arch_probes_insn * asi,struct pt_regs * regs)267 emulate_rdlo12rdhi16rn0rm8_rwflags_nopc(probes_opcode_t insn,
268 struct arch_probes_insn *asi,
269 struct pt_regs *regs)
270 {
271 int rdlo = (insn >> 12) & 0xf;
272 int rdhi = (insn >> 16) & 0xf;
273 int rn = insn & 0xf;
274 int rm = (insn >> 8) & 0xf;
275
276 register unsigned long rdlov asm("r0") = regs->uregs[rdlo];
277 register unsigned long rdhiv asm("r2") = regs->uregs[rdhi];
278 register unsigned long rnv asm("r3") = regs->uregs[rn];
279 register unsigned long rmv asm("r1") = regs->uregs[rm];
280 unsigned long cpsr = regs->ARM_cpsr;
281
282 __asm__ __volatile__ (
283 "msr cpsr_fs, %[cpsr] \n\t"
284 BLX("%[fn]")
285 "mrs %[cpsr], cpsr \n\t"
286 : "=r" (rdlov), "=r" (rdhiv), [cpsr] "=r" (cpsr)
287 : "0" (rdlov), "1" (rdhiv), "r" (rnv), "r" (rmv),
288 "2" (cpsr), [fn] "r" (asi->insn_fn)
289 : "lr", "memory", "cc"
290 );
291
292 regs->uregs[rdlo] = rdlov;
293 regs->uregs[rdhi] = rdhiv;
294 regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
295 }
296
297 const union decode_action kprobes_arm_actions[NUM_PROBES_ARM_ACTIONS] = {
298 [PROBES_PRELOAD_IMM] = {.handler = probes_simulate_nop},
299 [PROBES_PRELOAD_REG] = {.handler = probes_simulate_nop},
300 [PROBES_BRANCH_IMM] = {.handler = simulate_blx1},
301 [PROBES_MRS] = {.handler = simulate_mrs},
302 [PROBES_BRANCH_REG] = {.handler = simulate_blx2bx},
303 [PROBES_CLZ] = {.handler = emulate_rd12rm0_noflags_nopc},
304 [PROBES_SATURATING_ARITHMETIC] = {
305 .handler = emulate_rd12rn16rm0_rwflags_nopc},
306 [PROBES_MUL1] = {.handler = emulate_rdlo12rdhi16rn0rm8_rwflags_nopc},
307 [PROBES_MUL2] = {.handler = emulate_rd16rn12rm0rs8_rwflags_nopc},
308 [PROBES_SWP] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
309 [PROBES_LDRSTRD] = {.handler = emulate_ldrdstrd},
310 [PROBES_LOAD_EXTRA] = {.handler = emulate_ldr},
311 [PROBES_LOAD] = {.handler = emulate_ldr},
312 [PROBES_STORE_EXTRA] = {.handler = emulate_str},
313 [PROBES_STORE] = {.handler = emulate_str},
314 [PROBES_MOV_IP_SP] = {.handler = simulate_mov_ipsp},
315 [PROBES_DATA_PROCESSING_REG] = {
316 .handler = emulate_rd12rn16rm0rs8_rwflags},
317 [PROBES_DATA_PROCESSING_IMM] = {
318 .handler = emulate_rd12rn16rm0rs8_rwflags},
319 [PROBES_MOV_HALFWORD] = {.handler = emulate_rd12rm0_noflags_nopc},
320 [PROBES_SEV] = {.handler = probes_emulate_none},
321 [PROBES_WFE] = {.handler = probes_simulate_nop},
322 [PROBES_SATURATE] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
323 [PROBES_REV] = {.handler = emulate_rd12rm0_noflags_nopc},
324 [PROBES_MMI] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
325 [PROBES_PACK] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
326 [PROBES_EXTEND] = {.handler = emulate_rd12rm0_noflags_nopc},
327 [PROBES_EXTEND_ADD] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
328 [PROBES_MUL_ADD_LONG] = {
329 .handler = emulate_rdlo12rdhi16rn0rm8_rwflags_nopc},
330 [PROBES_MUL_ADD] = {.handler = emulate_rd16rn12rm0rs8_rwflags_nopc},
331 [PROBES_BITFIELD] = {.handler = emulate_rd12rm0_noflags_nopc},
332 [PROBES_BRANCH] = {.handler = simulate_bbl},
333 [PROBES_LDMSTM] = {.decoder = kprobe_decode_ldmstm}
334 };
335
336 const struct decode_checker *kprobes_arm_checkers[] = {arm_stack_checker, arm_regs_checker, NULL};
337