1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * arch/arm/probes/kprobes/actions-arm.c
4  *
5  * Copyright (C) 2006, 2007 Motorola Inc.
6  */
7 
8 /*
9  * We do not have hardware single-stepping on ARM, This
10  * effort is further complicated by the ARM not having a
11  * "next PC" register.  Instructions that change the PC
12  * can't be safely single-stepped in a MP environment, so
13  * we have a lot of work to do:
14  *
15  * In the prepare phase:
16  *   *) If it is an instruction that does anything
17  *      with the CPU mode, we reject it for a kprobe.
18  *      (This is out of laziness rather than need.  The
19  *      instructions could be simulated.)
20  *
21  *   *) Otherwise, decode the instruction rewriting its
22  *      registers to take fixed, ordered registers and
23  *      setting a handler for it to run the instruction.
24  *
25  * In the execution phase by an instruction's handler:
26  *
27  *   *) If the PC is written to by the instruction, the
28  *      instruction must be fully simulated in software.
29  *
30  *   *) Otherwise, a modified form of the instruction is
31  *      directly executed.  Its handler calls the
32  *      instruction in insn[0].  In insn[1] is a
33  *      "mov pc, lr" to return.
34  *
35  *      Before calling, load up the reordered registers
36  *      from the original instruction's registers.  If one
37  *      of the original input registers is the PC, compute
38  *      and adjust the appropriate input register.
39  *
40  *	After call completes, copy the output registers to
41  *      the original instruction's original registers.
42  *
43  * We don't use a real breakpoint instruction since that
44  * would have us in the kernel go from SVC mode to SVC
45  * mode losing the link register.  Instead we use an
46  * undefined instruction.  To simplify processing, the
47  * undefined instruction used for kprobes must be reserved
48  * exclusively for kprobes use.
49  *
50  * TODO: ifdef out some instruction decoding based on architecture.
51  */
52 
53 #include <linux/kernel.h>
54 #include <linux/kprobes.h>
55 #include <linux/ptrace.h>
56 
57 #include "../decode-arm.h"
58 #include "core.h"
59 #include "checkers.h"
60 
61 #if  __LINUX_ARM_ARCH__ >= 6
62 #define BLX(reg)	"blx	"reg"		\n\t"
63 #else
64 #define BLX(reg)	"mov	lr, pc		\n\t"	\
65 			"mov	pc, "reg"	\n\t"
66 #endif
67 
68 static void __kprobes
69 emulate_ldrdstrd(probes_opcode_t insn,
70 	struct arch_probes_insn *asi, struct pt_regs *regs)
71 {
72 	unsigned long pc = regs->ARM_pc + 4;
73 	int rt = (insn >> 12) & 0xf;
74 	int rn = (insn >> 16) & 0xf;
75 	int rm = insn & 0xf;
76 
77 	register unsigned long rtv asm("r0") = regs->uregs[rt];
78 	register unsigned long rt2v asm("r1") = regs->uregs[rt+1];
79 	register unsigned long rnv asm("r2") = (rn == 15) ? pc
80 							  : regs->uregs[rn];
81 	register unsigned long rmv asm("r3") = regs->uregs[rm];
82 
83 	__asm__ __volatile__ (
84 		BLX("%[fn]")
85 		: "=r" (rtv), "=r" (rt2v), "=r" (rnv)
86 		: "0" (rtv), "1" (rt2v), "2" (rnv), "r" (rmv),
87 		  [fn] "r" (asi->insn_fn)
88 		: "lr", "memory", "cc"
89 	);
90 
91 	regs->uregs[rt] = rtv;
92 	regs->uregs[rt+1] = rt2v;
93 	if (is_writeback(insn))
94 		regs->uregs[rn] = rnv;
95 }
96 
97 static void __kprobes
98 emulate_ldr(probes_opcode_t insn,
99 	struct arch_probes_insn *asi, struct pt_regs *regs)
100 {
101 	unsigned long pc = regs->ARM_pc + 4;
102 	int rt = (insn >> 12) & 0xf;
103 	int rn = (insn >> 16) & 0xf;
104 	int rm = insn & 0xf;
105 
106 	register unsigned long rtv asm("r0");
107 	register unsigned long rnv asm("r2") = (rn == 15) ? pc
108 							  : regs->uregs[rn];
109 	register unsigned long rmv asm("r3") = regs->uregs[rm];
110 
111 	__asm__ __volatile__ (
112 		BLX("%[fn]")
113 		: "=r" (rtv), "=r" (rnv)
114 		: "1" (rnv), "r" (rmv), [fn] "r" (asi->insn_fn)
115 		: "lr", "memory", "cc"
116 	);
117 
118 	if (rt == 15)
119 		load_write_pc(rtv, regs);
120 	else
121 		regs->uregs[rt] = rtv;
122 
123 	if (is_writeback(insn))
124 		regs->uregs[rn] = rnv;
125 }
126 
127 static void __kprobes
128 emulate_str(probes_opcode_t insn,
129 	struct arch_probes_insn *asi, struct pt_regs *regs)
130 {
131 	unsigned long rtpc = regs->ARM_pc - 4 + str_pc_offset;
132 	unsigned long rnpc = regs->ARM_pc + 4;
133 	int rt = (insn >> 12) & 0xf;
134 	int rn = (insn >> 16) & 0xf;
135 	int rm = insn & 0xf;
136 
137 	register unsigned long rtv asm("r0") = (rt == 15) ? rtpc
138 							  : regs->uregs[rt];
139 	register unsigned long rnv asm("r2") = (rn == 15) ? rnpc
140 							  : regs->uregs[rn];
141 	register unsigned long rmv asm("r3") = regs->uregs[rm];
142 
143 	__asm__ __volatile__ (
144 		BLX("%[fn]")
145 		: "=r" (rnv)
146 		: "r" (rtv), "0" (rnv), "r" (rmv), [fn] "r" (asi->insn_fn)
147 		: "lr", "memory", "cc"
148 	);
149 
150 	if (is_writeback(insn))
151 		regs->uregs[rn] = rnv;
152 }
153 
154 static void __kprobes
155 emulate_rd12rn16rm0rs8_rwflags(probes_opcode_t insn,
156 	struct arch_probes_insn *asi, struct pt_regs *regs)
157 {
158 	unsigned long pc = regs->ARM_pc + 4;
159 	int rd = (insn >> 12) & 0xf;
160 	int rn = (insn >> 16) & 0xf;
161 	int rm = insn & 0xf;
162 	int rs = (insn >> 8) & 0xf;
163 
164 	register unsigned long rdv asm("r0") = regs->uregs[rd];
165 	register unsigned long rnv asm("r2") = (rn == 15) ? pc
166 							  : regs->uregs[rn];
167 	register unsigned long rmv asm("r3") = (rm == 15) ? pc
168 							  : regs->uregs[rm];
169 	register unsigned long rsv asm("r1") = regs->uregs[rs];
170 	unsigned long cpsr = regs->ARM_cpsr;
171 
172 	__asm__ __volatile__ (
173 		"msr	cpsr_fs, %[cpsr]	\n\t"
174 		BLX("%[fn]")
175 		"mrs	%[cpsr], cpsr		\n\t"
176 		: "=r" (rdv), [cpsr] "=r" (cpsr)
177 		: "0" (rdv), "r" (rnv), "r" (rmv), "r" (rsv),
178 		  "1" (cpsr), [fn] "r" (asi->insn_fn)
179 		: "lr", "memory", "cc"
180 	);
181 
182 	if (rd == 15)
183 		alu_write_pc(rdv, regs);
184 	else
185 		regs->uregs[rd] = rdv;
186 	regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
187 }
188 
189 static void __kprobes
190 emulate_rd12rn16rm0_rwflags_nopc(probes_opcode_t insn,
191 	struct arch_probes_insn *asi, struct pt_regs *regs)
192 {
193 	int rd = (insn >> 12) & 0xf;
194 	int rn = (insn >> 16) & 0xf;
195 	int rm = insn & 0xf;
196 
197 	register unsigned long rdv asm("r0") = regs->uregs[rd];
198 	register unsigned long rnv asm("r2") = regs->uregs[rn];
199 	register unsigned long rmv asm("r3") = regs->uregs[rm];
200 	unsigned long cpsr = regs->ARM_cpsr;
201 
202 	__asm__ __volatile__ (
203 		"msr	cpsr_fs, %[cpsr]	\n\t"
204 		BLX("%[fn]")
205 		"mrs	%[cpsr], cpsr		\n\t"
206 		: "=r" (rdv), [cpsr] "=r" (cpsr)
207 		: "0" (rdv), "r" (rnv), "r" (rmv),
208 		  "1" (cpsr), [fn] "r" (asi->insn_fn)
209 		: "lr", "memory", "cc"
210 	);
211 
212 	regs->uregs[rd] = rdv;
213 	regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
214 }
215 
216 static void __kprobes
217 emulate_rd16rn12rm0rs8_rwflags_nopc(probes_opcode_t insn,
218 	struct arch_probes_insn *asi,
219 	struct pt_regs *regs)
220 {
221 	int rd = (insn >> 16) & 0xf;
222 	int rn = (insn >> 12) & 0xf;
223 	int rm = insn & 0xf;
224 	int rs = (insn >> 8) & 0xf;
225 
226 	register unsigned long rdv asm("r2") = regs->uregs[rd];
227 	register unsigned long rnv asm("r0") = regs->uregs[rn];
228 	register unsigned long rmv asm("r3") = regs->uregs[rm];
229 	register unsigned long rsv asm("r1") = regs->uregs[rs];
230 	unsigned long cpsr = regs->ARM_cpsr;
231 
232 	__asm__ __volatile__ (
233 		"msr	cpsr_fs, %[cpsr]	\n\t"
234 		BLX("%[fn]")
235 		"mrs	%[cpsr], cpsr		\n\t"
236 		: "=r" (rdv), [cpsr] "=r" (cpsr)
237 		: "0" (rdv), "r" (rnv), "r" (rmv), "r" (rsv),
238 		  "1" (cpsr), [fn] "r" (asi->insn_fn)
239 		: "lr", "memory", "cc"
240 	);
241 
242 	regs->uregs[rd] = rdv;
243 	regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
244 }
245 
246 static void __kprobes
247 emulate_rd12rm0_noflags_nopc(probes_opcode_t insn,
248 	struct arch_probes_insn *asi, struct pt_regs *regs)
249 {
250 	int rd = (insn >> 12) & 0xf;
251 	int rm = insn & 0xf;
252 
253 	register unsigned long rdv asm("r0") = regs->uregs[rd];
254 	register unsigned long rmv asm("r3") = regs->uregs[rm];
255 
256 	__asm__ __volatile__ (
257 		BLX("%[fn]")
258 		: "=r" (rdv)
259 		: "0" (rdv), "r" (rmv), [fn] "r" (asi->insn_fn)
260 		: "lr", "memory", "cc"
261 	);
262 
263 	regs->uregs[rd] = rdv;
264 }
265 
266 static void __kprobes
267 emulate_rdlo12rdhi16rn0rm8_rwflags_nopc(probes_opcode_t insn,
268 	struct arch_probes_insn *asi,
269 	struct pt_regs *regs)
270 {
271 	int rdlo = (insn >> 12) & 0xf;
272 	int rdhi = (insn >> 16) & 0xf;
273 	int rn = insn & 0xf;
274 	int rm = (insn >> 8) & 0xf;
275 
276 	register unsigned long rdlov asm("r0") = regs->uregs[rdlo];
277 	register unsigned long rdhiv asm("r2") = regs->uregs[rdhi];
278 	register unsigned long rnv asm("r3") = regs->uregs[rn];
279 	register unsigned long rmv asm("r1") = regs->uregs[rm];
280 	unsigned long cpsr = regs->ARM_cpsr;
281 
282 	__asm__ __volatile__ (
283 		"msr	cpsr_fs, %[cpsr]	\n\t"
284 		BLX("%[fn]")
285 		"mrs	%[cpsr], cpsr		\n\t"
286 		: "=r" (rdlov), "=r" (rdhiv), [cpsr] "=r" (cpsr)
287 		: "0" (rdlov), "1" (rdhiv), "r" (rnv), "r" (rmv),
288 		  "2" (cpsr), [fn] "r" (asi->insn_fn)
289 		: "lr", "memory", "cc"
290 	);
291 
292 	regs->uregs[rdlo] = rdlov;
293 	regs->uregs[rdhi] = rdhiv;
294 	regs->ARM_cpsr = (regs->ARM_cpsr & ~APSR_MASK) | (cpsr & APSR_MASK);
295 }
296 
297 const union decode_action kprobes_arm_actions[NUM_PROBES_ARM_ACTIONS] = {
298 	[PROBES_PRELOAD_IMM] = {.handler = probes_simulate_nop},
299 	[PROBES_PRELOAD_REG] = {.handler = probes_simulate_nop},
300 	[PROBES_BRANCH_IMM] = {.handler = simulate_blx1},
301 	[PROBES_MRS] = {.handler = simulate_mrs},
302 	[PROBES_BRANCH_REG] = {.handler = simulate_blx2bx},
303 	[PROBES_CLZ] = {.handler = emulate_rd12rm0_noflags_nopc},
304 	[PROBES_SATURATING_ARITHMETIC] = {
305 		.handler = emulate_rd12rn16rm0_rwflags_nopc},
306 	[PROBES_MUL1] = {.handler = emulate_rdlo12rdhi16rn0rm8_rwflags_nopc},
307 	[PROBES_MUL2] = {.handler = emulate_rd16rn12rm0rs8_rwflags_nopc},
308 	[PROBES_SWP] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
309 	[PROBES_LDRSTRD] = {.handler = emulate_ldrdstrd},
310 	[PROBES_LOAD_EXTRA] = {.handler = emulate_ldr},
311 	[PROBES_LOAD] = {.handler = emulate_ldr},
312 	[PROBES_STORE_EXTRA] = {.handler = emulate_str},
313 	[PROBES_STORE] = {.handler = emulate_str},
314 	[PROBES_MOV_IP_SP] = {.handler = simulate_mov_ipsp},
315 	[PROBES_DATA_PROCESSING_REG] = {
316 		.handler = emulate_rd12rn16rm0rs8_rwflags},
317 	[PROBES_DATA_PROCESSING_IMM] = {
318 		.handler = emulate_rd12rn16rm0rs8_rwflags},
319 	[PROBES_MOV_HALFWORD] = {.handler = emulate_rd12rm0_noflags_nopc},
320 	[PROBES_SEV] = {.handler = probes_emulate_none},
321 	[PROBES_WFE] = {.handler = probes_simulate_nop},
322 	[PROBES_SATURATE] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
323 	[PROBES_REV] = {.handler = emulate_rd12rm0_noflags_nopc},
324 	[PROBES_MMI] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
325 	[PROBES_PACK] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
326 	[PROBES_EXTEND] = {.handler = emulate_rd12rm0_noflags_nopc},
327 	[PROBES_EXTEND_ADD] = {.handler = emulate_rd12rn16rm0_rwflags_nopc},
328 	[PROBES_MUL_ADD_LONG] = {
329 		.handler = emulate_rdlo12rdhi16rn0rm8_rwflags_nopc},
330 	[PROBES_MUL_ADD] = {.handler = emulate_rd16rn12rm0rs8_rwflags_nopc},
331 	[PROBES_BITFIELD] = {.handler = emulate_rd12rm0_noflags_nopc},
332 	[PROBES_BRANCH] = {.handler = simulate_bbl},
333 	[PROBES_LDMSTM] = {.decoder = kprobe_decode_ldmstm}
334 };
335 
336 const struct decode_checker *kprobes_arm_checkers[] = {arm_stack_checker, arm_regs_checker, NULL};
337