xref: /openbmc/linux/arch/arm/probes/kprobes/core.c (revision e7bae9bb)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * arch/arm/kernel/kprobes.c
4  *
5  * Kprobes on ARM
6  *
7  * Abhishek Sagar <sagar.abhishek@gmail.com>
8  * Copyright (C) 2006, 2007 Motorola Inc.
9  *
10  * Nicolas Pitre <nico@marvell.com>
11  * Copyright (C) 2007 Marvell Ltd.
12  */
13 
14 #include <linux/kernel.h>
15 #include <linux/kprobes.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18 #include <linux/stop_machine.h>
19 #include <linux/sched/debug.h>
20 #include <linux/stringify.h>
21 #include <asm/traps.h>
22 #include <asm/opcodes.h>
23 #include <asm/cacheflush.h>
24 #include <linux/percpu.h>
25 #include <linux/bug.h>
26 #include <asm/patch.h>
27 #include <asm/sections.h>
28 
29 #include "../decode-arm.h"
30 #include "../decode-thumb.h"
31 #include "core.h"
32 
33 #define MIN_STACK_SIZE(addr) 				\
34 	min((unsigned long)MAX_STACK_SIZE,		\
35 	    (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
36 
37 #define flush_insns(addr, size)				\
38 	flush_icache_range((unsigned long)(addr),	\
39 			   (unsigned long)(addr) +	\
40 			   (size))
41 
42 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
43 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
44 
45 
46 int __kprobes arch_prepare_kprobe(struct kprobe *p)
47 {
48 	kprobe_opcode_t insn;
49 	kprobe_opcode_t tmp_insn[MAX_INSN_SIZE];
50 	unsigned long addr = (unsigned long)p->addr;
51 	bool thumb;
52 	kprobe_decode_insn_t *decode_insn;
53 	const union decode_action *actions;
54 	int is;
55 	const struct decode_checker **checkers;
56 
57 #ifdef CONFIG_THUMB2_KERNEL
58 	thumb = true;
59 	addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */
60 	insn = __mem_to_opcode_thumb16(((u16 *)addr)[0]);
61 	if (is_wide_instruction(insn)) {
62 		u16 inst2 = __mem_to_opcode_thumb16(((u16 *)addr)[1]);
63 		insn = __opcode_thumb32_compose(insn, inst2);
64 		decode_insn = thumb32_probes_decode_insn;
65 		actions = kprobes_t32_actions;
66 		checkers = kprobes_t32_checkers;
67 	} else {
68 		decode_insn = thumb16_probes_decode_insn;
69 		actions = kprobes_t16_actions;
70 		checkers = kprobes_t16_checkers;
71 	}
72 #else /* !CONFIG_THUMB2_KERNEL */
73 	thumb = false;
74 	if (addr & 0x3)
75 		return -EINVAL;
76 	insn = __mem_to_opcode_arm(*p->addr);
77 	decode_insn = arm_probes_decode_insn;
78 	actions = kprobes_arm_actions;
79 	checkers = kprobes_arm_checkers;
80 #endif
81 
82 	p->opcode = insn;
83 	p->ainsn.insn = tmp_insn;
84 
85 	switch ((*decode_insn)(insn, &p->ainsn, true, actions, checkers)) {
86 	case INSN_REJECTED:	/* not supported */
87 		return -EINVAL;
88 
89 	case INSN_GOOD:		/* instruction uses slot */
90 		p->ainsn.insn = get_insn_slot();
91 		if (!p->ainsn.insn)
92 			return -ENOMEM;
93 		for (is = 0; is < MAX_INSN_SIZE; ++is)
94 			p->ainsn.insn[is] = tmp_insn[is];
95 		flush_insns(p->ainsn.insn,
96 				sizeof(p->ainsn.insn[0]) * MAX_INSN_SIZE);
97 		p->ainsn.insn_fn = (probes_insn_fn_t *)
98 					((uintptr_t)p->ainsn.insn | thumb);
99 		break;
100 
101 	case INSN_GOOD_NO_SLOT:	/* instruction doesn't need insn slot */
102 		p->ainsn.insn = NULL;
103 		break;
104 	}
105 
106 	/*
107 	 * Never instrument insn like 'str r0, [sp, +/-r1]'. Also, insn likes
108 	 * 'str r0, [sp, #-68]' should also be prohibited.
109 	 * See __und_svc.
110 	 */
111 	if ((p->ainsn.stack_space < 0) ||
112 			(p->ainsn.stack_space > MAX_STACK_SIZE))
113 		return -EINVAL;
114 
115 	return 0;
116 }
117 
118 void __kprobes arch_arm_kprobe(struct kprobe *p)
119 {
120 	unsigned int brkp;
121 	void *addr;
122 
123 	if (IS_ENABLED(CONFIG_THUMB2_KERNEL)) {
124 		/* Remove any Thumb flag */
125 		addr = (void *)((uintptr_t)p->addr & ~1);
126 
127 		if (is_wide_instruction(p->opcode))
128 			brkp = KPROBE_THUMB32_BREAKPOINT_INSTRUCTION;
129 		else
130 			brkp = KPROBE_THUMB16_BREAKPOINT_INSTRUCTION;
131 	} else {
132 		kprobe_opcode_t insn = p->opcode;
133 
134 		addr = p->addr;
135 		brkp = KPROBE_ARM_BREAKPOINT_INSTRUCTION;
136 
137 		if (insn >= 0xe0000000)
138 			brkp |= 0xe0000000;  /* Unconditional instruction */
139 		else
140 			brkp |= insn & 0xf0000000;  /* Copy condition from insn */
141 	}
142 
143 	patch_text(addr, brkp);
144 }
145 
146 /*
147  * The actual disarming is done here on each CPU and synchronized using
148  * stop_machine. This synchronization is necessary on SMP to avoid removing
149  * a probe between the moment the 'Undefined Instruction' exception is raised
150  * and the moment the exception handler reads the faulting instruction from
151  * memory. It is also needed to atomically set the two half-words of a 32-bit
152  * Thumb breakpoint.
153  */
154 struct patch {
155 	void *addr;
156 	unsigned int insn;
157 };
158 
159 static int __kprobes_remove_breakpoint(void *data)
160 {
161 	struct patch *p = data;
162 	__patch_text(p->addr, p->insn);
163 	return 0;
164 }
165 
166 void __kprobes kprobes_remove_breakpoint(void *addr, unsigned int insn)
167 {
168 	struct patch p = {
169 		.addr = addr,
170 		.insn = insn,
171 	};
172 	stop_machine_cpuslocked(__kprobes_remove_breakpoint, &p,
173 				cpu_online_mask);
174 }
175 
176 void __kprobes arch_disarm_kprobe(struct kprobe *p)
177 {
178 	kprobes_remove_breakpoint((void *)((uintptr_t)p->addr & ~1),
179 			p->opcode);
180 }
181 
182 void __kprobes arch_remove_kprobe(struct kprobe *p)
183 {
184 	if (p->ainsn.insn) {
185 		free_insn_slot(p->ainsn.insn, 0);
186 		p->ainsn.insn = NULL;
187 	}
188 }
189 
190 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
191 {
192 	kcb->prev_kprobe.kp = kprobe_running();
193 	kcb->prev_kprobe.status = kcb->kprobe_status;
194 }
195 
196 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
197 {
198 	__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
199 	kcb->kprobe_status = kcb->prev_kprobe.status;
200 }
201 
202 static void __kprobes set_current_kprobe(struct kprobe *p)
203 {
204 	__this_cpu_write(current_kprobe, p);
205 }
206 
207 static void __kprobes
208 singlestep_skip(struct kprobe *p, struct pt_regs *regs)
209 {
210 #ifdef CONFIG_THUMB2_KERNEL
211 	regs->ARM_cpsr = it_advance(regs->ARM_cpsr);
212 	if (is_wide_instruction(p->opcode))
213 		regs->ARM_pc += 4;
214 	else
215 		regs->ARM_pc += 2;
216 #else
217 	regs->ARM_pc += 4;
218 #endif
219 }
220 
221 static inline void __kprobes
222 singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
223 {
224 	p->ainsn.insn_singlestep(p->opcode, &p->ainsn, regs);
225 }
226 
227 /*
228  * Called with IRQs disabled. IRQs must remain disabled from that point
229  * all the way until processing this kprobe is complete.  The current
230  * kprobes implementation cannot process more than one nested level of
231  * kprobe, and that level is reserved for user kprobe handlers, so we can't
232  * risk encountering a new kprobe in an interrupt handler.
233  */
234 void __kprobes kprobe_handler(struct pt_regs *regs)
235 {
236 	struct kprobe *p, *cur;
237 	struct kprobe_ctlblk *kcb;
238 
239 	kcb = get_kprobe_ctlblk();
240 	cur = kprobe_running();
241 
242 #ifdef CONFIG_THUMB2_KERNEL
243 	/*
244 	 * First look for a probe which was registered using an address with
245 	 * bit 0 set, this is the usual situation for pointers to Thumb code.
246 	 * If not found, fallback to looking for one with bit 0 clear.
247 	 */
248 	p = get_kprobe((kprobe_opcode_t *)(regs->ARM_pc | 1));
249 	if (!p)
250 		p = get_kprobe((kprobe_opcode_t *)regs->ARM_pc);
251 
252 #else /* ! CONFIG_THUMB2_KERNEL */
253 	p = get_kprobe((kprobe_opcode_t *)regs->ARM_pc);
254 #endif
255 
256 	if (p) {
257 		if (!p->ainsn.insn_check_cc(regs->ARM_cpsr)) {
258 			/*
259 			 * Probe hit but conditional execution check failed,
260 			 * so just skip the instruction and continue as if
261 			 * nothing had happened.
262 			 * In this case, we can skip recursing check too.
263 			 */
264 			singlestep_skip(p, regs);
265 		} else if (cur) {
266 			/* Kprobe is pending, so we're recursing. */
267 			switch (kcb->kprobe_status) {
268 			case KPROBE_HIT_ACTIVE:
269 			case KPROBE_HIT_SSDONE:
270 			case KPROBE_HIT_SS:
271 				/* A pre- or post-handler probe got us here. */
272 				kprobes_inc_nmissed_count(p);
273 				save_previous_kprobe(kcb);
274 				set_current_kprobe(p);
275 				kcb->kprobe_status = KPROBE_REENTER;
276 				singlestep(p, regs, kcb);
277 				restore_previous_kprobe(kcb);
278 				break;
279 			case KPROBE_REENTER:
280 				/* A nested probe was hit in FIQ, it is a BUG */
281 				pr_warn("Unrecoverable kprobe detected.\n");
282 				dump_kprobe(p);
283 				fallthrough;
284 			default:
285 				/* impossible cases */
286 				BUG();
287 			}
288 		} else {
289 			/* Probe hit and conditional execution check ok. */
290 			set_current_kprobe(p);
291 			kcb->kprobe_status = KPROBE_HIT_ACTIVE;
292 
293 			/*
294 			 * If we have no pre-handler or it returned 0, we
295 			 * continue with normal processing. If we have a
296 			 * pre-handler and it returned non-zero, it will
297 			 * modify the execution path and no need to single
298 			 * stepping. Let's just reset current kprobe and exit.
299 			 */
300 			if (!p->pre_handler || !p->pre_handler(p, regs)) {
301 				kcb->kprobe_status = KPROBE_HIT_SS;
302 				singlestep(p, regs, kcb);
303 				if (p->post_handler) {
304 					kcb->kprobe_status = KPROBE_HIT_SSDONE;
305 					p->post_handler(p, regs, 0);
306 				}
307 			}
308 			reset_current_kprobe();
309 		}
310 	} else {
311 		/*
312 		 * The probe was removed and a race is in progress.
313 		 * There is nothing we can do about it.  Let's restart
314 		 * the instruction.  By the time we can restart, the
315 		 * real instruction will be there.
316 		 */
317 	}
318 }
319 
320 static int __kprobes kprobe_trap_handler(struct pt_regs *regs, unsigned int instr)
321 {
322 	unsigned long flags;
323 	local_irq_save(flags);
324 	kprobe_handler(regs);
325 	local_irq_restore(flags);
326 	return 0;
327 }
328 
329 int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
330 {
331 	struct kprobe *cur = kprobe_running();
332 	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
333 
334 	switch (kcb->kprobe_status) {
335 	case KPROBE_HIT_SS:
336 	case KPROBE_REENTER:
337 		/*
338 		 * We are here because the instruction being single
339 		 * stepped caused a page fault. We reset the current
340 		 * kprobe and the PC to point back to the probe address
341 		 * and allow the page fault handler to continue as a
342 		 * normal page fault.
343 		 */
344 		regs->ARM_pc = (long)cur->addr;
345 		if (kcb->kprobe_status == KPROBE_REENTER) {
346 			restore_previous_kprobe(kcb);
347 		} else {
348 			reset_current_kprobe();
349 		}
350 		break;
351 
352 	case KPROBE_HIT_ACTIVE:
353 	case KPROBE_HIT_SSDONE:
354 		/*
355 		 * We increment the nmissed count for accounting,
356 		 * we can also use npre/npostfault count for accounting
357 		 * these specific fault cases.
358 		 */
359 		kprobes_inc_nmissed_count(cur);
360 
361 		/*
362 		 * We come here because instructions in the pre/post
363 		 * handler caused the page_fault, this could happen
364 		 * if handler tries to access user space by
365 		 * copy_from_user(), get_user() etc. Let the
366 		 * user-specified handler try to fix it.
367 		 */
368 		if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
369 			return 1;
370 		break;
371 
372 	default:
373 		break;
374 	}
375 
376 	return 0;
377 }
378 
379 int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
380 				       unsigned long val, void *data)
381 {
382 	/*
383 	 * notify_die() is currently never called on ARM,
384 	 * so this callback is currently empty.
385 	 */
386 	return NOTIFY_DONE;
387 }
388 
389 /*
390  * When a retprobed function returns, trampoline_handler() is called,
391  * calling the kretprobe's handler. We construct a struct pt_regs to
392  * give a view of registers r0-r11 to the user return-handler.  This is
393  * not a complete pt_regs structure, but that should be plenty sufficient
394  * for kretprobe handlers which should normally be interested in r0 only
395  * anyway.
396  */
397 void __naked __kprobes kretprobe_trampoline(void)
398 {
399 	__asm__ __volatile__ (
400 		"stmdb	sp!, {r0 - r11}		\n\t"
401 		"mov	r0, sp			\n\t"
402 		"bl	trampoline_handler	\n\t"
403 		"mov	lr, r0			\n\t"
404 		"ldmia	sp!, {r0 - r11}		\n\t"
405 #ifdef CONFIG_THUMB2_KERNEL
406 		"bx	lr			\n\t"
407 #else
408 		"mov	pc, lr			\n\t"
409 #endif
410 		: : : "memory");
411 }
412 
413 /* Called from kretprobe_trampoline */
414 static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
415 {
416 	struct kretprobe_instance *ri = NULL;
417 	struct hlist_head *head, empty_rp;
418 	struct hlist_node *tmp;
419 	unsigned long flags, orig_ret_address = 0;
420 	unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
421 	kprobe_opcode_t *correct_ret_addr = NULL;
422 
423 	INIT_HLIST_HEAD(&empty_rp);
424 	kretprobe_hash_lock(current, &head, &flags);
425 
426 	/*
427 	 * It is possible to have multiple instances associated with a given
428 	 * task either because multiple functions in the call path have
429 	 * a return probe installed on them, and/or more than one return
430 	 * probe was registered for a target function.
431 	 *
432 	 * We can handle this because:
433 	 *     - instances are always inserted at the head of the list
434 	 *     - when multiple return probes are registered for the same
435 	 *       function, the first instance's ret_addr will point to the
436 	 *       real return address, and all the rest will point to
437 	 *       kretprobe_trampoline
438 	 */
439 	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
440 		if (ri->task != current)
441 			/* another task is sharing our hash bucket */
442 			continue;
443 
444 		orig_ret_address = (unsigned long)ri->ret_addr;
445 
446 		if (orig_ret_address != trampoline_address)
447 			/*
448 			 * This is the real return address. Any other
449 			 * instances associated with this task are for
450 			 * other calls deeper on the call stack
451 			 */
452 			break;
453 	}
454 
455 	kretprobe_assert(ri, orig_ret_address, trampoline_address);
456 
457 	correct_ret_addr = ri->ret_addr;
458 	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
459 		if (ri->task != current)
460 			/* another task is sharing our hash bucket */
461 			continue;
462 
463 		orig_ret_address = (unsigned long)ri->ret_addr;
464 		if (ri->rp && ri->rp->handler) {
465 			__this_cpu_write(current_kprobe, &ri->rp->kp);
466 			get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
467 			ri->ret_addr = correct_ret_addr;
468 			ri->rp->handler(ri, regs);
469 			__this_cpu_write(current_kprobe, NULL);
470 		}
471 
472 		recycle_rp_inst(ri, &empty_rp);
473 
474 		if (orig_ret_address != trampoline_address)
475 			/*
476 			 * This is the real return address. Any other
477 			 * instances associated with this task are for
478 			 * other calls deeper on the call stack
479 			 */
480 			break;
481 	}
482 
483 	kretprobe_hash_unlock(current, &flags);
484 
485 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
486 		hlist_del(&ri->hlist);
487 		kfree(ri);
488 	}
489 
490 	return (void *)orig_ret_address;
491 }
492 
493 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
494 				      struct pt_regs *regs)
495 {
496 	ri->ret_addr = (kprobe_opcode_t *)regs->ARM_lr;
497 
498 	/* Replace the return addr with trampoline addr. */
499 	regs->ARM_lr = (unsigned long)&kretprobe_trampoline;
500 }
501 
502 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
503 {
504 	return 0;
505 }
506 
507 #ifdef CONFIG_THUMB2_KERNEL
508 
509 static struct undef_hook kprobes_thumb16_break_hook = {
510 	.instr_mask	= 0xffff,
511 	.instr_val	= KPROBE_THUMB16_BREAKPOINT_INSTRUCTION,
512 	.cpsr_mask	= MODE_MASK,
513 	.cpsr_val	= SVC_MODE,
514 	.fn		= kprobe_trap_handler,
515 };
516 
517 static struct undef_hook kprobes_thumb32_break_hook = {
518 	.instr_mask	= 0xffffffff,
519 	.instr_val	= KPROBE_THUMB32_BREAKPOINT_INSTRUCTION,
520 	.cpsr_mask	= MODE_MASK,
521 	.cpsr_val	= SVC_MODE,
522 	.fn		= kprobe_trap_handler,
523 };
524 
525 #else  /* !CONFIG_THUMB2_KERNEL */
526 
527 static struct undef_hook kprobes_arm_break_hook = {
528 	.instr_mask	= 0x0fffffff,
529 	.instr_val	= KPROBE_ARM_BREAKPOINT_INSTRUCTION,
530 	.cpsr_mask	= MODE_MASK,
531 	.cpsr_val	= SVC_MODE,
532 	.fn		= kprobe_trap_handler,
533 };
534 
535 #endif /* !CONFIG_THUMB2_KERNEL */
536 
537 int __init arch_init_kprobes()
538 {
539 	arm_probes_decode_init();
540 #ifdef CONFIG_THUMB2_KERNEL
541 	register_undef_hook(&kprobes_thumb16_break_hook);
542 	register_undef_hook(&kprobes_thumb32_break_hook);
543 #else
544 	register_undef_hook(&kprobes_arm_break_hook);
545 #endif
546 	return 0;
547 }
548 
549 bool arch_within_kprobe_blacklist(unsigned long addr)
550 {
551 	void *a = (void *)addr;
552 
553 	return __in_irqentry_text(addr) ||
554 	       in_entry_text(addr) ||
555 	       in_idmap_text(addr) ||
556 	       memory_contains(__kprobes_text_start, __kprobes_text_end, a, 1);
557 }
558