1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * arch/arm64/kernel/probes/kprobes.c 4 * 5 * Kprobes support for ARM64 6 * 7 * Copyright (C) 2013 Linaro Limited. 8 * Author: Sandeepa Prabhu <sandeepa.prabhu@linaro.org> 9 */ 10 #include <linux/kasan.h> 11 #include <linux/kernel.h> 12 #include <linux/kprobes.h> 13 #include <linux/extable.h> 14 #include <linux/slab.h> 15 #include <linux/stop_machine.h> 16 #include <linux/sched/debug.h> 17 #include <linux/set_memory.h> 18 #include <linux/stringify.h> 19 #include <linux/vmalloc.h> 20 #include <asm/traps.h> 21 #include <asm/ptrace.h> 22 #include <asm/cacheflush.h> 23 #include <asm/debug-monitors.h> 24 #include <asm/daifflags.h> 25 #include <asm/system_misc.h> 26 #include <asm/insn.h> 27 #include <linux/uaccess.h> 28 #include <asm/irq.h> 29 #include <asm/sections.h> 30 31 #include "decode-insn.h" 32 33 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; 34 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 35 36 static void __kprobes 37 post_kprobe_handler(struct kprobe_ctlblk *, struct pt_regs *); 38 39 static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode) 40 { 41 void *addrs[1]; 42 u32 insns[1]; 43 44 addrs[0] = addr; 45 insns[0] = opcode; 46 47 return aarch64_insn_patch_text(addrs, insns, 1); 48 } 49 50 static void __kprobes arch_prepare_ss_slot(struct kprobe *p) 51 { 52 /* prepare insn slot */ 53 patch_text(p->ainsn.api.insn, p->opcode); 54 55 flush_icache_range((uintptr_t) (p->ainsn.api.insn), 56 (uintptr_t) (p->ainsn.api.insn) + 57 MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); 58 59 /* 60 * Needs restoring of return address after stepping xol. 61 */ 62 p->ainsn.api.restore = (unsigned long) p->addr + 63 sizeof(kprobe_opcode_t); 64 } 65 66 static void __kprobes arch_prepare_simulate(struct kprobe *p) 67 { 68 /* This instructions is not executed xol. No need to adjust the PC */ 69 p->ainsn.api.restore = 0; 70 } 71 72 static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs) 73 { 74 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 75 76 if (p->ainsn.api.handler) 77 p->ainsn.api.handler((u32)p->opcode, (long)p->addr, regs); 78 79 /* single step simulated, now go for post processing */ 80 post_kprobe_handler(kcb, regs); 81 } 82 83 int __kprobes arch_prepare_kprobe(struct kprobe *p) 84 { 85 unsigned long probe_addr = (unsigned long)p->addr; 86 87 if (probe_addr & 0x3) 88 return -EINVAL; 89 90 /* copy instruction */ 91 p->opcode = le32_to_cpu(*p->addr); 92 93 if (search_exception_tables(probe_addr)) 94 return -EINVAL; 95 96 /* decode instruction */ 97 switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) { 98 case INSN_REJECTED: /* insn not supported */ 99 return -EINVAL; 100 101 case INSN_GOOD_NO_SLOT: /* insn need simulation */ 102 p->ainsn.api.insn = NULL; 103 break; 104 105 case INSN_GOOD: /* instruction uses slot */ 106 p->ainsn.api.insn = get_insn_slot(); 107 if (!p->ainsn.api.insn) 108 return -ENOMEM; 109 break; 110 } 111 112 /* prepare the instruction */ 113 if (p->ainsn.api.insn) 114 arch_prepare_ss_slot(p); 115 else 116 arch_prepare_simulate(p); 117 118 return 0; 119 } 120 121 void *alloc_insn_page(void) 122 { 123 void *page; 124 125 page = vmalloc_exec(PAGE_SIZE); 126 if (page) { 127 set_memory_ro((unsigned long)page, 1); 128 set_vm_flush_reset_perms(page); 129 } 130 131 return page; 132 } 133 134 /* arm kprobe: install breakpoint in text */ 135 void __kprobes arch_arm_kprobe(struct kprobe *p) 136 { 137 patch_text(p->addr, BRK64_OPCODE_KPROBES); 138 } 139 140 /* disarm kprobe: remove breakpoint from text */ 141 void __kprobes arch_disarm_kprobe(struct kprobe *p) 142 { 143 patch_text(p->addr, p->opcode); 144 } 145 146 void __kprobes arch_remove_kprobe(struct kprobe *p) 147 { 148 if (p->ainsn.api.insn) { 149 free_insn_slot(p->ainsn.api.insn, 0); 150 p->ainsn.api.insn = NULL; 151 } 152 } 153 154 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb) 155 { 156 kcb->prev_kprobe.kp = kprobe_running(); 157 kcb->prev_kprobe.status = kcb->kprobe_status; 158 } 159 160 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb) 161 { 162 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); 163 kcb->kprobe_status = kcb->prev_kprobe.status; 164 } 165 166 static void __kprobes set_current_kprobe(struct kprobe *p) 167 { 168 __this_cpu_write(current_kprobe, p); 169 } 170 171 /* 172 * Interrupts need to be disabled before single-step mode is set, and not 173 * reenabled until after single-step mode ends. 174 * Without disabling interrupt on local CPU, there is a chance of 175 * interrupt occurrence in the period of exception return and start of 176 * out-of-line single-step, that result in wrongly single stepping 177 * into the interrupt handler. 178 */ 179 static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb, 180 struct pt_regs *regs) 181 { 182 kcb->saved_irqflag = regs->pstate & DAIF_MASK; 183 regs->pstate |= PSR_I_BIT; 184 /* Unmask PSTATE.D for enabling software step exceptions. */ 185 regs->pstate &= ~PSR_D_BIT; 186 } 187 188 static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb, 189 struct pt_regs *regs) 190 { 191 regs->pstate &= ~DAIF_MASK; 192 regs->pstate |= kcb->saved_irqflag; 193 } 194 195 static void __kprobes 196 set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr) 197 { 198 kcb->ss_ctx.ss_pending = true; 199 kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t); 200 } 201 202 static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb) 203 { 204 kcb->ss_ctx.ss_pending = false; 205 kcb->ss_ctx.match_addr = 0; 206 } 207 208 static void __kprobes setup_singlestep(struct kprobe *p, 209 struct pt_regs *regs, 210 struct kprobe_ctlblk *kcb, int reenter) 211 { 212 unsigned long slot; 213 214 if (reenter) { 215 save_previous_kprobe(kcb); 216 set_current_kprobe(p); 217 kcb->kprobe_status = KPROBE_REENTER; 218 } else { 219 kcb->kprobe_status = KPROBE_HIT_SS; 220 } 221 222 223 if (p->ainsn.api.insn) { 224 /* prepare for single stepping */ 225 slot = (unsigned long)p->ainsn.api.insn; 226 227 set_ss_context(kcb, slot); /* mark pending ss */ 228 229 /* IRQs and single stepping do not mix well. */ 230 kprobes_save_local_irqflag(kcb, regs); 231 kernel_enable_single_step(regs); 232 instruction_pointer_set(regs, slot); 233 } else { 234 /* insn simulation */ 235 arch_simulate_insn(p, regs); 236 } 237 } 238 239 static int __kprobes reenter_kprobe(struct kprobe *p, 240 struct pt_regs *regs, 241 struct kprobe_ctlblk *kcb) 242 { 243 switch (kcb->kprobe_status) { 244 case KPROBE_HIT_SSDONE: 245 case KPROBE_HIT_ACTIVE: 246 kprobes_inc_nmissed_count(p); 247 setup_singlestep(p, regs, kcb, 1); 248 break; 249 case KPROBE_HIT_SS: 250 case KPROBE_REENTER: 251 pr_warn("Unrecoverable kprobe detected.\n"); 252 dump_kprobe(p); 253 BUG(); 254 break; 255 default: 256 WARN_ON(1); 257 return 0; 258 } 259 260 return 1; 261 } 262 263 static void __kprobes 264 post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs) 265 { 266 struct kprobe *cur = kprobe_running(); 267 268 if (!cur) 269 return; 270 271 /* return addr restore if non-branching insn */ 272 if (cur->ainsn.api.restore != 0) 273 instruction_pointer_set(regs, cur->ainsn.api.restore); 274 275 /* restore back original saved kprobe variables and continue */ 276 if (kcb->kprobe_status == KPROBE_REENTER) { 277 restore_previous_kprobe(kcb); 278 return; 279 } 280 /* call post handler */ 281 kcb->kprobe_status = KPROBE_HIT_SSDONE; 282 if (cur->post_handler) { 283 /* post_handler can hit breakpoint and single step 284 * again, so we enable D-flag for recursive exception. 285 */ 286 cur->post_handler(cur, regs, 0); 287 } 288 289 reset_current_kprobe(); 290 } 291 292 int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr) 293 { 294 struct kprobe *cur = kprobe_running(); 295 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 296 297 switch (kcb->kprobe_status) { 298 case KPROBE_HIT_SS: 299 case KPROBE_REENTER: 300 /* 301 * We are here because the instruction being single 302 * stepped caused a page fault. We reset the current 303 * kprobe and the ip points back to the probe address 304 * and allow the page fault handler to continue as a 305 * normal page fault. 306 */ 307 instruction_pointer_set(regs, (unsigned long) cur->addr); 308 if (!instruction_pointer(regs)) 309 BUG(); 310 311 kernel_disable_single_step(); 312 313 if (kcb->kprobe_status == KPROBE_REENTER) 314 restore_previous_kprobe(kcb); 315 else 316 reset_current_kprobe(); 317 318 break; 319 case KPROBE_HIT_ACTIVE: 320 case KPROBE_HIT_SSDONE: 321 /* 322 * We increment the nmissed count for accounting, 323 * we can also use npre/npostfault count for accounting 324 * these specific fault cases. 325 */ 326 kprobes_inc_nmissed_count(cur); 327 328 /* 329 * We come here because instructions in the pre/post 330 * handler caused the page_fault, this could happen 331 * if handler tries to access user space by 332 * copy_from_user(), get_user() etc. Let the 333 * user-specified handler try to fix it first. 334 */ 335 if (cur->fault_handler && cur->fault_handler(cur, regs, fsr)) 336 return 1; 337 338 /* 339 * In case the user-specified fault handler returned 340 * zero, try to fix up. 341 */ 342 if (fixup_exception(regs)) 343 return 1; 344 } 345 return 0; 346 } 347 348 static void __kprobes kprobe_handler(struct pt_regs *regs) 349 { 350 struct kprobe *p, *cur_kprobe; 351 struct kprobe_ctlblk *kcb; 352 unsigned long addr = instruction_pointer(regs); 353 354 kcb = get_kprobe_ctlblk(); 355 cur_kprobe = kprobe_running(); 356 357 p = get_kprobe((kprobe_opcode_t *) addr); 358 359 if (p) { 360 if (cur_kprobe) { 361 if (reenter_kprobe(p, regs, kcb)) 362 return; 363 } else { 364 /* Probe hit */ 365 set_current_kprobe(p); 366 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 367 368 /* 369 * If we have no pre-handler or it returned 0, we 370 * continue with normal processing. If we have a 371 * pre-handler and it returned non-zero, it will 372 * modify the execution path and no need to single 373 * stepping. Let's just reset current kprobe and exit. 374 * 375 * pre_handler can hit a breakpoint and can step thru 376 * before return, keep PSTATE D-flag enabled until 377 * pre_handler return back. 378 */ 379 if (!p->pre_handler || !p->pre_handler(p, regs)) { 380 setup_singlestep(p, regs, kcb, 0); 381 } else 382 reset_current_kprobe(); 383 } 384 } 385 /* 386 * The breakpoint instruction was removed right 387 * after we hit it. Another cpu has removed 388 * either a probepoint or a debugger breakpoint 389 * at this address. In either case, no further 390 * handling of this interrupt is appropriate. 391 * Return back to original instruction, and continue. 392 */ 393 } 394 395 static int __kprobes 396 kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr) 397 { 398 if ((kcb->ss_ctx.ss_pending) 399 && (kcb->ss_ctx.match_addr == addr)) { 400 clear_ss_context(kcb); /* clear pending ss */ 401 return DBG_HOOK_HANDLED; 402 } 403 /* not ours, kprobes should ignore it */ 404 return DBG_HOOK_ERROR; 405 } 406 407 static int __kprobes 408 kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr) 409 { 410 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 411 int retval; 412 413 /* return error if this is not our step */ 414 retval = kprobe_ss_hit(kcb, instruction_pointer(regs)); 415 416 if (retval == DBG_HOOK_HANDLED) { 417 kprobes_restore_local_irqflag(kcb, regs); 418 kernel_disable_single_step(); 419 420 post_kprobe_handler(kcb, regs); 421 } 422 423 return retval; 424 } 425 426 static struct step_hook kprobes_step_hook = { 427 .fn = kprobe_single_step_handler, 428 }; 429 430 static int __kprobes 431 kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr) 432 { 433 kprobe_handler(regs); 434 return DBG_HOOK_HANDLED; 435 } 436 437 static struct break_hook kprobes_break_hook = { 438 .imm = KPROBES_BRK_IMM, 439 .fn = kprobe_breakpoint_handler, 440 }; 441 442 /* 443 * Provide a blacklist of symbols identifying ranges which cannot be kprobed. 444 * This blacklist is exposed to userspace via debugfs (kprobes/blacklist). 445 */ 446 int __init arch_populate_kprobe_blacklist(void) 447 { 448 int ret; 449 450 ret = kprobe_add_area_blacklist((unsigned long)__entry_text_start, 451 (unsigned long)__entry_text_end); 452 if (ret) 453 return ret; 454 ret = kprobe_add_area_blacklist((unsigned long)__irqentry_text_start, 455 (unsigned long)__irqentry_text_end); 456 if (ret) 457 return ret; 458 ret = kprobe_add_area_blacklist((unsigned long)__idmap_text_start, 459 (unsigned long)__idmap_text_end); 460 if (ret) 461 return ret; 462 ret = kprobe_add_area_blacklist((unsigned long)__hyp_text_start, 463 (unsigned long)__hyp_text_end); 464 if (ret || is_kernel_in_hyp_mode()) 465 return ret; 466 ret = kprobe_add_area_blacklist((unsigned long)__hyp_idmap_text_start, 467 (unsigned long)__hyp_idmap_text_end); 468 return ret; 469 } 470 471 void __kprobes __used *trampoline_probe_handler(struct pt_regs *regs) 472 { 473 struct kretprobe_instance *ri = NULL; 474 struct hlist_head *head, empty_rp; 475 struct hlist_node *tmp; 476 unsigned long flags, orig_ret_address = 0; 477 unsigned long trampoline_address = 478 (unsigned long)&kretprobe_trampoline; 479 kprobe_opcode_t *correct_ret_addr = NULL; 480 481 INIT_HLIST_HEAD(&empty_rp); 482 kretprobe_hash_lock(current, &head, &flags); 483 484 /* 485 * It is possible to have multiple instances associated with a given 486 * task either because multiple functions in the call path have 487 * return probes installed on them, and/or more than one 488 * return probe was registered for a target function. 489 * 490 * We can handle this because: 491 * - instances are always pushed into the head of the list 492 * - when multiple return probes are registered for the same 493 * function, the (chronologically) first instance's ret_addr 494 * will be the real return address, and all the rest will 495 * point to kretprobe_trampoline. 496 */ 497 hlist_for_each_entry_safe(ri, tmp, head, hlist) { 498 if (ri->task != current) 499 /* another task is sharing our hash bucket */ 500 continue; 501 502 orig_ret_address = (unsigned long)ri->ret_addr; 503 504 if (orig_ret_address != trampoline_address) 505 /* 506 * This is the real return address. Any other 507 * instances associated with this task are for 508 * other calls deeper on the call stack 509 */ 510 break; 511 } 512 513 kretprobe_assert(ri, orig_ret_address, trampoline_address); 514 515 correct_ret_addr = ri->ret_addr; 516 hlist_for_each_entry_safe(ri, tmp, head, hlist) { 517 if (ri->task != current) 518 /* another task is sharing our hash bucket */ 519 continue; 520 521 orig_ret_address = (unsigned long)ri->ret_addr; 522 if (ri->rp && ri->rp->handler) { 523 __this_cpu_write(current_kprobe, &ri->rp->kp); 524 get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; 525 ri->ret_addr = correct_ret_addr; 526 ri->rp->handler(ri, regs); 527 __this_cpu_write(current_kprobe, NULL); 528 } 529 530 recycle_rp_inst(ri, &empty_rp); 531 532 if (orig_ret_address != trampoline_address) 533 /* 534 * This is the real return address. Any other 535 * instances associated with this task are for 536 * other calls deeper on the call stack 537 */ 538 break; 539 } 540 541 kretprobe_hash_unlock(current, &flags); 542 543 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { 544 hlist_del(&ri->hlist); 545 kfree(ri); 546 } 547 return (void *)orig_ret_address; 548 } 549 550 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, 551 struct pt_regs *regs) 552 { 553 ri->ret_addr = (kprobe_opcode_t *)regs->regs[30]; 554 555 /* replace return addr (x30) with trampoline */ 556 regs->regs[30] = (long)&kretprobe_trampoline; 557 } 558 559 int __kprobes arch_trampoline_kprobe(struct kprobe *p) 560 { 561 return 0; 562 } 563 564 int __init arch_init_kprobes(void) 565 { 566 register_kernel_break_hook(&kprobes_break_hook); 567 register_kernel_step_hook(&kprobes_step_hook); 568 569 return 0; 570 } 571