1 /* 2 * Kernel Probes (KProbes) 3 * arch/mips/kernel/kprobes.c 4 * 5 * Copyright 2006 Sony Corp. 6 * Copyright 2010 Cavium Networks 7 * 8 * Some portions copied from the powerpc version. 9 * 10 * Copyright (C) IBM Corporation, 2002, 2004 11 * 12 * This program is free software; you can redistribute it and/or modify 13 * it under the terms of the GNU General Public License as published by 14 * the Free Software Foundation; version 2 of the License. 15 * 16 * This program is distributed in the hope that it will be useful, 17 * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 * GNU General Public License for more details. 20 * 21 * You should have received a copy of the GNU General Public License 22 * along with this program; if not, write to the Free Software 23 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 24 */ 25 26 #include <linux/kprobes.h> 27 #include <linux/preempt.h> 28 #include <linux/uaccess.h> 29 #include <linux/kdebug.h> 30 #include <linux/slab.h> 31 32 #include <asm/ptrace.h> 33 #include <asm/branch.h> 34 #include <asm/break.h> 35 36 #include "probes-common.h" 37 38 static const union mips_instruction breakpoint_insn = { 39 .b_format = { 40 .opcode = spec_op, 41 .code = BRK_KPROBE_BP, 42 .func = break_op 43 } 44 }; 45 46 static const union mips_instruction breakpoint2_insn = { 47 .b_format = { 48 .opcode = spec_op, 49 .code = BRK_KPROBE_SSTEPBP, 50 .func = break_op 51 } 52 }; 53 54 DEFINE_PER_CPU(struct kprobe *, current_kprobe); 55 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 56 57 static int __kprobes insn_has_delayslot(union mips_instruction insn) 58 { 59 return __insn_has_delay_slot(insn); 60 } 61 62 /* 63 * insn_has_ll_or_sc function checks whether instruction is ll or sc 64 * one; putting breakpoint on top of atomic ll/sc pair is bad idea; 65 * so we need to prevent it and refuse kprobes insertion for such 66 * instructions; cannot do much about breakpoint in the middle of 67 * ll/sc pair; it is upto user to avoid those places 68 */ 69 static int __kprobes insn_has_ll_or_sc(union mips_instruction insn) 70 { 71 int ret = 0; 72 73 switch (insn.i_format.opcode) { 74 case ll_op: 75 case lld_op: 76 case sc_op: 77 case scd_op: 78 ret = 1; 79 break; 80 default: 81 break; 82 } 83 return ret; 84 } 85 86 int __kprobes arch_prepare_kprobe(struct kprobe *p) 87 { 88 union mips_instruction insn; 89 union mips_instruction prev_insn; 90 int ret = 0; 91 92 insn = p->addr[0]; 93 94 if (insn_has_ll_or_sc(insn)) { 95 pr_notice("Kprobes for ll and sc instructions are not" 96 "supported\n"); 97 ret = -EINVAL; 98 goto out; 99 } 100 101 if ((probe_kernel_read(&prev_insn, p->addr - 1, 102 sizeof(mips_instruction)) == 0) && 103 insn_has_delayslot(prev_insn)) { 104 pr_notice("Kprobes for branch delayslot are not supported\n"); 105 ret = -EINVAL; 106 goto out; 107 } 108 109 if (__insn_is_compact_branch(insn)) { 110 pr_notice("Kprobes for compact branches are not supported\n"); 111 ret = -EINVAL; 112 goto out; 113 } 114 115 /* insn: must be on special executable page on mips. */ 116 p->ainsn.insn = get_insn_slot(); 117 if (!p->ainsn.insn) { 118 ret = -ENOMEM; 119 goto out; 120 } 121 122 /* 123 * In the kprobe->ainsn.insn[] array we store the original 124 * instruction at index zero and a break trap instruction at 125 * index one. 126 * 127 * On MIPS arch if the instruction at probed address is a 128 * branch instruction, we need to execute the instruction at 129 * Branch Delayslot (BD) at the time of probe hit. As MIPS also 130 * doesn't have single stepping support, the BD instruction can 131 * not be executed in-line and it would be executed on SSOL slot 132 * using a normal breakpoint instruction in the next slot. 133 * So, read the instruction and save it for later execution. 134 */ 135 if (insn_has_delayslot(insn)) 136 memcpy(&p->ainsn.insn[0], p->addr + 1, sizeof(kprobe_opcode_t)); 137 else 138 memcpy(&p->ainsn.insn[0], p->addr, sizeof(kprobe_opcode_t)); 139 140 p->ainsn.insn[1] = breakpoint2_insn; 141 p->opcode = *p->addr; 142 143 out: 144 return ret; 145 } 146 147 void __kprobes arch_arm_kprobe(struct kprobe *p) 148 { 149 *p->addr = breakpoint_insn; 150 flush_insn_slot(p); 151 } 152 153 void __kprobes arch_disarm_kprobe(struct kprobe *p) 154 { 155 *p->addr = p->opcode; 156 flush_insn_slot(p); 157 } 158 159 void __kprobes arch_remove_kprobe(struct kprobe *p) 160 { 161 if (p->ainsn.insn) { 162 free_insn_slot(p->ainsn.insn, 0); 163 p->ainsn.insn = NULL; 164 } 165 } 166 167 static void save_previous_kprobe(struct kprobe_ctlblk *kcb) 168 { 169 kcb->prev_kprobe.kp = kprobe_running(); 170 kcb->prev_kprobe.status = kcb->kprobe_status; 171 kcb->prev_kprobe.old_SR = kcb->kprobe_old_SR; 172 kcb->prev_kprobe.saved_SR = kcb->kprobe_saved_SR; 173 kcb->prev_kprobe.saved_epc = kcb->kprobe_saved_epc; 174 } 175 176 static void restore_previous_kprobe(struct kprobe_ctlblk *kcb) 177 { 178 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); 179 kcb->kprobe_status = kcb->prev_kprobe.status; 180 kcb->kprobe_old_SR = kcb->prev_kprobe.old_SR; 181 kcb->kprobe_saved_SR = kcb->prev_kprobe.saved_SR; 182 kcb->kprobe_saved_epc = kcb->prev_kprobe.saved_epc; 183 } 184 185 static void set_current_kprobe(struct kprobe *p, struct pt_regs *regs, 186 struct kprobe_ctlblk *kcb) 187 { 188 __this_cpu_write(current_kprobe, p); 189 kcb->kprobe_saved_SR = kcb->kprobe_old_SR = (regs->cp0_status & ST0_IE); 190 kcb->kprobe_saved_epc = regs->cp0_epc; 191 } 192 193 /** 194 * evaluate_branch_instrucion - 195 * 196 * Evaluate the branch instruction at probed address during probe hit. The 197 * result of evaluation would be the updated epc. The insturction in delayslot 198 * would actually be single stepped using a normal breakpoint) on SSOL slot. 199 * 200 * The result is also saved in the kprobe control block for later use, 201 * in case we need to execute the delayslot instruction. The latter will be 202 * false for NOP instruction in dealyslot and the branch-likely instructions 203 * when the branch is taken. And for those cases we set a flag as 204 * SKIP_DELAYSLOT in the kprobe control block 205 */ 206 static int evaluate_branch_instruction(struct kprobe *p, struct pt_regs *regs, 207 struct kprobe_ctlblk *kcb) 208 { 209 union mips_instruction insn = p->opcode; 210 long epc; 211 int ret = 0; 212 213 epc = regs->cp0_epc; 214 if (epc & 3) 215 goto unaligned; 216 217 if (p->ainsn.insn->word == 0) 218 kcb->flags |= SKIP_DELAYSLOT; 219 else 220 kcb->flags &= ~SKIP_DELAYSLOT; 221 222 ret = __compute_return_epc_for_insn(regs, insn); 223 if (ret < 0) 224 return ret; 225 226 if (ret == BRANCH_LIKELY_TAKEN) 227 kcb->flags |= SKIP_DELAYSLOT; 228 229 kcb->target_epc = regs->cp0_epc; 230 231 return 0; 232 233 unaligned: 234 pr_notice("%s: unaligned epc - sending SIGBUS.\n", current->comm); 235 force_sig(SIGBUS, current); 236 return -EFAULT; 237 238 } 239 240 static void prepare_singlestep(struct kprobe *p, struct pt_regs *regs, 241 struct kprobe_ctlblk *kcb) 242 { 243 int ret = 0; 244 245 regs->cp0_status &= ~ST0_IE; 246 247 /* single step inline if the instruction is a break */ 248 if (p->opcode.word == breakpoint_insn.word || 249 p->opcode.word == breakpoint2_insn.word) 250 regs->cp0_epc = (unsigned long)p->addr; 251 else if (insn_has_delayslot(p->opcode)) { 252 ret = evaluate_branch_instruction(p, regs, kcb); 253 if (ret < 0) { 254 pr_notice("Kprobes: Error in evaluating branch\n"); 255 return; 256 } 257 } 258 regs->cp0_epc = (unsigned long)&p->ainsn.insn[0]; 259 } 260 261 /* 262 * Called after single-stepping. p->addr is the address of the 263 * instruction whose first byte has been replaced by the "break 0" 264 * instruction. To avoid the SMP problems that can occur when we 265 * temporarily put back the original opcode to single-step, we 266 * single-stepped a copy of the instruction. The address of this 267 * copy is p->ainsn.insn. 268 * 269 * This function prepares to return from the post-single-step 270 * breakpoint trap. In case of branch instructions, the target 271 * epc to be restored. 272 */ 273 static void __kprobes resume_execution(struct kprobe *p, 274 struct pt_regs *regs, 275 struct kprobe_ctlblk *kcb) 276 { 277 if (insn_has_delayslot(p->opcode)) 278 regs->cp0_epc = kcb->target_epc; 279 else { 280 unsigned long orig_epc = kcb->kprobe_saved_epc; 281 regs->cp0_epc = orig_epc + 4; 282 } 283 } 284 285 static int __kprobes kprobe_handler(struct pt_regs *regs) 286 { 287 struct kprobe *p; 288 int ret = 0; 289 kprobe_opcode_t *addr; 290 struct kprobe_ctlblk *kcb; 291 292 addr = (kprobe_opcode_t *) regs->cp0_epc; 293 294 /* 295 * We don't want to be preempted for the entire 296 * duration of kprobe processing 297 */ 298 preempt_disable(); 299 kcb = get_kprobe_ctlblk(); 300 301 /* Check we're not actually recursing */ 302 if (kprobe_running()) { 303 p = get_kprobe(addr); 304 if (p) { 305 if (kcb->kprobe_status == KPROBE_HIT_SS && 306 p->ainsn.insn->word == breakpoint_insn.word) { 307 regs->cp0_status &= ~ST0_IE; 308 regs->cp0_status |= kcb->kprobe_saved_SR; 309 goto no_kprobe; 310 } 311 /* 312 * We have reentered the kprobe_handler(), since 313 * another probe was hit while within the handler. 314 * We here save the original kprobes variables and 315 * just single step on the instruction of the new probe 316 * without calling any user handlers. 317 */ 318 save_previous_kprobe(kcb); 319 set_current_kprobe(p, regs, kcb); 320 kprobes_inc_nmissed_count(p); 321 prepare_singlestep(p, regs, kcb); 322 kcb->kprobe_status = KPROBE_REENTER; 323 if (kcb->flags & SKIP_DELAYSLOT) { 324 resume_execution(p, regs, kcb); 325 restore_previous_kprobe(kcb); 326 preempt_enable_no_resched(); 327 } 328 return 1; 329 } else if (addr->word != breakpoint_insn.word) { 330 /* 331 * The breakpoint instruction was removed by 332 * another cpu right after we hit, no further 333 * handling of this interrupt is appropriate 334 */ 335 ret = 1; 336 } 337 goto no_kprobe; 338 } 339 340 p = get_kprobe(addr); 341 if (!p) { 342 if (addr->word != breakpoint_insn.word) { 343 /* 344 * The breakpoint instruction was removed right 345 * after we hit it. Another cpu has removed 346 * either a probepoint or a debugger breakpoint 347 * at this address. In either case, no further 348 * handling of this interrupt is appropriate. 349 */ 350 ret = 1; 351 } 352 /* Not one of ours: let kernel handle it */ 353 goto no_kprobe; 354 } 355 356 set_current_kprobe(p, regs, kcb); 357 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 358 359 if (p->pre_handler && p->pre_handler(p, regs)) { 360 /* handler has already set things up, so skip ss setup */ 361 reset_current_kprobe(); 362 preempt_enable_no_resched(); 363 return 1; 364 } 365 366 prepare_singlestep(p, regs, kcb); 367 if (kcb->flags & SKIP_DELAYSLOT) { 368 kcb->kprobe_status = KPROBE_HIT_SSDONE; 369 if (p->post_handler) 370 p->post_handler(p, regs, 0); 371 resume_execution(p, regs, kcb); 372 preempt_enable_no_resched(); 373 } else 374 kcb->kprobe_status = KPROBE_HIT_SS; 375 376 return 1; 377 378 no_kprobe: 379 preempt_enable_no_resched(); 380 return ret; 381 382 } 383 384 static inline int post_kprobe_handler(struct pt_regs *regs) 385 { 386 struct kprobe *cur = kprobe_running(); 387 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 388 389 if (!cur) 390 return 0; 391 392 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) { 393 kcb->kprobe_status = KPROBE_HIT_SSDONE; 394 cur->post_handler(cur, regs, 0); 395 } 396 397 resume_execution(cur, regs, kcb); 398 399 regs->cp0_status |= kcb->kprobe_saved_SR; 400 401 /* Restore back the original saved kprobes variables and continue. */ 402 if (kcb->kprobe_status == KPROBE_REENTER) { 403 restore_previous_kprobe(kcb); 404 goto out; 405 } 406 reset_current_kprobe(); 407 out: 408 preempt_enable_no_resched(); 409 410 return 1; 411 } 412 413 static inline int kprobe_fault_handler(struct pt_regs *regs, int trapnr) 414 { 415 struct kprobe *cur = kprobe_running(); 416 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 417 418 if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr)) 419 return 1; 420 421 if (kcb->kprobe_status & KPROBE_HIT_SS) { 422 resume_execution(cur, regs, kcb); 423 regs->cp0_status |= kcb->kprobe_old_SR; 424 425 reset_current_kprobe(); 426 preempt_enable_no_resched(); 427 } 428 return 0; 429 } 430 431 /* 432 * Wrapper routine for handling exceptions. 433 */ 434 int __kprobes kprobe_exceptions_notify(struct notifier_block *self, 435 unsigned long val, void *data) 436 { 437 438 struct die_args *args = (struct die_args *)data; 439 int ret = NOTIFY_DONE; 440 441 switch (val) { 442 case DIE_BREAK: 443 if (kprobe_handler(args->regs)) 444 ret = NOTIFY_STOP; 445 break; 446 case DIE_SSTEPBP: 447 if (post_kprobe_handler(args->regs)) 448 ret = NOTIFY_STOP; 449 break; 450 451 case DIE_PAGE_FAULT: 452 /* kprobe_running() needs smp_processor_id() */ 453 preempt_disable(); 454 455 if (kprobe_running() 456 && kprobe_fault_handler(args->regs, args->trapnr)) 457 ret = NOTIFY_STOP; 458 preempt_enable(); 459 break; 460 default: 461 break; 462 } 463 return ret; 464 } 465 466 /* 467 * Function return probe trampoline: 468 * - init_kprobes() establishes a probepoint here 469 * - When the probed function returns, this probe causes the 470 * handlers to fire 471 */ 472 static void __used kretprobe_trampoline_holder(void) 473 { 474 asm volatile( 475 ".set push\n\t" 476 /* Keep the assembler from reordering and placing JR here. */ 477 ".set noreorder\n\t" 478 "nop\n\t" 479 ".global kretprobe_trampoline\n" 480 "kretprobe_trampoline:\n\t" 481 "nop\n\t" 482 ".set pop" 483 : : : "memory"); 484 } 485 486 void kretprobe_trampoline(void); 487 488 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, 489 struct pt_regs *regs) 490 { 491 ri->ret_addr = (kprobe_opcode_t *) regs->regs[31]; 492 493 /* Replace the return addr with trampoline addr */ 494 regs->regs[31] = (unsigned long)kretprobe_trampoline; 495 } 496 497 /* 498 * Called when the probe at kretprobe trampoline is hit 499 */ 500 static int __kprobes trampoline_probe_handler(struct kprobe *p, 501 struct pt_regs *regs) 502 { 503 struct kretprobe_instance *ri = NULL; 504 struct hlist_head *head, empty_rp; 505 struct hlist_node *tmp; 506 unsigned long flags, orig_ret_address = 0; 507 unsigned long trampoline_address = (unsigned long)kretprobe_trampoline; 508 509 INIT_HLIST_HEAD(&empty_rp); 510 kretprobe_hash_lock(current, &head, &flags); 511 512 /* 513 * It is possible to have multiple instances associated with a given 514 * task either because an multiple functions in the call path 515 * have a return probe installed on them, and/or more than one return 516 * return probe was registered for a target function. 517 * 518 * We can handle this because: 519 * - instances are always inserted at the head of the list 520 * - when multiple return probes are registered for the same 521 * function, the first instance's ret_addr will point to the 522 * real return address, and all the rest will point to 523 * kretprobe_trampoline 524 */ 525 hlist_for_each_entry_safe(ri, tmp, head, hlist) { 526 if (ri->task != current) 527 /* another task is sharing our hash bucket */ 528 continue; 529 530 if (ri->rp && ri->rp->handler) 531 ri->rp->handler(ri, regs); 532 533 orig_ret_address = (unsigned long)ri->ret_addr; 534 recycle_rp_inst(ri, &empty_rp); 535 536 if (orig_ret_address != trampoline_address) 537 /* 538 * This is the real return address. Any other 539 * instances associated with this task are for 540 * other calls deeper on the call stack 541 */ 542 break; 543 } 544 545 kretprobe_assert(ri, orig_ret_address, trampoline_address); 546 instruction_pointer(regs) = orig_ret_address; 547 548 kretprobe_hash_unlock(current, &flags); 549 550 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { 551 hlist_del(&ri->hlist); 552 kfree(ri); 553 } 554 /* 555 * By returning a non-zero value, we are telling 556 * kprobe_handler() that we don't want the post_handler 557 * to run (and have re-enabled preemption) 558 */ 559 return 1; 560 } 561 562 int __kprobes arch_trampoline_kprobe(struct kprobe *p) 563 { 564 if (p->addr == (kprobe_opcode_t *)kretprobe_trampoline) 565 return 1; 566 567 return 0; 568 } 569 570 static struct kprobe trampoline_p = { 571 .addr = (kprobe_opcode_t *)kretprobe_trampoline, 572 .pre_handler = trampoline_probe_handler 573 }; 574 575 int __init arch_init_kprobes(void) 576 { 577 return register_kprobe(&trampoline_p); 578 } 579