1 /* 2 * Kernel Probes (KProbes) 3 * arch/mips/kernel/kprobes.c 4 * 5 * Copyright 2006 Sony Corp. 6 * Copyright 2010 Cavium Networks 7 * 8 * Some portions copied from the powerpc version. 9 * 10 * Copyright (C) IBM Corporation, 2002, 2004 11 * 12 * This program is free software; you can redistribute it and/or modify 13 * it under the terms of the GNU General Public License as published by 14 * the Free Software Foundation; version 2 of the License. 15 * 16 * This program is distributed in the hope that it will be useful, 17 * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 * GNU General Public License for more details. 20 * 21 * You should have received a copy of the GNU General Public License 22 * along with this program; if not, write to the Free Software 23 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 24 */ 25 26 #include <linux/kprobes.h> 27 #include <linux/preempt.h> 28 #include <linux/uaccess.h> 29 #include <linux/kdebug.h> 30 #include <linux/slab.h> 31 32 #include <asm/ptrace.h> 33 #include <asm/branch.h> 34 #include <asm/break.h> 35 36 #include "probes-common.h" 37 38 static const union mips_instruction breakpoint_insn = { 39 .b_format = { 40 .opcode = spec_op, 41 .code = BRK_KPROBE_BP, 42 .func = break_op 43 } 44 }; 45 46 static const union mips_instruction breakpoint2_insn = { 47 .b_format = { 48 .opcode = spec_op, 49 .code = BRK_KPROBE_SSTEPBP, 50 .func = break_op 51 } 52 }; 53 54 DEFINE_PER_CPU(struct kprobe *, current_kprobe); 55 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 56 57 static int __kprobes insn_has_delayslot(union mips_instruction insn) 58 { 59 return __insn_has_delay_slot(insn); 60 } 61 62 /* 63 * insn_has_ll_or_sc function checks whether instruction is ll or sc 64 * one; putting breakpoint on top of atomic ll/sc pair is bad idea; 65 * so we need to prevent it and refuse kprobes insertion for such 66 * instructions; cannot do much about breakpoint in the middle of 67 * ll/sc pair; it is upto user to avoid those places 68 */ 69 static int __kprobes insn_has_ll_or_sc(union mips_instruction insn) 70 { 71 int ret = 0; 72 73 switch (insn.i_format.opcode) { 74 case ll_op: 75 case lld_op: 76 case sc_op: 77 case scd_op: 78 ret = 1; 79 break; 80 default: 81 break; 82 } 83 return ret; 84 } 85 86 int __kprobes arch_prepare_kprobe(struct kprobe *p) 87 { 88 union mips_instruction insn; 89 union mips_instruction prev_insn; 90 int ret = 0; 91 92 insn = p->addr[0]; 93 94 if (insn_has_ll_or_sc(insn)) { 95 pr_notice("Kprobes for ll and sc instructions are not" 96 "supported\n"); 97 ret = -EINVAL; 98 goto out; 99 } 100 101 if ((probe_kernel_read(&prev_insn, p->addr - 1, 102 sizeof(mips_instruction)) == 0) && 103 insn_has_delayslot(prev_insn)) { 104 pr_notice("Kprobes for branch delayslot are not supported\n"); 105 ret = -EINVAL; 106 goto out; 107 } 108 109 if (__insn_is_compact_branch(insn)) { 110 pr_notice("Kprobes for compact branches are not supported\n"); 111 ret = -EINVAL; 112 goto out; 113 } 114 115 /* insn: must be on special executable page on mips. */ 116 p->ainsn.insn = get_insn_slot(); 117 if (!p->ainsn.insn) { 118 ret = -ENOMEM; 119 goto out; 120 } 121 122 /* 123 * In the kprobe->ainsn.insn[] array we store the original 124 * instruction at index zero and a break trap instruction at 125 * index one. 126 * 127 * On MIPS arch if the instruction at probed address is a 128 * branch instruction, we need to execute the instruction at 129 * Branch Delayslot (BD) at the time of probe hit. As MIPS also 130 * doesn't have single stepping support, the BD instruction can 131 * not be executed in-line and it would be executed on SSOL slot 132 * using a normal breakpoint instruction in the next slot. 133 * So, read the instruction and save it for later execution. 134 */ 135 if (insn_has_delayslot(insn)) 136 memcpy(&p->ainsn.insn[0], p->addr + 1, sizeof(kprobe_opcode_t)); 137 else 138 memcpy(&p->ainsn.insn[0], p->addr, sizeof(kprobe_opcode_t)); 139 140 p->ainsn.insn[1] = breakpoint2_insn; 141 p->opcode = *p->addr; 142 143 out: 144 return ret; 145 } 146 147 void __kprobes arch_arm_kprobe(struct kprobe *p) 148 { 149 *p->addr = breakpoint_insn; 150 flush_insn_slot(p); 151 } 152 153 void __kprobes arch_disarm_kprobe(struct kprobe *p) 154 { 155 *p->addr = p->opcode; 156 flush_insn_slot(p); 157 } 158 159 void __kprobes arch_remove_kprobe(struct kprobe *p) 160 { 161 if (p->ainsn.insn) { 162 free_insn_slot(p->ainsn.insn, 0); 163 p->ainsn.insn = NULL; 164 } 165 } 166 167 static void save_previous_kprobe(struct kprobe_ctlblk *kcb) 168 { 169 kcb->prev_kprobe.kp = kprobe_running(); 170 kcb->prev_kprobe.status = kcb->kprobe_status; 171 kcb->prev_kprobe.old_SR = kcb->kprobe_old_SR; 172 kcb->prev_kprobe.saved_SR = kcb->kprobe_saved_SR; 173 kcb->prev_kprobe.saved_epc = kcb->kprobe_saved_epc; 174 } 175 176 static void restore_previous_kprobe(struct kprobe_ctlblk *kcb) 177 { 178 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); 179 kcb->kprobe_status = kcb->prev_kprobe.status; 180 kcb->kprobe_old_SR = kcb->prev_kprobe.old_SR; 181 kcb->kprobe_saved_SR = kcb->prev_kprobe.saved_SR; 182 kcb->kprobe_saved_epc = kcb->prev_kprobe.saved_epc; 183 } 184 185 static void set_current_kprobe(struct kprobe *p, struct pt_regs *regs, 186 struct kprobe_ctlblk *kcb) 187 { 188 __this_cpu_write(current_kprobe, p); 189 kcb->kprobe_saved_SR = kcb->kprobe_old_SR = (regs->cp0_status & ST0_IE); 190 kcb->kprobe_saved_epc = regs->cp0_epc; 191 } 192 193 /** 194 * evaluate_branch_instrucion - 195 * 196 * Evaluate the branch instruction at probed address during probe hit. The 197 * result of evaluation would be the updated epc. The insturction in delayslot 198 * would actually be single stepped using a normal breakpoint) on SSOL slot. 199 * 200 * The result is also saved in the kprobe control block for later use, 201 * in case we need to execute the delayslot instruction. The latter will be 202 * false for NOP instruction in dealyslot and the branch-likely instructions 203 * when the branch is taken. And for those cases we set a flag as 204 * SKIP_DELAYSLOT in the kprobe control block 205 */ 206 static int evaluate_branch_instruction(struct kprobe *p, struct pt_regs *regs, 207 struct kprobe_ctlblk *kcb) 208 { 209 union mips_instruction insn = p->opcode; 210 long epc; 211 int ret = 0; 212 213 epc = regs->cp0_epc; 214 if (epc & 3) 215 goto unaligned; 216 217 if (p->ainsn.insn->word == 0) 218 kcb->flags |= SKIP_DELAYSLOT; 219 else 220 kcb->flags &= ~SKIP_DELAYSLOT; 221 222 ret = __compute_return_epc_for_insn(regs, insn); 223 if (ret < 0) 224 return ret; 225 226 if (ret == BRANCH_LIKELY_TAKEN) 227 kcb->flags |= SKIP_DELAYSLOT; 228 229 kcb->target_epc = regs->cp0_epc; 230 231 return 0; 232 233 unaligned: 234 pr_notice("%s: unaligned epc - sending SIGBUS.\n", current->comm); 235 force_sig(SIGBUS, current); 236 return -EFAULT; 237 238 } 239 240 static void prepare_singlestep(struct kprobe *p, struct pt_regs *regs, 241 struct kprobe_ctlblk *kcb) 242 { 243 int ret = 0; 244 245 regs->cp0_status &= ~ST0_IE; 246 247 /* single step inline if the instruction is a break */ 248 if (p->opcode.word == breakpoint_insn.word || 249 p->opcode.word == breakpoint2_insn.word) 250 regs->cp0_epc = (unsigned long)p->addr; 251 else if (insn_has_delayslot(p->opcode)) { 252 ret = evaluate_branch_instruction(p, regs, kcb); 253 if (ret < 0) { 254 pr_notice("Kprobes: Error in evaluating branch\n"); 255 return; 256 } 257 } 258 regs->cp0_epc = (unsigned long)&p->ainsn.insn[0]; 259 } 260 261 /* 262 * Called after single-stepping. p->addr is the address of the 263 * instruction whose first byte has been replaced by the "break 0" 264 * instruction. To avoid the SMP problems that can occur when we 265 * temporarily put back the original opcode to single-step, we 266 * single-stepped a copy of the instruction. The address of this 267 * copy is p->ainsn.insn. 268 * 269 * This function prepares to return from the post-single-step 270 * breakpoint trap. In case of branch instructions, the target 271 * epc to be restored. 272 */ 273 static void __kprobes resume_execution(struct kprobe *p, 274 struct pt_regs *regs, 275 struct kprobe_ctlblk *kcb) 276 { 277 if (insn_has_delayslot(p->opcode)) 278 regs->cp0_epc = kcb->target_epc; 279 else { 280 unsigned long orig_epc = kcb->kprobe_saved_epc; 281 regs->cp0_epc = orig_epc + 4; 282 } 283 } 284 285 static int __kprobes kprobe_handler(struct pt_regs *regs) 286 { 287 struct kprobe *p; 288 int ret = 0; 289 kprobe_opcode_t *addr; 290 struct kprobe_ctlblk *kcb; 291 292 addr = (kprobe_opcode_t *) regs->cp0_epc; 293 294 /* 295 * We don't want to be preempted for the entire 296 * duration of kprobe processing 297 */ 298 preempt_disable(); 299 kcb = get_kprobe_ctlblk(); 300 301 /* Check we're not actually recursing */ 302 if (kprobe_running()) { 303 p = get_kprobe(addr); 304 if (p) { 305 if (kcb->kprobe_status == KPROBE_HIT_SS && 306 p->ainsn.insn->word == breakpoint_insn.word) { 307 regs->cp0_status &= ~ST0_IE; 308 regs->cp0_status |= kcb->kprobe_saved_SR; 309 goto no_kprobe; 310 } 311 /* 312 * We have reentered the kprobe_handler(), since 313 * another probe was hit while within the handler. 314 * We here save the original kprobes variables and 315 * just single step on the instruction of the new probe 316 * without calling any user handlers. 317 */ 318 save_previous_kprobe(kcb); 319 set_current_kprobe(p, regs, kcb); 320 kprobes_inc_nmissed_count(p); 321 prepare_singlestep(p, regs, kcb); 322 kcb->kprobe_status = KPROBE_REENTER; 323 if (kcb->flags & SKIP_DELAYSLOT) { 324 resume_execution(p, regs, kcb); 325 restore_previous_kprobe(kcb); 326 preempt_enable_no_resched(); 327 } 328 return 1; 329 } else { 330 if (addr->word != breakpoint_insn.word) { 331 /* 332 * The breakpoint instruction was removed by 333 * another cpu right after we hit, no further 334 * handling of this interrupt is appropriate 335 */ 336 ret = 1; 337 goto no_kprobe; 338 } 339 p = __this_cpu_read(current_kprobe); 340 if (p->break_handler && p->break_handler(p, regs)) 341 goto ss_probe; 342 } 343 goto no_kprobe; 344 } 345 346 p = get_kprobe(addr); 347 if (!p) { 348 if (addr->word != breakpoint_insn.word) { 349 /* 350 * The breakpoint instruction was removed right 351 * after we hit it. Another cpu has removed 352 * either a probepoint or a debugger breakpoint 353 * at this address. In either case, no further 354 * handling of this interrupt is appropriate. 355 */ 356 ret = 1; 357 } 358 /* Not one of ours: let kernel handle it */ 359 goto no_kprobe; 360 } 361 362 set_current_kprobe(p, regs, kcb); 363 kcb->kprobe_status = KPROBE_HIT_ACTIVE; 364 365 if (p->pre_handler && p->pre_handler(p, regs)) { 366 /* handler has already set things up, so skip ss setup */ 367 return 1; 368 } 369 370 ss_probe: 371 prepare_singlestep(p, regs, kcb); 372 if (kcb->flags & SKIP_DELAYSLOT) { 373 kcb->kprobe_status = KPROBE_HIT_SSDONE; 374 if (p->post_handler) 375 p->post_handler(p, regs, 0); 376 resume_execution(p, regs, kcb); 377 preempt_enable_no_resched(); 378 } else 379 kcb->kprobe_status = KPROBE_HIT_SS; 380 381 return 1; 382 383 no_kprobe: 384 preempt_enable_no_resched(); 385 return ret; 386 387 } 388 389 static inline int post_kprobe_handler(struct pt_regs *regs) 390 { 391 struct kprobe *cur = kprobe_running(); 392 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 393 394 if (!cur) 395 return 0; 396 397 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) { 398 kcb->kprobe_status = KPROBE_HIT_SSDONE; 399 cur->post_handler(cur, regs, 0); 400 } 401 402 resume_execution(cur, regs, kcb); 403 404 regs->cp0_status |= kcb->kprobe_saved_SR; 405 406 /* Restore back the original saved kprobes variables and continue. */ 407 if (kcb->kprobe_status == KPROBE_REENTER) { 408 restore_previous_kprobe(kcb); 409 goto out; 410 } 411 reset_current_kprobe(); 412 out: 413 preempt_enable_no_resched(); 414 415 return 1; 416 } 417 418 static inline int kprobe_fault_handler(struct pt_regs *regs, int trapnr) 419 { 420 struct kprobe *cur = kprobe_running(); 421 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 422 423 if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr)) 424 return 1; 425 426 if (kcb->kprobe_status & KPROBE_HIT_SS) { 427 resume_execution(cur, regs, kcb); 428 regs->cp0_status |= kcb->kprobe_old_SR; 429 430 reset_current_kprobe(); 431 preempt_enable_no_resched(); 432 } 433 return 0; 434 } 435 436 /* 437 * Wrapper routine for handling exceptions. 438 */ 439 int __kprobes kprobe_exceptions_notify(struct notifier_block *self, 440 unsigned long val, void *data) 441 { 442 443 struct die_args *args = (struct die_args *)data; 444 int ret = NOTIFY_DONE; 445 446 switch (val) { 447 case DIE_BREAK: 448 if (kprobe_handler(args->regs)) 449 ret = NOTIFY_STOP; 450 break; 451 case DIE_SSTEPBP: 452 if (post_kprobe_handler(args->regs)) 453 ret = NOTIFY_STOP; 454 break; 455 456 case DIE_PAGE_FAULT: 457 /* kprobe_running() needs smp_processor_id() */ 458 preempt_disable(); 459 460 if (kprobe_running() 461 && kprobe_fault_handler(args->regs, args->trapnr)) 462 ret = NOTIFY_STOP; 463 preempt_enable(); 464 break; 465 default: 466 break; 467 } 468 return ret; 469 } 470 471 int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) 472 { 473 struct jprobe *jp = container_of(p, struct jprobe, kp); 474 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 475 476 kcb->jprobe_saved_regs = *regs; 477 kcb->jprobe_saved_sp = regs->regs[29]; 478 479 memcpy(kcb->jprobes_stack, (void *)kcb->jprobe_saved_sp, 480 MIN_JPROBES_STACK_SIZE(kcb->jprobe_saved_sp)); 481 482 regs->cp0_epc = (unsigned long)(jp->entry); 483 484 return 1; 485 } 486 487 /* Defined in the inline asm below. */ 488 void jprobe_return_end(void); 489 490 void __kprobes jprobe_return(void) 491 { 492 /* Assembler quirk necessitates this '0,code' business. */ 493 asm volatile( 494 "break 0,%0\n\t" 495 ".globl jprobe_return_end\n" 496 "jprobe_return_end:\n" 497 : : "n" (BRK_KPROBE_BP) : "memory"); 498 } 499 500 int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) 501 { 502 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 503 504 if (regs->cp0_epc >= (unsigned long)jprobe_return && 505 regs->cp0_epc <= (unsigned long)jprobe_return_end) { 506 *regs = kcb->jprobe_saved_regs; 507 memcpy((void *)kcb->jprobe_saved_sp, kcb->jprobes_stack, 508 MIN_JPROBES_STACK_SIZE(kcb->jprobe_saved_sp)); 509 preempt_enable_no_resched(); 510 511 return 1; 512 } 513 return 0; 514 } 515 516 /* 517 * Function return probe trampoline: 518 * - init_kprobes() establishes a probepoint here 519 * - When the probed function returns, this probe causes the 520 * handlers to fire 521 */ 522 static void __used kretprobe_trampoline_holder(void) 523 { 524 asm volatile( 525 ".set push\n\t" 526 /* Keep the assembler from reordering and placing JR here. */ 527 ".set noreorder\n\t" 528 "nop\n\t" 529 ".global kretprobe_trampoline\n" 530 "kretprobe_trampoline:\n\t" 531 "nop\n\t" 532 ".set pop" 533 : : : "memory"); 534 } 535 536 void kretprobe_trampoline(void); 537 538 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, 539 struct pt_regs *regs) 540 { 541 ri->ret_addr = (kprobe_opcode_t *) regs->regs[31]; 542 543 /* Replace the return addr with trampoline addr */ 544 regs->regs[31] = (unsigned long)kretprobe_trampoline; 545 } 546 547 /* 548 * Called when the probe at kretprobe trampoline is hit 549 */ 550 static int __kprobes trampoline_probe_handler(struct kprobe *p, 551 struct pt_regs *regs) 552 { 553 struct kretprobe_instance *ri = NULL; 554 struct hlist_head *head, empty_rp; 555 struct hlist_node *tmp; 556 unsigned long flags, orig_ret_address = 0; 557 unsigned long trampoline_address = (unsigned long)kretprobe_trampoline; 558 559 INIT_HLIST_HEAD(&empty_rp); 560 kretprobe_hash_lock(current, &head, &flags); 561 562 /* 563 * It is possible to have multiple instances associated with a given 564 * task either because an multiple functions in the call path 565 * have a return probe installed on them, and/or more than one return 566 * return probe was registered for a target function. 567 * 568 * We can handle this because: 569 * - instances are always inserted at the head of the list 570 * - when multiple return probes are registered for the same 571 * function, the first instance's ret_addr will point to the 572 * real return address, and all the rest will point to 573 * kretprobe_trampoline 574 */ 575 hlist_for_each_entry_safe(ri, tmp, head, hlist) { 576 if (ri->task != current) 577 /* another task is sharing our hash bucket */ 578 continue; 579 580 if (ri->rp && ri->rp->handler) 581 ri->rp->handler(ri, regs); 582 583 orig_ret_address = (unsigned long)ri->ret_addr; 584 recycle_rp_inst(ri, &empty_rp); 585 586 if (orig_ret_address != trampoline_address) 587 /* 588 * This is the real return address. Any other 589 * instances associated with this task are for 590 * other calls deeper on the call stack 591 */ 592 break; 593 } 594 595 kretprobe_assert(ri, orig_ret_address, trampoline_address); 596 instruction_pointer(regs) = orig_ret_address; 597 598 reset_current_kprobe(); 599 kretprobe_hash_unlock(current, &flags); 600 preempt_enable_no_resched(); 601 602 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { 603 hlist_del(&ri->hlist); 604 kfree(ri); 605 } 606 /* 607 * By returning a non-zero value, we are telling 608 * kprobe_handler() that we don't want the post_handler 609 * to run (and have re-enabled preemption) 610 */ 611 return 1; 612 } 613 614 int __kprobes arch_trampoline_kprobe(struct kprobe *p) 615 { 616 if (p->addr == (kprobe_opcode_t *)kretprobe_trampoline) 617 return 1; 618 619 return 0; 620 } 621 622 static struct kprobe trampoline_p = { 623 .addr = (kprobe_opcode_t *)kretprobe_trampoline, 624 .pre_handler = trampoline_probe_handler 625 }; 626 627 int __init arch_init_kprobes(void) 628 { 629 return register_kprobe(&trampoline_p); 630 } 631