1 /* 2 * This program is free software; you can redistribute it and/or modify 3 * it under the terms of the GNU General Public License as published by 4 * the Free Software Foundation; either version 2 of the License, or 5 * (at your option) any later version. 6 * 7 * This program is distributed in the hope that it will be useful, 8 * but WITHOUT ANY WARRANTY; without even the implied warranty of 9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 * GNU General Public License for more details. 11 * 12 * You should have received a copy of the GNU General Public License 13 * along with this program; if not, write to the Free Software 14 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 15 * 16 * Copyright (C) 2007 Alan Stern 17 * Copyright (C) 2009 IBM Corporation 18 * Copyright (C) 2009 Frederic Weisbecker <fweisbec@gmail.com> 19 * 20 * Authors: Alan Stern <stern@rowland.harvard.edu> 21 * K.Prasad <prasad@linux.vnet.ibm.com> 22 * Frederic Weisbecker <fweisbec@gmail.com> 23 */ 24 25 /* 26 * HW_breakpoint: a unified kernel/user-space hardware breakpoint facility, 27 * using the CPU's debug registers. 28 */ 29 30 #include <linux/perf_event.h> 31 #include <linux/hw_breakpoint.h> 32 #include <linux/irqflags.h> 33 #include <linux/notifier.h> 34 #include <linux/kallsyms.h> 35 #include <linux/kprobes.h> 36 #include <linux/percpu.h> 37 #include <linux/kdebug.h> 38 #include <linux/kernel.h> 39 #include <linux/module.h> 40 #include <linux/sched.h> 41 #include <linux/init.h> 42 #include <linux/smp.h> 43 44 #include <asm/hw_breakpoint.h> 45 #include <asm/processor.h> 46 #include <asm/debugreg.h> 47 48 /* Per cpu debug control register value */ 49 DEFINE_PER_CPU(unsigned long, dr7); 50 EXPORT_PER_CPU_SYMBOL(dr7); 51 52 /* Per cpu debug address registers values */ 53 static DEFINE_PER_CPU(unsigned long, cpu_debugreg[HBP_NUM]); 54 55 /* 56 * Stores the breakpoints currently in use on each breakpoint address 57 * register for each cpus 58 */ 59 static DEFINE_PER_CPU(struct perf_event *, bp_per_reg[HBP_NUM]); 60 61 62 /* 63 * Encode the length, type, Exact, and Enable bits for a particular breakpoint 64 * as stored in debug register 7. 65 */ 66 unsigned long encode_dr7(int drnum, unsigned int len, unsigned int type) 67 { 68 unsigned long bp_info; 69 70 bp_info = (len | type) & 0xf; 71 bp_info <<= (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE); 72 bp_info |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE)) | 73 DR_GLOBAL_SLOWDOWN; 74 return bp_info; 75 } 76 77 /* 78 * Decode the length and type bits for a particular breakpoint as 79 * stored in debug register 7. Return the "enabled" status. 80 */ 81 int decode_dr7(unsigned long dr7, int bpnum, unsigned *len, unsigned *type) 82 { 83 int bp_info = dr7 >> (DR_CONTROL_SHIFT + bpnum * DR_CONTROL_SIZE); 84 85 *len = (bp_info & 0xc) | 0x40; 86 *type = (bp_info & 0x3) | 0x80; 87 88 return (dr7 >> (bpnum * DR_ENABLE_SIZE)) & 0x3; 89 } 90 91 /* 92 * Install a perf counter breakpoint. 93 * 94 * We seek a free debug address register and use it for this 95 * breakpoint. Eventually we enable it in the debug control register. 96 * 97 * Atomic: we hold the counter->ctx->lock and we only handle variables 98 * and registers local to this cpu. 99 */ 100 int arch_install_hw_breakpoint(struct perf_event *bp) 101 { 102 struct arch_hw_breakpoint *info = counter_arch_bp(bp); 103 unsigned long *dr7; 104 int i; 105 106 for (i = 0; i < HBP_NUM; i++) { 107 struct perf_event **slot = &__get_cpu_var(bp_per_reg[i]); 108 109 if (!*slot) { 110 *slot = bp; 111 break; 112 } 113 } 114 115 if (WARN_ONCE(i == HBP_NUM, "Can't find any breakpoint slot")) 116 return -EBUSY; 117 118 set_debugreg(info->address, i); 119 __get_cpu_var(cpu_debugreg[i]) = info->address; 120 121 dr7 = &__get_cpu_var(dr7); 122 *dr7 |= encode_dr7(i, info->len, info->type); 123 124 set_debugreg(*dr7, 7); 125 126 return 0; 127 } 128 129 /* 130 * Uninstall the breakpoint contained in the given counter. 131 * 132 * First we search the debug address register it uses and then we disable 133 * it. 134 * 135 * Atomic: we hold the counter->ctx->lock and we only handle variables 136 * and registers local to this cpu. 137 */ 138 void arch_uninstall_hw_breakpoint(struct perf_event *bp) 139 { 140 struct arch_hw_breakpoint *info = counter_arch_bp(bp); 141 unsigned long *dr7; 142 int i; 143 144 for (i = 0; i < HBP_NUM; i++) { 145 struct perf_event **slot = &__get_cpu_var(bp_per_reg[i]); 146 147 if (*slot == bp) { 148 *slot = NULL; 149 break; 150 } 151 } 152 153 if (WARN_ONCE(i == HBP_NUM, "Can't find any breakpoint slot")) 154 return; 155 156 dr7 = &__get_cpu_var(dr7); 157 *dr7 &= ~encode_dr7(i, info->len, info->type); 158 159 set_debugreg(*dr7, 7); 160 } 161 162 static int get_hbp_len(u8 hbp_len) 163 { 164 unsigned int len_in_bytes = 0; 165 166 switch (hbp_len) { 167 case X86_BREAKPOINT_LEN_1: 168 len_in_bytes = 1; 169 break; 170 case X86_BREAKPOINT_LEN_2: 171 len_in_bytes = 2; 172 break; 173 case X86_BREAKPOINT_LEN_4: 174 len_in_bytes = 4; 175 break; 176 #ifdef CONFIG_X86_64 177 case X86_BREAKPOINT_LEN_8: 178 len_in_bytes = 8; 179 break; 180 #endif 181 } 182 return len_in_bytes; 183 } 184 185 /* 186 * Check for virtual address in user space. 187 */ 188 int arch_check_va_in_userspace(unsigned long va, u8 hbp_len) 189 { 190 unsigned int len; 191 192 len = get_hbp_len(hbp_len); 193 194 return (va <= TASK_SIZE - len); 195 } 196 197 /* 198 * Check for virtual address in kernel space. 199 */ 200 static int arch_check_va_in_kernelspace(unsigned long va, u8 hbp_len) 201 { 202 unsigned int len; 203 204 len = get_hbp_len(hbp_len); 205 206 return (va >= TASK_SIZE) && ((va + len - 1) >= TASK_SIZE); 207 } 208 209 /* 210 * Store a breakpoint's encoded address, length, and type. 211 */ 212 static int arch_store_info(struct perf_event *bp) 213 { 214 struct arch_hw_breakpoint *info = counter_arch_bp(bp); 215 /* 216 * For kernel-addresses, either the address or symbol name can be 217 * specified. 218 */ 219 if (info->name) 220 info->address = (unsigned long) 221 kallsyms_lookup_name(info->name); 222 if (info->address) 223 return 0; 224 225 return -EINVAL; 226 } 227 228 int arch_bp_generic_fields(int x86_len, int x86_type, 229 int *gen_len, int *gen_type) 230 { 231 /* Len */ 232 switch (x86_len) { 233 case X86_BREAKPOINT_LEN_1: 234 *gen_len = HW_BREAKPOINT_LEN_1; 235 break; 236 case X86_BREAKPOINT_LEN_2: 237 *gen_len = HW_BREAKPOINT_LEN_2; 238 break; 239 case X86_BREAKPOINT_LEN_4: 240 *gen_len = HW_BREAKPOINT_LEN_4; 241 break; 242 #ifdef CONFIG_X86_64 243 case X86_BREAKPOINT_LEN_8: 244 *gen_len = HW_BREAKPOINT_LEN_8; 245 break; 246 #endif 247 default: 248 return -EINVAL; 249 } 250 251 /* Type */ 252 switch (x86_type) { 253 case X86_BREAKPOINT_EXECUTE: 254 *gen_type = HW_BREAKPOINT_X; 255 break; 256 case X86_BREAKPOINT_WRITE: 257 *gen_type = HW_BREAKPOINT_W; 258 break; 259 case X86_BREAKPOINT_RW: 260 *gen_type = HW_BREAKPOINT_W | HW_BREAKPOINT_R; 261 break; 262 default: 263 return -EINVAL; 264 } 265 266 return 0; 267 } 268 269 270 static int arch_build_bp_info(struct perf_event *bp) 271 { 272 struct arch_hw_breakpoint *info = counter_arch_bp(bp); 273 274 info->address = bp->attr.bp_addr; 275 276 /* Len */ 277 switch (bp->attr.bp_len) { 278 case HW_BREAKPOINT_LEN_1: 279 info->len = X86_BREAKPOINT_LEN_1; 280 break; 281 case HW_BREAKPOINT_LEN_2: 282 info->len = X86_BREAKPOINT_LEN_2; 283 break; 284 case HW_BREAKPOINT_LEN_4: 285 info->len = X86_BREAKPOINT_LEN_4; 286 break; 287 #ifdef CONFIG_X86_64 288 case HW_BREAKPOINT_LEN_8: 289 info->len = X86_BREAKPOINT_LEN_8; 290 break; 291 #endif 292 default: 293 return -EINVAL; 294 } 295 296 /* Type */ 297 switch (bp->attr.bp_type) { 298 case HW_BREAKPOINT_W: 299 info->type = X86_BREAKPOINT_WRITE; 300 break; 301 case HW_BREAKPOINT_W | HW_BREAKPOINT_R: 302 info->type = X86_BREAKPOINT_RW; 303 break; 304 case HW_BREAKPOINT_X: 305 info->type = X86_BREAKPOINT_EXECUTE; 306 break; 307 default: 308 return -EINVAL; 309 } 310 311 return 0; 312 } 313 /* 314 * Validate the arch-specific HW Breakpoint register settings 315 */ 316 int arch_validate_hwbkpt_settings(struct perf_event *bp, 317 struct task_struct *tsk) 318 { 319 struct arch_hw_breakpoint *info = counter_arch_bp(bp); 320 unsigned int align; 321 int ret; 322 323 324 ret = arch_build_bp_info(bp); 325 if (ret) 326 return ret; 327 328 ret = -EINVAL; 329 330 if (info->type == X86_BREAKPOINT_EXECUTE) 331 /* 332 * Ptrace-refactoring code 333 * For now, we'll allow instruction breakpoint only for user-space 334 * addresses 335 */ 336 if ((!arch_check_va_in_userspace(info->address, info->len)) && 337 info->len != X86_BREAKPOINT_EXECUTE) 338 return ret; 339 340 switch (info->len) { 341 case X86_BREAKPOINT_LEN_1: 342 align = 0; 343 break; 344 case X86_BREAKPOINT_LEN_2: 345 align = 1; 346 break; 347 case X86_BREAKPOINT_LEN_4: 348 align = 3; 349 break; 350 #ifdef CONFIG_X86_64 351 case X86_BREAKPOINT_LEN_8: 352 align = 7; 353 break; 354 #endif 355 default: 356 return ret; 357 } 358 359 if (bp->callback) 360 ret = arch_store_info(bp); 361 362 if (ret < 0) 363 return ret; 364 /* 365 * Check that the low-order bits of the address are appropriate 366 * for the alignment implied by len. 367 */ 368 if (info->address & align) 369 return -EINVAL; 370 371 /* Check that the virtual address is in the proper range */ 372 if (tsk) { 373 if (!arch_check_va_in_userspace(info->address, info->len)) 374 return -EFAULT; 375 } else { 376 if (!arch_check_va_in_kernelspace(info->address, info->len)) 377 return -EFAULT; 378 } 379 380 return 0; 381 } 382 383 /* 384 * Dump the debug register contents to the user. 385 * We can't dump our per cpu values because it 386 * may contain cpu wide breakpoint, something that 387 * doesn't belong to the current task. 388 * 389 * TODO: include non-ptrace user breakpoints (perf) 390 */ 391 void aout_dump_debugregs(struct user *dump) 392 { 393 int i; 394 int dr7 = 0; 395 struct perf_event *bp; 396 struct arch_hw_breakpoint *info; 397 struct thread_struct *thread = ¤t->thread; 398 399 for (i = 0; i < HBP_NUM; i++) { 400 bp = thread->ptrace_bps[i]; 401 402 if (bp && !bp->attr.disabled) { 403 dump->u_debugreg[i] = bp->attr.bp_addr; 404 info = counter_arch_bp(bp); 405 dr7 |= encode_dr7(i, info->len, info->type); 406 } else { 407 dump->u_debugreg[i] = 0; 408 } 409 } 410 411 dump->u_debugreg[4] = 0; 412 dump->u_debugreg[5] = 0; 413 dump->u_debugreg[6] = current->thread.debugreg6; 414 415 dump->u_debugreg[7] = dr7; 416 } 417 EXPORT_SYMBOL_GPL(aout_dump_debugregs); 418 419 /* 420 * Release the user breakpoints used by ptrace 421 */ 422 void flush_ptrace_hw_breakpoint(struct task_struct *tsk) 423 { 424 int i; 425 struct thread_struct *t = &tsk->thread; 426 427 for (i = 0; i < HBP_NUM; i++) { 428 unregister_hw_breakpoint(t->ptrace_bps[i]); 429 t->ptrace_bps[i] = NULL; 430 } 431 } 432 433 void hw_breakpoint_restore(void) 434 { 435 set_debugreg(__get_cpu_var(cpu_debugreg[0]), 0); 436 set_debugreg(__get_cpu_var(cpu_debugreg[1]), 1); 437 set_debugreg(__get_cpu_var(cpu_debugreg[2]), 2); 438 set_debugreg(__get_cpu_var(cpu_debugreg[3]), 3); 439 set_debugreg(current->thread.debugreg6, 6); 440 set_debugreg(__get_cpu_var(dr7), 7); 441 } 442 EXPORT_SYMBOL_GPL(hw_breakpoint_restore); 443 444 /* 445 * Handle debug exception notifications. 446 * 447 * Return value is either NOTIFY_STOP or NOTIFY_DONE as explained below. 448 * 449 * NOTIFY_DONE returned if one of the following conditions is true. 450 * i) When the causative address is from user-space and the exception 451 * is a valid one, i.e. not triggered as a result of lazy debug register 452 * switching 453 * ii) When there are more bits than trap<n> set in DR6 register (such 454 * as BD, BS or BT) indicating that more than one debug condition is 455 * met and requires some more action in do_debug(). 456 * 457 * NOTIFY_STOP returned for all other cases 458 * 459 */ 460 static int __kprobes hw_breakpoint_handler(struct die_args *args) 461 { 462 int i, cpu, rc = NOTIFY_STOP; 463 struct perf_event *bp; 464 unsigned long dr7, dr6; 465 unsigned long *dr6_p; 466 467 /* The DR6 value is pointed by args->err */ 468 dr6_p = (unsigned long *)ERR_PTR(args->err); 469 dr6 = *dr6_p; 470 471 /* Do an early return if no trap bits are set in DR6 */ 472 if ((dr6 & DR_TRAP_BITS) == 0) 473 return NOTIFY_DONE; 474 475 get_debugreg(dr7, 7); 476 /* Disable breakpoints during exception handling */ 477 set_debugreg(0UL, 7); 478 /* 479 * Assert that local interrupts are disabled 480 * Reset the DRn bits in the virtualized register value. 481 * The ptrace trigger routine will add in whatever is needed. 482 */ 483 current->thread.debugreg6 &= ~DR_TRAP_BITS; 484 cpu = get_cpu(); 485 486 /* Handle all the breakpoints that were triggered */ 487 for (i = 0; i < HBP_NUM; ++i) { 488 if (likely(!(dr6 & (DR_TRAP0 << i)))) 489 continue; 490 491 /* 492 * The counter may be concurrently released but that can only 493 * occur from a call_rcu() path. We can then safely fetch 494 * the breakpoint, use its callback, touch its counter 495 * while we are in an rcu_read_lock() path. 496 */ 497 rcu_read_lock(); 498 499 bp = per_cpu(bp_per_reg[i], cpu); 500 if (bp) 501 rc = NOTIFY_DONE; 502 /* 503 * Reset the 'i'th TRAP bit in dr6 to denote completion of 504 * exception handling 505 */ 506 (*dr6_p) &= ~(DR_TRAP0 << i); 507 /* 508 * bp can be NULL due to lazy debug register switching 509 * or due to concurrent perf counter removing. 510 */ 511 if (!bp) { 512 rcu_read_unlock(); 513 break; 514 } 515 516 (bp->callback)(bp, args->regs); 517 518 rcu_read_unlock(); 519 } 520 if (dr6 & (~DR_TRAP_BITS)) 521 rc = NOTIFY_DONE; 522 523 set_debugreg(dr7, 7); 524 put_cpu(); 525 526 return rc; 527 } 528 529 /* 530 * Handle debug exception notifications. 531 */ 532 int __kprobes hw_breakpoint_exceptions_notify( 533 struct notifier_block *unused, unsigned long val, void *data) 534 { 535 if (val != DIE_DEBUG) 536 return NOTIFY_DONE; 537 538 return hw_breakpoint_handler(data); 539 } 540 541 void hw_breakpoint_pmu_read(struct perf_event *bp) 542 { 543 /* TODO */ 544 } 545 546 void hw_breakpoint_pmu_unthrottle(struct perf_event *bp) 547 { 548 /* TODO */ 549 } 550