1 /* 2 * Kernel Probes (KProbes) 3 * kernel/kprobes.c 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation; either version 2 of the License, or 8 * (at your option) any later version. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program; if not, write to the Free Software 17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 * 19 * Copyright (C) IBM Corporation, 2002, 2004 20 * 21 * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel 22 * Probes initial implementation (includes suggestions from 23 * Rusty Russell). 24 * 2004-Aug Updated by Prasanna S Panchamukhi <prasanna@in.ibm.com> with 25 * hlists and exceptions notifier as suggested by Andi Kleen. 26 * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes 27 * interface to access function arguments. 28 * 2004-Sep Prasanna S Panchamukhi <prasanna@in.ibm.com> Changed Kprobes 29 * exceptions notifier to be first on the priority list. 30 * 2005-May Hien Nguyen <hien@us.ibm.com>, Jim Keniston 31 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi 32 * <prasanna@in.ibm.com> added function-return probes. 
33 */ 34 #include <linux/kprobes.h> 35 #include <linux/hash.h> 36 #include <linux/init.h> 37 #include <linux/slab.h> 38 #include <linux/stddef.h> 39 #include <linux/module.h> 40 #include <linux/moduleloader.h> 41 #include <linux/kallsyms.h> 42 #include <linux/freezer.h> 43 #include <linux/seq_file.h> 44 #include <linux/debugfs.h> 45 #include <linux/kdebug.h> 46 47 #include <asm-generic/sections.h> 48 #include <asm/cacheflush.h> 49 #include <asm/errno.h> 50 #include <asm/uaccess.h> 51 52 #define KPROBE_HASH_BITS 6 53 #define KPROBE_TABLE_SIZE (1 << KPROBE_HASH_BITS) 54 55 56 /* 57 * Some oddball architectures like 64bit powerpc have function descriptors 58 * so this must be overridable. 59 */ 60 #ifndef kprobe_lookup_name 61 #define kprobe_lookup_name(name, addr) \ 62 addr = ((kprobe_opcode_t *)(kallsyms_lookup_name(name))) 63 #endif 64 65 static int kprobes_initialized; 66 static struct hlist_head kprobe_table[KPROBE_TABLE_SIZE]; 67 static struct hlist_head kretprobe_inst_table[KPROBE_TABLE_SIZE]; 68 69 /* NOTE: change this value only with kprobe_mutex held */ 70 static bool kprobe_enabled; 71 72 DEFINE_MUTEX(kprobe_mutex); /* Protects kprobe_table */ 73 static DEFINE_PER_CPU(struct kprobe *, kprobe_instance) = NULL; 74 static struct { 75 spinlock_t lock ____cacheline_aligned; 76 } kretprobe_table_locks[KPROBE_TABLE_SIZE]; 77 78 static spinlock_t *kretprobe_table_lock_ptr(unsigned long hash) 79 { 80 return &(kretprobe_table_locks[hash].lock); 81 } 82 83 /* 84 * Normally, functions that we'd want to prohibit kprobes in, are marked 85 * __kprobes. But, there are cases where such functions already belong to 86 * a different section (__sched for preempt_schedule) 87 * 88 * For such cases, we now have a blacklist 89 */ 90 static struct kprobe_blackpoint kprobe_blacklist[] = { 91 {"preempt_schedule",}, 92 {NULL} /* Terminator */ 93 }; 94 95 #ifdef __ARCH_WANT_KPROBES_INSN_SLOT 96 /* 97 * kprobe->ainsn.insn points to the copy of the instruction to be 98 * single-stepped. 
x86_64, POWER4 and above have no-exec support and 99 * stepping on the instruction on a vmalloced/kmalloced/data page 100 * is a recipe for disaster 101 */ 102 #define INSNS_PER_PAGE (PAGE_SIZE/(MAX_INSN_SIZE * sizeof(kprobe_opcode_t))) 103 104 struct kprobe_insn_page { 105 struct hlist_node hlist; 106 kprobe_opcode_t *insns; /* Page of instruction slots */ 107 char slot_used[INSNS_PER_PAGE]; 108 int nused; 109 int ngarbage; 110 }; 111 112 enum kprobe_slot_state { 113 SLOT_CLEAN = 0, 114 SLOT_DIRTY = 1, 115 SLOT_USED = 2, 116 }; 117 118 static struct hlist_head kprobe_insn_pages; 119 static int kprobe_garbage_slots; 120 static int collect_garbage_slots(void); 121 122 static int __kprobes check_safety(void) 123 { 124 int ret = 0; 125 #if defined(CONFIG_PREEMPT) && defined(CONFIG_PM) 126 ret = freeze_processes(); 127 if (ret == 0) { 128 struct task_struct *p, *q; 129 do_each_thread(p, q) { 130 if (p != current && p->state == TASK_RUNNING && 131 p->pid != 0) { 132 printk("Check failed: %s is running\n",p->comm); 133 ret = -1; 134 goto loop_end; 135 } 136 } while_each_thread(p, q); 137 } 138 loop_end: 139 thaw_processes(); 140 #else 141 synchronize_sched(); 142 #endif 143 return ret; 144 } 145 146 /** 147 * get_insn_slot() - Find a slot on an executable page for an instruction. 148 * We allocate an executable page if there's no room on existing ones. 149 */ 150 kprobe_opcode_t __kprobes *get_insn_slot(void) 151 { 152 struct kprobe_insn_page *kip; 153 struct hlist_node *pos; 154 155 retry: 156 hlist_for_each_entry(kip, pos, &kprobe_insn_pages, hlist) { 157 if (kip->nused < INSNS_PER_PAGE) { 158 int i; 159 for (i = 0; i < INSNS_PER_PAGE; i++) { 160 if (kip->slot_used[i] == SLOT_CLEAN) { 161 kip->slot_used[i] = SLOT_USED; 162 kip->nused++; 163 return kip->insns + (i * MAX_INSN_SIZE); 164 } 165 } 166 /* Surprise! No unused slots. Fix kip->nused. */ 167 kip->nused = INSNS_PER_PAGE; 168 } 169 } 170 171 /* If there are any garbage slots, collect it and try again. 
*/ 172 if (kprobe_garbage_slots && collect_garbage_slots() == 0) { 173 goto retry; 174 } 175 /* All out of space. Need to allocate a new page. Use slot 0. */ 176 kip = kmalloc(sizeof(struct kprobe_insn_page), GFP_KERNEL); 177 if (!kip) 178 return NULL; 179 180 /* 181 * Use module_alloc so this page is within +/- 2GB of where the 182 * kernel image and loaded module images reside. This is required 183 * so x86_64 can correctly handle the %rip-relative fixups. 184 */ 185 kip->insns = module_alloc(PAGE_SIZE); 186 if (!kip->insns) { 187 kfree(kip); 188 return NULL; 189 } 190 INIT_HLIST_NODE(&kip->hlist); 191 hlist_add_head(&kip->hlist, &kprobe_insn_pages); 192 memset(kip->slot_used, SLOT_CLEAN, INSNS_PER_PAGE); 193 kip->slot_used[0] = SLOT_USED; 194 kip->nused = 1; 195 kip->ngarbage = 0; 196 return kip->insns; 197 } 198 199 /* Return 1 if all garbages are collected, otherwise 0. */ 200 static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx) 201 { 202 kip->slot_used[idx] = SLOT_CLEAN; 203 kip->nused--; 204 if (kip->nused == 0) { 205 /* 206 * Page is no longer in use. Free it unless 207 * it's the last one. We keep the last one 208 * so as not to have to set it up again the 209 * next time somebody inserts a probe. 
210 */ 211 hlist_del(&kip->hlist); 212 if (hlist_empty(&kprobe_insn_pages)) { 213 INIT_HLIST_NODE(&kip->hlist); 214 hlist_add_head(&kip->hlist, 215 &kprobe_insn_pages); 216 } else { 217 module_free(NULL, kip->insns); 218 kfree(kip); 219 } 220 return 1; 221 } 222 return 0; 223 } 224 225 static int __kprobes collect_garbage_slots(void) 226 { 227 struct kprobe_insn_page *kip; 228 struct hlist_node *pos, *next; 229 230 /* Ensure no-one is preepmted on the garbages */ 231 if (check_safety() != 0) 232 return -EAGAIN; 233 234 hlist_for_each_entry_safe(kip, pos, next, &kprobe_insn_pages, hlist) { 235 int i; 236 if (kip->ngarbage == 0) 237 continue; 238 kip->ngarbage = 0; /* we will collect all garbages */ 239 for (i = 0; i < INSNS_PER_PAGE; i++) { 240 if (kip->slot_used[i] == SLOT_DIRTY && 241 collect_one_slot(kip, i)) 242 break; 243 } 244 } 245 kprobe_garbage_slots = 0; 246 return 0; 247 } 248 249 void __kprobes free_insn_slot(kprobe_opcode_t * slot, int dirty) 250 { 251 struct kprobe_insn_page *kip; 252 struct hlist_node *pos; 253 254 hlist_for_each_entry(kip, pos, &kprobe_insn_pages, hlist) { 255 if (kip->insns <= slot && 256 slot < kip->insns + (INSNS_PER_PAGE * MAX_INSN_SIZE)) { 257 int i = (slot - kip->insns) / MAX_INSN_SIZE; 258 if (dirty) { 259 kip->slot_used[i] = SLOT_DIRTY; 260 kip->ngarbage++; 261 } else { 262 collect_one_slot(kip, i); 263 } 264 break; 265 } 266 } 267 268 if (dirty && ++kprobe_garbage_slots > INSNS_PER_PAGE) 269 collect_garbage_slots(); 270 } 271 #endif 272 273 /* We have preemption disabled.. 
so it is safe to use __ versions */ 274 static inline void set_kprobe_instance(struct kprobe *kp) 275 { 276 __get_cpu_var(kprobe_instance) = kp; 277 } 278 279 static inline void reset_kprobe_instance(void) 280 { 281 __get_cpu_var(kprobe_instance) = NULL; 282 } 283 284 /* 285 * This routine is called either: 286 * - under the kprobe_mutex - during kprobe_[un]register() 287 * OR 288 * - with preemption disabled - from arch/xxx/kernel/kprobes.c 289 */ 290 struct kprobe __kprobes *get_kprobe(void *addr) 291 { 292 struct hlist_head *head; 293 struct hlist_node *node; 294 struct kprobe *p; 295 296 head = &kprobe_table[hash_ptr(addr, KPROBE_HASH_BITS)]; 297 hlist_for_each_entry_rcu(p, node, head, hlist) { 298 if (p->addr == addr) 299 return p; 300 } 301 return NULL; 302 } 303 304 /* 305 * Aggregate handlers for multiple kprobes support - these handlers 306 * take care of invoking the individual kprobe handlers on p->list 307 */ 308 static int __kprobes aggr_pre_handler(struct kprobe *p, struct pt_regs *regs) 309 { 310 struct kprobe *kp; 311 312 list_for_each_entry_rcu(kp, &p->list, list) { 313 if (kp->pre_handler) { 314 set_kprobe_instance(kp); 315 if (kp->pre_handler(kp, regs)) 316 return 1; 317 } 318 reset_kprobe_instance(); 319 } 320 return 0; 321 } 322 323 static void __kprobes aggr_post_handler(struct kprobe *p, struct pt_regs *regs, 324 unsigned long flags) 325 { 326 struct kprobe *kp; 327 328 list_for_each_entry_rcu(kp, &p->list, list) { 329 if (kp->post_handler) { 330 set_kprobe_instance(kp); 331 kp->post_handler(kp, regs, flags); 332 reset_kprobe_instance(); 333 } 334 } 335 } 336 337 static int __kprobes aggr_fault_handler(struct kprobe *p, struct pt_regs *regs, 338 int trapnr) 339 { 340 struct kprobe *cur = __get_cpu_var(kprobe_instance); 341 342 /* 343 * if we faulted "during" the execution of a user specified 344 * probe handler, invoke just that probe's fault handler 345 */ 346 if (cur && cur->fault_handler) { 347 if (cur->fault_handler(cur, regs, trapnr)) 
348 return 1; 349 } 350 return 0; 351 } 352 353 static int __kprobes aggr_break_handler(struct kprobe *p, struct pt_regs *regs) 354 { 355 struct kprobe *cur = __get_cpu_var(kprobe_instance); 356 int ret = 0; 357 358 if (cur && cur->break_handler) { 359 if (cur->break_handler(cur, regs)) 360 ret = 1; 361 } 362 reset_kprobe_instance(); 363 return ret; 364 } 365 366 /* Walks the list and increments nmissed count for multiprobe case */ 367 void __kprobes kprobes_inc_nmissed_count(struct kprobe *p) 368 { 369 struct kprobe *kp; 370 if (p->pre_handler != aggr_pre_handler) { 371 p->nmissed++; 372 } else { 373 list_for_each_entry_rcu(kp, &p->list, list) 374 kp->nmissed++; 375 } 376 return; 377 } 378 379 void __kprobes recycle_rp_inst(struct kretprobe_instance *ri, 380 struct hlist_head *head) 381 { 382 struct kretprobe *rp = ri->rp; 383 384 /* remove rp inst off the rprobe_inst_table */ 385 hlist_del(&ri->hlist); 386 INIT_HLIST_NODE(&ri->hlist); 387 if (likely(rp)) { 388 spin_lock(&rp->lock); 389 hlist_add_head(&ri->hlist, &rp->free_instances); 390 spin_unlock(&rp->lock); 391 } else 392 /* Unregistering */ 393 hlist_add_head(&ri->hlist, head); 394 } 395 396 void kretprobe_hash_lock(struct task_struct *tsk, 397 struct hlist_head **head, unsigned long *flags) 398 { 399 unsigned long hash = hash_ptr(tsk, KPROBE_HASH_BITS); 400 spinlock_t *hlist_lock; 401 402 *head = &kretprobe_inst_table[hash]; 403 hlist_lock = kretprobe_table_lock_ptr(hash); 404 spin_lock_irqsave(hlist_lock, *flags); 405 } 406 407 void kretprobe_table_lock(unsigned long hash, unsigned long *flags) 408 { 409 spinlock_t *hlist_lock = kretprobe_table_lock_ptr(hash); 410 spin_lock_irqsave(hlist_lock, *flags); 411 } 412 413 void kretprobe_hash_unlock(struct task_struct *tsk, unsigned long *flags) 414 { 415 unsigned long hash = hash_ptr(tsk, KPROBE_HASH_BITS); 416 spinlock_t *hlist_lock; 417 418 hlist_lock = kretprobe_table_lock_ptr(hash); 419 spin_unlock_irqrestore(hlist_lock, *flags); 420 } 421 422 void 
kretprobe_table_unlock(unsigned long hash, unsigned long *flags) 423 { 424 spinlock_t *hlist_lock = kretprobe_table_lock_ptr(hash); 425 spin_unlock_irqrestore(hlist_lock, *flags); 426 } 427 428 /* 429 * This function is called from finish_task_switch when task tk becomes dead, 430 * so that we can recycle any function-return probe instances associated 431 * with this task. These left over instances represent probed functions 432 * that have been called but will never return. 433 */ 434 void __kprobes kprobe_flush_task(struct task_struct *tk) 435 { 436 struct kretprobe_instance *ri; 437 struct hlist_head *head, empty_rp; 438 struct hlist_node *node, *tmp; 439 unsigned long hash, flags = 0; 440 441 if (unlikely(!kprobes_initialized)) 442 /* Early boot. kretprobe_table_locks not yet initialized. */ 443 return; 444 445 hash = hash_ptr(tk, KPROBE_HASH_BITS); 446 head = &kretprobe_inst_table[hash]; 447 kretprobe_table_lock(hash, &flags); 448 hlist_for_each_entry_safe(ri, node, tmp, head, hlist) { 449 if (ri->task == tk) 450 recycle_rp_inst(ri, &empty_rp); 451 } 452 kretprobe_table_unlock(hash, &flags); 453 INIT_HLIST_HEAD(&empty_rp); 454 hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) { 455 hlist_del(&ri->hlist); 456 kfree(ri); 457 } 458 } 459 460 static inline void free_rp_inst(struct kretprobe *rp) 461 { 462 struct kretprobe_instance *ri; 463 struct hlist_node *pos, *next; 464 465 hlist_for_each_entry_safe(ri, pos, next, &rp->free_instances, hlist) { 466 hlist_del(&ri->hlist); 467 kfree(ri); 468 } 469 } 470 471 static void __kprobes cleanup_rp_inst(struct kretprobe *rp) 472 { 473 unsigned long flags, hash; 474 struct kretprobe_instance *ri; 475 struct hlist_node *pos, *next; 476 struct hlist_head *head; 477 478 /* No race here */ 479 for (hash = 0; hash < KPROBE_TABLE_SIZE; hash++) { 480 kretprobe_table_lock(hash, &flags); 481 head = &kretprobe_inst_table[hash]; 482 hlist_for_each_entry_safe(ri, pos, next, head, hlist) { 483 if (ri->rp == rp) 484 ri->rp = 
NULL; 485 } 486 kretprobe_table_unlock(hash, &flags); 487 } 488 free_rp_inst(rp); 489 } 490 491 /* 492 * Keep all fields in the kprobe consistent 493 */ 494 static inline void copy_kprobe(struct kprobe *old_p, struct kprobe *p) 495 { 496 memcpy(&p->opcode, &old_p->opcode, sizeof(kprobe_opcode_t)); 497 memcpy(&p->ainsn, &old_p->ainsn, sizeof(struct arch_specific_insn)); 498 } 499 500 /* 501 * Add the new probe to old_p->list. Fail if this is the 502 * second jprobe at the address - two jprobes can't coexist 503 */ 504 static int __kprobes add_new_kprobe(struct kprobe *old_p, struct kprobe *p) 505 { 506 if (p->break_handler) { 507 if (old_p->break_handler) 508 return -EEXIST; 509 list_add_tail_rcu(&p->list, &old_p->list); 510 old_p->break_handler = aggr_break_handler; 511 } else 512 list_add_rcu(&p->list, &old_p->list); 513 if (p->post_handler && !old_p->post_handler) 514 old_p->post_handler = aggr_post_handler; 515 return 0; 516 } 517 518 /* 519 * Fill in the required fields of the "manager kprobe". 
Replace the 520 * earlier kprobe in the hlist with the manager kprobe 521 */ 522 static inline void add_aggr_kprobe(struct kprobe *ap, struct kprobe *p) 523 { 524 copy_kprobe(p, ap); 525 flush_insn_slot(ap); 526 ap->addr = p->addr; 527 ap->pre_handler = aggr_pre_handler; 528 ap->fault_handler = aggr_fault_handler; 529 if (p->post_handler) 530 ap->post_handler = aggr_post_handler; 531 if (p->break_handler) 532 ap->break_handler = aggr_break_handler; 533 534 INIT_LIST_HEAD(&ap->list); 535 list_add_rcu(&p->list, &ap->list); 536 537 hlist_replace_rcu(&p->hlist, &ap->hlist); 538 } 539 540 /* 541 * This is the second or subsequent kprobe at the address - handle 542 * the intricacies 543 */ 544 static int __kprobes register_aggr_kprobe(struct kprobe *old_p, 545 struct kprobe *p) 546 { 547 int ret = 0; 548 struct kprobe *ap; 549 550 if (old_p->pre_handler == aggr_pre_handler) { 551 copy_kprobe(old_p, p); 552 ret = add_new_kprobe(old_p, p); 553 } else { 554 ap = kzalloc(sizeof(struct kprobe), GFP_KERNEL); 555 if (!ap) 556 return -ENOMEM; 557 add_aggr_kprobe(ap, old_p); 558 copy_kprobe(ap, p); 559 ret = add_new_kprobe(ap, p); 560 } 561 return ret; 562 } 563 564 static int __kprobes in_kprobes_functions(unsigned long addr) 565 { 566 struct kprobe_blackpoint *kb; 567 568 if (addr >= (unsigned long)__kprobes_text_start && 569 addr < (unsigned long)__kprobes_text_end) 570 return -EINVAL; 571 /* 572 * If there exists a kprobe_blacklist, verify and 573 * fail any probe registration in the prohibited area 574 */ 575 for (kb = kprobe_blacklist; kb->name != NULL; kb++) { 576 if (kb->start_addr) { 577 if (addr >= kb->start_addr && 578 addr < (kb->start_addr + kb->range)) 579 return -EINVAL; 580 } 581 } 582 return 0; 583 } 584 585 /* 586 * If we have a symbol_name argument, look it up and add the offset field 587 * to it. This way, we can specify a relative address to a symbol. 
588 */ 589 static kprobe_opcode_t __kprobes *kprobe_addr(struct kprobe *p) 590 { 591 kprobe_opcode_t *addr = p->addr; 592 if (p->symbol_name) { 593 if (addr) 594 return NULL; 595 kprobe_lookup_name(p->symbol_name, addr); 596 } 597 598 if (!addr) 599 return NULL; 600 return (kprobe_opcode_t *)(((char *)addr) + p->offset); 601 } 602 603 static int __kprobes __register_kprobe(struct kprobe *p, 604 unsigned long called_from) 605 { 606 int ret = 0; 607 struct kprobe *old_p; 608 struct module *probed_mod; 609 kprobe_opcode_t *addr; 610 611 addr = kprobe_addr(p); 612 if (!addr) 613 return -EINVAL; 614 p->addr = addr; 615 616 if (!kernel_text_address((unsigned long) p->addr) || 617 in_kprobes_functions((unsigned long) p->addr)) 618 return -EINVAL; 619 620 p->mod_refcounted = 0; 621 622 /* 623 * Check if are we probing a module. 624 */ 625 probed_mod = module_text_address((unsigned long) p->addr); 626 if (probed_mod) { 627 struct module *calling_mod = module_text_address(called_from); 628 /* 629 * We must allow modules to probe themself and in this case 630 * avoid incrementing the module refcount, so as to allow 631 * unloading of self probing modules. 632 */ 633 if (calling_mod && calling_mod != probed_mod) { 634 if (unlikely(!try_module_get(probed_mod))) 635 return -EINVAL; 636 p->mod_refcounted = 1; 637 } else 638 probed_mod = NULL; 639 } 640 641 p->nmissed = 0; 642 INIT_LIST_HEAD(&p->list); 643 mutex_lock(&kprobe_mutex); 644 old_p = get_kprobe(p->addr); 645 if (old_p) { 646 ret = register_aggr_kprobe(old_p, p); 647 goto out; 648 } 649 650 ret = arch_prepare_kprobe(p); 651 if (ret) 652 goto out; 653 654 INIT_HLIST_NODE(&p->hlist); 655 hlist_add_head_rcu(&p->hlist, 656 &kprobe_table[hash_ptr(p->addr, KPROBE_HASH_BITS)]); 657 658 if (kprobe_enabled) 659 arch_arm_kprobe(p); 660 661 out: 662 mutex_unlock(&kprobe_mutex); 663 664 if (ret && probed_mod) 665 module_put(probed_mod); 666 return ret; 667 } 668 669 /* 670 * Unregister a kprobe without a scheduler synchronization. 
671 */ 672 static int __kprobes __unregister_kprobe_top(struct kprobe *p) 673 { 674 struct kprobe *old_p, *list_p; 675 676 old_p = get_kprobe(p->addr); 677 if (unlikely(!old_p)) 678 return -EINVAL; 679 680 if (p != old_p) { 681 list_for_each_entry_rcu(list_p, &old_p->list, list) 682 if (list_p == p) 683 /* kprobe p is a valid probe */ 684 goto valid_p; 685 return -EINVAL; 686 } 687 valid_p: 688 if (old_p == p || 689 (old_p->pre_handler == aggr_pre_handler && 690 list_is_singular(&old_p->list))) { 691 /* 692 * Only probe on the hash list. Disarm only if kprobes are 693 * enabled - otherwise, the breakpoint would already have 694 * been removed. We save on flushing icache. 695 */ 696 if (kprobe_enabled) 697 arch_disarm_kprobe(p); 698 hlist_del_rcu(&old_p->hlist); 699 } else { 700 if (p->break_handler) 701 old_p->break_handler = NULL; 702 if (p->post_handler) { 703 list_for_each_entry_rcu(list_p, &old_p->list, list) { 704 if ((list_p != p) && (list_p->post_handler)) 705 goto noclean; 706 } 707 old_p->post_handler = NULL; 708 } 709 noclean: 710 list_del_rcu(&p->list); 711 } 712 return 0; 713 } 714 715 static void __kprobes __unregister_kprobe_bottom(struct kprobe *p) 716 { 717 struct module *mod; 718 struct kprobe *old_p; 719 720 if (p->mod_refcounted) { 721 mod = module_text_address((unsigned long)p->addr); 722 if (mod) 723 module_put(mod); 724 } 725 726 if (list_empty(&p->list) || list_is_singular(&p->list)) { 727 if (!list_empty(&p->list)) { 728 /* "p" is the last child of an aggr_kprobe */ 729 old_p = list_entry(p->list.next, struct kprobe, list); 730 list_del(&p->list); 731 kfree(old_p); 732 } 733 arch_remove_kprobe(p); 734 } 735 } 736 737 static int __register_kprobes(struct kprobe **kps, int num, 738 unsigned long called_from) 739 { 740 int i, ret = 0; 741 742 if (num <= 0) 743 return -EINVAL; 744 for (i = 0; i < num; i++) { 745 ret = __register_kprobe(kps[i], called_from); 746 if (ret < 0) { 747 if (i > 0) 748 unregister_kprobes(kps, i); 749 break; 750 } 751 } 
752 return ret; 753 } 754 755 /* 756 * Registration and unregistration functions for kprobe. 757 */ 758 int __kprobes register_kprobe(struct kprobe *p) 759 { 760 return __register_kprobes(&p, 1, 761 (unsigned long)__builtin_return_address(0)); 762 } 763 764 void __kprobes unregister_kprobe(struct kprobe *p) 765 { 766 unregister_kprobes(&p, 1); 767 } 768 769 int __kprobes register_kprobes(struct kprobe **kps, int num) 770 { 771 return __register_kprobes(kps, num, 772 (unsigned long)__builtin_return_address(0)); 773 } 774 775 void __kprobes unregister_kprobes(struct kprobe **kps, int num) 776 { 777 int i; 778 779 if (num <= 0) 780 return; 781 mutex_lock(&kprobe_mutex); 782 for (i = 0; i < num; i++) 783 if (__unregister_kprobe_top(kps[i]) < 0) 784 kps[i]->addr = NULL; 785 mutex_unlock(&kprobe_mutex); 786 787 synchronize_sched(); 788 for (i = 0; i < num; i++) 789 if (kps[i]->addr) 790 __unregister_kprobe_bottom(kps[i]); 791 } 792 793 static struct notifier_block kprobe_exceptions_nb = { 794 .notifier_call = kprobe_exceptions_notify, 795 .priority = 0x7fffffff /* we need to be notified first */ 796 }; 797 798 unsigned long __weak arch_deref_entry_point(void *entry) 799 { 800 return (unsigned long)entry; 801 } 802 803 static int __register_jprobes(struct jprobe **jps, int num, 804 unsigned long called_from) 805 { 806 struct jprobe *jp; 807 int ret = 0, i; 808 809 if (num <= 0) 810 return -EINVAL; 811 for (i = 0; i < num; i++) { 812 unsigned long addr; 813 jp = jps[i]; 814 addr = arch_deref_entry_point(jp->entry); 815 816 if (!kernel_text_address(addr)) 817 ret = -EINVAL; 818 else { 819 /* Todo: Verify probepoint is a function entry point */ 820 jp->kp.pre_handler = setjmp_pre_handler; 821 jp->kp.break_handler = longjmp_break_handler; 822 ret = __register_kprobe(&jp->kp, called_from); 823 } 824 if (ret < 0) { 825 if (i > 0) 826 unregister_jprobes(jps, i); 827 break; 828 } 829 } 830 return ret; 831 } 832 833 int __kprobes register_jprobe(struct jprobe *jp) 834 { 835 return 
__register_jprobes(&jp, 1, 836 (unsigned long)__builtin_return_address(0)); 837 } 838 839 void __kprobes unregister_jprobe(struct jprobe *jp) 840 { 841 unregister_jprobes(&jp, 1); 842 } 843 844 int __kprobes register_jprobes(struct jprobe **jps, int num) 845 { 846 return __register_jprobes(jps, num, 847 (unsigned long)__builtin_return_address(0)); 848 } 849 850 void __kprobes unregister_jprobes(struct jprobe **jps, int num) 851 { 852 int i; 853 854 if (num <= 0) 855 return; 856 mutex_lock(&kprobe_mutex); 857 for (i = 0; i < num; i++) 858 if (__unregister_kprobe_top(&jps[i]->kp) < 0) 859 jps[i]->kp.addr = NULL; 860 mutex_unlock(&kprobe_mutex); 861 862 synchronize_sched(); 863 for (i = 0; i < num; i++) { 864 if (jps[i]->kp.addr) 865 __unregister_kprobe_bottom(&jps[i]->kp); 866 } 867 } 868 869 #ifdef CONFIG_KRETPROBES 870 /* 871 * This kprobe pre_handler is registered with every kretprobe. When probe 872 * hits it will set up the return probe. 873 */ 874 static int __kprobes pre_handler_kretprobe(struct kprobe *p, 875 struct pt_regs *regs) 876 { 877 struct kretprobe *rp = container_of(p, struct kretprobe, kp); 878 unsigned long hash, flags = 0; 879 struct kretprobe_instance *ri; 880 881 /*TODO: consider to only swap the RA after the last pre_handler fired */ 882 hash = hash_ptr(current, KPROBE_HASH_BITS); 883 spin_lock_irqsave(&rp->lock, flags); 884 if (!hlist_empty(&rp->free_instances)) { 885 ri = hlist_entry(rp->free_instances.first, 886 struct kretprobe_instance, hlist); 887 hlist_del(&ri->hlist); 888 spin_unlock_irqrestore(&rp->lock, flags); 889 890 ri->rp = rp; 891 ri->task = current; 892 893 if (rp->entry_handler && rp->entry_handler(ri, regs)) { 894 spin_unlock_irqrestore(&rp->lock, flags); 895 return 0; 896 } 897 898 arch_prepare_kretprobe(ri, regs); 899 900 /* XXX(hch): why is there no hlist_move_head? 
*/ 901 INIT_HLIST_NODE(&ri->hlist); 902 kretprobe_table_lock(hash, &flags); 903 hlist_add_head(&ri->hlist, &kretprobe_inst_table[hash]); 904 kretprobe_table_unlock(hash, &flags); 905 } else { 906 rp->nmissed++; 907 spin_unlock_irqrestore(&rp->lock, flags); 908 } 909 return 0; 910 } 911 912 static int __kprobes __register_kretprobe(struct kretprobe *rp, 913 unsigned long called_from) 914 { 915 int ret = 0; 916 struct kretprobe_instance *inst; 917 int i; 918 void *addr; 919 920 if (kretprobe_blacklist_size) { 921 addr = kprobe_addr(&rp->kp); 922 if (!addr) 923 return -EINVAL; 924 925 for (i = 0; kretprobe_blacklist[i].name != NULL; i++) { 926 if (kretprobe_blacklist[i].addr == addr) 927 return -EINVAL; 928 } 929 } 930 931 rp->kp.pre_handler = pre_handler_kretprobe; 932 rp->kp.post_handler = NULL; 933 rp->kp.fault_handler = NULL; 934 rp->kp.break_handler = NULL; 935 936 /* Pre-allocate memory for max kretprobe instances */ 937 if (rp->maxactive <= 0) { 938 #ifdef CONFIG_PREEMPT 939 rp->maxactive = max(10, 2 * NR_CPUS); 940 #else 941 rp->maxactive = NR_CPUS; 942 #endif 943 } 944 spin_lock_init(&rp->lock); 945 INIT_HLIST_HEAD(&rp->free_instances); 946 for (i = 0; i < rp->maxactive; i++) { 947 inst = kmalloc(sizeof(struct kretprobe_instance) + 948 rp->data_size, GFP_KERNEL); 949 if (inst == NULL) { 950 free_rp_inst(rp); 951 return -ENOMEM; 952 } 953 INIT_HLIST_NODE(&inst->hlist); 954 hlist_add_head(&inst->hlist, &rp->free_instances); 955 } 956 957 rp->nmissed = 0; 958 /* Establish function entry probe point */ 959 ret = __register_kprobe(&rp->kp, called_from); 960 if (ret != 0) 961 free_rp_inst(rp); 962 return ret; 963 } 964 965 static int __register_kretprobes(struct kretprobe **rps, int num, 966 unsigned long called_from) 967 { 968 int ret = 0, i; 969 970 if (num <= 0) 971 return -EINVAL; 972 for (i = 0; i < num; i++) { 973 ret = __register_kretprobe(rps[i], called_from); 974 if (ret < 0) { 975 if (i > 0) 976 unregister_kretprobes(rps, i); 977 break; 978 } 979 } 980 
return ret; 981 } 982 983 int __kprobes register_kretprobe(struct kretprobe *rp) 984 { 985 return __register_kretprobes(&rp, 1, 986 (unsigned long)__builtin_return_address(0)); 987 } 988 989 void __kprobes unregister_kretprobe(struct kretprobe *rp) 990 { 991 unregister_kretprobes(&rp, 1); 992 } 993 994 int __kprobes register_kretprobes(struct kretprobe **rps, int num) 995 { 996 return __register_kretprobes(rps, num, 997 (unsigned long)__builtin_return_address(0)); 998 } 999 1000 void __kprobes unregister_kretprobes(struct kretprobe **rps, int num) 1001 { 1002 int i; 1003 1004 if (num <= 0) 1005 return; 1006 mutex_lock(&kprobe_mutex); 1007 for (i = 0; i < num; i++) 1008 if (__unregister_kprobe_top(&rps[i]->kp) < 0) 1009 rps[i]->kp.addr = NULL; 1010 mutex_unlock(&kprobe_mutex); 1011 1012 synchronize_sched(); 1013 for (i = 0; i < num; i++) { 1014 if (rps[i]->kp.addr) { 1015 __unregister_kprobe_bottom(&rps[i]->kp); 1016 cleanup_rp_inst(rps[i]); 1017 } 1018 } 1019 } 1020 1021 #else /* CONFIG_KRETPROBES */ 1022 int __kprobes register_kretprobe(struct kretprobe *rp) 1023 { 1024 return -ENOSYS; 1025 } 1026 1027 int __kprobes register_kretprobes(struct kretprobe **rps, int num) 1028 { 1029 return -ENOSYS; 1030 } 1031 void __kprobes unregister_kretprobe(struct kretprobe *rp) 1032 { 1033 } 1034 1035 void __kprobes unregister_kretprobes(struct kretprobe **rps, int num) 1036 { 1037 } 1038 1039 static int __kprobes pre_handler_kretprobe(struct kprobe *p, 1040 struct pt_regs *regs) 1041 { 1042 return 0; 1043 } 1044 1045 #endif /* CONFIG_KRETPROBES */ 1046 1047 static int __init init_kprobes(void) 1048 { 1049 int i, err = 0; 1050 unsigned long offset = 0, size = 0; 1051 char *modname, namebuf[128]; 1052 const char *symbol_name; 1053 void *addr; 1054 struct kprobe_blackpoint *kb; 1055 1056 /* FIXME allocate the probe table, currently defined statically */ 1057 /* initialize all list heads */ 1058 for (i = 0; i < KPROBE_TABLE_SIZE; i++) { 1059 INIT_HLIST_HEAD(&kprobe_table[i]); 1060 
INIT_HLIST_HEAD(&kretprobe_inst_table[i]); 1061 spin_lock_init(&(kretprobe_table_locks[i].lock)); 1062 } 1063 1064 /* 1065 * Lookup and populate the kprobe_blacklist. 1066 * 1067 * Unlike the kretprobe blacklist, we'll need to determine 1068 * the range of addresses that belong to the said functions, 1069 * since a kprobe need not necessarily be at the beginning 1070 * of a function. 1071 */ 1072 for (kb = kprobe_blacklist; kb->name != NULL; kb++) { 1073 kprobe_lookup_name(kb->name, addr); 1074 if (!addr) 1075 continue; 1076 1077 kb->start_addr = (unsigned long)addr; 1078 symbol_name = kallsyms_lookup(kb->start_addr, 1079 &size, &offset, &modname, namebuf); 1080 if (!symbol_name) 1081 kb->range = 0; 1082 else 1083 kb->range = size; 1084 } 1085 1086 if (kretprobe_blacklist_size) { 1087 /* lookup the function address from its name */ 1088 for (i = 0; kretprobe_blacklist[i].name != NULL; i++) { 1089 kprobe_lookup_name(kretprobe_blacklist[i].name, 1090 kretprobe_blacklist[i].addr); 1091 if (!kretprobe_blacklist[i].addr) 1092 printk("kretprobe: lookup failed: %s\n", 1093 kretprobe_blacklist[i].name); 1094 } 1095 } 1096 1097 /* By default, kprobes are enabled */ 1098 kprobe_enabled = true; 1099 1100 err = arch_init_kprobes(); 1101 if (!err) 1102 err = register_die_notifier(&kprobe_exceptions_nb); 1103 kprobes_initialized = (err == 0); 1104 1105 if (!err) 1106 init_test_probes(); 1107 return err; 1108 } 1109 1110 #ifdef CONFIG_DEBUG_FS 1111 static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p, 1112 const char *sym, int offset,char *modname) 1113 { 1114 char *kprobe_type; 1115 1116 if (p->pre_handler == pre_handler_kretprobe) 1117 kprobe_type = "r"; 1118 else if (p->pre_handler == setjmp_pre_handler) 1119 kprobe_type = "j"; 1120 else 1121 kprobe_type = "k"; 1122 if (sym) 1123 seq_printf(pi, "%p %s %s+0x%x %s\n", p->addr, kprobe_type, 1124 sym, offset, (modname ? 
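modname : " "));
	else
		seq_printf(pi, "%p %s %p\n", p->addr, kprobe_type, p->addr);
}

/*
 * seq_file iterator over kprobe_table.  The iterator position is the
 * hash-bucket index, so start/next just walk 0 .. KPROBE_TABLE_SIZE-1
 * and hand the bucket index to show_kprobe_addr() via *pos.
 */
static void __kprobes *kprobe_seq_start(struct seq_file *f, loff_t *pos)
{
	return (*pos < KPROBE_TABLE_SIZE) ? pos : NULL;
}

static void __kprobes *kprobe_seq_next(struct seq_file *f, void *v, loff_t *pos)
{
	(*pos)++;
	if (*pos >= KPROBE_TABLE_SIZE)
		return NULL;
	return pos;
}

static void __kprobes kprobe_seq_stop(struct seq_file *f, void *v)
{
	/* Nothing to do */
}

/*
 * Print every kprobe in hash bucket *v.
 *
 * The bucket is walked with preemption disabled, which is the read-side
 * protection the RCU list walk relies on here.  An aggregate probe
 * (pre_handler == aggr_pre_handler) is not reported itself; instead each
 * probe chained on its ->list is reported under the same symbol/offset.
 *
 * report_probe() prints probe addresses with %p, i.e. kernel layout
 * information, so the file backed by this must not be world-readable.
 */
static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v)
{
	struct hlist_head *head;
	struct hlist_node *node;
	struct kprobe *p, *kp;
	const char *sym = NULL;
	unsigned int i = *(loff_t *) v;	/* bucket index from kprobe_seq_* */
	unsigned long offset = 0;
	char *modname, namebuf[128];

	head = &kprobe_table[i];
	preempt_disable();
	hlist_for_each_entry_rcu(p, node, head, hlist) {
		sym = kallsyms_lookup((unsigned long)p->addr, NULL,
					&offset, &modname, namebuf);
		if (p->pre_handler == aggr_pre_handler) {
			list_for_each_entry_rcu(kp, &p->list, list)
				report_probe(pi, kp, sym, offset, modname);
		} else
			report_probe(pi, p, sym, offset, modname);
	}
	preempt_enable();
	return 0;
}

/*
 * NOTE(review): this table could be made const as well once seq_open()'s
 * prototype is confirmed to take a const struct seq_operations pointer.
 */
static struct seq_operations kprobes_seq_ops = {
	.start = kprobe_seq_start,
	.next  = kprobe_seq_next,
	.stop  = kprobe_seq_stop,
	.show  = show_kprobe_addr
};

static int __kprobes kprobes_open(struct inode *inode, struct file *filp)
{
	return seq_open(filp, &kprobes_seq_ops);
}

/* const: keeps this function-pointer table out of writable memory */
static const struct file_operations debugfs_kprobes_operations = {
	.open           = kprobes_open,
	.read           = seq_read,
	.llseek         = seq_lseek,
	.release        = seq_release,
};

/*
 * Arm every registered kprobe and mark kprobes globally enabled.
 * Driven by the debugfs "enabled" file; a no-op if already enabled.
 * kprobe_enabled is only changed with kprobe_mutex held.
 */
static void __kprobes enable_all_kprobes(void)
{
	struct hlist_head *head;
	struct hlist_node *node;
	struct kprobe *p;
	unsigned int i;

	mutex_lock(&kprobe_mutex);

	/* If kprobes are already enabled, just return */
	if (kprobe_enabled)
		goto already_enabled;

	for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
		head = &kprobe_table[i];
		hlist_for_each_entry_rcu(p, node, head, hlist)
			arch_arm_kprobe(p);
	}

	kprobe_enabled = true;
	printk(KERN_INFO "Kprobes globally enabled\n");

already_enabled:
	mutex_unlock(&kprobe_mutex);
}

/*
 * Disarm every registered kprobe and mark kprobes globally disabled.
 * Probes for which arch_trampoline_kprobe() is true are deliberately left
 * armed.  The flag is cleared first, then the probes are disarmed, and
 * after dropping the mutex synchronize_sched() waits for any handler that
 * is still running before returning to the caller.
 */
static void __kprobes disable_all_kprobes(void)
{
	struct hlist_head *head;
	struct hlist_node *node;
	struct kprobe *p;
	unsigned int i;

	mutex_lock(&kprobe_mutex);

	/* If kprobes are already disabled, just return */
	if (!kprobe_enabled)
		goto already_disabled;

	kprobe_enabled = false;
	printk(KERN_INFO "Kprobes globally disabled\n");
	for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
		head = &kprobe_table[i];
		hlist_for_each_entry_rcu(p, node, head, hlist) {
			if (!arch_trampoline_kprobe(p))
				arch_disarm_kprobe(p);
		}
	}

	mutex_unlock(&kprobe_mutex);
	/* Allow all currently running kprobes to complete */
	synchronize_sched();
	return;

already_disabled:
	mutex_unlock(&kprobe_mutex);
}

/*
 * XXX: The debugfs bool file interface doesn't allow for callbacks
 * when the bool state is switched.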
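We can reuse that facility when
 * available
 */

/*
 * Report the global enable state to user space as "1\n" or "0\n".
 * kprobe_enabled is read without kprobe_mutex; a concurrent toggle can
 * only make the answer momentarily stale, which is fine for a status file.
 */
static ssize_t read_enabled_file_bool(struct file *file,
	       char __user *user_buf, size_t count, loff_t *ppos)
{
	char buf[3];

	buf[0] = kprobe_enabled ? '1' : '0';
	buf[1] = '\n';
	buf[2] = 0x00;
	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
}

/*
 * Accept a boolean written to the "enabled" file and switch all kprobes
 * on or off.  Only the first byte is interpreted: y/Y/1 enables, n/N/0
 * disables, anything else leaves the state untouched.  The write is
 * always reported as fully consumed.
 *
 * Returns count, or -EFAULT if user_buf could not be copied.
 */
static ssize_t write_enabled_file_bool(struct file *file,
	       const char __user *user_buf, size_t count, loff_t *ppos)
{
	/*
	 * Zero-filled so that a zero-length write (buf_size == 0) leaves
	 * buf[0] == '\0' and falls through the switch, rather than
	 * switching on an uninitialized stack byte.
	 */
	char buf[32] = {0};
	int buf_size;

	buf_size = min(count, (sizeof(buf)-1));
	if (copy_from_user(buf, user_buf, buf_size))
		return -EFAULT;

	switch (buf[0]) {
	case 'y':
	case 'Y':
	case '1':
		enable_all_kprobes();
		break;
	case 'n':
	case 'N':
	case '0':
		disable_all_kprobes();
		break;
	default:
		/* Unrecognised value: leave the state unchanged */
		break;
	}

	return count;
}

/* const: keeps this function-pointer table out of writable memory */
static const struct file_operations fops_kp = {
	.read =         read_enabled_file_bool,
	.write =        write_enabled_file_bool,
};

/*
 * Create the debugfs "kprobes" directory with its "list" and "enabled"
 * files.
 *
 * "list" prints probe addresses (see report_probe()), i.e. kernel layout
 * information, so it is owner-readable only (0400) rather than 0444.
 * Neither fops_kp handler reads the file's private data, so NULL is
 * passed; the previous &value pointed at a stack variable of this
 * function and would have dangled once it returned.
 *
 * Returns 0 on success, -ENOMEM if any debugfs node could not be created
 * (the directory is removed again in that case).
 */
static int __kprobes debugfs_kprobe_init(void)
{
	struct dentry *dir, *file;

	dir = debugfs_create_dir("kprobes", NULL);
	if (!dir)
		return -ENOMEM;

	file = debugfs_create_file("list", 0400, dir, NULL,
				&debugfs_kprobes_operations);
	if (!file)
		goto err_remove;

	file = debugfs_create_file("enabled", 0600, dir,
					NULL, &fops_kp);
	if (!file)
		goto err_remove;

	return 0;

err_remove:
	debugfs_remove(dir);
	return -ENOMEM;
}

late_initcall(debugfs_kprobe_init);
#endif /* CONFIG_DEBUG_FS */

module_init(init_kprobes);

EXPORT_SYMBOL_GPL(register_kprobe);
EXPORT_SYMBOL_GPL(unregister_kprobe);
EXPORT_SYMBOL_GPL(register_kprobes);
EXPORT_SYMBOL_GPL(unregister_kprobes);
EXPORT_SYMBOL_GPL(register_jprobe);
EXPORT_SYMBOL_GPL(unregister_jprobe);
EXPORT_SYMBOL_GPL(register_jprobes);
EXPORT_SYMBOL_GPL(unregister_jprobes);
EXPORT_SYMBOL_GPL(jprobe_return);
EXPORT_SYMBOL_GPL(register_kretprobe);
EXPORT_SYMBOL_GPL(unregister_kretprobe);
EXPORT_SYMBOL_GPL(register_kretprobes);
EXPORT_SYMBOL_GPL(unregister_kretprobes);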