1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Kernel Probes (KProbes)
5 * Copyright (C) IBM Corporation, 2002, 2004
7 * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
8 * Probes initial implementation ( includes contributions from
10 * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
11 * interface to access function arguments.
12 * 2004-Oct Jim Keniston <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
13 * <prasanna@in.ibm.com> adapted for x86_64 from i386.
14 * 2005-Mar Roland McGrath <roland@redhat.com>
15 * Fixed to handle %rip-relative addressing mode correctly.
16 * 2005-May Hien Nguyen <hien@us.ibm.com>, Jim Keniston
17 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
18 * <prasanna@in.ibm.com> added function-return probes.
19 * 2005-May Rusty Lynch <rusty.lynch@intel.com>
20 * Added function return probes functionality
21 * 2006-Feb Masami Hiramatsu <hiramatu@sdl.hitachi.co.jp> added
22 * kprobe-booster and kretprobe-booster for i386.
23 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com> added kprobe-booster
24 * and kretprobe-booster for x86-64
25 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com>, Arjan van de Ven
26 * <arjan@infradead.org> and Jim Keniston <jkenisto@us.ibm.com>
27 * unified x86 kprobes code.
29 #include <linux/kprobes.h>
30 #include <linux/ptrace.h>
31 #include <linux/string.h>
32 #include <linux/slab.h>
33 #include <linux/hardirq.h>
34 #include <linux/preempt.h>
35 #include <linux/sched/debug.h>
36 #include <linux/perf_event.h>
37 #include <linux/extable.h>
38 #include <linux/kdebug.h>
39 #include <linux/kallsyms.h>
40 #include <linux/ftrace.h>
41 #include <linux/kasan.h>
42 #include <linux/moduleloader.h>
43 #include <linux/objtool.h>
44 #include <linux/vmalloc.h>
45 #include <linux/pgtable.h>
47 #include <asm/text-patching.h>
48 #include <asm/cacheflush.h>
50 #include <linux/uaccess.h>
51 #include <asm/alternative.h>
53 #include <asm/debugreg.h>
54 #include <asm/set_memory.h>
59 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
60 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
62 #define stack_addr(regs) ((unsigned long *)regs->sp)
64 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
65 (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \
66 (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \
67 (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \
68 (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \
71 * Undefined/reserved opcodes, conditional jump, Opcode Extension
72 * Groups, and some special opcodes can not boost.
73 * This is non-const and volatile to keep gcc from statically
74 * optimizing it out, as variable_test_bit makes gcc think only
75 * *(unsigned long*) is used.
77 static volatile u32 twobyte_is_boostable[256 / 32] = {
78 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
79 /* ---------------------------------------------- */
80 W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */
81 W(0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1) , /* 10 */
82 W(0x20, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 20 */
83 W(0x30, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 30 */
84 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
85 W(0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 50 */
86 W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1) | /* 60 */
87 W(0x70, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1) , /* 70 */
88 W(0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 80 */
89 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
90 W(0xa0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* a0 */
91 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1) , /* b0 */
92 W(0xc0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
93 W(0xd0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) , /* d0 */
94 W(0xe0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* e0 */
95 W(0xf0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0) /* f0 */
96 /* ----------------------------------------------- */
97 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
101 struct kretprobe_blackpoint kretprobe_blacklist[] = {
102 {"__switch_to", }, /* This function switches only current task, but
103 doesn't switch kernel stack.*/
104 {NULL, NULL} /* Terminator */
107 const int kretprobe_blacklist_size = ARRAY_SIZE(kretprobe_blacklist);
109 static nokprobe_inline void
110 __synthesize_relative_insn(void *dest, void *from, void *to, u8 op)
112 struct __arch_relative_insn {
117 insn = (struct __arch_relative_insn *)dest;
118 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
122 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
123 void synthesize_reljump(void *dest, void *from, void *to)
125 __synthesize_relative_insn(dest, from, to, JMP32_INSN_OPCODE);
127 NOKPROBE_SYMBOL(synthesize_reljump);
129 /* Insert a call instruction at address 'from', which calls address 'to'.*/
130 void synthesize_relcall(void *dest, void *from, void *to)
132 __synthesize_relative_insn(dest, from, to, CALL_INSN_OPCODE);
134 NOKPROBE_SYMBOL(synthesize_relcall);
137 * Returns non-zero if INSN is boostable.
138 * RIP relative instructions are adjusted at copying time in 64 bits mode
140 int can_boost(struct insn *insn, void *addr)
142 kprobe_opcode_t opcode;
146 if (search_exception_tables((unsigned long)addr))
147 return 0; /* Page fault may occur on this address. */
149 /* 2nd-byte opcode */
150 if (insn->opcode.nbytes == 2)
151 return test_bit(insn->opcode.bytes[1],
152 (unsigned long *)twobyte_is_boostable);
154 if (insn->opcode.nbytes != 1)
157 for_each_insn_prefix(insn, i, prefix) {
160 attr = inat_get_opcode_attribute(prefix);
161 /* Can't boost Address-size override prefix and CS override prefix */
162 if (prefix == 0x2e || inat_is_address_size_prefix(attr))
166 opcode = insn->opcode.bytes[0];
169 case 0x62: /* bound */
170 case 0x70 ... 0x7f: /* Conditional jumps */
171 case 0x9a: /* Call far */
172 case 0xc0 ... 0xc1: /* Grp2 */
173 case 0xcc ... 0xce: /* software exceptions */
174 case 0xd0 ... 0xd3: /* Grp2 */
175 case 0xd6: /* (UD) */
176 case 0xd8 ... 0xdf: /* ESC */
177 case 0xe0 ... 0xe3: /* LOOP*, JCXZ */
178 case 0xe8 ... 0xe9: /* near Call, JMP */
179 case 0xeb: /* Short JMP */
180 case 0xf0 ... 0xf4: /* LOCK/REP, HLT */
181 case 0xf6 ... 0xf7: /* Grp3 */
182 case 0xfe: /* Grp4 */
183 /* ... are not boostable */
185 case 0xff: /* Grp5 */
186 /* Only indirect jmp is boostable */
187 return X86_MODRM_REG(insn->modrm.bytes[0]) == 4;
194 __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
199 kp = get_kprobe((void *)addr);
200 faddr = ftrace_location(addr) == addr;
202 * Use the current code if it is not modified by Kprobe
203 * and it cannot be modified by ftrace.
209 * Basically, kp->ainsn.insn has an original instruction.
210 * However, RIP-relative instruction can not do single-stepping
211 * at different place, __copy_instruction() tweaks the displacement of
212 * that instruction. In that case, we can't recover the instruction
213 * from the kp->ainsn.insn.
215 * On the other hand, in case on normal Kprobe, kp->opcode has a copy
216 * of the first byte of the probed instruction, which is overwritten
217 * by int3. And the instruction at kp->addr is not modified by kprobes
218 * except for the first byte, we can recover the original instruction
219 * from it and kp->opcode.
221 * In case of Kprobes using ftrace, we do not have a copy of
222 * the original instruction. In fact, the ftrace location might
223 * be modified at anytime and even could be in an inconsistent state.
224 * Fortunately, we know that the original code is the ideal 5-byte
227 if (copy_from_kernel_nofault(buf, (void *)addr,
228 MAX_INSN_SIZE * sizeof(kprobe_opcode_t)))
232 memcpy(buf, x86_nops[5], 5);
235 return (unsigned long)buf;
239 * Recover the probed instruction at addr for further analysis.
240 * Caller must lock kprobes by kprobe_mutex, or disable preemption
241 * for preventing to release referencing kprobes.
242 * Returns zero if the instruction can not get recovered (or access failed).
244 unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long addr)
246 unsigned long __addr;
248 __addr = __recover_optprobed_insn(buf, addr);
252 return __recover_probed_insn(buf, addr);
255 /* Check if paddr is at an instruction boundary */
256 static int can_probe(unsigned long paddr)
258 unsigned long addr, __addr, offset = 0;
260 kprobe_opcode_t buf[MAX_INSN_SIZE];
262 if (!kallsyms_lookup_size_offset(paddr, NULL, &offset))
265 /* Decode instructions */
266 addr = paddr - offset;
267 while (addr < paddr) {
271 * Check if the instruction has been modified by another
272 * kprobe, in which case we replace the breakpoint by the
273 * original instruction in our buffer.
274 * Also, jump optimization will change the breakpoint to
275 * relative-jump. Since the relative-jump itself is
276 * normally used, we just go through if there is no kprobe.
278 __addr = recover_probed_instruction(buf, addr);
282 ret = insn_decode_kernel(&insn, (void *)__addr);
287 * Another debugging subsystem might insert this breakpoint.
288 * In that case, we can't recover it.
290 if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
295 return (addr == paddr);
298 /* If x86 supports IBT (ENDBR) it must be skipped. */
299 kprobe_opcode_t *arch_adjust_kprobe_addr(unsigned long addr, unsigned long offset,
302 if (is_endbr(*(u32 *)addr)) {
303 *on_func_entry = !offset || offset == 4;
308 *on_func_entry = !offset;
311 return (kprobe_opcode_t *)(addr + offset);
315 * Copy an instruction with recovering modified instruction by kprobes
316 * and adjust the displacement if the instruction uses the %rip-relative
317 * addressing mode. Note that since @real will be the final place of copied
318 * instruction, displacement must be adjust by @real, not @dest.
319 * This returns the length of copied instruction, or 0 if it has an error.
321 int __copy_instruction(u8 *dest, u8 *src, u8 *real, struct insn *insn)
323 kprobe_opcode_t buf[MAX_INSN_SIZE];
324 unsigned long recovered_insn = recover_probed_instruction(buf, (unsigned long)src);
327 if (!recovered_insn || !insn)
330 /* This can access kernel text if given address is not recovered */
331 if (copy_from_kernel_nofault(dest, (void *)recovered_insn,
335 ret = insn_decode_kernel(insn, dest);
339 /* We can not probe force emulate prefixed instruction */
340 if (insn_has_emulate_prefix(insn))
343 /* Another subsystem puts a breakpoint, failed to recover */
344 if (insn->opcode.bytes[0] == INT3_INSN_OPCODE)
347 /* We should not singlestep on the exception masking instructions */
348 if (insn_masking_exception(insn))
352 /* Only x86_64 has RIP relative instructions */
353 if (insn_rip_relative(insn)) {
357 * The copied instruction uses the %rip-relative addressing
358 * mode. Adjust the displacement for the difference between
359 * the original location of this instruction and the location
360 * of the copy that will actually be run. The tricky bit here
361 * is making sure that the sign extension happens correctly in
362 * this calculation, since we need a signed 32-bit result to
363 * be sign-extended to 64 bits when it's added to the %rip
364 * value and yield the same 64-bit result that the sign-
365 * extension of the original signed 32-bit displacement would
368 newdisp = (u8 *) src + (s64) insn->displacement.value
370 if ((s64) (s32) newdisp != newdisp) {
371 pr_err("Kprobes error: new displacement does not fit into s32 (%llx)\n", newdisp);
374 disp = (u8 *) dest + insn_offset_displacement(insn);
375 *(s32 *) disp = (s32) newdisp;
381 /* Prepare reljump or int3 right after instruction */
382 static int prepare_singlestep(kprobe_opcode_t *buf, struct kprobe *p,
385 int len = insn->length;
387 if (!IS_ENABLED(CONFIG_PREEMPTION) &&
388 !p->post_handler && can_boost(insn, p->addr) &&
389 MAX_INSN_SIZE - len >= JMP32_INSN_SIZE) {
391 * These instructions can be executed directly if it
392 * jumps back to correct address.
394 synthesize_reljump(buf + len, p->ainsn.insn + len,
395 p->addr + insn->length);
396 len += JMP32_INSN_SIZE;
397 p->ainsn.boostable = 1;
399 /* Otherwise, put an int3 for trapping singlestep */
400 if (MAX_INSN_SIZE - len < INT3_INSN_SIZE)
403 buf[len] = INT3_INSN_OPCODE;
404 len += INT3_INSN_SIZE;
410 /* Make page to RO mode when allocate it */
411 void *alloc_insn_page(void)
415 page = module_alloc(PAGE_SIZE);
419 set_vm_flush_reset_perms(page);
421 * First make the page read-only, and only then make it executable to
422 * prevent it from being W+X in between.
424 set_memory_ro((unsigned long)page, 1);
427 * TODO: Once additional kernel code protection mechanisms are set, ensure
428 * that the page was not maliciously altered and it is still zeroed.
430 set_memory_x((unsigned long)page, 1);
435 /* Kprobe x86 instruction emulation - only regs->ip or IF flag modifiers */
437 static void kprobe_emulate_ifmodifiers(struct kprobe *p, struct pt_regs *regs)
439 switch (p->ainsn.opcode) {
441 regs->flags &= ~(X86_EFLAGS_IF);
444 regs->flags |= X86_EFLAGS_IF;
446 case 0x9c: /* pushf */
447 int3_emulate_push(regs, regs->flags);
449 case 0x9d: /* popf */
450 regs->flags = int3_emulate_pop(regs);
453 regs->ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
455 NOKPROBE_SYMBOL(kprobe_emulate_ifmodifiers);
457 static void kprobe_emulate_ret(struct kprobe *p, struct pt_regs *regs)
459 int3_emulate_ret(regs);
461 NOKPROBE_SYMBOL(kprobe_emulate_ret);
463 static void kprobe_emulate_call(struct kprobe *p, struct pt_regs *regs)
465 unsigned long func = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
467 func += p->ainsn.rel32;
468 int3_emulate_call(regs, func);
470 NOKPROBE_SYMBOL(kprobe_emulate_call);
472 static nokprobe_inline
473 void __kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs, bool cond)
475 unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
478 ip += p->ainsn.rel32;
479 int3_emulate_jmp(regs, ip);
482 static void kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs)
484 __kprobe_emulate_jmp(p, regs, true);
486 NOKPROBE_SYMBOL(kprobe_emulate_jmp);
488 static const unsigned long jcc_mask[6] = {
492 [3] = X86_EFLAGS_CF | X86_EFLAGS_ZF,
497 static void kprobe_emulate_jcc(struct kprobe *p, struct pt_regs *regs)
499 bool invert = p->ainsn.jcc.type & 1;
502 if (p->ainsn.jcc.type < 0xc) {
503 match = regs->flags & jcc_mask[p->ainsn.jcc.type >> 1];
505 match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^
506 ((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT);
507 if (p->ainsn.jcc.type >= 0xe)
508 match = match && (regs->flags & X86_EFLAGS_ZF);
510 __kprobe_emulate_jmp(p, regs, (match && !invert) || (!match && invert));
512 NOKPROBE_SYMBOL(kprobe_emulate_jcc);
514 static void kprobe_emulate_loop(struct kprobe *p, struct pt_regs *regs)
518 if (p->ainsn.loop.type != 3) { /* LOOP* */
519 if (p->ainsn.loop.asize == 32)
520 match = ((*(u32 *)®s->cx)--) != 0;
522 else if (p->ainsn.loop.asize == 64)
523 match = ((*(u64 *)®s->cx)--) != 0;
526 match = ((*(u16 *)®s->cx)--) != 0;
528 if (p->ainsn.loop.asize == 32)
529 match = *(u32 *)(®s->cx) == 0;
531 else if (p->ainsn.loop.asize == 64)
532 match = *(u64 *)(®s->cx) == 0;
535 match = *(u16 *)(®s->cx) == 0;
538 if (p->ainsn.loop.type == 0) /* LOOPNE */
539 match = match && !(regs->flags & X86_EFLAGS_ZF);
540 else if (p->ainsn.loop.type == 1) /* LOOPE */
541 match = match && (regs->flags & X86_EFLAGS_ZF);
543 __kprobe_emulate_jmp(p, regs, match);
545 NOKPROBE_SYMBOL(kprobe_emulate_loop);
547 static const int addrmode_regoffs[] = {
548 offsetof(struct pt_regs, ax),
549 offsetof(struct pt_regs, cx),
550 offsetof(struct pt_regs, dx),
551 offsetof(struct pt_regs, bx),
552 offsetof(struct pt_regs, sp),
553 offsetof(struct pt_regs, bp),
554 offsetof(struct pt_regs, si),
555 offsetof(struct pt_regs, di),
557 offsetof(struct pt_regs, r8),
558 offsetof(struct pt_regs, r9),
559 offsetof(struct pt_regs, r10),
560 offsetof(struct pt_regs, r11),
561 offsetof(struct pt_regs, r12),
562 offsetof(struct pt_regs, r13),
563 offsetof(struct pt_regs, r14),
564 offsetof(struct pt_regs, r15),
568 static void kprobe_emulate_call_indirect(struct kprobe *p, struct pt_regs *regs)
570 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
572 int3_emulate_call(regs, regs_get_register(regs, offs));
574 NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);
576 static void kprobe_emulate_jmp_indirect(struct kprobe *p, struct pt_regs *regs)
578 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
580 int3_emulate_jmp(regs, regs_get_register(regs, offs));
582 NOKPROBE_SYMBOL(kprobe_emulate_jmp_indirect);
584 static int prepare_emulation(struct kprobe *p, struct insn *insn)
586 insn_byte_t opcode = insn->opcode.bytes[0];
591 case 0x9c: /* pushfl */
592 case 0x9d: /* popf/popfd */
594 * IF modifiers must be emulated since it will enable interrupt while
595 * int3 single stepping.
597 p->ainsn.emulate_op = kprobe_emulate_ifmodifiers;
598 p->ainsn.opcode = opcode;
600 case 0xc2: /* ret/lret */
604 p->ainsn.emulate_op = kprobe_emulate_ret;
606 case 0x9a: /* far call absolute -- segment is not supported */
607 case 0xea: /* far jmp absolute -- segment is not supported */
608 case 0xcc: /* int3 */
609 case 0xcf: /* iret -- in-kernel IRET is not supported */
612 case 0xe8: /* near call relative */
613 p->ainsn.emulate_op = kprobe_emulate_call;
614 if (insn->immediate.nbytes == 2)
615 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
617 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
619 case 0xeb: /* short jump relative */
620 case 0xe9: /* near jump relative */
621 p->ainsn.emulate_op = kprobe_emulate_jmp;
622 if (insn->immediate.nbytes == 1)
623 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
624 else if (insn->immediate.nbytes == 2)
625 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
627 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
630 /* 1 byte conditional jump */
631 p->ainsn.emulate_op = kprobe_emulate_jcc;
632 p->ainsn.jcc.type = opcode & 0xf;
633 p->ainsn.rel32 = *(char *)insn->immediate.bytes;
636 opcode = insn->opcode.bytes[1];
637 if ((opcode & 0xf0) == 0x80) {
638 /* 2 bytes Conditional Jump */
639 p->ainsn.emulate_op = kprobe_emulate_jcc;
640 p->ainsn.jcc.type = opcode & 0xf;
641 if (insn->immediate.nbytes == 2)
642 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
644 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
645 } else if (opcode == 0x01 &&
646 X86_MODRM_REG(insn->modrm.bytes[0]) == 0 &&
647 X86_MODRM_MOD(insn->modrm.bytes[0]) == 3) {
648 /* VM extensions - not supported */
652 case 0xe0: /* Loop NZ */
653 case 0xe1: /* Loop */
654 case 0xe2: /* Loop */
655 case 0xe3: /* J*CXZ */
656 p->ainsn.emulate_op = kprobe_emulate_loop;
657 p->ainsn.loop.type = opcode & 0x3;
658 p->ainsn.loop.asize = insn->addr_bytes * 8;
659 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
663 * Since the 0xff is an extended group opcode, the instruction
664 * is determined by the MOD/RM byte.
666 opcode = insn->modrm.bytes[0];
667 if ((opcode & 0x30) == 0x10) {
668 if ((opcode & 0x8) == 0x8)
669 return -EOPNOTSUPP; /* far call */
670 /* call absolute, indirect */
671 p->ainsn.emulate_op = kprobe_emulate_call_indirect;
672 } else if ((opcode & 0x30) == 0x20) {
673 if ((opcode & 0x8) == 0x8)
674 return -EOPNOTSUPP; /* far jmp */
675 /* jmp near absolute indirect */
676 p->ainsn.emulate_op = kprobe_emulate_jmp_indirect;
680 if (insn->addr_bytes != sizeof(unsigned long))
681 return -EOPNOTSUPP; /* Don't support different size */
682 if (X86_MODRM_MOD(opcode) != 3)
683 return -EOPNOTSUPP; /* TODO: support memory addressing */
685 p->ainsn.indirect.reg = X86_MODRM_RM(opcode);
687 if (X86_REX_B(insn->rex_prefix.value))
688 p->ainsn.indirect.reg += 8;
694 p->ainsn.size = insn->length;
699 static int arch_copy_kprobe(struct kprobe *p)
702 kprobe_opcode_t buf[MAX_INSN_SIZE];
705 /* Copy an instruction with recovering if other optprobe modifies it.*/
706 len = __copy_instruction(buf, p->addr, p->ainsn.insn, &insn);
710 /* Analyze the opcode and setup emulate functions */
711 ret = prepare_emulation(p, &insn);
715 /* Add int3 for single-step or booster jmp */
716 len = prepare_singlestep(buf, p, &insn);
720 /* Also, displacement change doesn't affect the first byte */
723 p->ainsn.tp_len = len;
724 perf_event_text_poke(p->ainsn.insn, NULL, 0, buf, len);
726 /* OK, write back the instruction(s) into ROX insn buffer */
727 text_poke(p->ainsn.insn, buf, len);
732 int arch_prepare_kprobe(struct kprobe *p)
736 if (alternatives_text_reserved(p->addr, p->addr))
739 if (!can_probe((unsigned long)p->addr))
742 memset(&p->ainsn, 0, sizeof(p->ainsn));
744 /* insn: must be on special executable page on x86. */
745 p->ainsn.insn = get_insn_slot();
749 ret = arch_copy_kprobe(p);
751 free_insn_slot(p->ainsn.insn, 0);
752 p->ainsn.insn = NULL;
758 void arch_arm_kprobe(struct kprobe *p)
760 u8 int3 = INT3_INSN_OPCODE;
762 text_poke(p->addr, &int3, 1);
764 perf_event_text_poke(p->addr, &p->opcode, 1, &int3, 1);
767 void arch_disarm_kprobe(struct kprobe *p)
769 u8 int3 = INT3_INSN_OPCODE;
771 perf_event_text_poke(p->addr, &int3, 1, &p->opcode, 1);
772 text_poke(p->addr, &p->opcode, 1);
776 void arch_remove_kprobe(struct kprobe *p)
779 /* Record the perf event before freeing the slot */
780 perf_event_text_poke(p->ainsn.insn, p->ainsn.insn,
781 p->ainsn.tp_len, NULL, 0);
782 free_insn_slot(p->ainsn.insn, p->ainsn.boostable);
783 p->ainsn.insn = NULL;
787 static nokprobe_inline void
788 save_previous_kprobe(struct kprobe_ctlblk *kcb)
790 kcb->prev_kprobe.kp = kprobe_running();
791 kcb->prev_kprobe.status = kcb->kprobe_status;
792 kcb->prev_kprobe.old_flags = kcb->kprobe_old_flags;
793 kcb->prev_kprobe.saved_flags = kcb->kprobe_saved_flags;
796 static nokprobe_inline void
797 restore_previous_kprobe(struct kprobe_ctlblk *kcb)
799 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
800 kcb->kprobe_status = kcb->prev_kprobe.status;
801 kcb->kprobe_old_flags = kcb->prev_kprobe.old_flags;
802 kcb->kprobe_saved_flags = kcb->prev_kprobe.saved_flags;
805 static nokprobe_inline void
806 set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
807 struct kprobe_ctlblk *kcb)
809 __this_cpu_write(current_kprobe, p);
810 kcb->kprobe_saved_flags = kcb->kprobe_old_flags
811 = (regs->flags & X86_EFLAGS_IF);
814 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
816 unsigned long *sara = stack_addr(regs);
818 ri->ret_addr = (kprobe_opcode_t *) *sara;
821 /* Replace the return addr with trampoline addr */
822 *sara = (unsigned long) &__kretprobe_trampoline;
824 NOKPROBE_SYMBOL(arch_prepare_kretprobe);
826 static void kprobe_post_process(struct kprobe *cur, struct pt_regs *regs,
827 struct kprobe_ctlblk *kcb)
829 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
830 kcb->kprobe_status = KPROBE_HIT_SSDONE;
831 cur->post_handler(cur, regs, 0);
834 /* Restore back the original saved kprobes variables and continue. */
835 if (kcb->kprobe_status == KPROBE_REENTER)
836 restore_previous_kprobe(kcb);
838 reset_current_kprobe();
840 NOKPROBE_SYMBOL(kprobe_post_process);
842 static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
843 struct kprobe_ctlblk *kcb, int reenter)
845 if (setup_detour_execution(p, regs, reenter))
848 #if !defined(CONFIG_PREEMPTION)
849 if (p->ainsn.boostable) {
850 /* Boost up -- we can execute copied instructions directly */
852 reset_current_kprobe();
854 * Reentering boosted probe doesn't reset current_kprobe,
855 * nor set current_kprobe, because it doesn't use single
858 regs->ip = (unsigned long)p->ainsn.insn;
863 save_previous_kprobe(kcb);
864 set_current_kprobe(p, regs, kcb);
865 kcb->kprobe_status = KPROBE_REENTER;
867 kcb->kprobe_status = KPROBE_HIT_SS;
869 if (p->ainsn.emulate_op) {
870 p->ainsn.emulate_op(p, regs);
871 kprobe_post_process(p, regs, kcb);
875 /* Disable interrupt, and set ip register on trampoline */
876 regs->flags &= ~X86_EFLAGS_IF;
877 regs->ip = (unsigned long)p->ainsn.insn;
879 NOKPROBE_SYMBOL(setup_singlestep);
882 * Called after single-stepping. p->addr is the address of the
883 * instruction whose first byte has been replaced by the "int3"
884 * instruction. To avoid the SMP problems that can occur when we
885 * temporarily put back the original opcode to single-step, we
886 * single-stepped a copy of the instruction. The address of this
887 * copy is p->ainsn.insn. We also doesn't use trap, but "int3" again
888 * right after the copied instruction.
889 * Different from the trap single-step, "int3" single-step can not
890 * handle the instruction which changes the ip register, e.g. jmp,
891 * call, conditional jmp, and the instructions which changes the IF
892 * flags because interrupt must be disabled around the single-stepping.
893 * Such instructions are software emulated, but others are single-stepped
896 * When the 2nd "int3" handled, the regs->ip and regs->flags needs to
897 * be adjusted, so that we can resume execution on correct code.
899 static void resume_singlestep(struct kprobe *p, struct pt_regs *regs,
900 struct kprobe_ctlblk *kcb)
902 unsigned long copy_ip = (unsigned long)p->ainsn.insn;
903 unsigned long orig_ip = (unsigned long)p->addr;
905 /* Restore saved interrupt flag and ip register */
906 regs->flags |= kcb->kprobe_saved_flags;
907 /* Note that regs->ip is executed int3 so must be a step back */
908 regs->ip += (orig_ip - copy_ip) - INT3_INSN_SIZE;
910 NOKPROBE_SYMBOL(resume_singlestep);
913 * We have reentered the kprobe_handler(), since another probe was hit while
914 * within the handler. We save the original kprobes variables and just single
915 * step on the instruction of the new probe without calling any user handlers.
917 static int reenter_kprobe(struct kprobe *p, struct pt_regs *regs,
918 struct kprobe_ctlblk *kcb)
920 switch (kcb->kprobe_status) {
921 case KPROBE_HIT_SSDONE:
922 case KPROBE_HIT_ACTIVE:
924 kprobes_inc_nmissed_count(p);
925 setup_singlestep(p, regs, kcb, 1);
928 /* A probe has been hit in the codepath leading up to, or just
929 * after, single-stepping of a probed instruction. This entire
930 * codepath should strictly reside in .kprobes.text section.
931 * Raise a BUG or we'll continue in an endless reentering loop
932 * and eventually a stack overflow.
934 pr_err("Unrecoverable kprobe detected.\n");
938 /* impossible cases */
945 NOKPROBE_SYMBOL(reenter_kprobe);
947 static nokprobe_inline int kprobe_is_ss(struct kprobe_ctlblk *kcb)
949 return (kcb->kprobe_status == KPROBE_HIT_SS ||
950 kcb->kprobe_status == KPROBE_REENTER);
954 * Interrupts are disabled on entry as trap3 is an interrupt gate and they
955 * remain disabled throughout this function.
957 int kprobe_int3_handler(struct pt_regs *regs)
959 kprobe_opcode_t *addr;
961 struct kprobe_ctlblk *kcb;
966 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
968 * We don't want to be preempted for the entire duration of kprobe
969 * processing. Since int3 and debug trap disables irqs and we clear
970 * IF while singlestepping, it must be no preemptible.
973 kcb = get_kprobe_ctlblk();
974 p = get_kprobe(addr);
977 if (kprobe_running()) {
978 if (reenter_kprobe(p, regs, kcb))
981 set_current_kprobe(p, regs, kcb);
982 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
985 * If we have no pre-handler or it returned 0, we
986 * continue with normal processing. If we have a
987 * pre-handler and it returned non-zero, that means
988 * user handler setup registers to exit to another
989 * instruction, we must skip the single stepping.
991 if (!p->pre_handler || !p->pre_handler(p, regs))
992 setup_singlestep(p, regs, kcb, 0);
994 reset_current_kprobe();
997 } else if (kprobe_is_ss(kcb)) {
998 p = kprobe_running();
999 if ((unsigned long)p->ainsn.insn < regs->ip &&
1000 (unsigned long)p->ainsn.insn + MAX_INSN_SIZE > regs->ip) {
1001 /* Most provably this is the second int3 for singlestep */
1002 resume_singlestep(p, regs, kcb);
1003 kprobe_post_process(p, regs, kcb);
1008 if (*addr != INT3_INSN_OPCODE) {
1010 * The breakpoint instruction was removed right
1011 * after we hit it. Another cpu has removed
1012 * either a probepoint or a debugger breakpoint
1013 * at this address. In either case, no further
1014 * handling of this interrupt is appropriate.
1015 * Back up over the (now missing) int3 and run
1016 * the original instruction.
1018 regs->ip = (unsigned long)addr;
1020 } /* else: not a kprobe fault; let the kernel handle it */
1024 NOKPROBE_SYMBOL(kprobe_int3_handler);
1027 * When a retprobed function returns, this code saves registers and
1028 * calls trampoline_handler() runs, which calls the kretprobe's handler.
1032 ".global __kretprobe_trampoline\n"
1033 ".type __kretprobe_trampoline, @function\n"
1034 "__kretprobe_trampoline:\n"
1035 #ifdef CONFIG_X86_64
1037 /* Push a fake return address to tell the unwinder it's a kretprobe. */
1038 " pushq $__kretprobe_trampoline\n"
1040 /* Save the 'sp - 8', this will be fixed later. */
1044 " movq %rsp, %rdi\n"
1045 " call trampoline_handler\n"
1047 /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
1051 /* Push a fake return address to tell the unwinder it's a kretprobe. */
1052 " pushl $__kretprobe_trampoline\n"
1054 /* Save the 'sp - 4', this will be fixed later. */
1058 " movl %esp, %eax\n"
1059 " call trampoline_handler\n"
1061 /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
1066 ".size __kretprobe_trampoline, .-__kretprobe_trampoline\n"
1068 NOKPROBE_SYMBOL(__kretprobe_trampoline);
1070 * __kretprobe_trampoline() skips updating frame pointer. The frame pointer
1071 * saved in trampoline_handler() points to the real caller function's
1072 * frame pointer. Thus the __kretprobe_trampoline() doesn't have a
1073 * standard stack frame with CONFIG_FRAME_POINTER=y.
1074 * Let's mark it non-standard function. Anyway, FP unwinder can correctly
1075 * unwind without the hint.
1077 STACK_FRAME_NON_STANDARD_FP(__kretprobe_trampoline);
1079 /* This is called from kretprobe_trampoline_handler(). */
1080 void arch_kretprobe_fixup_return(struct pt_regs *regs,
1081 kprobe_opcode_t *correct_ret_addr)
1083 unsigned long *frame_pointer = ®s->sp + 1;
1085 /* Replace fake return address with real one. */
1086 *frame_pointer = (unsigned long)correct_ret_addr;
1090 * Called from __kretprobe_trampoline
1092 __used __visible void trampoline_handler(struct pt_regs *regs)
1094 unsigned long *frame_pointer;
1096 /* fixup registers */
1097 regs->cs = __KERNEL_CS;
1098 #ifdef CONFIG_X86_32
1101 regs->ip = (unsigned long)&__kretprobe_trampoline;
1102 regs->orig_ax = ~0UL;
1103 regs->sp += sizeof(long);
1104 frame_pointer = ®s->sp + 1;
1107 * The return address at 'frame_pointer' is recovered by the
1108 * arch_kretprobe_fixup_return() which called from the
1109 * kretprobe_trampoline_handler().
1111 kretprobe_trampoline_handler(regs, frame_pointer);
1114 * Copy FLAGS to 'pt_regs::sp' so that __kretprobe_trapmoline()
1115 * can do RET right after POPF.
1117 regs->sp = regs->flags;
1119 NOKPROBE_SYMBOL(trampoline_handler);
1121 int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
1123 struct kprobe *cur = kprobe_running();
1124 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
1126 if (unlikely(regs->ip == (unsigned long)cur->ainsn.insn)) {
1127 /* This must happen on single-stepping */
1128 WARN_ON(kcb->kprobe_status != KPROBE_HIT_SS &&
1129 kcb->kprobe_status != KPROBE_REENTER);
1131 * We are here because the instruction being single
1132 * stepped caused a page fault. We reset the current
1133 * kprobe and the ip points back to the probe address
1134 * and allow the page fault handler to continue as a
1135 * normal page fault.
1137 regs->ip = (unsigned long)cur->addr;
1140 * If the IF flag was set before the kprobe hit,
1143 regs->flags |= kcb->kprobe_old_flags;
1145 if (kcb->kprobe_status == KPROBE_REENTER)
1146 restore_previous_kprobe(kcb);
1148 reset_current_kprobe();
1153 NOKPROBE_SYMBOL(kprobe_fault_handler);
1155 int __init arch_populate_kprobe_blacklist(void)
1157 return kprobe_add_area_blacklist((unsigned long)__entry_text_start,
1158 (unsigned long)__entry_text_end);
1161 int __init arch_init_kprobes(void)
1166 int arch_trampoline_kprobe(struct kprobe *p)
projects / linux-2.6-microblaze.git / blob