1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Kernel Probes (KProbes)
5 * Copyright (C) IBM Corporation, 2002, 2004
7 * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
8 * Probes initial implementation ( includes contributions from
10 * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
11 * interface to access function arguments.
12 * 2004-Oct Jim Keniston <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
13 * <prasanna@in.ibm.com> adapted for x86_64 from i386.
14 * 2005-Mar Roland McGrath <roland@redhat.com>
15 * Fixed to handle %rip-relative addressing mode correctly.
16 * 2005-May Hien Nguyen <hien@us.ibm.com>, Jim Keniston
17 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
18 * <prasanna@in.ibm.com> added function-return probes.
19 * 2005-May Rusty Lynch <rusty.lynch@intel.com>
20 * Added function return probes functionality
21 * 2006-Feb Masami Hiramatsu <hiramatu@sdl.hitachi.co.jp> added
22 * kprobe-booster and kretprobe-booster for i386.
23 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com> added kprobe-booster
24 * and kretprobe-booster for x86-64
25 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com>, Arjan van de Ven
26 * <arjan@infradead.org> and Jim Keniston <jkenisto@us.ibm.com>
27 * unified x86 kprobes code.
29 #include <linux/kprobes.h>
30 #include <linux/ptrace.h>
31 #include <linux/string.h>
32 #include <linux/slab.h>
33 #include <linux/hardirq.h>
34 #include <linux/preempt.h>
35 #include <linux/sched/debug.h>
36 #include <linux/perf_event.h>
37 #include <linux/extable.h>
38 #include <linux/kdebug.h>
39 #include <linux/kallsyms.h>
40 #include <linux/ftrace.h>
41 #include <linux/kasan.h>
42 #include <linux/moduleloader.h>
43 #include <linux/objtool.h>
44 #include <linux/vmalloc.h>
45 #include <linux/pgtable.h>
47 #include <asm/text-patching.h>
48 #include <asm/cacheflush.h>
50 #include <linux/uaccess.h>
51 #include <asm/alternative.h>
53 #include <asm/debugreg.h>
54 #include <asm/set_memory.h>
58 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
59 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
61 #define stack_addr(regs) ((unsigned long *)regs->sp)
63 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
64 (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \
65 (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \
66 (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \
67 (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \
70 * Undefined/reserved opcodes, conditional jump, Opcode Extension
71 * Groups, and some special opcodes can not boost.
72 * This is non-const and volatile to keep gcc from statically
73 * optimizing it out, as variable_test_bit makes gcc think only
74 * *(unsigned long*) is used.
76 static volatile u32 twobyte_is_boostable[256 / 32] = {
77 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
78 /* ---------------------------------------------- */
79 W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */
80 W(0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1) , /* 10 */
81 W(0x20, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 20 */
82 W(0x30, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 30 */
83 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
84 W(0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 50 */
85 W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1) | /* 60 */
86 W(0x70, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1) , /* 70 */
87 W(0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 80 */
88 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
89 W(0xa0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* a0 */
90 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1) , /* b0 */
91 W(0xc0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
92 W(0xd0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) , /* d0 */
93 W(0xe0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* e0 */
94 W(0xf0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0) /* f0 */
95 /* ----------------------------------------------- */
96 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
100 struct kretprobe_blackpoint kretprobe_blacklist[] = {
101 {"__switch_to", }, /* This function switches only current task, but
102 doesn't switch kernel stack.*/
103 {NULL, NULL} /* Terminator */
106 const int kretprobe_blacklist_size = ARRAY_SIZE(kretprobe_blacklist);
108 static nokprobe_inline void
109 __synthesize_relative_insn(void *dest, void *from, void *to, u8 op)
111 struct __arch_relative_insn {
116 insn = (struct __arch_relative_insn *)dest;
117 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
121 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
122 void synthesize_reljump(void *dest, void *from, void *to)
124 __synthesize_relative_insn(dest, from, to, JMP32_INSN_OPCODE);
126 NOKPROBE_SYMBOL(synthesize_reljump);
128 /* Insert a call instruction at address 'from', which calls address 'to'.*/
129 void synthesize_relcall(void *dest, void *from, void *to)
131 __synthesize_relative_insn(dest, from, to, CALL_INSN_OPCODE);
133 NOKPROBE_SYMBOL(synthesize_relcall);
136 * Returns non-zero if INSN is boostable.
137 * RIP relative instructions are adjusted at copying time in 64 bits mode
139 int can_boost(struct insn *insn, void *addr)
141 kprobe_opcode_t opcode;
145 if (search_exception_tables((unsigned long)addr))
146 return 0; /* Page fault may occur on this address. */
148 /* 2nd-byte opcode */
149 if (insn->opcode.nbytes == 2)
150 return test_bit(insn->opcode.bytes[1],
151 (unsigned long *)twobyte_is_boostable);
153 if (insn->opcode.nbytes != 1)
156 for_each_insn_prefix(insn, i, prefix) {
159 attr = inat_get_opcode_attribute(prefix);
160 /* Can't boost Address-size override prefix and CS override prefix */
161 if (prefix == 0x2e || inat_is_address_size_prefix(attr))
165 opcode = insn->opcode.bytes[0];
167 switch (opcode & 0xf0) {
169 /* can't boost "bound" */
170 return (opcode != 0x62);
172 return 0; /* can't boost conditional jump */
174 return opcode != 0x9a; /* can't boost call far */
176 /* can't boost software-interruptions */
177 return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf;
179 /* can boost AA* and XLAT */
180 return (opcode == 0xd4 || opcode == 0xd5 || opcode == 0xd7);
182 /* can boost in/out and absolute jmps */
183 return ((opcode & 0x04) || opcode == 0xea);
185 /* clear and set flags are boostable */
186 return (opcode == 0xf5 || (0xf7 < opcode && opcode < 0xfe));
188 /* indirect jmp is boostable */
189 return X86_MODRM_REG(insn->modrm.bytes[0]) == 4;
191 /* call is not boostable */
192 return opcode != 0x9a;
197 __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
202 kp = get_kprobe((void *)addr);
203 faddr = ftrace_location(addr);
205 * Addresses inside the ftrace location are refused by
206 * arch_check_ftrace_location(). Something went terribly wrong
207 * if such an address is checked here.
209 if (WARN_ON(faddr && faddr != addr))
212 * Use the current code if it is not modified by Kprobe
213 * and it cannot be modified by ftrace.
219 * Basically, kp->ainsn.insn has an original instruction.
220 * However, RIP-relative instruction can not do single-stepping
221 * at different place, __copy_instruction() tweaks the displacement of
222 * that instruction. In that case, we can't recover the instruction
223 * from the kp->ainsn.insn.
225 * On the other hand, in case on normal Kprobe, kp->opcode has a copy
226 * of the first byte of the probed instruction, which is overwritten
227 * by int3. And the instruction at kp->addr is not modified by kprobes
228 * except for the first byte, we can recover the original instruction
229 * from it and kp->opcode.
231 * In case of Kprobes using ftrace, we do not have a copy of
232 * the original instruction. In fact, the ftrace location might
233 * be modified at anytime and even could be in an inconsistent state.
234 * Fortunately, we know that the original code is the ideal 5-byte
237 if (copy_from_kernel_nofault(buf, (void *)addr,
238 MAX_INSN_SIZE * sizeof(kprobe_opcode_t)))
242 memcpy(buf, ideal_nops[NOP_ATOMIC5], 5);
245 return (unsigned long)buf;
249 * Recover the probed instruction at addr for further analysis.
250 * Caller must lock kprobes by kprobe_mutex, or disable preemption
251 * for preventing to release referencing kprobes.
252 * Returns zero if the instruction can not get recovered (or access failed).
254 unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long addr)
256 unsigned long __addr;
258 __addr = __recover_optprobed_insn(buf, addr);
262 return __recover_probed_insn(buf, addr);
265 /* Check if paddr is at an instruction boundary */
266 static int can_probe(unsigned long paddr)
268 unsigned long addr, __addr, offset = 0;
270 kprobe_opcode_t buf[MAX_INSN_SIZE];
272 if (!kallsyms_lookup_size_offset(paddr, NULL, &offset))
275 /* Decode instructions */
276 addr = paddr - offset;
277 while (addr < paddr) {
281 * Check if the instruction has been modified by another
282 * kprobe, in which case we replace the breakpoint by the
283 * original instruction in our buffer.
284 * Also, jump optimization will change the breakpoint to
285 * relative-jump. Since the relative-jump itself is
286 * normally used, we just go through if there is no kprobe.
288 __addr = recover_probed_instruction(buf, addr);
292 ret = insn_decode(&insn, (void *)__addr, MAX_INSN_SIZE, INSN_MODE_KERN);
297 * Another debugging subsystem might insert this breakpoint.
298 * In that case, we can't recover it.
300 if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
305 return (addr == paddr);
309 * Copy an instruction with recovering modified instruction by kprobes
310 * and adjust the displacement if the instruction uses the %rip-relative
311 * addressing mode. Note that since @real will be the final place of copied
312 * instruction, displacement must be adjust by @real, not @dest.
313 * This returns the length of copied instruction, or 0 if it has an error.
315 int __copy_instruction(u8 *dest, u8 *src, u8 *real, struct insn *insn)
317 kprobe_opcode_t buf[MAX_INSN_SIZE];
318 unsigned long recovered_insn = recover_probed_instruction(buf, (unsigned long)src);
321 if (!recovered_insn || !insn)
324 /* This can access kernel text if given address is not recovered */
325 if (copy_from_kernel_nofault(dest, (void *)recovered_insn,
329 ret = insn_decode(insn, dest, MAX_INSN_SIZE, INSN_MODE_KERN);
333 /* We can not probe force emulate prefixed instruction */
334 if (insn_has_emulate_prefix(insn))
337 /* Another subsystem puts a breakpoint, failed to recover */
338 if (insn->opcode.bytes[0] == INT3_INSN_OPCODE)
341 /* We should not singlestep on the exception masking instructions */
342 if (insn_masking_exception(insn))
346 /* Only x86_64 has RIP relative instructions */
347 if (insn_rip_relative(insn)) {
351 * The copied instruction uses the %rip-relative addressing
352 * mode. Adjust the displacement for the difference between
353 * the original location of this instruction and the location
354 * of the copy that will actually be run. The tricky bit here
355 * is making sure that the sign extension happens correctly in
356 * this calculation, since we need a signed 32-bit result to
357 * be sign-extended to 64 bits when it's added to the %rip
358 * value and yield the same 64-bit result that the sign-
359 * extension of the original signed 32-bit displacement would
362 newdisp = (u8 *) src + (s64) insn->displacement.value
364 if ((s64) (s32) newdisp != newdisp) {
365 pr_err("Kprobes error: new displacement does not fit into s32 (%llx)\n", newdisp);
368 disp = (u8 *) dest + insn_offset_displacement(insn);
369 *(s32 *) disp = (s32) newdisp;
375 /* Prepare reljump or int3 right after instruction */
376 static int prepare_singlestep(kprobe_opcode_t *buf, struct kprobe *p,
379 int len = insn->length;
381 if (!IS_ENABLED(CONFIG_PREEMPTION) &&
382 !p->post_handler && can_boost(insn, p->addr) &&
383 MAX_INSN_SIZE - len >= JMP32_INSN_SIZE) {
385 * These instructions can be executed directly if it
386 * jumps back to correct address.
388 synthesize_reljump(buf + len, p->ainsn.insn + len,
389 p->addr + insn->length);
390 len += JMP32_INSN_SIZE;
391 p->ainsn.boostable = 1;
393 /* Otherwise, put an int3 for trapping singlestep */
394 if (MAX_INSN_SIZE - len < INT3_INSN_SIZE)
397 buf[len] = INT3_INSN_OPCODE;
398 len += INT3_INSN_SIZE;
404 /* Make page to RO mode when allocate it */
405 void *alloc_insn_page(void)
409 page = module_alloc(PAGE_SIZE);
413 set_vm_flush_reset_perms(page);
415 * First make the page read-only, and only then make it executable to
416 * prevent it from being W+X in between.
418 set_memory_ro((unsigned long)page, 1);
421 * TODO: Once additional kernel code protection mechanisms are set, ensure
422 * that the page was not maliciously altered and it is still zeroed.
424 set_memory_x((unsigned long)page, 1);
429 /* Recover page to RW mode before releasing it */
430 void free_insn_page(void *page)
432 module_memfree(page);
435 /* Kprobe x86 instruction emulation - only regs->ip or IF flag modifiers */
437 static void kprobe_emulate_ifmodifiers(struct kprobe *p, struct pt_regs *regs)
439 switch (p->ainsn.opcode) {
441 regs->flags &= ~(X86_EFLAGS_IF);
444 regs->flags |= X86_EFLAGS_IF;
446 case 0x9c: /* pushf */
447 int3_emulate_push(regs, regs->flags);
449 case 0x9d: /* popf */
450 regs->flags = int3_emulate_pop(regs);
453 regs->ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
455 NOKPROBE_SYMBOL(kprobe_emulate_ifmodifiers);
457 static void kprobe_emulate_ret(struct kprobe *p, struct pt_regs *regs)
459 int3_emulate_ret(regs);
461 NOKPROBE_SYMBOL(kprobe_emulate_ret);
463 static void kprobe_emulate_call(struct kprobe *p, struct pt_regs *regs)
465 unsigned long func = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
467 func += p->ainsn.rel32;
468 int3_emulate_call(regs, func);
470 NOKPROBE_SYMBOL(kprobe_emulate_call);
472 static nokprobe_inline
473 void __kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs, bool cond)
475 unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
478 ip += p->ainsn.rel32;
479 int3_emulate_jmp(regs, ip);
482 static void kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs)
484 __kprobe_emulate_jmp(p, regs, true);
486 NOKPROBE_SYMBOL(kprobe_emulate_jmp);
488 static const unsigned long jcc_mask[6] = {
492 [3] = X86_EFLAGS_CF | X86_EFLAGS_ZF,
497 static void kprobe_emulate_jcc(struct kprobe *p, struct pt_regs *regs)
499 bool invert = p->ainsn.jcc.type & 1;
502 if (p->ainsn.jcc.type < 0xc) {
503 match = regs->flags & jcc_mask[p->ainsn.jcc.type >> 1];
505 match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^
506 ((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT);
507 if (p->ainsn.jcc.type >= 0xe)
508 match = match && (regs->flags & X86_EFLAGS_ZF);
510 __kprobe_emulate_jmp(p, regs, (match && !invert) || (!match && invert));
512 NOKPROBE_SYMBOL(kprobe_emulate_jcc);
514 static void kprobe_emulate_loop(struct kprobe *p, struct pt_regs *regs)
518 if (p->ainsn.loop.type != 3) { /* LOOP* */
519 if (p->ainsn.loop.asize == 32)
520 match = ((*(u32 *)®s->cx)--) != 0;
522 else if (p->ainsn.loop.asize == 64)
523 match = ((*(u64 *)®s->cx)--) != 0;
526 match = ((*(u16 *)®s->cx)--) != 0;
528 if (p->ainsn.loop.asize == 32)
529 match = *(u32 *)(®s->cx) == 0;
531 else if (p->ainsn.loop.asize == 64)
532 match = *(u64 *)(®s->cx) == 0;
535 match = *(u16 *)(®s->cx) == 0;
538 if (p->ainsn.loop.type == 0) /* LOOPNE */
539 match = match && !(regs->flags & X86_EFLAGS_ZF);
540 else if (p->ainsn.loop.type == 1) /* LOOPE */
541 match = match && (regs->flags & X86_EFLAGS_ZF);
543 __kprobe_emulate_jmp(p, regs, match);
545 NOKPROBE_SYMBOL(kprobe_emulate_loop);
547 static const int addrmode_regoffs[] = {
548 offsetof(struct pt_regs, ax),
549 offsetof(struct pt_regs, cx),
550 offsetof(struct pt_regs, dx),
551 offsetof(struct pt_regs, bx),
552 offsetof(struct pt_regs, sp),
553 offsetof(struct pt_regs, bp),
554 offsetof(struct pt_regs, si),
555 offsetof(struct pt_regs, di),
557 offsetof(struct pt_regs, r8),
558 offsetof(struct pt_regs, r9),
559 offsetof(struct pt_regs, r10),
560 offsetof(struct pt_regs, r11),
561 offsetof(struct pt_regs, r12),
562 offsetof(struct pt_regs, r13),
563 offsetof(struct pt_regs, r14),
564 offsetof(struct pt_regs, r15),
568 static void kprobe_emulate_call_indirect(struct kprobe *p, struct pt_regs *regs)
570 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
572 int3_emulate_call(regs, regs_get_register(regs, offs));
574 NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);
576 static void kprobe_emulate_jmp_indirect(struct kprobe *p, struct pt_regs *regs)
578 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
580 int3_emulate_jmp(regs, regs_get_register(regs, offs));
582 NOKPROBE_SYMBOL(kprobe_emulate_jmp_indirect);
584 static int prepare_emulation(struct kprobe *p, struct insn *insn)
586 insn_byte_t opcode = insn->opcode.bytes[0];
591 case 0x9c: /* pushfl */
592 case 0x9d: /* popf/popfd */
594 * IF modifiers must be emulated since it will enable interrupt while
595 * int3 single stepping.
597 p->ainsn.emulate_op = kprobe_emulate_ifmodifiers;
598 p->ainsn.opcode = opcode;
600 case 0xc2: /* ret/lret */
604 p->ainsn.emulate_op = kprobe_emulate_ret;
606 case 0x9a: /* far call absolute -- segment is not supported */
607 case 0xea: /* far jmp absolute -- segment is not supported */
608 case 0xcc: /* int3 */
609 case 0xcf: /* iret -- in-kernel IRET is not supported */
612 case 0xe8: /* near call relative */
613 p->ainsn.emulate_op = kprobe_emulate_call;
614 if (insn->immediate.nbytes == 2)
615 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
617 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
619 case 0xeb: /* short jump relative */
620 case 0xe9: /* near jump relative */
621 p->ainsn.emulate_op = kprobe_emulate_jmp;
622 if (insn->immediate.nbytes == 1)
623 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
624 else if (insn->immediate.nbytes == 2)
625 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
627 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
630 /* 1 byte conditional jump */
631 p->ainsn.emulate_op = kprobe_emulate_jcc;
632 p->ainsn.jcc.type = opcode & 0xf;
633 p->ainsn.rel32 = *(char *)insn->immediate.bytes;
636 opcode = insn->opcode.bytes[1];
637 if ((opcode & 0xf0) == 0x80) {
638 /* 2 bytes Conditional Jump */
639 p->ainsn.emulate_op = kprobe_emulate_jcc;
640 p->ainsn.jcc.type = opcode & 0xf;
641 if (insn->immediate.nbytes == 2)
642 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
644 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
645 } else if (opcode == 0x01 &&
646 X86_MODRM_REG(insn->modrm.bytes[0]) == 0 &&
647 X86_MODRM_MOD(insn->modrm.bytes[0]) == 3) {
648 /* VM extensions - not supported */
652 case 0xe0: /* Loop NZ */
653 case 0xe1: /* Loop */
654 case 0xe2: /* Loop */
655 case 0xe3: /* J*CXZ */
656 p->ainsn.emulate_op = kprobe_emulate_loop;
657 p->ainsn.loop.type = opcode & 0x3;
658 p->ainsn.loop.asize = insn->addr_bytes * 8;
659 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
663 * Since the 0xff is an extended group opcode, the instruction
664 * is determined by the MOD/RM byte.
666 opcode = insn->modrm.bytes[0];
667 if ((opcode & 0x30) == 0x10) {
668 if ((opcode & 0x8) == 0x8)
669 return -EOPNOTSUPP; /* far call */
670 /* call absolute, indirect */
671 p->ainsn.emulate_op = kprobe_emulate_call_indirect;
672 } else if ((opcode & 0x30) == 0x20) {
673 if ((opcode & 0x8) == 0x8)
674 return -EOPNOTSUPP; /* far jmp */
675 /* jmp near absolute indirect */
676 p->ainsn.emulate_op = kprobe_emulate_jmp_indirect;
680 if (insn->addr_bytes != sizeof(unsigned long))
681 return -EOPNOTSUPP; /* Don't support differnt size */
682 if (X86_MODRM_MOD(opcode) != 3)
683 return -EOPNOTSUPP; /* TODO: support memory addressing */
685 p->ainsn.indirect.reg = X86_MODRM_RM(opcode);
687 if (X86_REX_B(insn->rex_prefix.value))
688 p->ainsn.indirect.reg += 8;
694 p->ainsn.size = insn->length;
699 static int arch_copy_kprobe(struct kprobe *p)
702 kprobe_opcode_t buf[MAX_INSN_SIZE];
705 /* Copy an instruction with recovering if other optprobe modifies it.*/
706 len = __copy_instruction(buf, p->addr, p->ainsn.insn, &insn);
710 /* Analyze the opcode and setup emulate functions */
711 ret = prepare_emulation(p, &insn);
715 /* Add int3 for single-step or booster jmp */
716 len = prepare_singlestep(buf, p, &insn);
720 /* Also, displacement change doesn't affect the first byte */
723 p->ainsn.tp_len = len;
724 perf_event_text_poke(p->ainsn.insn, NULL, 0, buf, len);
726 /* OK, write back the instruction(s) into ROX insn buffer */
727 text_poke(p->ainsn.insn, buf, len);
732 int arch_prepare_kprobe(struct kprobe *p)
736 if (alternatives_text_reserved(p->addr, p->addr))
739 if (!can_probe((unsigned long)p->addr))
742 memset(&p->ainsn, 0, sizeof(p->ainsn));
744 /* insn: must be on special executable page on x86. */
745 p->ainsn.insn = get_insn_slot();
749 ret = arch_copy_kprobe(p);
751 free_insn_slot(p->ainsn.insn, 0);
752 p->ainsn.insn = NULL;
758 void arch_arm_kprobe(struct kprobe *p)
760 u8 int3 = INT3_INSN_OPCODE;
762 text_poke(p->addr, &int3, 1);
764 perf_event_text_poke(p->addr, &p->opcode, 1, &int3, 1);
767 void arch_disarm_kprobe(struct kprobe *p)
769 u8 int3 = INT3_INSN_OPCODE;
771 perf_event_text_poke(p->addr, &int3, 1, &p->opcode, 1);
772 text_poke(p->addr, &p->opcode, 1);
776 void arch_remove_kprobe(struct kprobe *p)
779 /* Record the perf event before freeing the slot */
780 perf_event_text_poke(p->ainsn.insn, p->ainsn.insn,
781 p->ainsn.tp_len, NULL, 0);
782 free_insn_slot(p->ainsn.insn, p->ainsn.boostable);
783 p->ainsn.insn = NULL;
787 static nokprobe_inline void
788 save_previous_kprobe(struct kprobe_ctlblk *kcb)
790 kcb->prev_kprobe.kp = kprobe_running();
791 kcb->prev_kprobe.status = kcb->kprobe_status;
792 kcb->prev_kprobe.old_flags = kcb->kprobe_old_flags;
793 kcb->prev_kprobe.saved_flags = kcb->kprobe_saved_flags;
796 static nokprobe_inline void
797 restore_previous_kprobe(struct kprobe_ctlblk *kcb)
799 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
800 kcb->kprobe_status = kcb->prev_kprobe.status;
801 kcb->kprobe_old_flags = kcb->prev_kprobe.old_flags;
802 kcb->kprobe_saved_flags = kcb->prev_kprobe.saved_flags;
805 static nokprobe_inline void
806 set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
807 struct kprobe_ctlblk *kcb)
809 __this_cpu_write(current_kprobe, p);
810 kcb->kprobe_saved_flags = kcb->kprobe_old_flags
811 = (regs->flags & X86_EFLAGS_IF);
814 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
816 unsigned long *sara = stack_addr(regs);
818 ri->ret_addr = (kprobe_opcode_t *) *sara;
821 /* Replace the return addr with trampoline addr */
822 *sara = (unsigned long) &kretprobe_trampoline;
824 NOKPROBE_SYMBOL(arch_prepare_kretprobe);
826 static void kprobe_post_process(struct kprobe *cur, struct pt_regs *regs,
827 struct kprobe_ctlblk *kcb)
829 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
830 kcb->kprobe_status = KPROBE_HIT_SSDONE;
831 cur->post_handler(cur, regs, 0);
834 /* Restore back the original saved kprobes variables and continue. */
835 if (kcb->kprobe_status == KPROBE_REENTER)
836 restore_previous_kprobe(kcb);
838 reset_current_kprobe();
840 NOKPROBE_SYMBOL(kprobe_post_process);
842 static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
843 struct kprobe_ctlblk *kcb, int reenter)
845 if (setup_detour_execution(p, regs, reenter))
848 #if !defined(CONFIG_PREEMPTION)
849 if (p->ainsn.boostable) {
850 /* Boost up -- we can execute copied instructions directly */
852 reset_current_kprobe();
854 * Reentering boosted probe doesn't reset current_kprobe,
855 * nor set current_kprobe, because it doesn't use single
858 regs->ip = (unsigned long)p->ainsn.insn;
863 save_previous_kprobe(kcb);
864 set_current_kprobe(p, regs, kcb);
865 kcb->kprobe_status = KPROBE_REENTER;
867 kcb->kprobe_status = KPROBE_HIT_SS;
869 if (p->ainsn.emulate_op) {
870 p->ainsn.emulate_op(p, regs);
871 kprobe_post_process(p, regs, kcb);
875 /* Disable interrupt, and set ip register on trampoline */
876 regs->flags &= ~X86_EFLAGS_IF;
877 regs->ip = (unsigned long)p->ainsn.insn;
879 NOKPROBE_SYMBOL(setup_singlestep);
882 * Called after single-stepping. p->addr is the address of the
883 * instruction whose first byte has been replaced by the "int3"
884 * instruction. To avoid the SMP problems that can occur when we
885 * temporarily put back the original opcode to single-step, we
886 * single-stepped a copy of the instruction. The address of this
887 * copy is p->ainsn.insn. We also doesn't use trap, but "int3" again
888 * right after the copied instruction.
889 * Different from the trap single-step, "int3" single-step can not
890 * handle the instruction which changes the ip register, e.g. jmp,
891 * call, conditional jmp, and the instructions which changes the IF
892 * flags because interrupt must be disabled around the single-stepping.
893 * Such instructions are software emulated, but others are single-stepped
896 * When the 2nd "int3" handled, the regs->ip and regs->flags needs to
897 * be adjusted, so that we can resume execution on correct code.
899 static void resume_singlestep(struct kprobe *p, struct pt_regs *regs,
900 struct kprobe_ctlblk *kcb)
902 unsigned long copy_ip = (unsigned long)p->ainsn.insn;
903 unsigned long orig_ip = (unsigned long)p->addr;
905 /* Restore saved interrupt flag and ip register */
906 regs->flags |= kcb->kprobe_saved_flags;
907 /* Note that regs->ip is executed int3 so must be a step back */
908 regs->ip += (orig_ip - copy_ip) - INT3_INSN_SIZE;
910 NOKPROBE_SYMBOL(resume_singlestep);
913 * We have reentered the kprobe_handler(), since another probe was hit while
914 * within the handler. We save the original kprobes variables and just single
915 * step on the instruction of the new probe without calling any user handlers.
917 static int reenter_kprobe(struct kprobe *p, struct pt_regs *regs,
918 struct kprobe_ctlblk *kcb)
920 switch (kcb->kprobe_status) {
921 case KPROBE_HIT_SSDONE:
922 case KPROBE_HIT_ACTIVE:
924 kprobes_inc_nmissed_count(p);
925 setup_singlestep(p, regs, kcb, 1);
928 /* A probe has been hit in the codepath leading up to, or just
929 * after, single-stepping of a probed instruction. This entire
930 * codepath should strictly reside in .kprobes.text section.
931 * Raise a BUG or we'll continue in an endless reentering loop
932 * and eventually a stack overflow.
934 pr_err("Unrecoverable kprobe detected.\n");
938 /* impossible cases */
945 NOKPROBE_SYMBOL(reenter_kprobe);
947 static int nokprobe_inline kprobe_is_ss(struct kprobe_ctlblk *kcb)
949 return (kcb->kprobe_status == KPROBE_HIT_SS ||
950 kcb->kprobe_status == KPROBE_REENTER);
954 * Interrupts are disabled on entry as trap3 is an interrupt gate and they
955 * remain disabled throughout this function.
957 int kprobe_int3_handler(struct pt_regs *regs)
959 kprobe_opcode_t *addr;
961 struct kprobe_ctlblk *kcb;
966 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
968 * We don't want to be preempted for the entire duration of kprobe
969 * processing. Since int3 and debug trap disables irqs and we clear
970 * IF while singlestepping, it must be no preemptible.
973 kcb = get_kprobe_ctlblk();
974 p = get_kprobe(addr);
977 if (kprobe_running()) {
978 if (reenter_kprobe(p, regs, kcb))
981 set_current_kprobe(p, regs, kcb);
982 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
985 * If we have no pre-handler or it returned 0, we
986 * continue with normal processing. If we have a
987 * pre-handler and it returned non-zero, that means
988 * user handler setup registers to exit to another
989 * instruction, we must skip the single stepping.
991 if (!p->pre_handler || !p->pre_handler(p, regs))
992 setup_singlestep(p, regs, kcb, 0);
994 reset_current_kprobe();
997 } else if (kprobe_is_ss(kcb)) {
998 p = kprobe_running();
999 if ((unsigned long)p->ainsn.insn < regs->ip &&
1000 (unsigned long)p->ainsn.insn + MAX_INSN_SIZE > regs->ip) {
1001 /* Most provably this is the second int3 for singlestep */
1002 resume_singlestep(p, regs, kcb);
1003 kprobe_post_process(p, regs, kcb);
1008 if (*addr != INT3_INSN_OPCODE) {
1010 * The breakpoint instruction was removed right
1011 * after we hit it. Another cpu has removed
1012 * either a probepoint or a debugger breakpoint
1013 * at this address. In either case, no further
1014 * handling of this interrupt is appropriate.
1015 * Back up over the (now missing) int3 and run
1016 * the original instruction.
1018 regs->ip = (unsigned long)addr;
1020 } /* else: not a kprobe fault; let the kernel handle it */
1024 NOKPROBE_SYMBOL(kprobe_int3_handler);
1027 * When a retprobed function returns, this code saves registers and
1028 * calls trampoline_handler() runs, which calls the kretprobe's handler.
1032 ".global kretprobe_trampoline\n"
1033 ".type kretprobe_trampoline, @function\n"
1034 "kretprobe_trampoline:\n"
1035 /* We don't bother saving the ss register */
1036 #ifdef CONFIG_X86_64
1040 " movq %rsp, %rdi\n"
1041 " call trampoline_handler\n"
1042 /* Replace saved sp with true return address. */
1043 " movq %rax, 19*8(%rsp)\n"
1050 " movl %esp, %eax\n"
1051 " call trampoline_handler\n"
1052 /* Replace saved sp with true return address. */
1053 " movl %eax, 15*4(%esp)\n"
1058 ".size kretprobe_trampoline, .-kretprobe_trampoline\n"
1060 NOKPROBE_SYMBOL(kretprobe_trampoline);
1061 STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
1065 * Called from kretprobe_trampoline
1067 __used __visible void *trampoline_handler(struct pt_regs *regs)
1069 /* fixup registers */
1070 regs->cs = __KERNEL_CS;
1071 #ifdef CONFIG_X86_32
1074 regs->ip = (unsigned long)&kretprobe_trampoline;
1075 regs->orig_ax = ~0UL;
1077 return (void *)kretprobe_trampoline_handler(regs, &kretprobe_trampoline, ®s->sp);
1079 NOKPROBE_SYMBOL(trampoline_handler);
1081 int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
1083 struct kprobe *cur = kprobe_running();
1084 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
1086 if (unlikely(regs->ip == (unsigned long)cur->ainsn.insn)) {
1087 /* This must happen on single-stepping */
1088 WARN_ON(kcb->kprobe_status != KPROBE_HIT_SS &&
1089 kcb->kprobe_status != KPROBE_REENTER);
1091 * We are here because the instruction being single
1092 * stepped caused a page fault. We reset the current
1093 * kprobe and the ip points back to the probe address
1094 * and allow the page fault handler to continue as a
1095 * normal page fault.
1097 regs->ip = (unsigned long)cur->addr;
1100 * If the IF flag was set before the kprobe hit,
1103 regs->flags |= kcb->kprobe_old_flags;
1105 if (kcb->kprobe_status == KPROBE_REENTER)
1106 restore_previous_kprobe(kcb);
1108 reset_current_kprobe();
1109 } else if (kcb->kprobe_status == KPROBE_HIT_ACTIVE ||
1110 kcb->kprobe_status == KPROBE_HIT_SSDONE) {
1112 * We increment the nmissed count for accounting,
1113 * we can also use npre/npostfault count for accounting
1114 * these specific fault cases.
1116 kprobes_inc_nmissed_count(cur);
1119 * We come here because instructions in the pre/post
1120 * handler caused the page_fault, this could happen
1121 * if handler tries to access user space by
1122 * copy_from_user(), get_user() etc. Let the
1123 * user-specified handler try to fix it first.
1125 if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr))
1131 NOKPROBE_SYMBOL(kprobe_fault_handler);
1133 int __init arch_populate_kprobe_blacklist(void)
1135 return kprobe_add_area_blacklist((unsigned long)__entry_text_start,
1136 (unsigned long)__entry_text_end);
1139 int __init arch_init_kprobes(void)
1144 int arch_trampoline_kprobe(struct kprobe *p)
projects / linux-2.6-microblaze.git / blob