/*
 *  Kernel Probes (KProbes)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Copyright IBM Corp. 2002, 2006
 *
 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com>
 */
#include <linux/kprobes.h>
#include <linux/ptrace.h>
#include <linux/preempt.h>
#include <linux/stop_machine.h>
#include <linux/kdebug.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
#include <asm/sections.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/hardirq.h>

DEFINE_PER_CPU(struct kprobe *, current_kprobe);
DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);

struct kretprobe_blackpoint kretprobe_blacklist[] = { };
static int __kprobes is_prohibited_opcode(kprobe_opcode_t *insn)
{
	switch (insn[0] >> 8) {
	case 0x0c:	/* bassm */
	case 0xac:	/* stnsm */
	case 0xad:	/* stosm */
		return -EINVAL;
	}
	switch (insn[0]) {
	case 0xb25a:	/* bsa	*/
	case 0xb240:	/* bakr */
	case 0xb258:	/* bsg	*/
	case 0xb98d:	/* epsw */
		return -EINVAL;
	}
	return 0;
}
static int __kprobes get_fixup_type(kprobe_opcode_t *insn)
{
	/* default fixup method */
	int fixup = FIXUP_PSW_NORMAL;

	switch (insn[0] >> 8) {
	case 0x05:	/* balr */
	case 0x0d:	/* basr */
		fixup = FIXUP_RETURN_REGISTER;
		/* if r2 = 0, no branch will be taken */
		if ((insn[0] & 0x0f) == 0)
			fixup |= FIXUP_BRANCH_NOT_TAKEN;
		break;
	case 0x06:	/* bctr */
	case 0x07:	/* bcr	*/
		fixup = FIXUP_BRANCH_NOT_TAKEN;
		break;
	case 0x45:	/* bal	*/
	case 0x4d:	/* bas	*/
		fixup = FIXUP_RETURN_REGISTER;
		break;
	case 0x47:	/* bc	*/
	case 0x46:	/* bct	*/
	case 0x86:	/* bxh	*/
	case 0x87:	/* bxle */
		fixup = FIXUP_BRANCH_NOT_TAKEN;
		break;
	case 0x82:	/* lpsw */
		fixup = FIXUP_NOT_REQUIRED;
		break;
	case 0xb2:	/* lpswe */
		if ((insn[0] & 0xff) == 0xb2)
			fixup = FIXUP_NOT_REQUIRED;
		break;
	case 0xa7:	/* bras */
		if ((insn[0] & 0x0f) == 0x05)
			fixup |= FIXUP_RETURN_REGISTER;
		break;
	case 0xc0:
		if ((insn[0] & 0x0f) == 0x00 ||	/* larl  */
		    (insn[0] & 0x0f) == 0x05)	/* brasl */
			fixup |= FIXUP_RETURN_REGISTER;
		break;
	case 0xeb:
		switch (insn[2] & 0xff) {
		case 0x44: /* bxhg  */
		case 0x45: /* bxleg */
			fixup = FIXUP_BRANCH_NOT_TAKEN;
			break;
		}
		break;
	case 0xe3:	/* bctg */
		if ((insn[2] & 0xff) == 0x46)
			fixup = FIXUP_BRANCH_NOT_TAKEN;
		break;
	case 0xec:
		switch (insn[2] & 0xff) {
		case 0xe5: /* clgrb */
		case 0xe6: /* cgrb  */
		case 0xf7: /* clrb  */
		case 0xfc: /* cgib  */
		case 0xfd: /* cglib */
		case 0xff: /* clib  */
			fixup = FIXUP_BRANCH_NOT_TAKEN;
			break;
		}
		break;
	}
	return fixup;
}
int __kprobes arch_prepare_kprobe(struct kprobe *p)
{
	if ((unsigned long) p->addr & 0x01)
		return -EINVAL;
	/* Make sure the probe isn't going on a difficult instruction */
	if (is_prohibited_opcode(p->addr))
		return -EINVAL;
	p->opcode = *p->addr;
	memcpy(p->ainsn.insn, p->addr, ((p->opcode >> 14) + 3) & -2);
	return 0;
}
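/*
 * Worked example of the length computation above: the two leftmost bits
 * of the first halfword encode the instruction length on s390. For
 * 0x0d05 (basr), 0x0d05 >> 14 == 0 and (0 + 3) & -2 == 2, so two bytes
 * are copied; for 0xc005 (brasl), 0xc005 >> 14 == 3 and (3 + 3) & -2 == 6,
 * so all six bytes are copied.
 */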
struct ins_replace_args {
	kprobe_opcode_t *ptr;
	kprobe_opcode_t opcode;
};
static int __kprobes swap_instruction(void *aref)
{
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	unsigned long status = kcb->kprobe_status;
	struct ins_replace_args *args = aref;

	kcb->kprobe_status = KPROBE_SWAP_INST;
	probe_kernel_write(args->ptr, &args->opcode, sizeof(args->opcode));
	kcb->kprobe_status = status;
	return 0;
}
void __kprobes arch_arm_kprobe(struct kprobe *p)
{
	struct ins_replace_args args;

	args.ptr = p->addr;
	args.opcode = BREAKPOINT_INSTRUCTION;
	stop_machine(swap_instruction, &args, NULL);
}
void __kprobes arch_disarm_kprobe(struct kprobe *p)
{
	struct ins_replace_args args;

	args.ptr = p->addr;
	args.opcode = p->opcode;
	stop_machine(swap_instruction, &args, NULL);
}
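/*
 * Design note: swapping the breakpoint in and out under stop_machine()
 * guarantees that no other CPU is executing inside the bytes being
 * patched, so arming/disarming needs no further synchronization;
 * kprobe_handler() below relies on this to rule out the breakpoint
 * vs. kprobe-removal race.
 */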
void __kprobes arch_remove_kprobe(struct kprobe *p)
{
}
static void __kprobes enable_singlestep(struct kprobe_ctlblk *kcb,
					struct pt_regs *regs,
					unsigned long ip)
{
	struct per_regs per_kprobe;

	/* Set up the PER control registers %cr9-%cr11 */
	per_kprobe.control = PER_EVENT_IFETCH;
	per_kprobe.start = ip;
	per_kprobe.end = ip;

	/* Save control regs and psw mask */
	__ctl_store(kcb->kprobe_saved_ctl, 9, 11);
	kcb->kprobe_saved_imask = regs->psw.mask &
		(PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT);

	/* Set PER control regs, turns on single step for the given address */
	__ctl_load(per_kprobe, 9, 11);
	regs->psw.mask |= PSW_MASK_PER;
	regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
	regs->psw.addr = ip | PSW_ADDR_AMODE;
}
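/*
 * Mechanism note: PER (Program Event Recording) is programmed through
 * %cr9-%cr11 with an instruction-fetch event and a range of
 * start == end == ip, so executing the copied instruction raises a PER
 * event that reaches post_kprobe_handler() through the
 * kprobe_exceptions_notify() DIE_SSTEP path below.
 */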
static void __kprobes disable_singlestep(struct kprobe_ctlblk *kcb,
					 struct pt_regs *regs,
					 unsigned long ip)
{
	/* Restore control regs and psw mask, set new psw address */
	__ctl_load(kcb->kprobe_saved_ctl, 9, 11);
	regs->psw.mask &= ~PSW_MASK_PER;
	regs->psw.mask |= kcb->kprobe_saved_imask;
	regs->psw.addr = ip | PSW_ADDR_AMODE;
}
/*
 * Activate a kprobe by storing its pointer to current_kprobe. The
 * previous kprobe is stored in kcb->prev_kprobe. A stack of up to
 * two kprobes can be active, see KPROBE_REENTER.
 */
static void __kprobes push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p)
{
	kcb->prev_kprobe.kp = __get_cpu_var(current_kprobe);
	kcb->prev_kprobe.status = kcb->kprobe_status;
	__get_cpu_var(current_kprobe) = p;
}
/*
 * Deactivate a kprobe by backing up to the previous state. If the
 * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL,
 * for any other state prev_kprobe.kp will be NULL.
 */
static void __kprobes pop_kprobe(struct kprobe_ctlblk *kcb)
{
	__get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
	kcb->kprobe_status = kcb->prev_kprobe.status;
}
void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
				      struct pt_regs *regs)
{
	ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14];

	/* Replace the return addr with trampoline addr */
	regs->gprs[14] = (unsigned long) &kretprobe_trampoline;
}
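/*
 * Minimal usage sketch (illustrative, not part of this file): register
 * a return probe whose handler runs just before the rerouted return.
 * "my_ret_handler" and the probed symbol name are made up for the
 * example; on s390 the probed function's return value is in %r2.
 *
 *	static int my_ret_handler(struct kretprobe_instance *ri,
 *				  struct pt_regs *regs)
 *	{
 *		pr_info("probed function returned %lx\n", regs->gprs[2]);
 *		return 0;
 *	}
 *
 *	static struct kretprobe my_kretprobe = {
 *		.handler	= my_ret_handler,
 *		.kp.symbol_name	= "do_fork",
 *	};
 *
 *	register_kretprobe(&my_kretprobe);
 */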
static void __kprobes kprobe_reenter_check(struct kprobe_ctlblk *kcb,
					   struct kprobe *p)
{
	switch (kcb->kprobe_status) {
	case KPROBE_HIT_SSDONE:
	case KPROBE_HIT_ACTIVE:
		kprobes_inc_nmissed_count(p);
		break;
	default:
		/*
		 * A kprobe on the code path to single step an instruction
		 * is a BUG. The code path resides in the .kprobes.text
		 * section and is executed with interrupts disabled.
		 */
		printk(KERN_EMERG "Invalid kprobe detected at %p.\n", p->addr);
		BUG();
	}
}
static int __kprobes kprobe_handler(struct pt_regs *regs)
{
	struct kprobe_ctlblk *kcb;
	struct kprobe *p;

	/*
	 * We want to disable preemption for the entire duration of kprobe
	 * processing. That includes the calls to the pre/post handlers
	 * and single stepping the kprobe instruction.
	 */
	preempt_disable();
	kcb = get_kprobe_ctlblk();
	p = get_kprobe((void *)((regs->psw.addr & PSW_ADDR_INSN) - 2));

	if (p) {
		if (kprobe_running()) {
			/*
			 * We have hit a kprobe while another is still
			 * active. This can happen in the pre and post
			 * handler. Single step the instruction of the
			 * new probe but do not call any handler function
			 * of this secondary kprobe.
			 * push_kprobe and pop_kprobe save and restore
			 * the currently active kprobe.
			 */
			kprobe_reenter_check(kcb, p);
			push_kprobe(kcb, p);
			kcb->kprobe_status = KPROBE_REENTER;
		} else {
			/*
			 * If we have no pre-handler or it returned 0, we
			 * continue with single stepping. If we have a
			 * pre-handler and it returned non-zero, it prepped
			 * for calling the break_handler below on re-entry
			 * for jprobe processing, so get out doing nothing
			 * more here.
			 */
			push_kprobe(kcb, p);
			kcb->kprobe_status = KPROBE_HIT_ACTIVE;
			if (p->pre_handler && p->pre_handler(p, regs))
				return 1;
			kcb->kprobe_status = KPROBE_HIT_SS;
		}
		enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn);
		return 1;
	} else if (kprobe_running()) {
		p = __get_cpu_var(current_kprobe);
		if (p->break_handler && p->break_handler(p, regs)) {
			/*
			 * Continuation after the jprobe completed and
			 * caused the jprobe_return trap. The jprobe
			 * break_handler "returns" to the original
			 * function that still has the kprobe breakpoint
			 * installed. We continue with single stepping.
			 */
			kcb->kprobe_status = KPROBE_HIT_SS;
			enable_singlestep(kcb, regs,
					  (unsigned long) p->ainsn.insn);
			return 1;
		} /* else:
		   * No kprobe at this address and the current kprobe
		   * has no break handler (no jprobe!). The kernel just
		   * exploded, let the standard trap handler pick up the
		   * pieces.
		   */
	} /* else:
	   * No kprobe at this address and no active kprobe. The trap has
	   * not been caused by a kprobe breakpoint. The race of breakpoint
	   * vs. kprobe remove does not exist because on s390 we use
	   * stop_machine to arm/disarm the breakpoints.
	   */
	preempt_enable_no_resched();
	return 0;
}
/*
 * Function return probe trampoline:
 *	- init_kprobes() establishes a probepoint here
 *	- When the probed function returns, this probe
 *	  causes the handlers to fire
 */
static void __used kretprobe_trampoline_holder(void)
{
	asm volatile(".global kretprobe_trampoline\n"
		     "kretprobe_trampoline: bcr 0,0\n");
}
/*
 * Called when the probe at kretprobe trampoline is hit
 */
static int __kprobes trampoline_probe_handler(struct kprobe *p,
					      struct pt_regs *regs)
{
	struct kretprobe_instance *ri;
	struct hlist_head *head, empty_rp;
	struct hlist_node *tmp;
	unsigned long flags, orig_ret_address;
	unsigned long trampoline_address;
	kprobe_opcode_t *correct_ret_addr;

	INIT_HLIST_HEAD(&empty_rp);
	kretprobe_hash_lock(current, &head, &flags);

	/*
	 * It is possible to have multiple instances associated with a given
	 * task either because multiple functions in the call path have
	 * a return probe installed on them, and/or more than one return
	 * probe was registered for a target function.
	 *
	 * We can handle this because:
	 *	- instances are always inserted at the head of the list
	 *	- when multiple return probes are registered for the same
	 *	  function, the first instance's ret_addr will point to the
	 *	  real return address, and all the rest will point to
	 *	  kretprobe_trampoline
	 */
	orig_ret_address = 0;
	correct_ret_addr = NULL;
	trampoline_address = (unsigned long) &kretprobe_trampoline;
	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
		if (ri->task != current)
			/* another task is sharing our hash bucket */
			continue;

		orig_ret_address = (unsigned long) ri->ret_addr;

		if (orig_ret_address != trampoline_address)
			/*
			 * This is the real return address. Any other
			 * instances associated with this task are for
			 * other calls deeper on the call stack
			 */
			break;
	}

	kretprobe_assert(ri, orig_ret_address, trampoline_address);

	correct_ret_addr = ri->ret_addr;
	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
		if (ri->task != current)
			/* another task is sharing our hash bucket */
			continue;

		orig_ret_address = (unsigned long) ri->ret_addr;

		if (ri->rp && ri->rp->handler) {
			ri->ret_addr = correct_ret_addr;
			ri->rp->handler(ri, regs);
		}

		recycle_rp_inst(ri, &empty_rp);

		if (orig_ret_address != trampoline_address)
			/*
			 * This is the real return address. Any other
			 * instances associated with this task are for
			 * other calls deeper on the call stack
			 */
			break;
	}

	regs->psw.addr = orig_ret_address | PSW_ADDR_AMODE;

	pop_kprobe(get_kprobe_ctlblk());
	kretprobe_hash_unlock(current, &flags);
	preempt_enable_no_resched();

	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
		hlist_del(&ri->hlist);
		kfree(ri);
	}
	/*
	 * By returning a non-zero value, we are telling
	 * kprobe_handler() that we don't want the post_handler
	 * to run (and have re-enabled preemption)
	 */
	return 1;
}
/*
 * Called after single-stepping. p->addr is the address of the
 * instruction whose first byte has been replaced by the "breakpoint"
 * instruction. To avoid the SMP problems that can occur when we
 * temporarily put back the original opcode to single-step, we
 * single-stepped a copy of the instruction. The address of this
 * copy is p->ainsn.insn.
 */
static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs)
{
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	unsigned long ip = regs->psw.addr & PSW_ADDR_INSN;
	int fixup = get_fixup_type(p->ainsn.insn);

	if (fixup & FIXUP_PSW_NORMAL)
		ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn;

	if (fixup & FIXUP_BRANCH_NOT_TAKEN) {
		int ilen = ((p->ainsn.insn[0] >> 14) + 3) & -2;
		if (ip - (unsigned long) p->ainsn.insn == ilen)
			ip = (unsigned long) p->addr + ilen;
	}

	if (fixup & FIXUP_RETURN_REGISTER) {
		int reg = (p->ainsn.insn[0] & 0xf0) >> 4;
		regs->gprs[reg] += (unsigned long) p->addr -
				   (unsigned long) p->ainsn.insn;
	}

	disable_singlestep(kcb, regs, ip);
}
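/*
 * Worked example for the fixups above (addresses are illustrative):
 * assume a probe on "basr %r14,%r4" (0x0de4) at 0x1000 whose copy lives
 * at 0x2000. After single-stepping the copy, %r14 holds 0x2002, the
 * address following the copy. FIXUP_RETURN_REGISTER extracts register 14
 * from bits 8-11 of the opcode and adds 0x1000 - 0x2000 to %r14, giving
 * the correct return address 0x1002.
 */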
static int __kprobes post_kprobe_handler(struct pt_regs *regs)
{
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	struct kprobe *p = kprobe_running();

	if (!p)
		return 0;

	if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) {
		kcb->kprobe_status = KPROBE_HIT_SSDONE;
		p->post_handler(p, regs, 0);
	}

	resume_execution(p, regs);
	pop_kprobe(kcb);
	preempt_enable_no_resched();

	/*
	 * if somebody else is singlestepping across a probe point, psw mask
	 * will have PER set, in which case, continue the remaining processing
	 * of do_single_step, as if this is not a probe hit.
	 */
	if (regs->psw.mask & PSW_MASK_PER)
		return 0;
	return 1;
}
static int __kprobes kprobe_trap_handler(struct pt_regs *regs, int trapnr)
{
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	struct kprobe *p = kprobe_running();
	const struct exception_table_entry *entry;

	switch (kcb->kprobe_status) {
	case KPROBE_SWAP_INST:
		/* We are here because the instruction replacement failed */
		return 0;
	case KPROBE_HIT_SS:
	case KPROBE_REENTER:
		/*
		 * We are here because the instruction being single
		 * stepped caused a page fault. We reset the current
		 * kprobe, point the psw back to the probe address
		 * and allow the page fault handler to continue as a
		 * normal page fault.
		 */
		disable_singlestep(kcb, regs, (unsigned long) p->addr);
		pop_kprobe(kcb);
		preempt_enable_no_resched();
		break;
	case KPROBE_HIT_ACTIVE:
	case KPROBE_HIT_SSDONE:
		/*
		 * We increment the nmissed count for accounting,
		 * we can also use npre/npostfault count for accounting
		 * these specific fault cases.
		 */
		kprobes_inc_nmissed_count(p);
		/*
		 * We come here because instructions in the pre/post
		 * handler caused the page_fault, this could happen
		 * if the handler tries to access user space by
		 * copy_from_user(), get_user() etc. Let the
		 * user-specified handler try to fix it first.
		 */
		if (p->fault_handler && p->fault_handler(p, regs, trapnr))
			return 1;
		/*
		 * In case the user-specified fault handler returned
		 * zero, try to fix up.
		 */
		entry = search_exception_tables(regs->psw.addr & PSW_ADDR_INSN);
		if (entry) {
			regs->psw.addr = extable_fixup(entry) | PSW_ADDR_AMODE;
			return 1;
		}
		/*
		 * The exception table could not handle it,
		 * let do_page_fault() fix it.
		 */
		break;
	default:
		break;
	}
	return 0;
}
int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
{
	int ret;

	if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
		local_irq_disable();
	ret = kprobe_trap_handler(regs, trapnr);
	if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
		local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
	return ret;
}
/*
 * Wrapper routine for handling exceptions.
 */
int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
				       unsigned long val, void *data)
{
	struct die_args *args = (struct die_args *) data;
	struct pt_regs *regs = args->regs;
	int ret = NOTIFY_DONE;

	if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
		local_irq_disable();
	switch (val) {
	case DIE_BPT:
		if (kprobe_handler(regs))
			ret = NOTIFY_STOP;
		break;
	case DIE_SSTEP:
		if (post_kprobe_handler(regs))
			ret = NOTIFY_STOP;
		break;
	case DIE_TRAP:
		if (!preemptible() && kprobe_running() &&
		    kprobe_trap_handler(regs, args->trapnr))
			ret = NOTIFY_STOP;
		break;
	}
	if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
		local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
	return ret;
}
int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
{
	struct jprobe *jp = container_of(p, struct jprobe, kp);
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	unsigned long stack;

	memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs));

	/* setup return addr to the jprobe handler routine */
	regs->psw.addr = (unsigned long) jp->entry | PSW_ADDR_AMODE;
	regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);

	/* r15 is the stack pointer */
	stack = (unsigned long) regs->gprs[15];

	memcpy(kcb->jprobes_stack, (void *) stack, MIN_STACK_SIZE(stack));
	return 1;
}
void __kprobes jprobe_return(void)
{
	asm volatile(".word 0x0002");
}
static void __used __kprobes jprobe_return_end(void)
{
	asm volatile("bcr 0,0");
}
int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
{
	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
	unsigned long stack;

	stack = (unsigned long) kcb->jprobe_saved_regs.gprs[15];

	/* Put the regs back */
	memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
	/* put the stack back */
	memcpy((void *) stack, kcb->jprobes_stack, MIN_STACK_SIZE(stack));
	preempt_enable_no_resched();
	return 1;
}
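/*
 * Minimal jprobe usage sketch (illustrative, not part of this file;
 * handler and probed symbol are made up). The entry function mirrors
 * the probed function's signature, sees its arguments, and must end
 * with jprobe_return(), which traps back into longjmp_break_handler()
 * via kprobe_handler():
 *
 *	static long jdo_fork(unsigned long clone_flags,
 *			     unsigned long stack_start,
 *			     unsigned long stack_size,
 *			     int __user *parent_tidptr,
 *			     int __user *child_tidptr)
 *	{
 *		pr_info("do_fork: clone_flags=0x%lx\n", clone_flags);
 *		jprobe_return();
 *		return 0;
 *	}
 *
 *	static struct jprobe my_jprobe = {
 *		.entry		= jdo_fork,
 *		.kp.symbol_name	= "do_fork",
 *	};
 *
 *	register_jprobe(&my_jprobe);
 */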
static struct kprobe trampoline = {
	.addr = (kprobe_opcode_t *) &kretprobe_trampoline,
	.pre_handler = trampoline_probe_handler
};
int __init arch_init_kprobes(void)
{
	return register_kprobe(&trampoline);
}
int __kprobes arch_trampoline_kprobe(struct kprobe *p)
{
	return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline;
}
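/*
 * End-to-end usage sketch (illustrative, not part of this file; names
 * are made up, only the register/unregister calls are real API): a
 * module that arms an ordinary kprobe through the arch hooks above.
 *
 *	static int my_pre(struct kprobe *p, struct pt_regs *regs)
 *	{
 *		pr_info("hit %p, psw.addr=%lx\n", p->addr, regs->psw.addr);
 *		return 0;	(0 means: continue with single-stepping)
 *	}
 *
 *	static struct kprobe my_kp = {
 *		.symbol_name	= "do_fork",
 *		.pre_handler	= my_pre,
 *	};
 *
 *	static int __init my_init(void)
 *	{
 *		return register_kprobe(&my_kp);
 *	}
 *
 *	static void __exit my_exit(void)
 *	{
 *		unregister_kprobe(&my_kp);
 *	}
 */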