2 * Kernel Probes (KProbes)
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 * Copyright IBM Corp. 2002, 2006
20 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com>
23 #include <linux/kprobes.h>
24 #include <linux/ptrace.h>
25 #include <linux/preempt.h>
26 #include <linux/stop_machine.h>
27 #include <linux/kdebug.h>
28 #include <linux/uaccess.h>
29 #include <asm/cacheflush.h>
30 #include <asm/sections.h>
31 #include <linux/module.h>
32 #include <linux/slab.h>
33 #include <linux/hardirq.h>
35 DEFINE_PER_CPU(struct kprobe *, current_kprobe);
36 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
38 struct kretprobe_blackpoint kretprobe_blacklist[] = { };
40 DEFINE_INSN_CACHE_OPS(dmainsn);
42 static void *alloc_dmainsn_page(void)
44 return (void *)__get_free_page(GFP_KERNEL | GFP_DMA);
47 static void free_dmainsn_page(void *page)
49 free_page((unsigned long)page);
52 struct kprobe_insn_cache kprobe_dmainsn_slots = {
53 .mutex = __MUTEX_INITIALIZER(kprobe_dmainsn_slots.mutex),
54 .alloc = alloc_dmainsn_page,
55 .free = free_dmainsn_page,
56 .pages = LIST_HEAD_INIT(kprobe_dmainsn_slots.pages),
57 .insn_size = MAX_INSN_SIZE,
60 static int __kprobes is_prohibited_opcode(kprobe_opcode_t *insn)
62 switch (insn[0] >> 8) {
63 case 0x0c: /* bassm */
67 case 0xac: /* stnsm */
68 case 0xad: /* stosm */
71 switch (insn[0] & 0x0f) {
78 case 0xb25a: /* bsa */
79 case 0xb240: /* bakr */
80 case 0xb258: /* bsg */
83 case 0xb98d: /* epsw */
89 static int __kprobes get_fixup_type(kprobe_opcode_t *insn)
91 /* default fixup method */
92 int fixup = FIXUP_PSW_NORMAL;
94 switch (insn[0] >> 8) {
97 fixup = FIXUP_RETURN_REGISTER;
98 /* if r2 = 0, no branch will be taken */
99 if ((insn[0] & 0x0f) == 0)
100 fixup |= FIXUP_BRANCH_NOT_TAKEN;
102 case 0x06: /* bctr */
104 fixup = FIXUP_BRANCH_NOT_TAKEN;
108 fixup = FIXUP_RETURN_REGISTER;
113 case 0x87: /* bxle */
114 fixup = FIXUP_BRANCH_NOT_TAKEN;
116 case 0x82: /* lpsw */
117 fixup = FIXUP_NOT_REQUIRED;
119 case 0xb2: /* lpswe */
120 if ((insn[0] & 0xff) == 0xb2)
121 fixup = FIXUP_NOT_REQUIRED;
123 case 0xa7: /* bras */
124 if ((insn[0] & 0x0f) == 0x05)
125 fixup |= FIXUP_RETURN_REGISTER;
128 if ((insn[0] & 0x0f) == 0x05) /* brasl */
129 fixup |= FIXUP_RETURN_REGISTER;
132 switch (insn[2] & 0xff) {
133 case 0x44: /* bxhg */
134 case 0x45: /* bxleg */
135 fixup = FIXUP_BRANCH_NOT_TAKEN;
139 case 0xe3: /* bctg */
140 if ((insn[2] & 0xff) == 0x46)
141 fixup = FIXUP_BRANCH_NOT_TAKEN;
144 switch (insn[2] & 0xff) {
145 case 0xe5: /* clgrb */
146 case 0xe6: /* cgrb */
148 case 0xf7: /* clrb */
149 case 0xfc: /* cgib */
150 case 0xfd: /* cglib */
152 case 0xff: /* clib */
153 fixup = FIXUP_BRANCH_NOT_TAKEN;
161 static int __kprobes is_insn_relative_long(kprobe_opcode_t *insn)
163 /* Check if we have a RIL-b or RIL-c format instruction which
164 * we need to modify in order to avoid instruction emulation. */
165 switch (insn[0] >> 8) {
167 if ((insn[0] & 0x0f) == 0x00) /* larl */
171 switch (insn[0] & 0x0f) {
172 case 0x02: /* llhrl */
173 case 0x04: /* lghrl */
174 case 0x05: /* lhrl */
175 case 0x06: /* llghrl */
176 case 0x07: /* sthrl */
177 case 0x08: /* lgrl */
178 case 0x0b: /* stgrl */
179 case 0x0c: /* lgfrl */
181 case 0x0e: /* llgfrl */
182 case 0x0f: /* strl */
187 switch (insn[0] & 0x0f) {
188 case 0x02: /* pfdrl */
189 case 0x04: /* cghrl */
190 case 0x05: /* chrl */
191 case 0x06: /* clghrl */
192 case 0x07: /* clhrl */
193 case 0x08: /* cgrl */
194 case 0x0a: /* clgrl */
195 case 0x0c: /* cgfrl */
197 case 0x0e: /* clgfrl */
198 case 0x0f: /* clrl */
206 static void __kprobes copy_instruction(struct kprobe *p)
211 memcpy(p->ainsn.insn, p->addr, ((p->opcode >> 14) + 3) & -2);
212 if (!is_insn_relative_long(p->ainsn.insn))
215 * For pc-relative instructions in RIL-b or RIL-c format patch the
216 * RI2 displacement field. We have already made sure that the insn
217 * slot for the patched instruction is within the same 2GB area
218 * as the original instruction (either kernel image or module area).
219 * Therefore the new displacement will always fit.
221 disp = *(s32 *)&p->ainsn.insn[1];
222 addr = (u64)(unsigned long)p->addr;
223 new_addr = (u64)(unsigned long)p->ainsn.insn;
224 new_disp = ((addr + (disp * 2)) - new_addr) / 2;
225 *(s32 *)&p->ainsn.insn[1] = new_disp;
228 static inline int is_kernel_addr(void *addr)
230 return addr < (void *)_end;
233 static inline int is_module_addr(void *addr)
236 BUILD_BUG_ON(MODULES_LEN > (1UL << 31));
237 if (addr < (void *)MODULES_VADDR)
239 if (addr > (void *)MODULES_END)
245 static int __kprobes s390_get_insn_slot(struct kprobe *p)
248 * Get an insn slot that is within the same 2GB area like the original
249 * instruction. That way instructions with a 32bit signed displacement
250 * field can be patched and executed within the insn slot.
252 p->ainsn.insn = NULL;
253 if (is_kernel_addr(p->addr))
254 p->ainsn.insn = get_dmainsn_slot();
255 if (is_module_addr(p->addr))
256 p->ainsn.insn = get_insn_slot();
257 return p->ainsn.insn ? 0 : -ENOMEM;
260 static void __kprobes s390_free_insn_slot(struct kprobe *p)
264 if (is_kernel_addr(p->addr))
265 free_dmainsn_slot(p->ainsn.insn, 0);
267 free_insn_slot(p->ainsn.insn, 0);
268 p->ainsn.insn = NULL;
271 int __kprobes arch_prepare_kprobe(struct kprobe *p)
273 if ((unsigned long) p->addr & 0x01)
275 /* Make sure the probe isn't going on a difficult instruction */
276 if (is_prohibited_opcode(p->addr))
278 if (s390_get_insn_slot(p))
280 p->opcode = *p->addr;
285 struct ins_replace_args {
286 kprobe_opcode_t *ptr;
287 kprobe_opcode_t opcode;
290 static int __kprobes swap_instruction(void *aref)
292 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
293 unsigned long status = kcb->kprobe_status;
294 struct ins_replace_args *args = aref;
296 kcb->kprobe_status = KPROBE_SWAP_INST;
297 probe_kernel_write(args->ptr, &args->opcode, sizeof(args->opcode));
298 kcb->kprobe_status = status;
302 void __kprobes arch_arm_kprobe(struct kprobe *p)
304 struct ins_replace_args args;
307 args.opcode = BREAKPOINT_INSTRUCTION;
308 stop_machine(swap_instruction, &args, NULL);
311 void __kprobes arch_disarm_kprobe(struct kprobe *p)
313 struct ins_replace_args args;
316 args.opcode = p->opcode;
317 stop_machine(swap_instruction, &args, NULL);
320 void __kprobes arch_remove_kprobe(struct kprobe *p)
322 s390_free_insn_slot(p);
325 static void __kprobes enable_singlestep(struct kprobe_ctlblk *kcb,
326 struct pt_regs *regs,
329 struct per_regs per_kprobe;
331 /* Set up the PER control registers %cr9-%cr11 */
332 per_kprobe.control = PER_EVENT_IFETCH;
333 per_kprobe.start = ip;
336 /* Save control regs and psw mask */
337 __ctl_store(kcb->kprobe_saved_ctl, 9, 11);
338 kcb->kprobe_saved_imask = regs->psw.mask &
339 (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT);
341 /* Set PER control regs, turns on single step for the given address */
342 __ctl_load(per_kprobe, 9, 11);
343 regs->psw.mask |= PSW_MASK_PER;
344 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
345 regs->psw.addr = ip | PSW_ADDR_AMODE;
348 static void __kprobes disable_singlestep(struct kprobe_ctlblk *kcb,
349 struct pt_regs *regs,
352 /* Restore control regs and psw mask, set new psw address */
353 __ctl_load(kcb->kprobe_saved_ctl, 9, 11);
354 regs->psw.mask &= ~PSW_MASK_PER;
355 regs->psw.mask |= kcb->kprobe_saved_imask;
356 regs->psw.addr = ip | PSW_ADDR_AMODE;
360 * Activate a kprobe by storing its pointer to current_kprobe. The
361 * previous kprobe is stored in kcb->prev_kprobe. A stack of up to
362 * two kprobes can be active, see KPROBE_REENTER.
364 static void __kprobes push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p)
366 kcb->prev_kprobe.kp = __get_cpu_var(current_kprobe);
367 kcb->prev_kprobe.status = kcb->kprobe_status;
368 __get_cpu_var(current_kprobe) = p;
372 * Deactivate a kprobe by backing up to the previous state. If the
373 * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL,
374 * for any other state prev_kprobe.kp will be NULL.
376 static void __kprobes pop_kprobe(struct kprobe_ctlblk *kcb)
378 __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
379 kcb->kprobe_status = kcb->prev_kprobe.status;
382 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
383 struct pt_regs *regs)
385 ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14];
387 /* Replace the return addr with trampoline addr */
388 regs->gprs[14] = (unsigned long) &kretprobe_trampoline;
391 static void __kprobes kprobe_reenter_check(struct kprobe_ctlblk *kcb,
394 switch (kcb->kprobe_status) {
395 case KPROBE_HIT_SSDONE:
396 case KPROBE_HIT_ACTIVE:
397 kprobes_inc_nmissed_count(p);
403 * A kprobe on the code path to single step an instruction
404 * is a BUG. The code path resides in the .kprobes.text
405 * section and is executed with interrupts disabled.
407 printk(KERN_EMERG "Invalid kprobe detected at %p.\n", p->addr);
413 static int __kprobes kprobe_handler(struct pt_regs *regs)
415 struct kprobe_ctlblk *kcb;
419 * We want to disable preemption for the entire duration of kprobe
420 * processing. That includes the calls to the pre/post handlers
421 * and single stepping the kprobe instruction.
424 kcb = get_kprobe_ctlblk();
425 p = get_kprobe((void *)((regs->psw.addr & PSW_ADDR_INSN) - 2));
428 if (kprobe_running()) {
430 * We have hit a kprobe while another is still
431 * active. This can happen in the pre and post
432 * handler. Single step the instruction of the
433 * new probe but do not call any handler function
434 * of this secondary kprobe.
435 * push_kprobe and pop_kprobe saves and restores
436 * the currently active kprobe.
438 kprobe_reenter_check(kcb, p);
440 kcb->kprobe_status = KPROBE_REENTER;
443 * If we have no pre-handler or it returned 0, we
444 * continue with single stepping. If we have a
445 * pre-handler and it returned non-zero, it prepped
446 * for calling the break_handler below on re-entry
447 * for jprobe processing, so get out doing nothing
451 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
452 if (p->pre_handler && p->pre_handler(p, regs))
454 kcb->kprobe_status = KPROBE_HIT_SS;
456 enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn);
458 } else if (kprobe_running()) {
459 p = __get_cpu_var(current_kprobe);
460 if (p->break_handler && p->break_handler(p, regs)) {
462 * Continuation after the jprobe completed and
463 * caused the jprobe_return trap. The jprobe
464 * break_handler "returns" to the original
465 * function that still has the kprobe breakpoint
466 * installed. We continue with single stepping.
468 kcb->kprobe_status = KPROBE_HIT_SS;
469 enable_singlestep(kcb, regs,
470 (unsigned long) p->ainsn.insn);
473 * No kprobe at this address and the current kprobe
474 * has no break handler (no jprobe!). The kernel just
475 * exploded, let the standard trap handler pick up the
479 * No kprobe at this address and no active kprobe. The trap has
480 * not been caused by a kprobe breakpoint. The race of breakpoint
481 * vs. kprobe remove does not exist because on s390 as we use
482 * stop_machine to arm/disarm the breakpoints.
484 preempt_enable_no_resched();
489 * Function return probe trampoline:
490 * - init_kprobes() establishes a probepoint here
491 * - When the probed function returns, this probe
492 * causes the handlers to fire
494 static void __used kretprobe_trampoline_holder(void)
496 asm volatile(".global kretprobe_trampoline\n"
497 "kretprobe_trampoline: bcr 0,0\n");
501 * Called when the probe at kretprobe trampoline is hit
503 static int __kprobes trampoline_probe_handler(struct kprobe *p,
504 struct pt_regs *regs)
506 struct kretprobe_instance *ri;
507 struct hlist_head *head, empty_rp;
508 struct hlist_node *tmp;
509 unsigned long flags, orig_ret_address;
510 unsigned long trampoline_address;
511 kprobe_opcode_t *correct_ret_addr;
513 INIT_HLIST_HEAD(&empty_rp);
514 kretprobe_hash_lock(current, &head, &flags);
517 * It is possible to have multiple instances associated with a given
518 * task either because an multiple functions in the call path
519 * have a return probe installed on them, and/or more than one return
520 * return probe was registered for a target function.
522 * We can handle this because:
523 * - instances are always inserted at the head of the list
524 * - when multiple return probes are registered for the same
525 * function, the first instance's ret_addr will point to the
526 * real return address, and all the rest will point to
527 * kretprobe_trampoline
530 orig_ret_address = 0;
531 correct_ret_addr = NULL;
532 trampoline_address = (unsigned long) &kretprobe_trampoline;
533 hlist_for_each_entry_safe(ri, tmp, head, hlist) {
534 if (ri->task != current)
535 /* another task is sharing our hash bucket */
538 orig_ret_address = (unsigned long) ri->ret_addr;
540 if (orig_ret_address != trampoline_address)
542 * This is the real return address. Any other
543 * instances associated with this task are for
544 * other calls deeper on the call stack
549 kretprobe_assert(ri, orig_ret_address, trampoline_address);
551 correct_ret_addr = ri->ret_addr;
552 hlist_for_each_entry_safe(ri, tmp, head, hlist) {
553 if (ri->task != current)
554 /* another task is sharing our hash bucket */
557 orig_ret_address = (unsigned long) ri->ret_addr;
559 if (ri->rp && ri->rp->handler) {
560 ri->ret_addr = correct_ret_addr;
561 ri->rp->handler(ri, regs);
564 recycle_rp_inst(ri, &empty_rp);
566 if (orig_ret_address != trampoline_address)
568 * This is the real return address. Any other
569 * instances associated with this task are for
570 * other calls deeper on the call stack
575 regs->psw.addr = orig_ret_address | PSW_ADDR_AMODE;
577 pop_kprobe(get_kprobe_ctlblk());
578 kretprobe_hash_unlock(current, &flags);
579 preempt_enable_no_resched();
581 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
582 hlist_del(&ri->hlist);
586 * By returning a non-zero value, we are telling
587 * kprobe_handler() that we don't want the post_handler
588 * to run (and have re-enabled preemption)
594 * Called after single-stepping. p->addr is the address of the
595 * instruction whose first byte has been replaced by the "breakpoint"
596 * instruction. To avoid the SMP problems that can occur when we
597 * temporarily put back the original opcode to single-step, we
598 * single-stepped a copy of the instruction. The address of this
599 * copy is p->ainsn.insn.
601 static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs)
603 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
604 unsigned long ip = regs->psw.addr & PSW_ADDR_INSN;
605 int fixup = get_fixup_type(p->ainsn.insn);
607 if (fixup & FIXUP_PSW_NORMAL)
608 ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn;
610 if (fixup & FIXUP_BRANCH_NOT_TAKEN) {
611 int ilen = ((p->ainsn.insn[0] >> 14) + 3) & -2;
612 if (ip - (unsigned long) p->ainsn.insn == ilen)
613 ip = (unsigned long) p->addr + ilen;
616 if (fixup & FIXUP_RETURN_REGISTER) {
617 int reg = (p->ainsn.insn[0] & 0xf0) >> 4;
618 regs->gprs[reg] += (unsigned long) p->addr -
619 (unsigned long) p->ainsn.insn;
622 disable_singlestep(kcb, regs, ip);
625 static int __kprobes post_kprobe_handler(struct pt_regs *regs)
627 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
628 struct kprobe *p = kprobe_running();
633 if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) {
634 kcb->kprobe_status = KPROBE_HIT_SSDONE;
635 p->post_handler(p, regs, 0);
638 resume_execution(p, regs);
640 preempt_enable_no_resched();
643 * if somebody else is singlestepping across a probe point, psw mask
644 * will have PER set, in which case, continue the remaining processing
645 * of do_single_step, as if this is not a probe hit.
647 if (regs->psw.mask & PSW_MASK_PER)
653 static int __kprobes kprobe_trap_handler(struct pt_regs *regs, int trapnr)
655 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
656 struct kprobe *p = kprobe_running();
657 const struct exception_table_entry *entry;
659 switch(kcb->kprobe_status) {
660 case KPROBE_SWAP_INST:
661 /* We are here because the instruction replacement failed */
666 * We are here because the instruction being single
667 * stepped caused a page fault. We reset the current
668 * kprobe and the nip points back to the probe address
669 * and allow the page fault handler to continue as a
672 disable_singlestep(kcb, regs, (unsigned long) p->addr);
674 preempt_enable_no_resched();
676 case KPROBE_HIT_ACTIVE:
677 case KPROBE_HIT_SSDONE:
679 * We increment the nmissed count for accounting,
680 * we can also use npre/npostfault count for accouting
681 * these specific fault cases.
683 kprobes_inc_nmissed_count(p);
686 * We come here because instructions in the pre/post
687 * handler caused the page_fault, this could happen
688 * if handler tries to access user space by
689 * copy_from_user(), get_user() etc. Let the
690 * user-specified handler try to fix it first.
692 if (p->fault_handler && p->fault_handler(p, regs, trapnr))
696 * In case the user-specified fault handler returned
697 * zero, try to fix up.
699 entry = search_exception_tables(regs->psw.addr & PSW_ADDR_INSN);
701 regs->psw.addr = extable_fixup(entry) | PSW_ADDR_AMODE;
706 * fixup_exception() could not handle it,
707 * Let do_page_fault() fix it.
716 int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
720 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
722 ret = kprobe_trap_handler(regs, trapnr);
723 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
724 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
729 * Wrapper routine to for handling exceptions.
731 int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
732 unsigned long val, void *data)
734 struct die_args *args = (struct die_args *) data;
735 struct pt_regs *regs = args->regs;
736 int ret = NOTIFY_DONE;
738 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
743 if (kprobe_handler(regs))
747 if (post_kprobe_handler(regs))
751 if (!preemptible() && kprobe_running() &&
752 kprobe_trap_handler(regs, args->trapnr))
759 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
760 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
765 int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
767 struct jprobe *jp = container_of(p, struct jprobe, kp);
768 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
771 memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs));
773 /* setup return addr to the jprobe handler routine */
774 regs->psw.addr = (unsigned long) jp->entry | PSW_ADDR_AMODE;
775 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
777 /* r15 is the stack pointer */
778 stack = (unsigned long) regs->gprs[15];
780 memcpy(kcb->jprobes_stack, (void *) stack, MIN_STACK_SIZE(stack));
784 void __kprobes jprobe_return(void)
786 asm volatile(".word 0x0002");
789 static void __used __kprobes jprobe_return_end(void)
791 asm volatile("bcr 0,0");
794 int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
796 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
799 stack = (unsigned long) kcb->jprobe_saved_regs.gprs[15];
801 /* Put the regs back */
802 memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
803 /* put the stack back */
804 memcpy((void *) stack, kcb->jprobes_stack, MIN_STACK_SIZE(stack));
805 preempt_enable_no_resched();
809 static struct kprobe trampoline = {
810 .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
811 .pre_handler = trampoline_probe_handler
814 int __init arch_init_kprobes(void)
816 return register_kprobe(&trampoline);
819 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
821 return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline;
projects / karo-tx-linux.git / blob