2 * Kernel Probes (KProbes)
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 * Copyright IBM Corp. 2002, 2006
20 * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com>
23 #include <linux/kprobes.h>
24 #include <linux/ptrace.h>
25 #include <linux/preempt.h>
26 #include <linux/stop_machine.h>
27 #include <linux/kdebug.h>
28 #include <linux/uaccess.h>
29 #include <linux/module.h>
30 #include <linux/slab.h>
31 #include <linux/hardirq.h>
32 #include <asm/cacheflush.h>
33 #include <asm/sections.h>
36 DEFINE_PER_CPU(struct kprobe *, current_kprobe);
37 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
39 struct kretprobe_blackpoint kretprobe_blacklist[] = { };
41 DEFINE_INSN_CACHE_OPS(dmainsn);
43 static void *alloc_dmainsn_page(void)
45 return (void *)__get_free_page(GFP_KERNEL | GFP_DMA);
48 static void free_dmainsn_page(void *page)
50 free_page((unsigned long)page);
53 struct kprobe_insn_cache kprobe_dmainsn_slots = {
54 .mutex = __MUTEX_INITIALIZER(kprobe_dmainsn_slots.mutex),
55 .alloc = alloc_dmainsn_page,
56 .free = free_dmainsn_page,
57 .pages = LIST_HEAD_INIT(kprobe_dmainsn_slots.pages),
58 .insn_size = MAX_INSN_SIZE,
61 static void __kprobes copy_instruction(struct kprobe *p)
66 memcpy(p->ainsn.insn, p->addr, insn_length(p->opcode >> 8));
67 if (!probe_is_insn_relative_long(p->ainsn.insn))
70 * For pc-relative instructions in RIL-b or RIL-c format patch the
71 * RI2 displacement field. We have already made sure that the insn
72 * slot for the patched instruction is within the same 2GB area
73 * as the original instruction (either kernel image or module area).
74 * Therefore the new displacement will always fit.
76 disp = *(s32 *)&p->ainsn.insn[1];
77 addr = (u64)(unsigned long)p->addr;
78 new_addr = (u64)(unsigned long)p->ainsn.insn;
79 new_disp = ((addr + (disp * 2)) - new_addr) / 2;
80 *(s32 *)&p->ainsn.insn[1] = new_disp;
83 static inline int is_kernel_addr(void *addr)
85 return addr < (void *)_end;
88 static inline int is_module_addr(void *addr)
91 BUILD_BUG_ON(MODULES_LEN > (1UL << 31));
92 if (addr < (void *)MODULES_VADDR)
94 if (addr > (void *)MODULES_END)
100 static int __kprobes s390_get_insn_slot(struct kprobe *p)
103 * Get an insn slot that is within the same 2GB area like the original
104 * instruction. That way instructions with a 32bit signed displacement
105 * field can be patched and executed within the insn slot.
107 p->ainsn.insn = NULL;
108 if (is_kernel_addr(p->addr))
109 p->ainsn.insn = get_dmainsn_slot();
110 else if (is_module_addr(p->addr))
111 p->ainsn.insn = get_insn_slot();
112 return p->ainsn.insn ? 0 : -ENOMEM;
115 static void __kprobes s390_free_insn_slot(struct kprobe *p)
119 if (is_kernel_addr(p->addr))
120 free_dmainsn_slot(p->ainsn.insn, 0);
122 free_insn_slot(p->ainsn.insn, 0);
123 p->ainsn.insn = NULL;
126 int __kprobes arch_prepare_kprobe(struct kprobe *p)
128 if ((unsigned long) p->addr & 0x01)
130 /* Make sure the probe isn't going on a difficult instruction */
131 if (probe_is_prohibited_opcode(p->addr))
133 if (s390_get_insn_slot(p))
135 p->opcode = *p->addr;
140 struct ins_replace_args {
141 kprobe_opcode_t *ptr;
142 kprobe_opcode_t opcode;
145 static int __kprobes swap_instruction(void *aref)
147 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
148 unsigned long status = kcb->kprobe_status;
149 struct ins_replace_args *args = aref;
151 kcb->kprobe_status = KPROBE_SWAP_INST;
152 probe_kernel_write(args->ptr, &args->opcode, sizeof(args->opcode));
153 kcb->kprobe_status = status;
157 void __kprobes arch_arm_kprobe(struct kprobe *p)
159 struct ins_replace_args args;
162 args.opcode = BREAKPOINT_INSTRUCTION;
163 stop_machine(swap_instruction, &args, NULL);
166 void __kprobes arch_disarm_kprobe(struct kprobe *p)
168 struct ins_replace_args args;
171 args.opcode = p->opcode;
172 stop_machine(swap_instruction, &args, NULL);
175 void __kprobes arch_remove_kprobe(struct kprobe *p)
177 s390_free_insn_slot(p);
180 static void __kprobes enable_singlestep(struct kprobe_ctlblk *kcb,
181 struct pt_regs *regs,
184 struct per_regs per_kprobe;
186 /* Set up the PER control registers %cr9-%cr11 */
187 per_kprobe.control = PER_EVENT_IFETCH;
188 per_kprobe.start = ip;
191 /* Save control regs and psw mask */
192 __ctl_store(kcb->kprobe_saved_ctl, 9, 11);
193 kcb->kprobe_saved_imask = regs->psw.mask &
194 (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT);
196 /* Set PER control regs, turns on single step for the given address */
197 __ctl_load(per_kprobe, 9, 11);
198 regs->psw.mask |= PSW_MASK_PER;
199 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
200 regs->psw.addr = ip | PSW_ADDR_AMODE;
203 static void __kprobes disable_singlestep(struct kprobe_ctlblk *kcb,
204 struct pt_regs *regs,
207 /* Restore control regs and psw mask, set new psw address */
208 __ctl_load(kcb->kprobe_saved_ctl, 9, 11);
209 regs->psw.mask &= ~PSW_MASK_PER;
210 regs->psw.mask |= kcb->kprobe_saved_imask;
211 regs->psw.addr = ip | PSW_ADDR_AMODE;
215 * Activate a kprobe by storing its pointer to current_kprobe. The
216 * previous kprobe is stored in kcb->prev_kprobe. A stack of up to
217 * two kprobes can be active, see KPROBE_REENTER.
219 static void __kprobes push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p)
221 kcb->prev_kprobe.kp = __get_cpu_var(current_kprobe);
222 kcb->prev_kprobe.status = kcb->kprobe_status;
223 __get_cpu_var(current_kprobe) = p;
227 * Deactivate a kprobe by backing up to the previous state. If the
228 * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL,
229 * for any other state prev_kprobe.kp will be NULL.
231 static void __kprobes pop_kprobe(struct kprobe_ctlblk *kcb)
233 __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
234 kcb->kprobe_status = kcb->prev_kprobe.status;
237 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
238 struct pt_regs *regs)
240 ri->ret_addr = (kprobe_opcode_t *) regs->gprs[14];
242 /* Replace the return addr with trampoline addr */
243 regs->gprs[14] = (unsigned long) &kretprobe_trampoline;
246 static void __kprobes kprobe_reenter_check(struct kprobe_ctlblk *kcb,
249 switch (kcb->kprobe_status) {
250 case KPROBE_HIT_SSDONE:
251 case KPROBE_HIT_ACTIVE:
252 kprobes_inc_nmissed_count(p);
258 * A kprobe on the code path to single step an instruction
259 * is a BUG. The code path resides in the .kprobes.text
260 * section and is executed with interrupts disabled.
262 printk(KERN_EMERG "Invalid kprobe detected at %p.\n", p->addr);
268 static int __kprobes kprobe_handler(struct pt_regs *regs)
270 struct kprobe_ctlblk *kcb;
274 * We want to disable preemption for the entire duration of kprobe
275 * processing. That includes the calls to the pre/post handlers
276 * and single stepping the kprobe instruction.
279 kcb = get_kprobe_ctlblk();
280 p = get_kprobe((void *)((regs->psw.addr & PSW_ADDR_INSN) - 2));
283 if (kprobe_running()) {
285 * We have hit a kprobe while another is still
286 * active. This can happen in the pre and post
287 * handler. Single step the instruction of the
288 * new probe but do not call any handler function
289 * of this secondary kprobe.
290 * push_kprobe and pop_kprobe saves and restores
291 * the currently active kprobe.
293 kprobe_reenter_check(kcb, p);
295 kcb->kprobe_status = KPROBE_REENTER;
298 * If we have no pre-handler or it returned 0, we
299 * continue with single stepping. If we have a
300 * pre-handler and it returned non-zero, it prepped
301 * for calling the break_handler below on re-entry
302 * for jprobe processing, so get out doing nothing
306 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
307 if (p->pre_handler && p->pre_handler(p, regs))
309 kcb->kprobe_status = KPROBE_HIT_SS;
311 enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn);
313 } else if (kprobe_running()) {
314 p = __get_cpu_var(current_kprobe);
315 if (p->break_handler && p->break_handler(p, regs)) {
317 * Continuation after the jprobe completed and
318 * caused the jprobe_return trap. The jprobe
319 * break_handler "returns" to the original
320 * function that still has the kprobe breakpoint
321 * installed. We continue with single stepping.
323 kcb->kprobe_status = KPROBE_HIT_SS;
324 enable_singlestep(kcb, regs,
325 (unsigned long) p->ainsn.insn);
328 * No kprobe at this address and the current kprobe
329 * has no break handler (no jprobe!). The kernel just
330 * exploded, let the standard trap handler pick up the
334 * No kprobe at this address and no active kprobe. The trap has
335 * not been caused by a kprobe breakpoint. The race of breakpoint
336 * vs. kprobe remove does not exist because on s390 as we use
337 * stop_machine to arm/disarm the breakpoints.
339 preempt_enable_no_resched();
344 * Function return probe trampoline:
345 * - init_kprobes() establishes a probepoint here
346 * - When the probed function returns, this probe
347 * causes the handlers to fire
349 static void __used kretprobe_trampoline_holder(void)
351 asm volatile(".global kretprobe_trampoline\n"
352 "kretprobe_trampoline: bcr 0,0\n");
356 * Called when the probe at kretprobe trampoline is hit
358 static int __kprobes trampoline_probe_handler(struct kprobe *p,
359 struct pt_regs *regs)
361 struct kretprobe_instance *ri;
362 struct hlist_head *head, empty_rp;
363 struct hlist_node *tmp;
364 unsigned long flags, orig_ret_address;
365 unsigned long trampoline_address;
366 kprobe_opcode_t *correct_ret_addr;
368 INIT_HLIST_HEAD(&empty_rp);
369 kretprobe_hash_lock(current, &head, &flags);
372 * It is possible to have multiple instances associated with a given
373 * task either because an multiple functions in the call path
374 * have a return probe installed on them, and/or more than one return
375 * return probe was registered for a target function.
377 * We can handle this because:
378 * - instances are always inserted at the head of the list
379 * - when multiple return probes are registered for the same
380 * function, the first instance's ret_addr will point to the
381 * real return address, and all the rest will point to
382 * kretprobe_trampoline
385 orig_ret_address = 0;
386 correct_ret_addr = NULL;
387 trampoline_address = (unsigned long) &kretprobe_trampoline;
388 hlist_for_each_entry_safe(ri, tmp, head, hlist) {
389 if (ri->task != current)
390 /* another task is sharing our hash bucket */
393 orig_ret_address = (unsigned long) ri->ret_addr;
395 if (orig_ret_address != trampoline_address)
397 * This is the real return address. Any other
398 * instances associated with this task are for
399 * other calls deeper on the call stack
404 kretprobe_assert(ri, orig_ret_address, trampoline_address);
406 correct_ret_addr = ri->ret_addr;
407 hlist_for_each_entry_safe(ri, tmp, head, hlist) {
408 if (ri->task != current)
409 /* another task is sharing our hash bucket */
412 orig_ret_address = (unsigned long) ri->ret_addr;
414 if (ri->rp && ri->rp->handler) {
415 ri->ret_addr = correct_ret_addr;
416 ri->rp->handler(ri, regs);
419 recycle_rp_inst(ri, &empty_rp);
421 if (orig_ret_address != trampoline_address)
423 * This is the real return address. Any other
424 * instances associated with this task are for
425 * other calls deeper on the call stack
430 regs->psw.addr = orig_ret_address | PSW_ADDR_AMODE;
432 pop_kprobe(get_kprobe_ctlblk());
433 kretprobe_hash_unlock(current, &flags);
434 preempt_enable_no_resched();
436 hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
437 hlist_del(&ri->hlist);
441 * By returning a non-zero value, we are telling
442 * kprobe_handler() that we don't want the post_handler
443 * to run (and have re-enabled preemption)
449 * Called after single-stepping. p->addr is the address of the
450 * instruction whose first byte has been replaced by the "breakpoint"
451 * instruction. To avoid the SMP problems that can occur when we
452 * temporarily put back the original opcode to single-step, we
453 * single-stepped a copy of the instruction. The address of this
454 * copy is p->ainsn.insn.
456 static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs)
458 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
459 unsigned long ip = regs->psw.addr & PSW_ADDR_INSN;
460 int fixup = probe_get_fixup_type(p->ainsn.insn);
462 if (fixup & FIXUP_PSW_NORMAL)
463 ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn;
465 if (fixup & FIXUP_BRANCH_NOT_TAKEN) {
466 int ilen = insn_length(p->ainsn.insn[0] >> 8);
467 if (ip - (unsigned long) p->ainsn.insn == ilen)
468 ip = (unsigned long) p->addr + ilen;
471 if (fixup & FIXUP_RETURN_REGISTER) {
472 int reg = (p->ainsn.insn[0] & 0xf0) >> 4;
473 regs->gprs[reg] += (unsigned long) p->addr -
474 (unsigned long) p->ainsn.insn;
477 disable_singlestep(kcb, regs, ip);
480 static int __kprobes post_kprobe_handler(struct pt_regs *regs)
482 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
483 struct kprobe *p = kprobe_running();
488 if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) {
489 kcb->kprobe_status = KPROBE_HIT_SSDONE;
490 p->post_handler(p, regs, 0);
493 resume_execution(p, regs);
495 preempt_enable_no_resched();
498 * if somebody else is singlestepping across a probe point, psw mask
499 * will have PER set, in which case, continue the remaining processing
500 * of do_single_step, as if this is not a probe hit.
502 if (regs->psw.mask & PSW_MASK_PER)
508 static int __kprobes kprobe_trap_handler(struct pt_regs *regs, int trapnr)
510 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
511 struct kprobe *p = kprobe_running();
512 const struct exception_table_entry *entry;
514 switch(kcb->kprobe_status) {
515 case KPROBE_SWAP_INST:
516 /* We are here because the instruction replacement failed */
521 * We are here because the instruction being single
522 * stepped caused a page fault. We reset the current
523 * kprobe and the nip points back to the probe address
524 * and allow the page fault handler to continue as a
527 disable_singlestep(kcb, regs, (unsigned long) p->addr);
529 preempt_enable_no_resched();
531 case KPROBE_HIT_ACTIVE:
532 case KPROBE_HIT_SSDONE:
534 * We increment the nmissed count for accounting,
535 * we can also use npre/npostfault count for accounting
536 * these specific fault cases.
538 kprobes_inc_nmissed_count(p);
541 * We come here because instructions in the pre/post
542 * handler caused the page_fault, this could happen
543 * if handler tries to access user space by
544 * copy_from_user(), get_user() etc. Let the
545 * user-specified handler try to fix it first.
547 if (p->fault_handler && p->fault_handler(p, regs, trapnr))
551 * In case the user-specified fault handler returned
552 * zero, try to fix up.
554 entry = search_exception_tables(regs->psw.addr & PSW_ADDR_INSN);
556 regs->psw.addr = extable_fixup(entry) | PSW_ADDR_AMODE;
561 * fixup_exception() could not handle it,
562 * Let do_page_fault() fix it.
571 int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
575 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
577 ret = kprobe_trap_handler(regs, trapnr);
578 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
579 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
584 * Wrapper routine to for handling exceptions.
586 int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
587 unsigned long val, void *data)
589 struct die_args *args = (struct die_args *) data;
590 struct pt_regs *regs = args->regs;
591 int ret = NOTIFY_DONE;
593 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
598 if (kprobe_handler(regs))
602 if (post_kprobe_handler(regs))
606 if (!preemptible() && kprobe_running() &&
607 kprobe_trap_handler(regs, args->trapnr))
614 if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
615 local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
620 int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
622 struct jprobe *jp = container_of(p, struct jprobe, kp);
623 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
626 memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs));
628 /* setup return addr to the jprobe handler routine */
629 regs->psw.addr = (unsigned long) jp->entry | PSW_ADDR_AMODE;
630 regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
632 /* r15 is the stack pointer */
633 stack = (unsigned long) regs->gprs[15];
635 memcpy(kcb->jprobes_stack, (void *) stack, MIN_STACK_SIZE(stack));
639 void __kprobes jprobe_return(void)
641 asm volatile(".word 0x0002");
644 int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
646 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
649 stack = (unsigned long) kcb->jprobe_saved_regs.gprs[15];
651 /* Put the regs back */
652 memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
653 /* put the stack back */
654 memcpy((void *) stack, kcb->jprobes_stack, MIN_STACK_SIZE(stack));
655 preempt_enable_no_resched();
659 static struct kprobe trampoline = {
660 .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
661 .pre_handler = trampoline_probe_handler
664 int __init arch_init_kprobes(void)
666 return register_kprobe(&trampoline);
669 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
671 return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline;
projects / linux-block.git / blob