1 // SPDX-License-Identifier: GPL-2.0+
3 * User-space Probes (UProbes)
5 * Copyright (C) IBM Corporation, 2008-2012
9 * Copyright (C) 2011-2012 Red Hat, Inc., Peter Zijlstra
12 #include <linux/kernel.h>
13 #include <linux/highmem.h>
14 #include <linux/pagemap.h> /* read_mapping_page */
15 #include <linux/slab.h>
16 #include <linux/sched.h>
17 #include <linux/sched/mm.h>
18 #include <linux/export.h>
19 #include <linux/rmap.h> /* anon_vma_prepare */
20 #include <linux/mmu_notifier.h>
21 #include <linux/swap.h> /* folio_free_swap */
22 #include <linux/ptrace.h> /* user_enable_single_step */
23 #include <linux/kdebug.h> /* notifier mechanism */
24 #include <linux/percpu-rwsem.h>
25 #include <linux/task_work.h>
26 #include <linux/shmem_fs.h>
27 #include <linux/khugepaged.h>
28 #include <linux/rcupdate_trace.h>
29 #include <linux/workqueue.h>
30 #include <linux/srcu.h>
31 #include <linux/oom.h> /* check_stable_address_space */
32 #include <linux/pagewalk.h>
34 #include <linux/uprobes.h>
36 #define UINSNS_PER_PAGE (PAGE_SIZE/UPROBE_XOL_SLOT_BYTES)
37 #define MAX_UPROBE_XOL_SLOTS UINSNS_PER_PAGE
39 static struct rb_root uprobes_tree = RB_ROOT;
41 * allows us to skip the uprobe_mmap if there are no uprobe events active
42 * at this time. Probably a fine grained per inode count is better?
44 #define no_uprobe_events() RB_EMPTY_ROOT(&uprobes_tree)
46 static DEFINE_RWLOCK(uprobes_treelock); /* serialize rbtree access */
47 static seqcount_rwlock_t uprobes_seqcount = SEQCNT_RWLOCK_ZERO(uprobes_seqcount, &uprobes_treelock);
49 #define UPROBES_HASH_SZ 13
50 /* serialize uprobe->pending_list */
51 static struct mutex uprobes_mmap_mutex[UPROBES_HASH_SZ];
52 #define uprobes_mmap_hash(v) (&uprobes_mmap_mutex[((unsigned long)(v)) % UPROBES_HASH_SZ])
54 DEFINE_STATIC_PERCPU_RWSEM(dup_mmap_sem);
56 /* Covers return_instance's uprobe lifetime. */
57 DEFINE_STATIC_SRCU(uretprobes_srcu);
59 /* Have a copy of original instruction */
60 #define UPROBE_COPY_INSN 0
63 struct rb_node rb_node; /* node in the rb tree */
65 struct rw_semaphore register_rwsem;
66 struct rw_semaphore consumer_rwsem;
67 struct list_head pending_list;
68 struct list_head consumers;
69 struct inode *inode; /* Also hold a ref to inode */
72 struct work_struct work;
75 loff_t ref_ctr_offset;
76 unsigned long flags; /* "unsigned long" so bitops work */
79 * The generic code assumes that it has two members of unknown type
80 * owned by the arch-specific code:
82 * insn - copy_insn() saves the original instruction here for
83 * arch_uprobe_analyze_insn().
85 * ixol - potentially modified instruction to execute out of
86 * line, copied to xol_area by xol_get_insn_slot().
88 struct arch_uprobe arch;
91 struct delayed_uprobe {
92 struct list_head list;
93 struct uprobe *uprobe;
97 static DEFINE_MUTEX(delayed_uprobe_lock);
98 static LIST_HEAD(delayed_uprobe_list);
101 * Execute out of line area: anonymous executable mapping installed
102 * by the probed task to execute the copy of the original instruction
103 * mangled by set_swbp().
105 * On a breakpoint hit, thread contests for a slot. It frees the
106 * slot after singlestep. Currently a fixed number of slots are
110 wait_queue_head_t wq; /* if all slots are busy */
111 unsigned long *bitmap; /* 0 = free slot */
115 * We keep the vma's vm_start rather than a pointer to the vma
116 * itself. The probed process or a naughty kernel module could make
117 * the vma go away, and we must handle that reasonably gracefully.
119 unsigned long vaddr; /* Page(s) of instruction slots */
122 static void uprobe_warn(struct task_struct *t, const char *msg)
124 pr_warn("uprobe: %s:%d failed to %s\n", current->comm, current->pid, msg);
128 * valid_vma: Verify if the specified vma is an executable vma
129 * Relax restrictions while unregistering: vm_flags might have
130 * changed after breakpoint was inserted.
131 * - is_register: indicates if we are in register context.
132 * - Return 1 if the specified virtual address is in an
135 static bool valid_vma(struct vm_area_struct *vma, bool is_register)
137 vm_flags_t flags = VM_HUGETLB | VM_MAYEXEC | VM_MAYSHARE;
142 return vma->vm_file && (vma->vm_flags & flags) == VM_MAYEXEC;
145 static unsigned long offset_to_vaddr(struct vm_area_struct *vma, loff_t offset)
147 return vma->vm_start + offset - ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
150 static loff_t vaddr_to_offset(struct vm_area_struct *vma, unsigned long vaddr)
152 return ((loff_t)vma->vm_pgoff << PAGE_SHIFT) + (vaddr - vma->vm_start);
156 * is_swbp_insn - check if instruction is breakpoint instruction.
157 * @insn: instruction to be checked.
158 * Default implementation of is_swbp_insn
159 * Returns true if @insn is a breakpoint instruction.
161 bool __weak is_swbp_insn(uprobe_opcode_t *insn)
163 return *insn == UPROBE_SWBP_INSN;
167 * is_trap_insn - check if instruction is breakpoint instruction.
168 * @insn: instruction to be checked.
169 * Default implementation of is_trap_insn
170 * Returns true if @insn is a breakpoint instruction.
172 * This function is needed for the case where an architecture has multiple
173 * trap instructions (like powerpc).
175 bool __weak is_trap_insn(uprobe_opcode_t *insn)
177 return is_swbp_insn(insn);
180 static void copy_from_page(struct page *page, unsigned long vaddr, void *dst, int len)
182 void *kaddr = kmap_atomic(page);
183 memcpy(dst, kaddr + (vaddr & ~PAGE_MASK), len);
184 kunmap_atomic(kaddr);
187 static void copy_to_page(struct page *page, unsigned long vaddr, const void *src, int len)
189 void *kaddr = kmap_atomic(page);
190 memcpy(kaddr + (vaddr & ~PAGE_MASK), src, len);
191 kunmap_atomic(kaddr);
194 static int verify_opcode(struct page *page, unsigned long vaddr, uprobe_opcode_t *new_opcode)
196 uprobe_opcode_t old_opcode;
200 * Note: We only check if the old_opcode is UPROBE_SWBP_INSN here.
201 * We do not check if it is any other 'trap variant' which could
202 * be conditional trap instruction such as the one powerpc supports.
204 * The logic is that we do not care if the underlying instruction
205 * is a trap variant; uprobes always wins over any other (gdb)
208 copy_from_page(page, vaddr, &old_opcode, UPROBE_SWBP_INSN_SIZE);
209 is_swbp = is_swbp_insn(&old_opcode);
211 if (is_swbp_insn(new_opcode)) {
212 if (is_swbp) /* register: already installed? */
215 if (!is_swbp) /* unregister: was it changed by us? */
222 static struct delayed_uprobe *
223 delayed_uprobe_check(struct uprobe *uprobe, struct mm_struct *mm)
225 struct delayed_uprobe *du;
227 list_for_each_entry(du, &delayed_uprobe_list, list)
228 if (du->uprobe == uprobe && du->mm == mm)
233 static int delayed_uprobe_add(struct uprobe *uprobe, struct mm_struct *mm)
235 struct delayed_uprobe *du;
237 if (delayed_uprobe_check(uprobe, mm))
240 du = kzalloc(sizeof(*du), GFP_KERNEL);
246 list_add(&du->list, &delayed_uprobe_list);
250 static void delayed_uprobe_delete(struct delayed_uprobe *du)
258 static void delayed_uprobe_remove(struct uprobe *uprobe, struct mm_struct *mm)
260 struct list_head *pos, *q;
261 struct delayed_uprobe *du;
266 list_for_each_safe(pos, q, &delayed_uprobe_list) {
267 du = list_entry(pos, struct delayed_uprobe, list);
269 if (uprobe && du->uprobe != uprobe)
271 if (mm && du->mm != mm)
274 delayed_uprobe_delete(du);
278 static bool valid_ref_ctr_vma(struct uprobe *uprobe,
279 struct vm_area_struct *vma)
281 unsigned long vaddr = offset_to_vaddr(vma, uprobe->ref_ctr_offset);
283 return uprobe->ref_ctr_offset &&
285 file_inode(vma->vm_file) == uprobe->inode &&
286 (vma->vm_flags & (VM_WRITE|VM_SHARED)) == VM_WRITE &&
287 vma->vm_start <= vaddr &&
291 static struct vm_area_struct *
292 find_ref_ctr_vma(struct uprobe *uprobe, struct mm_struct *mm)
294 VMA_ITERATOR(vmi, mm, 0);
295 struct vm_area_struct *tmp;
297 for_each_vma(vmi, tmp)
298 if (valid_ref_ctr_vma(uprobe, tmp))
305 __update_ref_ctr(struct mm_struct *mm, unsigned long vaddr, short d)
315 ret = get_user_pages_remote(mm, vaddr, 1,
316 FOLL_WRITE, &page, NULL);
317 if (unlikely(ret <= 0)) {
319 * We are asking for 1 page. If get_user_pages_remote() fails,
320 * it may return 0, in that case we have to return error.
322 return ret == 0 ? -EBUSY : ret;
325 kaddr = kmap_atomic(page);
326 ptr = kaddr + (vaddr & ~PAGE_MASK);
328 if (unlikely(*ptr + d < 0)) {
329 pr_warn("ref_ctr going negative. vaddr: 0x%lx, "
330 "curr val: %d, delta: %d\n", vaddr, *ptr, d);
338 kunmap_atomic(kaddr);
343 static void update_ref_ctr_warn(struct uprobe *uprobe,
344 struct mm_struct *mm, short d)
346 pr_warn("ref_ctr %s failed for inode: 0x%lx offset: "
347 "0x%llx ref_ctr_offset: 0x%llx of mm: 0x%p\n",
348 d > 0 ? "increment" : "decrement", uprobe->inode->i_ino,
349 (unsigned long long) uprobe->offset,
350 (unsigned long long) uprobe->ref_ctr_offset, mm);
353 static int update_ref_ctr(struct uprobe *uprobe, struct mm_struct *mm,
356 struct vm_area_struct *rc_vma;
357 unsigned long rc_vaddr;
360 rc_vma = find_ref_ctr_vma(uprobe, mm);
363 rc_vaddr = offset_to_vaddr(rc_vma, uprobe->ref_ctr_offset);
364 ret = __update_ref_ctr(mm, rc_vaddr, d);
366 update_ref_ctr_warn(uprobe, mm, d);
372 mutex_lock(&delayed_uprobe_lock);
374 ret = delayed_uprobe_add(uprobe, mm);
376 delayed_uprobe_remove(uprobe, mm);
377 mutex_unlock(&delayed_uprobe_lock);
382 static bool orig_page_is_identical(struct vm_area_struct *vma,
383 unsigned long vaddr, struct page *page, bool *pmd_mappable)
385 const pgoff_t index = vaddr_to_offset(vma, vaddr) >> PAGE_SHIFT;
386 struct folio *orig_folio = filemap_get_folio(vma->vm_file->f_mapping,
388 struct page *orig_page;
391 if (IS_ERR(orig_folio))
393 orig_page = folio_file_page(orig_folio, index);
395 *pmd_mappable = folio_test_pmd_mappable(orig_folio);
396 identical = folio_test_uptodate(orig_folio) &&
397 pages_identical(page, orig_page);
398 folio_put(orig_folio);
402 static int __uprobe_write_opcode(struct vm_area_struct *vma,
403 struct folio_walk *fw, struct folio *folio,
404 unsigned long opcode_vaddr, uprobe_opcode_t opcode)
406 const unsigned long vaddr = opcode_vaddr & PAGE_MASK;
407 const bool is_register = !!is_swbp_insn(&opcode);
410 /* For now, we'll only handle PTE-mapped folios. */
411 if (fw->level != FW_LEVEL_PTE)
415 * See can_follow_write_pte(): we'd actually prefer a writable PTE here,
416 * but the VMA might not be writable.
418 if (!pte_write(fw->pte)) {
419 if (!PageAnonExclusive(fw->page))
421 if (unlikely(userfaultfd_pte_wp(vma, fw->pte)))
423 /* SOFTDIRTY is handled via pte_mkdirty() below. */
427 * We'll temporarily unmap the page and flush the TLB, such that we can
428 * modify the page atomically.
430 flush_cache_page(vma, vaddr, pte_pfn(fw->pte));
431 fw->pte = ptep_clear_flush(vma, vaddr, fw->ptep);
432 copy_to_page(fw->page, opcode_vaddr, &opcode, UPROBE_SWBP_INSN_SIZE);
435 * When unregistering, we may only zap a PTE if uffd is disabled and
436 * there are no unexpected folio references ...
438 if (is_register || userfaultfd_missing(vma) ||
439 (folio_ref_count(folio) != folio_mapcount(folio) + 1 +
440 folio_test_swapcache(folio) * folio_nr_pages(folio)))
444 * ... and the mapped page is identical to the original page that
445 * would get faulted in on next access.
447 if (!orig_page_is_identical(vma, vaddr, fw->page, &pmd_mappable))
450 dec_mm_counter(vma->vm_mm, MM_ANONPAGES);
451 folio_remove_rmap_pte(folio, fw->page, vma);
452 if (!folio_mapped(folio) && folio_test_swapcache(folio) &&
453 folio_trylock(folio)) {
454 folio_free_swap(folio);
462 * Make sure that our copy_to_page() changes become visible before the
463 * set_pte_at() write.
466 /* We modified the page. Make sure to mark the PTE dirty. */
467 set_pte_at(vma->vm_mm, vaddr, fw->ptep, pte_mkdirty(fw->pte));
473 * Expect the breakpoint instruction to be the smallest size instruction for
474 * the architecture. If an arch has variable length instruction and the
475 * breakpoint instruction is not of the smallest length instruction
476 * supported by that architecture then we need to modify is_trap_at_addr and
477 * uprobe_write_opcode accordingly. This would never be a problem for archs
478 * that have fixed length instructions.
480 * uprobe_write_opcode - write the opcode at a given virtual address.
481 * @auprobe: arch specific probepoint information.
482 * @vma: the probed virtual memory area.
483 * @opcode_vaddr: the virtual address to store the opcode.
484 * @opcode: opcode to be written at @opcode_vaddr.
486 * Called with mm->mmap_lock held for read or write.
487 * Return 0 (success) or a negative errno.
489 int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma,
490 const unsigned long opcode_vaddr, uprobe_opcode_t opcode)
492 const unsigned long vaddr = opcode_vaddr & PAGE_MASK;
493 struct mm_struct *mm = vma->vm_mm;
494 struct uprobe *uprobe;
495 int ret, is_register, ref_ctr_updated = 0;
496 unsigned int gup_flags = FOLL_FORCE;
497 struct mmu_notifier_range range;
498 struct folio_walk fw;
502 is_register = is_swbp_insn(&opcode);
503 uprobe = container_of(auprobe, struct uprobe, arch);
505 if (WARN_ON_ONCE(!is_cow_mapping(vma->vm_flags)))
509 * When registering, we have to break COW to get an exclusive anonymous
510 * page that we can safely modify. Use FOLL_WRITE to trigger a write
511 * fault if required. When unregistering, we might be lucky and the
512 * anon page is already gone. So defer write faults until really
513 * required. Use FOLL_SPLIT_PMD, because __uprobe_write_opcode()
514 * cannot deal with PMDs yet.
517 gup_flags |= FOLL_WRITE | FOLL_SPLIT_PMD;
520 ret = get_user_pages_remote(mm, vaddr, 1, gup_flags, &page, NULL);
523 folio = page_folio(page);
525 ret = verify_opcode(page, opcode_vaddr, &opcode);
531 /* We are going to replace instruction, update ref_ctr. */
532 if (!ref_ctr_updated && uprobe->ref_ctr_offset) {
533 ret = update_ref_ctr(uprobe, mm, is_register ? 1 : -1);
543 if (unlikely(!folio_test_anon(folio))) {
544 VM_WARN_ON_ONCE(is_register);
551 * In the common case, we'll be able to zap the page when
552 * unregistering. So trigger MMU notifiers now, as we won't
553 * be able to do it under PTL.
555 mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm,
556 vaddr, vaddr + PAGE_SIZE);
557 mmu_notifier_invalidate_range_start(&range);
561 /* Walk the page tables again, to perform the actual update. */
562 if (folio_walk_start(&fw, vma, vaddr, 0)) {
564 ret = __uprobe_write_opcode(vma, &fw, folio, opcode_vaddr, opcode);
565 folio_walk_end(&fw, vma);
569 mmu_notifier_invalidate_range_end(&range);
574 gup_flags |= FOLL_WRITE | FOLL_SPLIT_PMD;
583 /* Revert back reference counter if instruction update failed. */
584 if (ret < 0 && is_register && ref_ctr_updated)
585 update_ref_ctr(uprobe, mm, -1);
587 /* try collapse pmd for compound page */
589 collapse_pte_mapped_thp(mm, vaddr, false);
591 return ret < 0 ? ret : 0;
595 * set_swbp - store breakpoint at a given address.
596 * @auprobe: arch specific probepoint information.
597 * @vma: the probed virtual memory area.
598 * @vaddr: the virtual address to insert the opcode.
600 * For mm @mm, store the breakpoint instruction at @vaddr.
601 * Return 0 (success) or a negative errno.
603 int __weak set_swbp(struct arch_uprobe *auprobe, struct vm_area_struct *vma,
606 return uprobe_write_opcode(auprobe, vma, vaddr, UPROBE_SWBP_INSN);
610 * set_orig_insn - Restore the original instruction.
611 * @vma: the probed virtual memory area.
612 * @auprobe: arch specific probepoint information.
613 * @vaddr: the virtual address to insert the opcode.
615 * For mm @mm, restore the original opcode (opcode) at @vaddr.
616 * Return 0 (success) or a negative errno.
618 int __weak set_orig_insn(struct arch_uprobe *auprobe,
619 struct vm_area_struct *vma, unsigned long vaddr)
621 return uprobe_write_opcode(auprobe, vma, vaddr,
622 *(uprobe_opcode_t *)&auprobe->insn);
625 /* uprobe should have guaranteed positive refcount */
626 static struct uprobe *get_uprobe(struct uprobe *uprobe)
628 refcount_inc(&uprobe->ref);
633 * uprobe should have guaranteed lifetime, which can be either of:
634 * - caller already has refcount taken (and wants an extra one);
635 * - uprobe is RCU protected and won't be freed until after grace period;
636 * - we are holding uprobes_treelock (for read or write, doesn't matter).
638 static struct uprobe *try_get_uprobe(struct uprobe *uprobe)
640 if (refcount_inc_not_zero(&uprobe->ref))
645 static inline bool uprobe_is_active(struct uprobe *uprobe)
647 return !RB_EMPTY_NODE(&uprobe->rb_node);
650 static void uprobe_free_rcu_tasks_trace(struct rcu_head *rcu)
652 struct uprobe *uprobe = container_of(rcu, struct uprobe, rcu);
657 static void uprobe_free_srcu(struct rcu_head *rcu)
659 struct uprobe *uprobe = container_of(rcu, struct uprobe, rcu);
661 call_rcu_tasks_trace(&uprobe->rcu, uprobe_free_rcu_tasks_trace);
664 static void uprobe_free_deferred(struct work_struct *work)
666 struct uprobe *uprobe = container_of(work, struct uprobe, work);
668 write_lock(&uprobes_treelock);
670 if (uprobe_is_active(uprobe)) {
671 write_seqcount_begin(&uprobes_seqcount);
672 rb_erase(&uprobe->rb_node, &uprobes_tree);
673 write_seqcount_end(&uprobes_seqcount);
676 write_unlock(&uprobes_treelock);
679 * If application munmap(exec_vma) before uprobe_unregister()
680 * gets called, we don't get a chance to remove uprobe from
681 * delayed_uprobe_list from remove_breakpoint(). Do it here.
683 mutex_lock(&delayed_uprobe_lock);
684 delayed_uprobe_remove(uprobe, NULL);
685 mutex_unlock(&delayed_uprobe_lock);
687 /* start srcu -> rcu_tasks_trace -> kfree chain */
688 call_srcu(&uretprobes_srcu, &uprobe->rcu, uprobe_free_srcu);
691 static void put_uprobe(struct uprobe *uprobe)
693 if (!refcount_dec_and_test(&uprobe->ref))
696 INIT_WORK(&uprobe->work, uprobe_free_deferred);
697 schedule_work(&uprobe->work);
700 /* Initialize hprobe as SRCU-protected "leased" uprobe */
701 static void hprobe_init_leased(struct hprobe *hprobe, struct uprobe *uprobe, int srcu_idx)
704 hprobe->state = HPROBE_LEASED;
705 hprobe->uprobe = uprobe;
706 hprobe->srcu_idx = srcu_idx;
709 /* Initialize hprobe as refcounted ("stable") uprobe (uprobe can be NULL). */
710 static void hprobe_init_stable(struct hprobe *hprobe, struct uprobe *uprobe)
712 hprobe->state = uprobe ? HPROBE_STABLE : HPROBE_GONE;
713 hprobe->uprobe = uprobe;
714 hprobe->srcu_idx = -1;
718 * hprobe_consume() fetches hprobe's underlying uprobe and detects whether
719 * uprobe is SRCU protected or is refcounted. hprobe_consume() can be
720 * used only once for a given hprobe.
722 * Caller has to call hprobe_finalize() and pass previous hprobe_state, so
723 * that hprobe_finalize() can perform SRCU unlock or put uprobe, whichever
726 static inline struct uprobe *hprobe_consume(struct hprobe *hprobe, enum hprobe_state *hstate)
728 *hstate = xchg(&hprobe->state, HPROBE_CONSUMED);
732 return hprobe->uprobe;
733 case HPROBE_GONE: /* uprobe is NULL, no SRCU */
734 case HPROBE_CONSUMED: /* uprobe was finalized already, do nothing */
737 WARN(1, "hprobe invalid state %d", *hstate);
743 * Reset hprobe state and, if hprobe was LEASED, release SRCU lock.
744 * hprobe_finalize() can only be used from current context after
745 * hprobe_consume() call (which determines uprobe and hstate value).
747 static void hprobe_finalize(struct hprobe *hprobe, enum hprobe_state hstate)
751 __srcu_read_unlock(&uretprobes_srcu, hprobe->srcu_idx);
754 put_uprobe(hprobe->uprobe);
757 case HPROBE_CONSUMED:
760 WARN(1, "hprobe invalid state %d", hstate);
766 * Attempt to switch (atomically) uprobe from being SRCU protected (LEASED)
767 * to refcounted (STABLE) state. Competes with hprobe_consume(); only one of
768 * them can win the race to perform SRCU unlocking. Whoever wins must perform
771 * Returns underlying valid uprobe or NULL, if there was no underlying uprobe
772 * to begin with or we failed to bump its refcount and it's going away.
774 * Returned non-NULL uprobe can be still safely used within an ongoing SRCU
775 * locked region. If `get` is true, it's guaranteed that non-NULL uprobe has
776 * an extra refcount for caller to assume and use. Otherwise, it's not
777 * guaranteed that returned uprobe has a positive refcount, so caller has to
778 * attempt try_get_uprobe(), if it needs to preserve uprobe beyond current
779 * SRCU lock region. See dup_utask().
781 static struct uprobe *hprobe_expire(struct hprobe *hprobe, bool get)
783 enum hprobe_state hstate;
786 * Caller should guarantee that return_instance is not going to be
787 * freed from under us. This can be achieved either through holding
788 * rcu_read_lock() or by owning return_instance in the first place.
790 * Underlying uprobe is itself protected from reuse by SRCU, so ensure
791 * SRCU lock is held properly.
793 lockdep_assert(srcu_read_lock_held(&uretprobes_srcu));
795 hstate = READ_ONCE(hprobe->state);
798 /* uprobe has positive refcount, bump refcount, if necessary */
799 return get ? get_uprobe(hprobe->uprobe) : hprobe->uprobe;
802 * SRCU was unlocked earlier and we didn't manage to take
803 * uprobe refcnt, so it's effectively NULL
806 case HPROBE_CONSUMED:
808 * uprobe was consumed, so it's effectively NULL as far as
809 * uretprobe processing logic is concerned
812 case HPROBE_LEASED: {
813 struct uprobe *uprobe = try_get_uprobe(hprobe->uprobe);
815 * Try to switch hprobe state, guarding against
816 * hprobe_consume() or another hprobe_expire() racing with us.
817 * Note, if we failed to get uprobe refcount, we use special
818 * HPROBE_GONE state to signal that hprobe->uprobe shouldn't
819 * be used as it will be freed after SRCU is unlocked.
821 if (try_cmpxchg(&hprobe->state, &hstate, uprobe ? HPROBE_STABLE : HPROBE_GONE)) {
822 /* We won the race, we are the ones to unlock SRCU */
823 __srcu_read_unlock(&uretprobes_srcu, hprobe->srcu_idx);
824 return get ? get_uprobe(uprobe) : uprobe;
828 * We lost the race, undo refcount bump (if it ever happened),
829 * unless caller would like an extra refcount anyways.
834 * Even if hprobe_consume() or another hprobe_expire() wins
835 * the state update race and unlocks SRCU from under us, we
836 * still have a guarantee that underyling uprobe won't be
837 * freed due to ongoing caller's SRCU lock region, so we can
838 * return it regardless. Also, if `get` was true, we also have
839 * an extra ref for the caller to own. This is used in dup_utask().
844 WARN(1, "unknown hprobe state %d", hstate);
849 static __always_inline
850 int uprobe_cmp(const struct inode *l_inode, const loff_t l_offset,
851 const struct uprobe *r)
853 if (l_inode < r->inode)
856 if (l_inode > r->inode)
859 if (l_offset < r->offset)
862 if (l_offset > r->offset)
868 #define __node_2_uprobe(node) \
869 rb_entry((node), struct uprobe, rb_node)
871 struct __uprobe_key {
876 static inline int __uprobe_cmp_key(const void *key, const struct rb_node *b)
878 const struct __uprobe_key *a = key;
879 return uprobe_cmp(a->inode, a->offset, __node_2_uprobe(b));
882 static inline int __uprobe_cmp(struct rb_node *a, const struct rb_node *b)
884 struct uprobe *u = __node_2_uprobe(a);
885 return uprobe_cmp(u->inode, u->offset, __node_2_uprobe(b));
889 * Assumes being inside RCU protected region.
890 * No refcount is taken on returned uprobe.
892 static struct uprobe *find_uprobe_rcu(struct inode *inode, loff_t offset)
894 struct __uprobe_key key = {
898 struct rb_node *node;
901 lockdep_assert(rcu_read_lock_trace_held());
904 seq = read_seqcount_begin(&uprobes_seqcount);
905 node = rb_find_rcu(&key, &uprobes_tree, __uprobe_cmp_key);
907 * Lockless RB-tree lookups can result only in false negatives.
908 * If the element is found, it is correct and can be returned
909 * under RCU protection. If we find nothing, we need to
910 * validate that seqcount didn't change. If it did, we have to
911 * try again as we might have missed the element (false
912 * negative). If seqcount is unchanged, search truly failed.
915 return __node_2_uprobe(node);
916 } while (read_seqcount_retry(&uprobes_seqcount, seq));
922 * Attempt to insert a new uprobe into uprobes_tree.
924 * If uprobe already exists (for given inode+offset), we just increment
925 * refcount of previously existing uprobe.
927 * If not, a provided new instance of uprobe is inserted into the tree (with
928 * assumed initial refcount == 1).
930 * In any case, we return a uprobe instance that ends up being in uprobes_tree.
931 * Caller has to clean up new uprobe instance, if it ended up not being
932 * inserted into the tree.
934 * We assume that uprobes_treelock is held for writing.
936 static struct uprobe *__insert_uprobe(struct uprobe *uprobe)
938 struct rb_node *node;
940 node = rb_find_add_rcu(&uprobe->rb_node, &uprobes_tree, __uprobe_cmp);
942 struct uprobe *u = __node_2_uprobe(node);
944 if (!try_get_uprobe(u)) {
945 rb_erase(node, &uprobes_tree);
946 RB_CLEAR_NODE(&u->rb_node);
957 * Acquire uprobes_treelock and insert uprobe into uprobes_tree
958 * (or reuse existing one, see __insert_uprobe() comments above).
960 static struct uprobe *insert_uprobe(struct uprobe *uprobe)
964 write_lock(&uprobes_treelock);
965 write_seqcount_begin(&uprobes_seqcount);
966 u = __insert_uprobe(uprobe);
967 write_seqcount_end(&uprobes_seqcount);
968 write_unlock(&uprobes_treelock);
974 ref_ctr_mismatch_warn(struct uprobe *cur_uprobe, struct uprobe *uprobe)
976 pr_warn("ref_ctr_offset mismatch. inode: 0x%lx offset: 0x%llx "
977 "ref_ctr_offset(old): 0x%llx ref_ctr_offset(new): 0x%llx\n",
978 uprobe->inode->i_ino, (unsigned long long) uprobe->offset,
979 (unsigned long long) cur_uprobe->ref_ctr_offset,
980 (unsigned long long) uprobe->ref_ctr_offset);
983 static struct uprobe *alloc_uprobe(struct inode *inode, loff_t offset,
984 loff_t ref_ctr_offset)
986 struct uprobe *uprobe, *cur_uprobe;
988 uprobe = kzalloc(sizeof(struct uprobe), GFP_KERNEL);
990 return ERR_PTR(-ENOMEM);
992 uprobe->inode = inode;
993 uprobe->offset = offset;
994 uprobe->ref_ctr_offset = ref_ctr_offset;
995 INIT_LIST_HEAD(&uprobe->consumers);
996 init_rwsem(&uprobe->register_rwsem);
997 init_rwsem(&uprobe->consumer_rwsem);
998 RB_CLEAR_NODE(&uprobe->rb_node);
999 refcount_set(&uprobe->ref, 1);
1001 /* add to uprobes_tree, sorted on inode:offset */
1002 cur_uprobe = insert_uprobe(uprobe);
1003 /* a uprobe exists for this inode:offset combination */
1004 if (cur_uprobe != uprobe) {
1005 if (cur_uprobe->ref_ctr_offset != uprobe->ref_ctr_offset) {
1006 ref_ctr_mismatch_warn(cur_uprobe, uprobe);
1007 put_uprobe(cur_uprobe);
1009 return ERR_PTR(-EINVAL);
1012 uprobe = cur_uprobe;
1018 static void consumer_add(struct uprobe *uprobe, struct uprobe_consumer *uc)
1020 static atomic64_t id;
1022 down_write(&uprobe->consumer_rwsem);
1023 list_add_rcu(&uc->cons_node, &uprobe->consumers);
1024 uc->id = (__u64) atomic64_inc_return(&id);
1025 up_write(&uprobe->consumer_rwsem);
1029 * For uprobe @uprobe, delete the consumer @uc.
1030 * Should never be called with consumer that's not part of @uprobe->consumers.
1032 static void consumer_del(struct uprobe *uprobe, struct uprobe_consumer *uc)
1034 down_write(&uprobe->consumer_rwsem);
1035 list_del_rcu(&uc->cons_node);
1036 up_write(&uprobe->consumer_rwsem);
1039 static int __copy_insn(struct address_space *mapping, struct file *filp,
1040 void *insn, int nbytes, loff_t offset)
1044 * Ensure that the page that has the original instruction is populated
1045 * and in page-cache. If ->read_folio == NULL it must be shmem_mapping(),
1046 * see uprobe_register().
1048 if (mapping->a_ops->read_folio)
1049 page = read_mapping_page(mapping, offset >> PAGE_SHIFT, filp);
1051 page = shmem_read_mapping_page(mapping, offset >> PAGE_SHIFT);
1053 return PTR_ERR(page);
1055 copy_from_page(page, offset, insn, nbytes);
1061 static int copy_insn(struct uprobe *uprobe, struct file *filp)
1063 struct address_space *mapping = uprobe->inode->i_mapping;
1064 loff_t offs = uprobe->offset;
1065 void *insn = &uprobe->arch.insn;
1066 int size = sizeof(uprobe->arch.insn);
1067 int len, err = -EIO;
1069 /* Copy only available bytes, -EIO if nothing was read */
1071 if (offs >= i_size_read(uprobe->inode))
1074 len = min_t(int, size, PAGE_SIZE - (offs & ~PAGE_MASK));
1075 err = __copy_insn(mapping, filp, insn, len, offs);
1087 static int prepare_uprobe(struct uprobe *uprobe, struct file *file,
1088 struct mm_struct *mm, unsigned long vaddr)
1092 if (test_bit(UPROBE_COPY_INSN, &uprobe->flags))
1095 /* TODO: move this into _register, until then we abuse this sem. */
1096 down_write(&uprobe->consumer_rwsem);
1097 if (test_bit(UPROBE_COPY_INSN, &uprobe->flags))
1100 ret = copy_insn(uprobe, file);
1105 if (is_trap_insn((uprobe_opcode_t *)&uprobe->arch.insn))
1108 ret = arch_uprobe_analyze_insn(&uprobe->arch, mm, vaddr);
1112 smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
1113 set_bit(UPROBE_COPY_INSN, &uprobe->flags);
1116 up_write(&uprobe->consumer_rwsem);
1121 static inline bool consumer_filter(struct uprobe_consumer *uc, struct mm_struct *mm)
1123 return !uc->filter || uc->filter(uc, mm);
1126 static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
1128 struct uprobe_consumer *uc;
1131 down_read(&uprobe->consumer_rwsem);
1132 list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
1133 ret = consumer_filter(uc, mm);
1137 up_read(&uprobe->consumer_rwsem);
1142 static int install_breakpoint(struct uprobe *uprobe, struct vm_area_struct *vma,
1143 unsigned long vaddr)
1145 struct mm_struct *mm = vma->vm_mm;
1149 ret = prepare_uprobe(uprobe, vma->vm_file, mm, vaddr);
1154 * set MMF_HAS_UPROBES in advance for uprobe_pre_sstep_notifier(),
1155 * the task can hit this breakpoint right after __replace_page().
1157 first_uprobe = !test_bit(MMF_HAS_UPROBES, &mm->flags);
1159 set_bit(MMF_HAS_UPROBES, &mm->flags);
1161 ret = set_swbp(&uprobe->arch, vma, vaddr);
1163 clear_bit(MMF_RECALC_UPROBES, &mm->flags);
1164 else if (first_uprobe)
1165 clear_bit(MMF_HAS_UPROBES, &mm->flags);
1170 static int remove_breakpoint(struct uprobe *uprobe, struct vm_area_struct *vma,
1171 unsigned long vaddr)
1173 struct mm_struct *mm = vma->vm_mm;
1175 set_bit(MMF_RECALC_UPROBES, &mm->flags);
1176 return set_orig_insn(&uprobe->arch, vma, vaddr);
1180 struct map_info *next;
1181 struct mm_struct *mm;
1182 unsigned long vaddr;
1185 static inline struct map_info *free_map_info(struct map_info *info)
1187 struct map_info *next = info->next;
1192 static struct map_info *
1193 build_map_info(struct address_space *mapping, loff_t offset, bool is_register)
1195 unsigned long pgoff = offset >> PAGE_SHIFT;
1196 struct vm_area_struct *vma;
1197 struct map_info *curr = NULL;
1198 struct map_info *prev = NULL;
1199 struct map_info *info;
1203 i_mmap_lock_read(mapping);
1204 vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff) {
1205 if (!valid_vma(vma, is_register))
1208 if (!prev && !more) {
1210 * Needs GFP_NOWAIT to avoid i_mmap_rwsem recursion through
1211 * reclaim. This is optimistic, no harm done if it fails.
1213 prev = kmalloc(sizeof(struct map_info),
1214 GFP_NOWAIT | __GFP_NOMEMALLOC | __GFP_NOWARN);
1223 if (!mmget_not_zero(vma->vm_mm))
1231 info->mm = vma->vm_mm;
1232 info->vaddr = offset_to_vaddr(vma, offset);
1234 i_mmap_unlock_read(mapping);
1246 info = kmalloc(sizeof(struct map_info), GFP_KERNEL);
1248 curr = ERR_PTR(-ENOMEM);
1258 prev = free_map_info(prev);
1263 register_for_each_vma(struct uprobe *uprobe, struct uprobe_consumer *new)
1265 bool is_register = !!new;
1266 struct map_info *info;
1269 percpu_down_write(&dup_mmap_sem);
1270 info = build_map_info(uprobe->inode->i_mapping,
1271 uprobe->offset, is_register);
1273 err = PTR_ERR(info);
1278 struct mm_struct *mm = info->mm;
1279 struct vm_area_struct *vma;
1281 if (err && is_register)
1284 * We take mmap_lock for writing to avoid the race with
1285 * find_active_uprobe_rcu() which takes mmap_lock for reading.
1286 * Thus this install_breakpoint() can not make
1287 * is_trap_at_addr() true right after find_uprobe_rcu()
1288 * returns NULL in find_active_uprobe_rcu().
1290 mmap_write_lock(mm);
1291 if (check_stable_address_space(mm))
1294 vma = find_vma(mm, info->vaddr);
1295 if (!vma || !valid_vma(vma, is_register) ||
1296 file_inode(vma->vm_file) != uprobe->inode)
1299 if (vma->vm_start > info->vaddr ||
1300 vaddr_to_offset(vma, info->vaddr) != uprobe->offset)
1304 /* consult only the "caller", new consumer. */
1305 if (consumer_filter(new, mm))
1306 err = install_breakpoint(uprobe, vma, info->vaddr);
1307 } else if (test_bit(MMF_HAS_UPROBES, &mm->flags)) {
1308 if (!filter_chain(uprobe, mm))
1309 err |= remove_breakpoint(uprobe, vma, info->vaddr);
1313 mmap_write_unlock(mm);
1316 info = free_map_info(info);
1319 percpu_up_write(&dup_mmap_sem);
1324 * uprobe_unregister_nosync - unregister an already registered probe.
1325 * @uprobe: uprobe to remove
1326 * @uc: identify which probe if multiple probes are colocated.
1328 void uprobe_unregister_nosync(struct uprobe *uprobe, struct uprobe_consumer *uc)
1332 down_write(&uprobe->register_rwsem);
1333 consumer_del(uprobe, uc);
1334 err = register_for_each_vma(uprobe, NULL);
1335 up_write(&uprobe->register_rwsem);
1337 /* TODO : cant unregister? schedule a worker thread */
1338 if (unlikely(err)) {
1339 uprobe_warn(current, "unregister, leaking uprobe");
1345 EXPORT_SYMBOL_GPL(uprobe_unregister_nosync);
1347 void uprobe_unregister_sync(void)
1350 * Now that handler_chain() and handle_uretprobe_chain() iterate over
1351 * uprobe->consumers list under RCU protection without holding
1352 * uprobe->register_rwsem, we need to wait for RCU grace period to
1353 * make sure that we can't call into just unregistered
1354 * uprobe_consumer's callbacks anymore. If we don't do that, fast and
1355 * unlucky enough caller can free consumer's memory and cause
1356 * handler_chain() or handle_uretprobe_chain() to do an use-after-free.
1358 synchronize_rcu_tasks_trace();
1359 synchronize_srcu(&uretprobes_srcu);
1361 EXPORT_SYMBOL_GPL(uprobe_unregister_sync);
1364 * uprobe_register - register a probe
1365 * @inode: the file in which the probe has to be placed.
1366 * @offset: offset from the start of the file.
1367 * @ref_ctr_offset: offset of SDT marker / reference counter
1368 * @uc: information on howto handle the probe..
1370 * Apart from the access refcount, uprobe_register() takes a creation
1371 * refcount (thro alloc_uprobe) if and only if this @uprobe is getting
1372 * inserted into the rbtree (i.e first consumer for a @inode:@offset
1373 * tuple). Creation refcount stops uprobe_unregister from freeing the
1374 * @uprobe even before the register operation is complete. Creation
1375 * refcount is released when the last @uc for the @uprobe
1376 * unregisters. Caller of uprobe_register() is required to keep @inode
1377 * (and the containing mount) referenced.
1379 * Return: pointer to the new uprobe on success or an ERR_PTR on failure.
1381 struct uprobe *uprobe_register(struct inode *inode,
1382 loff_t offset, loff_t ref_ctr_offset,
1383 struct uprobe_consumer *uc)
1385 struct uprobe *uprobe;
1388 /* Uprobe must have at least one set consumer */
1389 if (!uc->handler && !uc->ret_handler)
1390 return ERR_PTR(-EINVAL);
1392 /* copy_insn() uses read_mapping_page() or shmem_read_mapping_page() */
1393 if (!inode->i_mapping->a_ops->read_folio &&
1394 !shmem_mapping(inode->i_mapping))
1395 return ERR_PTR(-EIO);
1396 /* Racy, just to catch the obvious mistakes */
1397 if (offset > i_size_read(inode))
1398 return ERR_PTR(-EINVAL);
1401 * This ensures that copy_from_page(), copy_to_page() and
1402 * __update_ref_ctr() can't cross page boundary.
1404 if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE))
1405 return ERR_PTR(-EINVAL);
1406 if (!IS_ALIGNED(ref_ctr_offset, sizeof(short)))
1407 return ERR_PTR(-EINVAL);
1409 uprobe = alloc_uprobe(inode, offset, ref_ctr_offset);
1413 down_write(&uprobe->register_rwsem);
1414 consumer_add(uprobe, uc);
1415 ret = register_for_each_vma(uprobe, uc);
1416 up_write(&uprobe->register_rwsem);
1419 uprobe_unregister_nosync(uprobe, uc);
1421 * Registration might have partially succeeded, so we can have
1422 * this consumer being called right at this time. We need to
1423 * sync here. It's ok, it's unlikely slow path.
1425 uprobe_unregister_sync();
1426 return ERR_PTR(ret);
1431 EXPORT_SYMBOL_GPL(uprobe_register);
1434 * uprobe_apply - add or remove the breakpoints according to @uc->filter
1435 * @uprobe: uprobe which "owns" the breakpoint
1436 * @uc: consumer which wants to add more or remove some breakpoints
1437 * @add: add or remove the breakpoints
1438 * Return: 0 on success or negative error code.
1440 int uprobe_apply(struct uprobe *uprobe, struct uprobe_consumer *uc, bool add)
1442 struct uprobe_consumer *con;
1445 down_write(&uprobe->register_rwsem);
1447 rcu_read_lock_trace();
1448 list_for_each_entry_rcu(con, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
1450 ret = register_for_each_vma(uprobe, add ? uc : NULL);
1454 rcu_read_unlock_trace();
1456 up_write(&uprobe->register_rwsem);
1461 static int unapply_uprobe(struct uprobe *uprobe, struct mm_struct *mm)
1463 VMA_ITERATOR(vmi, mm, 0);
1464 struct vm_area_struct *vma;
1468 for_each_vma(vmi, vma) {
1469 unsigned long vaddr;
1472 if (!valid_vma(vma, false) ||
1473 file_inode(vma->vm_file) != uprobe->inode)
1476 offset = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
1477 if (uprobe->offset < offset ||
1478 uprobe->offset >= offset + vma->vm_end - vma->vm_start)
1481 vaddr = offset_to_vaddr(vma, uprobe->offset);
1482 err |= remove_breakpoint(uprobe, vma, vaddr);
1484 mmap_read_unlock(mm);
1489 static struct rb_node *
1490 find_node_in_range(struct inode *inode, loff_t min, loff_t max)
1492 struct rb_node *n = uprobes_tree.rb_node;
1495 struct uprobe *u = rb_entry(n, struct uprobe, rb_node);
1497 if (inode < u->inode) {
1499 } else if (inode > u->inode) {
1502 if (max < u->offset)
1504 else if (min > u->offset)
1515 * For a given range in vma, build a list of probes that need to be inserted.
1517 static void build_probe_list(struct inode *inode,
1518 struct vm_area_struct *vma,
1519 unsigned long start, unsigned long end,
1520 struct list_head *head)
1523 struct rb_node *n, *t;
1526 INIT_LIST_HEAD(head);
1527 min = vaddr_to_offset(vma, start);
1528 max = min + (end - start) - 1;
1530 read_lock(&uprobes_treelock);
1531 n = find_node_in_range(inode, min, max);
1533 for (t = n; t; t = rb_prev(t)) {
1534 u = rb_entry(t, struct uprobe, rb_node);
1535 if (u->inode != inode || u->offset < min)
1537 /* if uprobe went away, it's safe to ignore it */
1538 if (try_get_uprobe(u))
1539 list_add(&u->pending_list, head);
1541 for (t = n; (t = rb_next(t)); ) {
1542 u = rb_entry(t, struct uprobe, rb_node);
1543 if (u->inode != inode || u->offset > max)
1545 /* if uprobe went away, it's safe to ignore it */
1546 if (try_get_uprobe(u))
1547 list_add(&u->pending_list, head);
1550 read_unlock(&uprobes_treelock);
1553 /* @vma contains reference counter, not the probed instruction. */
1554 static int delayed_ref_ctr_inc(struct vm_area_struct *vma)
1556 struct list_head *pos, *q;
1557 struct delayed_uprobe *du;
1558 unsigned long vaddr;
1559 int ret = 0, err = 0;
1561 mutex_lock(&delayed_uprobe_lock);
1562 list_for_each_safe(pos, q, &delayed_uprobe_list) {
1563 du = list_entry(pos, struct delayed_uprobe, list);
1565 if (du->mm != vma->vm_mm ||
1566 !valid_ref_ctr_vma(du->uprobe, vma))
1569 vaddr = offset_to_vaddr(vma, du->uprobe->ref_ctr_offset);
1570 ret = __update_ref_ctr(vma->vm_mm, vaddr, 1);
1572 update_ref_ctr_warn(du->uprobe, vma->vm_mm, 1);
1576 delayed_uprobe_delete(du);
1578 mutex_unlock(&delayed_uprobe_lock);
1583 * Called from mmap_region/vma_merge with mm->mmap_lock acquired.
1585 * Currently we ignore all errors and always return 0, the callers
1586 * can't handle the failure anyway.
1588 int uprobe_mmap(struct vm_area_struct *vma)
1590 struct list_head tmp_list;
1591 struct uprobe *uprobe, *u;
1592 struct inode *inode;
1594 if (no_uprobe_events())
1598 (vma->vm_flags & (VM_WRITE|VM_SHARED)) == VM_WRITE &&
1599 test_bit(MMF_HAS_UPROBES, &vma->vm_mm->flags))
1600 delayed_ref_ctr_inc(vma);
1602 if (!valid_vma(vma, true))
1605 inode = file_inode(vma->vm_file);
1609 mutex_lock(uprobes_mmap_hash(inode));
1610 build_probe_list(inode, vma, vma->vm_start, vma->vm_end, &tmp_list);
1612 * We can race with uprobe_unregister(), this uprobe can be already
1613 * removed. But in this case filter_chain() must return false, all
1614 * consumers have gone away.
1616 list_for_each_entry_safe(uprobe, u, &tmp_list, pending_list) {
1617 if (!fatal_signal_pending(current) &&
1618 filter_chain(uprobe, vma->vm_mm)) {
1619 unsigned long vaddr = offset_to_vaddr(vma, uprobe->offset);
1620 install_breakpoint(uprobe, vma, vaddr);
1624 mutex_unlock(uprobes_mmap_hash(inode));
1630 vma_has_uprobes(struct vm_area_struct *vma, unsigned long start, unsigned long end)
1633 struct inode *inode;
1636 inode = file_inode(vma->vm_file);
1638 min = vaddr_to_offset(vma, start);
1639 max = min + (end - start) - 1;
1641 read_lock(&uprobes_treelock);
1642 n = find_node_in_range(inode, min, max);
1643 read_unlock(&uprobes_treelock);
1649 * Called in context of a munmap of a vma.
1651 void uprobe_munmap(struct vm_area_struct *vma, unsigned long start, unsigned long end)
1653 if (no_uprobe_events() || !valid_vma(vma, false))
1656 if (!atomic_read(&vma->vm_mm->mm_users)) /* called by mmput() ? */
1659 if (!test_bit(MMF_HAS_UPROBES, &vma->vm_mm->flags) ||
1660 test_bit(MMF_RECALC_UPROBES, &vma->vm_mm->flags))
1663 if (vma_has_uprobes(vma, start, end))
1664 set_bit(MMF_RECALC_UPROBES, &vma->vm_mm->flags);
1667 static vm_fault_t xol_fault(const struct vm_special_mapping *sm,
1668 struct vm_area_struct *vma, struct vm_fault *vmf)
1670 struct xol_area *area = vma->vm_mm->uprobes_state.xol_area;
1672 vmf->page = area->page;
1673 get_page(vmf->page);
1677 static int xol_mremap(const struct vm_special_mapping *sm, struct vm_area_struct *new_vma)
1682 static const struct vm_special_mapping xol_mapping = {
1683 .name = "[uprobes]",
1685 .mremap = xol_mremap,
1688 /* Slot allocation for XOL */
1689 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
1691 struct vm_area_struct *vma;
1694 if (mmap_write_lock_killable(mm))
1697 if (mm->uprobes_state.xol_area) {
1703 /* Try to map as high as possible, this is only a hint. */
1704 area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
1706 if (IS_ERR_VALUE(area->vaddr)) {
1712 vma = _install_special_mapping(mm, area->vaddr, PAGE_SIZE,
1713 VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO|
1722 /* pairs with get_xol_area() */
1723 smp_store_release(&mm->uprobes_state.xol_area, area); /* ^^^ */
1725 mmap_write_unlock(mm);
1730 void * __weak arch_uprobe_trampoline(unsigned long *psize)
1732 static uprobe_opcode_t insn = UPROBE_SWBP_INSN;
1734 *psize = UPROBE_SWBP_INSN_SIZE;
1738 static struct xol_area *__create_xol_area(unsigned long vaddr)
1740 struct mm_struct *mm = current->mm;
1741 unsigned long insns_size;
1742 struct xol_area *area;
1745 area = kzalloc(sizeof(*area), GFP_KERNEL);
1746 if (unlikely(!area))
1749 area->bitmap = kcalloc(BITS_TO_LONGS(UINSNS_PER_PAGE), sizeof(long),
1754 area->page = alloc_page(GFP_HIGHUSER | __GFP_ZERO);
1758 area->vaddr = vaddr;
1759 init_waitqueue_head(&area->wq);
1760 /* Reserve the 1st slot for get_trampoline_vaddr() */
1761 set_bit(0, area->bitmap);
1762 insns = arch_uprobe_trampoline(&insns_size);
1763 arch_uprobe_copy_ixol(area->page, 0, insns, insns_size);
1765 if (!xol_add_vma(mm, area))
1768 __free_page(area->page);
1770 kfree(area->bitmap);
1778 * get_xol_area - Allocate process's xol_area if necessary.
1779 * This area will be used for storing instructions for execution out of line.
1781 * Returns the allocated area or NULL.
1783 static struct xol_area *get_xol_area(void)
1785 struct mm_struct *mm = current->mm;
1786 struct xol_area *area;
1788 if (!mm->uprobes_state.xol_area)
1789 __create_xol_area(0);
1791 /* Pairs with xol_add_vma() smp_store_release() */
1792 area = READ_ONCE(mm->uprobes_state.xol_area); /* ^^^ */
1797 * uprobe_clear_state - Free the area allocated for slots.
1799 void uprobe_clear_state(struct mm_struct *mm)
1801 struct xol_area *area = mm->uprobes_state.xol_area;
1803 mutex_lock(&delayed_uprobe_lock);
1804 delayed_uprobe_remove(NULL, mm);
1805 mutex_unlock(&delayed_uprobe_lock);
1810 put_page(area->page);
1811 kfree(area->bitmap);
1815 void uprobe_start_dup_mmap(void)
1817 percpu_down_read(&dup_mmap_sem);
1820 void uprobe_end_dup_mmap(void)
1822 percpu_up_read(&dup_mmap_sem);
1825 void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm)
1827 if (test_bit(MMF_HAS_UPROBES, &oldmm->flags)) {
1828 set_bit(MMF_HAS_UPROBES, &newmm->flags);
1829 /* unconditionally, dup_mmap() skips VM_DONTCOPY vmas */
1830 set_bit(MMF_RECALC_UPROBES, &newmm->flags);
1834 static unsigned long xol_get_slot_nr(struct xol_area *area)
1836 unsigned long slot_nr;
1838 slot_nr = find_first_zero_bit(area->bitmap, UINSNS_PER_PAGE);
1839 if (slot_nr < UINSNS_PER_PAGE) {
1840 if (!test_and_set_bit(slot_nr, area->bitmap))
1844 return UINSNS_PER_PAGE;
1848 * xol_get_insn_slot - allocate a slot for xol.
1850 static bool xol_get_insn_slot(struct uprobe *uprobe, struct uprobe_task *utask)
1852 struct xol_area *area = get_xol_area();
1853 unsigned long slot_nr;
1858 wait_event(area->wq, (slot_nr = xol_get_slot_nr(area)) < UINSNS_PER_PAGE);
1860 utask->xol_vaddr = area->vaddr + slot_nr * UPROBE_XOL_SLOT_BYTES;
1861 arch_uprobe_copy_ixol(area->page, utask->xol_vaddr,
1862 &uprobe->arch.ixol, sizeof(uprobe->arch.ixol));
1867 * xol_free_insn_slot - free the slot allocated by xol_get_insn_slot()
1869 static void xol_free_insn_slot(struct uprobe_task *utask)
1871 struct xol_area *area = current->mm->uprobes_state.xol_area;
1872 unsigned long offset = utask->xol_vaddr - area->vaddr;
1873 unsigned int slot_nr;
1875 utask->xol_vaddr = 0;
1876 /* xol_vaddr must fit into [area->vaddr, area->vaddr + PAGE_SIZE) */
1877 if (WARN_ON_ONCE(offset >= PAGE_SIZE))
1880 slot_nr = offset / UPROBE_XOL_SLOT_BYTES;
1881 clear_bit(slot_nr, area->bitmap);
1882 smp_mb__after_atomic(); /* pairs with prepare_to_wait() */
1883 if (waitqueue_active(&area->wq))
1887 void __weak arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
1888 void *src, unsigned long len)
1890 /* Initialize the slot */
1891 copy_to_page(page, vaddr, src, len);
1894 * We probably need flush_icache_user_page() but it needs vma.
1895 * This should work on most of architectures by default. If
1896 * architecture needs to do something different it can define
1897 * its own version of the function.
1899 flush_dcache_page(page);
1903 * uprobe_get_swbp_addr - compute address of swbp given post-swbp regs
1904 * @regs: Reflects the saved state of the task after it has hit a breakpoint
1906 * Return the address of the breakpoint instruction.
1908 unsigned long __weak uprobe_get_swbp_addr(struct pt_regs *regs)
1910 return instruction_pointer(regs) - UPROBE_SWBP_INSN_SIZE;
1913 unsigned long uprobe_get_trap_addr(struct pt_regs *regs)
1915 struct uprobe_task *utask = current->utask;
1917 if (unlikely(utask && utask->active_uprobe))
1918 return utask->vaddr;
1920 return instruction_pointer(regs);
1923 static void ri_pool_push(struct uprobe_task *utask, struct return_instance *ri)
1926 ri->next = utask->ri_pool;
1927 utask->ri_pool = ri;
1930 static struct return_instance *ri_pool_pop(struct uprobe_task *utask)
1932 struct return_instance *ri = utask->ri_pool;
1935 utask->ri_pool = ri->next;
1940 static void ri_free(struct return_instance *ri)
1942 kfree(ri->extra_consumers);
1946 static void free_ret_instance(struct uprobe_task *utask,
1947 struct return_instance *ri, bool cleanup_hprobe)
1951 if (cleanup_hprobe) {
1952 enum hprobe_state hstate;
1954 (void)hprobe_consume(&ri->hprobe, &hstate);
1955 hprobe_finalize(&ri->hprobe, hstate);
1959 * At this point return_instance is unlinked from utask's
1960 * return_instances list and this has become visible to ri_timer().
1961 * If seqcount now indicates that ri_timer's return instance
1962 * processing loop isn't active, we can return ri into the pool of
1963 * to-be-reused return instances for future uretprobes. If ri_timer()
1964 * happens to be running right now, though, we fallback to safety and
1965 * just perform RCU-delated freeing of ri.
1966 * Admittedly, this is a rather simple use of seqcount, but it nicely
1967 * abstracts away all the necessary memory barriers, so we use
1968 * a well-supported kernel primitive here.
1970 if (raw_seqcount_try_begin(&utask->ri_seqcount, seq)) {
1971 /* immediate reuse of ri without RCU GP is OK */
1972 ri_pool_push(utask, ri);
1974 /* we might be racing with ri_timer(), so play it safe */
1980 * Called with no locks held.
1981 * Called in context of an exiting or an exec-ing thread.
1983 void uprobe_free_utask(struct task_struct *t)
1985 struct uprobe_task *utask = t->utask;
1986 struct return_instance *ri, *ri_next;
1992 WARN_ON_ONCE(utask->active_uprobe || utask->xol_vaddr);
1994 timer_delete_sync(&utask->ri_timer);
1996 ri = utask->return_instances;
1999 free_ret_instance(utask, ri, true /* cleanup_hprobe */);
2003 /* free_ret_instance() above might add to ri_pool, so this loop should come last */
2004 ri = utask->ri_pool;
2014 #define RI_TIMER_PERIOD (HZ / 10) /* 100 ms */
2016 #define for_each_ret_instance_rcu(pos, head) \
2017 for (pos = rcu_dereference_raw(head); pos; pos = rcu_dereference_raw(pos->next))
2019 static void ri_timer(struct timer_list *timer)
2021 struct uprobe_task *utask = container_of(timer, struct uprobe_task, ri_timer);
2022 struct return_instance *ri;
2024 /* SRCU protects uprobe from reuse for the cmpxchg() inside hprobe_expire(). */
2025 guard(srcu)(&uretprobes_srcu);
2026 /* RCU protects return_instance from freeing. */
2030 * See free_ret_instance() for notes on seqcount use.
2031 * We also employ raw API variants to avoid lockdep false-positive
2032 * warning complaining about enabled preemption. The timer can only be
2033 * invoked once for a uprobe_task. Therefore there can only be one
2034 * writer. The reader does not require an even sequence count to make
2035 * progress, so it is OK to remain preemptible on PREEMPT_RT.
2037 raw_write_seqcount_begin(&utask->ri_seqcount);
2039 for_each_ret_instance_rcu(ri, utask->return_instances)
2040 hprobe_expire(&ri->hprobe, false);
2042 raw_write_seqcount_end(&utask->ri_seqcount);
2045 static struct uprobe_task *alloc_utask(void)
2047 struct uprobe_task *utask;
2049 utask = kzalloc(sizeof(*utask), GFP_KERNEL);
2053 timer_setup(&utask->ri_timer, ri_timer, 0);
2054 seqcount_init(&utask->ri_seqcount);
2060 * Allocate a uprobe_task object for the task if necessary.
2061 * Called when the thread hits a breakpoint.
2064 * - pointer to new uprobe_task on success
2067 static struct uprobe_task *get_utask(void)
2069 if (!current->utask)
2070 current->utask = alloc_utask();
2071 return current->utask;
2074 static struct return_instance *alloc_return_instance(struct uprobe_task *utask)
2076 struct return_instance *ri;
2078 ri = ri_pool_pop(utask);
2082 ri = kzalloc(sizeof(*ri), GFP_KERNEL);
2084 return ZERO_SIZE_PTR;
2089 static struct return_instance *dup_return_instance(struct return_instance *old)
2091 struct return_instance *ri;
2093 ri = kmemdup(old, sizeof(*ri), GFP_KERNEL);
2097 if (unlikely(old->cons_cnt > 1)) {
2098 ri->extra_consumers = kmemdup(old->extra_consumers,
2099 sizeof(ri->extra_consumers[0]) * (old->cons_cnt - 1),
2101 if (!ri->extra_consumers) {
2110 static int dup_utask(struct task_struct *t, struct uprobe_task *o_utask)
2112 struct uprobe_task *n_utask;
2113 struct return_instance **p, *o, *n;
2114 struct uprobe *uprobe;
2116 n_utask = alloc_utask();
2121 /* protect uprobes from freeing, we'll need try_get_uprobe() them */
2122 guard(srcu)(&uretprobes_srcu);
2124 p = &n_utask->return_instances;
2125 for (o = o_utask->return_instances; o; o = o->next) {
2126 n = dup_return_instance(o);
2130 /* if uprobe is non-NULL, we'll have an extra refcount for uprobe */
2131 uprobe = hprobe_expire(&o->hprobe, true);
2134 * New utask will have stable properly refcounted uprobe or
2135 * NULL. Even if we failed to get refcounted uprobe, we still
2136 * need to preserve full set of return_instances for proper
2137 * uretprobe handling and nesting in forked task.
2139 hprobe_init_stable(&n->hprobe, uprobe);
2142 rcu_assign_pointer(*p, n);
2151 static void dup_xol_work(struct callback_head *work)
2153 if (current->flags & PF_EXITING)
2156 if (!__create_xol_area(current->utask->dup_xol_addr) &&
2157 !fatal_signal_pending(current))
2158 uprobe_warn(current, "dup xol area");
2162 * Called in context of a new clone/fork from copy_process.
2164 void uprobe_copy_process(struct task_struct *t, unsigned long flags)
2166 struct uprobe_task *utask = current->utask;
2167 struct mm_struct *mm = current->mm;
2168 struct xol_area *area;
2172 if (!utask || !utask->return_instances)
2175 if (mm == t->mm && !(flags & CLONE_VFORK))
2178 if (dup_utask(t, utask))
2179 return uprobe_warn(t, "dup ret instances");
2181 /* The task can fork() after dup_xol_work() fails */
2182 area = mm->uprobes_state.xol_area;
2184 return uprobe_warn(t, "dup xol area");
2189 t->utask->dup_xol_addr = area->vaddr;
2190 init_task_work(&t->utask->dup_xol_work, dup_xol_work);
2191 task_work_add(t, &t->utask->dup_xol_work, TWA_RESUME);
2195 * Current area->vaddr notion assume the trampoline address is always
2196 * equal area->vaddr.
2198 * Returns -1 in case the xol_area is not allocated.
2200 unsigned long uprobe_get_trampoline_vaddr(void)
2202 unsigned long trampoline_vaddr = UPROBE_NO_TRAMPOLINE_VADDR;
2203 struct xol_area *area;
2205 /* Pairs with xol_add_vma() smp_store_release() */
2206 area = READ_ONCE(current->mm->uprobes_state.xol_area); /* ^^^ */
2208 trampoline_vaddr = area->vaddr;
2210 return trampoline_vaddr;
2213 static void cleanup_return_instances(struct uprobe_task *utask, bool chained,
2214 struct pt_regs *regs)
2216 struct return_instance *ri = utask->return_instances, *ri_next;
2217 enum rp_check ctx = chained ? RP_CHECK_CHAIN_CALL : RP_CHECK_CALL;
2219 while (ri && !arch_uretprobe_is_alive(ri, ctx, regs)) {
2221 rcu_assign_pointer(utask->return_instances, ri_next);
2224 free_ret_instance(utask, ri, true /* cleanup_hprobe */);
2229 static void prepare_uretprobe(struct uprobe *uprobe, struct pt_regs *regs,
2230 struct return_instance *ri)
2232 struct uprobe_task *utask = current->utask;
2233 unsigned long orig_ret_vaddr, trampoline_vaddr;
2237 if (!get_xol_area())
2240 if (utask->depth >= MAX_URETPROBE_DEPTH) {
2241 printk_ratelimited(KERN_INFO "uprobe: omit uretprobe due to"
2242 " nestedness limit pid/tgid=%d/%d\n",
2243 current->pid, current->tgid);
2247 trampoline_vaddr = uprobe_get_trampoline_vaddr();
2248 orig_ret_vaddr = arch_uretprobe_hijack_return_addr(trampoline_vaddr, regs);
2249 if (orig_ret_vaddr == -1)
2252 /* drop the entries invalidated by longjmp() */
2253 chained = (orig_ret_vaddr == trampoline_vaddr);
2254 cleanup_return_instances(utask, chained, regs);
2257 * We don't want to keep trampoline address in stack, rather keep the
2258 * original return address of first caller thru all the consequent
2259 * instances. This also makes breakpoint unwrapping easier.
2262 if (!utask->return_instances) {
2264 * This situation is not possible. Likely we have an
2265 * attack from user-space.
2267 uprobe_warn(current, "handle tail call");
2270 orig_ret_vaddr = utask->return_instances->orig_ret_vaddr;
2273 /* __srcu_read_lock() because SRCU lock survives switch to user space */
2274 srcu_idx = __srcu_read_lock(&uretprobes_srcu);
2276 ri->func = instruction_pointer(regs);
2277 ri->stack = user_stack_pointer(regs);
2278 ri->orig_ret_vaddr = orig_ret_vaddr;
2279 ri->chained = chained;
2283 hprobe_init_leased(&ri->hprobe, uprobe, srcu_idx);
2284 ri->next = utask->return_instances;
2285 rcu_assign_pointer(utask->return_instances, ri);
2287 mod_timer(&utask->ri_timer, jiffies + RI_TIMER_PERIOD);
2294 /* Prepare to single-step probed instruction out of line. */
2296 pre_ssout(struct uprobe *uprobe, struct pt_regs *regs, unsigned long bp_vaddr)
2298 struct uprobe_task *utask = current->utask;
2301 if (!try_get_uprobe(uprobe))
2304 if (!xol_get_insn_slot(uprobe, utask)) {
2309 utask->vaddr = bp_vaddr;
2310 err = arch_uprobe_pre_xol(&uprobe->arch, regs);
2311 if (unlikely(err)) {
2312 xol_free_insn_slot(utask);
2316 utask->active_uprobe = uprobe;
2317 utask->state = UTASK_SSTEP;
2325 * If we are singlestepping, then ensure this thread is not connected to
2326 * non-fatal signals until completion of singlestep. When xol insn itself
2327 * triggers the signal, restart the original insn even if the task is
2328 * already SIGKILL'ed (since coredump should report the correct ip). This
2329 * is even more important if the task has a handler for SIGSEGV/etc, The
2330 * _same_ instruction should be repeated again after return from the signal
2331 * handler, and SSTEP can never finish in this case.
2333 bool uprobe_deny_signal(void)
2335 struct task_struct *t = current;
2336 struct uprobe_task *utask = t->utask;
2338 if (likely(!utask || !utask->active_uprobe))
2341 WARN_ON_ONCE(utask->state != UTASK_SSTEP);
2343 if (task_sigpending(t)) {
2344 utask->signal_denied = true;
2345 clear_tsk_thread_flag(t, TIF_SIGPENDING);
2347 if (__fatal_signal_pending(t) || arch_uprobe_xol_was_trapped(t)) {
2348 utask->state = UTASK_SSTEP_TRAPPED;
2349 set_tsk_thread_flag(t, TIF_UPROBE);
2356 static void mmf_recalc_uprobes(struct mm_struct *mm)
2358 VMA_ITERATOR(vmi, mm, 0);
2359 struct vm_area_struct *vma;
2361 for_each_vma(vmi, vma) {
2362 if (!valid_vma(vma, false))
2365 * This is not strictly accurate, we can race with
2366 * uprobe_unregister() and see the already removed
2367 * uprobe if delete_uprobe() was not yet called.
2368 * Or this uprobe can be filtered out.
2370 if (vma_has_uprobes(vma, vma->vm_start, vma->vm_end))
2374 clear_bit(MMF_HAS_UPROBES, &mm->flags);
2377 static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
2380 uprobe_opcode_t opcode;
2383 if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE)))
2386 pagefault_disable();
2387 result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr);
2390 if (likely(result == 0))
2393 result = get_user_pages(vaddr, 1, FOLL_FORCE, &page);
2397 copy_from_page(page, vaddr, &opcode, UPROBE_SWBP_INSN_SIZE);
2400 /* This needs to return true for any variant of the trap insn */
2401 return is_trap_insn(&opcode);
2404 static struct uprobe *find_active_uprobe_speculative(unsigned long bp_vaddr)
2406 struct mm_struct *mm = current->mm;
2407 struct uprobe *uprobe = NULL;
2408 struct vm_area_struct *vma;
2409 struct file *vm_file;
2415 if (!mmap_lock_speculate_try_begin(mm, &seq))
2418 vma = vma_lookup(mm, bp_vaddr);
2423 * vm_file memory can be reused for another instance of struct file,
2424 * but can't be freed from under us, so it's safe to read fields from
2425 * it, even if the values are some garbage values; ultimately
2426 * find_uprobe_rcu() + mmap_lock_speculation_end() check will ensure
2427 * that whatever we speculatively found is correct
2429 vm_file = READ_ONCE(vma->vm_file);
2433 offset = (loff_t)(vma->vm_pgoff << PAGE_SHIFT) + (bp_vaddr - vma->vm_start);
2434 uprobe = find_uprobe_rcu(vm_file->f_inode, offset);
2438 /* now double check that nothing about MM changed */
2439 if (mmap_lock_speculate_retry(mm, seq))
2445 /* assumes being inside RCU protected region */
2446 static struct uprobe *find_active_uprobe_rcu(unsigned long bp_vaddr, int *is_swbp)
2448 struct mm_struct *mm = current->mm;
2449 struct uprobe *uprobe = NULL;
2450 struct vm_area_struct *vma;
2452 uprobe = find_active_uprobe_speculative(bp_vaddr);
2457 vma = vma_lookup(mm, bp_vaddr);
2460 struct inode *inode = file_inode(vma->vm_file);
2461 loff_t offset = vaddr_to_offset(vma, bp_vaddr);
2463 uprobe = find_uprobe_rcu(inode, offset);
2467 *is_swbp = is_trap_at_addr(mm, bp_vaddr);
2472 if (!uprobe && test_and_clear_bit(MMF_RECALC_UPROBES, &mm->flags))
2473 mmf_recalc_uprobes(mm);
2474 mmap_read_unlock(mm);
2479 static struct return_instance *push_consumer(struct return_instance *ri, __u64 id, __u64 cookie)
2481 struct return_consumer *ric;
2483 if (unlikely(ri == ZERO_SIZE_PTR))
2486 if (unlikely(ri->cons_cnt > 0)) {
2487 ric = krealloc(ri->extra_consumers, sizeof(*ric) * ri->cons_cnt, GFP_KERNEL);
2490 return ZERO_SIZE_PTR;
2492 ri->extra_consumers = ric;
2495 ric = likely(ri->cons_cnt == 0) ? &ri->consumer : &ri->extra_consumers[ri->cons_cnt - 1];
2497 ric->cookie = cookie;
2503 static struct return_consumer *
2504 return_consumer_find(struct return_instance *ri, int *iter, int id)
2506 struct return_consumer *ric;
2509 for (idx = *iter; idx < ri->cons_cnt; idx++)
2511 ric = likely(idx == 0) ? &ri->consumer : &ri->extra_consumers[idx - 1];
2512 if (ric->id == id) {
2521 static bool ignore_ret_handler(int rc)
2523 return rc == UPROBE_HANDLER_REMOVE || rc == UPROBE_HANDLER_IGNORE;
2526 static void handler_chain(struct uprobe *uprobe, struct pt_regs *regs)
2528 struct uprobe_consumer *uc;
2529 bool has_consumers = false, remove = true;
2530 struct return_instance *ri = NULL;
2531 struct uprobe_task *utask = current->utask;
2533 utask->auprobe = &uprobe->arch;
2535 list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
2536 bool session = uc->handler && uc->ret_handler;
2541 rc = uc->handler(uc, regs, &cookie);
2542 WARN(rc < 0 || rc > 2,
2543 "bad rc=0x%x from %ps()\n", rc, uc->handler);
2546 remove &= rc == UPROBE_HANDLER_REMOVE;
2547 has_consumers = true;
2549 if (!uc->ret_handler || ignore_ret_handler(rc))
2553 ri = alloc_return_instance(utask);
2556 ri = push_consumer(ri, uc->id, cookie);
2558 utask->auprobe = NULL;
2560 if (!ZERO_OR_NULL_PTR(ri))
2561 prepare_uretprobe(uprobe, regs, ri);
2563 if (remove && has_consumers) {
2564 down_read(&uprobe->register_rwsem);
2566 /* re-check that removal is still required, this time under lock */
2567 if (!filter_chain(uprobe, current->mm)) {
2568 WARN_ON(!uprobe_is_active(uprobe));
2569 unapply_uprobe(uprobe, current->mm);
2572 up_read(&uprobe->register_rwsem);
2577 handle_uretprobe_chain(struct return_instance *ri, struct uprobe *uprobe, struct pt_regs *regs)
2579 struct return_consumer *ric;
2580 struct uprobe_consumer *uc;
2583 /* all consumers unsubscribed meanwhile */
2584 if (unlikely(!uprobe))
2587 rcu_read_lock_trace();
2588 list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
2589 bool session = uc->handler && uc->ret_handler;
2591 if (uc->ret_handler) {
2592 ric = return_consumer_find(ri, &ric_idx, uc->id);
2593 if (!session || ric)
2594 uc->ret_handler(uc, ri->func, regs, ric ? &ric->cookie : NULL);
2597 rcu_read_unlock_trace();
2600 static struct return_instance *find_next_ret_chain(struct return_instance *ri)
2605 chained = ri->chained;
2606 ri = ri->next; /* can't be NULL if chained */
2612 void uprobe_handle_trampoline(struct pt_regs *regs)
2614 struct uprobe_task *utask;
2615 struct return_instance *ri, *ri_next, *next_chain;
2616 struct uprobe *uprobe;
2617 enum hprobe_state hstate;
2620 utask = current->utask;
2624 ri = utask->return_instances;
2630 * We should throw out the frames invalidated by longjmp().
2631 * If this chain is valid, then the next one should be alive
2632 * or NULL; the latter case means that nobody but ri->func
2633 * could hit this trampoline on return. TODO: sigaltstack().
2635 next_chain = find_next_ret_chain(ri);
2636 valid = !next_chain || arch_uretprobe_is_alive(next_chain, RP_CHECK_RET, regs);
2638 instruction_pointer_set(regs, ri->orig_ret_vaddr);
2640 /* pop current instance from the stack of pending return instances,
2641 * as it's not pending anymore: we just fixed up original
2642 * instruction pointer in regs and are about to call handlers;
2643 * this allows fixup_uretprobe_trampoline_entries() to properly fix up
2644 * captured stack traces from uretprobe handlers, in which pending
2645 * trampoline addresses on the stack are replaced with correct
2646 * original return addresses
2649 rcu_assign_pointer(utask->return_instances, ri_next);
2652 uprobe = hprobe_consume(&ri->hprobe, &hstate);
2654 handle_uretprobe_chain(ri, uprobe, regs);
2655 hprobe_finalize(&ri->hprobe, hstate);
2657 /* We already took care of hprobe, no need to waste more time on that. */
2658 free_ret_instance(utask, ri, false /* !cleanup_hprobe */);
2660 } while (ri != next_chain);
2666 uprobe_warn(current, "handle uretprobe, sending SIGILL.");
2670 bool __weak arch_uprobe_ignore(struct arch_uprobe *aup, struct pt_regs *regs)
2675 bool __weak arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
2676 struct pt_regs *regs)
2682 * Run handler and ask thread to singlestep.
2683 * Ensure all non-fatal signals cannot interrupt thread while it singlesteps.
2685 static void handle_swbp(struct pt_regs *regs)
2687 struct uprobe *uprobe;
2688 unsigned long bp_vaddr;
2691 bp_vaddr = uprobe_get_swbp_addr(regs);
2692 if (bp_vaddr == uprobe_get_trampoline_vaddr())
2693 return uprobe_handle_trampoline(regs);
2695 rcu_read_lock_trace();
2697 uprobe = find_active_uprobe_rcu(bp_vaddr, &is_swbp);
2700 /* No matching uprobe; signal SIGTRAP. */
2704 * Either we raced with uprobe_unregister() or we can't
2705 * access this memory. The latter is only possible if
2706 * another thread plays with our ->mm. In both cases
2707 * we can simply restart. If this vma was unmapped we
2708 * can pretend this insn was not executed yet and get
2709 * the (correct) SIGSEGV after restart.
2711 instruction_pointer_set(regs, bp_vaddr);
2716 /* change it in advance for ->handler() and restart */
2717 instruction_pointer_set(regs, bp_vaddr);
2720 * TODO: move copy_insn/etc into _register and remove this hack.
2721 * After we hit the bp, _unregister + _register can install the
2722 * new and not-yet-analyzed uprobe at the same address, restart.
2724 if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags)))
2728 * Pairs with the smp_wmb() in prepare_uprobe().
2730 * Guarantees that if we see the UPROBE_COPY_INSN bit set, then
2731 * we must also see the stores to &uprobe->arch performed by the
2732 * prepare_uprobe() call.
2736 /* Tracing handlers use ->utask to communicate with fetch methods */
2740 if (arch_uprobe_ignore(&uprobe->arch, regs))
2743 handler_chain(uprobe, regs);
2745 if (arch_uprobe_skip_sstep(&uprobe->arch, regs))
2748 if (pre_ssout(uprobe, regs, bp_vaddr))
2752 /* arch_uprobe_skip_sstep() succeeded, or restart if can't singlestep */
2753 rcu_read_unlock_trace();
2757 * Perform required fix-ups and disable singlestep.
2758 * Allow pending signals to take effect.
2760 static void handle_singlestep(struct uprobe_task *utask, struct pt_regs *regs)
2762 struct uprobe *uprobe;
2765 uprobe = utask->active_uprobe;
2766 if (utask->state == UTASK_SSTEP_ACK)
2767 err = arch_uprobe_post_xol(&uprobe->arch, regs);
2768 else if (utask->state == UTASK_SSTEP_TRAPPED)
2769 arch_uprobe_abort_xol(&uprobe->arch, regs);
2774 utask->active_uprobe = NULL;
2775 utask->state = UTASK_RUNNING;
2776 xol_free_insn_slot(utask);
2778 if (utask->signal_denied) {
2779 set_thread_flag(TIF_SIGPENDING);
2780 utask->signal_denied = false;
2783 if (unlikely(err)) {
2784 uprobe_warn(current, "execute the probed insn, sending SIGILL.");
2790 * On breakpoint hit, breakpoint notifier sets the TIF_UPROBE flag and
2791 * allows the thread to return from interrupt. After that handle_swbp()
2792 * sets utask->active_uprobe.
2794 * On singlestep exception, singlestep notifier sets the TIF_UPROBE flag
2795 * and allows the thread to return from interrupt.
2797 * While returning to userspace, thread notices the TIF_UPROBE flag and calls
2798 * uprobe_notify_resume().
2800 void uprobe_notify_resume(struct pt_regs *regs)
2802 struct uprobe_task *utask;
2804 clear_thread_flag(TIF_UPROBE);
2806 utask = current->utask;
2807 if (utask && utask->active_uprobe)
2808 handle_singlestep(utask, regs);
2814 * uprobe_pre_sstep_notifier gets called from interrupt context as part of
2815 * notifier mechanism. Set TIF_UPROBE flag and indicate breakpoint hit.
2817 int uprobe_pre_sstep_notifier(struct pt_regs *regs)
2822 if (!test_bit(MMF_HAS_UPROBES, ¤t->mm->flags) &&
2823 (!current->utask || !current->utask->return_instances))
2826 set_thread_flag(TIF_UPROBE);
2831 * uprobe_post_sstep_notifier gets called in interrupt context as part of notifier
2832 * mechanism. Set TIF_UPROBE flag and indicate completion of singlestep.
2834 int uprobe_post_sstep_notifier(struct pt_regs *regs)
2836 struct uprobe_task *utask = current->utask;
2838 if (!current->mm || !utask || !utask->active_uprobe)
2839 /* task is currently not uprobed */
2842 utask->state = UTASK_SSTEP_ACK;
2843 set_thread_flag(TIF_UPROBE);
2847 static struct notifier_block uprobe_exception_nb = {
2848 .notifier_call = arch_uprobe_exception_notify,
2849 .priority = INT_MAX-1, /* notified after kprobes, kgdb */
2852 void __init uprobes_init(void)
2856 for (i = 0; i < UPROBES_HASH_SZ; i++)
2857 mutex_init(&uprobes_mmap_mutex[i]);
2859 BUG_ON(register_die_notifier(&uprobe_exception_nb));
projects / linux-2.6-block.git / blob