powerpc/kernel/kprobes.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  *  Kernel Probes (KProbes)
0004  *
0005  * Copyright (C) IBM Corporation, 2002, 2004
0006  *
0007  * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
0008  *      Probes initial implementation ( includes contributions from
0009  *      Rusty Russell).
0010  * 2004-July    Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
0011  *      interface to access function arguments.
0012  * 2004-Nov Ananth N Mavinakayanahalli <ananth@in.ibm.com> kprobes port
0013  *      for PPC64
0014  */
0015
0016 #include <linux/kprobes.h>
0017 #include <linux/ptrace.h>
0018 #include <linux/preempt.h>
0019 #include <linux/extable.h>
0020 #include <linux/kdebug.h>
0021 #include <linux/slab.h>
0022 #include <linux/moduleloader.h>
0023 #include <asm/code-patching.h>
0024 #include <asm/cacheflush.h>
0025 #include <asm/sstep.h>
0026 #include <asm/sections.h>
0027 #include <asm/inst.h>
0028 #include <asm/set_memory.h>
0029 #include <linux/uaccess.h>
0030
0031 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
0032 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
0033
0034 struct kretprobe_blackpoint kretprobe_blacklist[] = {{NULL, NULL}};
0035
0036 bool arch_within_kprobe_blacklist(unsigned long addr)
0037 {
0038     return  (addr >= (unsigned long)__kprobes_text_start &&
0039          addr < (unsigned long)__kprobes_text_end) ||
0040         (addr >= (unsigned long)_stext &&
0041          addr < (unsigned long)__head_end);
0042 }
0043
0044 kprobe_opcode_t *kprobe_lookup_name(const char *name, unsigned int offset)
0045 {
0046     kprobe_opcode_t *addr = NULL;
0047
0048 #ifdef CONFIG_PPC64_ELF_ABI_V2
0049     /* PPC64 ABIv2 needs local entry point */
0050     addr = (kprobe_opcode_t *)kallsyms_lookup_name(name);
0051     if (addr && !offset) {
0052 #ifdef CONFIG_KPROBES_ON_FTRACE
0053         unsigned long faddr;
0054         /*
0055          * Per livepatch.h, ftrace location is always within the first
0056          * 16 bytes of a function on powerpc with -mprofile-kernel.
0057          */
0058         faddr = ftrace_location_range((unsigned long)addr,
0059                           (unsigned long)addr + 16);
0060         if (faddr)
0061             addr = (kprobe_opcode_t *)faddr;
0062         else
0063 #endif
0064             addr = (kprobe_opcode_t *)ppc_function_entry(addr);
0065     }
0066 #elif defined(CONFIG_PPC64_ELF_ABI_V1)
0067     /*
0068      * 64bit powerpc ABIv1 uses function descriptors:
0069      * - Check for the dot variant of the symbol first.
0070      * - If that fails, try looking up the symbol provided.
0071      *
0072      * This ensures we always get to the actual symbol and not
0073      * the descriptor.
0074      *
0075      * Also handle <module:symbol> format.
0076      */
0077     char dot_name[MODULE_NAME_LEN + 1 + KSYM_NAME_LEN];
0078     bool dot_appended = false;
0079     const char *c;
0080     ssize_t ret = 0;
0081     int len = 0;
0082
0083     if ((c = strnchr(name, MODULE_NAME_LEN, ':')) != NULL) {
0084         c++;
0085         len = c - name;
0086         memcpy(dot_name, name, len);
0087     } else
0088         c = name;
0089
0090     if (*c != '\0' && *c != '.') {
0091         dot_name[len++] = '.';
0092         dot_appended = true;
0093     }
0094     ret = strscpy(dot_name + len, c, KSYM_NAME_LEN);
0095     if (ret > 0)
0096         addr = (kprobe_opcode_t *)kallsyms_lookup_name(dot_name);
0097
0098     /* Fallback to the original non-dot symbol lookup */
0099     if (!addr && dot_appended)
0100         addr = (kprobe_opcode_t *)kallsyms_lookup_name(name);
0101 #else
0102     addr = (kprobe_opcode_t *)kallsyms_lookup_name(name);
0103 #endif
0104
0105     return addr;
0106 }
0107
0108 static bool arch_kprobe_on_func_entry(unsigned long offset)
0109 {
0110 #ifdef CONFIG_PPC64_ELF_ABI_V2
0111 #ifdef CONFIG_KPROBES_ON_FTRACE
0112     return offset <= 16;
0113 #else
0114     return offset <= 8;
0115 #endif
0116 #else
0117     return !offset;
0118 #endif
0119 }
0120
0121 /* XXX try and fold the magic of kprobe_lookup_name() in this */
0122 kprobe_opcode_t *arch_adjust_kprobe_addr(unsigned long addr, unsigned long offset,
0123                      bool *on_func_entry)
0124 {
0125     *on_func_entry = arch_kprobe_on_func_entry(offset);
0126     return (kprobe_opcode_t *)(addr + offset);
0127 }
0128
0129 void *alloc_insn_page(void)
0130 {
0131     void *page;
0132
0133     page = module_alloc(PAGE_SIZE);
0134     if (!page)
0135         return NULL;
0136
0137     if (strict_module_rwx_enabled()) {
0138         set_memory_ro((unsigned long)page, 1);
0139         set_memory_x((unsigned long)page, 1);
0140     }
0141     return page;
0142 }
0143
0144 int arch_prepare_kprobe(struct kprobe *p)
0145 {
0146     int ret = 0;
0147     struct kprobe *prev;
0148     ppc_inst_t insn = ppc_inst_read(p->addr);
0149
0150     if ((unsigned long)p->addr & 0x03) {
0151         printk("Attempt to register kprobe at an unaligned address\n");
0152         ret = -EINVAL;
0153     } else if (!can_single_step(ppc_inst_val(insn))) {
0154         printk("Cannot register a kprobe on instructions that can't be single stepped\n");
0155         ret = -EINVAL;
0156     } else if ((unsigned long)p->addr & ~PAGE_MASK &&
0157            ppc_inst_prefixed(ppc_inst_read(p->addr - 1))) {
0158         printk("Cannot register a kprobe on the second word of prefixed instruction\n");
0159         ret = -EINVAL;
0160     }
0161     preempt_disable();
0162     prev = get_kprobe(p->addr - 1);
0163     preempt_enable_no_resched();
0164     if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
0165         printk("Cannot register a kprobe on the second word of prefixed instruction\n");
0166         ret = -EINVAL;
0167     }
0168
0169     /* insn must be on a special executable page on ppc64.  This is
0170      * not explicitly required on ppc32 (right now), but it doesn't hurt */
0171     if (!ret) {
0172         p->ainsn.insn = get_insn_slot();
0173         if (!p->ainsn.insn)
0174             ret = -ENOMEM;
0175     }
0176
0177     if (!ret) {
0178         patch_instruction(p->ainsn.insn, insn);
0179         p->opcode = ppc_inst_val(insn);
0180     }
0181
0182     p->ainsn.boostable = 0;
0183     return ret;
0184 }
0185 NOKPROBE_SYMBOL(arch_prepare_kprobe);
0186
0187 void arch_arm_kprobe(struct kprobe *p)
0188 {
0189     WARN_ON_ONCE(patch_instruction(p->addr, ppc_inst(BREAKPOINT_INSTRUCTION)));
0190 }
0191 NOKPROBE_SYMBOL(arch_arm_kprobe);
0192
0193 void arch_disarm_kprobe(struct kprobe *p)
0194 {
0195     WARN_ON_ONCE(patch_instruction(p->addr, ppc_inst(p->opcode)));
0196 }
0197 NOKPROBE_SYMBOL(arch_disarm_kprobe);
0198
0199 void arch_remove_kprobe(struct kprobe *p)
0200 {
0201     if (p->ainsn.insn) {
0202         free_insn_slot(p->ainsn.insn, 0);
0203         p->ainsn.insn = NULL;
0204     }
0205 }
0206 NOKPROBE_SYMBOL(arch_remove_kprobe);
0207
0208 static nokprobe_inline void prepare_singlestep(struct kprobe *p, struct pt_regs *regs)
0209 {
0210     enable_single_step(regs);
0211
0212     /*
0213      * On powerpc we should single step on the original
0214      * instruction even if the probed insn is a trap
0215      * variant as values in regs could play a part in
0216      * if the trap is taken or not
0217      */
0218     regs_set_return_ip(regs, (unsigned long)p->ainsn.insn);
0219 }
0220
0221 static nokprobe_inline void save_previous_kprobe(struct kprobe_ctlblk *kcb)
0222 {
0223     kcb->prev_kprobe.kp = kprobe_running();
0224     kcb->prev_kprobe.status = kcb->kprobe_status;
0225     kcb->prev_kprobe.saved_msr = kcb->kprobe_saved_msr;
0226 }
0227
0228 static nokprobe_inline void restore_previous_kprobe(struct kprobe_ctlblk *kcb)
0229 {
0230     __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
0231     kcb->kprobe_status = kcb->prev_kprobe.status;
0232     kcb->kprobe_saved_msr = kcb->prev_kprobe.saved_msr;
0233 }
0234
0235 static nokprobe_inline void set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
0236                 struct kprobe_ctlblk *kcb)
0237 {
0238     __this_cpu_write(current_kprobe, p);
0239     kcb->kprobe_saved_msr = regs->msr;
0240 }
0241
0242 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
0243 {
0244     ri->ret_addr = (kprobe_opcode_t *)regs->link;
0245     ri->fp = NULL;
0246
0247     /* Replace the return addr with trampoline addr */
0248     regs->link = (unsigned long)__kretprobe_trampoline;
0249 }
0250 NOKPROBE_SYMBOL(arch_prepare_kretprobe);
0251
0252 static int try_to_emulate(struct kprobe *p, struct pt_regs *regs)
0253 {
0254     int ret;
0255     ppc_inst_t insn = ppc_inst_read(p->ainsn.insn);
0256
0257     /* regs->nip is also adjusted if emulate_step returns 1 */
0258     ret = emulate_step(regs, insn);
0259     if (ret > 0) {
0260         /*
0261          * Once this instruction has been boosted
0262          * successfully, set the boostable flag
0263          */
0264         if (unlikely(p->ainsn.boostable == 0))
0265             p->ainsn.boostable = 1;
0266     } else if (ret < 0) {
0267         /*
0268          * We don't allow kprobes on mtmsr(d)/rfi(d), etc.
0269          * So, we should never get here... but, its still
0270          * good to catch them, just in case...
0271          */
0272         printk("Can't step on instruction %08lx\n", ppc_inst_as_ulong(insn));
0273         BUG();
0274     } else {
0275         /*
0276          * If we haven't previously emulated this instruction, then it
0277          * can't be boosted. Note it down so we don't try to do so again.
0278          *
0279          * If, however, we had emulated this instruction in the past,
0280          * then this is just an error with the current run (for
0281          * instance, exceptions due to a load/store). We return 0 so
0282          * that this is now single-stepped, but continue to try
0283          * emulating it in subsequent probe hits.
0284          */
0285         if (unlikely(p->ainsn.boostable != 1))
0286             p->ainsn.boostable = -1;
0287     }
0288
0289     return ret;
0290 }
0291 NOKPROBE_SYMBOL(try_to_emulate);
0292
0293 int kprobe_handler(struct pt_regs *regs)
0294 {
0295     struct kprobe *p;
0296     int ret = 0;
0297     unsigned int *addr = (unsigned int *)regs->nip;
0298     struct kprobe_ctlblk *kcb;
0299
0300     if (user_mode(regs))
0301         return 0;
0302
0303     if (!IS_ENABLED(CONFIG_BOOKE) &&
0304         (!(regs->msr & MSR_IR) || !(regs->msr & MSR_DR)))
0305         return 0;
0306
0307     /*
0308      * We don't want to be preempted for the entire
0309      * duration of kprobe processing
0310      */
0311     preempt_disable();
0312     kcb = get_kprobe_ctlblk();
0313
0314     p = get_kprobe(addr);
0315     if (!p) {
0316         unsigned int instr;
0317
0318         if (get_kernel_nofault(instr, addr))
0319             goto no_kprobe;
0320
0321         if (instr != BREAKPOINT_INSTRUCTION) {
0322             /*
0323              * PowerPC has multiple variants of the "trap"
0324              * instruction. If the current instruction is a
0325              * trap variant, it could belong to someone else
0326              */
0327             if (is_trap(instr))
0328                 goto no_kprobe;
0329             /*
0330              * The breakpoint instruction was removed right
0331              * after we hit it.  Another cpu has removed
0332              * either a probepoint or a debugger breakpoint
0333              * at this address.  In either case, no further
0334              * handling of this interrupt is appropriate.
0335              */
0336             ret = 1;
0337         }
0338         /* Not one of ours: let kernel handle it */
0339         goto no_kprobe;
0340     }
0341
0342     /* Check we're not actually recursing */
0343     if (kprobe_running()) {
0344         kprobe_opcode_t insn = *p->ainsn.insn;
0345         if (kcb->kprobe_status == KPROBE_HIT_SS && is_trap(insn)) {
0346             /* Turn off 'trace' bits */
0347             regs_set_return_msr(regs,
0348                 (regs->msr & ~MSR_SINGLESTEP) |
0349                 kcb->kprobe_saved_msr);
0350             goto no_kprobe;
0351         }
0352
0353         /*
0354          * We have reentered the kprobe_handler(), since another probe
0355          * was hit while within the handler. We here save the original
0356          * kprobes variables and just single step on the instruction of
0357          * the new probe without calling any user handlers.
0358          */
0359         save_previous_kprobe(kcb);
0360         set_current_kprobe(p, regs, kcb);
0361         kprobes_inc_nmissed_count(p);
0362         kcb->kprobe_status = KPROBE_REENTER;
0363         if (p->ainsn.boostable >= 0) {
0364             ret = try_to_emulate(p, regs);
0365
0366             if (ret > 0) {
0367                 restore_previous_kprobe(kcb);
0368                 preempt_enable_no_resched();
0369                 return 1;
0370             }
0371         }
0372         prepare_singlestep(p, regs);
0373         return 1;
0374     }
0375
0376     kcb->kprobe_status = KPROBE_HIT_ACTIVE;
0377     set_current_kprobe(p, regs, kcb);
0378     if (p->pre_handler && p->pre_handler(p, regs)) {
0379         /* handler changed execution path, so skip ss setup */
0380         reset_current_kprobe();
0381         preempt_enable_no_resched();
0382         return 1;
0383     }
0384
0385     if (p->ainsn.boostable >= 0) {
0386         ret = try_to_emulate(p, regs);
0387
0388         if (ret > 0) {
0389             if (p->post_handler)
0390                 p->post_handler(p, regs, 0);
0391
0392             kcb->kprobe_status = KPROBE_HIT_SSDONE;
0393             reset_current_kprobe();
0394             preempt_enable_no_resched();
0395             return 1;
0396         }
0397     }
0398     prepare_singlestep(p, regs);
0399     kcb->kprobe_status = KPROBE_HIT_SS;
0400     return 1;
0401
0402 no_kprobe:
0403     preempt_enable_no_resched();
0404     return ret;
0405 }
0406 NOKPROBE_SYMBOL(kprobe_handler);
0407
0408 /*
0409  * Function return probe trampoline:
0410  *  - init_kprobes() establishes a probepoint here
0411  *  - When the probed function returns, this probe
0412  *      causes the handlers to fire
0413  */
0414 asm(".global __kretprobe_trampoline\n"
0415     ".type __kretprobe_trampoline, @function\n"
0416     "__kretprobe_trampoline:\n"
0417     "nop\n"
0418     "blr\n"
0419     ".size __kretprobe_trampoline, .-__kretprobe_trampoline\n");
0420
0421 /*
0422  * Called when the probe at kretprobe trampoline is hit
0423  */
0424 static int trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
0425 {
0426     unsigned long orig_ret_address;
0427
0428     orig_ret_address = __kretprobe_trampoline_handler(regs, NULL);
0429     /*
0430      * We get here through one of two paths:
0431      * 1. by taking a trap -> kprobe_handler() -> here
0432      * 2. by optprobe branch -> optimized_callback() -> opt_pre_handler() -> here
0433      *
0434      * When going back through (1), we need regs->nip to be setup properly
0435      * as it is used to determine the return address from the trap.
0436      * For (2), since nip is not honoured with optprobes, we instead setup
0437      * the link register properly so that the subsequent 'blr' in
0438      * __kretprobe_trampoline jumps back to the right instruction.
0439      *
0440      * For nip, we should set the address to the previous instruction since
0441      * we end up emulating it in kprobe_handler(), which increments the nip
0442      * again.
0443      */
0444     regs_set_return_ip(regs, orig_ret_address - 4);
0445     regs->link = orig_ret_address;
0446
0447     return 0;
0448 }
0449 NOKPROBE_SYMBOL(trampoline_probe_handler);
0450
0451 /*
0452  * Called after single-stepping.  p->addr is the address of the
0453  * instruction whose first byte has been replaced by the "breakpoint"
0454  * instruction.  To avoid the SMP problems that can occur when we
0455  * temporarily put back the original opcode to single-step, we
0456  * single-stepped a copy of the instruction.  The address of this
0457  * copy is p->ainsn.insn.
0458  */
0459 int kprobe_post_handler(struct pt_regs *regs)
0460 {
0461     int len;
0462     struct kprobe *cur = kprobe_running();
0463     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
0464
0465     if (!cur || user_mode(regs))
0466         return 0;
0467
0468     len = ppc_inst_len(ppc_inst_read(cur->ainsn.insn));
0469     /* make sure we got here for instruction we have a kprobe on */
0470     if (((unsigned long)cur->ainsn.insn + len) != regs->nip)
0471         return 0;
0472
0473     if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
0474         kcb->kprobe_status = KPROBE_HIT_SSDONE;
0475         cur->post_handler(cur, regs, 0);
0476     }
0477
0478     /* Adjust nip to after the single-stepped instruction */
0479     regs_set_return_ip(regs, (unsigned long)cur->addr + len);
0480     regs_set_return_msr(regs, regs->msr | kcb->kprobe_saved_msr);
0481
0482     /*Restore back the original saved kprobes variables and continue. */
0483     if (kcb->kprobe_status == KPROBE_REENTER) {
0484         restore_previous_kprobe(kcb);
0485         goto out;
0486     }
0487     reset_current_kprobe();
0488 out:
0489     preempt_enable_no_resched();
0490
0491     /*
0492      * if somebody else is singlestepping across a probe point, msr
0493      * will have DE/SE set, in which case, continue the remaining processing
0494      * of do_debug, as if this is not a probe hit.
0495      */
0496     if (regs->msr & MSR_SINGLESTEP)
0497         return 0;
0498
0499     return 1;
0500 }
0501 NOKPROBE_SYMBOL(kprobe_post_handler);
0502
0503 int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
0504 {
0505     struct kprobe *cur = kprobe_running();
0506     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
0507     const struct exception_table_entry *entry;
0508
0509     switch(kcb->kprobe_status) {
0510     case KPROBE_HIT_SS:
0511     case KPROBE_REENTER:
0512         /*
0513          * We are here because the instruction being single
0514          * stepped caused a page fault. We reset the current
0515          * kprobe and the nip points back to the probe address
0516          * and allow the page fault handler to continue as a
0517          * normal page fault.
0518          */
0519         regs_set_return_ip(regs, (unsigned long)cur->addr);
0520         /* Turn off 'trace' bits */
0521         regs_set_return_msr(regs,
0522             (regs->msr & ~MSR_SINGLESTEP) |
0523             kcb->kprobe_saved_msr);
0524         if (kcb->kprobe_status == KPROBE_REENTER)
0525             restore_previous_kprobe(kcb);
0526         else
0527             reset_current_kprobe();
0528         preempt_enable_no_resched();
0529         break;
0530     case KPROBE_HIT_ACTIVE:
0531     case KPROBE_HIT_SSDONE:
0532         /*
0533          * In case the user-specified fault handler returned
0534          * zero, try to fix up.
0535          */
0536         if ((entry = search_exception_tables(regs->nip)) != NULL) {
0537             regs_set_return_ip(regs, extable_fixup(entry));
0538             return 1;
0539         }
0540
0541         /*
0542          * fixup_exception() could not handle it,
0543          * Let do_page_fault() fix it.
0544          */
0545         break;
0546     default:
0547         break;
0548     }
0549     return 0;
0550 }
0551 NOKPROBE_SYMBOL(kprobe_fault_handler);
0552
0553 static struct kprobe trampoline_p = {
0554     .addr = (kprobe_opcode_t *) &__kretprobe_trampoline,
0555     .pre_handler = trampoline_probe_handler
0556 };
0557
0558 int __init arch_init_kprobes(void)
0559 {
0560     return register_kprobe(&trampoline_p);
0561 }
0562
0563 int arch_trampoline_kprobe(struct kprobe *p)
0564 {
0565     if (p->addr == (kprobe_opcode_t *)&__kretprobe_trampoline)
0566         return 1;
0567
0568     return 0;
0569 }
0570 NOKPROBE_SYMBOL(arch_trampoline_kprobe);