s390/kernel/kprobes.c

0001 // SPDX-License-Identifier: GPL-2.0+
0002 /*
0003  *  Kernel Probes (KProbes)
0004  *
0005  * Copyright IBM Corp. 2002, 2006
0006  *
0007  * s390 port, used ppc64 as template. Mike Grundy <grundym@us.ibm.com>
0008  */
0009
0010 #define pr_fmt(fmt) "kprobes: " fmt
0011
0012 #include <linux/moduleloader.h>
0013 #include <linux/kprobes.h>
0014 #include <linux/ptrace.h>
0015 #include <linux/preempt.h>
0016 #include <linux/stop_machine.h>
0017 #include <linux/kdebug.h>
0018 #include <linux/uaccess.h>
0019 #include <linux/extable.h>
0020 #include <linux/module.h>
0021 #include <linux/slab.h>
0022 #include <linux/hardirq.h>
0023 #include <linux/ftrace.h>
0024 #include <asm/set_memory.h>
0025 #include <asm/sections.h>
0026 #include <asm/dis.h>
0027 #include "entry.h"
0028
0029 DEFINE_PER_CPU(struct kprobe *, current_kprobe);
0030 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
0031
0032 struct kretprobe_blackpoint kretprobe_blacklist[] = { };
0033
0034 DEFINE_INSN_CACHE_OPS(s390_insn);
0035
0036 static int insn_page_in_use;
0037
0038 void *alloc_insn_page(void)
0039 {
0040     void *page;
0041
0042     page = module_alloc(PAGE_SIZE);
0043     if (!page)
0044         return NULL;
0045     __set_memory((unsigned long) page, 1, SET_MEMORY_RO | SET_MEMORY_X);
0046     return page;
0047 }
0048
0049 static void *alloc_s390_insn_page(void)
0050 {
0051     if (xchg(&insn_page_in_use, 1) == 1)
0052         return NULL;
0053     return &kprobes_insn_page;
0054 }
0055
0056 static void free_s390_insn_page(void *page)
0057 {
0058     xchg(&insn_page_in_use, 0);
0059 }
0060
0061 struct kprobe_insn_cache kprobe_s390_insn_slots = {
0062     .mutex = __MUTEX_INITIALIZER(kprobe_s390_insn_slots.mutex),
0063     .alloc = alloc_s390_insn_page,
0064     .free = free_s390_insn_page,
0065     .pages = LIST_HEAD_INIT(kprobe_s390_insn_slots.pages),
0066     .insn_size = MAX_INSN_SIZE,
0067 };
0068
0069 static void copy_instruction(struct kprobe *p)
0070 {
0071     kprobe_opcode_t insn[MAX_INSN_SIZE];
0072     s64 disp, new_disp;
0073     u64 addr, new_addr;
0074     unsigned int len;
0075
0076     len = insn_length(*p->addr >> 8);
0077     memcpy(&insn, p->addr, len);
0078     p->opcode = insn[0];
0079     if (probe_is_insn_relative_long(&insn[0])) {
0080         /*
0081          * For pc-relative instructions in RIL-b or RIL-c format patch
0082          * the RI2 displacement field. We have already made sure that
0083          * the insn slot for the patched instruction is within the same
0084          * 2GB area as the original instruction (either kernel image or
0085          * module area). Therefore the new displacement will always fit.
0086          */
0087         disp = *(s32 *)&insn[1];
0088         addr = (u64)(unsigned long)p->addr;
0089         new_addr = (u64)(unsigned long)p->ainsn.insn;
0090         new_disp = ((addr + (disp * 2)) - new_addr) / 2;
0091         *(s32 *)&insn[1] = new_disp;
0092     }
0093     s390_kernel_write(p->ainsn.insn, &insn, len);
0094 }
0095 NOKPROBE_SYMBOL(copy_instruction);
0096
0097 static int s390_get_insn_slot(struct kprobe *p)
0098 {
0099     /*
0100      * Get an insn slot that is within the same 2GB area like the original
0101      * instruction. That way instructions with a 32bit signed displacement
0102      * field can be patched and executed within the insn slot.
0103      */
0104     p->ainsn.insn = NULL;
0105     if (is_kernel((unsigned long)p->addr))
0106         p->ainsn.insn = get_s390_insn_slot();
0107     else if (is_module_addr(p->addr))
0108         p->ainsn.insn = get_insn_slot();
0109     return p->ainsn.insn ? 0 : -ENOMEM;
0110 }
0111 NOKPROBE_SYMBOL(s390_get_insn_slot);
0112
0113 static void s390_free_insn_slot(struct kprobe *p)
0114 {
0115     if (!p->ainsn.insn)
0116         return;
0117     if (is_kernel((unsigned long)p->addr))
0118         free_s390_insn_slot(p->ainsn.insn, 0);
0119     else
0120         free_insn_slot(p->ainsn.insn, 0);
0121     p->ainsn.insn = NULL;
0122 }
0123 NOKPROBE_SYMBOL(s390_free_insn_slot);
0124
0125 /* Check if paddr is at an instruction boundary */
0126 static bool can_probe(unsigned long paddr)
0127 {
0128     unsigned long addr, offset = 0;
0129     kprobe_opcode_t insn;
0130     struct kprobe *kp;
0131
0132     if (paddr & 0x01)
0133         return false;
0134
0135     if (!kallsyms_lookup_size_offset(paddr, NULL, &offset))
0136         return false;
0137
0138     /* Decode instructions */
0139     addr = paddr - offset;
0140     while (addr < paddr) {
0141         if (copy_from_kernel_nofault(&insn, (void *)addr, sizeof(insn)))
0142             return false;
0143
0144         if (insn >> 8 == 0) {
0145             if (insn != BREAKPOINT_INSTRUCTION) {
0146                 /*
0147                  * Note that QEMU inserts opcode 0x0000 to implement
0148                  * software breakpoints for guests. Since the size of
0149                  * the original instruction is unknown, stop following
0150                  * instructions and prevent setting a kprobe.
0151                  */
0152                 return false;
0153             }
0154             /*
0155              * Check if the instruction has been modified by another
0156              * kprobe, in which case the original instruction is
0157              * decoded.
0158              */
0159             kp = get_kprobe((void *)addr);
0160             if (!kp) {
0161                 /* not a kprobe */
0162                 return false;
0163             }
0164             insn = kp->opcode;
0165         }
0166         addr += insn_length(insn >> 8);
0167     }
0168     return addr == paddr;
0169 }
0170
0171 int arch_prepare_kprobe(struct kprobe *p)
0172 {
0173     if (!can_probe((unsigned long)p->addr))
0174         return -EINVAL;
0175     /* Make sure the probe isn't going on a difficult instruction */
0176     if (probe_is_prohibited_opcode(p->addr))
0177         return -EINVAL;
0178     if (s390_get_insn_slot(p))
0179         return -ENOMEM;
0180     copy_instruction(p);
0181     return 0;
0182 }
0183 NOKPROBE_SYMBOL(arch_prepare_kprobe);
0184
0185 struct swap_insn_args {
0186     struct kprobe *p;
0187     unsigned int arm_kprobe : 1;
0188 };
0189
0190 static int swap_instruction(void *data)
0191 {
0192     struct swap_insn_args *args = data;
0193     struct kprobe *p = args->p;
0194     u16 opc;
0195
0196     opc = args->arm_kprobe ? BREAKPOINT_INSTRUCTION : p->opcode;
0197     s390_kernel_write(p->addr, &opc, sizeof(opc));
0198     return 0;
0199 }
0200 NOKPROBE_SYMBOL(swap_instruction);
0201
0202 void arch_arm_kprobe(struct kprobe *p)
0203 {
0204     struct swap_insn_args args = {.p = p, .arm_kprobe = 1};
0205
0206     stop_machine_cpuslocked(swap_instruction, &args, NULL);
0207 }
0208 NOKPROBE_SYMBOL(arch_arm_kprobe);
0209
0210 void arch_disarm_kprobe(struct kprobe *p)
0211 {
0212     struct swap_insn_args args = {.p = p, .arm_kprobe = 0};
0213
0214     stop_machine_cpuslocked(swap_instruction, &args, NULL);
0215 }
0216 NOKPROBE_SYMBOL(arch_disarm_kprobe);
0217
0218 void arch_remove_kprobe(struct kprobe *p)
0219 {
0220     s390_free_insn_slot(p);
0221 }
0222 NOKPROBE_SYMBOL(arch_remove_kprobe);
0223
0224 static void enable_singlestep(struct kprobe_ctlblk *kcb,
0225                   struct pt_regs *regs,
0226                   unsigned long ip)
0227 {
0228     struct per_regs per_kprobe;
0229
0230     /* Set up the PER control registers %cr9-%cr11 */
0231     per_kprobe.control = PER_EVENT_IFETCH;
0232     per_kprobe.start = ip;
0233     per_kprobe.end = ip;
0234
0235     /* Save control regs and psw mask */
0236     __ctl_store(kcb->kprobe_saved_ctl, 9, 11);
0237     kcb->kprobe_saved_imask = regs->psw.mask &
0238         (PSW_MASK_PER | PSW_MASK_IO | PSW_MASK_EXT);
0239
0240     /* Set PER control regs, turns on single step for the given address */
0241     __ctl_load(per_kprobe, 9, 11);
0242     regs->psw.mask |= PSW_MASK_PER;
0243     regs->psw.mask &= ~(PSW_MASK_IO | PSW_MASK_EXT);
0244     regs->psw.addr = ip;
0245 }
0246 NOKPROBE_SYMBOL(enable_singlestep);
0247
0248 static void disable_singlestep(struct kprobe_ctlblk *kcb,
0249                    struct pt_regs *regs,
0250                    unsigned long ip)
0251 {
0252     /* Restore control regs and psw mask, set new psw address */
0253     __ctl_load(kcb->kprobe_saved_ctl, 9, 11);
0254     regs->psw.mask &= ~PSW_MASK_PER;
0255     regs->psw.mask |= kcb->kprobe_saved_imask;
0256     regs->psw.addr = ip;
0257 }
0258 NOKPROBE_SYMBOL(disable_singlestep);
0259
0260 /*
0261  * Activate a kprobe by storing its pointer to current_kprobe. The
0262  * previous kprobe is stored in kcb->prev_kprobe. A stack of up to
0263  * two kprobes can be active, see KPROBE_REENTER.
0264  */
0265 static void push_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p)
0266 {
0267     kcb->prev_kprobe.kp = __this_cpu_read(current_kprobe);
0268     kcb->prev_kprobe.status = kcb->kprobe_status;
0269     __this_cpu_write(current_kprobe, p);
0270 }
0271 NOKPROBE_SYMBOL(push_kprobe);
0272
0273 /*
0274  * Deactivate a kprobe by backing up to the previous state. If the
0275  * current state is KPROBE_REENTER prev_kprobe.kp will be non-NULL,
0276  * for any other state prev_kprobe.kp will be NULL.
0277  */
0278 static void pop_kprobe(struct kprobe_ctlblk *kcb)
0279 {
0280     __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
0281     kcb->kprobe_status = kcb->prev_kprobe.status;
0282 }
0283 NOKPROBE_SYMBOL(pop_kprobe);
0284
0285 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
0286 {
0287     ri->ret_addr = (kprobe_opcode_t *)regs->gprs[14];
0288     ri->fp = (void *)regs->gprs[15];
0289
0290     /* Replace the return addr with trampoline addr */
0291     regs->gprs[14] = (unsigned long)&__kretprobe_trampoline;
0292 }
0293 NOKPROBE_SYMBOL(arch_prepare_kretprobe);
0294
0295 static void kprobe_reenter_check(struct kprobe_ctlblk *kcb, struct kprobe *p)
0296 {
0297     switch (kcb->kprobe_status) {
0298     case KPROBE_HIT_SSDONE:
0299     case KPROBE_HIT_ACTIVE:
0300         kprobes_inc_nmissed_count(p);
0301         break;
0302     case KPROBE_HIT_SS:
0303     case KPROBE_REENTER:
0304     default:
0305         /*
0306          * A kprobe on the code path to single step an instruction
0307          * is a BUG. The code path resides in the .kprobes.text
0308          * section and is executed with interrupts disabled.
0309          */
0310         pr_err("Failed to recover from reentered kprobes.\n");
0311         dump_kprobe(p);
0312         BUG();
0313     }
0314 }
0315 NOKPROBE_SYMBOL(kprobe_reenter_check);
0316
0317 static int kprobe_handler(struct pt_regs *regs)
0318 {
0319     struct kprobe_ctlblk *kcb;
0320     struct kprobe *p;
0321
0322     /*
0323      * We want to disable preemption for the entire duration of kprobe
0324      * processing. That includes the calls to the pre/post handlers
0325      * and single stepping the kprobe instruction.
0326      */
0327     preempt_disable();
0328     kcb = get_kprobe_ctlblk();
0329     p = get_kprobe((void *)(regs->psw.addr - 2));
0330
0331     if (p) {
0332         if (kprobe_running()) {
0333             /*
0334              * We have hit a kprobe while another is still
0335              * active. This can happen in the pre and post
0336              * handler. Single step the instruction of the
0337              * new probe but do not call any handler function
0338              * of this secondary kprobe.
0339              * push_kprobe and pop_kprobe saves and restores
0340              * the currently active kprobe.
0341              */
0342             kprobe_reenter_check(kcb, p);
0343             push_kprobe(kcb, p);
0344             kcb->kprobe_status = KPROBE_REENTER;
0345         } else {
0346             /*
0347              * If we have no pre-handler or it returned 0, we
0348              * continue with single stepping. If we have a
0349              * pre-handler and it returned non-zero, it prepped
0350              * for changing execution path, so get out doing
0351              * nothing more here.
0352              */
0353             push_kprobe(kcb, p);
0354             kcb->kprobe_status = KPROBE_HIT_ACTIVE;
0355             if (p->pre_handler && p->pre_handler(p, regs)) {
0356                 pop_kprobe(kcb);
0357                 preempt_enable_no_resched();
0358                 return 1;
0359             }
0360             kcb->kprobe_status = KPROBE_HIT_SS;
0361         }
0362         enable_singlestep(kcb, regs, (unsigned long) p->ainsn.insn);
0363         return 1;
0364     } /* else:
0365        * No kprobe at this address and no active kprobe. The trap has
0366        * not been caused by a kprobe breakpoint. The race of breakpoint
0367        * vs. kprobe remove does not exist because on s390 as we use
0368        * stop_machine to arm/disarm the breakpoints.
0369        */
0370     preempt_enable_no_resched();
0371     return 0;
0372 }
0373 NOKPROBE_SYMBOL(kprobe_handler);
0374
0375 void arch_kretprobe_fixup_return(struct pt_regs *regs,
0376                  kprobe_opcode_t *correct_ret_addr)
0377 {
0378     /* Replace fake return address with real one. */
0379     regs->gprs[14] = (unsigned long)correct_ret_addr;
0380 }
0381 NOKPROBE_SYMBOL(arch_kretprobe_fixup_return);
0382
0383 /*
0384  * Called from __kretprobe_trampoline
0385  */
0386 void trampoline_probe_handler(struct pt_regs *regs)
0387 {
0388     kretprobe_trampoline_handler(regs, (void *)regs->gprs[15]);
0389 }
0390 NOKPROBE_SYMBOL(trampoline_probe_handler);
0391
0392 /* assembler function that handles the kretprobes must not be probed itself */
0393 NOKPROBE_SYMBOL(__kretprobe_trampoline);
0394
0395 /*
0396  * Called after single-stepping.  p->addr is the address of the
0397  * instruction whose first byte has been replaced by the "breakpoint"
0398  * instruction.  To avoid the SMP problems that can occur when we
0399  * temporarily put back the original opcode to single-step, we
0400  * single-stepped a copy of the instruction.  The address of this
0401  * copy is p->ainsn.insn.
0402  */
0403 static void resume_execution(struct kprobe *p, struct pt_regs *regs)
0404 {
0405     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
0406     unsigned long ip = regs->psw.addr;
0407     int fixup = probe_get_fixup_type(p->ainsn.insn);
0408
0409     if (fixup & FIXUP_PSW_NORMAL)
0410         ip += (unsigned long) p->addr - (unsigned long) p->ainsn.insn;
0411
0412     if (fixup & FIXUP_BRANCH_NOT_TAKEN) {
0413         int ilen = insn_length(p->ainsn.insn[0] >> 8);
0414         if (ip - (unsigned long) p->ainsn.insn == ilen)
0415             ip = (unsigned long) p->addr + ilen;
0416     }
0417
0418     if (fixup & FIXUP_RETURN_REGISTER) {
0419         int reg = (p->ainsn.insn[0] & 0xf0) >> 4;
0420         regs->gprs[reg] += (unsigned long) p->addr -
0421                    (unsigned long) p->ainsn.insn;
0422     }
0423
0424     disable_singlestep(kcb, regs, ip);
0425 }
0426 NOKPROBE_SYMBOL(resume_execution);
0427
0428 static int post_kprobe_handler(struct pt_regs *regs)
0429 {
0430     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
0431     struct kprobe *p = kprobe_running();
0432
0433     if (!p)
0434         return 0;
0435
0436     if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) {
0437         kcb->kprobe_status = KPROBE_HIT_SSDONE;
0438         p->post_handler(p, regs, 0);
0439     }
0440
0441     resume_execution(p, regs);
0442     pop_kprobe(kcb);
0443     preempt_enable_no_resched();
0444
0445     /*
0446      * if somebody else is singlestepping across a probe point, psw mask
0447      * will have PER set, in which case, continue the remaining processing
0448      * of do_single_step, as if this is not a probe hit.
0449      */
0450     if (regs->psw.mask & PSW_MASK_PER)
0451         return 0;
0452
0453     return 1;
0454 }
0455 NOKPROBE_SYMBOL(post_kprobe_handler);
0456
0457 static int kprobe_trap_handler(struct pt_regs *regs, int trapnr)
0458 {
0459     struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
0460     struct kprobe *p = kprobe_running();
0461
0462     switch(kcb->kprobe_status) {
0463     case KPROBE_HIT_SS:
0464     case KPROBE_REENTER:
0465         /*
0466          * We are here because the instruction being single
0467          * stepped caused a page fault. We reset the current
0468          * kprobe and the nip points back to the probe address
0469          * and allow the page fault handler to continue as a
0470          * normal page fault.
0471          */
0472         disable_singlestep(kcb, regs, (unsigned long) p->addr);
0473         pop_kprobe(kcb);
0474         preempt_enable_no_resched();
0475         break;
0476     case KPROBE_HIT_ACTIVE:
0477     case KPROBE_HIT_SSDONE:
0478         /*
0479          * In case the user-specified fault handler returned
0480          * zero, try to fix up.
0481          */
0482         if (fixup_exception(regs))
0483             return 1;
0484         /*
0485          * fixup_exception() could not handle it,
0486          * Let do_page_fault() fix it.
0487          */
0488         break;
0489     default:
0490         break;
0491     }
0492     return 0;
0493 }
0494 NOKPROBE_SYMBOL(kprobe_trap_handler);
0495
0496 int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
0497 {
0498     int ret;
0499
0500     if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
0501         local_irq_disable();
0502     ret = kprobe_trap_handler(regs, trapnr);
0503     if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
0504         local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
0505     return ret;
0506 }
0507 NOKPROBE_SYMBOL(kprobe_fault_handler);
0508
0509 /*
0510  * Wrapper routine to for handling exceptions.
0511  */
0512 int kprobe_exceptions_notify(struct notifier_block *self,
0513                  unsigned long val, void *data)
0514 {
0515     struct die_args *args = (struct die_args *) data;
0516     struct pt_regs *regs = args->regs;
0517     int ret = NOTIFY_DONE;
0518
0519     if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
0520         local_irq_disable();
0521
0522     switch (val) {
0523     case DIE_BPT:
0524         if (kprobe_handler(regs))
0525             ret = NOTIFY_STOP;
0526         break;
0527     case DIE_SSTEP:
0528         if (post_kprobe_handler(regs))
0529             ret = NOTIFY_STOP;
0530         break;
0531     case DIE_TRAP:
0532         if (!preemptible() && kprobe_running() &&
0533             kprobe_trap_handler(regs, args->trapnr))
0534             ret = NOTIFY_STOP;
0535         break;
0536     default:
0537         break;
0538     }
0539
0540     if (regs->psw.mask & (PSW_MASK_IO | PSW_MASK_EXT))
0541         local_irq_restore(regs->psw.mask & ~PSW_MASK_PER);
0542
0543     return ret;
0544 }
0545 NOKPROBE_SYMBOL(kprobe_exceptions_notify);
0546
0547 int __init arch_init_kprobes(void)
0548 {
0549     return 0;
0550 }
0551
0552 int arch_trampoline_kprobe(struct kprobe *p)
0553 {
0554     return 0;
0555 }
0556 NOKPROBE_SYMBOL(arch_trampoline_kprobe);