x86/kernel/uprobes.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  * User-space Probes (UProbes) for x86
0004  *
0005  * Copyright (C) IBM Corporation, 2008-2011
0006  * Authors:
0007  *  Srikar Dronamraju
0008  *  Jim Keniston
0009  */
0010 #include <linux/kernel.h>
0011 #include <linux/sched.h>
0012 #include <linux/ptrace.h>
0013 #include <linux/uprobes.h>
0014 #include <linux/uaccess.h>
0015
0016 #include <linux/kdebug.h>
0017 #include <asm/processor.h>
0018 #include <asm/insn.h>
0019 #include <asm/mmu_context.h>
0020
0021 /* Post-execution fixups. */
0022
0023 /* Adjust IP back to vicinity of actual insn */
0024 #define UPROBE_FIX_IP       0x01
0025
0026 /* Adjust the return address of a call insn */
0027 #define UPROBE_FIX_CALL     0x02
0028
0029 /* Instruction will modify TF, don't change it */
0030 #define UPROBE_FIX_SETF     0x04
0031
0032 #define UPROBE_FIX_RIP_SI   0x08
0033 #define UPROBE_FIX_RIP_DI   0x10
0034 #define UPROBE_FIX_RIP_BX   0x20
0035 #define UPROBE_FIX_RIP_MASK \
0036     (UPROBE_FIX_RIP_SI | UPROBE_FIX_RIP_DI | UPROBE_FIX_RIP_BX)
0037
0038 #define UPROBE_TRAP_NR      UINT_MAX
0039
0040 /* Adaptations for mhiramat x86 decoder v14. */
0041 #define OPCODE1(insn)       ((insn)->opcode.bytes[0])
0042 #define OPCODE2(insn)       ((insn)->opcode.bytes[1])
0043 #define OPCODE3(insn)       ((insn)->opcode.bytes[2])
0044 #define MODRM_REG(insn)     X86_MODRM_REG((insn)->modrm.value)
0045
0046 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
0047     (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) |   \
0048       (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) |   \
0049       (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) |   \
0050       (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf))    \
0051      << (row % 32))
0052
0053 /*
0054  * Good-instruction tables for 32-bit apps.  This is non-const and volatile
0055  * to keep gcc from statically optimizing it out, as variable_test_bit makes
0056  * some versions of gcc to think only *(unsigned long*) is used.
0057  *
0058  * Opcodes we'll probably never support:
0059  * 6c-6f - ins,outs. SEGVs if used in userspace
0060  * e4-e7 - in,out imm. SEGVs if used in userspace
0061  * ec-ef - in,out acc. SEGVs if used in userspace
0062  * cc - int3. SIGTRAP if used in userspace
0063  * ce - into. Not used in userspace - no kernel support to make it useful. SEGVs
0064  *  (why we support bound (62) then? it's similar, and similarly unused...)
0065  * f1 - int1. SIGTRAP if used in userspace
0066  * f4 - hlt. SEGVs if used in userspace
0067  * fa - cli. SEGVs if used in userspace
0068  * fb - sti. SEGVs if used in userspace
0069  *
0070  * Opcodes which need some work to be supported:
0071  * 07,17,1f - pop es/ss/ds
0072  *  Normally not used in userspace, but would execute if used.
0073  *  Can cause GP or stack exception if tries to load wrong segment descriptor.
0074  *  We hesitate to run them under single step since kernel's handling
0075  *  of userspace single-stepping (TF flag) is fragile.
0076  *  We can easily refuse to support push es/cs/ss/ds (06/0e/16/1e)
0077  *  on the same grounds that they are never used.
0078  * cd - int N.
0079  *  Used by userspace for "int 80" syscall entry. (Other "int N"
0080  *  cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
0081  *  Not supported since kernel's handling of userspace single-stepping
0082  *  (TF flag) is fragile.
0083  * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
0084  */
0085 #if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION)
0086 static volatile u32 good_insns_32[256 / 32] = {
0087     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0088     /*      ----------------------------------------------         */
0089     W(0x00, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* 00 */
0090     W(0x10, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 10 */
0091     W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
0092     W(0x30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
0093     W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
0094     W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
0095     W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
0096     W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
0097     W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
0098     W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
0099     W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
0100     W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
0101     W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
0102     W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
0103     W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0) | /* e0 */
0104     W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1)   /* f0 */
0105     /*      ----------------------------------------------         */
0106     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0107 };
0108 #else
0109 #define good_insns_32   NULL
0110 #endif
0111
0112 /* Good-instruction tables for 64-bit apps.
0113  *
0114  * Genuinely invalid opcodes:
0115  * 06,07 - formerly push/pop es
0116  * 0e - formerly push cs
0117  * 16,17 - formerly push/pop ss
0118  * 1e,1f - formerly push/pop ds
0119  * 27,2f,37,3f - formerly daa/das/aaa/aas
0120  * 60,61 - formerly pusha/popa
0121  * 62 - formerly bound. EVEX prefix for AVX512 (not yet supported)
0122  * 82 - formerly redundant encoding of Group1
0123  * 9a - formerly call seg:ofs
0124  * ce - formerly into
0125  * d4,d5 - formerly aam/aad
0126  * d6 - formerly undocumented salc
0127  * ea - formerly jmp seg:ofs
0128  *
0129  * Opcodes we'll probably never support:
0130  * 6c-6f - ins,outs. SEGVs if used in userspace
0131  * e4-e7 - in,out imm. SEGVs if used in userspace
0132  * ec-ef - in,out acc. SEGVs if used in userspace
0133  * cc - int3. SIGTRAP if used in userspace
0134  * f1 - int1. SIGTRAP if used in userspace
0135  * f4 - hlt. SEGVs if used in userspace
0136  * fa - cli. SEGVs if used in userspace
0137  * fb - sti. SEGVs if used in userspace
0138  *
0139  * Opcodes which need some work to be supported:
0140  * cd - int N.
0141  *  Used by userspace for "int 80" syscall entry. (Other "int N"
0142  *  cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
0143  *  Not supported since kernel's handling of userspace single-stepping
0144  *  (TF flag) is fragile.
0145  * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
0146  */
0147 #if defined(CONFIG_X86_64)
0148 static volatile u32 good_insns_64[256 / 32] = {
0149     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0150     /*      ----------------------------------------------         */
0151     W(0x00, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1) | /* 00 */
0152     W(0x10, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0) , /* 10 */
0153     W(0x20, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) | /* 20 */
0154     W(0x30, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 30 */
0155     W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
0156     W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
0157     W(0x60, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
0158     W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
0159     W(0x80, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
0160     W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1) , /* 90 */
0161     W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
0162     W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
0163     W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
0164     W(0xd0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
0165     W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0) | /* e0 */
0166     W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1)   /* f0 */
0167     /*      ----------------------------------------------         */
0168     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0169 };
0170 #else
0171 #define good_insns_64   NULL
0172 #endif
0173
0174 /* Using this for both 64-bit and 32-bit apps.
0175  * Opcodes we don't support:
0176  * 0f 00 - SLDT/STR/LLDT/LTR/VERR/VERW/-/- group. System insns
0177  * 0f 01 - SGDT/SIDT/LGDT/LIDT/SMSW/-/LMSW/INVLPG group.
0178  *  Also encodes tons of other system insns if mod=11.
0179  *  Some are in fact non-system: xend, xtest, rdtscp, maybe more
0180  * 0f 05 - syscall
0181  * 0f 06 - clts (CPL0 insn)
0182  * 0f 07 - sysret
0183  * 0f 08 - invd (CPL0 insn)
0184  * 0f 09 - wbinvd (CPL0 insn)
0185  * 0f 0b - ud2
0186  * 0f 30 - wrmsr (CPL0 insn) (then why rdmsr is allowed, it's also CPL0 insn?)
0187  * 0f 34 - sysenter
0188  * 0f 35 - sysexit
0189  * 0f 37 - getsec
0190  * 0f 78 - vmread (Intel VMX. CPL0 insn)
0191  * 0f 79 - vmwrite (Intel VMX. CPL0 insn)
0192  *  Note: with prefixes, these two opcodes are
0193  *  extrq/insertq/AVX512 convert vector ops.
0194  * 0f ae - group15: [f]xsave,[f]xrstor,[v]{ld,st}mxcsr,clflush[opt],
0195  *  {rd,wr}{fs,gs}base,{s,l,m}fence.
0196  *  Why? They are all user-executable.
0197  */
0198 static volatile u32 good_2byte_insns[256 / 32] = {
0199     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0200     /*      ----------------------------------------------         */
0201     W(0x00, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1) | /* 00 */
0202     W(0x10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 10 */
0203     W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
0204     W(0x30, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
0205     W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
0206     W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
0207     W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 60 */
0208     W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1) , /* 70 */
0209     W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
0210     W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
0211     W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1) | /* a0 */
0212     W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
0213     W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
0214     W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
0215     W(0xe0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* e0 */
0216     W(0xf0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)   /* f0 */
0217     /*      ----------------------------------------------         */
0218     /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
0219 };
0220 #undef W
0221
0222 /*
0223  * opcodes we may need to refine support for:
0224  *
0225  *  0f - 2-byte instructions: For many of these instructions, the validity
0226  *  depends on the prefix and/or the reg field.  On such instructions, we
0227  *  just consider the opcode combination valid if it corresponds to any
0228  *  valid instruction.
0229  *
0230  *  8f - Group 1 - only reg = 0 is OK
0231  *  c6-c7 - Group 11 - only reg = 0 is OK
0232  *  d9-df - fpu insns with some illegal encodings
0233  *  f2, f3 - repnz, repz prefixes.  These are also the first byte for
0234  *  certain floating-point instructions, such as addsd.
0235  *
0236  *  fe - Group 4 - only reg = 0 or 1 is OK
0237  *  ff - Group 5 - only reg = 0-6 is OK
0238  *
0239  * others -- Do we need to support these?
0240  *
0241  *  0f - (floating-point?) prefetch instructions
0242  *  07, 17, 1f - pop es, pop ss, pop ds
0243  *  26, 2e, 36, 3e - es:, cs:, ss:, ds: segment prefixes --
0244  *  but 64 and 65 (fs: and gs:) seem to be used, so we support them
0245  *  67 - addr16 prefix
0246  *  ce - into
0247  *  f0 - lock prefix
0248  */
0249
0250 /*
0251  * TODO:
0252  * - Where necessary, examine the modrm byte and allow only valid instructions
0253  * in the different Groups and fpu instructions.
0254  */
0255
0256 static bool is_prefix_bad(struct insn *insn)
0257 {
0258     insn_byte_t p;
0259     int i;
0260
0261     for_each_insn_prefix(insn, i, p) {
0262         insn_attr_t attr;
0263
0264         attr = inat_get_opcode_attribute(p);
0265         switch (attr) {
0266         case INAT_MAKE_PREFIX(INAT_PFX_ES):
0267         case INAT_MAKE_PREFIX(INAT_PFX_CS):
0268         case INAT_MAKE_PREFIX(INAT_PFX_DS):
0269         case INAT_MAKE_PREFIX(INAT_PFX_SS):
0270         case INAT_MAKE_PREFIX(INAT_PFX_LOCK):
0271             return true;
0272         }
0273     }
0274     return false;
0275 }
0276
0277 static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool x86_64)
0278 {
0279     enum insn_mode m = x86_64 ? INSN_MODE_64 : INSN_MODE_32;
0280     u32 volatile *good_insns;
0281     int ret;
0282
0283     ret = insn_decode(insn, auprobe->insn, sizeof(auprobe->insn), m);
0284     if (ret < 0)
0285         return -ENOEXEC;
0286
0287     if (is_prefix_bad(insn))
0288         return -ENOTSUPP;
0289
0290     /* We should not singlestep on the exception masking instructions */
0291     if (insn_masking_exception(insn))
0292         return -ENOTSUPP;
0293
0294     if (x86_64)
0295         good_insns = good_insns_64;
0296     else
0297         good_insns = good_insns_32;
0298
0299     if (test_bit(OPCODE1(insn), (unsigned long *)good_insns))
0300         return 0;
0301
0302     if (insn->opcode.nbytes == 2) {
0303         if (test_bit(OPCODE2(insn), (unsigned long *)good_2byte_insns))
0304             return 0;
0305     }
0306
0307     return -ENOTSUPP;
0308 }
0309
0310 #ifdef CONFIG_X86_64
0311 /*
0312  * If arch_uprobe->insn doesn't use rip-relative addressing, return
0313  * immediately.  Otherwise, rewrite the instruction so that it accesses
0314  * its memory operand indirectly through a scratch register.  Set
0315  * defparam->fixups accordingly. (The contents of the scratch register
0316  * will be saved before we single-step the modified instruction,
0317  * and restored afterward).
0318  *
0319  * We do this because a rip-relative instruction can access only a
0320  * relatively small area (+/- 2 GB from the instruction), and the XOL
0321  * area typically lies beyond that area.  At least for instructions
0322  * that store to memory, we can't execute the original instruction
0323  * and "fix things up" later, because the misdirected store could be
0324  * disastrous.
0325  *
0326  * Some useful facts about rip-relative instructions:
0327  *
0328  *  - There's always a modrm byte with bit layout "00 reg 101".
0329  *  - There's never a SIB byte.
0330  *  - The displacement is always 4 bytes.
0331  *  - REX.B=1 bit in REX prefix, which normally extends r/m field,
0332  *    has no effect on rip-relative mode. It doesn't make modrm byte
0333  *    with r/m=101 refer to register 1101 = R13.
0334  */
0335 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
0336 {
0337     u8 *cursor;
0338     u8 reg;
0339     u8 reg2;
0340
0341     if (!insn_rip_relative(insn))
0342         return;
0343
0344     /*
0345      * insn_rip_relative() would have decoded rex_prefix, vex_prefix, modrm.
0346      * Clear REX.b bit (extension of MODRM.rm field):
0347      * we want to encode low numbered reg, not r8+.
0348      */
0349     if (insn->rex_prefix.nbytes) {
0350         cursor = auprobe->insn + insn_offset_rex_prefix(insn);
0351         /* REX byte has 0100wrxb layout, clearing REX.b bit */
0352         *cursor &= 0xfe;
0353     }
0354     /*
0355      * Similar treatment for VEX3/EVEX prefix.
0356      * TODO: add XOP treatment when insn decoder supports them
0357      */
0358     if (insn->vex_prefix.nbytes >= 3) {
0359         /*
0360          * vex2:     c5    rvvvvLpp   (has no b bit)
0361          * vex3/xop: c4/8f rxbmmmmm wvvvvLpp
0362          * evex:     62    rxbR00mm wvvvv1pp zllBVaaa
0363          * Setting VEX3.b (setting because it has inverted meaning).
0364          * Setting EVEX.x since (in non-SIB encoding) EVEX.x
0365          * is the 4th bit of MODRM.rm, and needs the same treatment.
0366          * For VEX3-encoded insns, VEX3.x value has no effect in
0367          * non-SIB encoding, the change is superfluous but harmless.
0368          */
0369         cursor = auprobe->insn + insn_offset_vex_prefix(insn) + 1;
0370         *cursor |= 0x60;
0371     }
0372
0373     /*
0374      * Convert from rip-relative addressing to register-relative addressing
0375      * via a scratch register.
0376      *
0377      * This is tricky since there are insns with modrm byte
0378      * which also use registers not encoded in modrm byte:
0379      * [i]div/[i]mul: implicitly use dx:ax
0380      * shift ops: implicitly use cx
0381      * cmpxchg: implicitly uses ax
0382      * cmpxchg8/16b: implicitly uses dx:ax and bx:cx
0383      *   Encoding: 0f c7/1 modrm
0384      *   The code below thinks that reg=1 (cx), chooses si as scratch.
0385      * mulx: implicitly uses dx: mulx r/m,r1,r2 does r1:r2 = dx * r/m.
0386      *   First appeared in Haswell (BMI2 insn). It is vex-encoded.
0387      *   Example where none of bx,cx,dx can be used as scratch reg:
0388      *   c4 e2 63 f6 0d disp32   mulx disp32(%rip),%ebx,%ecx
0389      * [v]pcmpistri: implicitly uses cx, xmm0
0390      * [v]pcmpistrm: implicitly uses xmm0
0391      * [v]pcmpestri: implicitly uses ax, dx, cx, xmm0
0392      * [v]pcmpestrm: implicitly uses ax, dx, xmm0
0393      *   Evil SSE4.2 string comparison ops from hell.
0394      * maskmovq/[v]maskmovdqu: implicitly uses (ds:rdi) as destination.
0395      *   Encoding: 0f f7 modrm, 66 0f f7 modrm, vex-encoded: c5 f9 f7 modrm.
0396      *   Store op1, byte-masked by op2 msb's in each byte, to (ds:rdi).
0397      *   AMD says it has no 3-operand form (vex.vvvv must be 1111)
0398      *   and that it can have only register operands, not mem
0399      *   (its modrm byte must have mode=11).
0400      *   If these restrictions will ever be lifted,
0401      *   we'll need code to prevent selection of di as scratch reg!
0402      *
0403      * Summary: I don't know any insns with modrm byte which
0404      * use SI register implicitly. DI register is used only
0405      * by one insn (maskmovq) and BX register is used
0406      * only by one too (cmpxchg8b).
0407      * BP is stack-segment based (may be a problem?).
0408      * AX, DX, CX are off-limits (many implicit users).
0409      * SP is unusable (it's stack pointer - think about "pop mem";
0410      * also, rsp+disp32 needs sib encoding -> insn length change).
0411      */
0412
0413     reg = MODRM_REG(insn);  /* Fetch modrm.reg */
0414     reg2 = 0xff;        /* Fetch vex.vvvv */
0415     if (insn->vex_prefix.nbytes)
0416         reg2 = insn->vex_prefix.bytes[2];
0417     /*
0418      * TODO: add XOP vvvv reading.
0419      *
0420      * vex.vvvv field is in bits 6-3, bits are inverted.
0421      * But in 32-bit mode, high-order bit may be ignored.
0422      * Therefore, let's consider only 3 low-order bits.
0423      */
0424     reg2 = ((reg2 >> 3) & 0x7) ^ 0x7;
0425     /*
0426      * Register numbering is ax,cx,dx,bx, sp,bp,si,di, r8..r15.
0427      *
0428      * Choose scratch reg. Order is important: must not select bx
0429      * if we can use si (cmpxchg8b case!)
0430      */
0431     if (reg != 6 && reg2 != 6) {
0432         reg2 = 6;
0433         auprobe->defparam.fixups |= UPROBE_FIX_RIP_SI;
0434     } else if (reg != 7 && reg2 != 7) {
0435         reg2 = 7;
0436         auprobe->defparam.fixups |= UPROBE_FIX_RIP_DI;
0437         /* TODO (paranoia): force maskmovq to not use di */
0438     } else {
0439         reg2 = 3;
0440         auprobe->defparam.fixups |= UPROBE_FIX_RIP_BX;
0441     }
0442     /*
0443      * Point cursor at the modrm byte.  The next 4 bytes are the
0444      * displacement.  Beyond the displacement, for some instructions,
0445      * is the immediate operand.
0446      */
0447     cursor = auprobe->insn + insn_offset_modrm(insn);
0448     /*
0449      * Change modrm from "00 reg 101" to "10 reg reg2". Example:
0450      * 89 05 disp32  mov %eax,disp32(%rip) becomes
0451      * 89 86 disp32  mov %eax,disp32(%rsi)
0452      */
0453     *cursor = 0x80 | (reg << 3) | reg2;
0454 }
0455
0456 static inline unsigned long *
0457 scratch_reg(struct arch_uprobe *auprobe, struct pt_regs *regs)
0458 {
0459     if (auprobe->defparam.fixups & UPROBE_FIX_RIP_SI)
0460         return &regs->si;
0461     if (auprobe->defparam.fixups & UPROBE_FIX_RIP_DI)
0462         return &regs->di;
0463     return &regs->bx;
0464 }
0465
0466 /*
0467  * If we're emulating a rip-relative instruction, save the contents
0468  * of the scratch register and store the target address in that register.
0469  */
0470 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0471 {
0472     if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
0473         struct uprobe_task *utask = current->utask;
0474         unsigned long *sr = scratch_reg(auprobe, regs);
0475
0476         utask->autask.saved_scratch_register = *sr;
0477         *sr = utask->vaddr + auprobe->defparam.ilen;
0478     }
0479 }
0480
0481 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0482 {
0483     if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
0484         struct uprobe_task *utask = current->utask;
0485         unsigned long *sr = scratch_reg(auprobe, regs);
0486
0487         *sr = utask->autask.saved_scratch_register;
0488     }
0489 }
0490 #else /* 32-bit: */
0491 /*
0492  * No RIP-relative addressing on 32-bit
0493  */
0494 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
0495 {
0496 }
0497 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0498 {
0499 }
0500 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0501 {
0502 }
0503 #endif /* CONFIG_X86_64 */
0504
0505 struct uprobe_xol_ops {
0506     bool    (*emulate)(struct arch_uprobe *, struct pt_regs *);
0507     int (*pre_xol)(struct arch_uprobe *, struct pt_regs *);
0508     int (*post_xol)(struct arch_uprobe *, struct pt_regs *);
0509     void    (*abort)(struct arch_uprobe *, struct pt_regs *);
0510 };
0511
0512 static inline int sizeof_long(struct pt_regs *regs)
0513 {
0514     /*
0515      * Check registers for mode as in_xxx_syscall() does not apply here.
0516      */
0517     return user_64bit_mode(regs) ? 8 : 4;
0518 }
0519
0520 static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0521 {
0522     riprel_pre_xol(auprobe, regs);
0523     return 0;
0524 }
0525
0526 static int emulate_push_stack(struct pt_regs *regs, unsigned long val)
0527 {
0528     unsigned long new_sp = regs->sp - sizeof_long(regs);
0529
0530     if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs)))
0531         return -EFAULT;
0532
0533     regs->sp = new_sp;
0534     return 0;
0535 }
0536
0537 /*
0538  * We have to fix things up as follows:
0539  *
0540  * Typically, the new ip is relative to the copied instruction.  We need
0541  * to make it relative to the original instruction (FIX_IP).  Exceptions
0542  * are return instructions and absolute or indirect jump or call instructions.
0543  *
0544  * If the single-stepped instruction was a call, the return address that
0545  * is atop the stack is the address following the copied instruction.  We
0546  * need to make it the address following the original instruction (FIX_CALL).
0547  *
0548  * If the original instruction was a rip-relative instruction such as
0549  * "movl %edx,0xnnnn(%rip)", we have instead executed an equivalent
0550  * instruction using a scratch register -- e.g., "movl %edx,0xnnnn(%rsi)".
0551  * We need to restore the contents of the scratch register
0552  * (FIX_RIP_reg).
0553  */
0554 static int default_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0555 {
0556     struct uprobe_task *utask = current->utask;
0557
0558     riprel_post_xol(auprobe, regs);
0559     if (auprobe->defparam.fixups & UPROBE_FIX_IP) {
0560         long correction = utask->vaddr - utask->xol_vaddr;
0561         regs->ip += correction;
0562     } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
0563         regs->sp += sizeof_long(regs); /* Pop incorrect return address */
0564         if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen))
0565             return -ERESTART;
0566     }
0567     /* popf; tell the caller to not touch TF */
0568     if (auprobe->defparam.fixups & UPROBE_FIX_SETF)
0569         utask->autask.saved_tf = true;
0570
0571     return 0;
0572 }
0573
0574 static void default_abort_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0575 {
0576     riprel_post_xol(auprobe, regs);
0577 }
0578
0579 static const struct uprobe_xol_ops default_xol_ops = {
0580     .pre_xol  = default_pre_xol_op,
0581     .post_xol = default_post_xol_op,
0582     .abort    = default_abort_op,
0583 };
0584
0585 static bool branch_is_call(struct arch_uprobe *auprobe)
0586 {
0587     return auprobe->branch.opc1 == 0xe8;
0588 }
0589
0590 #define CASE_COND                   \
0591     COND(70, 71, XF(OF))                \
0592     COND(72, 73, XF(CF))                \
0593     COND(74, 75, XF(ZF))                \
0594     COND(78, 79, XF(SF))                \
0595     COND(7a, 7b, XF(PF))                \
0596     COND(76, 77, XF(CF) || XF(ZF))          \
0597     COND(7c, 7d, XF(SF) != XF(OF))          \
0598     COND(7e, 7f, XF(ZF) || XF(SF) != XF(OF))
0599
0600 #define COND(op_y, op_n, expr)              \
0601     case 0x ## op_y: DO((expr) != 0)        \
0602     case 0x ## op_n: DO((expr) == 0)
0603
0604 #define XF(xf)  (!!(flags & X86_EFLAGS_ ## xf))
0605
0606 static bool is_cond_jmp_opcode(u8 opcode)
0607 {
0608     switch (opcode) {
0609     #define DO(expr)    \
0610         return true;
0611     CASE_COND
0612     #undef  DO
0613
0614     default:
0615         return false;
0616     }
0617 }
0618
0619 static bool check_jmp_cond(struct arch_uprobe *auprobe, struct pt_regs *regs)
0620 {
0621     unsigned long flags = regs->flags;
0622
0623     switch (auprobe->branch.opc1) {
0624     #define DO(expr)    \
0625         return expr;
0626     CASE_COND
0627     #undef  DO
0628
0629     default:    /* not a conditional jmp */
0630         return true;
0631     }
0632 }
0633
0634 #undef  XF
0635 #undef  COND
0636 #undef  CASE_COND
0637
0638 static bool branch_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0639 {
0640     unsigned long new_ip = regs->ip += auprobe->branch.ilen;
0641     unsigned long offs = (long)auprobe->branch.offs;
0642
0643     if (branch_is_call(auprobe)) {
0644         /*
0645          * If it fails we execute this (mangled, see the comment in
0646          * branch_clear_offset) insn out-of-line. In the likely case
0647          * this should trigger the trap, and the probed application
0648          * should die or restart the same insn after it handles the
0649          * signal, arch_uprobe_post_xol() won't be even called.
0650          *
0651          * But there is corner case, see the comment in ->post_xol().
0652          */
0653         if (emulate_push_stack(regs, new_ip))
0654             return false;
0655     } else if (!check_jmp_cond(auprobe, regs)) {
0656         offs = 0;
0657     }
0658
0659     regs->ip = new_ip + offs;
0660     return true;
0661 }
0662
0663 static bool push_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0664 {
0665     unsigned long *src_ptr = (void *)regs + auprobe->push.reg_offset;
0666
0667     if (emulate_push_stack(regs, *src_ptr))
0668         return false;
0669     regs->ip += auprobe->push.ilen;
0670     return true;
0671 }
0672
0673 static int branch_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
0674 {
0675     BUG_ON(!branch_is_call(auprobe));
0676     /*
0677      * We can only get here if branch_emulate_op() failed to push the ret
0678      * address _and_ another thread expanded our stack before the (mangled)
0679      * "call" insn was executed out-of-line. Just restore ->sp and restart.
0680      * We could also restore ->ip and try to call branch_emulate_op() again.
0681      */
0682     regs->sp += sizeof_long(regs);
0683     return -ERESTART;
0684 }
0685
0686 static void branch_clear_offset(struct arch_uprobe *auprobe, struct insn *insn)
0687 {
0688     /*
0689      * Turn this insn into "call 1f; 1:", this is what we will execute
0690      * out-of-line if ->emulate() fails. We only need this to generate
0691      * a trap, so that the probed task receives the correct signal with
0692      * the properly filled siginfo.
0693      *
0694      * But see the comment in ->post_xol(), in the unlikely case it can
0695      * succeed. So we need to ensure that the new ->ip can not fall into
0696      * the non-canonical area and trigger #GP.
0697      *
0698      * We could turn it into (say) "pushf", but then we would need to
0699      * divorce ->insn[] and ->ixol[]. We need to preserve the 1st byte
0700      * of ->insn[] for set_orig_insn().
0701      */
0702     memset(auprobe->insn + insn_offset_immediate(insn),
0703         0, insn->immediate.nbytes);
0704 }
0705
0706 static const struct uprobe_xol_ops branch_xol_ops = {
0707     .emulate  = branch_emulate_op,
0708     .post_xol = branch_post_xol_op,
0709 };
0710
0711 static const struct uprobe_xol_ops push_xol_ops = {
0712     .emulate  = push_emulate_op,
0713 };
0714
0715 /* Returns -ENOSYS if branch_xol_ops doesn't handle this insn */
0716 static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
0717 {
0718     u8 opc1 = OPCODE1(insn);
0719     insn_byte_t p;
0720     int i;
0721
0722     switch (opc1) {
0723     case 0xeb:  /* jmp 8 */
0724     case 0xe9:  /* jmp 32 */
0725     case 0x90:  /* prefix* + nop; same as jmp with .offs = 0 */
0726         break;
0727
0728     case 0xe8:  /* call relative */
0729         branch_clear_offset(auprobe, insn);
0730         break;
0731
0732     case 0x0f:
0733         if (insn->opcode.nbytes != 2)
0734             return -ENOSYS;
0735         /*
0736          * If it is a "near" conditional jmp, OPCODE2() - 0x10 matches
0737          * OPCODE1() of the "short" jmp which checks the same condition.
0738          */
0739         opc1 = OPCODE2(insn) - 0x10;
0740         fallthrough;
0741     default:
0742         if (!is_cond_jmp_opcode(opc1))
0743             return -ENOSYS;
0744     }
0745
0746     /*
0747      * 16-bit overrides such as CALLW (66 e8 nn nn) are not supported.
0748      * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
0749      * No one uses these insns, reject any branch insns with such prefix.
0750      */
0751     for_each_insn_prefix(insn, i, p) {
0752         if (p == 0x66)
0753             return -ENOTSUPP;
0754     }
0755
0756     auprobe->branch.opc1 = opc1;
0757     auprobe->branch.ilen = insn->length;
0758     auprobe->branch.offs = insn->immediate.value;
0759
0760     auprobe->ops = &branch_xol_ops;
0761     return 0;
0762 }
0763
0764 /* Returns -ENOSYS if push_xol_ops doesn't handle this insn */
0765 static int push_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
0766 {
0767     u8 opc1 = OPCODE1(insn), reg_offset = 0;
0768
0769     if (opc1 < 0x50 || opc1 > 0x57)
0770         return -ENOSYS;
0771
0772     if (insn->length > 2)
0773         return -ENOSYS;
0774     if (insn->length == 2) {
0775         /* only support rex_prefix 0x41 (x64 only) */
0776 #ifdef CONFIG_X86_64
0777         if (insn->rex_prefix.nbytes != 1 ||
0778             insn->rex_prefix.bytes[0] != 0x41)
0779             return -ENOSYS;
0780
0781         switch (opc1) {
0782         case 0x50:
0783             reg_offset = offsetof(struct pt_regs, r8);
0784             break;
0785         case 0x51:
0786             reg_offset = offsetof(struct pt_regs, r9);
0787             break;
0788         case 0x52:
0789             reg_offset = offsetof(struct pt_regs, r10);
0790             break;
0791         case 0x53:
0792             reg_offset = offsetof(struct pt_regs, r11);
0793             break;
0794         case 0x54:
0795             reg_offset = offsetof(struct pt_regs, r12);
0796             break;
0797         case 0x55:
0798             reg_offset = offsetof(struct pt_regs, r13);
0799             break;
0800         case 0x56:
0801             reg_offset = offsetof(struct pt_regs, r14);
0802             break;
0803         case 0x57:
0804             reg_offset = offsetof(struct pt_regs, r15);
0805             break;
0806         }
0807 #else
0808         return -ENOSYS;
0809 #endif
0810     } else {
0811         switch (opc1) {
0812         case 0x50:
0813             reg_offset = offsetof(struct pt_regs, ax);
0814             break;
0815         case 0x51:
0816             reg_offset = offsetof(struct pt_regs, cx);
0817             break;
0818         case 0x52:
0819             reg_offset = offsetof(struct pt_regs, dx);
0820             break;
0821         case 0x53:
0822             reg_offset = offsetof(struct pt_regs, bx);
0823             break;
0824         case 0x54:
0825             reg_offset = offsetof(struct pt_regs, sp);
0826             break;
0827         case 0x55:
0828             reg_offset = offsetof(struct pt_regs, bp);
0829             break;
0830         case 0x56:
0831             reg_offset = offsetof(struct pt_regs, si);
0832             break;
0833         case 0x57:
0834             reg_offset = offsetof(struct pt_regs, di);
0835             break;
0836         }
0837     }
0838
0839     auprobe->push.reg_offset = reg_offset;
0840     auprobe->push.ilen = insn->length;
0841     auprobe->ops = &push_xol_ops;
0842     return 0;
0843 }
0844
0845 /**
0846  * arch_uprobe_analyze_insn - instruction analysis including validity and fixups.
0847  * @auprobe: the probepoint information.
0848  * @mm: the probed address space.
0849  * @addr: virtual address at which to install the probepoint
0850  * Return 0 on success or a -ve number on error.
0851  */
0852 int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, unsigned long addr)
0853 {
0854     struct insn insn;
0855     u8 fix_ip_or_call = UPROBE_FIX_IP;
0856     int ret;
0857
0858     ret = uprobe_init_insn(auprobe, &insn, is_64bit_mm(mm));
0859     if (ret)
0860         return ret;
0861
0862     ret = branch_setup_xol_ops(auprobe, &insn);
0863     if (ret != -ENOSYS)
0864         return ret;
0865
0866     ret = push_setup_xol_ops(auprobe, &insn);
0867     if (ret != -ENOSYS)
0868         return ret;
0869
0870     /*
0871      * Figure out which fixups default_post_xol_op() will need to perform,
0872      * and annotate defparam->fixups accordingly.
0873      */
0874     switch (OPCODE1(&insn)) {
0875     case 0x9d:      /* popf */
0876         auprobe->defparam.fixups |= UPROBE_FIX_SETF;
0877         break;
0878     case 0xc3:      /* ret or lret -- ip is correct */
0879     case 0xcb:
0880     case 0xc2:
0881     case 0xca:
0882     case 0xea:      /* jmp absolute -- ip is correct */
0883         fix_ip_or_call = 0;
0884         break;
0885     case 0x9a:      /* call absolute - Fix return addr, not ip */
0886         fix_ip_or_call = UPROBE_FIX_CALL;
0887         break;
0888     case 0xff:
0889         switch (MODRM_REG(&insn)) {
0890         case 2: case 3:         /* call or lcall, indirect */
0891             fix_ip_or_call = UPROBE_FIX_CALL;
0892             break;
0893         case 4: case 5:         /* jmp or ljmp, indirect */
0894             fix_ip_or_call = 0;
0895             break;
0896         }
0897         fallthrough;
0898     default:
0899         riprel_analyze(auprobe, &insn);
0900     }
0901
0902     auprobe->defparam.ilen = insn.length;
0903     auprobe->defparam.fixups |= fix_ip_or_call;
0904
0905     auprobe->ops = &default_xol_ops;
0906     return 0;
0907 }
0908
0909 /*
0910  * arch_uprobe_pre_xol - prepare to execute out of line.
0911  * @auprobe: the probepoint information.
0912  * @regs: reflects the saved user state of current task.
0913  */
0914 int arch_uprobe_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0915 {
0916     struct uprobe_task *utask = current->utask;
0917
0918     if (auprobe->ops->pre_xol) {
0919         int err = auprobe->ops->pre_xol(auprobe, regs);
0920         if (err)
0921             return err;
0922     }
0923
0924     regs->ip = utask->xol_vaddr;
0925     utask->autask.saved_trap_nr = current->thread.trap_nr;
0926     current->thread.trap_nr = UPROBE_TRAP_NR;
0927
0928     utask->autask.saved_tf = !!(regs->flags & X86_EFLAGS_TF);
0929     regs->flags |= X86_EFLAGS_TF;
0930     if (test_tsk_thread_flag(current, TIF_BLOCKSTEP))
0931         set_task_blockstep(current, false);
0932
0933     return 0;
0934 }
0935
0936 /*
0937  * If xol insn itself traps and generates a signal(Say,
0938  * SIGILL/SIGSEGV/etc), then detect the case where a singlestepped
0939  * instruction jumps back to its own address. It is assumed that anything
0940  * like do_page_fault/do_trap/etc sets thread.trap_nr != -1.
0941  *
0942  * arch_uprobe_pre_xol/arch_uprobe_post_xol save/restore thread.trap_nr,
0943  * arch_uprobe_xol_was_trapped() simply checks that ->trap_nr is not equal to
0944  * UPROBE_TRAP_NR == -1 set by arch_uprobe_pre_xol().
0945  */
0946 bool arch_uprobe_xol_was_trapped(struct task_struct *t)
0947 {
0948     if (t->thread.trap_nr != UPROBE_TRAP_NR)
0949         return true;
0950
0951     return false;
0952 }
0953
0954 /*
0955  * Called after single-stepping. To avoid the SMP problems that can
0956  * occur when we temporarily put back the original opcode to
0957  * single-step, we single-stepped a copy of the instruction.
0958  *
0959  * This function prepares to resume execution after the single-step.
0960  */
0961 int arch_uprobe_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
0962 {
0963     struct uprobe_task *utask = current->utask;
0964     bool send_sigtrap = utask->autask.saved_tf;
0965     int err = 0;
0966
0967     WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR);
0968     current->thread.trap_nr = utask->autask.saved_trap_nr;
0969
0970     if (auprobe->ops->post_xol) {
0971         err = auprobe->ops->post_xol(auprobe, regs);
0972         if (err) {
0973             /*
0974              * Restore ->ip for restart or post mortem analysis.
0975              * ->post_xol() must not return -ERESTART unless this
0976              * is really possible.
0977              */
0978             regs->ip = utask->vaddr;
0979             if (err == -ERESTART)
0980                 err = 0;
0981             send_sigtrap = false;
0982         }
0983     }
0984     /*
0985      * arch_uprobe_pre_xol() doesn't save the state of TIF_BLOCKSTEP
0986      * so we can get an extra SIGTRAP if we do not clear TF. We need
0987      * to examine the opcode to make it right.
0988      */
0989     if (send_sigtrap)
0990         send_sig(SIGTRAP, current, 0);
0991
0992     if (!utask->autask.saved_tf)
0993         regs->flags &= ~X86_EFLAGS_TF;
0994
0995     return err;
0996 }
0997
0998 /* callback routine for handling exceptions. */
0999 int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data)
1000 {
1001     struct die_args *args = data;
1002     struct pt_regs *regs = args->regs;
1003     int ret = NOTIFY_DONE;
1004
1005     /* We are only interested in userspace traps */
1006     if (regs && !user_mode(regs))
1007         return NOTIFY_DONE;
1008
1009     switch (val) {
1010     case DIE_INT3:
1011         if (uprobe_pre_sstep_notifier(regs))
1012             ret = NOTIFY_STOP;
1013
1014         break;
1015
1016     case DIE_DEBUG:
1017         if (uprobe_post_sstep_notifier(regs))
1018             ret = NOTIFY_STOP;
1019
1020         break;
1021
1022     default:
1023         break;
1024     }
1025
1026     return ret;
1027 }
1028
1029 /*
1030  * This function gets called when XOL instruction either gets trapped or
1031  * the thread has a fatal signal. Reset the instruction pointer to its
1032  * probed address for the potential restart or for post mortem analysis.
1033  */
1034 void arch_uprobe_abort_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
1035 {
1036     struct uprobe_task *utask = current->utask;
1037
1038     if (auprobe->ops->abort)
1039         auprobe->ops->abort(auprobe, regs);
1040
1041     current->thread.trap_nr = utask->autask.saved_trap_nr;
1042     regs->ip = utask->vaddr;
1043     /* clear TF if it was set by us in arch_uprobe_pre_xol() */
1044     if (!utask->autask.saved_tf)
1045         regs->flags &= ~X86_EFLAGS_TF;
1046 }
1047
1048 static bool __skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1049 {
1050     if (auprobe->ops->emulate)
1051         return auprobe->ops->emulate(auprobe, regs);
1052     return false;
1053 }
1054
1055 bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1056 {
1057     bool ret = __skip_sstep(auprobe, regs);
1058     if (ret && (regs->flags & X86_EFLAGS_TF))
1059         send_sig(SIGTRAP, current, 0);
1060     return ret;
1061 }
1062
1063 unsigned long
1064 arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
1065 {
1066     int rasize = sizeof_long(regs), nleft;
1067     unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
1068
1069     if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
1070         return -1;
1071
1072     /* check whether address has been already hijacked */
1073     if (orig_ret_vaddr == trampoline_vaddr)
1074         return orig_ret_vaddr;
1075
1076     nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
1077     if (likely(!nleft))
1078         return orig_ret_vaddr;
1079
1080     if (nleft != rasize) {
1081         pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n",
1082                current->pid, regs->sp, regs->ip);
1083
1084         force_sig(SIGSEGV);
1085     }
1086
1087     return -1;
1088 }
1089
1090 bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
1091                 struct pt_regs *regs)
1092 {
1093     if (ctx == RP_CHECK_CALL) /* sp was just decremented by "call" insn */
1094         return regs->sp < ret->stack;
1095     else
1096         return regs->sp <= ret->stack;
1097 }