This patchset adds support for basic kernel probes(kprobes), jump probes(jprobes) and return probes(kretprobes) support for AArch64.
This kprobes mechanism make use of software breakpoint and single stepping support available in ARM v8 kernel.
Basic verification is done with sample test modules available as part of "samples/kprobes/" running on ARM v8 fast model (RTSM).
Patch 1 (AArch64-Add-single-step-and-breakpoint-handler-hooks.patch) is v3 version of: http://permalink.gmane.org/gmane.linux.ports.arm.kernel/269733
Changes: v2 -> v3 - Renamed break_lock to break_hook_lock - Use rcu protected list traversal for step_hook - eliminated addr argument for debug hooks, now callback functions shall extract address from pt_regs instead. - refined entry.S changes only to handler 'BRK64' esr value.
Patch 2 (arm64-Kernel-code-patching-support.patch) implement basic code patching support needed for kprobes. Similar api is published earlier on LKML/LAKML as part of jump label support: https://lkml.org/lkml/2013/9/25/250 However, for kprobes some changes required with that version, can rebase on new version of patch from Jiang.
Sandeepa Prabhu (5): AArch64: Add single-step and breakpoint handler hooks arm64: Kernel code patching support AArch64: Instruction simulation and decode support AArch64: Add Kprobes support for ARM v8 kernel AArch64: Support kretprobe support for ARM v8
arch/arm64/Kconfig | 2 + arch/arm64/include/asm/debug-monitors.h | 23 ++ arch/arm64/include/asm/kprobes.h | 58 +++ arch/arm64/include/asm/probes.h | 48 +++ arch/arm64/include/asm/ptrace.h | 6 + arch/arm64/kernel/Makefile | 2 + arch/arm64/kernel/debug-monitors.c | 85 ++++- arch/arm64/kernel/entry.S | 2 + arch/arm64/kernel/kprobes-arm64.c | 245 ++++++++++++ arch/arm64/kernel/kprobes-arm64.h | 26 ++ arch/arm64/kernel/kprobes.c | 642 ++++++++++++++++++++++++++++++++ arch/arm64/kernel/kprobes.h | 28 ++ arch/arm64/kernel/patch.c | 58 +++ arch/arm64/kernel/patch.h | 20 + arch/arm64/kernel/probes-aarch64.c | 235 ++++++++++++ arch/arm64/kernel/probes-aarch64.h | 127 +++++++ arch/arm64/kernel/probes-common.c | 117 ++++++ arch/arm64/kernel/vmlinux.lds.S | 1 + 18 files changed, 1722 insertions(+), 3 deletions(-) create mode 100644 arch/arm64/include/asm/kprobes.h create mode 100644 arch/arm64/include/asm/probes.h create mode 100644 arch/arm64/kernel/kprobes-arm64.c create mode 100644 arch/arm64/kernel/kprobes-arm64.h create mode 100644 arch/arm64/kernel/kprobes.c create mode 100644 arch/arm64/kernel/kprobes.h create mode 100644 arch/arm64/kernel/patch.c create mode 100644 arch/arm64/kernel/patch.h create mode 100644 arch/arm64/kernel/probes-aarch64.c create mode 100644 arch/arm64/kernel/probes-aarch64.h create mode 100644 arch/arm64/kernel/probes-common.c
AArch64 Single Steping and Breakpoint debug exceptions will be used by multiple debug framworks like kprobes & kgdb.
This patch implements the hooks for those frameworks to register their own handlers for handling breakpoint and single step events.
Reworked the debug exception handler in entry.S: do_dbg to route software breakpoint (BRK64) exception to do_debug_exception()
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org Signed-off-by: Deepak Saxena dsaxena@linaro.org --- arch/arm64/include/asm/debug-monitors.h | 23 +++++++++ arch/arm64/kernel/debug-monitors.c | 85 +++++++++++++++++++++++++++++++-- arch/arm64/kernel/entry.S | 2 + 3 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h index a2232d0..8e354b3 100644 --- a/arch/arm64/include/asm/debug-monitors.h +++ b/arch/arm64/include/asm/debug-monitors.h @@ -16,6 +16,8 @@ #ifndef __ASM_DEBUG_MONITORS_H #define __ASM_DEBUG_MONITORS_H
+#include <linux/rculist.h> + #ifdef __KERNEL__
#define DBG_ESR_EVT(x) (((x) >> 27) & 0x7) @@ -62,6 +64,27 @@ struct task_struct;
#define DBG_ARCH_ID_RESERVED 0 /* In case of ptrace ABI updates. */
+#define DEBUG_HOOK_HANDLED 0 +#define DEBUG_HOOK_ERROR 1 + +struct step_hook { + struct list_head node; + int (*fn)(struct pt_regs *regs, unsigned int esr); +}; + +void register_step_hook(struct step_hook *hook); +void unregister_step_hook(struct step_hook *hook); + +struct break_hook { + struct list_head node; + u32 esr_val; + u32 esr_mask; + int (*fn)(struct pt_regs *regs, unsigned int esr); +}; + +void register_break_hook(struct break_hook *hook); +void unregister_break_hook(struct break_hook *hook); + u8 debug_monitors_arch(void);
void enable_debug_monitors(enum debug_el el); diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index cbfacf7..fbbf824 100644 --- a/arch/arm64/kernel/debug-monitors.c +++ b/arch/arm64/kernel/debug-monitors.c @@ -188,6 +188,43 @@ static void clear_regs_spsr_ss(struct pt_regs *regs) regs->pstate = spsr; }
+/* EL1 Single Step Handler hooks */ +static LIST_HEAD(step_hook); + +void register_step_hook(struct step_hook *hook) +{ + list_add_rcu(&hook->node, &step_hook); +} + +void unregister_step_hook(struct step_hook *hook) +{ + list_del_rcu(&hook->node); +} + +/* + * Call registered single step handers + * There is no Syndrome info to check for determining the handler. + * So we call all the registered handlers, until the right handler is + * found which returns zero. + */ +static int call_step_hook(struct pt_regs *regs, unsigned int esr) +{ + struct step_hook *hook; + int retval = DEBUG_HOOK_ERROR; + + rcu_read_lock(); + + list_for_each_entry_rcu(hook, &step_hook, node) { + retval = hook->fn(regs, esr); + if (retval == DEBUG_HOOK_HANDLED) + break; + } + + rcu_read_unlock(); + + return retval; +} + static int single_step_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { @@ -215,8 +252,11 @@ static int single_step_handler(unsigned long addr, unsigned int esr, */ user_rewind_single_step(current); } else { - /* TODO: route to KGDB */ - pr_warning("Unexpected kernel single-step exception at EL1\n"); + /* Call single step handlers for kgdb/kprobes */ + if (call_step_hook(regs, esr) == DEBUG_HOOK_HANDLED) + return 0; + + pr_warn("unexpected single step exception at %lx!\n", addr); /* * Re-enable stepping since we know that we will be * returning to regs. @@ -227,11 +267,50 @@ static int single_step_handler(unsigned long addr, unsigned int esr, return 0; }
+ +static LIST_HEAD(break_hook); +static DEFINE_RAW_SPINLOCK(break_hook_lock); + +void register_break_hook(struct break_hook *hook) +{ + raw_spin_lock(&break_hook_lock); + list_add(&hook->node, &break_hook); + raw_spin_unlock(&break_hook_lock); +} + +void unregister_break_hook(struct break_hook *hook) +{ + raw_spin_lock(&break_hook_lock); + list_del(&hook->node); + raw_spin_unlock(&break_hook_lock); +} + +static int call_break_hook(struct pt_regs *regs, unsigned int esr) +{ + struct break_hook *hook; + int (*fn)(struct pt_regs *regs, unsigned int esr) = NULL; + + raw_spin_lock(&break_hook_lock); + list_for_each_entry(hook, &break_hook, node) + if ((esr & hook->esr_mask) == hook->esr_val) + fn = hook->fn; + raw_spin_unlock(&break_hook_lock); + + return fn ? fn(regs, esr) : DEBUG_HOOK_ERROR; +} + static int brk_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { siginfo_t info;
+ /* call single step handlers for kgdb/kprobes */ + if (call_break_hook(regs, esr) == DEBUG_HOOK_HANDLED) + return 0; + + pr_warn("unexpected brk exception at %llx, esr=0x%x\n", + instruction_pointer(regs), esr); + if (!user_mode(regs)) return -EFAULT;
@@ -291,7 +370,7 @@ static int __init debug_traps_init(void) hook_debug_fault_code(DBG_ESR_EVT_HWSS, single_step_handler, SIGTRAP, TRAP_HWBKPT, "single-step handler"); hook_debug_fault_code(DBG_ESR_EVT_BRK, brk_handler, SIGTRAP, - TRAP_BRKPT, "ptrace BRK handler"); + TRAP_BRKPT, "AArch64 BRK handler"); return 0; } arch_initcall(debug_traps_init); diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 3881fd1..7fbc510 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -288,6 +288,8 @@ el1_dbg: /* * Debug exception handling */ + cmp x24, #ESR_EL1_EC_BRK64 // if BRK64 + cinc x24, x24, eq // set bit '0' tbz x24, #0, el1_inv // EL1 only mrs x0, far_el1 mov x2, sp // struct pt_regs
On Tue, Oct 01, 2013 at 04:57:56PM +0100, Sandeepa Prabhu wrote:
AArch64 Single Steping and Breakpoint debug exceptions will be used by multiple debug framworks like kprobes & kgdb.
This patch implements the hooks for those frameworks to register their own handlers for handling breakpoint and single step events.
Reworked the debug exception handler in entry.S: do_dbg to route software breakpoint (BRK64) exception to do_debug_exception()
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org Signed-off-by: Deepak Saxena dsaxena@linaro.org
arch/arm64/include/asm/debug-monitors.h | 23 +++++++++ arch/arm64/kernel/debug-monitors.c | 85 +++++++++++++++++++++++++++++++-- arch/arm64/kernel/entry.S | 2 + 3 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h index a2232d0..8e354b3 100644 --- a/arch/arm64/include/asm/debug-monitors.h +++ b/arch/arm64/include/asm/debug-monitors.h @@ -16,6 +16,8 @@ #ifndef __ASM_DEBUG_MONITORS_H #define __ASM_DEBUG_MONITORS_H +#include <linux/rculist.h>
#ifdef __KERNEL__ #define DBG_ESR_EVT(x) (((x) >> 27) & 0x7) @@ -62,6 +64,27 @@ struct task_struct; #define DBG_ARCH_ID_RESERVED 0 /* In case of ptrace ABI updates. */ +#define DEBUG_HOOK_HANDLED 0 +#define DEBUG_HOOK_ERROR 1
Cosmetic: we use DBG vs DEBUG in the rest of this header.
+struct step_hook {
- struct list_head node;
- int (*fn)(struct pt_regs *regs, unsigned int esr);
+};
+void register_step_hook(struct step_hook *hook); +void unregister_step_hook(struct step_hook *hook);
+struct break_hook {
- struct list_head node;
- u32 esr_val;
- u32 esr_mask;
- int (*fn)(struct pt_regs *regs, unsigned int esr);
+};
+void register_break_hook(struct break_hook *hook); +void unregister_break_hook(struct break_hook *hook);
u8 debug_monitors_arch(void); void enable_debug_monitors(enum debug_el el); diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index cbfacf7..fbbf824 100644 --- a/arch/arm64/kernel/debug-monitors.c +++ b/arch/arm64/kernel/debug-monitors.c @@ -188,6 +188,43 @@ static void clear_regs_spsr_ss(struct pt_regs *regs) regs->pstate = spsr; } +/* EL1 Single Step Handler hooks */ +static LIST_HEAD(step_hook);
+void register_step_hook(struct step_hook *hook) +{
- list_add_rcu(&hook->node, &step_hook);
+}
This isn't safe against concurrent registrations. Why don't you use an rwlock instead? Then you take the writer lock here...
+/*
- Call registered single step handers
- There is no Syndrome info to check for determining the handler.
- So we call all the registered handlers, until the right handler is
- found which returns zero.
- */
+static int call_step_hook(struct pt_regs *regs, unsigned int esr) +{
- struct step_hook *hook;
- int retval = DEBUG_HOOK_ERROR;
- rcu_read_lock();
... and the reader lock here.
- list_for_each_entry_rcu(hook, &step_hook, node) {
retval = hook->fn(regs, esr);if (retval == DEBUG_HOOK_HANDLED)break;- }
- rcu_read_unlock();
- return retval;
+}
static int single_step_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { @@ -215,8 +252,11 @@ static int single_step_handler(unsigned long addr, unsigned int esr, */ user_rewind_single_step(current); } else {
/* TODO: route to KGDB */pr_warning("Unexpected kernel single-step exception at EL1\n");
/* Call single step handlers for kgdb/kprobes */
Useless comment.
if (call_step_hook(regs, esr) == DEBUG_HOOK_HANDLED)return 0;pr_warn("unexpected single step exception at %lx!\n", addr);
Why have you reworded this warning?
/* * Re-enable stepping since we know that we will be * returning to regs.@@ -227,11 +267,50 @@ static int single_step_handler(unsigned long addr, unsigned int esr, return 0; }
+static LIST_HEAD(break_hook); +static DEFINE_RAW_SPINLOCK(break_hook_lock);
+void register_break_hook(struct break_hook *hook) +{
- raw_spin_lock(&break_hook_lock);
- list_add(&hook->node, &break_hook);
- raw_spin_unlock(&break_hook_lock);
+}
+void unregister_break_hook(struct break_hook *hook) +{
- raw_spin_lock(&break_hook_lock);
- list_del(&hook->node);
- raw_spin_unlock(&break_hook_lock);
+}
+static int call_break_hook(struct pt_regs *regs, unsigned int esr) +{
- struct break_hook *hook;
- int (*fn)(struct pt_regs *regs, unsigned int esr) = NULL;
- raw_spin_lock(&break_hook_lock);
- list_for_each_entry(hook, &break_hook, node)
if ((esr & hook->esr_mask) == hook->esr_val)fn = hook->fn;- raw_spin_unlock(&break_hook_lock);
- return fn ? fn(regs, esr) : DEBUG_HOOK_ERROR;
+}
static int brk_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { siginfo_t info;
- /* call single step handlers for kgdb/kprobes */
- if (call_break_hook(regs, esr) == DEBUG_HOOK_HANDLED)
return 0;- pr_warn("unexpected brk exception at %llx, esr=0x%x\n",
instruction_pointer(regs), esr);
%lx for the pc.
Will
On 3 October 2013 22:23, Will Deacon will.deacon@arm.com wrote:
On Tue, Oct 01, 2013 at 04:57:56PM +0100, Sandeepa Prabhu wrote:
AArch64 Single Steping and Breakpoint debug exceptions will be used by multiple debug framworks like kprobes & kgdb.
This patch implements the hooks for those frameworks to register their own handlers for handling breakpoint and single step events.
Reworked the debug exception handler in entry.S: do_dbg to route software breakpoint (BRK64) exception to do_debug_exception()
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org Signed-off-by: Deepak Saxena dsaxena@linaro.org
arch/arm64/include/asm/debug-monitors.h | 23 +++++++++ arch/arm64/kernel/debug-monitors.c | 85 +++++++++++++++++++++++++++++++-- arch/arm64/kernel/entry.S | 2 + 3 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h index a2232d0..8e354b3 100644 --- a/arch/arm64/include/asm/debug-monitors.h +++ b/arch/arm64/include/asm/debug-monitors.h @@ -16,6 +16,8 @@ #ifndef __ASM_DEBUG_MONITORS_H #define __ASM_DEBUG_MONITORS_H
+#include <linux/rculist.h>
#ifdef __KERNEL__
#define DBG_ESR_EVT(x) (((x) >> 27) & 0x7) @@ -62,6 +64,27 @@ struct task_struct;
#define DBG_ARCH_ID_RESERVED 0 /* In case of ptrace ABI updates. */
+#define DEBUG_HOOK_HANDLED 0 +#define DEBUG_HOOK_ERROR 1
Cosmetic: we use DBG vs DEBUG in the rest of this header.
Ok, I'll change it to DBG_*
+struct step_hook {
struct list_head node;int (*fn)(struct pt_regs *regs, unsigned int esr);+};
+void register_step_hook(struct step_hook *hook); +void unregister_step_hook(struct step_hook *hook);
+struct break_hook {
struct list_head node;u32 esr_val;u32 esr_mask;int (*fn)(struct pt_regs *regs, unsigned int esr);+};
+void register_break_hook(struct break_hook *hook); +void unregister_break_hook(struct break_hook *hook);
u8 debug_monitors_arch(void);
void enable_debug_monitors(enum debug_el el); diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index cbfacf7..fbbf824 100644 --- a/arch/arm64/kernel/debug-monitors.c +++ b/arch/arm64/kernel/debug-monitors.c @@ -188,6 +188,43 @@ static void clear_regs_spsr_ss(struct pt_regs *regs) regs->pstate = spsr; }
+/* EL1 Single Step Handler hooks */ +static LIST_HEAD(step_hook);
+void register_step_hook(struct step_hook *hook) +{
list_add_rcu(&hook->node, &step_hook);+}
This isn't safe against concurrent registrations. Why don't you use an rwlock instead? Then you take the writer lock here...
+/*
- Call registered single step handers
- There is no Syndrome info to check for determining the handler.
- So we call all the registered handlers, until the right handler is
- found which returns zero.
- */
+static int call_step_hook(struct pt_regs *regs, unsigned int esr) +{
struct step_hook *hook;int retval = DEBUG_HOOK_ERROR;rcu_read_lock();... and the reader lock here.
Hmm, rwlock sounds good, there wont be lock contention when concurrent handlers on different CPU. I will change it to rwlocks, can be used for call_break_hook as well instead of normal spin-lock to reduce contention.
list_for_each_entry_rcu(hook, &step_hook, node) {retval = hook->fn(regs, esr);if (retval == DEBUG_HOOK_HANDLED)break;}rcu_read_unlock();return retval;+}
static int single_step_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { @@ -215,8 +252,11 @@ static int single_step_handler(unsigned long addr, unsigned int esr, */ user_rewind_single_step(current); } else {
/* TODO: route to KGDB */pr_warning("Unexpected kernel single-step exception at EL1\n");
/* Call single step handlers for kgdb/kprobes */Useless comment.
I will re-frame, how about simple "Call registered single step hook functions" ?
if (call_step_hook(regs, esr) == DEBUG_HOOK_HANDLED)return 0;pr_warn("unexpected single step exception at %lx!\n", addr);Why have you reworded this warning?
oops, mistake it was debug change to print addr, revert it in next version.
/* * Re-enable stepping since we know that we will be * returning to regs.@@ -227,11 +267,50 @@ static int single_step_handler(unsigned long addr, unsigned int esr, return 0; }
+static LIST_HEAD(break_hook); +static DEFINE_RAW_SPINLOCK(break_hook_lock);
+void register_break_hook(struct break_hook *hook) +{
raw_spin_lock(&break_hook_lock);list_add(&hook->node, &break_hook);raw_spin_unlock(&break_hook_lock);+}
+void unregister_break_hook(struct break_hook *hook) +{
raw_spin_lock(&break_hook_lock);list_del(&hook->node);raw_spin_unlock(&break_hook_lock);+}
+static int call_break_hook(struct pt_regs *regs, unsigned int esr) +{
struct break_hook *hook;int (*fn)(struct pt_regs *regs, unsigned int esr) = NULL;raw_spin_lock(&break_hook_lock);list_for_each_entry(hook, &break_hook, node)if ((esr & hook->esr_mask) == hook->esr_val)fn = hook->fn;raw_spin_unlock(&break_hook_lock);return fn ? fn(regs, esr) : DEBUG_HOOK_ERROR;+}
static int brk_handler(unsigned long addr, unsigned int esr, struct pt_regs *regs) { siginfo_t info;
/* call single step handlers for kgdb/kprobes */if (call_break_hook(regs, esr) == DEBUG_HOOK_HANDLED)return 0;pr_warn("unexpected brk exception at %llx, esr=0x%x\n",instruction_pointer(regs), esr);%lx for the pc.
Hmm, shall correct it in v4.
Will
Implement API for kernel code section. These API supports modifying kernel text section, one instruction at a time.
This functionality will be used in kprobes handlers to place/replace software breakpoints, kprobe breakpoints cannot be placed inside these handlers so will be added under __kprobes section.
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org --- arch/arm64/kernel/patch.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/patch.h | 20 ++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 arch/arm64/kernel/patch.c create mode 100644 arch/arm64/kernel/patch.h
diff --git a/arch/arm64/kernel/patch.c b/arch/arm64/kernel/patch.c new file mode 100644 index 0000000..880742d --- /dev/null +++ b/arch/arm64/kernel/patch.c @@ -0,0 +1,58 @@ +/* + * arch/arm64/kernel/patch.c + * + * Copyright (C) 2013 Linaro Limited. + * Based on arch/arm/kernel/patch.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ +#include <linux/kernel.h> +#include <linux/stop_machine.h> +#include <asm/cacheflush.h> +#include <asm/smp_plat.h> + +#include "patch.h" + +struct patch { + void *addr; + unsigned int insn; +}; + +/* Patching kernel text -AArch64 mode */ +void __kprobes __patch_text(void *addr, unsigned int insn) +{ + int size = sizeof(u32); + + /* AArch64 32-bit alignment check */ + if ((unsigned long)addr % size) + return; + + /* little-endian mode: does it work for big-endian mode? */ + *(u32 *) addr = insn; + + flush_icache_range((uintptr_t) (addr), (uintptr_t) (addr) + size); +} + +static int __kprobes patch_text_stop_machine(void *data) +{ + struct patch *patch = data; + + __patch_text(patch->addr, patch->insn); + return 0; +} + +void __kprobes patch_text(void *addr, unsigned int insn) +{ + struct patch patch = { + .addr = addr, + .insn = insn, + }; + stop_machine(patch_text_stop_machine, &patch, cpu_online_mask); +} diff --git a/arch/arm64/kernel/patch.h b/arch/arm64/kernel/patch.h new file mode 100644 index 0000000..e9d5e75 --- /dev/null +++ b/arch/arm64/kernel/patch.h @@ -0,0 +1,20 @@ +/* + * arch/arm/kernel/patch.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#ifndef _AARCH64_KERNEL_PATCH_H +#define _AARCH64_KERNEL_PATCH_H + +void patch_text(void *addr, unsigned int insn); +void __patch_text(void *addr, unsigned int insn); + +#endif /* _AARCH64_KERNEL_PATCH_H */
Support for v8 instruction decoding and simulation is implemented, which are common for use by kprobes as well as uprobes.
Kprobes/uprobes on ARM64 is leveraged on single-stepping of instruction from a out-of-line memory slot.
The instructions that use PC-relative access can not be stepped from out-of-line memory slot, so are simulated in C code using the saved copy of pt_regs.
This patch implements helper macros and data structures for building instruction decode table, along with handlers for instruction prepare and simulation.
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org --- arch/arm64/include/asm/probes.h | 48 ++++++++ arch/arm64/kernel/probes-aarch64.c | 235 +++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/probes-aarch64.h | 127 ++++++++++++++++++++ arch/arm64/kernel/probes-common.c | 117 ++++++++++++++++++ 4 files changed, 527 insertions(+) create mode 100644 arch/arm64/include/asm/probes.h create mode 100644 arch/arm64/kernel/probes-aarch64.c create mode 100644 arch/arm64/kernel/probes-aarch64.h create mode 100644 arch/arm64/kernel/probes-common.c
diff --git a/arch/arm64/include/asm/probes.h b/arch/arm64/include/asm/probes.h new file mode 100644 index 0000000..8d4355e --- /dev/null +++ b/arch/arm64/include/asm/probes.h @@ -0,0 +1,48 @@ +/* + * arch/arm64/include/asm/probes.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ +#ifndef _ARM_PROBES_H +#define _ARM_PROBES_H + +struct kprobe; +struct arch_specific_insn; + +typedef u32 kprobe_opcode_t; +typedef unsigned long (kprobes_pstate_check_t)(unsigned long); +typedef unsigned long +(kprobes_condition_check_t)(struct kprobe *, struct pt_regs *); +typedef void +(kprobes_prepare_t)(struct kprobe *, struct arch_specific_insn *); +typedef void (kprobes_handler_t) (struct kprobe *, struct pt_regs *); + +typedef enum { + NO_RESTORE, + RESTORE_PC, +} pc_restore_t; + +struct kprobe_pc_restore { + pc_restore_t type; + unsigned long addr; +}; + +/* architecture specific copy of original instruction */ +struct arch_specific_insn { + kprobe_opcode_t *insn; + kprobes_pstate_check_t *pstate_cc; + kprobes_condition_check_t *check_condn; + kprobes_prepare_t *prepare; + kprobes_handler_t *handler; + /* restore address after step xol */ + struct kprobe_pc_restore restore; +}; + +#endif diff --git a/arch/arm64/kernel/probes-aarch64.c b/arch/arm64/kernel/probes-aarch64.c new file mode 100644 index 0000000..0163129 --- /dev/null +++ b/arch/arm64/kernel/probes-aarch64.c @@ -0,0 +1,235 @@ +/* + * arch/arm64/kernel/probes-aarch64.c + * + * Copyright (C) 2013 Linaro Limited. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#include <linux/kernel.h> +#include <linux/kprobes.h> +#include <linux/module.h> + +#include "probes-aarch64.h" + +#define sign_extend(x, signbit) \ + ((x) | (0 - ((x) & (1 << (signbit))))) + +#define bbl_displacement(insn) \ + sign_extend(((insn) & 0x3ffffff) << 2, 27) + +#define bcond_displacement(insn) \ + sign_extend(((insn >> 5) & 0xfffff) << 2, 21) + +#define cbz_displacement(insn) \ + sign_extend(((insn >> 5) & 0xfffff) << 2, 21) + +#define tbz_displacement(insn) \ + sign_extend(((insn >> 5) & 0x3fff) << 2, 15) + +#define ldr_displacement(insn) \ + sign_extend(((insn >> 5) & 0xfffff) << 2, 21) + +/* conditional check functions */ +static unsigned long __kprobes +__check_pstate(struct kprobe *p, struct pt_regs *regs) +{ + struct arch_specific_insn *asi = &p->ainsn; + unsigned long pstate = regs->pstate & 0xffffffff; + + return asi->pstate_cc(pstate); +} + +static unsigned long __kprobes +__check_cbz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + int xn = insn & 0x1f; + + return (insn & (1 << 31)) ? + !(regs->regs[xn]) : !(regs->regs[xn] & 0xffffffff); +} + +static unsigned long __kprobes +__check_cbnz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + int xn = insn & 0x1f; + + return (insn & (1 << 31)) ? + (regs->regs[xn]) : (regs->regs[xn] & 0xffffffff); +} + +static unsigned long __kprobes +__check_tbz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + int xn = insn & 0x1f; + int bit_pos = ((insn & (1 << 31)) >> 26) | ((insn >> 19) & 0x1f); + + return ~((regs->regs[xn] >> bit_pos) & 0x1); +} + +static unsigned long __kprobes +__check_tbnz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + int xn = insn & 0x1f; + int bit_pos = ((insn & (1 << 31)) >> 26) | ((insn >> 19) & 0x1f); + + return (regs->regs[xn] >> bit_pos) & 0x1; +} + +/* prepare functions */ +void __kprobes prepare_none(struct kprobe *p, struct arch_specific_insn *asi) +{ +} + +void __kprobes prepare_bcond(struct kprobe *p, struct arch_specific_insn *asi) +{ + kprobe_opcode_t insn = p->opcode; + + asi->check_condn = __check_pstate; + asi->pstate_cc = kprobe_condition_checks[insn & 0xf]; +} + +void __kprobes +prepare_cbz_cbnz(struct kprobe *p, struct arch_specific_insn *asi) +{ + kprobe_opcode_t insn = p->opcode; + + asi->check_condn = (insn & (1 << 24)) ? __check_cbnz : __check_cbz; +} + +void __kprobes +prepare_tbz_tbnz(struct kprobe *p, struct arch_specific_insn *asi) +{ + kprobe_opcode_t insn = p->opcode; + + asi->check_condn = (insn & (1 << 24)) ? __check_tbnz : __check_tbz; +} + +/* simulate functions */ +void __kprobes simulate_none(struct kprobe *p, struct pt_regs *regs) +{ +} + +void __kprobes simulate_adr_adrp(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + long res, imm, xn; + + xn = insn & 0x1f; + imm = ((insn >> 3) & 0xffffc) | ((insn >> 29) & 0x3); + res = iaddr + 8 + sign_extend(imm, 20); + + regs->regs[xn] = insn & 0x80000000 ? res & 0xfffffffffffff000 : res; + instruction_pointer(regs) += 4; + + return; +} + +void __kprobes simulate_b_bl(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + int disp = bbl_displacement(insn); + + /* Link register */ + if (insn & (1 << 31)) + regs->regs[30] = iaddr + 4; + + instruction_pointer(regs) = iaddr + disp; + + return; +} + +void __kprobes simulate_b_cond(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + int disp = bcond_displacement(insn); + + instruction_pointer(regs) = iaddr + disp; + + return; +} + +void __kprobes simulate_br_blr_ret(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + int xn = (insn >> 5) & 0x1f; + + /* BLR */ + if (((insn >> 21) & 0x3) == 1) + regs->regs[30] = iaddr + 4; + + instruction_pointer(regs) = regs->regs[xn]; + + return; +} + +void __kprobes simulate_cbz_cbnz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + int disp = cbz_displacement(insn); + + instruction_pointer(regs) = iaddr + disp; + + return; +} + +void __kprobes simulate_tbz_tbnz(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + long iaddr = (long)p->addr; + int disp = tbz_displacement(insn); + + instruction_pointer(regs) = iaddr + disp; + + return; +} + +void __kprobes simulate_ldr_literal(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + u64 *load_addr; + long iaddr = (long)p->addr; + int xn = insn & 0x1f; + int disp = ldr_displacement(insn); + + load_addr = (u64 *) (iaddr + disp); + + if (insn & (1 << 30)) /* x0-x31 */ + regs->regs[xn] = *load_addr; + else /* w0-w31 */ + *(u32 *) (®s->regs[xn]) = (*(u32 *) (load_addr)); + + return; +} + +void __kprobes simulate_ldrsw_literal(struct kprobe *p, struct pt_regs *regs) +{ + kprobe_opcode_t insn = p->opcode; + u64 *load_addr; + long data, iaddr = (long)p->addr; + int xn = insn & 0x1f; + int disp = ldr_displacement(insn); + + load_addr = (u64 *) (iaddr + disp); + data = *load_addr; + + regs->regs[xn] = sign_extend(data, 63); + + return; +} diff --git a/arch/arm64/kernel/probes-aarch64.h b/arch/arm64/kernel/probes-aarch64.h new file mode 100644 index 0000000..fb7475c --- /dev/null +++ b/arch/arm64/kernel/probes-aarch64.h @@ -0,0 +1,127 @@ +/* + * arch/arm64/kernel/probes-aarch64.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#ifndef _ARM_KERNEL_PROBES_AARCH64_H +#define _ARM_KERNEL_PROBES_AARCH64_H + +/* + * The following definitions and macros are used to build instruction + * decoding tables. + */ +enum decode_type { + DECODE_TYPE_END, + DECODE_TYPE_REJECT, + DECODE_TYPE_SINGLESTEP, + DECODE_TYPE_SIMULATE, + DECODE_TYPE_TABLE, + NUM_DECODE_TYPES, /* Must be last enum */ +}; + +struct aarch64_decode_item; + +struct aarch64_decode_header { + enum decode_type type; + u32 mask; + u32 val; +}; + +struct aarch64_decode_actions { + kprobes_prepare_t *prepare; + kprobes_handler_t *handler; +}; + +struct aarch64_decode_table { + const struct aarch64_decode_item *tbl; +}; + +union aarch64_decode_handler { + struct aarch64_decode_actions actions; + struct aarch64_decode_table table; +}; + +struct aarch64_decode_item { + struct aarch64_decode_header header; + union aarch64_decode_handler decode; +}; + +#define decode_get_type(_entry) ((_entry).header.type) + +#define decode_table_end(_entry) \ + ((_entry).header.type == DECODE_TYPE_END) + +#define decode_table_hit(_entry, insn) \ + ((insn & (_entry).header.mask) == (_entry).header.val) + +#define decode_prepare_fn(_entry) ((_entry).decode.actions.prepare) +#define decode_handler_fn(_entry) ((_entry).decode.actions.handler) +#define decode_sub_table(_entry) ((_entry).decode.table.tbl) + +#define DECODE_ADD_HEADER(_type, _val, _mask) \ + .header = { \ + .type = _type, \ + .mask = _mask, \ + .val = _val, \ + }, + +#define DECODE_ADD_ACTION(_prepare, _handler) \ + .decode = { \ + .actions = { \ + .prepare = _prepare, \ + .handler = _handler, \ + } \ + }, + +#define DECODE_ADD_TABLE(_table) \ + .decode = { \ + .table = {.tbl = _table} \ + }, + +#define DECODE_REJECT(_v, _m) \ + { DECODE_ADD_HEADER(DECODE_TYPE_REJECT, _v, _m) } + +#define DECODE_SINGLESTEP(_v, _m) \ + { DECODE_ADD_HEADER(DECODE_TYPE_SINGLESTEP, _v, _m) } + +#define DECODE_SIMULATE(_v, _m, _p, _h) \ + { DECODE_ADD_HEADER(DECODE_TYPE_SIMULATE, _v, _m) \ + DECODE_ADD_ACTION(_p, _h) } + +#define DECODE_TABLE(_v, _m, _table) \ + { DECODE_ADD_HEADER(DECODE_TYPE_TABLE, _v, _m) \ + DECODE_ADD_TABLE(_table) } + +#define DECODE_LITERAL(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h) +#define DECODE_BRANCH(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h) + +/* should be the last element in decode structure */ +#define DECODE_END { .header = {.type = DECODE_TYPE_END, } } + +extern kprobes_pstate_check_t *const kprobe_condition_checks[16]; + +void __kprobes prepare_none(struct kprobe *p, struct arch_specific_insn *asi); +void __kprobes prepare_bcond(struct kprobe *p, struct arch_specific_insn *asi); +void __kprobes prepare_cbz_cbnz(struct kprobe *p, + struct arch_specific_insn *asi); +void __kprobes prepare_tbz_tbnz(struct kprobe *p, + struct arch_specific_insn *asi); +void __kprobes simulate_none(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_adr_adrp(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_b_bl(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_b_cond(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_br_blr_ret(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_cbz_cbnz(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_tbz_tbnz(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_ldr_literal(struct kprobe *p, struct pt_regs *regs); +void __kprobes simulate_ldrsw_literal(struct kprobe *p, struct pt_regs *regs); + +#endif /* _ARM_KERNEL_PROBES_AARCH64_H */ diff --git a/arch/arm64/kernel/probes-common.c b/arch/arm64/kernel/probes-common.c new file mode 100644 index 0000000..4990940 --- /dev/null +++ b/arch/arm64/kernel/probes-common.c @@ -0,0 +1,117 @@ +/* + * arch/arm64/kernel/probes-common.c + * + * copied from arch/arm/kernel/kprobes-common.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * Description: + * This file is the place for common routines for AArch64 and + * AArch32 conditional checks, needed by kprobes-AArch64 and + * uprobes-AArch32/AArch64 + * + * AArch64 and AArch32 instrcution decoding differ, and are implemented + * in respective probes-*** files, this file is for common code only. + */ +#include <linux/kernel.h> +#include <linux/kprobes.h> +#include <linux/module.h> + +static unsigned long __kprobes __check_eq(unsigned long pstate) +{ + return pstate & PSR_Z_BIT; +} + +static unsigned long __kprobes __check_ne(unsigned long pstate) +{ + return (~pstate) & PSR_Z_BIT; +} + +static unsigned long __kprobes __check_cs(unsigned long pstate) +{ + return pstate & PSR_C_BIT; +} + +static unsigned long __kprobes __check_cc(unsigned long pstate) +{ + return (~pstate) & PSR_C_BIT; +} + +static unsigned long __kprobes __check_mi(unsigned long pstate) +{ + return pstate & PSR_N_BIT; +} + +static unsigned long __kprobes __check_pl(unsigned long pstate) +{ + return (~pstate) & PSR_N_BIT; +} + +static unsigned long __kprobes __check_vs(unsigned long pstate) +{ + return pstate & PSR_V_BIT; +} + +static unsigned long __kprobes __check_vc(unsigned long pstate) +{ + return (~pstate) & PSR_V_BIT; +} + +static unsigned long __kprobes __check_hi(unsigned long pstate) +{ + pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */ + return pstate & PSR_C_BIT; +} + +static unsigned long __kprobes __check_ls(unsigned long pstate) +{ + pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */ + return (~pstate) & PSR_C_BIT; +} + +static unsigned long __kprobes __check_ge(unsigned long pstate) +{ + pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */ + return (~pstate) & PSR_N_BIT; +} + +static unsigned long __kprobes __check_lt(unsigned long pstate) +{ + pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */ + return pstate & PSR_N_BIT; +} + +static unsigned long __kprobes __check_gt(unsigned long pstate) +{ + /*PSR_N_BIT ^= PSR_V_BIT */ + unsigned long temp = pstate ^ (pstate << 3); + temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */ + return (~temp) & PSR_N_BIT; +} + +static unsigned long __kprobes __check_le(unsigned long pstate) +{ + /*PSR_N_BIT ^= PSR_V_BIT */ + unsigned long temp = pstate ^ (pstate << 3); + temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */ + return temp & PSR_N_BIT; +} + +static unsigned long __kprobes __check_al(unsigned long pstate) +{ + return true; +} + +kprobes_pstate_check_t *const kprobe_condition_checks[16] = { + &__check_eq, &__check_ne, &__check_cs, &__check_cc, + &__check_mi, &__check_pl, &__check_vs, &__check_vc, + &__check_hi, &__check_ls, &__check_ge, &__check_lt, + &__check_gt, &__check_le, &__check_al, &__check_al +};
Add support for basic kernel probes(kprobes), jump probes (jprobes) and kprobes instruction decode tables for ARM64 kernel.
Kprobes makes use of software breakpoint to trap the kernel execution and then use single stepping feature of the ARM v8 debug architecture.
ARM v8 supports single stepping to be enabled while returning from the debug execption(ERET). Kprobes prepares a executable memory slot for XOL(execute-out-of-line) with the copy of the original instruction under probe, and update exception return address to the prepared slot with single stepping enabled. With this scheme, the instruction is executed with the same register context except for the different PC that is pointing to the prepared slot.
Stepping from slot puts limitation on the PC-relative and symbolic literal access instructions (branching, load literal) that the offset from new PC may not be ensured to fit in immediate value of opcode,(usually +/-1MB range). So these instructions are simulated in C code.
Instructions generating exceptions or cpu mode change are rejected, and not allowed to insert probe for such instructions.
Instructions using Exclusive Monitor are rejected in this version, as there are limitations on single-stepping when exclusive monitor is enabled, and cannot simulate atomic instructions(LDREX/STREX) in C code.
System instructions are mostly stepped, except MSR immeidate that updates "daif" flags in PSTATE, which are not safe for probing(rejected)
Load FP/ASIMD registers from literals (PC-relative) are not implemented in this version, since NEON/FP register context are not saved while entering debug exception.
TODO: - stepping or emulation support for exclusive load/store in safe way. - Emulate FP/AdvSIMD literal load/store if require support.
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/kprobes.h | 57 ++++ arch/arm64/include/asm/ptrace.h | 6 + arch/arm64/kernel/Makefile | 2 + arch/arm64/kernel/kprobes-arm64.c | 245 ++++++++++++++++++ arch/arm64/kernel/kprobes-arm64.h | 26 ++ arch/arm64/kernel/kprobes.c | 529 ++++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/kprobes.h | 28 ++ arch/arm64/kernel/vmlinux.lds.S | 1 + 9 files changed, 895 insertions(+) create mode 100644 arch/arm64/include/asm/kprobes.h create mode 100644 arch/arm64/kernel/kprobes-arm64.c create mode 100644 arch/arm64/kernel/kprobes-arm64.h create mode 100644 arch/arm64/kernel/kprobes.c create mode 100644 arch/arm64/kernel/kprobes.h
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index c044548..8cf5cde 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -24,6 +24,7 @@ config ARM64 select HAVE_DMA_ATTRS select HAVE_GENERIC_DMA_COHERENT select HAVE_HW_BREAKPOINT if PERF_EVENTS + select HAVE_KPROBES if !XIP_KERNEL select HAVE_MEMBLOCK select HAVE_PERF_EVENTS select IRQ_DOMAIN diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h new file mode 100644 index 0000000..a43f74f --- /dev/null +++ b/arch/arm64/include/asm/kprobes.h @@ -0,0 +1,57 @@ +/* + * arch/arm64/include/asm/kprobes.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#ifndef _ARM_KPROBES_H +#define _ARM_KPROBES_H + +#include <linux/types.h> +#include <linux/ptrace.h> +#include <linux/percpu.h> + +#define __ARCH_WANT_KPROBES_INSN_SLOT +#define MAX_INSN_SIZE 2 +#define MAX_STACK_SIZE 128 + +#define flush_insn_slot(p) do { } while (0) +#define kretprobe_blacklist_size 0 + +#include <asm/probes.h> + +struct prev_kprobe { + struct kprobe *kp; + unsigned int status; +}; + +/* Single step context for kprobe */ +struct kprobe_step_ctx { +#define KPROBES_STEP_NONE 0x0 +#define KPROBES_STEP_PENDING 0x1 + unsigned long ss_status; + unsigned long match_addr; +}; + +/* per-cpu kprobe control block */ +struct kprobe_ctlblk { + unsigned int kprobe_status; + struct prev_kprobe prev_kprobe; + struct kprobe_step_ctx ss_ctx; + struct pt_regs jprobe_saved_regs; + char jprobes_stack[MAX_STACK_SIZE]; +}; + +void arch_remove_kprobe(struct kprobe *); +int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr); +int kprobe_exceptions_notify(struct notifier_block *self, + unsigned long val, void *data); + +#endif /* _ARM_KPROBES_H */ diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 0dacbbf..58b2589 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -164,6 +164,12 @@ static inline int valid_user_regs(struct user_pt_regs *regs) }
#define instruction_pointer(regs) (regs)->pc +#define stack_pointer(regs) ((regs)->sp) + +static inline long regs_return_value(struct pt_regs *regs) +{ + return regs->regs[0]; +}
#ifdef CONFIG_SMP extern unsigned long profile_pc(struct pt_regs *regs); diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index 7b4b564..6c4e541 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -18,6 +18,8 @@ arm64-obj-$(CONFIG_SMP) += smp.o smp_spin_table.o smp_psci.o arm64-obj-$(CONFIG_HW_PERF_EVENTS) += perf_event.o arm64-obj-$(CONFIG_HAVE_HW_BREAKPOINT)+= hw_breakpoint.o arm64-obj-$(CONFIG_EARLY_PRINTK) += early_printk.o +arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o patch.o \ + probes-aarch64.o probes-common.o
obj-y += $(arm64-obj-y) vdso/ obj-m += $(arm64-obj-m) diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c new file mode 100644 index 0000000..e269e24 --- /dev/null +++ b/arch/arm64/kernel/kprobes-arm64.c @@ -0,0 +1,245 @@ +/* + * arch/arm64/kernel/kprobes-arm64.c + * + * Copyright (C) 2013 Linaro Limited. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#include <linux/kernel.h> +#include <linux/kprobes.h> +#include <linux/module.h> + +#include "probes-aarch64.h" +#include "kprobes-arm64.h" + +/* Load literal (PC-relative) instructions + * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx + * + * opcode[26]: V=0, Load GP registers, simulate them. + * Encoding: xx01 1000 xxxx xxxx xxxx xxxx xxxx xxxx + * opcode[31:30]: op = 00, 01 - LDR literal + * opcode[31:30]: op = 10, - LDRSW literal + * + * 1. V=1 -Load FP/AdvSIMD registers + * Encoding: xx01 1100 xxxx xxxx xxxx xxxx xxxx xxxx + * 2. V=0,opc=11 -PRFM(Prefetch literal) + * Encoding: 1101 1000 xxxx xxxx xxxx xxxx xxxx xxxx + * + * TODO: + * -Rejecting FP/AdvSIMD load & PRFM literal in this version, + * needs revisit this for possible emulation/simulation. + */ +static const struct aarch64_decode_item load_literal_subtable[] = { + DECODE_REJECT(0x1C000000, 0x3F000000), + DECODE_REJECT(0xD8000000, 0xFF000000), + DECODE_LITERAL(0x18000000, 0xBF000000, prepare_none, + simulate_ldr_literal), + DECODE_LITERAL(0x98000000, 0xFF000000, prepare_none, + simulate_ldrsw_literal), + DECODE_END, +}; + +/* AArch64 instruction decode table for kprobes: + * The instruction will fall into one of the 3 groups: + * 1. Single stepped out-of-the-line slot. + * -Most instructions fall in this group, those does not + * depend on PC address. + * + * 2. Should be simulated because of PC-relative/literal access. + * -All branching and PC-relative insrtcutions are simulated + * in C code, making use of saved pt_regs + * Catch: SIMD/NEON register context are not saved while + * entering debug exception, so are rejected for now. + * + * 3. Cannot be probed(not safe) so are rejected. + * - Exception generation and exception return instructions + * - Exclusive monitor(LDREX/STREX family) + * + */ +static const struct aarch64_decode_item aarch64_decode_table[] = { + /* + * Data processing - PC relative(literal) addressing: + * Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_LITERAL(0x10000000, 0x1F000000, prepare_none, + simulate_adr_adrp), + + /* + * Data processing - Add/Substract Immediate: + * Encoding: xxx1 0001 xxxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_SINGLESTEP(0x11000000, 0x1F000000), + + /* + * Data processing + * Encoding: + * xxx1 0010 0xxx xxxx xxxx xxxx xxxx xxxx (Logical) + * xxx1 0010 1xxx xxxx xxxx xxxx xxxx xxxx (Move wide) + * xxx1 0011 0xxx xxxx xxxx xxxx xxxx xxxx (Bitfield) + * xxx1 0011 1xxx xxxx xxxx xxxx xxxx xxxx (Extract) + */ + DECODE_SINGLESTEP(0x12000000, 0x1E000000), + + /* + * Data processing - SIMD/FP/AdvSIMD/Crypto-AES/SHA + * Encoding: xxx0 111x xxxx xxxx xxxx xxxx xxxx xxxx + * Encoding: xxx1 111x xxxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_SINGLESTEP(0x0E000000, 0x0E000000), + + /* + * Data processing - Register + * Encoding: xxxx 101x xxxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_SINGLESTEP(0x0A000000, 0x0E000000), + + /* Branching Instructions + * + * Encoding: + * x001 01xx xxxx xxxx xxxx xxxx xxxx xxxx (uncondtional Branch) + * x011 010x xxxx xxxx xxxx xxxx xxxx xxxx (compare & branch) + * x011 011x xxxx xxxx xxxx xxxx xxxx xxxx (Test & Branch) + * 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate) + * 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register) + */ + DECODE_BRANCH(0x14000000, 0x7C000000, prepare_none, + simulate_b_bl), + DECODE_BRANCH(0x34000000, 0x7E000000, prepare_cbz_cbnz, + simulate_cbz_cbnz), + DECODE_BRANCH(0x36000000, 0x7E000000, prepare_tbz_tbnz, + simulate_tbz_tbnz), + DECODE_BRANCH(0x54000000, 0xFE000000, prepare_bcond, + simulate_b_cond), + DECODE_BRANCH(0xD6000000, 0xFE000000, prepare_none, + simulate_br_blr_ret), + + /* System insn: + * Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx + * + * Note: MSR immediate (update PSTATE daif) is not safe handling + * within kprobes, so rejecting. + * Don't re-arrange the decode table entries below here. + */ + DECODE_REJECT(0xD500401F, 0xFFF8F01F), + DECODE_SINGLESTEP(0xD5000000, 0xFFC00000), + + /* Exception Generation: + * Encoding: 1101 0100 xxxx xxxx xxxx xxxx xxxx xxxx + * Instructions: SVC, HVC, SMC, BRK, HLT, DCPS1, DCPS2, DCPS3 + */ + DECODE_REJECT(0xD4000000, 0xFF000000), + + /* + * Load/Store - Exclusive monitor + * Encoding: xx00 1000 xxxx xxxx xxxx xxxx xxxx xxxx + * + * - Rejecting exlusive monitor'ed instructions + * TODO: needs revisit to check if there a way to safely + * step or emulate these instructions. + */ + DECODE_REJECT(0x08000000, 0x3F000000), + + /* + * Load/Store - PC relative(literal): + * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_TABLE(0x18000000, 0x3B000000, load_literal_subtable), + + /* + * Load/Store - Register Pair + * Encoding: + * xx10 1x00 0xxx xxxx xxxx xxxx xxxx xxxx + * xx10 1x00 1xxx xxxx xxxx xxxx xxxx xxxx + * xx10 1x01 0xxx xxxx xxxx xxxx xxxx xxxx + * xx10 1x01 1xxx xxxx xxxx xxxx xxxx xxxx + */ + DECODE_SINGLESTEP(0x28000000, 0x3A000000), + + /* + * Load/Store - Register + * Encoding: + * xx11 1x00 xx0x xxxx xxxx 00xx xxxx xxxx (unscaled imm) + * xx11 1x00 xx0x xxxx xxxx 01xx xxxx xxxx (imm post-indexed) + * xx11 1x00 xx0x xxxx xxxx 10xx xxxx xxxx (unpriviledged) + * xx11 1x00 xx0x xxxx xxxx 11xx xxxx xxxx (imm pre-indexed) + * + * xx11 1x00 xx10 xxxx xxxx xx10 xxxx xxxx (register offset) + * + * xx11 1x01 xxxx xxxx xxxx xxxx xxxx xxxx (unsigned imm) + */ + DECODE_SINGLESTEP(0x38000000, 0x3B200000), + DECODE_SINGLESTEP(0x38200200, 0x38300300), + DECODE_SINGLESTEP(0x39000000, 0x3B000000), + + /* + * Load/Store - AdvSIMD + * Encoding: + * 0x00 1100 0x00 0000 xxxx xxxx xxxx xxxx (Multiple-structure) + * 0x00 1100 1x0x xxxx xxxx xxxx xxxx xxxx (Multi-struct post-indexed) + * 0x00 1101 0xx0 0000 xxxx xxxx xxxx xxxx (Single-structure)) + * 0x00 1101 1xxx xxxx xxxx xxxx xxxx xxxx (Single-struct post-index) + */ + DECODE_SINGLESTEP(0x0C000000, 0xBFBF0000), + DECODE_SINGLESTEP(0x0C800000, 0xBFA00000), + DECODE_SINGLESTEP(0x0D000000, 0xBF9F0000), + DECODE_SINGLESTEP(0x0D800000, 0xBF800000), + + /* Unallocated: xxx0 0xxx xxxx xxxx xxxx xxxx xxxx xxxx */ + DECODE_REJECT(0x00000000, 0x18000000), + DECODE_END, +}; + +static int __kprobes +kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi, + const struct aarch64_decode_item *tbl) +{ + unsigned int entry, ret = INSN_REJECTED; + + for (entry = 0; !decode_table_end(tbl[entry]); entry++) { + if (decode_table_hit(tbl[entry], insn)) + break; + } + + switch (decode_get_type(tbl[entry])) { + case DECODE_TYPE_END: + case DECODE_TYPE_REJECT: + default: + ret = INSN_REJECTED; + break; + + case DECODE_TYPE_SINGLESTEP: + ret = INSN_GOOD; + break; + + case DECODE_TYPE_SIMULATE: + asi->prepare = decode_prepare_fn(tbl[entry]); + asi->handler = decode_handler_fn(tbl[entry]); + ret = INSN_GOOD_NO_SLOT; + break; + + case DECODE_TYPE_TABLE: + /* recurse with next level decode table */ + ret = kprobe_decode_insn(insn, asi, + decode_sub_table(tbl[entry])); + }; + return ret; +} + +/* Return: + * INSN_REJECTED If instruction is one not allowed to kprobe, + * INSN_GOOD If instruction is supported and uses instruction slot, + * INSN_GOOD_NO_SLOT If instruction is supported but doesn't use its slot. + */ +enum kprobe_insn __kprobes +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi) +{ + return kprobe_decode_insn(insn, asi, aarch64_decode_table); +} diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h new file mode 100644 index 0000000..d0cc616 --- /dev/null +++ b/arch/arm64/kernel/kprobes-arm64.h @@ -0,0 +1,26 @@ +/* + * arch/arm64/kernel/kprobes-arm64.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#ifndef _ARM_KERNEL_KPROBES_ARM64_H +#define _ARM_KERNEL_KPROBES_ARM64_H + +enum kprobe_insn { + INSN_REJECTED, + INSN_GOOD_NO_SLOT, + INSN_GOOD, +}; + +enum kprobe_insn __kprobes +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi); + +#endif /* _ARM_KERNEL_KPROBES_ARM64_H */ diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c new file mode 100644 index 0000000..4840433 --- /dev/null +++ b/arch/arm64/kernel/kprobes.c @@ -0,0 +1,529 @@ +/* + * arch/arm64/kernel/kprobes.c + * + * Kprobes support for AArch64 + * + * Copyright (C) 2013 Linaro Limited. + * Author: Sandeepa Prabhu sandeepa.prabhu@linaro.org + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + */ +#include <linux/kernel.h> +#include <linux/kprobes.h> +#include <linux/module.h> +#include <linux/slab.h> +#include <linux/stop_machine.h> +#include <linux/stringify.h> +#include <asm/traps.h> +#include <asm/cacheflush.h> +#include <asm/debug-monitors.h> +#include <asm/system_misc.h> + +#include "patch.h" +#include "kprobes.h" +#include "kprobes-arm64.h" + +#define MIN_STACK_SIZE(addr) min((unsigned long)MAX_STACK_SIZE, \ + (unsigned long)current_thread_info() + THREAD_START_SP - (addr)) + +DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; +DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); + +static int __kprobes +post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs); + +static void __kprobes arch_prepare_ss_slot(struct kprobe *p) +{ + int i; + /* prepare insn slot */ + p->ainsn.insn[0] = p->opcode; + /* NOP for superscalar uArch decode */ + for (i = 1; i < MAX_INSN_SIZE; i++) + p->ainsn.insn[i] = ARCH64_NOP_OPCODE; + + flush_icache_range((uintptr_t) (p->ainsn.insn), + (uintptr_t) (p->ainsn.insn) + MAX_INSN_SIZE); +} + +static void __kprobes arch_prepare_insn(struct kprobe *p) +{ + if (p->ainsn.prepare) + p->ainsn.prepare(p, &p->ainsn); +} + +static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs) +{ + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + + if (p->ainsn.handler) + p->ainsn.handler(p, regs); + + /* single step simulated, now go for post processing */ + post_kprobe_handler(kcb, regs); +} + +int __kprobes arch_prepare_kprobe(struct kprobe *p) +{ + kprobe_opcode_t insn; + unsigned long probe_addr = (unsigned long)p->addr; + + /* copy instruction */ + insn = *p->addr; + p->opcode = insn; + + if (in_exception_text(probe_addr)) + return -EINVAL; + + /* decode instruction */ + switch (arm_kprobe_decode_insn(insn, &p->ainsn)) { + case INSN_REJECTED: /* insn not supported */ + return -EINVAL; + + break; + case INSN_GOOD_NO_SLOT: /* doesn't need insn slot */ + p->ainsn.insn = NULL; + break; + + case INSN_GOOD: /* instruction uses slot */ + p->ainsn.insn = get_insn_slot(); + if (!p->ainsn.insn) + return -ENOMEM; + break; + }; + + /* prepare the instruction */ + if (p->ainsn.insn) + arch_prepare_ss_slot(p); + else + arch_prepare_insn(p); + + return 0; +} + +/* arm kprobe: install breakpoint in text */ +void __kprobes arch_arm_kprobe(struct kprobe *p) +{ + void *addr = p->addr; + + patch_text((u32 *) addr, BRK64_OPCODE_KPROBES); +} + +/* disarm kprobe: remove breakpoint from text */ +void __kprobes arch_disarm_kprobe(struct kprobe *p) +{ + void *addr = p->addr; + + patch_text((u32 *) addr, p->opcode); +} + +void __kprobes arch_remove_kprobe(struct kprobe *p) +{ + if (p->ainsn.insn) { + free_insn_slot(p->ainsn.insn, 0); + p->ainsn.insn = NULL; + } +} + +static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb) +{ + kcb->prev_kprobe.kp = kprobe_running(); + kcb->prev_kprobe.status = kcb->kprobe_status; +} + +static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb) +{ + __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp; + kcb->kprobe_status = kcb->prev_kprobe.status; +} + +static void __kprobes set_current_kprobe(struct kprobe *p) +{ + __get_cpu_var(current_kprobe) = p; +} + +static void __kprobes +set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr) +{ + kcb->ss_ctx.ss_status = KPROBES_STEP_PENDING; + kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t); +} + +static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb) +{ + kcb->ss_ctx.ss_status = KPROBES_STEP_NONE; + kcb->ss_ctx.match_addr = 0; +} + +static void __kprobes setup_singlestep(struct kprobe *p, + struct pt_regs *regs, + struct kprobe_ctlblk *kcb, int reenter) +{ + unsigned long slot; + + if (reenter) { + save_previous_kprobe(kcb); + set_current_kprobe(p); + kcb->kprobe_status = KPROBE_REENTER; + } else { + kcb->kprobe_status = KPROBE_HIT_SS; + } + + if (p->ainsn.insn) { + /* prepare for single stepping */ + slot = (unsigned long)p->ainsn.insn; + + /* + * Needs restoring of return address after stepping xol. + * If this happens to be a return probe, the exception + * return address would have been hacked by the pre_handler + * to point to trampoline, so we shall restore trampoline + * address after stepping. Other cases, it is just next pc. + */ + if ((long)p->addr == instruction_pointer(regs)) + p->ainsn.restore.addr = regs->pc + + sizeof(kprobe_opcode_t); /*next pc*/ + else /* hacked ret addr!, could be kretprobe */ + p->ainsn.restore.addr = regs->pc; /* trampoline */ + + p->ainsn.restore.type = RESTORE_PC; + + set_ss_context(kcb, slot); /* mark pending ss */ + kernel_enable_single_step(regs); + instruction_pointer(regs) = slot; + } else { + /* insn simulation */ + arch_simulate_insn(p, regs); + } +} + +static int __kprobes reenter_kprobe(struct kprobe *p, + struct pt_regs *regs, + struct kprobe_ctlblk *kcb) +{ + switch (kcb->kprobe_status) { + case KPROBE_HIT_SSDONE: + case KPROBE_HIT_ACTIVE: + kprobes_inc_nmissed_count(p); + setup_singlestep(p, regs, kcb, 1); + break; + case KPROBE_HIT_SS: + pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr); + dump_kprobe(p); + BUG(); + default: + WARN_ON(1); + return 0; + } + + return 1; +} + +static int __kprobes +post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs) +{ + struct kprobe *cur = kprobe_running(); + + if (!cur) + return 0; + + if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) { + kcb->kprobe_status = KPROBE_HIT_SSDONE; + cur->post_handler(cur, regs, 0); + } + + /* restore back original saved kprobe variables and continue */ + if (kcb->kprobe_status == KPROBE_REENTER) { + restore_previous_kprobe(kcb); + goto out; + } + reset_current_kprobe(); +out: + /* If single step done, disable it now */ + if (cur->ainsn.insn) + kernel_disable_single_step(); + + /* return addr restore if non-branching insn & not return probe */ + if (cur->ainsn.restore.type == RESTORE_PC) { + instruction_pointer(regs) = cur->ainsn.restore.addr; + cur->ainsn.restore.addr = 0; + cur->ainsn.restore.type = NO_RESTORE; + } + + return 1; +} + +int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr) +{ + struct kprobe *cur = kprobe_running(); + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + + switch (kcb->kprobe_status) { + case KPROBE_HIT_SS: + case KPROBE_REENTER: + /* + * We are here because the instruction being single + * stepped caused a page fault. We reset the current + * kprobe and the ip points back to the probe address + * and allow the page fault handler to continue as a + * normal page fault. + */ + instruction_pointer(regs) = (unsigned long)cur->addr; + if (kcb->kprobe_status == KPROBE_REENTER) + restore_previous_kprobe(kcb); + else + reset_current_kprobe(); + + break; + case KPROBE_HIT_ACTIVE: + case KPROBE_HIT_SSDONE: + /* + * We increment the nmissed count for accounting, + * we can also use npre/npostfault count for accounting + * these specific fault cases. + */ + kprobes_inc_nmissed_count(cur); + + /* + * We come here because instructions in the pre/post + * handler caused the page_fault, this could happen + * if handler tries to access user space by + * copy_from_user(), get_user() etc. Let the + * user-specified handler try to fix it first. + */ + if (cur->fault_handler && cur->fault_handler(cur, regs, fsr)) + return 1; + + /* + * In case the user-specified fault handler returned + * zero, try to fix up. + */ + if (fixup_exception(regs)) + return 1; + + break; + default: + break; + } + return 0; +} + +int __kprobes kprobe_exceptions_notify(struct notifier_block *self, + unsigned long val, void *data) +{ + return NOTIFY_DONE; +} + +/* Exception return should resume the kernel code execution */ +static void __kprobes singlestep_skip(struct kprobe *p, struct pt_regs *regs) +{ + return; +} + +void __kprobes kprobe_handler(struct pt_regs *regs) +{ + struct kprobe *p, *cur; + struct kprobe_ctlblk *kcb; + unsigned long addr = instruction_pointer(regs); + + kcb = get_kprobe_ctlblk(); + cur = kprobe_running(); + + p = get_kprobe((kprobe_opcode_t *) addr); + + if (p) { + if (cur) { + if (reenter_kprobe(p, regs, kcb)) + return; + } else if (!p->ainsn.check_condn || + p->ainsn.check_condn(p, regs)) { + /* Probe hit and conditional execution check ok. */ + set_current_kprobe(p); + kcb->kprobe_status = KPROBE_HIT_ACTIVE; + + /* + * If we have no pre-handler or it returned 0, we + * continue with normal processing. If we have a + * pre-handler and it returned non-zero, it prepped + * for calling the break_handler below on re-entry, + * so get out doing nothing more here. + */ + if (!p->pre_handler || !p->pre_handler(p, regs)) { + kcb->kprobe_status = KPROBE_HIT_SS; + setup_singlestep(p, regs, kcb, 0); + return; + } + } else { + /* + * Probe hit but conditional execution check failed, + * so just skip the instruction and continue as if + * nothing had happened. + */ + singlestep_skip(p, regs); + return; + } + } else if (*(kprobe_opcode_t *) addr != BRK64_OPCODE_KPROBES) { + /* + * The breakpoint instruction was removed right + * after we hit it. Another cpu has removed + * either a probepoint or a debugger breakpoint + * at this address. In either case, no further + * handling of this interrupt is appropriate. + * Back up over the (now missing) int3 and run + * the original instruction. + */ + instruction_pointer(regs) -= 4; + preempt_enable_no_resched(); + return; + } else if (cur) { + /* We probably hit a jprobe. Call its break handler. */ + if (cur->break_handler && cur->break_handler(cur, regs)) { + kcb->kprobe_status = KPROBE_HIT_SS; + setup_singlestep(cur, regs, kcb, 0); + return; + } + reset_current_kprobe(); + } else { + /* breakpoint is removed, now in a race */ + instruction_pointer(regs) -= 4; + preempt_enable_no_resched(); + } + return; +} + +static int __kprobes +kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr) +{ + if ((kcb->ss_ctx.ss_status == KPROBES_STEP_PENDING) + && (kcb->ss_ctx.match_addr == addr)) { + clear_ss_context(kcb); /* clear pending ss */ + return DEBUG_HOOK_HANDLED; + } else { + /* not ours, kprobes should ignore it */ + return DEBUG_HOOK_ERROR; + } +} + +static int __kprobes +kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr) +{ + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + unsigned long flags; + int retval; + + /* check, and return error if this is not our step */ + retval = kprobe_ss_hit(kcb, instruction_pointer(regs)); + + if (retval == DEBUG_HOOK_HANDLED) { + /* single step is complete, call post handlers */ + local_irq_save(flags); + post_kprobe_handler(kcb, regs); + local_irq_restore(flags); + } + + return retval; +} + +static int __kprobes +kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr) +{ + unsigned long flags; + local_irq_save(flags); + kprobe_handler(regs); + local_irq_restore(flags); + + return DEBUG_HOOK_HANDLED; +} + +int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) +{ + struct jprobe *jp = container_of(p, struct jprobe, kp); + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + long stack_ptr = stack_pointer(regs); + + kcb->jprobe_saved_regs = *regs; + memcpy(kcb->jprobes_stack, (void *)stack_ptr, + MIN_STACK_SIZE(stack_ptr)); + + instruction_pointer(regs) = (long)jp->entry; + regs->pstate |= PSR_I_BIT; + + preempt_disable(); + return 1; +} + +void __kprobes jprobe_return(void) +{ + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + + /* + * Jprobe handler return by entering break exception, + * encoded same as kprobe, but with following conditions + * -a magic number in x0 to identify from rest of other kprobes. + * -restore stack addr to original saved pt_regs + */ + asm volatile ("ldr x0, [%0]\n\t" + "mov sp, x0\n\t" + "ldr x0, =" __stringify(JPROBES_MAGIC_NUM) "\n\t" + "BRK %1\n\t" + "NOP\n\t" + : + : "r"(&kcb->jprobe_saved_regs.sp), + "I"(BRK64_ESR_KPROBES) + : "memory"); +} + +int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) +{ + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + long stack_addr = kcb->jprobe_saved_regs.sp; + long orig_sp = stack_pointer(regs); + struct jprobe *jp = container_of(p, struct jprobe, kp); + + if (regs->regs[0] == JPROBES_MAGIC_NUM) { + if (orig_sp != stack_addr) { + struct pt_regs *saved_regs = + (struct pt_regs *)kcb->jprobe_saved_regs.sp; + pr_err("current sp %lx does not match saved sp %lx\n", + orig_sp, stack_addr); + pr_err("Saved registers for jprobe %p\n", jp); + show_regs(saved_regs); + pr_err("Current registers\n"); + show_regs(regs); + BUG(); + } + *regs = kcb->jprobe_saved_regs; + memcpy((void *)stack_addr, kcb->jprobes_stack, + MIN_STACK_SIZE(stack_addr)); + preempt_enable_no_resched(); + return 1; + } + return 0; +} + +/* Break Handler hook */ +static struct break_hook kprobes_break_hook = { + .esr_mask = BRK64_ESR_MASK, + .esr_val = BRK64_ESR_KPROBES, + .fn = kprobe_breakpoint_handler, +}; + +/* Single Step handler hook */ +static struct step_hook kprobes_step_hook = { + .fn = kprobe_single_step_handler, +}; + +int __init arch_init_kprobes() +{ + register_break_hook(&kprobes_break_hook); + register_step_hook(&kprobes_step_hook); + + return 0; +} diff --git a/arch/arm64/kernel/kprobes.h b/arch/arm64/kernel/kprobes.h new file mode 100644 index 0000000..0c78e18 --- /dev/null +++ b/arch/arm64/kernel/kprobes.h @@ -0,0 +1,28 @@ +/* + * arch/arm64/kernel/kprobes.h + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#ifndef _ARM_KERNEL_KPROBES_H +#define _ARM_KERNEL_KPROBES_H + +/* BRK opcodes with ESR encoding */ +#define BRK64_ESR_MASK 0xFFFF +#define BRK64_ESR_KPROBES 0x0001 +#define BRK64_OPCODE_KPROBES 0xD4200020 /* "brk 0x1" */ +#define ARCH64_NOP_OPCODE 0xD503201F + +#define JPROBES_MAGIC_NUM 0xa5a5a5a5a5a5a5a5 + +/* Move this out to appropriate header file */ +int fixup_exception(struct pt_regs *regs); + +#endif /* _ARM_KERNEL_KPROBES_H */ diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index f8ab9d8..40951b1 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -62,6 +62,7 @@ SECTIONS TEXT_TEXT SCHED_TEXT LOCK_TEXT + KPROBES_TEXT HYPERVISOR_TEXT *(.fixup) *(.gnu.warning)
Unlike ARM v7(ldmia {.., pc} ) ARM v8 ISA does not support popping the PC value from stack or absolute addr without using one of the general purpose registers. This means return probes cannot return to the original return address directly without modifying register context, without trapping into debug exception.
So like many other architectures, we prepare a global routine with NOPs, which serve as trampoline that hacks away the function return address, by placing an extra kprobe on the trampoline entry.
The pre-handler of this special trampoline' kprobe execute return probe handlers and restore original return address in ELR_EL1, this way, saved pt_regs still hold the original register values to be carried back to the caller.
Signed-off-by: Sandeepa Prabhu sandeepa.prabhu@linaro.org --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/kprobes.h | 1 + arch/arm64/kernel/kprobes.c | 115 ++++++++++++++++++++++++++++++++++++++- 3 files changed, 116 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 8cf5cde..9ca71b0 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -25,6 +25,7 @@ config ARM64 select HAVE_GENERIC_DMA_COHERENT select HAVE_HW_BREAKPOINT if PERF_EVENTS select HAVE_KPROBES if !XIP_KERNEL + select HAVE_KRETPROBES if (HAVE_KPROBES) select HAVE_MEMBLOCK select HAVE_PERF_EVENTS select IRQ_DOMAIN diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h index a43f74f..c2a1ff1 100644 --- a/arch/arm64/include/asm/kprobes.h +++ b/arch/arm64/include/asm/kprobes.h @@ -53,5 +53,6 @@ void arch_remove_kprobe(struct kprobe *); int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr); int kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *data); +void kretprobe_trampoline(void);
#endif /* _ARM_KPROBES_H */ diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c index 4840433..8c0f32d 100644 --- a/arch/arm64/kernel/kprobes.c +++ b/arch/arm64/kernel/kprobes.c @@ -508,6 +508,118 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) return 0; }
+/* + * Kretprobes: kernel return probes handling + * + * ARM v8 ISA does not support popping the PC value from the + * stack like on v7(ldmia {..,pc}), so atleast one register need + * to be used for achieving branch. It means return probes cannot + * return back to the original return address directly without + * modifying the register context. + * + * So like many other architectures, we prepare a global routine + * with NOPs, which serve as trampoline address that hack away the + * function return, with the exact register context. + * + * We place a kprobe on trampoline routine entry to trap again and + * execute return probe handlers and restore original return address + * in ELR_EL1, this way saved pt_regs still hold the original + * register values to be carried back to the caller. + */ +static void __used kretprobe_trampoline_holder(void) +{ + asm volatile (".global kretprobe_trampoline\n" + "kretprobe_trampoline:\n" + "NOP\n\t" + "NOP\n\t"); +} + +static int __kprobes +trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs) +{ + struct kretprobe_instance *ri = NULL; + struct hlist_head *head, empty_rp; + struct hlist_node *tmp; + unsigned long flags, orig_ret_addr = 0; + unsigned long trampoline_address = + (unsigned long)&kretprobe_trampoline; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + + /* + * It is possible to have multiple instances associated with a given + * task either because multiple functions in the call path have + * a return probe installed on them, and/or more than one return + * probe was registered for a target function. + * + * We can handle this because: + * - instances are always inserted at the head of the list + * - when multiple return probes are registered for the same + * function, the first instance's ret_addr will point to the + * real return address, and all the rest will point to + * kretprobe_trampoline + */ + hlist_for_each_entry_safe(ri, tmp, head, hlist) { + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; + + if (ri->rp && ri->rp->handler) { + __get_cpu_var(current_kprobe) = &ri->rp->kp; + get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; + ri->rp->handler(ri, regs); + __get_cpu_var(current_kprobe) = NULL; + } + + orig_ret_addr = (unsigned long)ri->ret_addr; + recycle_rp_inst(ri, &empty_rp); + + if (orig_ret_addr != trampoline_address) + /* + * This is the real return address. Any other + * instances associated with this task are for + * other calls deeper on the call stack + */ + break; + } + + kretprobe_assert(ri, orig_ret_addr, trampoline_address); + /* restore the original return address */ + instruction_pointer(regs) = orig_ret_addr; + reset_current_kprobe(); + kretprobe_hash_unlock(current, &flags); + preempt_enable_no_resched(); + + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + kfree(ri); + } + + /* return 1 so that post handlers not called */ + return 1; +} + +void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, + struct pt_regs *regs) +{ + ri->ret_addr = (kprobe_opcode_t *) + (instruction_pointer(regs) + sizeof(kprobe_opcode_t)); + + /* Replace the return addr with trampoline addr */ + instruction_pointer(regs) = (unsigned long)&kretprobe_trampoline; +} + +static struct kprobe trampoline = { + .addr = (kprobe_opcode_t *) &kretprobe_trampoline, + .pre_handler = trampoline_probe_handler +}; + +int __kprobes arch_trampoline_kprobe(struct kprobe *p) +{ + return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline; +} + /* Break Handler hook */ static struct break_hook kprobes_break_hook = { .esr_mask = BRK64_ESR_MASK, @@ -525,5 +637,6 @@ int __init arch_init_kprobes() register_break_hook(&kprobes_break_hook); register_step_hook(&kprobes_step_hook);
- return 0; + /* register trampoline for kret probe */ + return register_kprobe(&trampoline); }
linaro-kernel@lists.linaro.org
-
Sandeepa Prabhu -
Will Deacon