Blame view
arch/x86/kernel/kprobes.c
40.5 KB
1da177e4c
|
1 2 |
/* * Kernel Probes (KProbes) |
1da177e4c
|
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * Copyright (C) IBM Corporation, 2002, 2004 * * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel * Probes initial implementation ( includes contributions from * Rusty Russell). * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes * interface to access function arguments. |
d6be29b87
|
25 26 |
* 2004-Oct Jim Keniston <jkenisto@us.ibm.com> and Prasanna S Panchamukhi * <prasanna@in.ibm.com> adapted for x86_64 from i386. |
1da177e4c
|
27 28 |
* 2005-Mar Roland McGrath <roland@redhat.com> * Fixed to handle %rip-relative addressing mode correctly. |
d6be29b87
|
29 30 31 32 33 34 35 |
* 2005-May Hien Nguyen <hien@us.ibm.com>, Jim Keniston * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi * <prasanna@in.ibm.com> added function-return probes. * 2005-May Rusty Lynch <rusty.lynch@intel.com> * Added function return probes functionality * 2006-Feb Masami Hiramatsu <hiramatu@sdl.hitachi.co.jp> added * kprobe-booster and kretprobe-booster for i386. |
da07ab037
|
36 37 |
* 2007-Dec Masami Hiramatsu <mhiramat@redhat.com> added kprobe-booster * and kretprobe-booster for x86-64 |
d6be29b87
|
38 39 40 |
* 2007-Dec Masami Hiramatsu <mhiramat@redhat.com>, Arjan van de Ven * <arjan@infradead.org> and Jim Keniston <jkenisto@us.ibm.com> * unified x86 kprobes code. |
1da177e4c
|
41 |
*/ |
1da177e4c
|
42 43 |
#include <linux/kprobes.h> #include <linux/ptrace.h> |
1da177e4c
|
44 45 |
#include <linux/string.h> #include <linux/slab.h> |
b506a9d08
|
46 |
#include <linux/hardirq.h> |
1da177e4c
|
47 |
#include <linux/preempt.h> |
c28f89663
|
48 |
#include <linux/module.h> |
1eeb66a1b
|
49 |
#include <linux/kdebug.h> |
b46b3d70c
|
50 |
#include <linux/kallsyms.h> |
c0f7ac3a9
|
51 |
#include <linux/ftrace.h> |
9ec4b1f35
|
52 |
|
8533bbe9f
|
53 54 |
#include <asm/cacheflush.h> #include <asm/desc.h> |
1da177e4c
|
55 |
#include <asm/pgtable.h> |
c28f89663
|
56 |
#include <asm/uaccess.h> |
19d36ccdc
|
57 |
#include <asm/alternative.h> |
b46b3d70c
|
58 |
#include <asm/insn.h> |
62edab905
|
59 |
#include <asm/debugreg.h> |
1da177e4c
|
60 |
|
1da177e4c
|
61 |
void jprobe_return_end(void); |
e7a510f92
|
62 63 |
DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); |
1da177e4c
|
64 |
|
98272ed0d
|
65 |
#define stack_addr(regs) ((unsigned long *)kernel_stack_pointer(regs)) |
8533bbe9f
|
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 |
#define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\ (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \ (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \ (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \ (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \ << (row % 32)) /* * Undefined/reserved opcodes, conditional jump, Opcode Extension * Groups, and some special opcodes can not boost. */ static const u32 twobyte_is_boostable[256 / 32] = { /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ /* ---------------------------------------------- */ W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */ W(0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 10 */ W(0x20, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 20 */ W(0x30, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 30 */ W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */ W(0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 50 */ W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1) | /* 60 */ W(0x70, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1) , /* 70 */ W(0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 80 */ W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */ W(0xa0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* a0 */ W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1) , /* b0 */ W(0xc0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */ W(0xd0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) , /* d0 */ W(0xe0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* e0 */ W(0xf0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0) /* f0 */ /* ----------------------------------------------- */ /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ }; |
8533bbe9f
|
99 |
#undef W |
f438d914b
|
100 101 102 103 104 105 |
struct kretprobe_blackpoint kretprobe_blacklist[] = { {"__switch_to", }, /* This function switches only current task, but doesn't switch kernel stack.*/ {NULL, NULL} /* Terminator */ }; const int kretprobe_blacklist_size = ARRAY_SIZE(kretprobe_blacklist); |
c0f7ac3a9
|
106 |
static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) |
aa470140e
|
107 |
{ |
c0f7ac3a9
|
108 109 |
struct __arch_relative_insn { u8 op; |
aa470140e
|
110 |
s32 raddr; |
c0f7ac3a9
|
111 112 113 114 115 116 117 118 119 120 121 |
} __attribute__((packed)) *insn; insn = (struct __arch_relative_insn *)from; insn->raddr = (s32)((long)(to) - ((long)(from) + 5)); insn->op = op; } /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/ static void __kprobes synthesize_reljump(void *from, void *to) { __synthesize_relative_insn(from, to, RELATIVEJUMP_OPCODE); |
aa470140e
|
122 123 124 |
} /* |
567a9fd86
|
125 |
* Skip the prefixes of the instruction. |
9930927f3
|
126 |
*/ |
567a9fd86
|
127 |
static kprobe_opcode_t *__kprobes skip_prefixes(kprobe_opcode_t *insn) |
9930927f3
|
128 |
{ |
567a9fd86
|
129 130 131 132 133 134 135 |
insn_attr_t attr; attr = inat_get_opcode_attribute((insn_byte_t)*insn); while (inat_is_legacy_prefix(attr)) { insn++; attr = inat_get_opcode_attribute((insn_byte_t)*insn); } |
9930927f3
|
136 |
#ifdef CONFIG_X86_64 |
567a9fd86
|
137 138 |
if (inat_is_rex_prefix(attr)) insn++; |
9930927f3
|
139 |
#endif |
567a9fd86
|
140 |
return insn; |
9930927f3
|
141 142 143 |
} /* |
d6be29b87
|
144 145 |
* Returns non-zero if opcode is boostable. * RIP relative instructions are adjusted at copying time in 64 bits mode |
aa470140e
|
146 |
*/ |
e7b5e11ea
|
147 |
static int __kprobes can_boost(kprobe_opcode_t *opcodes) |
aa470140e
|
148 |
{ |
aa470140e
|
149 150 |
kprobe_opcode_t opcode; kprobe_opcode_t *orig_opcodes = opcodes; |
cde5edbda
|
151 |
if (search_exception_tables((unsigned long)opcodes)) |
30390880d
|
152 |
return 0; /* Page fault may occur on this address. */ |
aa470140e
|
153 154 155 156 157 158 159 160 161 |
retry: if (opcodes - orig_opcodes > MAX_INSN_SIZE - 1) return 0; opcode = *(opcodes++); /* 2nd-byte opcode */ if (opcode == 0x0f) { if (opcodes - orig_opcodes > MAX_INSN_SIZE - 1) return 0; |
8533bbe9f
|
162 163 |
return test_bit(*opcodes, (unsigned long *)twobyte_is_boostable); |
aa470140e
|
164 165 166 |
} switch (opcode & 0xf0) { |
d6be29b87
|
167 |
#ifdef CONFIG_X86_64 |
aa470140e
|
168 169 |
case 0x40: goto retry; /* REX prefix is boostable */ |
d6be29b87
|
170 |
#endif |
aa470140e
|
171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
case 0x60: if (0x63 < opcode && opcode < 0x67) goto retry; /* prefixes */ /* can't boost Address-size override and bound */ return (opcode != 0x62 && opcode != 0x67); case 0x70: return 0; /* can't boost conditional jump */ case 0xc0: /* can't boost software-interruptions */ return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf; case 0xd0: /* can boost AA* and XLAT */ return (opcode == 0xd4 || opcode == 0xd5 || opcode == 0xd7); case 0xe0: /* can boost in/out and absolute jmps */ return ((opcode & 0x04) || opcode == 0xea); case 0xf0: if ((opcode & 0x0c) == 0 && opcode != 0xf1) goto retry; /* lock/rep(ne) prefix */ /* clear and set flags are boostable */ return (opcode == 0xf5 || (0xf7 < opcode && opcode < 0xfe)); default: /* segment override prefixes are boostable */ if (opcode == 0x26 || opcode == 0x36 || opcode == 0x3e) goto retry; /* prefixes */ /* CS override prefix and call are not boostable */ return (opcode != 0x2e && opcode != 0x9a); } } |
b46b3d70c
|
200 201 202 203 204 205 206 207 208 209 210 |
/* Recover the probed instruction at addr for further analysis. */ static int recover_probed_instruction(kprobe_opcode_t *buf, unsigned long addr) { struct kprobe *kp; kp = get_kprobe((void *)addr); if (!kp) return -EINVAL; /* * Basically, kp->ainsn.insn has an original instruction. * However, RIP-relative instruction can not do single-stepping |
c0f7ac3a9
|
211 |
* at different place, __copy_instruction() tweaks the displacement of |
b46b3d70c
|
212 213 214 215 216 217 218 219 220 221 222 223 224 |
* that instruction. In that case, we can't recover the instruction * from the kp->ainsn.insn. * * On the other hand, kp->opcode has a copy of the first byte of * the probed instruction, which is overwritten by int3. And * the instruction at kp->addr is not modified by kprobes except * for the first byte, we can recover the original instruction * from it and kp->opcode. */ memcpy(buf, kp->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); buf[0] = kp->opcode; return 0; } |
b46b3d70c
|
225 226 227 228 229 230 231 |
/* Check if paddr is at an instruction boundary */ static int __kprobes can_probe(unsigned long paddr) { int ret; unsigned long addr, offset = 0; struct insn insn; kprobe_opcode_t buf[MAX_INSN_SIZE]; |
6abded71d
|
232 |
if (!kallsyms_lookup_size_offset(paddr, NULL, &offset)) |
b46b3d70c
|
233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
return 0; /* Decode instructions */ addr = paddr - offset; while (addr < paddr) { kernel_insn_init(&insn, (void *)addr); insn_get_opcode(&insn); /* * Check if the instruction has been modified by another * kprobe, in which case we replace the breakpoint by the * original instruction in our buffer. */ if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION) { ret = recover_probed_instruction(buf, addr); if (ret) /* * Another debugging subsystem might insert * this breakpoint. In that case, we can't * recover it. */ return 0; kernel_insn_init(&insn, buf); } insn_get_length(&insn); addr += insn.length; } return (addr == paddr); } |
1da177e4c
|
263 |
/* |
d6be29b87
|
264 |
* Returns non-zero if opcode modifies the interrupt flag. |
1da177e4c
|
265 |
*/ |
8645419cd
|
266 |
static int __kprobes is_IF_modifier(kprobe_opcode_t *insn) |
1da177e4c
|
267 |
{ |
567a9fd86
|
268 269 |
/* Skip prefixes */ insn = skip_prefixes(insn); |
1da177e4c
|
270 271 272 273 274 275 276 |
switch (*insn) { case 0xfa: /* cli */ case 0xfb: /* sti */ case 0xcf: /* iret/iretd */ case 0x9d: /* popf/popfd */ return 1; } |
9930927f3
|
277 |
|
1da177e4c
|
278 279 280 281 |
return 0; } /* |
c0f7ac3a9
|
282 283 |
* Copy an instruction and adjust the displacement if the instruction * uses the %rip-relative addressing mode. |
aa470140e
|
284 |
* If it does, Return the address of the 32-bit displacement word. |
1da177e4c
|
285 |
* If not, return null. |
31f80e45e
|
286 |
* Only applicable to 64-bit x86. |
1da177e4c
|
287 |
*/ |
c0f7ac3a9
|
288 |
static int __kprobes __copy_instruction(u8 *dest, u8 *src, int recover) |
1da177e4c
|
289 |
{ |
89ae465b0
|
290 |
struct insn insn; |
c0f7ac3a9
|
291 292 |
int ret; kprobe_opcode_t buf[MAX_INSN_SIZE]; |
1da177e4c
|
293 |
|
c0f7ac3a9
|
294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 |
kernel_insn_init(&insn, src); if (recover) { insn_get_opcode(&insn); if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION) { ret = recover_probed_instruction(buf, (unsigned long)src); if (ret) return 0; kernel_insn_init(&insn, buf); } } insn_get_length(&insn); memcpy(dest, insn.kaddr, insn.length); #ifdef CONFIG_X86_64 |
89ae465b0
|
309 310 311 |
if (insn_rip_relative(&insn)) { s64 newdisp; u8 *disp; |
c0f7ac3a9
|
312 |
kernel_insn_init(&insn, dest); |
89ae465b0
|
313 314 315 316 317 318 319 320 321 322 323 324 325 |
insn_get_displacement(&insn); /* * The copied instruction uses the %rip-relative addressing * mode. Adjust the displacement for the difference between * the original location of this instruction and the location * of the copy that will actually be run. The tricky bit here * is making sure that the sign extension happens correctly in * this calculation, since we need a signed 32-bit result to * be sign-extended to 64 bits when it's added to the %rip * value and yield the same 64-bit result that the sign- * extension of the original signed 32-bit displacement would * have given. */ |
c0f7ac3a9
|
326 327 |
newdisp = (u8 *) src + (s64) insn.displacement.value - (u8 *) dest; |
89ae465b0
|
328 |
BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */ |
c0f7ac3a9
|
329 |
disp = (u8 *) dest + insn_offset_displacement(&insn); |
89ae465b0
|
330 |
*(s32 *) disp = (s32) newdisp; |
1da177e4c
|
331 |
} |
d6be29b87
|
332 |
#endif |
c0f7ac3a9
|
333 |
return insn.length; |
31f80e45e
|
334 |
} |
1da177e4c
|
335 |
|
f709b1223
|
336 |
static void __kprobes arch_copy_kprobe(struct kprobe *p) |
1da177e4c
|
337 |
{ |
c0f7ac3a9
|
338 339 340 341 342 |
/* * Copy an instruction without recovering int3, because it will be * put by another subsystem. */ __copy_instruction(p->ainsn.insn, p->addr, 0); |
31f80e45e
|
343 |
|
8533bbe9f
|
344 |
if (can_boost(p->addr)) |
aa470140e
|
345 |
p->ainsn.boostable = 0; |
8533bbe9f
|
346 |
else |
aa470140e
|
347 |
p->ainsn.boostable = -1; |
8533bbe9f
|
348 |
|
7e1048b11
|
349 |
p->opcode = *p->addr; |
1da177e4c
|
350 |
} |
8533bbe9f
|
351 352 |
int __kprobes arch_prepare_kprobe(struct kprobe *p) { |
4554dbcb8
|
353 354 |
if (alternatives_text_reserved(p->addr, p->addr)) return -EINVAL; |
b46b3d70c
|
355 356 |
if (!can_probe((unsigned long)p->addr)) return -EILSEQ; |
8533bbe9f
|
357 358 359 360 361 362 363 |
/* insn: must be on special executable page on x86. */ p->ainsn.insn = get_insn_slot(); if (!p->ainsn.insn) return -ENOMEM; arch_copy_kprobe(p); return 0; } |
0f2fbdcbb
|
364 |
void __kprobes arch_arm_kprobe(struct kprobe *p) |
1da177e4c
|
365 |
{ |
19d36ccdc
|
366 |
text_poke(p->addr, ((unsigned char []){BREAKPOINT_INSTRUCTION}), 1); |
1da177e4c
|
367 |
} |
0f2fbdcbb
|
368 |
void __kprobes arch_disarm_kprobe(struct kprobe *p) |
1da177e4c
|
369 |
{ |
19d36ccdc
|
370 |
text_poke(p->addr, &p->opcode, 1); |
7e1048b11
|
371 |
} |
0498b6350
|
372 |
void __kprobes arch_remove_kprobe(struct kprobe *p) |
7e1048b11
|
373 |
{ |
129415607
|
374 375 376 377 |
if (p->ainsn.insn) { free_insn_slot(p->ainsn.insn, (p->ainsn.boostable == 1)); p->ainsn.insn = NULL; } |
1da177e4c
|
378 |
} |
3b60211c1
|
379 |
static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb) |
aa3d7e3d7
|
380 |
{ |
e7a510f92
|
381 382 |
kcb->prev_kprobe.kp = kprobe_running(); kcb->prev_kprobe.status = kcb->kprobe_status; |
8533bbe9f
|
383 384 |
kcb->prev_kprobe.old_flags = kcb->kprobe_old_flags; kcb->prev_kprobe.saved_flags = kcb->kprobe_saved_flags; |
aa3d7e3d7
|
385 |
} |
3b60211c1
|
386 |
static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb) |
aa3d7e3d7
|
387 |
{ |
b76834bc1
|
388 |
__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp); |
e7a510f92
|
389 |
kcb->kprobe_status = kcb->prev_kprobe.status; |
8533bbe9f
|
390 391 |
kcb->kprobe_old_flags = kcb->prev_kprobe.old_flags; kcb->kprobe_saved_flags = kcb->prev_kprobe.saved_flags; |
aa3d7e3d7
|
392 |
} |
3b60211c1
|
393 |
static void __kprobes set_current_kprobe(struct kprobe *p, struct pt_regs *regs, |
e7a510f92
|
394 |
struct kprobe_ctlblk *kcb) |
aa3d7e3d7
|
395 |
{ |
b76834bc1
|
396 |
__this_cpu_write(current_kprobe, p); |
8533bbe9f
|
397 |
kcb->kprobe_saved_flags = kcb->kprobe_old_flags |
053de0444
|
398 |
= (regs->flags & (X86_EFLAGS_TF | X86_EFLAGS_IF)); |
aa3d7e3d7
|
399 |
if (is_IF_modifier(p->ainsn.insn)) |
053de0444
|
400 |
kcb->kprobe_saved_flags &= ~X86_EFLAGS_IF; |
aa3d7e3d7
|
401 |
} |
e7b5e11ea
|
402 |
static void __kprobes clear_btf(void) |
1ecc798c6
|
403 |
{ |
ea8e61b7b
|
404 405 406 407 408 409 |
if (test_thread_flag(TIF_BLOCKSTEP)) { unsigned long debugctl = get_debugctlmsr(); debugctl &= ~DEBUGCTLMSR_BTF; update_debugctlmsr(debugctl); } |
1ecc798c6
|
410 |
} |
e7b5e11ea
|
411 |
static void __kprobes restore_btf(void) |
1ecc798c6
|
412 |
{ |
ea8e61b7b
|
413 414 415 416 417 418 |
if (test_thread_flag(TIF_BLOCKSTEP)) { unsigned long debugctl = get_debugctlmsr(); debugctl |= DEBUGCTLMSR_BTF; update_debugctlmsr(debugctl); } |
1ecc798c6
|
419 |
} |
4c4308cb9
|
420 |
void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, |
0f2fbdcbb
|
421 |
struct pt_regs *regs) |
73649dab0
|
422 |
{ |
8533bbe9f
|
423 |
unsigned long *sara = stack_addr(regs); |
ba8af12f4
|
424 |
|
4c4308cb9
|
425 |
ri->ret_addr = (kprobe_opcode_t *) *sara; |
8533bbe9f
|
426 |
|
4c4308cb9
|
427 428 |
/* Replace the return addr with trampoline addr */ *sara = (unsigned long) &kretprobe_trampoline; |
73649dab0
|
429 |
} |
f315decbd
|
430 |
|
c0f7ac3a9
|
431 432 433 434 435 436 437 |
#ifdef CONFIG_OPTPROBES static int __kprobes setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter); #else #define setup_detour_execution(p, regs, reenter) (0) #endif |
f315decbd
|
438 |
static void __kprobes setup_singlestep(struct kprobe *p, struct pt_regs *regs, |
0f94eb634
|
439 |
struct kprobe_ctlblk *kcb, int reenter) |
f315decbd
|
440 |
{ |
c0f7ac3a9
|
441 442 |
if (setup_detour_execution(p, regs, reenter)) return; |
615d0ebbc
|
443 |
#if !defined(CONFIG_PREEMPT) |
f315decbd
|
444 445 |
if (p->ainsn.boostable == 1 && !p->post_handler) { /* Boost up -- we can execute copied instructions directly */ |
0f94eb634
|
446 447 448 449 450 451 452 |
if (!reenter) reset_current_kprobe(); /* * Reentering boosted probe doesn't reset current_kprobe, * nor set current_kprobe, because it doesn't use single * stepping. */ |
f315decbd
|
453 454 455 456 457 |
regs->ip = (unsigned long)p->ainsn.insn; preempt_enable_no_resched(); return; } #endif |
0f94eb634
|
458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 |
if (reenter) { save_previous_kprobe(kcb); set_current_kprobe(p, regs, kcb); kcb->kprobe_status = KPROBE_REENTER; } else kcb->kprobe_status = KPROBE_HIT_SS; /* Prepare real single stepping */ clear_btf(); regs->flags |= X86_EFLAGS_TF; regs->flags &= ~X86_EFLAGS_IF; /* single step inline if the instruction is an int3 */ if (p->opcode == BREAKPOINT_INSTRUCTION) regs->ip = (unsigned long)p->addr; else regs->ip = (unsigned long)p->ainsn.insn; |
f315decbd
|
473 |
} |
40102d4a4
|
474 475 476 477 478 |
/* * We have reentered the kprobe_handler(), since another probe was hit while * within the handler. We save the original kprobes variables and just single * step on the instruction of the new probe without calling any user handlers. */ |
59e87cdcd
|
479 480 |
static int __kprobes reenter_kprobe(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) |
40102d4a4
|
481 |
{ |
f315decbd
|
482 483 |
switch (kcb->kprobe_status) { case KPROBE_HIT_SSDONE: |
f315decbd
|
484 |
case KPROBE_HIT_ACTIVE: |
fb8830e72
|
485 |
kprobes_inc_nmissed_count(p); |
0f94eb634
|
486 |
setup_singlestep(p, regs, kcb, 1); |
f315decbd
|
487 488 |
break; case KPROBE_HIT_SS: |
e9afe9e1b
|
489 490 491 492 493 494 495 496 497 498 499 |
/* A probe has been hit in the codepath leading up to, or just * after, single-stepping of a probed instruction. This entire * codepath should strictly reside in .kprobes.text section. * Raise a BUG or we'll continue in an endless reentering loop * and eventually a stack overflow. */ printk(KERN_WARNING "Unrecoverable kprobe detected at %p. ", p->addr); dump_kprobe(p); BUG(); |
f315decbd
|
500 501 502 |
default: /* impossible cases */ WARN_ON(1); |
fb8830e72
|
503 |
return 0; |
59e87cdcd
|
504 |
} |
f315decbd
|
505 |
|
59e87cdcd
|
506 |
return 1; |
40102d4a4
|
507 |
} |
73649dab0
|
508 |
|
8533bbe9f
|
509 510 |
/* * Interrupts are disabled on entry as trap3 is an interrupt gate and they |
af901ca18
|
511 |
* remain disabled throughout this function. |
8533bbe9f
|
512 513 |
*/ static int __kprobes kprobe_handler(struct pt_regs *regs) |
1da177e4c
|
514 |
{ |
8533bbe9f
|
515 |
kprobe_opcode_t *addr; |
f315decbd
|
516 |
struct kprobe *p; |
d217d5450
|
517 |
struct kprobe_ctlblk *kcb; |
8533bbe9f
|
518 |
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t)); |
d217d5450
|
519 520 |
/* * We don't want to be preempted for the entire |
f315decbd
|
521 522 523 |
* duration of kprobe processing. We conditionally * re-enable preemption at the end of this function, * and also in reenter_kprobe() and setup_singlestep(). |
d217d5450
|
524 525 |
*/ preempt_disable(); |
1da177e4c
|
526 |
|
f315decbd
|
527 |
kcb = get_kprobe_ctlblk(); |
b97601563
|
528 |
p = get_kprobe(addr); |
f315decbd
|
529 |
|
b97601563
|
530 |
if (p) { |
b97601563
|
531 |
if (kprobe_running()) { |
f315decbd
|
532 533 |
if (reenter_kprobe(p, regs, kcb)) return 1; |
1da177e4c
|
534 |
} else { |
b97601563
|
535 536 |
set_current_kprobe(p, regs, kcb); kcb->kprobe_status = KPROBE_HIT_ACTIVE; |
f315decbd
|
537 |
|
1da177e4c
|
538 |
/* |
f315decbd
|
539 540 541 542 543 544 |
* If we have no pre-handler or it returned 0, we * continue with normal processing. If we have a * pre-handler and it returned non-zero, it prepped * for calling the break_handler below on re-entry * for jprobe processing, so get out doing nothing * more here. |
1da177e4c
|
545 |
*/ |
f315decbd
|
546 |
if (!p->pre_handler || !p->pre_handler(p, regs)) |
0f94eb634
|
547 |
setup_singlestep(p, regs, kcb, 0); |
f315decbd
|
548 |
return 1; |
b97601563
|
549 |
} |
829e92458
|
550 551 552 553 554 555 556 557 558 559 560 561 562 |
} else if (*addr != BREAKPOINT_INSTRUCTION) { /* * The breakpoint instruction was removed right * after we hit it. Another cpu has removed * either a probepoint or a debugger breakpoint * at this address. In either case, no further * handling of this interrupt is appropriate. * Back up over the (now missing) int3 and run * the original instruction. */ regs->ip = (unsigned long)addr; preempt_enable_no_resched(); return 1; |
f315decbd
|
563 |
} else if (kprobe_running()) { |
b76834bc1
|
564 |
p = __this_cpu_read(current_kprobe); |
f315decbd
|
565 |
if (p->break_handler && p->break_handler(p, regs)) { |
0f94eb634
|
566 |
setup_singlestep(p, regs, kcb, 0); |
f315decbd
|
567 |
return 1; |
1da177e4c
|
568 |
} |
f315decbd
|
569 |
} /* else: not a kprobe fault; let the kernel handle it */ |
1da177e4c
|
570 |
|
d217d5450
|
571 |
preempt_enable_no_resched(); |
f315decbd
|
572 |
return 0; |
1da177e4c
|
573 |
} |
f007ea268
|
574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 |
#ifdef CONFIG_X86_64 #define SAVE_REGS_STRING \ /* Skip cs, ip, orig_ax. */ \ " subq $24, %rsp " \ " pushq %rdi " \ " pushq %rsi " \ " pushq %rdx " \ " pushq %rcx " \ " pushq %rax " \ " pushq %r8 " \ " pushq %r9 " \ " pushq %r10 " \ " pushq %r11 " \ " pushq %rbx " \ " pushq %rbp " \ " pushq %r12 " \ " pushq %r13 " \ " pushq %r14 " \ " pushq %r15 " #define RESTORE_REGS_STRING \ " popq %r15 " \ " popq %r14 " \ " popq %r13 " \ " popq %r12 " \ " popq %rbp " \ " popq %rbx " \ " popq %r11 " \ " popq %r10 " \ " popq %r9 " \ " popq %r8 " \ " popq %rax " \ " popq %rcx " \ " popq %rdx " \ " popq %rsi " \ " popq %rdi " \ /* Skip orig_ax, ip, cs */ \ " addq $24, %rsp " #else #define SAVE_REGS_STRING \ /* Skip cs, ip, orig_ax and gs. */ \ " subl $16, %esp " \ " pushl %fs " \ |
f007ea268
|
650 651 |
" pushl %es " \ |
a19747984
|
652 653 |
" pushl %ds " \ |
f007ea268
|
654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 |
" pushl %eax " \ " pushl %ebp " \ " pushl %edi " \ " pushl %esi " \ " pushl %edx " \ " pushl %ecx " \ " pushl %ebx " #define RESTORE_REGS_STRING \ " popl %ebx " \ " popl %ecx " \ " popl %edx " \ " popl %esi " \ " popl %edi " \ " popl %ebp " \ " popl %eax " \ /* Skip ds, es, fs, gs, orig_ax, and ip. Note: don't pop cs here*/\ " addl $24, %esp " #endif |
1da177e4c
|
687 |
/* |
da07ab037
|
688 689 |
* When a retprobed function returns, this code saves registers and * calls trampoline_handler() runs, which calls the kretprobe's handler. |
73649dab0
|
690 |
*/ |
f1452d424
|
691 |
static void __used __kprobes kretprobe_trampoline_holder(void) |
1017579a8
|
692 |
{ |
d6be29b87
|
693 694 695 |
asm volatile ( ".global kretprobe_trampoline " |
da07ab037
|
696 697 |
"kretprobe_trampoline: " |
d6be29b87
|
698 |
#ifdef CONFIG_X86_64 |
da07ab037
|
699 700 701 702 703 |
/* We don't bother saving the ss register */ " pushq %rsp " " pushfq " |
f007ea268
|
704 |
SAVE_REGS_STRING |
da07ab037
|
705 706 707 708 709 710 711 |
" movq %rsp, %rdi " " call trampoline_handler " /* Replace saved sp with true return address. */ " movq %rax, 152(%rsp) " |
f007ea268
|
712 |
RESTORE_REGS_STRING |
da07ab037
|
713 714 |
" popfq " |
d6be29b87
|
715 716 717 |
#else " pushf " |
f007ea268
|
718 |
SAVE_REGS_STRING |
d6be29b87
|
719 720 721 722 723 |
" movl %esp, %eax " " call trampoline_handler " /* Move flags to cs */ |
fee039a1d
|
724 725 726 727 |
" movl 56(%esp), %edx " " movl %edx, 52(%esp) " |
d6be29b87
|
728 |
/* Replace saved flags with true return address. */ |
fee039a1d
|
729 730 |
" movl %eax, 56(%esp) " |
f007ea268
|
731 |
RESTORE_REGS_STRING |
d6be29b87
|
732 733 734 |
" popf " #endif |
da07ab037
|
735 736 |
" ret "); |
1017579a8
|
737 |
} |
73649dab0
|
738 739 |
/* |
da07ab037
|
740 |
* Called from kretprobe_trampoline |
73649dab0
|
741 |
*/ |
f1452d424
|
742 |
static __used __kprobes void *trampoline_handler(struct pt_regs *regs) |
73649dab0
|
743 |
{ |
62c27be0d
|
744 |
struct kretprobe_instance *ri = NULL; |
99219a3fb
|
745 |
struct hlist_head *head, empty_rp; |
62c27be0d
|
746 |
struct hlist_node *node, *tmp; |
991a51d83
|
747 |
unsigned long flags, orig_ret_address = 0; |
d6be29b87
|
748 |
unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; |
737480a0d
|
749 |
kprobe_opcode_t *correct_ret_addr = NULL; |
73649dab0
|
750 |
|
99219a3fb
|
751 |
INIT_HLIST_HEAD(&empty_rp); |
ef53d9c5e
|
752 |
kretprobe_hash_lock(current, &head, &flags); |
8533bbe9f
|
753 |
/* fixup registers */ |
d6be29b87
|
754 |
#ifdef CONFIG_X86_64 |
da07ab037
|
755 |
regs->cs = __KERNEL_CS; |
d6be29b87
|
756 757 |
#else regs->cs = __KERNEL_CS | get_kernel_rpl(); |
fee039a1d
|
758 |
regs->gs = 0; |
d6be29b87
|
759 |
#endif |
da07ab037
|
760 |
regs->ip = trampoline_address; |
8533bbe9f
|
761 |
regs->orig_ax = ~0UL; |
73649dab0
|
762 |
|
ba8af12f4
|
763 764 |
/* * It is possible to have multiple instances associated with a given |
8533bbe9f
|
765 |
* task either because multiple functions in the call path have |
025dfdafe
|
766 |
* return probes installed on them, and/or more than one |
ba8af12f4
|
767 768 769 |
* return probe was registered for a target function. * * We can handle this because: |
8533bbe9f
|
770 |
* - instances are always pushed into the head of the list |
ba8af12f4
|
771 |
* - when multiple return probes are registered for the same |
8533bbe9f
|
772 773 774 |
* function, the (chronologically) first instance's ret_addr * will be the real return address, and all the rest will * point to kretprobe_trampoline. |
ba8af12f4
|
775 776 |
*/ hlist_for_each_entry_safe(ri, node, tmp, head, hlist) { |
62c27be0d
|
777 |
if (ri->task != current) |
ba8af12f4
|
778 |
/* another task is sharing our hash bucket */ |
62c27be0d
|
779 |
continue; |
ba8af12f4
|
780 |
|
737480a0d
|
781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 |
orig_ret_address = (unsigned long)ri->ret_addr; if (orig_ret_address != trampoline_address) /* * This is the real return address. Any other * instances associated with this task are for * other calls deeper on the call stack */ break; } kretprobe_assert(ri, orig_ret_address, trampoline_address); correct_ret_addr = ri->ret_addr; hlist_for_each_entry_safe(ri, node, tmp, head, hlist) { if (ri->task != current) /* another task is sharing our hash bucket */ continue; orig_ret_address = (unsigned long)ri->ret_addr; |
da07ab037
|
801 |
if (ri->rp && ri->rp->handler) { |
b76834bc1
|
802 |
__this_cpu_write(current_kprobe, &ri->rp->kp); |
da07ab037
|
803 |
get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; |
737480a0d
|
804 |
ri->ret_addr = correct_ret_addr; |
ba8af12f4
|
805 |
ri->rp->handler(ri, regs); |
b76834bc1
|
806 |
__this_cpu_write(current_kprobe, NULL); |
da07ab037
|
807 |
} |
ba8af12f4
|
808 |
|
99219a3fb
|
809 |
recycle_rp_inst(ri, &empty_rp); |
ba8af12f4
|
810 811 812 813 814 815 816 817 |
if (orig_ret_address != trampoline_address) /* * This is the real return address. Any other * instances associated with this task are for * other calls deeper on the call stack */ break; |
73649dab0
|
818 |
} |
ba8af12f4
|
819 |
|
ef53d9c5e
|
820 |
kretprobe_hash_unlock(current, &flags); |
ba8af12f4
|
821 |
|
99219a3fb
|
822 823 824 825 |
hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) { hlist_del(&ri->hlist); kfree(ri); } |
da07ab037
|
826 |
return (void *)orig_ret_address; |
73649dab0
|
827 828 829 |
} /* |
1da177e4c
|
830 831 832 833 834 835 836 837 838 839 840 |
* Called after single-stepping. p->addr is the address of the * instruction whose first byte has been replaced by the "int 3" * instruction. To avoid the SMP problems that can occur when we * temporarily put back the original opcode to single-step, we * single-stepped a copy of the instruction. The address of this * copy is p->ainsn.insn. * * This function prepares to return from the post-single-step * interrupt. We have to fix up the stack as follows: * * 0) Except in the case of absolute or indirect jump or call instructions, |
65ea5b034
|
841 |
* the new ip is relative to the copied instruction. We need to make |
1da177e4c
|
842 843 844 |
* it relative to the original instruction. * * 1) If the single-stepped instruction was pushfl, then the TF and IF |
65ea5b034
|
845 |
* flags are set in the just-pushed flags, and may need to be cleared. |
1da177e4c
|
846 847 848 849 |
* * 2) If the single-stepped instruction was a call, the return address * that is atop the stack is the address following the copied instruction. * We need to make it the address following the original instruction. |
aa470140e
|
850 851 852 853 854 |
* * If this is the first time we've single-stepped the instruction at * this probepoint, and the instruction is boostable, boost it: add a * jump instruction after the copied instruction, that jumps to the next * instruction after the probepoint. |
1da177e4c
|
855 |
*/ |
e7a510f92
|
856 857 |
static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) |
1da177e4c
|
858 |
{ |
8533bbe9f
|
859 860 861 |
unsigned long *tos = stack_addr(regs); unsigned long copy_ip = (unsigned long)p->ainsn.insn; unsigned long orig_ip = (unsigned long)p->addr; |
1da177e4c
|
862 |
kprobe_opcode_t *insn = p->ainsn.insn; |
567a9fd86
|
863 864 |
/* Skip prefixes */ insn = skip_prefixes(insn); |
1da177e4c
|
865 |
|
053de0444
|
866 |
regs->flags &= ~X86_EFLAGS_TF; |
1da177e4c
|
867 |
switch (*insn) { |
0b0122faf
|
868 |
case 0x9c: /* pushfl */ |
053de0444
|
869 |
*tos &= ~(X86_EFLAGS_TF | X86_EFLAGS_IF); |
8533bbe9f
|
870 |
*tos |= kcb->kprobe_old_flags; |
1da177e4c
|
871 |
break; |
0b0122faf
|
872 873 |
case 0xc2: /* iret/ret/lret */ case 0xc3: |
0b9e2cac8
|
874 |
case 0xca: |
0b0122faf
|
875 876 877 878 |
case 0xcb: case 0xcf: case 0xea: /* jmp absolute -- ip is correct */ /* ip is already adjusted, no more changes required */ |
aa470140e
|
879 |
p->ainsn.boostable = 1; |
0b0122faf
|
880 881 |
goto no_change; case 0xe8: /* call relative - Fix return addr */ |
8533bbe9f
|
882 |
*tos = orig_ip + (*tos - copy_ip); |
1da177e4c
|
883 |
break; |
e7b5e11ea
|
884 |
#ifdef CONFIG_X86_32 |
d6be29b87
|
885 886 887 888 |
case 0x9a: /* call absolute -- same as call absolute, indirect */ *tos = orig_ip + (*tos - copy_ip); goto no_change; #endif |
1da177e4c
|
889 |
case 0xff: |
dc49e3445
|
890 |
if ((insn[1] & 0x30) == 0x10) { |
8533bbe9f
|
891 892 893 894 895 896 |
/* * call absolute, indirect * Fix return addr; ip is correct. * But this is not boostable */ *tos = orig_ip + (*tos - copy_ip); |
0b0122faf
|
897 |
goto no_change; |
8533bbe9f
|
898 899 900 901 902 903 |
} else if (((insn[1] & 0x31) == 0x20) || ((insn[1] & 0x31) == 0x21)) { /* * jmp near and far, absolute indirect * ip is correct. And this is boostable */ |
aa470140e
|
904 |
p->ainsn.boostable = 1; |
0b0122faf
|
905 |
goto no_change; |
1da177e4c
|
906 |
} |
1da177e4c
|
907 908 909 |
default: break; } |
aa470140e
|
910 |
if (p->ainsn.boostable == 0) { |
8533bbe9f
|
911 912 |
if ((regs->ip > copy_ip) && (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) { |
aa470140e
|
913 914 915 916 |
/* * These instructions can be executed directly if it * jumps back to correct address. */ |
c0f7ac3a9
|
917 918 |
synthesize_reljump((void *)regs->ip, (void *)orig_ip + (regs->ip - copy_ip)); |
aa470140e
|
919 920 921 922 923 |
p->ainsn.boostable = 1; } else { p->ainsn.boostable = -1; } } |
8533bbe9f
|
924 |
regs->ip += orig_ip - copy_ip; |
65ea5b034
|
925 |
|
0b0122faf
|
926 |
no_change: |
1ecc798c6
|
927 |
restore_btf(); |
1da177e4c
|
928 |
} |
8533bbe9f
|
929 930 |
/* * Interrupts are disabled on entry as trap1 is an interrupt gate and they |
af901ca18
|
931 |
* remain disabled throughout this function. |
8533bbe9f
|
932 933 |
*/ static int __kprobes post_kprobe_handler(struct pt_regs *regs) |
1da177e4c
|
934 |
{ |
e7a510f92
|
935 936 937 938 |
struct kprobe *cur = kprobe_running(); struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); if (!cur) |
1da177e4c
|
939 |
return 0; |
acb5b8a2d
|
940 941 |
resume_execution(cur, regs, kcb); regs->flags |= kcb->kprobe_saved_flags; |
acb5b8a2d
|
942 |
|
e7a510f92
|
943 944 945 |
if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) { kcb->kprobe_status = KPROBE_HIT_SSDONE; cur->post_handler(cur, regs, 0); |
aa3d7e3d7
|
946 |
} |
1da177e4c
|
947 |
|
8533bbe9f
|
948 |
/* Restore back the original saved kprobes variables and continue. */ |
e7a510f92
|
949 950 |
if (kcb->kprobe_status == KPROBE_REENTER) { restore_previous_kprobe(kcb); |
aa3d7e3d7
|
951 |
goto out; |
aa3d7e3d7
|
952 |
} |
e7a510f92
|
953 |
reset_current_kprobe(); |
aa3d7e3d7
|
954 |
out: |
1da177e4c
|
955 956 957 |
preempt_enable_no_resched(); /* |
65ea5b034
|
958 |
* if somebody else is singlestepping across a probe point, flags |
1da177e4c
|
959 960 961 |
* will have TF set, in which case, continue the remaining processing * of do_debug, as if this is not a probe hit. */ |
053de0444
|
962 |
if (regs->flags & X86_EFLAGS_TF) |
1da177e4c
|
963 964 965 966 |
return 0; return 1; } |
0f2fbdcbb
|
967 |
int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr) |
1da177e4c
|
968 |
{ |
e7a510f92
|
969 970 |
struct kprobe *cur = kprobe_running(); struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); |
d6be29b87
|
971 |
switch (kcb->kprobe_status) { |
c28f89663
|
972 973 974 975 976 |
case KPROBE_HIT_SS: case KPROBE_REENTER: /* * We are here because the instruction being single * stepped caused a page fault. We reset the current |
65ea5b034
|
977 |
* kprobe and the ip points back to the probe address |
c28f89663
|
978 979 980 |
* and allow the page fault handler to continue as a * normal page fault. */ |
65ea5b034
|
981 |
regs->ip = (unsigned long)cur->addr; |
8533bbe9f
|
982 |
regs->flags |= kcb->kprobe_old_flags; |
c28f89663
|
983 984 985 986 |
if (kcb->kprobe_status == KPROBE_REENTER) restore_previous_kprobe(kcb); else reset_current_kprobe(); |
1da177e4c
|
987 |
preempt_enable_no_resched(); |
c28f89663
|
988 989 990 991 992 |
break; case KPROBE_HIT_ACTIVE: case KPROBE_HIT_SSDONE: /* * We increment the nmissed count for accounting, |
8533bbe9f
|
993 |
* we can also use npre/npostfault count for accounting |
c28f89663
|
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 |
* these specific fault cases. */ kprobes_inc_nmissed_count(cur); /* * We come here because instructions in the pre/post * handler caused the page_fault, this could happen * if handler tries to access user space by * copy_from_user(), get_user() etc. Let the * user-specified handler try to fix it first. */ if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr)) return 1; /* * In case the user-specified fault handler returned * zero, try to fix up. */ |
d6be29b87
|
1012 1013 |
if (fixup_exception(regs)) return 1; |
6d48583ba
|
1014 |
|
c28f89663
|
1015 |
/* |
8533bbe9f
|
1016 |
* fixup routine could not handle it, |
c28f89663
|
1017 1018 1019 1020 1021 |
* Let do_page_fault() fix it. */ break; default: break; |
1da177e4c
|
1022 1023 1024 1025 1026 1027 1028 |
} return 0; } /* * Wrapper routine for handling exceptions. */ |
0f2fbdcbb
|
1029 1030 |
int __kprobes kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *data) |
1da177e4c
|
1031 |
{ |
ade1af771
|
1032 |
struct die_args *args = data; |
66ff2d069
|
1033 |
int ret = NOTIFY_DONE; |
8533bbe9f
|
1034 |
if (args->regs && user_mode_vm(args->regs)) |
2326c7701
|
1035 |
return ret; |
1da177e4c
|
1036 1037 1038 |
switch (val) { case DIE_INT3: if (kprobe_handler(args->regs)) |
66ff2d069
|
1039 |
ret = NOTIFY_STOP; |
1da177e4c
|
1040 1041 |
break; case DIE_DEBUG: |
62edab905
|
1042 1043 1044 1045 1046 1047 |
if (post_kprobe_handler(args->regs)) { /* * Reset the BS bit in dr6 (pointed by args->err) to * denote completion of processing */ (*(unsigned long *)ERR_PTR(args->err)) &= ~DR_STEP; |
66ff2d069
|
1048 |
ret = NOTIFY_STOP; |
62edab905
|
1049 |
} |
1da177e4c
|
1050 1051 |
break; case DIE_GPF: |
b506a9d08
|
1052 1053 1054 1055 1056 1057 |
/* * To be potentially processing a kprobe fault and to * trust the result from kprobe_running(), we have * be non-preemptible. */ if (!preemptible() && kprobe_running() && |
1da177e4c
|
1058 |
kprobe_fault_handler(args->regs, args->trapnr)) |
66ff2d069
|
1059 |
ret = NOTIFY_STOP; |
1da177e4c
|
1060 1061 1062 1063 |
break; default: break; } |
66ff2d069
|
1064 |
return ret; |
1da177e4c
|
1065 |
} |
0f2fbdcbb
|
1066 |
int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) |
1da177e4c
|
1067 1068 1069 |
{ struct jprobe *jp = container_of(p, struct jprobe, kp); unsigned long addr; |
e7a510f92
|
1070 |
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); |
1da177e4c
|
1071 |
|
e7a510f92
|
1072 |
kcb->jprobe_saved_regs = *regs; |
8533bbe9f
|
1073 1074 |
kcb->jprobe_saved_sp = stack_addr(regs); addr = (unsigned long)(kcb->jprobe_saved_sp); |
1da177e4c
|
1075 1076 1077 1078 1079 1080 1081 |
/* * As Linus pointed out, gcc assumes that the callee * owns the argument space and could overwrite it, e.g. * tailcall optimization. So, to be absolutely safe * we also save and restore enough stack bytes to cover * the argument area. */ |
e7a510f92
|
1082 |
memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr, |
d6be29b87
|
1083 |
MIN_STACK_SIZE(addr)); |
053de0444
|
1084 |
regs->flags &= ~X86_EFLAGS_IF; |
58dfe883d
|
1085 |
trace_hardirqs_off(); |
65ea5b034
|
1086 |
regs->ip = (unsigned long)(jp->entry); |
1da177e4c
|
1087 1088 |
return 1; } |
0f2fbdcbb
|
1089 |
void __kprobes jprobe_return(void) |
1da177e4c
|
1090 |
{ |
e7a510f92
|
1091 |
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); |
d6be29b87
|
1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 |
asm volatile ( #ifdef CONFIG_X86_64 " xchg %%rbx,%%rsp " #else " xchgl %%ebx,%%esp " #endif " int3 " " .globl jprobe_return_end " " jprobe_return_end: " " nop "::"b" (kcb->jprobe_saved_sp):"memory"); |
1da177e4c
|
1109 |
} |
0f2fbdcbb
|
1110 |
int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) |
1da177e4c
|
1111 |
{ |
e7a510f92
|
1112 |
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); |
65ea5b034
|
1113 |
u8 *addr = (u8 *) (regs->ip - 1); |
1da177e4c
|
1114 |
struct jprobe *jp = container_of(p, struct jprobe, kp); |
d6be29b87
|
1115 1116 |
if ((addr > (u8 *) jprobe_return) && (addr < (u8 *) jprobe_return_end)) { |
8533bbe9f
|
1117 |
if (stack_addr(regs) != kcb->jprobe_saved_sp) { |
29b6cd794
|
1118 |
struct pt_regs *saved_regs = &kcb->jprobe_saved_regs; |
d6be29b87
|
1119 1120 1121 |
printk(KERN_ERR "current sp %p does not match saved sp %p ", |
8533bbe9f
|
1122 |
stack_addr(regs), kcb->jprobe_saved_sp); |
d6be29b87
|
1123 1124 |
printk(KERN_ERR "Saved registers for jprobe %p ", jp); |
1da177e4c
|
1125 |
show_registers(saved_regs); |
d6be29b87
|
1126 1127 |
printk(KERN_ERR "Current registers "); |
1da177e4c
|
1128 1129 1130 |
show_registers(regs); BUG(); } |
e7a510f92
|
1131 |
*regs = kcb->jprobe_saved_regs; |
8533bbe9f
|
1132 1133 1134 |
memcpy((kprobe_opcode_t *)(kcb->jprobe_saved_sp), kcb->jprobes_stack, MIN_STACK_SIZE(kcb->jprobe_saved_sp)); |
d217d5450
|
1135 |
preempt_enable_no_resched(); |
1da177e4c
|
1136 1137 1138 1139 |
return 1; } return 0; } |
ba8af12f4
|
1140 |
|
c0f7ac3a9
|
1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 |
#ifdef CONFIG_OPTPROBES /* Insert a call instruction at address 'from', which calls address 'to'.*/ static void __kprobes synthesize_relcall(void *from, void *to) { __synthesize_relative_insn(from, to, RELATIVECALL_OPCODE); } /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */ static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val) { #ifdef CONFIG_X86_64 *addr++ = 0x48; *addr++ = 0xbf; #else *addr++ = 0xb8; #endif *(unsigned long *)addr = val; } |
6376b2297
|
1162 |
static void __used __kprobes kprobes_optinsn_template_holder(void) |
c0f7ac3a9
|
1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 |
{ asm volatile ( ".global optprobe_template_entry " "optprobe_template_entry: " #ifdef CONFIG_X86_64 /* We don't bother saving the ss register */ " pushq %rsp " " pushfq " SAVE_REGS_STRING " movq %rsp, %rsi " ".global optprobe_template_val " "optprobe_template_val: " ASM_NOP5 ASM_NOP5 ".global optprobe_template_call " "optprobe_template_call: " ASM_NOP5 /* Move flags to rsp */ " movq 144(%rsp), %rdx " " movq %rdx, 152(%rsp) " RESTORE_REGS_STRING /* Skip flags entry */ " addq $8, %rsp " " popfq " #else /* CONFIG_X86_32 */ " pushf " SAVE_REGS_STRING " movl %esp, %edx " ".global optprobe_template_val " "optprobe_template_val: " ASM_NOP5 ".global optprobe_template_call " "optprobe_template_call: " ASM_NOP5 RESTORE_REGS_STRING " addl $4, %esp " /* skip cs */ " popf " #endif ".global optprobe_template_end " "optprobe_template_end: "); } #define TMPL_MOVE_IDX \ ((long)&optprobe_template_val - (long)&optprobe_template_entry) #define TMPL_CALL_IDX \ ((long)&optprobe_template_call - (long)&optprobe_template_entry) #define TMPL_END_IDX \ ((long)&optprobe_template_end - (long)&optprobe_template_entry) #define INT3_SIZE sizeof(kprobe_opcode_t) /* Optimized kprobe call back function: called from optinsn */ static void __kprobes optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) { struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); preempt_disable(); if (kprobe_running()) { kprobes_inc_nmissed_count(&op->kp); } else { /* Save skipped registers */ #ifdef CONFIG_X86_64 regs->cs = __KERNEL_CS; #else regs->cs = __KERNEL_CS | get_kernel_rpl(); regs->gs = 0; #endif regs->ip = (unsigned long)op->kp.addr + INT3_SIZE; regs->orig_ax = ~0UL; |
b76834bc1
|
1256 |
__this_cpu_write(current_kprobe, &op->kp); |
c0f7ac3a9
|
1257 1258 |
kcb->kprobe_status = KPROBE_HIT_ACTIVE; opt_pre_handler(&op->kp, regs); |
b76834bc1
|
1259 |
__this_cpu_write(current_kprobe, NULL); |
c0f7ac3a9
|
1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 |
} preempt_enable_no_resched(); } static int __kprobes copy_optimized_instructions(u8 *dest, u8 *src) { int len = 0, ret; while (len < RELATIVEJUMP_SIZE) { ret = __copy_instruction(dest + len, src + len, 1); if (!ret || !can_boost(dest + len)) return -EINVAL; len += ret; } /* Check whether the address range is reserved */ if (ftrace_text_reserved(src, src + len - 1) || |
4c3ef6d79
|
1276 1277 |
alternatives_text_reserved(src, src + len - 1) || jump_label_text_reserved(src, src + len - 1)) |
c0f7ac3a9
|
1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 |
return -EBUSY; return len; } /* Check whether insn is indirect jump */ static int __kprobes insn_is_indirect_jump(struct insn *insn) { return ((insn->opcode.bytes[0] == 0xff && (X86_MODRM_REG(insn->modrm.value) & 6) == 4) || /* Jump */ insn->opcode.bytes[0] == 0xea); /* Segment based jump */ } /* Check whether insn jumps into specified address range */ static int insn_jump_into_range(struct insn *insn, unsigned long start, int len) { unsigned long target = 0; switch (insn->opcode.bytes[0]) { case 0xe0: /* loopne */ case 0xe1: /* loope */ case 0xe2: /* loop */ case 0xe3: /* jcxz */ case 0xe9: /* near relative jump */ case 0xeb: /* short relative jump */ break; case 0x0f: if ((insn->opcode.bytes[1] & 0xf0) == 0x80) /* jcc near */ break; return 0; default: if ((insn->opcode.bytes[0] & 0xf0) == 0x70) /* jcc short */ break; return 0; } target = (unsigned long)insn->next_byte + insn->immediate.value; return (start <= target && target <= start + len); } /* Decode whole function to ensure any instructions don't jump into target */ static int __kprobes can_optimize(unsigned long paddr) { int ret; unsigned long addr, size = 0, offset = 0; struct insn insn; kprobe_opcode_t buf[MAX_INSN_SIZE]; |
c0f7ac3a9
|
1325 1326 |
/* Lookup symbol including addr */ |
6abded71d
|
1327 |
if (!kallsyms_lookup_size_offset(paddr, &size, &offset)) |
c0f7ac3a9
|
1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 |
return 0; /* Check there is enough space for a relative jump. */ if (size - offset < RELATIVEJUMP_SIZE) return 0; /* Decode instructions */ addr = paddr - offset; while (addr < paddr - offset + size) { /* Decode until function end */ if (search_exception_tables(addr)) /* * Since some fixup code will jumps into this function, * we can't optimize kprobe in this function. */ return 0; kernel_insn_init(&insn, (void *)addr); insn_get_opcode(&insn); if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION) { ret = recover_probed_instruction(buf, addr); if (ret) return 0; kernel_insn_init(&insn, buf); } insn_get_length(&insn); /* Recover address */ insn.kaddr = (void *)addr; insn.next_byte = (void *)(addr + insn.length); /* Check any instructions don't jump into target */ if (insn_is_indirect_jump(&insn) || insn_jump_into_range(&insn, paddr + INT3_SIZE, RELATIVE_ADDR_SIZE)) return 0; addr += insn.length; } return 1; } /* Check optimized_kprobe can actually be optimized. */ int __kprobes arch_check_optimized_kprobe(struct optimized_kprobe *op) { int i; struct kprobe *p; for (i = 1; i < op->optinsn.size; i++) { p = get_kprobe(op->kp.addr + i); if (p && !kprobe_disabled(p)) return -EEXIST; } return 0; } /* Check the addr is within the optimized instructions. */ int __kprobes arch_within_optimized_kprobe(struct optimized_kprobe *op, unsigned long addr) { return ((unsigned long)op->kp.addr <= addr && (unsigned long)op->kp.addr + op->optinsn.size > addr); } /* Free optimized instruction slot */ static __kprobes void __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) { if (op->optinsn.insn) { free_optinsn_slot(op->optinsn.insn, dirty); op->optinsn.insn = NULL; op->optinsn.size = 0; } } void __kprobes arch_remove_optimized_kprobe(struct optimized_kprobe *op) { __arch_remove_optimized_kprobe(op, 1); } /* * Copy replacing target instructions * Target instructions MUST be relocatable (checked inside) */ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op) { u8 *buf; int ret; long rel; if (!can_optimize((unsigned long)op->kp.addr)) return -EILSEQ; op->optinsn.insn = get_optinsn_slot(); if (!op->optinsn.insn) return -ENOMEM; /* * Verify if the address gap is in 2GB range, because this uses * a relative jump. */ rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE; if (abs(rel) > 0x7fffffff) return -ERANGE; buf = (u8 *)op->optinsn.insn; /* Copy instructions into the out-of-line buffer */ ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr); if (ret < 0) { __arch_remove_optimized_kprobe(op, 0); return ret; } op->optinsn.size = ret; /* Copy arch-dep-instance from template */ memcpy(buf, &optprobe_template_entry, TMPL_END_IDX); /* Set probe information */ synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op); /* Set probe function call */ synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback); /* Set returning jmp instruction at the tail of out-of-line buffer */ synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, (u8 *)op->kp.addr + op->optinsn.size); flush_icache_range((unsigned long) buf, (unsigned long) buf + TMPL_END_IDX + op->optinsn.size + RELATIVEJUMP_SIZE); return 0; } /* Replace a breakpoint (int3) with a relative jump. */ int __kprobes arch_optimize_kprobe(struct optimized_kprobe *op) { unsigned char jmp_code[RELATIVEJUMP_SIZE]; s32 rel = (s32)((long)op->optinsn.insn - ((long)op->kp.addr + RELATIVEJUMP_SIZE)); /* Backup instructions which will be replaced by jump address */ memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE, RELATIVE_ADDR_SIZE); jmp_code[0] = RELATIVEJUMP_OPCODE; *(s32 *)(&jmp_code[1]) = rel; /* * text_poke_smp doesn't support NMI/MCE code modifying. * However, since kprobes itself also doesn't support NMI/MCE * code probing, it's not a problem. */ text_poke_smp(op->kp.addr, jmp_code, RELATIVEJUMP_SIZE); return 0; } /* Replace a relative jump with a breakpoint (int3). */ void __kprobes arch_unoptimize_kprobe(struct optimized_kprobe *op) { u8 buf[RELATIVEJUMP_SIZE]; /* Set int3 to first byte for kprobes */ buf[0] = BREAKPOINT_INSTRUCTION; memcpy(buf + 1, op->optinsn.copied_insn, RELATIVE_ADDR_SIZE); text_poke_smp(op->kp.addr, buf, RELATIVEJUMP_SIZE); } static int __kprobes setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter) { struct optimized_kprobe *op; if (p->flags & KPROBE_FLAG_OPTIMIZED) { /* This kprobe is really able to run optimized path. */ op = container_of(p, struct optimized_kprobe, kp); /* Detour through copied instructions */ regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX; if (!reenter) reset_current_kprobe(); preempt_enable_no_resched(); return 1; } return 0; } #endif |
6772926be
|
1512 |
int __init arch_init_kprobes(void) |
ba8af12f4
|
1513 |
{ |
da07ab037
|
1514 |
return 0; |
ba8af12f4
|
1515 |
} |
bf8f6e5b3
|
1516 1517 1518 |
int __kprobes arch_trampoline_kprobe(struct kprobe *p) { |
bf8f6e5b3
|
1519 1520 |
return 0; } |