arch/arm64/kernel/probes/kprobes.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * arch/arm64/kernel/probes/kprobes.c
   4  *
   5  * Kprobes support for ARM64
   6  *
   7  * Copyright (C) 2013 Linaro Limited.
   8  * Author: Sandeepa Prabhu <sandeepa.prabhu@linaro.org>
   9  */
  10 #include <linux/kasan.h>
  11 #include <linux/kernel.h>
  12 #include <linux/kprobes.h>
  13 #include <linux/extable.h>
  14 #include <linux/slab.h>
  15 #include <linux/stop_machine.h>
  16 #include <linux/sched/debug.h>
  17 #include <linux/set_memory.h>
  18 #include <linux/stringify.h>
  19 #include <linux/vmalloc.h>
  20 #include <asm/traps.h>
  21 #include <asm/ptrace.h>
  22 #include <asm/cacheflush.h>
  23 #include <asm/debug-monitors.h>
  24 #include <asm/daifflags.h>
  25 #include <asm/system_misc.h>
  26 #include <asm/insn.h>
  27 #include <linux/uaccess.h>
  28 #include <asm/irq.h>
  29 #include <asm/sections.h>
  30
  31 #include "decode-insn.h"
  32
  33 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
  34 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
  35
  36 static void __kprobes
  37 post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
  38
  39 static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
  40 {
  41         kprobe_opcode_t *addr = p->ainsn.api.insn;
  42         void *addrs[] = {addr, addr + 1};
  43         u32 insns[] = {p->opcode, BRK64_OPCODE_KPROBES_SS};
  44
  45         /* prepare insn slot */
  46         aarch64_insn_patch_text(addrs, insns, 2);
  47
  48         flush_icache_range((uintptr_t)addr, (uintptr_t)(addr + MAX_INSN_SIZE));
  49
  50         /*
  51          * Needs restoring of return address after stepping xol.
  52          */
  53         p->ainsn.api.restore = (unsigned long) p->addr +
  54           sizeof(kprobe_opcode_t);
  55 }
  56
  57 static void __kprobes arch_prepare_simulate(struct kprobe *p)
  58 {
  59         /* This instructions is not executed xol. No need to adjust the PC */
  60         p->ainsn.api.restore = 0;
  61 }
  62
  63 static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
  64 {
  65         struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
  66
  67         if (p->ainsn.api.handler)
  68                 p->ainsn.api.handler((u32)p->opcode, (long)p->addr, regs);
  69
  70         /* single step simulated, now go for post processing */
  71         post_kprobe_handler(p, kcb, regs);
  72 }
  73
  74 int __kprobes arch_prepare_kprobe(struct kprobe *p)
  75 {
  76         unsigned long probe_addr = (unsigned long)p->addr;
  77
  78         if (probe_addr & 0x3)
  79                 return -EINVAL;
  80
  81         /* copy instruction */
  82         p->opcode = le32_to_cpu(*p->addr);
  83
  84         if (search_exception_tables(probe_addr))
  85                 return -EINVAL;
  86
  87         /* decode instruction */
  88         switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) {
  89         case INSN_REJECTED:     /* insn not supported */
  90                 return -EINVAL;
  91
  92         case INSN_GOOD_NO_SLOT: /* insn need simulation */
  93                 p->ainsn.api.insn = NULL;
  94                 break;
  95
  96         case INSN_GOOD: /* instruction uses slot */
  97                 p->ainsn.api.insn = get_insn_slot();
  98                 if (!p->ainsn.api.insn)
  99                         return -ENOMEM;
 100                 break;
 101         }
 102
 103         /* prepare the instruction */
 104         if (p->ainsn.api.insn)
 105                 arch_prepare_ss_slot(p);
 106         else
 107                 arch_prepare_simulate(p);
 108
 109         return 0;
 110 }
 111
 112 void *alloc_insn_page(void)
 113 {
 114         return __vmalloc_node_range(PAGE_SIZE, 1, VMALLOC_START, VMALLOC_END,
 115                         GFP_KERNEL, PAGE_KERNEL_ROX, VM_FLUSH_RESET_PERMS,
 116                         NUMA_NO_NODE, __builtin_return_address(0));
 117 }
 118
 119 /* arm kprobe: install breakpoint in text */
 120 void __kprobes arch_arm_kprobe(struct kprobe *p)
 121 {
 122         void *addr = p->addr;
 123         u32 insn = BRK64_OPCODE_KPROBES;
 124
 125         aarch64_insn_patch_text(&addr, &insn, 1);
 126 }
 127
 128 /* disarm kprobe: remove breakpoint from text */
 129 void __kprobes arch_disarm_kprobe(struct kprobe *p)
 130 {
 131         void *addr = p->addr;
 132
 133         aarch64_insn_patch_text(&addr, &p->opcode, 1);
 134 }
 135
 136 void __kprobes arch_remove_kprobe(struct kprobe *p)
 137 {
 138         if (p->ainsn.api.insn) {
 139                 free_insn_slot(p->ainsn.api.insn, 0);
 140                 p->ainsn.api.insn = NULL;
 141         }
 142 }
 143
 144 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
 145 {
 146         kcb->prev_kprobe.kp = kprobe_running();
 147         kcb->prev_kprobe.status = kcb->kprobe_status;
 148 }
 149
 150 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
 151 {
 152         __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
 153         kcb->kprobe_status = kcb->prev_kprobe.status;
 154 }
 155
 156 static void __kprobes set_current_kprobe(struct kprobe *p)
 157 {
 158         __this_cpu_write(current_kprobe, p);
 159 }
 160
 161 /*
 162  * Mask all of DAIF while executing the instruction out-of-line, to keep things
 163  * simple and avoid nesting exceptions. Interrupts do have to be disabled since
 164  * the kprobe state is per-CPU and doesn't get migrated.
 165  */
 166 static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb,
 167                                                 struct pt_regs *regs)
 168 {
 169         kcb->saved_irqflag = regs->pstate & DAIF_MASK;
 170         regs->pstate |= DAIF_MASK;
 171 }
 172
 173 static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb,
 174                                                 struct pt_regs *regs)
 175 {
 176         regs->pstate &= ~DAIF_MASK;
 177         regs->pstate |= kcb->saved_irqflag;
 178 }
 179
 180 static void __kprobes setup_singlestep(struct kprobe *p,
 181                                        struct pt_regs *regs,
 182                                        struct kprobe_ctlblk *kcb, int reenter)
 183 {
 184         unsigned long slot;
 185
 186         if (reenter) {
 187                 save_previous_kprobe(kcb);
 188                 set_current_kprobe(p);
 189                 kcb->kprobe_status = KPROBE_REENTER;
 190         } else {
 191                 kcb->kprobe_status = KPROBE_HIT_SS;
 192         }
 193
 194
 195         if (p->ainsn.api.insn) {
 196                 /* prepare for single stepping */
 197                 slot = (unsigned long)p->ainsn.api.insn;
 198
 199                 kprobes_save_local_irqflag(kcb, regs);
 200                 instruction_pointer_set(regs, slot);
 201         } else {
 202                 /* insn simulation */
 203                 arch_simulate_insn(p, regs);
 204         }
 205 }
 206
 207 static int __kprobes reenter_kprobe(struct kprobe *p,
 208                                     struct pt_regs *regs,
 209                                     struct kprobe_ctlblk *kcb)
 210 {
 211         switch (kcb->kprobe_status) {
 212         case KPROBE_HIT_SSDONE:
 213         case KPROBE_HIT_ACTIVE:
 214                 kprobes_inc_nmissed_count(p);
 215                 setup_singlestep(p, regs, kcb, 1);
 216                 break;
 217         case KPROBE_HIT_SS:
 218         case KPROBE_REENTER:
 219                 pr_warn("Unrecoverable kprobe detected.\n");
 220                 dump_kprobe(p);
 221                 BUG();
 222                 break;
 223         default:
 224                 WARN_ON(1);
 225                 return 0;
 226         }
 227
 228         return 1;
 229 }
 230
 231 static void __kprobes
 232 post_kprobe_handler(struct kprobe *cur, struct kprobe_ctlblk *kcb, struct pt_regs *regs)
 233 {
 234         /* return addr restore if non-branching insn */
 235         if (cur->ainsn.api.restore != 0)
 236                 instruction_pointer_set(regs, cur->ainsn.api.restore);
 237
 238         /* restore back original saved kprobe variables and continue */
 239         if (kcb->kprobe_status == KPROBE_REENTER) {
 240                 restore_previous_kprobe(kcb);
 241                 return;
 242         }
 243         /* call post handler */
 244         kcb->kprobe_status = KPROBE_HIT_SSDONE;
 245         if (cur->post_handler)
 246                 cur->post_handler(cur, regs, 0);
 247
 248         reset_current_kprobe();
 249 }
 250
 251 int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
 252 {
 253         struct kprobe *cur = kprobe_running();
 254         struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
 255
 256         switch (kcb->kprobe_status) {
 257         case KPROBE_HIT_SS:
 258         case KPROBE_REENTER:
 259                 /*
 260                  * We are here because the instruction being single
 261                  * stepped caused a page fault. We reset the current
 262                  * kprobe and the ip points back to the probe address
 263                  * and allow the page fault handler to continue as a
 264                  * normal page fault.
 265                  */
 266                 instruction_pointer_set(regs, (unsigned long) cur->addr);
 267                 if (!instruction_pointer(regs))
 268                         BUG();
 269
 270                 if (kcb->kprobe_status == KPROBE_REENTER)
 271                         restore_previous_kprobe(kcb);
 272                 else
 273                         reset_current_kprobe();
 274
 275                 break;
 276         case KPROBE_HIT_ACTIVE:
 277         case KPROBE_HIT_SSDONE:
 278                 /*
 279                  * We increment the nmissed count for accounting,
 280                  * we can also use npre/npostfault count for accounting
 281                  * these specific fault cases.
 282                  */
 283                 kprobes_inc_nmissed_count(cur);
 284
 285                 /*
 286                  * We come here because instructions in the pre/post
 287                  * handler caused the page_fault, this could happen
 288                  * if handler tries to access user space by
 289                  * copy_from_user(), get_user() etc. Let the
 290                  * user-specified handler try to fix it first.
 291                  */
 292                 if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
 293                         return 1;
 294
 295                 /*
 296                  * In case the user-specified fault handler returned
 297                  * zero, try to fix up.
 298                  */
 299                 if (fixup_exception(regs))
 300                         return 1;
 301         }
 302         return 0;
 303 }
 304
 305 static void __kprobes kprobe_handler(struct pt_regs *regs)
 306 {
 307         struct kprobe *p, *cur_kprobe;
 308         struct kprobe_ctlblk *kcb;
 309         unsigned long addr = instruction_pointer(regs);
 310
 311         kcb = get_kprobe_ctlblk();
 312         cur_kprobe = kprobe_running();
 313
 314         p = get_kprobe((kprobe_opcode_t *) addr);
 315
 316         if (p) {
 317                 if (cur_kprobe) {
 318                         if (reenter_kprobe(p, regs, kcb))
 319                                 return;
 320                 } else {
 321                         /* Probe hit */
 322                         set_current_kprobe(p);
 323                         kcb->kprobe_status = KPROBE_HIT_ACTIVE;
 324
 325                         /*
 326                          * If we have no pre-handler or it returned 0, we
 327                          * continue with normal processing.  If we have a
 328                          * pre-handler and it returned non-zero, it will
 329                          * modify the execution path and no need to single
 330                          * stepping. Let's just reset current kprobe and exit.
 331                          */
 332                         if (!p->pre_handler || !p->pre_handler(p, regs)) {
 333                                 setup_singlestep(p, regs, kcb, 0);
 334                         } else
 335                                 reset_current_kprobe();
 336                 }
 337         }
 338         /*
 339          * The breakpoint instruction was removed right
 340          * after we hit it.  Another cpu has removed
 341          * either a probepoint or a debugger breakpoint
 342          * at this address.  In either case, no further
 343          * handling of this interrupt is appropriate.
 344          * Return back to original instruction, and continue.
 345          */
 346 }
 347
 348 static int __kprobes
 349 kprobe_breakpoint_ss_handler(struct pt_regs *regs, unsigned int esr)
 350 {
 351         struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
 352         unsigned long addr = instruction_pointer(regs);
 353         struct kprobe *cur = kprobe_running();
 354
 355         if (cur && (kcb->kprobe_status == KPROBE_HIT_SS)
 356             && ((unsigned long)&cur->ainsn.api.insn[1] == addr)) {
 357                 kprobes_restore_local_irqflag(kcb, regs);
 358                 post_kprobe_handler(cur, kcb, regs);
 359
 360                 return DBG_HOOK_HANDLED;
 361         }
 362
 363         /* not ours, kprobes should ignore it */
 364         return DBG_HOOK_ERROR;
 365 }
 366
 367 static struct break_hook kprobes_break_ss_hook = {
 368         .imm = KPROBES_BRK_SS_IMM,
 369         .fn = kprobe_breakpoint_ss_handler,
 370 };
 371
 372 static int __kprobes
 373 kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
 374 {
 375         kprobe_handler(regs);
 376         return DBG_HOOK_HANDLED;
 377 }
 378
 379 static struct break_hook kprobes_break_hook = {
 380         .imm = KPROBES_BRK_IMM,
 381         .fn = kprobe_breakpoint_handler,
 382 };
 383
 384 /*
 385  * Provide a blacklist of symbols identifying ranges which cannot be kprobed.
 386  * This blacklist is exposed to userspace via debugfs (kprobes/blacklist).
 387  */
 388 int __init arch_populate_kprobe_blacklist(void)
 389 {
 390         int ret;
 391
 392         ret = kprobe_add_area_blacklist((unsigned long)__entry_text_start,
 393                                         (unsigned long)__entry_text_end);
 394         if (ret)
 395                 return ret;
 396         ret = kprobe_add_area_blacklist((unsigned long)__irqentry_text_start,
 397                                         (unsigned long)__irqentry_text_end);
 398         if (ret)
 399                 return ret;
 400         ret = kprobe_add_area_blacklist((unsigned long)__idmap_text_start,
 401                                         (unsigned long)__idmap_text_end);
 402         if (ret)
 403                 return ret;
 404         ret = kprobe_add_area_blacklist((unsigned long)__hyp_text_start,
 405                                         (unsigned long)__hyp_text_end);
 406         if (ret || is_kernel_in_hyp_mode())
 407                 return ret;
 408         ret = kprobe_add_area_blacklist((unsigned long)__hyp_idmap_text_start,
 409                                         (unsigned long)__hyp_idmap_text_end);
 410         return ret;
 411 }
 412
 413 void __kprobes __used *trampoline_probe_handler(struct pt_regs *regs)
 414 {
 415         return (void *)kretprobe_trampoline_handler(regs, &kretprobe_trampoline,
 416                                         (void *)kernel_stack_pointer(regs));
 417 }
 418
 419 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
 420                                       struct pt_regs *regs)
 421 {
 422         ri->ret_addr = (kprobe_opcode_t *)regs->regs[30];
 423         ri->fp = (void *)kernel_stack_pointer(regs);
 424
 425         /* replace return addr (x30) with trampoline */
 426         regs->regs[30] = (long)&kretprobe_trampoline;
 427 }
 428
 429 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
 430 {
 431         return 0;
 432 }
 433
 434 int __init arch_init_kprobes(void)
 435 {
 436         register_kernel_break_hook(&kprobes_break_hook);
 437         register_kernel_break_hook(&kprobes_break_ss_hook);
 438
 439         return 0;
 440 }