1 // SPDX-License-Identifier: GPL-2.0-only
3 * arch/arm/kernel/kprobes.c
7 * Abhishek Sagar <sagar.abhishek@gmail.com>
8 * Copyright (C) 2006, 2007 Motorola Inc.
10 * Nicolas Pitre <nico@marvell.com>
11 * Copyright (C) 2007 Marvell Ltd.
14 #include <linux/kernel.h>
15 #include <linux/kprobes.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18 #include <linux/stop_machine.h>
19 #include <linux/sched/debug.h>
20 #include <linux/stringify.h>
21 #include <asm/traps.h>
22 #include <asm/opcodes.h>
23 #include <asm/cacheflush.h>
24 #include <linux/percpu.h>
25 #include <linux/bug.h>
26 #include <asm/patch.h>
27 #include <asm/sections.h>
29 #include "../decode-arm.h"
30 #include "../decode-thumb.h"
33 #define MIN_STACK_SIZE(addr) \
34 min((unsigned long)MAX_STACK_SIZE, \
35 (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
37 #define flush_insns(addr, size) \
38 flush_icache_range((unsigned long)(addr), \
39 (unsigned long)(addr) + \
42 DEFINE_PER_CPU(struct kprobe
*, current_kprobe
) = NULL
;
43 DEFINE_PER_CPU(struct kprobe_ctlblk
, kprobe_ctlblk
);
46 int __kprobes
arch_prepare_kprobe(struct kprobe
*p
)
49 kprobe_opcode_t tmp_insn
[MAX_INSN_SIZE
];
50 unsigned long addr
= (unsigned long)p
->addr
;
52 kprobe_decode_insn_t
*decode_insn
;
53 const union decode_action
*actions
;
55 const struct decode_checker
**checkers
;
57 #ifdef CONFIG_THUMB2_KERNEL
59 addr
&= ~1; /* Bit 0 would normally be set to indicate Thumb code */
60 insn
= __mem_to_opcode_thumb16(((u16
*)addr
)[0]);
61 if (is_wide_instruction(insn
)) {
62 u16 inst2
= __mem_to_opcode_thumb16(((u16
*)addr
)[1]);
63 insn
= __opcode_thumb32_compose(insn
, inst2
);
64 decode_insn
= thumb32_probes_decode_insn
;
65 actions
= kprobes_t32_actions
;
66 checkers
= kprobes_t32_checkers
;
68 decode_insn
= thumb16_probes_decode_insn
;
69 actions
= kprobes_t16_actions
;
70 checkers
= kprobes_t16_checkers
;
72 #else /* !CONFIG_THUMB2_KERNEL */
76 insn
= __mem_to_opcode_arm(*p
->addr
);
77 decode_insn
= arm_probes_decode_insn
;
78 actions
= kprobes_arm_actions
;
79 checkers
= kprobes_arm_checkers
;
83 p
->ainsn
.insn
= tmp_insn
;
85 switch ((*decode_insn
)(insn
, &p
->ainsn
, true, actions
, checkers
)) {
86 case INSN_REJECTED
: /* not supported */
89 case INSN_GOOD
: /* instruction uses slot */
90 p
->ainsn
.insn
= get_insn_slot();
93 for (is
= 0; is
< MAX_INSN_SIZE
; ++is
)
94 p
->ainsn
.insn
[is
] = tmp_insn
[is
];
95 flush_insns(p
->ainsn
.insn
,
96 sizeof(p
->ainsn
.insn
[0]) * MAX_INSN_SIZE
);
97 p
->ainsn
.insn_fn
= (probes_insn_fn_t
*)
98 ((uintptr_t)p
->ainsn
.insn
| thumb
);
101 case INSN_GOOD_NO_SLOT
: /* instruction doesn't need insn slot */
102 p
->ainsn
.insn
= NULL
;
107 * Never instrument insn like 'str r0, [sp, +/-r1]'. Also, insn likes
108 * 'str r0, [sp, #-68]' should also be prohibited.
111 if ((p
->ainsn
.stack_space
< 0) ||
112 (p
->ainsn
.stack_space
> MAX_STACK_SIZE
))
118 void __kprobes
arch_arm_kprobe(struct kprobe
*p
)
123 if (IS_ENABLED(CONFIG_THUMB2_KERNEL
)) {
124 /* Remove any Thumb flag */
125 addr
= (void *)((uintptr_t)p
->addr
& ~1);
127 if (is_wide_instruction(p
->opcode
))
128 brkp
= KPROBE_THUMB32_BREAKPOINT_INSTRUCTION
;
130 brkp
= KPROBE_THUMB16_BREAKPOINT_INSTRUCTION
;
132 kprobe_opcode_t insn
= p
->opcode
;
135 brkp
= KPROBE_ARM_BREAKPOINT_INSTRUCTION
;
137 if (insn
>= 0xe0000000)
138 brkp
|= 0xe0000000; /* Unconditional instruction */
140 brkp
|= insn
& 0xf0000000; /* Copy condition from insn */
143 patch_text(addr
, brkp
);
147 * The actual disarming is done here on each CPU and synchronized using
148 * stop_machine. This synchronization is necessary on SMP to avoid removing
149 * a probe between the moment the 'Undefined Instruction' exception is raised
150 * and the moment the exception handler reads the faulting instruction from
151 * memory. It is also needed to atomically set the two half-words of a 32-bit
159 static int __kprobes_remove_breakpoint(void *data
)
161 struct patch
*p
= data
;
162 __patch_text(p
->addr
, p
->insn
);
166 void __kprobes
kprobes_remove_breakpoint(void *addr
, unsigned int insn
)
172 stop_machine_cpuslocked(__kprobes_remove_breakpoint
, &p
,
176 void __kprobes
arch_disarm_kprobe(struct kprobe
*p
)
178 kprobes_remove_breakpoint((void *)((uintptr_t)p
->addr
& ~1),
182 void __kprobes
arch_remove_kprobe(struct kprobe
*p
)
185 free_insn_slot(p
->ainsn
.insn
, 0);
186 p
->ainsn
.insn
= NULL
;
190 static void __kprobes
save_previous_kprobe(struct kprobe_ctlblk
*kcb
)
192 kcb
->prev_kprobe
.kp
= kprobe_running();
193 kcb
->prev_kprobe
.status
= kcb
->kprobe_status
;
196 static void __kprobes
restore_previous_kprobe(struct kprobe_ctlblk
*kcb
)
198 __this_cpu_write(current_kprobe
, kcb
->prev_kprobe
.kp
);
199 kcb
->kprobe_status
= kcb
->prev_kprobe
.status
;
202 static void __kprobes
set_current_kprobe(struct kprobe
*p
)
204 __this_cpu_write(current_kprobe
, p
);
207 static void __kprobes
208 singlestep_skip(struct kprobe
*p
, struct pt_regs
*regs
)
210 #ifdef CONFIG_THUMB2_KERNEL
211 regs
->ARM_cpsr
= it_advance(regs
->ARM_cpsr
);
212 if (is_wide_instruction(p
->opcode
))
221 static inline void __kprobes
222 singlestep(struct kprobe
*p
, struct pt_regs
*regs
, struct kprobe_ctlblk
*kcb
)
224 p
->ainsn
.insn_singlestep(p
->opcode
, &p
->ainsn
, regs
);
228 * Called with IRQs disabled. IRQs must remain disabled from that point
229 * all the way until processing this kprobe is complete. The current
230 * kprobes implementation cannot process more than one nested level of
231 * kprobe, and that level is reserved for user kprobe handlers, so we can't
232 * risk encountering a new kprobe in an interrupt handler.
234 void __kprobes
kprobe_handler(struct pt_regs
*regs
)
236 struct kprobe
*p
, *cur
;
237 struct kprobe_ctlblk
*kcb
;
239 kcb
= get_kprobe_ctlblk();
240 cur
= kprobe_running();
242 #ifdef CONFIG_THUMB2_KERNEL
244 * First look for a probe which was registered using an address with
245 * bit 0 set, this is the usual situation for pointers to Thumb code.
246 * If not found, fallback to looking for one with bit 0 clear.
248 p
= get_kprobe((kprobe_opcode_t
*)(regs
->ARM_pc
| 1));
250 p
= get_kprobe((kprobe_opcode_t
*)regs
->ARM_pc
);
252 #else /* ! CONFIG_THUMB2_KERNEL */
253 p
= get_kprobe((kprobe_opcode_t
*)regs
->ARM_pc
);
257 if (!p
->ainsn
.insn_check_cc(regs
->ARM_cpsr
)) {
259 * Probe hit but conditional execution check failed,
260 * so just skip the instruction and continue as if
261 * nothing had happened.
262 * In this case, we can skip recursing check too.
264 singlestep_skip(p
, regs
);
266 /* Kprobe is pending, so we're recursing. */
267 switch (kcb
->kprobe_status
) {
268 case KPROBE_HIT_ACTIVE
:
269 case KPROBE_HIT_SSDONE
:
271 /* A pre- or post-handler probe got us here. */
272 kprobes_inc_nmissed_count(p
);
273 save_previous_kprobe(kcb
);
274 set_current_kprobe(p
);
275 kcb
->kprobe_status
= KPROBE_REENTER
;
276 singlestep(p
, regs
, kcb
);
277 restore_previous_kprobe(kcb
);
280 /* A nested probe was hit in FIQ, it is a BUG */
281 pr_warn("Unrecoverable kprobe detected.\n");
285 /* impossible cases */
289 /* Probe hit and conditional execution check ok. */
290 set_current_kprobe(p
);
291 kcb
->kprobe_status
= KPROBE_HIT_ACTIVE
;
294 * If we have no pre-handler or it returned 0, we
295 * continue with normal processing. If we have a
296 * pre-handler and it returned non-zero, it will
297 * modify the execution path and no need to single
298 * stepping. Let's just reset current kprobe and exit.
300 if (!p
->pre_handler
|| !p
->pre_handler(p
, regs
)) {
301 kcb
->kprobe_status
= KPROBE_HIT_SS
;
302 singlestep(p
, regs
, kcb
);
303 if (p
->post_handler
) {
304 kcb
->kprobe_status
= KPROBE_HIT_SSDONE
;
305 p
->post_handler(p
, regs
, 0);
308 reset_current_kprobe();
312 * The probe was removed and a race is in progress.
313 * There is nothing we can do about it. Let's restart
314 * the instruction. By the time we can restart, the
315 * real instruction will be there.
320 static int __kprobes
kprobe_trap_handler(struct pt_regs
*regs
, unsigned int instr
)
323 local_irq_save(flags
);
324 kprobe_handler(regs
);
325 local_irq_restore(flags
);
329 int __kprobes
kprobe_fault_handler(struct pt_regs
*regs
, unsigned int fsr
)
331 struct kprobe
*cur
= kprobe_running();
332 struct kprobe_ctlblk
*kcb
= get_kprobe_ctlblk();
334 switch (kcb
->kprobe_status
) {
338 * We are here because the instruction being single
339 * stepped caused a page fault. We reset the current
340 * kprobe and the PC to point back to the probe address
341 * and allow the page fault handler to continue as a
344 regs
->ARM_pc
= (long)cur
->addr
;
345 if (kcb
->kprobe_status
== KPROBE_REENTER
) {
346 restore_previous_kprobe(kcb
);
348 reset_current_kprobe();
352 case KPROBE_HIT_ACTIVE
:
353 case KPROBE_HIT_SSDONE
:
355 * We increment the nmissed count for accounting,
356 * we can also use npre/npostfault count for accounting
357 * these specific fault cases.
359 kprobes_inc_nmissed_count(cur
);
362 * We come here because instructions in the pre/post
363 * handler caused the page_fault, this could happen
364 * if handler tries to access user space by
365 * copy_from_user(), get_user() etc. Let the
366 * user-specified handler try to fix it.
368 if (cur
->fault_handler
&& cur
->fault_handler(cur
, regs
, fsr
))
379 int __kprobes
kprobe_exceptions_notify(struct notifier_block
*self
,
380 unsigned long val
, void *data
)
383 * notify_die() is currently never called on ARM,
384 * so this callback is currently empty.
390 * When a retprobed function returns, trampoline_handler() is called,
391 * calling the kretprobe's handler. We construct a struct pt_regs to
392 * give a view of registers r0-r11 to the user return-handler. This is
393 * not a complete pt_regs structure, but that should be plenty sufficient
394 * for kretprobe handlers which should normally be interested in r0 only
397 void __naked __kprobes
kretprobe_trampoline(void)
399 __asm__
__volatile__ (
400 "stmdb sp!, {r0 - r11} \n\t"
402 "bl trampoline_handler \n\t"
404 "ldmia sp!, {r0 - r11} \n\t"
405 #ifdef CONFIG_THUMB2_KERNEL
413 /* Called from kretprobe_trampoline */
414 static __used __kprobes
void *trampoline_handler(struct pt_regs
*regs
)
416 struct kretprobe_instance
*ri
= NULL
;
417 struct hlist_head
*head
, empty_rp
;
418 struct hlist_node
*tmp
;
419 unsigned long flags
, orig_ret_address
= 0;
420 unsigned long trampoline_address
= (unsigned long)&kretprobe_trampoline
;
421 kprobe_opcode_t
*correct_ret_addr
= NULL
;
423 INIT_HLIST_HEAD(&empty_rp
);
424 kretprobe_hash_lock(current
, &head
, &flags
);
427 * It is possible to have multiple instances associated with a given
428 * task either because multiple functions in the call path have
429 * a return probe installed on them, and/or more than one return
430 * probe was registered for a target function.
432 * We can handle this because:
433 * - instances are always inserted at the head of the list
434 * - when multiple return probes are registered for the same
435 * function, the first instance's ret_addr will point to the
436 * real return address, and all the rest will point to
437 * kretprobe_trampoline
439 hlist_for_each_entry_safe(ri
, tmp
, head
, hlist
) {
440 if (ri
->task
!= current
)
441 /* another task is sharing our hash bucket */
444 orig_ret_address
= (unsigned long)ri
->ret_addr
;
446 if (orig_ret_address
!= trampoline_address
)
448 * This is the real return address. Any other
449 * instances associated with this task are for
450 * other calls deeper on the call stack
455 kretprobe_assert(ri
, orig_ret_address
, trampoline_address
);
457 correct_ret_addr
= ri
->ret_addr
;
458 hlist_for_each_entry_safe(ri
, tmp
, head
, hlist
) {
459 if (ri
->task
!= current
)
460 /* another task is sharing our hash bucket */
463 orig_ret_address
= (unsigned long)ri
->ret_addr
;
464 if (ri
->rp
&& ri
->rp
->handler
) {
465 __this_cpu_write(current_kprobe
, &ri
->rp
->kp
);
466 get_kprobe_ctlblk()->kprobe_status
= KPROBE_HIT_ACTIVE
;
467 ri
->ret_addr
= correct_ret_addr
;
468 ri
->rp
->handler(ri
, regs
);
469 __this_cpu_write(current_kprobe
, NULL
);
472 recycle_rp_inst(ri
, &empty_rp
);
474 if (orig_ret_address
!= trampoline_address
)
476 * This is the real return address. Any other
477 * instances associated with this task are for
478 * other calls deeper on the call stack
483 kretprobe_hash_unlock(current
, &flags
);
485 hlist_for_each_entry_safe(ri
, tmp
, &empty_rp
, hlist
) {
486 hlist_del(&ri
->hlist
);
490 return (void *)orig_ret_address
;
493 void __kprobes
arch_prepare_kretprobe(struct kretprobe_instance
*ri
,
494 struct pt_regs
*regs
)
496 ri
->ret_addr
= (kprobe_opcode_t
*)regs
->ARM_lr
;
498 /* Replace the return addr with trampoline addr. */
499 regs
->ARM_lr
= (unsigned long)&kretprobe_trampoline
;
502 int __kprobes
arch_trampoline_kprobe(struct kprobe
*p
)
507 #ifdef CONFIG_THUMB2_KERNEL
509 static struct undef_hook kprobes_thumb16_break_hook
= {
510 .instr_mask
= 0xffff,
511 .instr_val
= KPROBE_THUMB16_BREAKPOINT_INSTRUCTION
,
512 .cpsr_mask
= MODE_MASK
,
513 .cpsr_val
= SVC_MODE
,
514 .fn
= kprobe_trap_handler
,
517 static struct undef_hook kprobes_thumb32_break_hook
= {
518 .instr_mask
= 0xffffffff,
519 .instr_val
= KPROBE_THUMB32_BREAKPOINT_INSTRUCTION
,
520 .cpsr_mask
= MODE_MASK
,
521 .cpsr_val
= SVC_MODE
,
522 .fn
= kprobe_trap_handler
,
525 #else /* !CONFIG_THUMB2_KERNEL */
527 static struct undef_hook kprobes_arm_break_hook
= {
528 .instr_mask
= 0x0fffffff,
529 .instr_val
= KPROBE_ARM_BREAKPOINT_INSTRUCTION
,
530 .cpsr_mask
= MODE_MASK
,
531 .cpsr_val
= SVC_MODE
,
532 .fn
= kprobe_trap_handler
,
535 #endif /* !CONFIG_THUMB2_KERNEL */
537 int __init
arch_init_kprobes()
539 arm_probes_decode_init();
540 #ifdef CONFIG_THUMB2_KERNEL
541 register_undef_hook(&kprobes_thumb16_break_hook
);
542 register_undef_hook(&kprobes_thumb32_break_hook
);
544 register_undef_hook(&kprobes_arm_break_hook
);
549 bool arch_within_kprobe_blacklist(unsigned long addr
)
551 void *a
= (void *)addr
;
553 return __in_irqentry_text(addr
) ||
554 in_entry_text(addr
) ||
555 in_idmap_text(addr
) ||
556 memory_contains(__kprobes_text_start
, __kprobes_text_end
, a
, 1);