LXR linux/arch/x86_64/kernel/kprobes.c

   1/*
   2 *  Kernel Probes (KProbes)
   3 *  arch/x86_64/kernel/kprobes.c
   4 *
   5 * This program is free software; you can redistribute it and/or modify
   6 * it under the terms of the GNU General Public License as published by
   7 * the Free Software Foundation; either version 2 of the License, or
   8 * (at your option) any later version.
   9 *
  10 * This program is distributed in the hope that it will be useful,
  11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 * GNU General Public License for more details.
  14 *
  15 * You should have received a copy of the GNU General Public License
  16 * along with this program; if not, write to the Free Software
  17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  18 *
  19 * Copyright (C) IBM Corporation, 2002, 2004
  20 *
  21 * 2002-Oct     Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
  22 *              Probes initial implementation ( includes contributions from
  23 *              Rusty Russell).
  24 * 2004-July    Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
  25 *              interface to access function arguments.
  26 * 2004-Oct     Jim Keniston <kenistoj@us.ibm.com> and Prasanna S Panchamukhi
  27 *              <prasanna@in.ibm.com> adapted for x86_64
  28 */
  29
  30#include <linux/config.h>
  31#include <linux/kprobes.h>
  32#include <linux/ptrace.h>
  33#include <linux/spinlock.h>
  34#include <linux/string.h>
  35#include <linux/slab.h>
  36#include <linux/preempt.h>
  37#include <linux/vmalloc.h>
  38
  39#include <asm/pgtable.h>
  40#include <asm/kdebug.h>
  41
  42static DECLARE_MUTEX(kprobe_mutex);
  43
  44/* kprobe_status settings */
  45#define KPROBE_HIT_ACTIVE       0x00000001
  46#define KPROBE_HIT_SS           0x00000002
  47
  48static struct kprobe *current_kprobe;
  49static unsigned long kprobe_status, kprobe_old_rflags, kprobe_saved_rflags;
  50static struct pt_regs jprobe_saved_regs;
  51static long *jprobe_saved_rsp;
  52static kprobe_opcode_t *get_insn_slot(void);
  53static void free_insn_slot(kprobe_opcode_t *slot);
  54void jprobe_return_end(void);
  55
  56/* copy of the kernel stack at the probe fire time */
  57static kprobe_opcode_t jprobes_stack[MAX_STACK_SIZE];
  58
  59/*
  60 * returns non-zero if opcode modifies the interrupt flag.
  61 */
  62static inline int is_IF_modifier(kprobe_opcode_t *insn)
  63{
  64        switch (*insn) {
  65        case 0xfa:              /* cli */
  66        case 0xfb:              /* sti */
  67        case 0xcf:              /* iret/iretd */
  68        case 0x9d:              /* popf/popfd */
  69                return 1;
  70        }
  71
  72        if (*insn  >= 0x40 && *insn <= 0x4f && *++insn == 0xcf)
  73                return 1;
  74        return 0;
  75}
  76
  77int arch_prepare_kprobe(struct kprobe *p)
  78{
  79        /* insn: must be on special executable page on x86_64. */
  80        up(&kprobe_mutex);
  81        p->ainsn.insn = get_insn_slot();
  82        down(&kprobe_mutex);
  83        if (!p->ainsn.insn) {
  84                return -ENOMEM;
  85        }
  86        return 0;
  87}
  88
  89void arch_copy_kprobe(struct kprobe *p)
  90{
  91        memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE);
  92}
  93
  94void arch_remove_kprobe(struct kprobe *p)
  95{
  96        up(&kprobe_mutex);
  97        free_insn_slot(p->ainsn.insn);
  98        down(&kprobe_mutex);
  99}
 100
 101static inline void disarm_kprobe(struct kprobe *p, struct pt_regs *regs)
 102{
 103        *p->addr = p->opcode;
 104        regs->rip = (unsigned long)p->addr;
 105}
 106
 107static void prepare_singlestep(struct kprobe *p, struct pt_regs *regs)
 108{
 109        regs->eflags |= TF_MASK;
 110        regs->eflags &= ~IF_MASK;
 111
 112        regs->rip = (unsigned long)p->ainsn.insn;
 113}
 114
 115/*
 116 * Interrupts are disabled on entry as trap3 is an interrupt gate and they
 117 * remain disabled thorough out this function.
 118 */
 119int kprobe_handler(struct pt_regs *regs)
 120{
 121        struct kprobe *p;
 122        int ret = 0;
 123        kprobe_opcode_t *addr = (kprobe_opcode_t *)(regs->rip - sizeof(kprobe_opcode_t));
 124
 125        /* We're in an interrupt, but this is clear and BUG()-safe. */
 126        preempt_disable();
 127
 128        /* Check we're not actually recursing */
 129        if (kprobe_running()) {
 130                /* We *are* holding lock here, so this is safe.
 131                   Disarm the probe we just hit, and ignore it. */
 132                p = get_kprobe(addr);
 133                if (p) {
 134                        disarm_kprobe(p, regs);
 135                        ret = 1;
 136                } else {
 137                        p = current_kprobe;
 138                        if (p->break_handler && p->break_handler(p, regs)) {
 139                                goto ss_probe;
 140                        }
 141                }
 142                /* If it's not ours, can't be delete race, (we hold lock). */
 143                goto no_kprobe;
 144        }
 145
 146        lock_kprobes();
 147        p = get_kprobe(addr);
 148        if (!p) {
 149                unlock_kprobes();
 150                if (*addr != BREAKPOINT_INSTRUCTION) {
 151                        /*
 152                         * The breakpoint instruction was removed right
 153                         * after we hit it.  Another cpu has removed
 154                         * either a probepoint or a debugger breakpoint
 155                         * at this address.  In either case, no further
 156                         * handling of this interrupt is appropriate.
 157                         */
 158                        ret = 1;
 159                }
 160                /* Not one of ours: let kernel handle it */
 161                goto no_kprobe;
 162        }
 163
 164        kprobe_status = KPROBE_HIT_ACTIVE;
 165        current_kprobe = p;
 166        kprobe_saved_rflags = kprobe_old_rflags
 167            = (regs->eflags & (TF_MASK | IF_MASK));
 168        if (is_IF_modifier(p->ainsn.insn))
 169                kprobe_saved_rflags &= ~IF_MASK;
 170
 171        if (p->pre_handler(p, regs)) {
 172                /* handler has already set things up, so skip ss setup */
 173                return 1;
 174        }
 175
 176      ss_probe:
 177        prepare_singlestep(p, regs);
 178        kprobe_status = KPROBE_HIT_SS;
 179        return 1;
 180
 181      no_kprobe:
 182        preempt_enable_no_resched();
 183        return ret;
 184}
 185
 186/*
 187 * Called after single-stepping.  p->addr is the address of the
 188 * instruction whose first byte has been replaced by the "int 3"
 189 * instruction.  To avoid the SMP problems that can occur when we
 190 * temporarily put back the original opcode to single-step, we
 191 * single-stepped a copy of the instruction.  The address of this
 192 * copy is p->ainsn.insn.
 193 *
 194 * This function prepares to return from the post-single-step
 195 * interrupt.  We have to fix up the stack as follows:
 196 *
 197 * 0) Except in the case of absolute or indirect jump or call instructions,
 198 * the new rip is relative to the copied instruction.  We need to make
 199 * it relative to the original instruction.
 200 *
 201 * 1) If the single-stepped instruction was pushfl, then the TF and IF
 202 * flags are set in the just-pushed eflags, and may need to be cleared.
 203 *
 204 * 2) If the single-stepped instruction was a call, the return address
 205 * that is atop the stack is the address following the copied instruction.
 206 * We need to make it the address following the original instruction.
 207 */
 208static void resume_execution(struct kprobe *p, struct pt_regs *regs)
 209{
 210        unsigned long *tos = (unsigned long *)regs->rsp;
 211        unsigned long next_rip = 0;
 212        unsigned long copy_rip = (unsigned long)p->ainsn.insn;
 213        unsigned long orig_rip = (unsigned long)p->addr;
 214        kprobe_opcode_t *insn = p->ainsn.insn;
 215
 216        /*skip the REX prefix*/
 217        if (*insn >= 0x40 && *insn <= 0x4f)
 218                insn++;
 219
 220        switch (*insn) {
 221        case 0x9c:              /* pushfl */
 222                *tos &= ~(TF_MASK | IF_MASK);
 223                *tos |= kprobe_old_rflags;
 224                break;
 225        case 0xe8:              /* call relative - Fix return addr */
 226                *tos = orig_rip + (*tos - copy_rip);
 227                break;
 228        case 0xff:
 229                if ((*insn & 0x30) == 0x10) {
 230                        /* call absolute, indirect */
 231                        /* Fix return addr; rip is correct. */
 232                        next_rip = regs->rip;
 233                        *tos = orig_rip + (*tos - copy_rip);
 234                } else if (((*insn & 0x31) == 0x20) ||  /* jmp near, absolute indirect */
 235                           ((*insn & 0x31) == 0x21)) {  /* jmp far, absolute indirect */
 236                        /* rip is correct. */
 237                        next_rip = regs->rip;
 238                }
 239                break;
 240        case 0xea:              /* jmp absolute -- rip is correct */
 241                next_rip = regs->rip;
 242                break;
 243        default:
 244                break;
 245        }
 246
 247        regs->eflags &= ~TF_MASK;
 248        if (next_rip) {
 249                regs->rip = next_rip;
 250        } else {
 251                regs->rip = orig_rip + (regs->rip - copy_rip);
 252        }
 253}
 254
 255/*
 256 * Interrupts are disabled on entry as trap1 is an interrupt gate and they
 257 * remain disabled thoroughout this function.  And we hold kprobe lock.
 258 */
 259int post_kprobe_handler(struct pt_regs *regs)
 260{
 261        if (!kprobe_running())
 262                return 0;
 263
 264        if (current_kprobe->post_handler)
 265                current_kprobe->post_handler(current_kprobe, regs, 0);
 266
 267        resume_execution(current_kprobe, regs);
 268        regs->eflags |= kprobe_saved_rflags;
 269
 270        unlock_kprobes();
 271        preempt_enable_no_resched();
 272
 273        /*
 274         * if somebody else is singlestepping across a probe point, eflags
 275         * will have TF set, in which case, continue the remaining processing
 276         * of do_debug, as if this is not a probe hit.
 277         */
 278        if (regs->eflags & TF_MASK)
 279                return 0;
 280
 281        return 1;
 282}
 283
 284/* Interrupts disabled, kprobe_lock held. */
 285int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
 286{
 287        if (current_kprobe->fault_handler
 288            && current_kprobe->fault_handler(current_kprobe, regs, trapnr))
 289                return 1;
 290
 291        if (kprobe_status & KPROBE_HIT_SS) {
 292                resume_execution(current_kprobe, regs);
 293                regs->eflags |= kprobe_old_rflags;
 294
 295                unlock_kprobes();
 296                preempt_enable_no_resched();
 297        }
 298        return 0;
 299}
 300
 301/*
 302 * Wrapper routine for handling exceptions.
 303 */
 304int kprobe_exceptions_notify(struct notifier_block *self, unsigned long val,
 305                             void *data)
 306{
 307        struct die_args *args = (struct die_args *)data;
 308        switch (val) {
 309        case DIE_INT3:
 310                if (kprobe_handler(args->regs))
 311                        return NOTIFY_STOP;
 312                break;
 313        case DIE_DEBUG:
 314                if (post_kprobe_handler(args->regs))
 315                        return NOTIFY_STOP;
 316                break;
 317        case DIE_GPF:
 318                if (kprobe_running() &&
 319                    kprobe_fault_handler(args->regs, args->trapnr))
 320                        return NOTIFY_STOP;
 321                break;
 322        case DIE_PAGE_FAULT:
 323                if (kprobe_running() &&
 324                    kprobe_fault_handler(args->regs, args->trapnr))
 325                        return NOTIFY_STOP;
 326                break;
 327        default:
 328                break;
 329        }
 330        return NOTIFY_DONE;
 331}
 332
 333int setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
 334{
 335        struct jprobe *jp = container_of(p, struct jprobe, kp);
 336        unsigned long addr;
 337
 338        jprobe_saved_regs = *regs;
 339        jprobe_saved_rsp = (long *) regs->rsp;
 340        addr = (unsigned long)jprobe_saved_rsp;
 341        /*
 342         * As Linus pointed out, gcc assumes that the callee
 343         * owns the argument space and could overwrite it, e.g.
 344         * tailcall optimization. So, to be absolutely safe
 345         * we also save and restore enough stack bytes to cover
 346         * the argument area.
 347         */
 348        memcpy(jprobes_stack, (kprobe_opcode_t *) addr, MIN_STACK_SIZE(addr));
 349        regs->eflags &= ~IF_MASK;
 350        regs->rip = (unsigned long)(jp->entry);
 351        return 1;
 352}
 353
 354void jprobe_return(void)
 355{
 356        preempt_enable_no_resched();
 357        asm volatile ("       xchg   %%rbx,%%rsp     \n"
 358                      "       int3                      \n"
 359                      "       .globl jprobe_return_end  \n"
 360                      "       jprobe_return_end:        \n"
 361                      "       nop                       \n"::"b"
 362                      (jprobe_saved_rsp):"memory");
 363}
 364
 365int longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
 366{
 367        u8 *addr = (u8 *) (regs->rip - 1);
 368        unsigned long stack_addr = (unsigned long)jprobe_saved_rsp;
 369        struct jprobe *jp = container_of(p, struct jprobe, kp);
 370
 371        if ((addr > (u8 *) jprobe_return) && (addr < (u8 *) jprobe_return_end)) {
 372                if ((long *)regs->rsp != jprobe_saved_rsp) {
 373                        struct pt_regs *saved_regs =
 374                            container_of(jprobe_saved_rsp, struct pt_regs, rsp);
 375                        printk("current rsp %p does not match saved rsp %p\n",
 376                               (long *)regs->rsp, jprobe_saved_rsp);
 377                        printk("Saved registers for jprobe %p\n", jp);
 378                        show_registers(saved_regs);
 379                        printk("Current registers\n");
 380                        show_registers(regs);
 381                        BUG();
 382                }
 383                *regs = jprobe_saved_regs;
 384                memcpy((kprobe_opcode_t *) stack_addr, jprobes_stack,
 385                       MIN_STACK_SIZE(stack_addr));
 386                return 1;
 387        }
 388        return 0;
 389}
 390
 391/*
 392 * kprobe->ainsn.insn points to the copy of the instruction to be single-stepped.
 393 * By default on x86_64, pages we get from kmalloc or vmalloc are not
 394 * executable.  Single-stepping an instruction on such a page yields an
 395 * oops.  So instead of storing the instruction copies in their respective
 396 * kprobe objects, we allocate a page, map it executable, and store all the
 397 * instruction copies there.  (We can allocate additional pages if somebody
 398 * inserts a huge number of probes.)  Each page can hold up to INSNS_PER_PAGE
 399 * instruction slots, each of which is MAX_INSN_SIZE*sizeof(kprobe_opcode_t)
 400 * bytes.
 401 */
 402#define INSNS_PER_PAGE (PAGE_SIZE/(MAX_INSN_SIZE*sizeof(kprobe_opcode_t)))
 403struct kprobe_insn_page {
 404        struct hlist_node hlist;
 405        kprobe_opcode_t *insns;         /* page of instruction slots */
 406        char slot_used[INSNS_PER_PAGE];
 407        int nused;
 408};
 409
 410static struct hlist_head kprobe_insn_pages;
 411
 412/**
 413 * get_insn_slot() - Find a slot on an executable page for an instruction.
 414 * We allocate an executable page if there's no room on existing ones.
 415 */
 416static kprobe_opcode_t *get_insn_slot(void)
 417{
 418        struct kprobe_insn_page *kip;
 419        struct hlist_node *pos;
 420
 421        hlist_for_each(pos, &kprobe_insn_pages) {
 422                kip = hlist_entry(pos, struct kprobe_insn_page, hlist);
 423                if (kip->nused < INSNS_PER_PAGE) {
 424                        int i;
 425                        for (i = 0; i < INSNS_PER_PAGE; i++) {
 426                                if (!kip->slot_used[i]) {
 427                                        kip->slot_used[i] = 1;
 428                                        kip->nused++;
 429                                        return kip->insns + (i*MAX_INSN_SIZE);
 430                                }
 431                        }
 432                        /* Surprise!  No unused slots.  Fix kip->nused. */
 433                        kip->nused = INSNS_PER_PAGE;
 434                }
 435        }
 436
 437        /* All out of space.  Need to allocate a new page. Use slot 0.*/
 438        kip = kmalloc(sizeof(struct kprobe_insn_page), GFP_KERNEL);
 439        if (!kip) {
 440                return NULL;
 441        }
 442        kip->insns = (kprobe_opcode_t*) __vmalloc(PAGE_SIZE,
 443                GFP_KERNEL|__GFP_HIGHMEM, __pgprot(__PAGE_KERNEL_EXEC));
 444        if (!kip->insns) {
 445                kfree(kip);
 446                return NULL;
 447        }
 448        INIT_HLIST_NODE(&kip->hlist);
 449        hlist_add_head(&kip->hlist, &kprobe_insn_pages);
 450        memset(kip->slot_used, 0, INSNS_PER_PAGE);
 451        kip->slot_used[0] = 1;
 452        kip->nused = 1;
 453        return kip->insns;
 454}
 455
 456/**
 457 * free_insn_slot() - Free instruction slot obtained from get_insn_slot().
 458 */
 459static void free_insn_slot(kprobe_opcode_t *slot)
 460{
 461        struct kprobe_insn_page *kip;
 462        struct hlist_node *pos;
 463
 464        hlist_for_each(pos, &kprobe_insn_pages) {
 465                kip = hlist_entry(pos, struct kprobe_insn_page, hlist);
 466                if (kip->insns <= slot
 467                    && slot < kip->insns+(INSNS_PER_PAGE*MAX_INSN_SIZE)) {
 468                        int i = (slot - kip->insns) / MAX_INSN_SIZE;
 469                        kip->slot_used[i] = 0;
 470                        kip->nused--;
 471                        if (kip->nused == 0) {
 472                                /*
 473                                 * Page is no longer in use.  Free it unless
 474                                 * it's the last one.  We keep the last one
 475                                 * so as not to have to set it up again the
 476                                 * next time somebody inserts a probe.
 477                                 */
 478                                hlist_del(&kip->hlist);
 479                                if (hlist_empty(&kprobe_insn_pages)) {
 480                                        INIT_HLIST_NODE(&kip->hlist);
 481                                        hlist_add_head(&kip->hlist,
 482                                                &kprobe_insn_pages);
 483                                } else {
 484                                        vfree(kip->insns);
 485                                        kfree(kip);
 486                                }
 487                        }
 488                        return;
 489                }
 490        }
 491}
 492