[PATCH v7 3/7] arm64: Kprobes with single stepping support
Steve Capper
steve.capper at linaro.org
Mon Jun 29 10:24:36 PDT 2015
On 15 June 2015 at 20:07, David Long <dave.long at linaro.org> wrote:
> From: Sandeepa Prabhu <sandeepa.prabhu at linaro.org>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.
>
> Kprobes utilizes software breakpoint and single step debug
> exceptions supported on ARM v8.
>
> A software breakpoint is placed at the probe address to trap the
> kernel execution into the kprobe handler.
>
> ARM v8 supports enabling single stepping before the break exception
> return (ERET), with next PC in exception return address (ELR_EL1). The
> kprobe handler prepares an executable memory slot for out-of-line
> execution with a copy of the original instruction being probed, and
> enables single stepping. The PC is set to the out-of-line slot address
> before the ERET. With this scheme, the instruction is executed with the
> exact same register context except for the PC (and DAIF) registers.
>
> Debug mask (PSTATE.D) is enabled only when single stepping a recursive
> kprobe, e.g.: during kprobes reenter so that probed instruction can be
> single stepped within the kprobe handler -exception- context.
> The recursion depth of kprobe is always 2, i.e. upon probe re-entry,
> any further re-entry is prevented by not calling handlers and the case
> counted as a missed kprobe).
>
> Single stepping from the x-o-l slot has a drawback for PC-relative accesses
> like branching and symbolic literals access as the offset from the new PC
> (slot address) may not be ensured to fit in the immediate value of
> the opcode. Such instructions need simulation, so reject
> probing them.
>
> Instructions generating exceptions or cpu mode change are rejected
> for probing.
>
> Instructions using Exclusive Monitor are rejected too.
>
> System instructions are mostly enabled for stepping, except MSR/MRS
> accesses to "DAIF" flags in PSTATE, which are not safe for
> probing.
>
> Thanks to Steve Capper and Pratyush Anand for several suggested
> Changes.
>
> Signed-off-by: Sandeepa Prabhu <sandeepa.prabhu at linaro.org>
> Signed-off-by: Steve Capper <steve.capper at linaro.org>
> Signed-off-by: David A. Long <dave.long at linaro.org>
> ---
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/debug-monitors.h | 5 +
> arch/arm64/include/asm/kprobes.h | 62 ++++
> arch/arm64/include/asm/probes.h | 50 +++
> arch/arm64/include/asm/ptrace.h | 3 +-
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/debug-monitors.c | 35 ++-
> arch/arm64/kernel/kprobes-arm64.c | 68 ++++
> arch/arm64/kernel/kprobes-arm64.h | 28 ++
> arch/arm64/kernel/kprobes.c | 537 ++++++++++++++++++++++++++++++++
> arch/arm64/kernel/kprobes.h | 24 ++
> arch/arm64/kernel/vmlinux.lds.S | 1 +
> arch/arm64/mm/fault.c | 25 ++
> 13 files changed, 829 insertions(+), 11 deletions(-)
> create mode 100644 arch/arm64/include/asm/kprobes.h
> create mode 100644 arch/arm64/include/asm/probes.h
> create mode 100644 arch/arm64/kernel/kprobes-arm64.c
> create mode 100644 arch/arm64/kernel/kprobes-arm64.h
> create mode 100644 arch/arm64/kernel/kprobes.c
> create mode 100644 arch/arm64/kernel/kprobes.h
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 966091f..45a9bd81 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -71,6 +71,7 @@ config ARM64
> select HAVE_REGS_AND_STACK_ACCESS_API
> select HAVE_RCU_TABLE_FREE
> select HAVE_SYSCALL_TRACEPOINTS
> + select HAVE_KPROBES
> select IRQ_DOMAIN
> select MODULES_USE_ELF_RELA
> select NO_BOOTMEM
> diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
> index 40ec68a..92d7cea 100644
> --- a/arch/arm64/include/asm/debug-monitors.h
> +++ b/arch/arm64/include/asm/debug-monitors.h
> @@ -90,6 +90,11 @@
>
> #define CACHE_FLUSH_IS_SAFE 1
>
> +/* kprobes BRK opcodes with ESR encoding */
> +#define BRK64_ESR_MASK 0xFFFF
> +#define BRK64_ESR_KPROBES 0x0004
> +#define BRK64_OPCODE_KPROBES (AARCH64_BREAK_MON | (BRK64_ESR_KPROBES << 5))
> +
> /* AArch32 */
> #define DBG_ESR_EVT_BKPT 0x4
> #define DBG_ESR_EVT_VECC 0x5
> diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
> new file mode 100644
> index 0000000..af31c4d
> --- /dev/null
> +++ b/arch/arm64/include/asm/kprobes.h
> @@ -0,0 +1,62 @@
> +/*
> + * arch/arm64/include/asm/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KPROBES_H
> +#define _ARM_KPROBES_H
> +
> +#include <linux/types.h>
> +#include <linux/ptrace.h>
> +#include <linux/percpu.h>
> +
> +#define __ARCH_WANT_KPROBES_INSN_SLOT
> +#define MAX_INSN_SIZE 1
> +#define MAX_STACK_SIZE 128
> +
> +#define flush_insn_slot(p) do { } while (0)
> +#define kretprobe_blacklist_size 0
> +
> +#include <asm/probes.h>
> +
> +struct prev_kprobe {
> + struct kprobe *kp;
> + unsigned int status;
> +};
> +
> +/* Single step context for kprobe */
> +struct kprobe_step_ctx {
> +#define KPROBES_STEP_NONE 0x0
> +#define KPROBES_STEP_PENDING 0x1
> + unsigned long ss_status;
> + unsigned long match_addr;
> +};
> +
> +/* per-cpu kprobe control block */
> +struct kprobe_ctlblk {
> + unsigned int kprobe_status;
> + unsigned long saved_irqflag;
> + struct prev_kprobe prev_kprobe;
> + struct kprobe_step_ctx ss_ctx;
> + struct pt_regs jprobe_saved_regs;
> + char jprobes_stack[MAX_STACK_SIZE];
> +};
> +
> +void arch_remove_kprobe(struct kprobe *);
> +int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
> +int kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data);
> +int kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr);
> +int kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr);
> +
> +#endif /* _ARM_KPROBES_H */
> diff --git a/arch/arm64/include/asm/probes.h b/arch/arm64/include/asm/probes.h
> new file mode 100644
> index 0000000..7f5a27f
> --- /dev/null
> +++ b/arch/arm64/include/asm/probes.h
> @@ -0,0 +1,50 @@
> +/*
> + * arch/arm64/include/asm/probes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +#ifndef _ARM_PROBES_H
> +#define _ARM_PROBES_H
> +
> +struct kprobe;
> +struct arch_specific_insn;
> +
> +typedef u32 kprobe_opcode_t;
> +typedef unsigned long (kprobes_pstate_check_t)(unsigned long);
> +typedef unsigned long
> +(probes_condition_check_t)(struct kprobe *p, struct pt_regs *);
> +typedef void
> +(probes_prepare_t)(struct kprobe *, struct arch_specific_insn *);
> +typedef void (kprobes_handler_t) (u32 opcode, long addr, struct pt_regs *);
> +
> +enum pc_restore_type {
> + NO_RESTORE,
> + RESTORE_PC,
> +};
> +
> +struct kprobe_pc_restore {
> + enum pc_restore_type type;
> + unsigned long addr;
> +};
> +
> +/* architecture specific copy of original instruction */
> +struct arch_specific_insn {
> + kprobe_opcode_t *insn;
> + kprobes_pstate_check_t *pstate_cc;
> + probes_condition_check_t *check_condn;
> + probes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> + /* restore address after step xol */
> + struct kprobe_pc_restore restore;
> +};
> +
> +#endif
> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
> index 8f440e9..aadf61a 100644
> --- a/arch/arm64/include/asm/ptrace.h
> +++ b/arch/arm64/include/asm/ptrace.h
> @@ -206,7 +206,8 @@ static inline int valid_user_regs(struct user_pt_regs *regs)
> return 0;
> }
>
> -#define instruction_pointer(regs) ((unsigned long)(regs)->pc)
> +#define instruction_pointer(regs) ((regs)->pc)
> +#define stack_pointer(regs) ((regs)->sp)
>
> #ifdef CONFIG_SMP
> extern unsigned long profile_pc(struct pt_regs *regs);
> diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> index 426d076..1319872 100644
> --- a/arch/arm64/kernel/Makefile
> +++ b/arch/arm64/kernel/Makefile
> @@ -32,6 +32,7 @@ arm64-obj-$(CONFIG_CPU_PM) += sleep.o suspend.o
> arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
> arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
> arm64-obj-$(CONFIG_KGDB) += kgdb.o
> +arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
> arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
> arm64-obj-$(CONFIG_PCI) += pci.o
> arm64-obj-$(CONFIG_ARMV8_DEPRECATED) += armv8_deprecated.o
> diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
> index b056369..486ee94 100644
> --- a/arch/arm64/kernel/debug-monitors.c
> +++ b/arch/arm64/kernel/debug-monitors.c
> @@ -23,6 +23,7 @@
> #include <linux/hardirq.h>
> #include <linux/init.h>
> #include <linux/ptrace.h>
> +#include <linux/kprobes.h>
> #include <linux/stat.h>
> #include <linux/uaccess.h>
>
> @@ -228,6 +229,7 @@ static int single_step_handler(unsigned long addr, unsigned int esr,
> struct pt_regs *regs)
> {
> siginfo_t info;
> + bool handler_found = false;
>
> /*
> * If we are stepping a pending breakpoint, call the hw_breakpoint
> @@ -251,15 +253,21 @@ static int single_step_handler(unsigned long addr, unsigned int esr,
> */
> user_rewind_single_step(current);
> } else {
> +#ifdef CONFIG_KPROBES
> + if (kprobe_single_step_handler(regs, esr) == DBG_HOOK_HANDLED)
> + handler_found = true;
> +#endif
> if (call_step_hook(regs, esr) == DBG_HOOK_HANDLED)
> - return 0;
> -
> - pr_warning("Unexpected kernel single-step exception at EL1\n");
> - /*
> - * Re-enable stepping since we know that we will be
> - * returning to regs.
> - */
> - set_regs_spsr_ss(regs);
> + handler_found = true;
> +
> + if (!handler_found) {
> + pr_warn("Unexpected kernel single-step exception at EL1\n");
> + /*
> + * Re-enable stepping since we know that we will be
> + * returning to regs.
> + */
> + set_regs_spsr_ss(regs);
> + }
> }
>
> return 0;
> @@ -315,8 +323,15 @@ static int brk_handler(unsigned long addr, unsigned int esr,
> };
>
> force_sig_info(SIGTRAP, &info, current);
> - } else if (call_break_hook(regs, esr) != DBG_HOOK_HANDLED) {
> - pr_warning("Unexpected kernel BRK exception at EL1\n");
> + }
> +#ifdef CONFIG_KPROBES
> + else if ((esr & BRK64_ESR_MASK) == BRK64_ESR_KPROBES) {
> + if (kprobe_breakpoint_handler(regs, esr) != DBG_HOOK_HANDLED)
> + return -EFAULT;
> + }
> +#endif
> + else if (call_break_hook(regs, esr) != DBG_HOOK_HANDLED) {
> + pr_warn("Unexpected kernel BRK exception at EL1\n");
> return -EFAULT;
> }
>
> diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
> new file mode 100644
> index 0000000..f958c52
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.c
> @@ -0,0 +1,68 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.c
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <asm/kprobes.h>
> +#include <asm/insn.h>
> +
> +#include "kprobes-arm64.h"
> +
> +static bool __kprobes aarch64_insn_is_steppable(u32 insn)
> +{
> + if (aarch64_get_insn_class(insn) == AARCH64_INSN_CLS_BR_SYS) {
> + if (aarch64_insn_is_branch(insn))
> + return false;
> +
> + /* modification of daif creates issues */
> + if (aarch64_insn_is_daif_access(insn))
> + return false;
> +
> + if (aarch64_insn_is_exception(insn))
> + return false;
> +
> + if (aarch64_insn_is_hint(insn))
> + return aarch64_insn_is_nop(insn);
> +
> + return true;
> + }
> +
> + if (aarch64_insn_uses_literal(insn))
> + return false;
> +
> + if (aarch64_insn_is_exclusive(insn))
> + return false;
> +
> + return true;
> +}
> +
> +/* Return:
> + * INSN_REJECTED If instruction is one not allowed to kprobe,
> + * INSN_GOOD If instruction is supported and uses instruction slot,
> + * INSN_GOOD_NO_SLOT If instruction is supported but doesn't use its slot.
> + */
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi)
> +{
> + /*
> + * Instructions reading or modifying the PC won't work from the XOL
> + * slot.
> + */
> + if (aarch64_insn_is_steppable(insn))
> + return INSN_GOOD;
> + else
> + return INSN_REJECTED;
> +}
> diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
> new file mode 100644
> index 0000000..87e7891
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.h
> @@ -0,0 +1,28 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_ARM64_H
> +#define _ARM_KERNEL_KPROBES_ARM64_H
> +
> +enum kprobe_insn {
> + INSN_REJECTED,
> + INSN_GOOD_NO_SLOT,
> + INSN_GOOD,
> +};
> +
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);
> +
> +#endif /* _ARM_KERNEL_KPROBES_ARM64_H */
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> new file mode 100644
> index 0000000..601d2c6
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -0,0 +1,537 @@
> +/*
> + * arch/arm64/kernel/kprobes.c
> + *
> + * Kprobes support for ARM64
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + * Author: Sandeepa Prabhu <sandeepa.prabhu at linaro.org>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + *
> + */
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <linux/slab.h>
> +#include <linux/stop_machine.h>
> +#include <linux/stringify.h>
> +#include <asm/traps.h>
> +#include <asm/ptrace.h>
> +#include <asm/cacheflush.h>
> +#include <asm/debug-monitors.h>
> +#include <asm/system_misc.h>
> +#include <asm/insn.h>
> +
> +#include "kprobes.h"
> +#include "kprobes-arm64.h"
> +
> +#define MIN_STACK_SIZE(addr) min((unsigned long)MAX_STACK_SIZE, \
> + (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
> +
> +DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
> +DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
> +
> +static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
> +{
> + /* prepare insn slot */
> + p->ainsn.insn[0] = p->opcode;
> +
> + flush_icache_range((uintptr_t) (p->ainsn.insn),
> + (uintptr_t) (p->ainsn.insn) + MAX_INSN_SIZE);
> +
> + /*
> + * Needs restoring of return address after stepping xol.
> + */
> + p->ainsn.restore.addr = (unsigned long) p->addr +
> + sizeof(kprobe_opcode_t);
> + p->ainsn.restore.type = RESTORE_PC;
> +}
> +
> +int __kprobes arch_prepare_kprobe(struct kprobe *p)
> +{
> + kprobe_opcode_t insn;
> + unsigned long probe_addr = (unsigned long)p->addr;
> +
> + /* copy instruction */
> + insn = *p->addr;
> + p->opcode = insn;
> +
> + if (in_exception_text(probe_addr))
> + return -EINVAL;
> +
> + /* decode instruction */
> + switch (arm_kprobe_decode_insn(insn, &p->ainsn)) {
> + case INSN_REJECTED: /* insn not supported */
> + return -EINVAL;
> +
> + case INSN_GOOD_NO_SLOT: /* insn need simulation */
> + return -EINVAL;
> +
> + case INSN_GOOD: /* instruction uses slot */
> + p->ainsn.insn = get_insn_slot();
> + if (!p->ainsn.insn)
> + return -ENOMEM;
> + break;
> + };
> +
> + /* prepare the instruction */
> + arch_prepare_ss_slot(p);
> +
> + return 0;
> +}
> +
> +static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
> +{
> + void *addrs[1];
> + u32 insns[1];
> +
> + addrs[0] = (void *)addr;
> + insns[0] = (u32)opcode;
> +
> + return aarch64_insn_patch_text_sync(addrs, insns, 1);
> +}
> +
> +/* arm kprobe: install breakpoint in text */
> +void __kprobes arch_arm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, BRK64_OPCODE_KPROBES);
> +}
> +
> +/* disarm kprobe: remove breakpoint from text */
> +void __kprobes arch_disarm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, p->opcode);
> +}
> +
> +void __kprobes arch_remove_kprobe(struct kprobe *p)
> +{
> + if (p->ainsn.insn) {
> + free_insn_slot(p->ainsn.insn, 0);
> + p->ainsn.insn = NULL;
> + }
> +}
> +
> +static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + kcb->prev_kprobe.kp = kprobe_running();
> + kcb->prev_kprobe.status = kcb->kprobe_status;
> +}
> +
> +static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
> + kcb->kprobe_status = kcb->prev_kprobe.status;
> +}
> +
> +static void __kprobes set_current_kprobe(struct kprobe *p)
> +{
> + __this_cpu_write(current_kprobe, p);
> +}
> +
> +/*
> + * The D-flag (Debug mask) is set (masked) upon exception entry.
> + * Kprobes needs to clear (unmask) D-flag -ONLY- in case of recursive
> + * probe i.e. when probe hit from kprobe handler context upon
> + * executing the pre/post handlers. In this case we return with
> + * D-flag clear so that single-stepping can be carried-out.
> + *
> + * Leave D-flag set in all other cases.
> + */
> +static void __kprobes
> +spsr_set_debug_flag(struct pt_regs *regs, int mask)
> +{
> + unsigned long spsr = regs->pstate;
> +
> + if (mask)
> + spsr |= PSR_D_BIT;
> + else
> + spsr &= ~PSR_D_BIT;
> +
> + regs->pstate = spsr;
> +}
> +
> +/*
> + * Interrupts need to be disabled before single-step mode is set, and not
> + * reenabled until after single-step mode ends.
> + * Without disabling interrupt on local CPU, there is a chance of
> + * interrupt occurrence in the period of exception return and start of
> + * out-of-line single-step, that result in wrongly single stepping
> + * the interrupt handler.
> + */
> +static void __kprobes kprobes_save_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + kcb->saved_irqflag = regs->pstate;
> + regs->pstate |= PSR_I_BIT;
> +}
> +
> +static void __kprobes kprobes_restore_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + if (kcb->saved_irqflag & PSR_I_BIT)
> + regs->pstate |= PSR_I_BIT;
> + else
> + regs->pstate &= ~PSR_I_BIT;
> +}
> +
> +static void __kprobes
> +set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_PENDING;
> + kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t);
> +}
> +
> +static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_NONE;
> + kcb->ss_ctx.match_addr = 0;
> +}
> +
> +static void __kprobes
> +skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + /* set return addr to next pc to continue */
> + instruction_pointer(regs) += sizeof(kprobe_opcode_t);
> +}
I'm not sure if this is the best approach for skip_singlestep_missed?
If the condition check fails, we have very little to simulate :-), but
I think the user will expect the kprobe to fire?
For instance I have the following memcpy in my kernel:
ffffffc0003b6500 <memcpy>:
ffffffc0003b6500: aa0003e6 mov x6, x0
ffffffc0003b6504: f100405f cmp x2, #0x10
ffffffc0003b6508: 540003c3 b.cc ffffffc0003b6580 <memcpy+0x80>
ffffffc0003b650c: cb0103e4 neg x4, x1
ffffffc0003b6510: f2400c84 ands x4, x4, #0xf
ffffffc0003b6514: 540001c0 b.eq ffffffc0003b654c <memcpy+0x4c>
If I set the following kprobes:
p:kprobes/memcpy1 0xffffffc0003b6500
p:kprobes/memcpy2 0xffffffc0003b6508
So the second kprobe is placed on a conditional instruction.
I get the following statistics from perf:
perf stat -e kprobes:memcpy1 -e kprobes:memcpy2 -a sleep 10
Performance counter stats for 'system wide':
2,001 kprobes:memcpy1
(100.00%)
1,563 kprobes:memcpy2
10.001287601 seconds time elapsed
I (maybe naively) would expect the event counts to be the same? (as
both pc values are "hit").
For a case where the condition check fails, I think we should do something like:
set_current_probe(p);
instruction_pointer(regs) += sizeof(kprobe_opcode_t);
post_kprobe_handler(kcb, regs);
> +
> +static void __kprobes setup_singlestep(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb, int reenter)
> +{
> + unsigned long slot;
> +
> + if (reenter) {
> + save_previous_kprobe(kcb);
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_REENTER;
> + } else {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + }
> +
> + if (p->ainsn.insn) {
> + /* prepare for single stepping */
> + slot = (unsigned long)p->ainsn.insn;
> +
> + set_ss_context(kcb, slot); /* mark pending ss */
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 0);
> +
> + /* IRQs and single stepping do not mix well. */
> + kprobes_save_local_irqflag(regs);
> + kernel_enable_single_step(regs);
> + instruction_pointer(regs) = slot;
> + } else {
> + BUG();
> + }
> +}
> +
> +static int __kprobes reenter_kprobe(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb)
> +{
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SSDONE:
> + case KPROBE_HIT_ACTIVE:
> + if (!p->ainsn.check_condn || p->ainsn.check_condn(p, regs)) {
> + kprobes_inc_nmissed_count(p);
> + setup_singlestep(p, regs, kcb, 1);
> + } else {
> + /* condition check failed, skip stepping */
> + skip_singlestep_missed(kcb, regs);
> + }
> + break;
> + case KPROBE_HIT_SS:
> + case KPROBE_REENTER:
> + pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
> + dump_kprobe(p);
> + BUG();
> + break;
> + default:
> + WARN_ON(1);
> + return 0;
> + }
> +
> + return 1;
> +}
> +
> +static void __kprobes
> +post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + struct kprobe *cur = kprobe_running();
> +
> + if (!cur)
> + return;
> +
> + /* return addr restore if non-branching insn */
> + if (cur->ainsn.restore.type == RESTORE_PC) {
> + instruction_pointer(regs) = cur->ainsn.restore.addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + }
> +
> + /* restore back original saved kprobe variables and continue */
> + if (kcb->kprobe_status == KPROBE_REENTER) {
> + restore_previous_kprobe(kcb);
> + return;
> + }
> + /* call post handler */
> + kcb->kprobe_status = KPROBE_HIT_SSDONE;
> + if (cur->post_handler) {
> + /* post_handler can hit breakpoint and single step
> + * again, so we enable D-flag for recursive exception.
> + */
> + cur->post_handler(cur, regs, 0);
> + }
> +
> + reset_current_kprobe();
> +}
> +
> +int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
> +{
> + struct kprobe *cur = kprobe_running();
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SS:
> + case KPROBE_REENTER:
> + /*
> + * We are here because the instruction being single
> + * stepped caused a page fault. We reset the current
> + * kprobe and the ip points back to the probe address
> + * and allow the page fault handler to continue as a
> + * normal page fault.
> + */
> + instruction_pointer(regs) = (unsigned long)cur->addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + restore_previous_kprobe(kcb);
> + else
> + reset_current_kprobe();
> +
> + break;
> + case KPROBE_HIT_ACTIVE:
> + case KPROBE_HIT_SSDONE:
> + /*
> + * We increment the nmissed count for accounting,
> + * we can also use npre/npostfault count for accounting
> + * these specific fault cases.
> + */
> + kprobes_inc_nmissed_count(cur);
> +
> + /*
> + * We come here because instructions in the pre/post
> + * handler caused the page_fault, this could happen
> + * if handler tries to access user space by
> + * copy_from_user(), get_user() etc. Let the
> + * user-specified handler try to fix it first.
> + */
> + if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
> + return 1;
> +
> + /*
> + * In case the user-specified fault handler returned
> + * zero, try to fix up.
> + */
> + if (fixup_exception(regs))
> + return 1;
> +
> + break;
> + }
> + return 0;
> +}
> +
> +int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data)
> +{
> + return NOTIFY_DONE;
> +}
> +
> +void __kprobes kprobe_handler(struct pt_regs *regs)
> +{
> + struct kprobe *p, *cur;
> + struct kprobe_ctlblk *kcb;
> + unsigned long addr = instruction_pointer(regs);
> +
> + kcb = get_kprobe_ctlblk();
> + cur = kprobe_running();
> +
> + p = get_kprobe((kprobe_opcode_t *) addr);
> +
> + if (p) {
> + if (cur) {
> + if (reenter_kprobe(p, regs, kcb))
> + return;
> + } else if (!p->ainsn.check_condn ||
> + p->ainsn.check_condn(p, regs)) {
> + /* Probe hit and conditional execution check ok. */
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_HIT_ACTIVE;
> +
> + /*
> + * If we have no pre-handler or it returned 0, we
> + * continue with normal processing. If we have a
> + * pre-handler and it returned non-zero, it prepped
> + * for calling the break_handler below on re-entry,
> + * so get out doing nothing more here.
> + *
> + * pre_handler can hit a breakpoint and can step thru
> + * before return, keep PSTATE D-flag enabled until
> + * pre_handler return back.
> + */
> + if (!p->pre_handler || !p->pre_handler(p, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(p, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /*
> + * Breakpoint hit but conditional check failed,
> + * so just skip the instruction (NOP behaviour)
> + */
> + skip_singlestep_missed(kcb, regs);
> + return;
> + }
> + } else if (*(kprobe_opcode_t *) addr != BRK64_OPCODE_KPROBES) {
> + /*
> + * The breakpoint instruction was removed right
> + * after we hit it. Another cpu has removed
> + * either a probepoint or a debugger breakpoint
> + * at this address. In either case, no further
> + * handling of this interrupt is appropriate.
> + * Return back to original instruction, and continue.
> + */
> + return;
> + } else if (cur) {
> + /* We probably hit a jprobe. Call its break handler. */
> + if (cur->break_handler && cur->break_handler(cur, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(cur, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /* breakpoint is removed, now in a race
> + * Return back to original instruction & continue.
> + */
> + }
> +}
> +
> +static int __kprobes
> +kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + if ((kcb->ss_ctx.ss_status == KPROBES_STEP_PENDING)
> + && (kcb->ss_ctx.match_addr == addr)) {
> + clear_ss_context(kcb); /* clear pending ss */
> + return DBG_HOOK_HANDLED;
> + }
> + /* not ours, kprobes should ignore it */
> + return DBG_HOOK_ERROR;
> +}
> +
> +int __kprobes
> +kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + int retval;
> +
> + /* return error if this is not our step */
> + retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
> +
> + if (retval == DBG_HOOK_HANDLED) {
> + kprobes_restore_local_irqflag(regs);
> + kernel_disable_single_step();
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 1);
> +
> + post_kprobe_handler(kcb, regs);
> + }
> +
> + return retval;
> +}
> +
> +int __kprobes
> +kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + kprobe_handler(regs);
> + return DBG_HOOK_HANDLED;
> +}
> +
> +int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_ptr = stack_pointer(regs);
> +
> + kcb->jprobe_saved_regs = *regs;
> + memcpy(kcb->jprobes_stack, (void *)stack_ptr,
> + MIN_STACK_SIZE(stack_ptr));
> +
> + instruction_pointer(regs) = (long)jp->entry;
> + preempt_disable();
> + return 1;
> +}
> +
> +void __kprobes jprobe_return(void)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + /*
> + * Jprobe handler return by entering break exception,
> + * encoded same as kprobe, but with following conditions
> + * -a magic number in x0 to identify from rest of other kprobes.
> + * -restore stack addr to original saved pt_regs
> + */
> + asm volatile ("ldr x0, [%0]\n\t"
> + "mov sp, x0\n\t"
> + "ldr x0, =" __stringify(JPROBES_MAGIC_NUM) "\n\t"
> + "BRK %1\n\t"
> + "NOP\n\t"
> + :
> + : "r"(&kcb->jprobe_saved_regs.sp),
> + "I"(BRK64_ESR_KPROBES)
> + : "memory");
> +}
> +
> +int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_addr = kcb->jprobe_saved_regs.sp;
> + long orig_sp = stack_pointer(regs);
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> +
> + if (regs->regs[0] == JPROBES_MAGIC_NUM) {
> + if (orig_sp != stack_addr) {
> + struct pt_regs *saved_regs =
> + (struct pt_regs *)kcb->jprobe_saved_regs.sp;
> + pr_err("current sp %lx does not match saved sp %lx\n",
> + orig_sp, stack_addr);
> + pr_err("Saved registers for jprobe %p\n", jp);
> + show_regs(saved_regs);
> + pr_err("Current registers\n");
> + show_regs(regs);
> + BUG();
> + }
> + *regs = kcb->jprobe_saved_regs;
> + memcpy((void *)stack_addr, kcb->jprobes_stack,
> + MIN_STACK_SIZE(stack_addr));
> + preempt_enable_no_resched();
> + return 1;
> + }
> + return 0;
> +}
> +
> +int __init arch_init_kprobes(void)
> +{
> + return 0;
> +}
> diff --git a/arch/arm64/kernel/kprobes.h b/arch/arm64/kernel/kprobes.h
> new file mode 100644
> index 0000000..e98ad60
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.h
> @@ -0,0 +1,24 @@
> +/*
> + * arch/arm64/kernel/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_H
> +#define _ARM_KERNEL_KPROBES_H
> +
> +#define JPROBES_MAGIC_NUM 0xa5a5a5a5a5a5a5a5
> +
> +/* Move this out to appropriate header file */
> +int fixup_exception(struct pt_regs *regs);
> +
> +#endif /* _ARM_KERNEL_KPROBES_H */
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index a2c2986..2da5f4e 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -94,6 +94,7 @@ SECTIONS
> TEXT_TEXT
> SCHED_TEXT
> LOCK_TEXT
> + KPROBES_TEXT
> HYPERVISOR_TEXT
> *(.fixup)
> *(.gnu.warning)
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 96da131..4c13dfb 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -39,6 +39,28 @@
>
> static const char *fault_name(unsigned int esr);
>
> +#ifdef CONFIG_KPROBES
> +static inline int notify_page_fault(struct pt_regs *regs, unsigned int esr)
> +{
> + int ret = 0;
> +
> + /* kprobe_running() needs smp_processor_id() */
> + if (!user_mode(regs)) {
> + preempt_disable();
> + if (kprobe_running() && kprobe_fault_handler(regs, esr))
> + ret = 1;
> + preempt_enable();
> + }
> +
> + return ret;
> +}
> +#else
> +static inline int notify_page_fault(struct pt_regs *regs, unsigned int esr)
> +{
> + return 0;
> +}
> +#endif
> +
> /*
> * Dump out the page tables associated with 'addr' in mm 'mm'.
> */
> @@ -200,6 +222,9 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
> unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC;
> unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
>
> + if (notify_page_fault(regs, esr))
> + return 0;
> +
> tsk = current;
> mm = tsk->mm;
>
> --
> 1.8.1.2
>
More information about the linux-arm-kernel
mailing list