2 * Kernel Probes (KProbes)
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 * Copyright (C) IBM Corporation, 2002, 2004
20 * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
21 * Probes initial implementation ( includes contributions from
23 * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
24 * interface to access function arguments.
25 * 2004-Nov Ananth N Mavinakayanahalli <ananth@in.ibm.com> kprobes port
29 #include <linux/kprobes.h>
30 #include <linux/ptrace.h>
31 #include <linux/preempt.h>
32 #include <linux/module.h>
33 #include <linux/kdebug.h>
34 #include <asm/cacheflush.h>
35 #include <asm/sstep.h>
36 #include <asm/uaccess.h>
38 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
39 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
41 int __kprobes arch_prepare_kprobe(struct kprobe *p)
44 kprobe_opcode_t insn = *p->addr;
46 if ((unsigned long)p->addr & 0x03) {
47 printk("Attempt to register kprobe at an unaligned address\n");
49 } else if (IS_MTMSRD(insn) || IS_RFID(insn) || IS_RFI(insn)) {
50 printk("Cannot register a kprobe on rfi/rfid or mtmsr[d]\n");
54 /* insn must be on a special executable page on ppc64 */
56 p->ainsn.insn = get_insn_slot();
62 memcpy(p->ainsn.insn, p->addr,
63 MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
65 flush_icache_range((unsigned long)p->ainsn.insn,
66 (unsigned long)p->ainsn.insn + sizeof(kprobe_opcode_t));
69 p->ainsn.boostable = 0;
73 void __kprobes arch_arm_kprobe(struct kprobe *p)
75 *p->addr = BREAKPOINT_INSTRUCTION;
76 flush_icache_range((unsigned long) p->addr,
77 (unsigned long) p->addr + sizeof(kprobe_opcode_t));
80 void __kprobes arch_disarm_kprobe(struct kprobe *p)
83 flush_icache_range((unsigned long) p->addr,
84 (unsigned long) p->addr + sizeof(kprobe_opcode_t));
87 void __kprobes arch_remove_kprobe(struct kprobe *p)
89 mutex_lock(&kprobe_mutex);
90 free_insn_slot(p->ainsn.insn, 0);
91 mutex_unlock(&kprobe_mutex);
94 static void __kprobes prepare_singlestep(struct kprobe *p, struct pt_regs *regs)
99 * On powerpc we should single step on the original
100 * instruction even if the probed insn is a trap
101 * variant as values in regs could play a part in
102 * if the trap is taken or not
104 regs->nip = (unsigned long)p->ainsn.insn;
107 static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
109 kcb->prev_kprobe.kp = kprobe_running();
110 kcb->prev_kprobe.status = kcb->kprobe_status;
111 kcb->prev_kprobe.saved_msr = kcb->kprobe_saved_msr;
114 static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
116 __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
117 kcb->kprobe_status = kcb->prev_kprobe.status;
118 kcb->kprobe_saved_msr = kcb->prev_kprobe.saved_msr;
121 static void __kprobes set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
122 struct kprobe_ctlblk *kcb)
124 __get_cpu_var(current_kprobe) = p;
125 kcb->kprobe_saved_msr = regs->msr;
128 /* Called with kretprobe_lock held */
129 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
130 struct pt_regs *regs)
132 ri->ret_addr = (kprobe_opcode_t *)regs->link;
134 /* Replace the return addr with trampoline addr */
135 regs->link = (unsigned long)kretprobe_trampoline;
138 static int __kprobes kprobe_handler(struct pt_regs *regs)
142 unsigned int *addr = (unsigned int *)regs->nip;
143 struct kprobe_ctlblk *kcb;
146 * We don't want to be preempted for the entire
147 * duration of kprobe processing
150 kcb = get_kprobe_ctlblk();
152 /* Check we're not actually recursing */
153 if (kprobe_running()) {
154 p = get_kprobe(addr);
156 kprobe_opcode_t insn = *p->ainsn.insn;
157 if (kcb->kprobe_status == KPROBE_HIT_SS &&
159 regs->msr &= ~MSR_SE;
160 regs->msr |= kcb->kprobe_saved_msr;
163 /* We have reentered the kprobe_handler(), since
164 * another probe was hit while within the handler.
165 * We here save the original kprobes variables and
166 * just single step on the instruction of the new probe
167 * without calling any user handlers.
169 save_previous_kprobe(kcb);
170 set_current_kprobe(p, regs, kcb);
171 kcb->kprobe_saved_msr = regs->msr;
172 kprobes_inc_nmissed_count(p);
173 prepare_singlestep(p, regs);
174 kcb->kprobe_status = KPROBE_REENTER;
177 if (*addr != BREAKPOINT_INSTRUCTION) {
178 /* If trap variant, then it belongs not to us */
179 kprobe_opcode_t cur_insn = *addr;
180 if (is_trap(cur_insn))
182 /* The breakpoint instruction was removed by
183 * another cpu right after we hit, no further
184 * handling of this interrupt is appropriate
189 p = __get_cpu_var(current_kprobe);
190 if (p->break_handler && p->break_handler(p, regs)) {
197 p = get_kprobe(addr);
199 if (*addr != BREAKPOINT_INSTRUCTION) {
201 * PowerPC has multiple variants of the "trap"
202 * instruction. If the current instruction is a
203 * trap variant, it could belong to someone else
205 kprobe_opcode_t cur_insn = *addr;
206 if (is_trap(cur_insn))
209 * The breakpoint instruction was removed right
210 * after we hit it. Another cpu has removed
211 * either a probepoint or a debugger breakpoint
212 * at this address. In either case, no further
213 * handling of this interrupt is appropriate.
217 /* Not one of ours: let kernel handle it */
221 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
222 set_current_kprobe(p, regs, kcb);
223 if (p->pre_handler && p->pre_handler(p, regs))
224 /* handler has already set things up, so skip ss setup */
228 if (p->ainsn.boostable >= 0) {
229 unsigned int insn = *p->ainsn.insn;
231 /* regs->nip is also adjusted if emulate_step returns 1 */
232 ret = emulate_step(regs, insn);
235 * Once this instruction has been boosted
236 * successfully, set the boostable flag
238 if (unlikely(p->ainsn.boostable == 0))
239 p->ainsn.boostable = 1;
242 p->post_handler(p, regs, 0);
244 kcb->kprobe_status = KPROBE_HIT_SSDONE;
245 reset_current_kprobe();
246 preempt_enable_no_resched();
248 } else if (ret < 0) {
250 * We don't allow kprobes on mtmsr(d)/rfi(d), etc.
251 * So, we should never get here... but, its still
252 * good to catch them, just in case...
254 printk("Can't step on instruction %x\n", insn);
257 /* This instruction can't be boosted */
258 p->ainsn.boostable = -1;
260 prepare_singlestep(p, regs);
261 kcb->kprobe_status = KPROBE_HIT_SS;
265 preempt_enable_no_resched();
270 * Function return probe trampoline:
271 * - init_kprobes() establishes a probepoint here
272 * - When the probed function returns, this probe
273 * causes the handlers to fire
275 void kretprobe_trampoline_holder(void)
277 asm volatile(".global kretprobe_trampoline\n"
278 "kretprobe_trampoline:\n"
283 * Called when the probe at kretprobe trampoline is hit
285 int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
287 struct kretprobe_instance *ri = NULL;
288 struct hlist_head *head, empty_rp;
289 struct hlist_node *node, *tmp;
290 unsigned long flags, orig_ret_address = 0;
291 unsigned long trampoline_address =(unsigned long)&kretprobe_trampoline;
293 INIT_HLIST_HEAD(&empty_rp);
294 spin_lock_irqsave(&kretprobe_lock, flags);
295 head = kretprobe_inst_table_head(current);
298 * It is possible to have multiple instances associated with a given
299 * task either because an multiple functions in the call path
300 * have a return probe installed on them, and/or more then one return
301 * return probe was registered for a target function.
303 * We can handle this because:
304 * - instances are always inserted at the head of the list
305 * - when multiple return probes are registered for the same
306 * function, the first instance's ret_addr will point to the
307 * real return address, and all the rest will point to
308 * kretprobe_trampoline
310 hlist_for_each_entry_safe(ri, node, tmp, head, hlist) {
311 if (ri->task != current)
312 /* another task is sharing our hash bucket */
315 if (ri->rp && ri->rp->handler)
316 ri->rp->handler(ri, regs);
318 orig_ret_address = (unsigned long)ri->ret_addr;
319 recycle_rp_inst(ri, &empty_rp);
321 if (orig_ret_address != trampoline_address)
323 * This is the real return address. Any other
324 * instances associated with this task are for
325 * other calls deeper on the call stack
330 kretprobe_assert(ri, orig_ret_address, trampoline_address);
331 regs->nip = orig_ret_address;
333 reset_current_kprobe();
334 spin_unlock_irqrestore(&kretprobe_lock, flags);
335 preempt_enable_no_resched();
337 hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
338 hlist_del(&ri->hlist);
342 * By returning a non-zero value, we are telling
343 * kprobe_handler() that we don't want the post_handler
344 * to run (and have re-enabled preemption)
350 * Called after single-stepping. p->addr is the address of the
351 * instruction whose first byte has been replaced by the "breakpoint"
352 * instruction. To avoid the SMP problems that can occur when we
353 * temporarily put back the original opcode to single-step, we
354 * single-stepped a copy of the instruction. The address of this
355 * copy is p->ainsn.insn.
357 static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs)
360 unsigned int insn = *p->ainsn.insn;
362 regs->nip = (unsigned long)p->addr;
363 ret = emulate_step(regs, insn);
365 regs->nip = (unsigned long)p->addr + 4;
368 static int __kprobes post_kprobe_handler(struct pt_regs *regs)
370 struct kprobe *cur = kprobe_running();
371 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
376 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
377 kcb->kprobe_status = KPROBE_HIT_SSDONE;
378 cur->post_handler(cur, regs, 0);
381 resume_execution(cur, regs);
382 regs->msr |= kcb->kprobe_saved_msr;
384 /*Restore back the original saved kprobes variables and continue. */
385 if (kcb->kprobe_status == KPROBE_REENTER) {
386 restore_previous_kprobe(kcb);
389 reset_current_kprobe();
391 preempt_enable_no_resched();
394 * if somebody else is singlestepping across a probe point, msr
395 * will have SE set, in which case, continue the remaining processing
396 * of do_debug, as if this is not a probe hit.
398 if (regs->msr & MSR_SE)
404 int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
406 struct kprobe *cur = kprobe_running();
407 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
408 const struct exception_table_entry *entry;
410 switch(kcb->kprobe_status) {
414 * We are here because the instruction being single
415 * stepped caused a page fault. We reset the current
416 * kprobe and the nip points back to the probe address
417 * and allow the page fault handler to continue as a
420 regs->nip = (unsigned long)cur->addr;
421 regs->msr &= ~MSR_SE;
422 regs->msr |= kcb->kprobe_saved_msr;
423 if (kcb->kprobe_status == KPROBE_REENTER)
424 restore_previous_kprobe(kcb);
426 reset_current_kprobe();
427 preempt_enable_no_resched();
429 case KPROBE_HIT_ACTIVE:
430 case KPROBE_HIT_SSDONE:
432 * We increment the nmissed count for accounting,
433 * we can also use npre/npostfault count for accouting
434 * these specific fault cases.
436 kprobes_inc_nmissed_count(cur);
439 * We come here because instructions in the pre/post
440 * handler caused the page_fault, this could happen
441 * if handler tries to access user space by
442 * copy_from_user(), get_user() etc. Let the
443 * user-specified handler try to fix it first.
445 if (cur->fault_handler && cur->fault_handler(cur, regs, trapnr))
449 * In case the user-specified fault handler returned
450 * zero, try to fix up.
452 if ((entry = search_exception_tables(regs->nip)) != NULL) {
453 regs->nip = entry->fixup;
458 * fixup_exception() could not handle it,
459 * Let do_page_fault() fix it.
469 * Wrapper routine to for handling exceptions.
471 int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
472 unsigned long val, void *data)
474 struct die_args *args = (struct die_args *)data;
475 int ret = NOTIFY_DONE;
477 if (args->regs && user_mode(args->regs))
482 if (kprobe_handler(args->regs))
486 if (post_kprobe_handler(args->regs))
495 int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
497 struct jprobe *jp = container_of(p, struct jprobe, kp);
498 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
500 memcpy(&kcb->jprobe_saved_regs, regs, sizeof(struct pt_regs));
502 /* setup return addr to the jprobe handler routine */
504 regs->nip = (unsigned long)(((func_descr_t *)jp->entry)->entry);
505 regs->gpr[2] = (unsigned long)(((func_descr_t *)jp->entry)->toc);
507 regs->nip = (unsigned long)jp->entry;
513 void __kprobes jprobe_return(void)
515 asm volatile("trap" ::: "memory");
518 void __kprobes jprobe_return_end(void)
522 int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
524 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
527 * FIXME - we should ideally be validating that we got here 'cos
528 * of the "trap" in jprobe_return() above, before restoring the
531 memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
532 preempt_enable_no_resched();
536 static struct kprobe trampoline_p = {
537 .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
538 .pre_handler = trampoline_probe_handler
541 int __init arch_init_kprobes(void)
543 return register_kprobe(&trampoline_p);
546 int __kprobes arch_trampoline_kprobe(struct kprobe *p)
548 if (p->addr == (kprobe_opcode_t *)&kretprobe_trampoline)