cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

kprobes.c (10841B)

      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * arch/arm64/kernel/probes/kprobes.c
      4 *
      5 * Kprobes support for ARM64
      6 *
      7 * Copyright (C) 2013 Linaro Limited.
      8 * Author: Sandeepa Prabhu <sandeepa.prabhu@linaro.org>
      9 */
     10
     11#define pr_fmt(fmt) "kprobes: " fmt
     12
     13#include <linux/extable.h>
     14#include <linux/kasan.h>
     15#include <linux/kernel.h>
     16#include <linux/kprobes.h>
     17#include <linux/sched/debug.h>
     18#include <linux/set_memory.h>
     19#include <linux/slab.h>
     20#include <linux/stop_machine.h>
     21#include <linux/stringify.h>
     22#include <linux/uaccess.h>
     23#include <linux/vmalloc.h>
     24
     25#include <asm/cacheflush.h>
     26#include <asm/daifflags.h>
     27#include <asm/debug-monitors.h>
     28#include <asm/insn.h>
     29#include <asm/irq.h>
     30#include <asm/patching.h>
     31#include <asm/ptrace.h>
     32#include <asm/sections.h>
     33#include <asm/system_misc.h>
     34#include <asm/traps.h>
     35
     36#include "decode-insn.h"
     37
     38DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
     39DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
     40
     41static void __kprobes
     42post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
     43
     44static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
     45{
     46	kprobe_opcode_t *addr = p->ainsn.api.insn;
     47	void *addrs[] = {addr, addr + 1};
     48	u32 insns[] = {p->opcode, BRK64_OPCODE_KPROBES_SS};
     49
     50	/* prepare insn slot */
     51	aarch64_insn_patch_text(addrs, insns, 2);
     52
     53	flush_icache_range((uintptr_t)addr, (uintptr_t)(addr + MAX_INSN_SIZE));
     54
     55	/*
     56	 * Needs restoring of return address after stepping xol.
     57	 */
     58	p->ainsn.api.restore = (unsigned long) p->addr +
     59	  sizeof(kprobe_opcode_t);
     60}
     61
     62static void __kprobes arch_prepare_simulate(struct kprobe *p)
     63{
     64	/* This instructions is not executed xol. No need to adjust the PC */
     65	p->ainsn.api.restore = 0;
     66}
     67
     68static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
     69{
     70	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
     71
     72	if (p->ainsn.api.handler)
     73		p->ainsn.api.handler((u32)p->opcode, (long)p->addr, regs);
     74
     75	/* single step simulated, now go for post processing */
     76	post_kprobe_handler(p, kcb, regs);
     77}
     78
     79int __kprobes arch_prepare_kprobe(struct kprobe *p)
     80{
     81	unsigned long probe_addr = (unsigned long)p->addr;
     82
     83	if (probe_addr & 0x3)
     84		return -EINVAL;
     85
     86	/* copy instruction */
     87	p->opcode = le32_to_cpu(*p->addr);
     88
     89	if (search_exception_tables(probe_addr))
     90		return -EINVAL;
     91
     92	/* decode instruction */
     93	switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) {
     94	case INSN_REJECTED:	/* insn not supported */
     95		return -EINVAL;
     96
     97	case INSN_GOOD_NO_SLOT:	/* insn need simulation */
     98		p->ainsn.api.insn = NULL;
     99		break;
    100
    101	case INSN_GOOD:	/* instruction uses slot */
    102		p->ainsn.api.insn = get_insn_slot();
    103		if (!p->ainsn.api.insn)
    104			return -ENOMEM;
    105		break;
    106	}
    107
    108	/* prepare the instruction */
    109	if (p->ainsn.api.insn)
    110		arch_prepare_ss_slot(p);
    111	else
    112		arch_prepare_simulate(p);
    113
    114	return 0;
    115}
    116
    117void *alloc_insn_page(void)
    118{
    119	return __vmalloc_node_range(PAGE_SIZE, 1, VMALLOC_START, VMALLOC_END,
    120			GFP_KERNEL, PAGE_KERNEL_ROX, VM_FLUSH_RESET_PERMS,
    121			NUMA_NO_NODE, __builtin_return_address(0));
    122}
    123
    124/* arm kprobe: install breakpoint in text */
    125void __kprobes arch_arm_kprobe(struct kprobe *p)
    126{
    127	void *addr = p->addr;
    128	u32 insn = BRK64_OPCODE_KPROBES;
    129
    130	aarch64_insn_patch_text(&addr, &insn, 1);
    131}
    132
    133/* disarm kprobe: remove breakpoint from text */
    134void __kprobes arch_disarm_kprobe(struct kprobe *p)
    135{
    136	void *addr = p->addr;
    137
    138	aarch64_insn_patch_text(&addr, &p->opcode, 1);
    139}
    140
    141void __kprobes arch_remove_kprobe(struct kprobe *p)
    142{
    143	if (p->ainsn.api.insn) {
    144		free_insn_slot(p->ainsn.api.insn, 0);
    145		p->ainsn.api.insn = NULL;
    146	}
    147}
    148
    149static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
    150{
    151	kcb->prev_kprobe.kp = kprobe_running();
    152	kcb->prev_kprobe.status = kcb->kprobe_status;
    153}
    154
    155static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
    156{
    157	__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
    158	kcb->kprobe_status = kcb->prev_kprobe.status;
    159}
    160
    161static void __kprobes set_current_kprobe(struct kprobe *p)
    162{
    163	__this_cpu_write(current_kprobe, p);
    164}
    165
    166/*
    167 * Mask all of DAIF while executing the instruction out-of-line, to keep things
    168 * simple and avoid nesting exceptions. Interrupts do have to be disabled since
    169 * the kprobe state is per-CPU and doesn't get migrated.
    170 */
    171static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb,
    172						struct pt_regs *regs)
    173{
    174	kcb->saved_irqflag = regs->pstate & DAIF_MASK;
    175	regs->pstate |= DAIF_MASK;
    176}
    177
    178static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb,
    179						struct pt_regs *regs)
    180{
    181	regs->pstate &= ~DAIF_MASK;
    182	regs->pstate |= kcb->saved_irqflag;
    183}
    184
    185static void __kprobes setup_singlestep(struct kprobe *p,
    186				       struct pt_regs *regs,
    187				       struct kprobe_ctlblk *kcb, int reenter)
    188{
    189	unsigned long slot;
    190
    191	if (reenter) {
    192		save_previous_kprobe(kcb);
    193		set_current_kprobe(p);
    194		kcb->kprobe_status = KPROBE_REENTER;
    195	} else {
    196		kcb->kprobe_status = KPROBE_HIT_SS;
    197	}
    198
    199
    200	if (p->ainsn.api.insn) {
    201		/* prepare for single stepping */
    202		slot = (unsigned long)p->ainsn.api.insn;
    203
    204		kprobes_save_local_irqflag(kcb, regs);
    205		instruction_pointer_set(regs, slot);
    206	} else {
    207		/* insn simulation */
    208		arch_simulate_insn(p, regs);
    209	}
    210}
    211
    212static int __kprobes reenter_kprobe(struct kprobe *p,
    213				    struct pt_regs *regs,
    214				    struct kprobe_ctlblk *kcb)
    215{
    216	switch (kcb->kprobe_status) {
    217	case KPROBE_HIT_SSDONE:
    218	case KPROBE_HIT_ACTIVE:
    219		kprobes_inc_nmissed_count(p);
    220		setup_singlestep(p, regs, kcb, 1);
    221		break;
    222	case KPROBE_HIT_SS:
    223	case KPROBE_REENTER:
    224		pr_warn("Failed to recover from reentered kprobes.\n");
    225		dump_kprobe(p);
    226		BUG();
    227		break;
    228	default:
    229		WARN_ON(1);
    230		return 0;
    231	}
    232
    233	return 1;
    234}
    235
    236static void __kprobes
    237post_kprobe_handler(struct kprobe *cur, struct kprobe_ctlblk *kcb, struct pt_regs *regs)
    238{
    239	/* return addr restore if non-branching insn */
    240	if (cur->ainsn.api.restore != 0)
    241		instruction_pointer_set(regs, cur->ainsn.api.restore);
    242
    243	/* restore back original saved kprobe variables and continue */
    244	if (kcb->kprobe_status == KPROBE_REENTER) {
    245		restore_previous_kprobe(kcb);
    246		return;
    247	}
    248	/* call post handler */
    249	kcb->kprobe_status = KPROBE_HIT_SSDONE;
    250	if (cur->post_handler)
    251		cur->post_handler(cur, regs, 0);
    252
    253	reset_current_kprobe();
    254}
    255
    256int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
    257{
    258	struct kprobe *cur = kprobe_running();
    259	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
    260
    261	switch (kcb->kprobe_status) {
    262	case KPROBE_HIT_SS:
    263	case KPROBE_REENTER:
    264		/*
    265		 * We are here because the instruction being single
    266		 * stepped caused a page fault. We reset the current
    267		 * kprobe and the ip points back to the probe address
    268		 * and allow the page fault handler to continue as a
    269		 * normal page fault.
    270		 */
    271		instruction_pointer_set(regs, (unsigned long) cur->addr);
    272		BUG_ON(!instruction_pointer(regs));
    273
    274		if (kcb->kprobe_status == KPROBE_REENTER) {
    275			restore_previous_kprobe(kcb);
    276		} else {
    277			kprobes_restore_local_irqflag(kcb, regs);
    278			reset_current_kprobe();
    279		}
    280
    281		break;
    282	case KPROBE_HIT_ACTIVE:
    283	case KPROBE_HIT_SSDONE:
    284		/*
    285		 * In case the user-specified fault handler returned
    286		 * zero, try to fix up.
    287		 */
    288		if (fixup_exception(regs))
    289			return 1;
    290	}
    291	return 0;
    292}
    293
    294static void __kprobes kprobe_handler(struct pt_regs *regs)
    295{
    296	struct kprobe *p, *cur_kprobe;
    297	struct kprobe_ctlblk *kcb;
    298	unsigned long addr = instruction_pointer(regs);
    299
    300	kcb = get_kprobe_ctlblk();
    301	cur_kprobe = kprobe_running();
    302
    303	p = get_kprobe((kprobe_opcode_t *) addr);
    304
    305	if (p) {
    306		if (cur_kprobe) {
    307			if (reenter_kprobe(p, regs, kcb))
    308				return;
    309		} else {
    310			/* Probe hit */
    311			set_current_kprobe(p);
    312			kcb->kprobe_status = KPROBE_HIT_ACTIVE;
    313
    314			/*
    315			 * If we have no pre-handler or it returned 0, we
    316			 * continue with normal processing.  If we have a
    317			 * pre-handler and it returned non-zero, it will
    318			 * modify the execution path and no need to single
    319			 * stepping. Let's just reset current kprobe and exit.
    320			 */
    321			if (!p->pre_handler || !p->pre_handler(p, regs)) {
    322				setup_singlestep(p, regs, kcb, 0);
    323			} else
    324				reset_current_kprobe();
    325		}
    326	}
    327	/*
    328	 * The breakpoint instruction was removed right
    329	 * after we hit it.  Another cpu has removed
    330	 * either a probepoint or a debugger breakpoint
    331	 * at this address.  In either case, no further
    332	 * handling of this interrupt is appropriate.
    333	 * Return back to original instruction, and continue.
    334	 */
    335}
    336
    337static int __kprobes
    338kprobe_breakpoint_ss_handler(struct pt_regs *regs, unsigned long esr)
    339{
    340	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
    341	unsigned long addr = instruction_pointer(regs);
    342	struct kprobe *cur = kprobe_running();
    343
    344	if (cur && (kcb->kprobe_status & (KPROBE_HIT_SS | KPROBE_REENTER)) &&
    345	    ((unsigned long)&cur->ainsn.api.insn[1] == addr)) {
    346		kprobes_restore_local_irqflag(kcb, regs);
    347		post_kprobe_handler(cur, kcb, regs);
    348
    349		return DBG_HOOK_HANDLED;
    350	}
    351
    352	/* not ours, kprobes should ignore it */
    353	return DBG_HOOK_ERROR;
    354}
    355
    356static struct break_hook kprobes_break_ss_hook = {
    357	.imm = KPROBES_BRK_SS_IMM,
    358	.fn = kprobe_breakpoint_ss_handler,
    359};
    360
    361static int __kprobes
    362kprobe_breakpoint_handler(struct pt_regs *regs, unsigned long esr)
    363{
    364	kprobe_handler(regs);
    365	return DBG_HOOK_HANDLED;
    366}
    367
    368static struct break_hook kprobes_break_hook = {
    369	.imm = KPROBES_BRK_IMM,
    370	.fn = kprobe_breakpoint_handler,
    371};
    372
    373/*
    374 * Provide a blacklist of symbols identifying ranges which cannot be kprobed.
    375 * This blacklist is exposed to userspace via debugfs (kprobes/blacklist).
    376 */
    377int __init arch_populate_kprobe_blacklist(void)
    378{
    379	int ret;
    380
    381	ret = kprobe_add_area_blacklist((unsigned long)__entry_text_start,
    382					(unsigned long)__entry_text_end);
    383	if (ret)
    384		return ret;
    385	ret = kprobe_add_area_blacklist((unsigned long)__irqentry_text_start,
    386					(unsigned long)__irqentry_text_end);
    387	if (ret)
    388		return ret;
    389	ret = kprobe_add_area_blacklist((unsigned long)__idmap_text_start,
    390					(unsigned long)__idmap_text_end);
    391	if (ret)
    392		return ret;
    393	ret = kprobe_add_area_blacklist((unsigned long)__hyp_text_start,
    394					(unsigned long)__hyp_text_end);
    395	if (ret || is_kernel_in_hyp_mode())
    396		return ret;
    397	ret = kprobe_add_area_blacklist((unsigned long)__hyp_idmap_text_start,
    398					(unsigned long)__hyp_idmap_text_end);
    399	return ret;
    400}
    401
    402void __kprobes __used *trampoline_probe_handler(struct pt_regs *regs)
    403{
    404	return (void *)kretprobe_trampoline_handler(regs, (void *)regs->regs[29]);
    405}
    406
    407void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
    408				      struct pt_regs *regs)
    409{
    410	ri->ret_addr = (kprobe_opcode_t *)regs->regs[30];
    411	ri->fp = (void *)regs->regs[29];
    412
    413	/* replace return addr (x30) with trampoline */
    414	regs->regs[30] = (long)&__kretprobe_trampoline;
    415}
    416
    417int __kprobes arch_trampoline_kprobe(struct kprobe *p)
    418{
    419	return 0;
    420}
    421
    422int __init arch_init_kprobes(void)
    423{
    424	register_kernel_break_hook(&kprobes_break_hook);
    425	register_kernel_break_hook(&kprobes_break_ss_hook);
    426
    427	return 0;
    428}