| 1 | // SPDX-License-Identifier: GPL-2.0 |
|---|
| 2 | #include <linux/highmem.h> |
|---|
| 3 | #include <linux/kdebug.h> |
|---|
| 4 | #include <linux/types.h> |
|---|
| 5 | #include <linux/notifier.h> |
|---|
| 6 | #include <linux/sched.h> |
|---|
| 7 | #include <linux/uprobes.h> |
|---|
| 8 | |
|---|
| 9 | #include <asm/branch.h> |
|---|
| 10 | #include <asm/cpu-features.h> |
|---|
| 11 | #include <asm/ptrace.h> |
|---|
| 12 | |
|---|
| 13 | #include "probes-common.h" |
|---|
| 14 | |
|---|
| 15 | static inline int insn_has_delay_slot(const union mips_instruction insn) |
|---|
| 16 | { |
|---|
| 17 | return __insn_has_delay_slot(insn: insn); |
|---|
| 18 | } |
|---|
| 19 | |
|---|
| 20 | /** |
|---|
| 21 | * arch_uprobe_analyze_insn - instruction analysis including validity and fixups. |
|---|
| 22 | * @mm: the probed address space. |
|---|
| 23 | * @arch_uprobe: the probepoint information. |
|---|
| 24 | * @addr: virtual address at which to install the probepoint |
|---|
| 25 | * Return 0 on success or a -ve number on error. |
|---|
| 26 | */ |
|---|
| 27 | int arch_uprobe_analyze_insn(struct arch_uprobe *aup, |
|---|
| 28 | struct mm_struct *mm, unsigned long addr) |
|---|
| 29 | { |
|---|
| 30 | union mips_instruction inst; |
|---|
| 31 | |
|---|
| 32 | /* |
|---|
| 33 | * For the time being this also blocks attempts to use uprobes with |
|---|
| 34 | * MIPS16 and microMIPS. |
|---|
| 35 | */ |
|---|
| 36 | if (addr & 0x03) |
|---|
| 37 | return -EINVAL; |
|---|
| 38 | |
|---|
| 39 | inst.word = aup->insn[0]; |
|---|
| 40 | |
|---|
| 41 | if (__insn_is_compact_branch(insn: inst)) { |
|---|
| 42 | pr_notice("Uprobes for compact branches are not supported\n" ); |
|---|
| 43 | return -EINVAL; |
|---|
| 44 | } |
|---|
| 45 | |
|---|
| 46 | aup->ixol[0] = aup->insn[insn_has_delay_slot(insn: inst)]; |
|---|
| 47 | aup->ixol[1] = UPROBE_BRK_UPROBE_XOL; /* NOP */ |
|---|
| 48 | |
|---|
| 49 | return 0; |
|---|
| 50 | } |
|---|
| 51 | |
|---|
| 52 | /** |
|---|
| 53 | * is_trap_insn - check if the instruction is a trap variant |
|---|
| 54 | * @insn: instruction to be checked. |
|---|
| 55 | * Returns true if @insn is a trap variant. |
|---|
| 56 | * |
|---|
| 57 | * This definition overrides the weak definition in kernel/events/uprobes.c. |
|---|
| 58 | * and is needed for the case where an architecture has multiple trap |
|---|
| 59 | * instructions (like PowerPC or MIPS). We treat BREAK just like the more |
|---|
| 60 | * modern conditional trap instructions. |
|---|
| 61 | */ |
|---|
| 62 | bool is_trap_insn(uprobe_opcode_t *insn) |
|---|
| 63 | { |
|---|
| 64 | union mips_instruction inst; |
|---|
| 65 | |
|---|
| 66 | inst.word = *insn; |
|---|
| 67 | |
|---|
| 68 | switch (inst.i_format.opcode) { |
|---|
| 69 | case spec_op: |
|---|
| 70 | switch (inst.r_format.func) { |
|---|
| 71 | case break_op: |
|---|
| 72 | case teq_op: |
|---|
| 73 | case tge_op: |
|---|
| 74 | case tgeu_op: |
|---|
| 75 | case tlt_op: |
|---|
| 76 | case tltu_op: |
|---|
| 77 | case tne_op: |
|---|
| 78 | return true; |
|---|
| 79 | } |
|---|
| 80 | break; |
|---|
| 81 | |
|---|
| 82 | case bcond_op: /* Yes, really ... */ |
|---|
| 83 | switch (inst.u_format.rt) { |
|---|
| 84 | case teqi_op: |
|---|
| 85 | case tgei_op: |
|---|
| 86 | case tgeiu_op: |
|---|
| 87 | case tlti_op: |
|---|
| 88 | case tltiu_op: |
|---|
| 89 | case tnei_op: |
|---|
| 90 | return true; |
|---|
| 91 | } |
|---|
| 92 | break; |
|---|
| 93 | } |
|---|
| 94 | |
|---|
| 95 | return false; |
|---|
| 96 | } |
|---|
| 97 | |
|---|
| 98 | #define UPROBE_TRAP_NR ULONG_MAX |
|---|
| 99 | |
|---|
| 100 | /* |
|---|
| 101 | * arch_uprobe_pre_xol - prepare to execute out of line. |
|---|
| 102 | * @auprobe: the probepoint information. |
|---|
| 103 | * @regs: reflects the saved user state of current task. |
|---|
| 104 | */ |
|---|
| 105 | int arch_uprobe_pre_xol(struct arch_uprobe *aup, struct pt_regs *regs) |
|---|
| 106 | { |
|---|
| 107 | struct uprobe_task *utask = current->utask; |
|---|
| 108 | |
|---|
| 109 | /* |
|---|
| 110 | * Now find the EPC where to resume after the breakpoint has been |
|---|
| 111 | * dealt with. This may require emulation of a branch. |
|---|
| 112 | */ |
|---|
| 113 | aup->resume_epc = regs->cp0_epc + 4; |
|---|
| 114 | if (insn_has_delay_slot((union mips_instruction) aup->insn[0])) { |
|---|
| 115 | __compute_return_epc_for_insn(regs, |
|---|
| 116 | (union mips_instruction) aup->insn[0]); |
|---|
| 117 | aup->resume_epc = regs->cp0_epc; |
|---|
| 118 | } |
|---|
| 119 | utask->autask.saved_trap_nr = current->thread.trap_nr; |
|---|
| 120 | current->thread.trap_nr = UPROBE_TRAP_NR; |
|---|
| 121 | regs->cp0_epc = current->utask->xol_vaddr; |
|---|
| 122 | |
|---|
| 123 | return 0; |
|---|
| 124 | } |
|---|
| 125 | |
|---|
| 126 | int arch_uprobe_post_xol(struct arch_uprobe *aup, struct pt_regs *regs) |
|---|
| 127 | { |
|---|
| 128 | struct uprobe_task *utask = current->utask; |
|---|
| 129 | |
|---|
| 130 | current->thread.trap_nr = utask->autask.saved_trap_nr; |
|---|
| 131 | regs->cp0_epc = aup->resume_epc; |
|---|
| 132 | |
|---|
| 133 | return 0; |
|---|
| 134 | } |
|---|
| 135 | |
|---|
| 136 | /* |
|---|
| 137 | * If xol insn itself traps and generates a signal(Say, |
|---|
| 138 | * SIGILL/SIGSEGV/etc), then detect the case where a singlestepped |
|---|
| 139 | * instruction jumps back to its own address. It is assumed that anything |
|---|
| 140 | * like do_page_fault/do_trap/etc sets thread.trap_nr != -1. |
|---|
| 141 | * |
|---|
| 142 | * arch_uprobe_pre_xol/arch_uprobe_post_xol save/restore thread.trap_nr, |
|---|
| 143 | * arch_uprobe_xol_was_trapped() simply checks that ->trap_nr is not equal to |
|---|
| 144 | * UPROBE_TRAP_NR == -1 set by arch_uprobe_pre_xol(). |
|---|
| 145 | */ |
|---|
| 146 | bool arch_uprobe_xol_was_trapped(struct task_struct *tsk) |
|---|
| 147 | { |
|---|
| 148 | if (tsk->thread.trap_nr != UPROBE_TRAP_NR) |
|---|
| 149 | return true; |
|---|
| 150 | |
|---|
| 151 | return false; |
|---|
| 152 | } |
|---|
| 153 | |
|---|
| 154 | int arch_uprobe_exception_notify(struct notifier_block *self, |
|---|
| 155 | unsigned long val, void *data) |
|---|
| 156 | { |
|---|
| 157 | struct die_args *args = data; |
|---|
| 158 | struct pt_regs *regs = args->regs; |
|---|
| 159 | |
|---|
| 160 | /* regs == NULL is a kernel bug */ |
|---|
| 161 | if (WARN_ON(!regs)) |
|---|
| 162 | return NOTIFY_DONE; |
|---|
| 163 | |
|---|
| 164 | /* We are only interested in userspace traps */ |
|---|
| 165 | if (!user_mode(regs)) |
|---|
| 166 | return NOTIFY_DONE; |
|---|
| 167 | |
|---|
| 168 | switch (val) { |
|---|
| 169 | case DIE_UPROBE: |
|---|
| 170 | if (uprobe_pre_sstep_notifier(regs)) |
|---|
| 171 | return NOTIFY_STOP; |
|---|
| 172 | break; |
|---|
| 173 | case DIE_UPROBE_XOL: |
|---|
| 174 | if (uprobe_post_sstep_notifier(regs)) |
|---|
| 175 | return NOTIFY_STOP; |
|---|
| 176 | break; |
|---|
| 177 | default: |
|---|
| 178 | break; |
|---|
| 179 | } |
|---|
| 180 | |
|---|
| 181 | return 0; |
|---|
| 182 | } |
|---|
| 183 | |
|---|
| 184 | /* |
|---|
| 185 | * This function gets called when XOL instruction either gets trapped or |
|---|
| 186 | * the thread has a fatal signal. Reset the instruction pointer to its |
|---|
| 187 | * probed address for the potential restart or for post mortem analysis. |
|---|
| 188 | */ |
|---|
| 189 | void arch_uprobe_abort_xol(struct arch_uprobe *aup, |
|---|
| 190 | struct pt_regs *regs) |
|---|
| 191 | { |
|---|
| 192 | struct uprobe_task *utask = current->utask; |
|---|
| 193 | |
|---|
| 194 | current->thread.trap_nr = utask->autask.saved_trap_nr; |
|---|
| 195 | instruction_pointer_set(regs, val: utask->vaddr); |
|---|
| 196 | } |
|---|
| 197 | |
|---|
| 198 | unsigned long arch_uretprobe_hijack_return_addr( |
|---|
| 199 | unsigned long trampoline_vaddr, struct pt_regs *regs) |
|---|
| 200 | { |
|---|
| 201 | unsigned long ra; |
|---|
| 202 | |
|---|
| 203 | ra = regs->regs[31]; |
|---|
| 204 | |
|---|
| 205 | /* Replace the return address with the trampoline address */ |
|---|
| 206 | regs->regs[31] = trampoline_vaddr; |
|---|
| 207 | |
|---|
| 208 | return ra; |
|---|
| 209 | } |
|---|
| 210 | |
|---|
| 211 | void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr, |
|---|
| 212 | void *src, unsigned long len) |
|---|
| 213 | { |
|---|
| 214 | unsigned long kaddr, kstart; |
|---|
| 215 | |
|---|
| 216 | /* Initialize the slot */ |
|---|
| 217 | kaddr = (unsigned long)kmap_atomic(page); |
|---|
| 218 | kstart = kaddr + (vaddr & ~PAGE_MASK); |
|---|
| 219 | memcpy((void *)kstart, src, len); |
|---|
| 220 | flush_icache_range(start: kstart, end: kstart + len); |
|---|
| 221 | kunmap_atomic((void *)kaddr); |
|---|
| 222 | } |
|---|
| 223 | |
|---|
| 224 | /** |
|---|
| 225 | * uprobe_get_swbp_addr - compute address of swbp given post-swbp regs |
|---|
| 226 | * @regs: Reflects the saved state of the task after it has hit a breakpoint |
|---|
| 227 | * instruction. |
|---|
| 228 | * Return the address of the breakpoint instruction. |
|---|
| 229 | * |
|---|
| 230 | * This overrides the weak version in kernel/events/uprobes.c. |
|---|
| 231 | */ |
|---|
| 232 | unsigned long uprobe_get_swbp_addr(struct pt_regs *regs) |
|---|
| 233 | { |
|---|
| 234 | return instruction_pointer(regs); |
|---|
| 235 | } |
|---|
| 236 | |
|---|
| 237 | /* |
|---|
| 238 | * See if the instruction can be emulated. |
|---|
| 239 | * Returns true if instruction was emulated, false otherwise. |
|---|
| 240 | * |
|---|
| 241 | * For now we always emulate so this function just returns false. |
|---|
| 242 | */ |
|---|
| 243 | bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs) |
|---|
| 244 | { |
|---|
| 245 | return false; |
|---|
| 246 | } |
|---|
| 247 | |
|---|
