2 * Dynamic Binary Instrumentation Module based on KProbes
3 * modules/kprobe/arch/asm-arm/dbi_kprobes.c
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 * Copyright (C) Samsung Electronics, 2006-2010
21 * 2006-2007 Ekaterina Gorelkina <e.gorelkina@samsung.com>: initial implementation for ARM/MIPS
22 * 2008-2009 Alexey Gerenkov <a.gerenkov@samsung.com> User-Space
23 * Probes initial implementation; Support x86.
24 * 2010 Ekaterina Gorelkina <e.gorelkina@samsung.com>: redesign module for separating core and arch parts
25 * 2010-2011 Alexander Shirshikov <a.shirshikov@samsung.com>: initial implementation for Thumb
26 * 2012 Stanislav Andreev <s.andreev@samsung.com>: added time debug profiling support; BUG() message fix
27 * 2012 Stanislav Andreev <s.andreev@samsung.com>: redesign of kprobe functionality -
28 * kprobe_handler() now called via undefined instruction hooks
29 * 2012 Stanislav Andreev <s.andreev@samsung.com>: hash tables search implemented for uprobes
32 #include <linux/module.h>
35 #include "dbi_kprobes.h"
36 #include "trampoline_arm.h"
37 #include "../dbi_kprobes.h"
38 #include "../../dbi_kprobes.h"
40 #include "../../dbi_kdebug.h"
41 #include "../../dbi_insn_slots.h"
42 #include "../../dbi_kprobes_deps.h"
45 #include <asm/cacheflush.h>
46 #include <asm/traps.h>
47 #include <asm/ptrace.h>
48 #include <linux/list.h>
49 #include <linux/hash.h>
51 #define SUPRESS_BUG_MESSAGES
53 extern struct kprobe * per_cpu__current_kprobe;
54 extern struct hlist_head kprobe_table[KPROBE_TABLE_SIZE];
56 static void (*__swap_register_undef_hook)(struct undef_hook *hook);
57 static void (*__swap_unregister_undef_hook)(struct undef_hook *hook);
59 static struct kprobe trampoline_p =
61 .addr = (kprobe_opcode_t *) & kretprobe_trampoline,
62 .pre_handler = trampoline_probe_handler
65 int prep_pc_dep_insn_execbuf(kprobe_opcode_t *insns, kprobe_opcode_t insn, int uregs)
73 for (i = 0; i < 13; i++, reg_mask <<= 1)
75 if (!(insn & reg_mask))
81 for (i = 0; i < 13; i++)
83 if ((uregs & 0x1) && (ARM_INSN_REG_RN (insn) == i))
85 if ((uregs & 0x2) && (ARM_INSN_REG_RD (insn) == i))
87 if ((uregs & 0x4) && (ARM_INSN_REG_RS (insn) == i))
89 if ((uregs & 0x8) && (ARM_INSN_REG_RM (insn) == i))
96 DBPRINTF ("there are no free register %x in insn %lx!", uregs, insn);
99 DBPRINTF ("prep_pc_dep_insn_execbuf: using R%d, changing regs %x", i, uregs);
101 // set register to save
102 ARM_INSN_REG_SET_RD (insns[0], i);
103 // set register to load address to
104 ARM_INSN_REG_SET_RD (insns[1], i);
105 // set instruction to execute and patch it
108 ARM_INSN_REG_CLEAR_MR (insn, 15);
109 ARM_INSN_REG_SET_MR (insn, i);
113 if ((uregs & 0x1) && (ARM_INSN_REG_RN (insn) == 15))
114 ARM_INSN_REG_SET_RN (insn, i);
115 if ((uregs & 0x2) && (ARM_INSN_REG_RD (insn) == 15))
116 ARM_INSN_REG_SET_RD (insn, i);
117 if ((uregs & 0x4) && (ARM_INSN_REG_RS (insn) == 15))
118 ARM_INSN_REG_SET_RS (insn, i);
119 if ((uregs & 0x8) && (ARM_INSN_REG_RM (insn) == 15))
120 ARM_INSN_REG_SET_RM (insn, i);
122 insns[UPROBES_TRAMP_INSN_IDX] = insn;
123 // set register to restore
124 ARM_INSN_REG_SET_RD (insns[3], i);
127 EXPORT_SYMBOL_GPL(prep_pc_dep_insn_execbuf);
129 int arch_check_insn_arm(struct arch_specific_insn *ainsn)
133 // check instructions that can change PC by nature
135 // ARM_INSN_MATCH (UNDEF, ainsn->insn_arm[0]) ||
136 ARM_INSN_MATCH (AUNDEF, ainsn->insn_arm[0]) ||
137 ARM_INSN_MATCH (SWI, ainsn->insn_arm[0]) ||
138 ARM_INSN_MATCH (BREAK, ainsn->insn_arm[0]) ||
139 ARM_INSN_MATCH (BL, ainsn->insn_arm[0]) ||
140 ARM_INSN_MATCH (BLX1, ainsn->insn_arm[0]) ||
141 ARM_INSN_MATCH (BLX2, ainsn->insn_arm[0]) ||
142 ARM_INSN_MATCH (BX, ainsn->insn_arm[0]) ||
143 ARM_INSN_MATCH (BXJ, ainsn->insn_arm[0]))
145 DBPRINTF ("Bad insn arch_check_insn_arm: %lx\n", ainsn->insn_arm[0]);
148 #ifndef CONFIG_CPU_V7
149 // check instructions that can write result to PC
150 else if ((ARM_INSN_MATCH (DPIS, ainsn->insn_arm[0]) ||
151 ARM_INSN_MATCH (DPRS, ainsn->insn_arm[0]) ||
152 ARM_INSN_MATCH (DPI, ainsn->insn_arm[0]) ||
153 ARM_INSN_MATCH (LIO, ainsn->insn_arm[0]) ||
154 ARM_INSN_MATCH (LRO, ainsn->insn_arm[0])) &&
155 (ARM_INSN_REG_RD (ainsn->insn_arm[0]) == 15))
157 DBPRINTF ("Bad arch_check_insn_arm: %lx\n", ainsn->insn_arm[0]);
160 #endif // CONFIG_CPU_V7
161 // check special instruction loads store multiple registers
162 else if ((ARM_INSN_MATCH (LM, ainsn->insn_arm[0]) || ARM_INSN_MATCH (SM, ainsn->insn_arm[0])) &&
163 // store pc or load to pc
164 (ARM_INSN_REG_MR (ainsn->insn_arm[0], 15) ||
165 // store/load with pc update
166 ((ARM_INSN_REG_RN (ainsn->insn_arm[0]) == 15) && (ainsn->insn_arm[0] & 0x200000))))
168 DBPRINTF ("Bad insn arch_check_insn_arm: %lx\n", ainsn->insn_arm[0]);
173 EXPORT_SYMBOL_GPL(arch_check_insn_arm);
175 int arch_prepare_kprobe (struct kprobe *p)
177 kprobe_opcode_t insns[KPROBES_TRAMP_LEN];
178 int uregs, pc_dep, ret = 0;
179 kprobe_opcode_t insn[MAX_INSN_SIZE];
180 struct arch_specific_insn ainsn;
182 /* insn: must be on special executable page on i386. */
183 p->ainsn.insn = get_insn_slot(NULL, &kprobe_insn_pages, 0);
187 memcpy (insn, p->addr, MAX_INSN_SIZE * sizeof (kprobe_opcode_t));
188 ainsn.insn_arm = ainsn.insn = insn;
189 ret = arch_check_insn_arm (&ainsn);
192 p->opcode = *p->addr;
196 if(ARM_INSN_MATCH (DPIS, insn[0]) || ARM_INSN_MATCH (LRO, insn[0]) ||
197 ARM_INSN_MATCH (SRO, insn[0]))
200 if( (ARM_INSN_REG_RN (insn[0]) == 15) || (ARM_INSN_REG_RM (insn[0]) == 15) ||
201 (ARM_INSN_MATCH (SRO, insn[0]) && (ARM_INSN_REG_RD (insn[0]) == 15)) )
203 DBPRINTF ("Unboostable insn %lx, DPIS/LRO/SRO\n", insn[0]);
208 else if(ARM_INSN_MATCH (DPI, insn[0]) || ARM_INSN_MATCH (LIO, insn[0]) ||
209 ARM_INSN_MATCH (SIO, insn[0]))
212 if ((ARM_INSN_REG_RN (insn[0]) == 15) || (ARM_INSN_MATCH (SIO, insn[0]) &&
213 (ARM_INSN_REG_RD (insn[0]) == 15)))
216 DBPRINTF ("Unboostable insn %lx/%p, DPI/LIO/SIO\n", insn[0], p);
220 else if(ARM_INSN_MATCH (DPRS, insn[0]))
223 if ((ARM_INSN_REG_RN (insn[0]) == 15) || (ARM_INSN_REG_RM (insn[0]) == 15) ||
224 (ARM_INSN_REG_RS (insn[0]) == 15))
227 DBPRINTF ("Unboostable insn %lx, DPRS\n", insn[0]);
231 else if(ARM_INSN_MATCH (SM, insn[0]))
234 if (ARM_INSN_REG_MR (insn[0], 15))
236 DBPRINTF ("Unboostable insn %lx, SM\n", insn[0]);
240 // check instructions that can write result to SP andu uses PC
241 if (pc_dep && (ARM_INSN_REG_RD (ainsn.insn[0]) == 13))
243 free_insn_slot(&kprobe_insn_pages, NULL, p->ainsn.insn);
250 memcpy (insns, pc_dep_insn_execbuf, sizeof (insns));
251 if (prep_pc_dep_insn_execbuf (insns, insn[0], uregs) != 0)
253 DBPRINTF ("failed to prepare exec buffer for insn %lx!", insn[0]);
254 free_insn_slot(&kprobe_insn_pages, NULL, p->ainsn.insn);
257 insns[6] = (kprobe_opcode_t) (p->addr + 2);
261 memcpy (insns, gen_insn_execbuf, sizeof (insns));
262 insns[KPROBES_TRAMP_INSN_IDX] = insn[0];
264 insns[7] = (kprobe_opcode_t) (p->addr + 1);
265 DBPRINTF ("arch_prepare_kprobe: insn %lx", insn[0]);
266 DBPRINTF ("arch_prepare_kprobe: to %p - %lx %lx %lx %lx %lx %lx %lx %lx %lx",
267 p->ainsn.insn, insns[0], insns[1], insns[2], insns[3], insns[4],
268 insns[5], insns[6], insns[7], insns[8]);
269 memcpy (p->ainsn.insn, insns, sizeof(insns));
270 flush_icache_range((long unsigned)p->ainsn.insn, (long unsigned)(p->ainsn.insn) + sizeof(insns));
278 free_insn_slot(&kprobe_insn_pages, NULL, p->ainsn.insn);
279 printk("arch_prepare_kprobe: instruction 0x%lx not instrumentation, addr=0x%p\n", insn[0], p->addr);
285 void prepare_singlestep (struct kprobe *p, struct pt_regs *regs)
288 regs->ARM_pc = (unsigned long)p->ss_addr;
291 regs->ARM_pc = (unsigned long)p->ainsn.insn;
294 EXPORT_SYMBOL_GPL(prepare_singlestep);
296 void save_previous_kprobe(struct kprobe_ctlblk *kcb, struct kprobe *p_run)
298 kcb->prev_kprobe.kp = kprobe_running();
299 kcb->prev_kprobe.status = kcb->kprobe_status;
302 void restore_previous_kprobe(struct kprobe_ctlblk *kcb)
304 __get_cpu_var(current_kprobe) = kcb->prev_kprobe.kp;
305 kcb->kprobe_status = kcb->prev_kprobe.status;
308 void set_current_kprobe(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
310 __get_cpu_var(current_kprobe) = p;
311 DBPRINTF ("set_current_kprobe: p=%p addr=%p\n", p, p->addr);
314 static int kprobe_handler(struct pt_regs *regs)
316 struct kprobe *p, *cur;
317 struct kprobe_ctlblk *kcb;
319 kcb = get_kprobe_ctlblk();
320 cur = kprobe_running();
321 p = get_kprobe((void *)regs->ARM_pc);
325 /* Kprobe is pending, so we're recursing. */
326 switch (kcb->kprobe_status) {
327 case KPROBE_HIT_ACTIVE:
328 case KPROBE_HIT_SSDONE:
329 /* A pre- or post-handler probe got us here. */
330 kprobes_inc_nmissed_count(p);
331 save_previous_kprobe(kcb, NULL);
332 set_current_kprobe(p, 0, 0);
333 kcb->kprobe_status = KPROBE_REENTER;
334 prepare_singlestep(p, regs);
335 restore_previous_kprobe(kcb);
338 /* impossible cases */
342 set_current_kprobe(p, 0, 0);
343 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
345 if (!p->pre_handler || !p->pre_handler(p, regs)) {
346 kcb->kprobe_status = KPROBE_HIT_SS;
347 prepare_singlestep(p, regs);
348 reset_current_kprobe();
358 printk("no_kprobe\n");
362 int kprobe_trap_handler(struct pt_regs *regs, unsigned int instr)
367 #ifdef SUPRESS_BUG_MESSAGES
368 int swap_oops_in_progress;
369 /* oops_in_progress used to avoid BUG() messages
370 * that slow down kprobe_handler() execution */
371 swap_oops_in_progress = oops_in_progress;
372 oops_in_progress = 1;
375 local_irq_save(flags);
377 ret = kprobe_handler(regs);
378 preempt_enable_no_resched();
379 local_irq_restore(flags);
381 #ifdef SUPRESS_BUG_MESSAGES
382 oops_in_progress = swap_oops_in_progress;
388 int setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
390 struct jprobe *jp = container_of(p, struct jprobe, kp);
391 kprobe_pre_entry_handler_t pre_entry = (kprobe_pre_entry_handler_t)jp->pre_entry;
392 entry_point_t entry = (entry_point_t)jp->entry;
393 pre_entry = (kprobe_pre_entry_handler_t)jp->pre_entry;
395 if (((unsigned long)p->addr == sched_addr) && sched_rp) {
396 struct thread_info *tinfo = (struct thread_info *)regs->ARM_r2;
397 patch_suspended_task(sched_rp, tinfo->task);
401 p->ss_addr = (void *)pre_entry (jp->priv_arg, regs);
405 entry(regs->ARM_r0, regs->ARM_r1, regs->ARM_r2,
406 regs->ARM_r3, regs->ARM_r4, regs->ARM_r5);
414 void dbi_jprobe_return (void)
418 int longjmp_break_handler (struct kprobe *p, struct pt_regs *regs)
422 EXPORT_SYMBOL_GPL(longjmp_break_handler);
424 void arch_arm_kprobe (struct kprobe *p)
426 *p->addr = BREAKPOINT_INSTRUCTION;
427 flush_icache_range ((unsigned long) p->addr, (unsigned long) p->addr + sizeof (kprobe_opcode_t));
430 void arch_disarm_kprobe (struct kprobe *p)
432 *p->addr = p->opcode;
433 flush_icache_range ((unsigned long) p->addr, (unsigned long) p->addr + sizeof (kprobe_opcode_t));
437 int trampoline_probe_handler (struct kprobe *p, struct pt_regs *regs)
439 struct kretprobe_instance *ri = NULL;
440 struct hlist_head *head;
441 struct hlist_node *node, *tmp;
442 unsigned long flags, orig_ret_address = 0;
443 unsigned long trampoline_address = (unsigned long) &kretprobe_trampoline;
445 struct kretprobe *crp = NULL;
446 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk ();
450 spin_lock_irqsave (&kretprobe_lock, flags);
453 * We are using different hash keys (current and mm) for finding kernel
454 * space and user space probes. Kernel space probes can change mm field in
455 * task_struct. User space probes can be shared between threads of one
456 * process so they have different current but same mm.
458 head = kretprobe_inst_table_head(current);
461 * It is possible to have multiple instances associated with a given
462 * task either because an multiple functions in the call path
463 * have a return probe installed on them, and/or more then one
464 * return probe was registered for a target function.
466 * We can handle this because:
467 * - instances are always inserted at the head of the list
468 * - when multiple return probes are registered for the same
469 * function, the first instance's ret_addr will point to the
470 * real return address, and all the rest will point to
471 * kretprobe_trampoline
473 hlist_for_each_entry_safe (ri, node, tmp, head, hlist)
475 if (ri->task != current)
476 /* another task is sharing our hash bucket */
478 if (ri->rp && ri->rp->handler){
479 ri->rp->handler (ri, regs, ri->rp->priv_arg);
482 orig_ret_address = (unsigned long) ri->ret_addr;
483 recycle_rp_inst (ri);
484 if (orig_ret_address != trampoline_address)
486 * This is the real return address. Any other
487 * instances associated with this task are for
488 * other calls deeper on the call stack
492 kretprobe_assert (ri, orig_ret_address, trampoline_address);
494 regs->uregs[14] = orig_ret_address;
495 DBPRINTF ("regs->uregs[14] = 0x%lx\n", regs->uregs[14]);
496 DBPRINTF ("regs->uregs[15] = 0x%lx\n", regs->uregs[15]);
498 if (trampoline_address != (unsigned long) &kretprobe_trampoline)
500 regs->uregs[15] = orig_ret_address;
502 if (!thumb_mode( regs )) regs->uregs[15] += 4;
503 else regs->uregs[15] += 2;
506 DBPRINTF ("regs->uregs[15] = 0x%lx\n", regs->uregs[15]);
508 if(p){ // ARM, MIPS, X86 user space
509 if (thumb_mode( regs ) && !(regs->uregs[14] & 0x01))
511 regs->ARM_cpsr &= 0xFFFFFFDF;
513 if (user_mode( regs ) && (regs->uregs[14] & 0x01))
515 regs->ARM_cpsr |= 0x20;
519 if (kcb->kprobe_status == KPROBE_REENTER) {
520 restore_previous_kprobe(kcb);
522 reset_current_kprobe();
526 spin_unlock_irqrestore (&kretprobe_lock, flags);
529 * By returning a non-zero value, we are telling
530 * kprobe_handler() that we don't want the post_handler
531 * to run (and have re-enabled preemption)
536 EXPORT_SYMBOL_GPL(trampoline_probe_handler);
538 void arch_prepare_kretprobe(struct kretprobe *rp, struct pt_regs *regs)
540 struct kretprobe_instance *ri;
542 DBPRINTF ("start\n");
543 //TODO: test - remove retprobe after func entry but before its exit
544 if ((ri = get_free_rp_inst (rp)) != NULL)
548 ri->ret_addr = (kprobe_opcode_t *) regs->uregs[14];
549 ri->sp = (kprobe_opcode_t *)regs->ARM_sp; //uregs[13];
551 /* Set flag of current mode */
552 ri->sp = (kprobe_opcode_t *)((long)ri->sp | !!thumb_mode(regs));
554 /* Replace the return addr with trampoline addr */
555 regs->uregs[14] = (unsigned long) &kretprobe_trampoline;
557 // DBPRINTF ("ret addr set to %p->%lx\n", ri->ret_addr, regs->uregs[14]);
561 DBPRINTF ("WARNING: missed retprobe %p\n", rp->kp.addr);
566 void swap_register_undef_hook(struct undef_hook *hook)
568 __swap_register_undef_hook(hook);
570 EXPORT_SYMBOL_GPL(swap_register_undef_hook);
572 void swap_unregister_undef_hook(struct undef_hook *hook)
574 __swap_unregister_undef_hook(hook);
576 EXPORT_SYMBOL_GPL(swap_unregister_undef_hook);
578 // kernel probes hook
579 static struct undef_hook undef_ho_k = {
580 .instr_mask = 0xffffffff,
581 .instr_val = BREAKPOINT_INSTRUCTION,
582 .cpsr_mask = MODE_MASK,
583 .cpsr_val = SVC_MODE,
584 .fn = kprobe_trap_handler
587 int arch_init_kprobes(void)
591 // Register hooks (kprobe_handler)
592 __swap_register_undef_hook = swap_ksyms("register_undef_hook");
593 if (__swap_register_undef_hook == NULL) {
594 printk("no register_undef_hook symbol found!\n");
598 // Unregister hooks (kprobe_handler)
599 __swap_unregister_undef_hook = swap_ksyms("unregister_undef_hook");
600 if (__swap_unregister_undef_hook == NULL) {
601 printk("no unregister_undef_hook symbol found!\n");
605 swap_register_undef_hook(&undef_ho_k);
606 if ((ret = dbi_register_kprobe (&trampoline_p)) != 0) {
607 //dbi_unregister_jprobe(&do_exit_p, 0);
613 void arch_exit_kprobes(void)
615 swap_unregister_undef_hook(&undef_ho_k);
618 /* export symbol for trampoline_arm.h */
619 EXPORT_SYMBOL_GPL(gen_insn_execbuf);
620 EXPORT_SYMBOL_GPL(pc_dep_insn_execbuf);