From 41dde781f50c39cddc8032fc04d6a7d538237737 Mon Sep 17 00:00:00 2001 From: Maneesh Soni Date: Tue, 8 Nov 2011 17:04:54 +0530 Subject: MIPS Kprobes: Fix OOPS in arch_prepare_kprobe() This patch fixes the arch_prepare_kprobe() on MIPS when it tries to find the instruction at the previous address to the probed address. The oops happens when the probed address is the first address in a kernel module and there is no previous address. The patch uses probe_kernel_read() to safely read the previous instruction. CPU 3 Unable to handle kernel paging request at virtual address ffffffffc0211ffc, epc == ffffffff81113204, ra == ffffffff8111511c Oops[#1]: Cpu 3 $ 0 : 0000000000000000 0000000000000001 ffffffffc0212000 0000000000000000 $ 4 : ffffffffc0220030 0000000000000000 0000000000000adf ffffffff81a3f898 $ 8 : ffffffffc0220030 ffffffffffffffff 000000000000ffff 0000000000004821 $12 : 000000000000000a ffffffff81105ddc ffffffff812927d0 0000000000000000 $16 : ffffffff81a40000 ffffffffc0220030 ffffffffc0220030 ffffffffc0212660 $20 : 0000000000000000 0000000000000008 efffffffffffffff ffffffffc0220000 $24 : 0000000000000002 ffffffff8139f5b0 $28 : a800000072adc000 a800000072adfca0 ffffffffc0220000 ffffffff8111511c Hi : 0000000000000000 Lo : 0000000000000000 epc : ffffffff81113204 arch_prepare_kprobe+0x1c/0xe8 Tainted: P ra : ffffffff8111511c register_kprobe+0x33c/0x730 Status: 10008ce3 KX SX UX KERNEL EXL IE Cause : 00800008 BadVA : ffffffffc0211ffc PrId : 000d9008 (Cavium Octeon II) Modules linked in: bpa_mem crashinfo pds tun cpumem ipv6 exportfs nfsd OOBnd(P) OOBhal(P) cvmx_mdio cvmx_gpio aipcmod(P) mtsmod procfs(P) utaker_mod dplr_pci hello atomicm_foo [last unloaded: sysmgr_hb] Process stapio (pid: 5603, threadinfo=a800000072adc000, task=a8000000722e0438, tls=000000002b4bcda0) Stack : ffffffff81a40000 ffffffff81a40000 ffffffffc0220030 ffffffff8111511c ffffffffc0218008 0000000000000001 ffffffffc0218008 0000000000000001 ffffffffc0220000 ffffffffc021efe8 1000000000000000 0000000000000008 efffffffffffffff ffffffffc0220000 ffffffffc0220000 ffffffffc021d500 0000000000000022 0000000000000002 1111000072be02b8 0000000000000000 00000000000015e6 00000000000015e6 00000000007d0f00 a800000072be02b8 0000000000000000 ffffffff811d16c8 a80000000382e3b0 ffffffff811d5ba0 ffffffff81b0a270 ffffffff81b0a270 ffffffffc0212000 0000000000000013 ffffffffc0220030 ffffffffc021ed00 a800000089114c80 000000007f90d590 a800000072adfe38 a800000089114c80 0000000010020000 0000000010020000 ... Call Trace: [] arch_prepare_kprobe+0x1c/0xe8 [] register_kprobe+0x33c/0x730 [] _stp_ctl_write_cmd+0x8e8/0xa88 [atomicm_foo] [] vfs_write+0xb4/0x178 [] SyS_write+0x58/0x148 [] handle_sysn32+0x44/0x84 Code: ffb20010 ffb00000 dc820028 <8c44fffc> 8c500000 0c4449e0 0004203c 14400029 3c048199 Signed-off-by: Maneesh Soni Signed-off-by: Victor Kamensky Cc: David Daney Cc: ananth@in.ibm.com Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2915/ Signed-off-by: Ralf Baechle --- arch/mips/kernel/kprobes.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'arch/mips/kernel/kprobes.c') diff --git a/arch/mips/kernel/kprobes.c b/arch/mips/kernel/kprobes.c index ee28683fc2ac..9fb1876cb0bd 100644 --- a/arch/mips/kernel/kprobes.c +++ b/arch/mips/kernel/kprobes.c @@ -25,6 +25,7 @@ #include #include +#include #include #include @@ -118,11 +119,19 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) union mips_instruction prev_insn; int ret = 0; - prev_insn = p->addr[-1]; insn = p->addr[0]; - if (insn_has_delayslot(insn) || insn_has_delayslot(prev_insn)) { - pr_notice("Kprobes for branch and jump instructions are not supported\n"); + if (insn_has_delayslot(insn)) { + pr_notice("Kprobes for branch and jump instructions are not" + "supported\n"); + ret = -EINVAL; + goto out; + } + + if ((probe_kernel_read(&prev_insn, p->addr - 1, + sizeof(mips_instruction)) == 0) && + insn_has_delayslot(prev_insn)) { + pr_notice("Kprobes for branch delayslot are not supported\n"); ret = -EINVAL; goto out; } -- cgit v1.2.3 From 9233c1ee71bdd3c8a918c8e17026cf3f7d99c90b Mon Sep 17 00:00:00 2001 From: Maneesh Soni Date: Tue, 8 Nov 2011 17:05:35 +0530 Subject: MIPS Kprobes: Deny probes on ll/sc instructions As ll/sc instruction are for atomic read-modify-write operations, allowing probes on top of these insturctions is a bad idea. Signed-off-by: Victor Kamensky Signed-off-by: Maneesh Soni Cc: David Daney Cc: ananth@in.ibm.com Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2912/ Signed-off-by: Ralf Baechle --- arch/mips/kernel/kprobes.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'arch/mips/kernel/kprobes.c') diff --git a/arch/mips/kernel/kprobes.c b/arch/mips/kernel/kprobes.c index 9fb1876cb0bd..0ab1a5ff1049 100644 --- a/arch/mips/kernel/kprobes.c +++ b/arch/mips/kernel/kprobes.c @@ -113,6 +113,30 @@ insn_ok: return 0; } +/* + * insn_has_ll_or_sc function checks whether instruction is ll or sc + * one; putting breakpoint on top of atomic ll/sc pair is bad idea; + * so we need to prevent it and refuse kprobes insertion for such + * instructions; cannot do much about breakpoint in the middle of + * ll/sc pair; it is upto user to avoid those places + */ +static int __kprobes insn_has_ll_or_sc(union mips_instruction insn) +{ + int ret = 0; + + switch (insn.i_format.opcode) { + case ll_op: + case lld_op: + case sc_op: + case scd_op: + ret = 1; + break; + default: + break; + } + return ret; +} + int __kprobes arch_prepare_kprobe(struct kprobe *p) { union mips_instruction insn; @@ -121,6 +145,13 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) insn = p->addr[0]; + if (insn_has_ll_or_sc(insn)) { + pr_notice("Kprobes for ll and sc instructions are not" + "supported\n"); + ret = -EINVAL; + goto out; + } + if (insn_has_delayslot(insn)) { pr_notice("Kprobes for branch and jump instructions are not" "supported\n"); -- cgit v1.2.3 From 6457a396bbc20656009eaf950ca165912a943520 Mon Sep 17 00:00:00 2001 From: Maneesh Soni Date: Tue, 8 Nov 2011 17:08:26 +0530 Subject: MIPS Kprobes: Support branch instructions probing This patch provides support for kprobes on branch instructions. The branch instruction at the probed address is actually emulated and not executed out-of-line like other normal instructions. Instead the delay-slot instruction is copied and single stepped out of line. At the time of probe hit, the original branch instruction is evaluated and the target cp0_epc is computed similar to compute_retrun_epc(). It is also checked if the delay slot instruction can be skipped, which is true if there is a NOP in delay slot or branch is taken in case of branch likely instructions. Once the delay slot instruction is single stepped the normal execution resume with the cp0_epc updated the earlier computed cp0_epc as per the branch instructions. Signed-off-by: Maneesh Soni Signed-off-by: Victor Kamensky Cc: David Daney Cc: ananth@in.ibm.com Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2914/ Signed-off-by: Ralf Baechle --- arch/mips/kernel/kprobes.c | 145 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 112 insertions(+), 33 deletions(-) (limited to 'arch/mips/kernel/kprobes.c') diff --git a/arch/mips/kernel/kprobes.c b/arch/mips/kernel/kprobes.c index 0ab1a5ff1049..158467da9bc1 100644 --- a/arch/mips/kernel/kprobes.c +++ b/arch/mips/kernel/kprobes.c @@ -30,6 +30,7 @@ #include #include +#include #include #include @@ -152,13 +153,6 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) goto out; } - if (insn_has_delayslot(insn)) { - pr_notice("Kprobes for branch and jump instructions are not" - "supported\n"); - ret = -EINVAL; - goto out; - } - if ((probe_kernel_read(&prev_insn, p->addr - 1, sizeof(mips_instruction)) == 0) && insn_has_delayslot(prev_insn)) { @@ -178,9 +172,20 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) * In the kprobe->ainsn.insn[] array we store the original * instruction at index zero and a break trap instruction at * index one. + * + * On MIPS arch if the instruction at probed address is a + * branch instruction, we need to execute the instruction at + * Branch Delayslot (BD) at the time of probe hit. As MIPS also + * doesn't have single stepping support, the BD instruction can + * not be executed in-line and it would be executed on SSOL slot + * using a normal breakpoint instruction in the next slot. + * So, read the instruction and save it for later execution. */ + if (insn_has_delayslot(insn)) + memcpy(&p->ainsn.insn[0], p->addr + 1, sizeof(kprobe_opcode_t)); + else + memcpy(&p->ainsn.insn[0], p->addr, sizeof(kprobe_opcode_t)); - memcpy(&p->ainsn.insn[0], p->addr, sizeof(kprobe_opcode_t)); p->ainsn.insn[1] = breakpoint2_insn; p->opcode = *p->addr; @@ -231,16 +236,96 @@ static void set_current_kprobe(struct kprobe *p, struct pt_regs *regs, kcb->kprobe_saved_epc = regs->cp0_epc; } -static void prepare_singlestep(struct kprobe *p, struct pt_regs *regs) +/** + * evaluate_branch_instrucion - + * + * Evaluate the branch instruction at probed address during probe hit. The + * result of evaluation would be the updated epc. The insturction in delayslot + * would actually be single stepped using a normal breakpoint) on SSOL slot. + * + * The result is also saved in the kprobe control block for later use, + * in case we need to execute the delayslot instruction. The latter will be + * false for NOP instruction in dealyslot and the branch-likely instructions + * when the branch is taken. And for those cases we set a flag as + * SKIP_DELAYSLOT in the kprobe control block + */ +static int evaluate_branch_instruction(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb) { + union mips_instruction insn = p->opcode; + long epc; + int ret = 0; + + epc = regs->cp0_epc; + if (epc & 3) + goto unaligned; + + if (p->ainsn.insn->word == 0) + kcb->flags |= SKIP_DELAYSLOT; + else + kcb->flags &= ~SKIP_DELAYSLOT; + + ret = __compute_return_epc_for_insn(regs, insn); + if (ret < 0) + return ret; + + if (ret == BRANCH_LIKELY_TAKEN) + kcb->flags |= SKIP_DELAYSLOT; + + kcb->target_epc = regs->cp0_epc; + + return 0; + +unaligned: + pr_notice("%s: unaligned epc - sending SIGBUS.\n", current->comm); + force_sig(SIGBUS, current); + return -EFAULT; + +} + +static void prepare_singlestep(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb) +{ + int ret = 0; + regs->cp0_status &= ~ST0_IE; /* single step inline if the instruction is a break */ if (p->opcode.word == breakpoint_insn.word || p->opcode.word == breakpoint2_insn.word) regs->cp0_epc = (unsigned long)p->addr; - else - regs->cp0_epc = (unsigned long)&p->ainsn.insn[0]; + else if (insn_has_delayslot(p->opcode)) { + ret = evaluate_branch_instruction(p, regs, kcb); + if (ret < 0) { + pr_notice("Kprobes: Error in evaluating branch\n"); + return; + } + } + regs->cp0_epc = (unsigned long)&p->ainsn.insn[0]; +} + +/* + * Called after single-stepping. p->addr is the address of the + * instruction whose first byte has been replaced by the "break 0" + * instruction. To avoid the SMP problems that can occur when we + * temporarily put back the original opcode to single-step, we + * single-stepped a copy of the instruction. The address of this + * copy is p->ainsn.insn. + * + * This function prepares to return from the post-single-step + * breakpoint trap. In case of branch instructions, the target + * epc to be restored. + */ +static void __kprobes resume_execution(struct kprobe *p, + struct pt_regs *regs, + struct kprobe_ctlblk *kcb) +{ + if (insn_has_delayslot(p->opcode)) + regs->cp0_epc = kcb->target_epc; + else { + unsigned long orig_epc = kcb->kprobe_saved_epc; + regs->cp0_epc = orig_epc + 4; + } } static int __kprobes kprobe_handler(struct pt_regs *regs) @@ -279,8 +364,13 @@ static int __kprobes kprobe_handler(struct pt_regs *regs) save_previous_kprobe(kcb); set_current_kprobe(p, regs, kcb); kprobes_inc_nmissed_count(p); - prepare_singlestep(p, regs); + prepare_singlestep(p, regs, kcb); kcb->kprobe_status = KPROBE_REENTER; + if (kcb->flags & SKIP_DELAYSLOT) { + resume_execution(p, regs, kcb); + restore_previous_kprobe(kcb); + preempt_enable_no_resched(); + } return 1; } else { if (addr->word != breakpoint_insn.word) { @@ -324,8 +414,16 @@ static int __kprobes kprobe_handler(struct pt_regs *regs) } ss_probe: - prepare_singlestep(p, regs); - kcb->kprobe_status = KPROBE_HIT_SS; + prepare_singlestep(p, regs, kcb); + if (kcb->flags & SKIP_DELAYSLOT) { + kcb->kprobe_status = KPROBE_HIT_SSDONE; + if (p->post_handler) + p->post_handler(p, regs, 0); + resume_execution(p, regs, kcb); + preempt_enable_no_resched(); + } else + kcb->kprobe_status = KPROBE_HIT_SS; + return 1; no_kprobe: @@ -334,25 +432,6 @@ no_kprobe: } -/* - * Called after single-stepping. p->addr is the address of the - * instruction whose first byte has been replaced by the "break 0" - * instruction. To avoid the SMP problems that can occur when we - * temporarily put back the original opcode to single-step, we - * single-stepped a copy of the instruction. The address of this - * copy is p->ainsn.insn. - * - * This function prepares to return from the post-single-step - * breakpoint trap. - */ -static void __kprobes resume_execution(struct kprobe *p, - struct pt_regs *regs, - struct kprobe_ctlblk *kcb) -{ - unsigned long orig_epc = kcb->kprobe_saved_epc; - regs->cp0_epc = orig_epc + 4; -} - static inline int post_kprobe_handler(struct pt_regs *regs) { struct kprobe *cur = kprobe_running(); -- cgit v1.2.3