root/arch/x86/kernel/uprobes.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. is_prefix_bad
  2. uprobe_init_insn
  3. riprel_analyze
  4. scratch_reg
  5. riprel_pre_xol
  6. riprel_post_xol
  7. riprel_analyze
  8. riprel_pre_xol
  9. riprel_post_xol
  10. sizeof_long
  11. default_pre_xol_op
  12. emulate_push_stack
  13. default_post_xol_op
  14. default_abort_op
  15. branch_is_call
  16. is_cond_jmp_opcode
  17. check_jmp_cond
  18. branch_emulate_op
  19. push_emulate_op
  20. branch_post_xol_op
  21. branch_clear_offset
  22. branch_setup_xol_ops
  23. push_setup_xol_ops
  24. arch_uprobe_analyze_insn
  25. arch_uprobe_pre_xol
  26. arch_uprobe_xol_was_trapped
  27. arch_uprobe_post_xol
  28. arch_uprobe_exception_notify
  29. arch_uprobe_abort_xol
  30. __skip_sstep
  31. arch_uprobe_skip_sstep
  32. arch_uretprobe_hijack_return_addr
  33. arch_uretprobe_is_alive

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /*
   3  * User-space Probes (UProbes) for x86
   4  *
   5  * Copyright (C) IBM Corporation, 2008-2011
   6  * Authors:
   7  *      Srikar Dronamraju
   8  *      Jim Keniston
   9  */
  10 #include <linux/kernel.h>
  11 #include <linux/sched.h>
  12 #include <linux/ptrace.h>
  13 #include <linux/uprobes.h>
  14 #include <linux/uaccess.h>
  15 
  16 #include <linux/kdebug.h>
  17 #include <asm/processor.h>
  18 #include <asm/insn.h>
  19 #include <asm/mmu_context.h>
  20 
  21 /* Post-execution fixups. */
  22 
  23 /* Adjust IP back to vicinity of actual insn */
  24 #define UPROBE_FIX_IP           0x01
  25 
  26 /* Adjust the return address of a call insn */
  27 #define UPROBE_FIX_CALL         0x02
  28 
  29 /* Instruction will modify TF, don't change it */
  30 #define UPROBE_FIX_SETF         0x04
  31 
  32 #define UPROBE_FIX_RIP_SI       0x08
  33 #define UPROBE_FIX_RIP_DI       0x10
  34 #define UPROBE_FIX_RIP_BX       0x20
  35 #define UPROBE_FIX_RIP_MASK     \
  36         (UPROBE_FIX_RIP_SI | UPROBE_FIX_RIP_DI | UPROBE_FIX_RIP_BX)
  37 
  38 #define UPROBE_TRAP_NR          UINT_MAX
  39 
  40 /* Adaptations for mhiramat x86 decoder v14. */
  41 #define OPCODE1(insn)           ((insn)->opcode.bytes[0])
  42 #define OPCODE2(insn)           ((insn)->opcode.bytes[1])
  43 #define OPCODE3(insn)           ((insn)->opcode.bytes[2])
  44 #define MODRM_REG(insn)         X86_MODRM_REG((insn)->modrm.value)
  45 
  46 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
  47         (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) |   \
  48           (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) |   \
  49           (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) |   \
  50           (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf))    \
  51          << (row % 32))
  52 
  53 /*
  54  * Good-instruction tables for 32-bit apps.  This is non-const and volatile
  55  * to keep gcc from statically optimizing it out, as variable_test_bit makes
  56  * some versions of gcc to think only *(unsigned long*) is used.
  57  *
  58  * Opcodes we'll probably never support:
  59  * 6c-6f - ins,outs. SEGVs if used in userspace
  60  * e4-e7 - in,out imm. SEGVs if used in userspace
  61  * ec-ef - in,out acc. SEGVs if used in userspace
  62  * cc - int3. SIGTRAP if used in userspace
  63  * ce - into. Not used in userspace - no kernel support to make it useful. SEGVs
  64  *      (why we support bound (62) then? it's similar, and similarly unused...)
  65  * f1 - int1. SIGTRAP if used in userspace
  66  * f4 - hlt. SEGVs if used in userspace
  67  * fa - cli. SEGVs if used in userspace
  68  * fb - sti. SEGVs if used in userspace
  69  *
  70  * Opcodes which need some work to be supported:
  71  * 07,17,1f - pop es/ss/ds
  72  *      Normally not used in userspace, but would execute if used.
  73  *      Can cause GP or stack exception if tries to load wrong segment descriptor.
  74  *      We hesitate to run them under single step since kernel's handling
  75  *      of userspace single-stepping (TF flag) is fragile.
  76  *      We can easily refuse to support push es/cs/ss/ds (06/0e/16/1e)
  77  *      on the same grounds that they are never used.
  78  * cd - int N.
  79  *      Used by userspace for "int 80" syscall entry. (Other "int N"
  80  *      cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
  81  *      Not supported since kernel's handling of userspace single-stepping
  82  *      (TF flag) is fragile.
  83  * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
  84  */
  85 #if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION)
  86 static volatile u32 good_insns_32[256 / 32] = {
  87         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
  88         /*      ----------------------------------------------         */
  89         W(0x00, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* 00 */
  90         W(0x10, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 10 */
  91         W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
  92         W(0x30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
  93         W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
  94         W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
  95         W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
  96         W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
  97         W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
  98         W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
  99         W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
 100         W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
 101         W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
 102         W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
 103         W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0) | /* e0 */
 104         W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1)   /* f0 */
 105         /*      ----------------------------------------------         */
 106         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
 107 };
 108 #else
 109 #define good_insns_32   NULL
 110 #endif
 111 
 112 /* Good-instruction tables for 64-bit apps.
 113  *
 114  * Genuinely invalid opcodes:
 115  * 06,07 - formerly push/pop es
 116  * 0e - formerly push cs
 117  * 16,17 - formerly push/pop ss
 118  * 1e,1f - formerly push/pop ds
 119  * 27,2f,37,3f - formerly daa/das/aaa/aas
 120  * 60,61 - formerly pusha/popa
 121  * 62 - formerly bound. EVEX prefix for AVX512 (not yet supported)
 122  * 82 - formerly redundant encoding of Group1
 123  * 9a - formerly call seg:ofs
 124  * ce - formerly into
 125  * d4,d5 - formerly aam/aad
 126  * d6 - formerly undocumented salc
 127  * ea - formerly jmp seg:ofs
 128  *
 129  * Opcodes we'll probably never support:
 130  * 6c-6f - ins,outs. SEGVs if used in userspace
 131  * e4-e7 - in,out imm. SEGVs if used in userspace
 132  * ec-ef - in,out acc. SEGVs if used in userspace
 133  * cc - int3. SIGTRAP if used in userspace
 134  * f1 - int1. SIGTRAP if used in userspace
 135  * f4 - hlt. SEGVs if used in userspace
 136  * fa - cli. SEGVs if used in userspace
 137  * fb - sti. SEGVs if used in userspace
 138  *
 139  * Opcodes which need some work to be supported:
 140  * cd - int N.
 141  *      Used by userspace for "int 80" syscall entry. (Other "int N"
 142  *      cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
 143  *      Not supported since kernel's handling of userspace single-stepping
 144  *      (TF flag) is fragile.
 145  * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
 146  */
 147 #if defined(CONFIG_X86_64)
 148 static volatile u32 good_insns_64[256 / 32] = {
 149         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
 150         /*      ----------------------------------------------         */
 151         W(0x00, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1) | /* 00 */
 152         W(0x10, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0) , /* 10 */
 153         W(0x20, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) | /* 20 */
 154         W(0x30, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 30 */
 155         W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
 156         W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
 157         W(0x60, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
 158         W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
 159         W(0x80, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
 160         W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1) , /* 90 */
 161         W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
 162         W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
 163         W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
 164         W(0xd0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
 165         W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0) | /* e0 */
 166         W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1)   /* f0 */
 167         /*      ----------------------------------------------         */
 168         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
 169 };
 170 #else
 171 #define good_insns_64   NULL
 172 #endif
 173 
 174 /* Using this for both 64-bit and 32-bit apps.
 175  * Opcodes we don't support:
 176  * 0f 00 - SLDT/STR/LLDT/LTR/VERR/VERW/-/- group. System insns
 177  * 0f 01 - SGDT/SIDT/LGDT/LIDT/SMSW/-/LMSW/INVLPG group.
 178  *      Also encodes tons of other system insns if mod=11.
 179  *      Some are in fact non-system: xend, xtest, rdtscp, maybe more
 180  * 0f 05 - syscall
 181  * 0f 06 - clts (CPL0 insn)
 182  * 0f 07 - sysret
 183  * 0f 08 - invd (CPL0 insn)
 184  * 0f 09 - wbinvd (CPL0 insn)
 185  * 0f 0b - ud2
 186  * 0f 30 - wrmsr (CPL0 insn) (then why rdmsr is allowed, it's also CPL0 insn?)
 187  * 0f 34 - sysenter
 188  * 0f 35 - sysexit
 189  * 0f 37 - getsec
 190  * 0f 78 - vmread (Intel VMX. CPL0 insn)
 191  * 0f 79 - vmwrite (Intel VMX. CPL0 insn)
 192  *      Note: with prefixes, these two opcodes are
 193  *      extrq/insertq/AVX512 convert vector ops.
 194  * 0f ae - group15: [f]xsave,[f]xrstor,[v]{ld,st}mxcsr,clflush[opt],
 195  *      {rd,wr}{fs,gs}base,{s,l,m}fence.
 196  *      Why? They are all user-executable.
 197  */
 198 static volatile u32 good_2byte_insns[256 / 32] = {
 199         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
 200         /*      ----------------------------------------------         */
 201         W(0x00, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1) | /* 00 */
 202         W(0x10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 10 */
 203         W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
 204         W(0x30, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
 205         W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
 206         W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
 207         W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 60 */
 208         W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1) , /* 70 */
 209         W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
 210         W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
 211         W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1) | /* a0 */
 212         W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
 213         W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
 214         W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
 215         W(0xe0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* e0 */
 216         W(0xf0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)   /* f0 */
 217         /*      ----------------------------------------------         */
 218         /*      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f         */
 219 };
 220 #undef W
 221 
 222 /*
 223  * opcodes we may need to refine support for:
 224  *
 225  *  0f - 2-byte instructions: For many of these instructions, the validity
 226  *  depends on the prefix and/or the reg field.  On such instructions, we
 227  *  just consider the opcode combination valid if it corresponds to any
 228  *  valid instruction.
 229  *
 230  *  8f - Group 1 - only reg = 0 is OK
 231  *  c6-c7 - Group 11 - only reg = 0 is OK
 232  *  d9-df - fpu insns with some illegal encodings
 233  *  f2, f3 - repnz, repz prefixes.  These are also the first byte for
 234  *  certain floating-point instructions, such as addsd.
 235  *
 236  *  fe - Group 4 - only reg = 0 or 1 is OK
 237  *  ff - Group 5 - only reg = 0-6 is OK
 238  *
 239  * others -- Do we need to support these?
 240  *
 241  *  0f - (floating-point?) prefetch instructions
 242  *  07, 17, 1f - pop es, pop ss, pop ds
 243  *  26, 2e, 36, 3e - es:, cs:, ss:, ds: segment prefixes --
 244  *      but 64 and 65 (fs: and gs:) seem to be used, so we support them
 245  *  67 - addr16 prefix
 246  *  ce - into
 247  *  f0 - lock prefix
 248  */
 249 
 250 /*
 251  * TODO:
 252  * - Where necessary, examine the modrm byte and allow only valid instructions
 253  * in the different Groups and fpu instructions.
 254  */
 255 
 256 static bool is_prefix_bad(struct insn *insn)
 257 {
 258         int i;
 259 
 260         for (i = 0; i < insn->prefixes.nbytes; i++) {
 261                 insn_attr_t attr;
 262 
 263                 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
 264                 switch (attr) {
 265                 case INAT_MAKE_PREFIX(INAT_PFX_ES):
 266                 case INAT_MAKE_PREFIX(INAT_PFX_CS):
 267                 case INAT_MAKE_PREFIX(INAT_PFX_DS):
 268                 case INAT_MAKE_PREFIX(INAT_PFX_SS):
 269                 case INAT_MAKE_PREFIX(INAT_PFX_LOCK):
 270                         return true;
 271                 }
 272         }
 273         return false;
 274 }
 275 
 276 static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool x86_64)
 277 {
 278         u32 volatile *good_insns;
 279 
 280         insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64);
 281         /* has the side-effect of processing the entire instruction */
 282         insn_get_length(insn);
 283         if (!insn_complete(insn))
 284                 return -ENOEXEC;
 285 
 286         if (is_prefix_bad(insn))
 287                 return -ENOTSUPP;
 288 
 289         /* We should not singlestep on the exception masking instructions */
 290         if (insn_masking_exception(insn))
 291                 return -ENOTSUPP;
 292 
 293         if (x86_64)
 294                 good_insns = good_insns_64;
 295         else
 296                 good_insns = good_insns_32;
 297 
 298         if (test_bit(OPCODE1(insn), (unsigned long *)good_insns))
 299                 return 0;
 300 
 301         if (insn->opcode.nbytes == 2) {
 302                 if (test_bit(OPCODE2(insn), (unsigned long *)good_2byte_insns))
 303                         return 0;
 304         }
 305 
 306         return -ENOTSUPP;
 307 }
 308 
 309 #ifdef CONFIG_X86_64
 310 /*
 311  * If arch_uprobe->insn doesn't use rip-relative addressing, return
 312  * immediately.  Otherwise, rewrite the instruction so that it accesses
 313  * its memory operand indirectly through a scratch register.  Set
 314  * defparam->fixups accordingly. (The contents of the scratch register
 315  * will be saved before we single-step the modified instruction,
 316  * and restored afterward).
 317  *
 318  * We do this because a rip-relative instruction can access only a
 319  * relatively small area (+/- 2 GB from the instruction), and the XOL
 320  * area typically lies beyond that area.  At least for instructions
 321  * that store to memory, we can't execute the original instruction
 322  * and "fix things up" later, because the misdirected store could be
 323  * disastrous.
 324  *
 325  * Some useful facts about rip-relative instructions:
 326  *
 327  *  - There's always a modrm byte with bit layout "00 reg 101".
 328  *  - There's never a SIB byte.
 329  *  - The displacement is always 4 bytes.
 330  *  - REX.B=1 bit in REX prefix, which normally extends r/m field,
 331  *    has no effect on rip-relative mode. It doesn't make modrm byte
 332  *    with r/m=101 refer to register 1101 = R13.
 333  */
 334 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
 335 {
 336         u8 *cursor;
 337         u8 reg;
 338         u8 reg2;
 339 
 340         if (!insn_rip_relative(insn))
 341                 return;
 342 
 343         /*
 344          * insn_rip_relative() would have decoded rex_prefix, vex_prefix, modrm.
 345          * Clear REX.b bit (extension of MODRM.rm field):
 346          * we want to encode low numbered reg, not r8+.
 347          */
 348         if (insn->rex_prefix.nbytes) {
 349                 cursor = auprobe->insn + insn_offset_rex_prefix(insn);
 350                 /* REX byte has 0100wrxb layout, clearing REX.b bit */
 351                 *cursor &= 0xfe;
 352         }
 353         /*
 354          * Similar treatment for VEX3/EVEX prefix.
 355          * TODO: add XOP treatment when insn decoder supports them
 356          */
 357         if (insn->vex_prefix.nbytes >= 3) {
 358                 /*
 359                  * vex2:     c5    rvvvvLpp   (has no b bit)
 360                  * vex3/xop: c4/8f rxbmmmmm wvvvvLpp
 361                  * evex:     62    rxbR00mm wvvvv1pp zllBVaaa
 362                  * Setting VEX3.b (setting because it has inverted meaning).
 363                  * Setting EVEX.x since (in non-SIB encoding) EVEX.x
 364                  * is the 4th bit of MODRM.rm, and needs the same treatment.
 365                  * For VEX3-encoded insns, VEX3.x value has no effect in
 366                  * non-SIB encoding, the change is superfluous but harmless.
 367                  */
 368                 cursor = auprobe->insn + insn_offset_vex_prefix(insn) + 1;
 369                 *cursor |= 0x60;
 370         }
 371 
 372         /*
 373          * Convert from rip-relative addressing to register-relative addressing
 374          * via a scratch register.
 375          *
 376          * This is tricky since there are insns with modrm byte
 377          * which also use registers not encoded in modrm byte:
 378          * [i]div/[i]mul: implicitly use dx:ax
 379          * shift ops: implicitly use cx
 380          * cmpxchg: implicitly uses ax
 381          * cmpxchg8/16b: implicitly uses dx:ax and bx:cx
 382          *   Encoding: 0f c7/1 modrm
 383          *   The code below thinks that reg=1 (cx), chooses si as scratch.
 384          * mulx: implicitly uses dx: mulx r/m,r1,r2 does r1:r2 = dx * r/m.
 385          *   First appeared in Haswell (BMI2 insn). It is vex-encoded.
 386          *   Example where none of bx,cx,dx can be used as scratch reg:
 387          *   c4 e2 63 f6 0d disp32   mulx disp32(%rip),%ebx,%ecx
 388          * [v]pcmpistri: implicitly uses cx, xmm0
 389          * [v]pcmpistrm: implicitly uses xmm0
 390          * [v]pcmpestri: implicitly uses ax, dx, cx, xmm0
 391          * [v]pcmpestrm: implicitly uses ax, dx, xmm0
 392          *   Evil SSE4.2 string comparison ops from hell.
 393          * maskmovq/[v]maskmovdqu: implicitly uses (ds:rdi) as destination.
 394          *   Encoding: 0f f7 modrm, 66 0f f7 modrm, vex-encoded: c5 f9 f7 modrm.
 395          *   Store op1, byte-masked by op2 msb's in each byte, to (ds:rdi).
 396          *   AMD says it has no 3-operand form (vex.vvvv must be 1111)
 397          *   and that it can have only register operands, not mem
 398          *   (its modrm byte must have mode=11).
 399          *   If these restrictions will ever be lifted,
 400          *   we'll need code to prevent selection of di as scratch reg!
 401          *
 402          * Summary: I don't know any insns with modrm byte which
 403          * use SI register implicitly. DI register is used only
 404          * by one insn (maskmovq) and BX register is used
 405          * only by one too (cmpxchg8b).
 406          * BP is stack-segment based (may be a problem?).
 407          * AX, DX, CX are off-limits (many implicit users).
 408          * SP is unusable (it's stack pointer - think about "pop mem";
 409          * also, rsp+disp32 needs sib encoding -> insn length change).
 410          */
 411 
 412         reg = MODRM_REG(insn);  /* Fetch modrm.reg */
 413         reg2 = 0xff;            /* Fetch vex.vvvv */
 414         if (insn->vex_prefix.nbytes)
 415                 reg2 = insn->vex_prefix.bytes[2];
 416         /*
 417          * TODO: add XOP vvvv reading.
 418          *
 419          * vex.vvvv field is in bits 6-3, bits are inverted.
 420          * But in 32-bit mode, high-order bit may be ignored.
 421          * Therefore, let's consider only 3 low-order bits.
 422          */
 423         reg2 = ((reg2 >> 3) & 0x7) ^ 0x7;
 424         /*
 425          * Register numbering is ax,cx,dx,bx, sp,bp,si,di, r8..r15.
 426          *
 427          * Choose scratch reg. Order is important: must not select bx
 428          * if we can use si (cmpxchg8b case!)
 429          */
 430         if (reg != 6 && reg2 != 6) {
 431                 reg2 = 6;
 432                 auprobe->defparam.fixups |= UPROBE_FIX_RIP_SI;
 433         } else if (reg != 7 && reg2 != 7) {
 434                 reg2 = 7;
 435                 auprobe->defparam.fixups |= UPROBE_FIX_RIP_DI;
 436                 /* TODO (paranoia): force maskmovq to not use di */
 437         } else {
 438                 reg2 = 3;
 439                 auprobe->defparam.fixups |= UPROBE_FIX_RIP_BX;
 440         }
 441         /*
 442          * Point cursor at the modrm byte.  The next 4 bytes are the
 443          * displacement.  Beyond the displacement, for some instructions,
 444          * is the immediate operand.
 445          */
 446         cursor = auprobe->insn + insn_offset_modrm(insn);
 447         /*
 448          * Change modrm from "00 reg 101" to "10 reg reg2". Example:
 449          * 89 05 disp32  mov %eax,disp32(%rip) becomes
 450          * 89 86 disp32  mov %eax,disp32(%rsi)
 451          */
 452         *cursor = 0x80 | (reg << 3) | reg2;
 453 }
 454 
 455 static inline unsigned long *
 456 scratch_reg(struct arch_uprobe *auprobe, struct pt_regs *regs)
 457 {
 458         if (auprobe->defparam.fixups & UPROBE_FIX_RIP_SI)
 459                 return &regs->si;
 460         if (auprobe->defparam.fixups & UPROBE_FIX_RIP_DI)
 461                 return &regs->di;
 462         return &regs->bx;
 463 }
 464 
 465 /*
 466  * If we're emulating a rip-relative instruction, save the contents
 467  * of the scratch register and store the target address in that register.
 468  */
 469 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 470 {
 471         if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
 472                 struct uprobe_task *utask = current->utask;
 473                 unsigned long *sr = scratch_reg(auprobe, regs);
 474 
 475                 utask->autask.saved_scratch_register = *sr;
 476                 *sr = utask->vaddr + auprobe->defparam.ilen;
 477         }
 478 }
 479 
 480 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 481 {
 482         if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
 483                 struct uprobe_task *utask = current->utask;
 484                 unsigned long *sr = scratch_reg(auprobe, regs);
 485 
 486                 *sr = utask->autask.saved_scratch_register;
 487         }
 488 }
 489 #else /* 32-bit: */
 490 /*
 491  * No RIP-relative addressing on 32-bit
 492  */
 493 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
 494 {
 495 }
 496 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 497 {
 498 }
 499 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 500 {
 501 }
 502 #endif /* CONFIG_X86_64 */
 503 
 504 struct uprobe_xol_ops {
 505         bool    (*emulate)(struct arch_uprobe *, struct pt_regs *);
 506         int     (*pre_xol)(struct arch_uprobe *, struct pt_regs *);
 507         int     (*post_xol)(struct arch_uprobe *, struct pt_regs *);
 508         void    (*abort)(struct arch_uprobe *, struct pt_regs *);
 509 };
 510 
 511 static inline int sizeof_long(struct pt_regs *regs)
 512 {
 513         /*
 514          * Check registers for mode as in_xxx_syscall() does not apply here.
 515          */
 516         return user_64bit_mode(regs) ? 8 : 4;
 517 }
 518 
 519 static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 520 {
 521         riprel_pre_xol(auprobe, regs);
 522         return 0;
 523 }
 524 
 525 static int emulate_push_stack(struct pt_regs *regs, unsigned long val)
 526 {
 527         unsigned long new_sp = regs->sp - sizeof_long(regs);
 528 
 529         if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs)))
 530                 return -EFAULT;
 531 
 532         regs->sp = new_sp;
 533         return 0;
 534 }
 535 
 536 /*
 537  * We have to fix things up as follows:
 538  *
 539  * Typically, the new ip is relative to the copied instruction.  We need
 540  * to make it relative to the original instruction (FIX_IP).  Exceptions
 541  * are return instructions and absolute or indirect jump or call instructions.
 542  *
 543  * If the single-stepped instruction was a call, the return address that
 544  * is atop the stack is the address following the copied instruction.  We
 545  * need to make it the address following the original instruction (FIX_CALL).
 546  *
 547  * If the original instruction was a rip-relative instruction such as
 548  * "movl %edx,0xnnnn(%rip)", we have instead executed an equivalent
 549  * instruction using a scratch register -- e.g., "movl %edx,0xnnnn(%rsi)".
 550  * We need to restore the contents of the scratch register
 551  * (FIX_RIP_reg).
 552  */
 553 static int default_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 554 {
 555         struct uprobe_task *utask = current->utask;
 556 
 557         riprel_post_xol(auprobe, regs);
 558         if (auprobe->defparam.fixups & UPROBE_FIX_IP) {
 559                 long correction = utask->vaddr - utask->xol_vaddr;
 560                 regs->ip += correction;
 561         } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
 562                 regs->sp += sizeof_long(regs); /* Pop incorrect return address */
 563                 if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen))
 564                         return -ERESTART;
 565         }
 566         /* popf; tell the caller to not touch TF */
 567         if (auprobe->defparam.fixups & UPROBE_FIX_SETF)
 568                 utask->autask.saved_tf = true;
 569 
 570         return 0;
 571 }
 572 
 573 static void default_abort_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 574 {
 575         riprel_post_xol(auprobe, regs);
 576 }
 577 
 578 static const struct uprobe_xol_ops default_xol_ops = {
 579         .pre_xol  = default_pre_xol_op,
 580         .post_xol = default_post_xol_op,
 581         .abort    = default_abort_op,
 582 };
 583 
 584 static bool branch_is_call(struct arch_uprobe *auprobe)
 585 {
 586         return auprobe->branch.opc1 == 0xe8;
 587 }
 588 
 589 #define CASE_COND                                       \
 590         COND(70, 71, XF(OF))                            \
 591         COND(72, 73, XF(CF))                            \
 592         COND(74, 75, XF(ZF))                            \
 593         COND(78, 79, XF(SF))                            \
 594         COND(7a, 7b, XF(PF))                            \
 595         COND(76, 77, XF(CF) || XF(ZF))                  \
 596         COND(7c, 7d, XF(SF) != XF(OF))                  \
 597         COND(7e, 7f, XF(ZF) || XF(SF) != XF(OF))
 598 
 599 #define COND(op_y, op_n, expr)                          \
 600         case 0x ## op_y: DO((expr) != 0)                \
 601         case 0x ## op_n: DO((expr) == 0)
 602 
 603 #define XF(xf)  (!!(flags & X86_EFLAGS_ ## xf))
 604 
 605 static bool is_cond_jmp_opcode(u8 opcode)
 606 {
 607         switch (opcode) {
 608         #define DO(expr)        \
 609                 return true;
 610         CASE_COND
 611         #undef  DO
 612 
 613         default:
 614                 return false;
 615         }
 616 }
 617 
 618 static bool check_jmp_cond(struct arch_uprobe *auprobe, struct pt_regs *regs)
 619 {
 620         unsigned long flags = regs->flags;
 621 
 622         switch (auprobe->branch.opc1) {
 623         #define DO(expr)        \
 624                 return expr;
 625         CASE_COND
 626         #undef  DO
 627 
 628         default:        /* not a conditional jmp */
 629                 return true;
 630         }
 631 }
 632 
 633 #undef  XF
 634 #undef  COND
 635 #undef  CASE_COND
 636 
 637 static bool branch_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 638 {
 639         unsigned long new_ip = regs->ip += auprobe->branch.ilen;
 640         unsigned long offs = (long)auprobe->branch.offs;
 641 
 642         if (branch_is_call(auprobe)) {
 643                 /*
 644                  * If it fails we execute this (mangled, see the comment in
 645                  * branch_clear_offset) insn out-of-line. In the likely case
 646                  * this should trigger the trap, and the probed application
 647                  * should die or restart the same insn after it handles the
 648                  * signal, arch_uprobe_post_xol() won't be even called.
 649                  *
 650                  * But there is corner case, see the comment in ->post_xol().
 651                  */
 652                 if (emulate_push_stack(regs, new_ip))
 653                         return false;
 654         } else if (!check_jmp_cond(auprobe, regs)) {
 655                 offs = 0;
 656         }
 657 
 658         regs->ip = new_ip + offs;
 659         return true;
 660 }
 661 
 662 static bool push_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 663 {
 664         unsigned long *src_ptr = (void *)regs + auprobe->push.reg_offset;
 665 
 666         if (emulate_push_stack(regs, *src_ptr))
 667                 return false;
 668         regs->ip += auprobe->push.ilen;
 669         return true;
 670 }
 671 
 672 static int branch_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
 673 {
 674         BUG_ON(!branch_is_call(auprobe));
 675         /*
 676          * We can only get here if branch_emulate_op() failed to push the ret
 677          * address _and_ another thread expanded our stack before the (mangled)
 678          * "call" insn was executed out-of-line. Just restore ->sp and restart.
 679          * We could also restore ->ip and try to call branch_emulate_op() again.
 680          */
 681         regs->sp += sizeof_long(regs);
 682         return -ERESTART;
 683 }
 684 
 685 static void branch_clear_offset(struct arch_uprobe *auprobe, struct insn *insn)
 686 {
 687         /*
 688          * Turn this insn into "call 1f; 1:", this is what we will execute
 689          * out-of-line if ->emulate() fails. We only need this to generate
 690          * a trap, so that the probed task receives the correct signal with
 691          * the properly filled siginfo.
 692          *
 693          * But see the comment in ->post_xol(), in the unlikely case it can
 694          * succeed. So we need to ensure that the new ->ip can not fall into
 695          * the non-canonical area and trigger #GP.
 696          *
 697          * We could turn it into (say) "pushf", but then we would need to
 698          * divorce ->insn[] and ->ixol[]. We need to preserve the 1st byte
 699          * of ->insn[] for set_orig_insn().
 700          */
 701         memset(auprobe->insn + insn_offset_immediate(insn),
 702                 0, insn->immediate.nbytes);
 703 }
 704 
 705 static const struct uprobe_xol_ops branch_xol_ops = {
 706         .emulate  = branch_emulate_op,
 707         .post_xol = branch_post_xol_op,
 708 };
 709 
 710 static const struct uprobe_xol_ops push_xol_ops = {
 711         .emulate  = push_emulate_op,
 712 };
 713 
 714 /* Returns -ENOSYS if branch_xol_ops doesn't handle this insn */
 715 static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
 716 {
 717         u8 opc1 = OPCODE1(insn);
 718         int i;
 719 
 720         switch (opc1) {
 721         case 0xeb:      /* jmp 8 */
 722         case 0xe9:      /* jmp 32 */
 723         case 0x90:      /* prefix* + nop; same as jmp with .offs = 0 */
 724                 break;
 725 
 726         case 0xe8:      /* call relative */
 727                 branch_clear_offset(auprobe, insn);
 728                 break;
 729 
 730         case 0x0f:
 731                 if (insn->opcode.nbytes != 2)
 732                         return -ENOSYS;
 733                 /*
 734                  * If it is a "near" conditional jmp, OPCODE2() - 0x10 matches
 735                  * OPCODE1() of the "short" jmp which checks the same condition.
 736                  */
 737                 opc1 = OPCODE2(insn) - 0x10;
 738                 /* fall through */
 739         default:
 740                 if (!is_cond_jmp_opcode(opc1))
 741                         return -ENOSYS;
 742         }
 743 
 744         /*
 745          * 16-bit overrides such as CALLW (66 e8 nn nn) are not supported.
 746          * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
 747          * No one uses these insns, reject any branch insns with such prefix.
 748          */
 749         for (i = 0; i < insn->prefixes.nbytes; i++) {
 750                 if (insn->prefixes.bytes[i] == 0x66)
 751                         return -ENOTSUPP;
 752         }
 753 
 754         auprobe->branch.opc1 = opc1;
 755         auprobe->branch.ilen = insn->length;
 756         auprobe->branch.offs = insn->immediate.value;
 757 
 758         auprobe->ops = &branch_xol_ops;
 759         return 0;
 760 }
 761 
 762 /* Returns -ENOSYS if push_xol_ops doesn't handle this insn */
 763 static int push_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
 764 {
 765         u8 opc1 = OPCODE1(insn), reg_offset = 0;
 766 
 767         if (opc1 < 0x50 || opc1 > 0x57)
 768                 return -ENOSYS;
 769 
 770         if (insn->length > 2)
 771                 return -ENOSYS;
 772         if (insn->length == 2) {
 773                 /* only support rex_prefix 0x41 (x64 only) */
 774 #ifdef CONFIG_X86_64
 775                 if (insn->rex_prefix.nbytes != 1 ||
 776                     insn->rex_prefix.bytes[0] != 0x41)
 777                         return -ENOSYS;
 778 
 779                 switch (opc1) {
 780                 case 0x50:
 781                         reg_offset = offsetof(struct pt_regs, r8);
 782                         break;
 783                 case 0x51:
 784                         reg_offset = offsetof(struct pt_regs, r9);
 785                         break;
 786                 case 0x52:
 787                         reg_offset = offsetof(struct pt_regs, r10);
 788                         break;
 789                 case 0x53:
 790                         reg_offset = offsetof(struct pt_regs, r11);
 791                         break;
 792                 case 0x54:
 793                         reg_offset = offsetof(struct pt_regs, r12);
 794                         break;
 795                 case 0x55:
 796                         reg_offset = offsetof(struct pt_regs, r13);
 797                         break;
 798                 case 0x56:
 799                         reg_offset = offsetof(struct pt_regs, r14);
 800                         break;
 801                 case 0x57:
 802                         reg_offset = offsetof(struct pt_regs, r15);
 803                         break;
 804                 }
 805 #else
 806                 return -ENOSYS;
 807 #endif
 808         } else {
 809                 switch (opc1) {
 810                 case 0x50:
 811                         reg_offset = offsetof(struct pt_regs, ax);
 812                         break;
 813                 case 0x51:
 814                         reg_offset = offsetof(struct pt_regs, cx);
 815                         break;
 816                 case 0x52:
 817                         reg_offset = offsetof(struct pt_regs, dx);
 818                         break;
 819                 case 0x53:
 820                         reg_offset = offsetof(struct pt_regs, bx);
 821                         break;
 822                 case 0x54:
 823                         reg_offset = offsetof(struct pt_regs, sp);
 824                         break;
 825                 case 0x55:
 826                         reg_offset = offsetof(struct pt_regs, bp);
 827                         break;
 828                 case 0x56:
 829                         reg_offset = offsetof(struct pt_regs, si);
 830                         break;
 831                 case 0x57:
 832                         reg_offset = offsetof(struct pt_regs, di);
 833                         break;
 834                 }
 835         }
 836 
 837         auprobe->push.reg_offset = reg_offset;
 838         auprobe->push.ilen = insn->length;
 839         auprobe->ops = &push_xol_ops;
 840         return 0;
 841 }
 842 
 843 /**
 844  * arch_uprobe_analyze_insn - instruction analysis including validity and fixups.
 845  * @mm: the probed address space.
 846  * @arch_uprobe: the probepoint information.
 847  * @addr: virtual address at which to install the probepoint
 848  * Return 0 on success or a -ve number on error.
 849  */
 850 int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, unsigned long addr)
 851 {
 852         struct insn insn;
 853         u8 fix_ip_or_call = UPROBE_FIX_IP;
 854         int ret;
 855 
 856         ret = uprobe_init_insn(auprobe, &insn, is_64bit_mm(mm));
 857         if (ret)
 858                 return ret;
 859 
 860         ret = branch_setup_xol_ops(auprobe, &insn);
 861         if (ret != -ENOSYS)
 862                 return ret;
 863 
 864         ret = push_setup_xol_ops(auprobe, &insn);
 865         if (ret != -ENOSYS)
 866                 return ret;
 867 
 868         /*
 869          * Figure out which fixups default_post_xol_op() will need to perform,
 870          * and annotate defparam->fixups accordingly.
 871          */
 872         switch (OPCODE1(&insn)) {
 873         case 0x9d:              /* popf */
 874                 auprobe->defparam.fixups |= UPROBE_FIX_SETF;
 875                 break;
 876         case 0xc3:              /* ret or lret -- ip is correct */
 877         case 0xcb:
 878         case 0xc2:
 879         case 0xca:
 880         case 0xea:              /* jmp absolute -- ip is correct */
 881                 fix_ip_or_call = 0;
 882                 break;
 883         case 0x9a:              /* call absolute - Fix return addr, not ip */
 884                 fix_ip_or_call = UPROBE_FIX_CALL;
 885                 break;
 886         case 0xff:
 887                 switch (MODRM_REG(&insn)) {
 888                 case 2: case 3:                 /* call or lcall, indirect */
 889                         fix_ip_or_call = UPROBE_FIX_CALL;
 890                         break;
 891                 case 4: case 5:                 /* jmp or ljmp, indirect */
 892                         fix_ip_or_call = 0;
 893                         break;
 894                 }
 895                 /* fall through */
 896         default:
 897                 riprel_analyze(auprobe, &insn);
 898         }
 899 
 900         auprobe->defparam.ilen = insn.length;
 901         auprobe->defparam.fixups |= fix_ip_or_call;
 902 
 903         auprobe->ops = &default_xol_ops;
 904         return 0;
 905 }
 906 
 907 /*
 908  * arch_uprobe_pre_xol - prepare to execute out of line.
 909  * @auprobe: the probepoint information.
 910  * @regs: reflects the saved user state of current task.
 911  */
 912 int arch_uprobe_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 913 {
 914         struct uprobe_task *utask = current->utask;
 915 
 916         if (auprobe->ops->pre_xol) {
 917                 int err = auprobe->ops->pre_xol(auprobe, regs);
 918                 if (err)
 919                         return err;
 920         }
 921 
 922         regs->ip = utask->xol_vaddr;
 923         utask->autask.saved_trap_nr = current->thread.trap_nr;
 924         current->thread.trap_nr = UPROBE_TRAP_NR;
 925 
 926         utask->autask.saved_tf = !!(regs->flags & X86_EFLAGS_TF);
 927         regs->flags |= X86_EFLAGS_TF;
 928         if (test_tsk_thread_flag(current, TIF_BLOCKSTEP))
 929                 set_task_blockstep(current, false);
 930 
 931         return 0;
 932 }
 933 
 934 /*
 935  * If xol insn itself traps and generates a signal(Say,
 936  * SIGILL/SIGSEGV/etc), then detect the case where a singlestepped
 937  * instruction jumps back to its own address. It is assumed that anything
 938  * like do_page_fault/do_trap/etc sets thread.trap_nr != -1.
 939  *
 940  * arch_uprobe_pre_xol/arch_uprobe_post_xol save/restore thread.trap_nr,
 941  * arch_uprobe_xol_was_trapped() simply checks that ->trap_nr is not equal to
 942  * UPROBE_TRAP_NR == -1 set by arch_uprobe_pre_xol().
 943  */
 944 bool arch_uprobe_xol_was_trapped(struct task_struct *t)
 945 {
 946         if (t->thread.trap_nr != UPROBE_TRAP_NR)
 947                 return true;
 948 
 949         return false;
 950 }
 951 
 952 /*
 953  * Called after single-stepping. To avoid the SMP problems that can
 954  * occur when we temporarily put back the original opcode to
 955  * single-step, we single-stepped a copy of the instruction.
 956  *
 957  * This function prepares to resume execution after the single-step.
 958  */
 959 int arch_uprobe_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
 960 {
 961         struct uprobe_task *utask = current->utask;
 962         bool send_sigtrap = utask->autask.saved_tf;
 963         int err = 0;
 964 
 965         WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR);
 966         current->thread.trap_nr = utask->autask.saved_trap_nr;
 967 
 968         if (auprobe->ops->post_xol) {
 969                 err = auprobe->ops->post_xol(auprobe, regs);
 970                 if (err) {
 971                         /*
 972                          * Restore ->ip for restart or post mortem analysis.
 973                          * ->post_xol() must not return -ERESTART unless this
 974                          * is really possible.
 975                          */
 976                         regs->ip = utask->vaddr;
 977                         if (err == -ERESTART)
 978                                 err = 0;
 979                         send_sigtrap = false;
 980                 }
 981         }
 982         /*
 983          * arch_uprobe_pre_xol() doesn't save the state of TIF_BLOCKSTEP
 984          * so we can get an extra SIGTRAP if we do not clear TF. We need
 985          * to examine the opcode to make it right.
 986          */
 987         if (send_sigtrap)
 988                 send_sig(SIGTRAP, current, 0);
 989 
 990         if (!utask->autask.saved_tf)
 991                 regs->flags &= ~X86_EFLAGS_TF;
 992 
 993         return err;
 994 }
 995 
 996 /* callback routine for handling exceptions. */
 997 int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data)
 998 {
 999         struct die_args *args = data;
1000         struct pt_regs *regs = args->regs;
1001         int ret = NOTIFY_DONE;
1002 
1003         /* We are only interested in userspace traps */
1004         if (regs && !user_mode(regs))
1005                 return NOTIFY_DONE;
1006 
1007         switch (val) {
1008         case DIE_INT3:
1009                 if (uprobe_pre_sstep_notifier(regs))
1010                         ret = NOTIFY_STOP;
1011 
1012                 break;
1013 
1014         case DIE_DEBUG:
1015                 if (uprobe_post_sstep_notifier(regs))
1016                         ret = NOTIFY_STOP;
1017 
1018         default:
1019                 break;
1020         }
1021 
1022         return ret;
1023 }
1024 
1025 /*
1026  * This function gets called when XOL instruction either gets trapped or
1027  * the thread has a fatal signal. Reset the instruction pointer to its
1028  * probed address for the potential restart or for post mortem analysis.
1029  */
1030 void arch_uprobe_abort_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
1031 {
1032         struct uprobe_task *utask = current->utask;
1033 
1034         if (auprobe->ops->abort)
1035                 auprobe->ops->abort(auprobe, regs);
1036 
1037         current->thread.trap_nr = utask->autask.saved_trap_nr;
1038         regs->ip = utask->vaddr;
1039         /* clear TF if it was set by us in arch_uprobe_pre_xol() */
1040         if (!utask->autask.saved_tf)
1041                 regs->flags &= ~X86_EFLAGS_TF;
1042 }
1043 
1044 static bool __skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1045 {
1046         if (auprobe->ops->emulate)
1047                 return auprobe->ops->emulate(auprobe, regs);
1048         return false;
1049 }
1050 
1051 bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1052 {
1053         bool ret = __skip_sstep(auprobe, regs);
1054         if (ret && (regs->flags & X86_EFLAGS_TF))
1055                 send_sig(SIGTRAP, current, 0);
1056         return ret;
1057 }
1058 
1059 unsigned long
1060 arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
1061 {
1062         int rasize = sizeof_long(regs), nleft;
1063         unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
1064 
1065         if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
1066                 return -1;
1067 
1068         /* check whether address has been already hijacked */
1069         if (orig_ret_vaddr == trampoline_vaddr)
1070                 return orig_ret_vaddr;
1071 
1072         nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
1073         if (likely(!nleft))
1074                 return orig_ret_vaddr;
1075 
1076         if (nleft != rasize) {
1077                 pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n",
1078                        current->pid, regs->sp, regs->ip);
1079 
1080                 force_sig(SIGSEGV);
1081         }
1082 
1083         return -1;
1084 }
1085 
1086 bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
1087                                 struct pt_regs *regs)
1088 {
1089         if (ctx == RP_CHECK_CALL) /* sp was just decremented by "call" insn */
1090                 return regs->sp < ret->stack;
1091         else
1092                 return regs->sp <= ret->stack;
1093 }

/* [<][>][^][v][top][bottom][index][help] */