1. 23 May, 2021 1 commit
  2. 26 Apr, 2021 2 commits
    • riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe · b1ebaa0e
      Liao Chang authored
      The execution of sys_read ends up hitting a BUG_ON() in __find_get_block
      after installing a kprobe at sys_read; the BUG message looks like the following:
      [   65.708663] ------------[ cut here ]------------
      [   65.709987] kernel BUG at fs/buffer.c:1251!
      [   65.711283] Kernel BUG [#1]
      [   65.712032] Modules linked in:
      [   65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1
      [   65.714407] Hardware name: riscv-virtio,qemu (DT)
      [   65.715696] epc : __find_get_block+0x218/0x2c8
      [   65.716835]  ra : __getblk_gfp+0x1c/0x4a
      [   65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930
      [   65.719553]  gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038
      [   65.721290]  t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960
      [   65.723051]  s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a
      [   65.724772]  a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040
      [   65.726545]  a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000
      [   65.728308]  s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008
      [   65.730049]  s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8
      [   65.731802]  s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008
      [   65.733516]  s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f
      [   65.734434]  t5 : 00000000000003ff t6 : 0000000000040000
      [   65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
      [   65.734901] Call Trace:
      [   65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8
      [   65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6
      [   65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a
      [   65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c
      [   65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e
      [   65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66
      [   65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da
      [   65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150
      [   65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246
      [   65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114
      [   65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea
      [   65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a
      [   65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2
      [   65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8
      [   65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16
      [   65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2
      [   65.738858] ---[ end trace fe93f985456c935d ]---
      A simple reproducer looks like:
      	echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events
      	echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
      	cat /sys/kernel/debug/tracing/trace
      Here's what happens to hit that BUG_ON():
      1) After installing a kprobe at the entry of sys_read, the first instruction
         is replaced by the 'ebreak' instruction on the riscv64 platform.
      2) Once the kernel reaches the 'ebreak' instruction at the entry of sys_read,
         it traps into the riscv breakpoint handler, where it does some setup for
         the coming single-step of the original instruction, including backing up
         the 'sstatus' in pt_regs, followed by disabling interrupts during single
         stepping via clearing the 'SIE' bit of 'sstatus' in pt_regs.
      3) Then the kernel returns to the instruction slot, which contains two instructions:
         one is the original instruction at the entry of sys_read, the other is 'ebreak'.
         Here it triggers an 'Instruction page fault' exception (the value at 'scause'
         is '0xc') if the PF is not filled into the page table for that slot yet.
      4) Again the kernel traps into the page fault exception handler, where it chooses
         a different policy according to the state of the running kprobe. Because
         after 2) the state is KPROBE_HIT_SS, the kernel resets the current kprobe
         and 'pc' points back to the probe address.
      5) Because 'epc' points back to the 'ebreak' instruction at the sys_read probe,
         the kernel traps into the breakpoint handler again and repeats the operations
         at 2); however, the 'sstatus' without 'SIE' is kept at 4), which causes the
         real 'sstatus' saved at 2) to be overwritten by the one without 'SIE'.
      6) When the kernel crosses the probe, the 'sstatus' CSR is restored with the value
         without 'SIE', and reaches __find_get_block, which requires that
         interrupts be enabled.
      Fixing this is very trivial: just restore the value of 'sstatus' in pt_regs
      with the backup made at 2) when the instruction being single-stepped causes a
      page fault.
      Fixes: c22b0bcb ("riscv: Add kprobes supported")
      Signed-off-by: Liao Chang <liaochang1@huawei.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
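      The six-step sequence in the commit message above can be followed in a small model. The C below is an added example written for this listing, not kernel code and not the author's patch: it keeps only the pieces of state the message names (the 'sstatus' copy in pt_regs, the backup in the control block, the KPROBE_HIT_SS state) and replays breakpoint → page fault on the slot → breakpoint again → end of single-step, once without the fix and once with it. The bit values, the probe and slot addresses and the handler names are constructed for the model; the real riscv handlers are more involved.

```c
/* Added example: a simplified model of the riscv kprobe single-step state
 * described in commit b1ebaa0e. Not kernel code; names and values are
 * constructed to follow the commit message's steps 1)-6). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SR_SIE     0x2UL    /* sstatus.SIE: supervisor interrupt enable */
#define SR_OTHER   0x100UL  /* constructed: some other sstatus bit that must survive */
#define PROBE_ADDR 0x1000UL /* constructed: entry of the probed function */
#define SLOT_ADDR  0x9000UL /* constructed: out-of-line single-step slot */

enum kprobe_status { KPROBE_NONE, KPROBE_HIT_SS };

struct pt_regs { uintptr_t epc; uintptr_t status; };
struct kprobe_ctlblk { enum kprobe_status kprobe_status; uintptr_t saved_status; };

/* Step 2): 'ebreak' at the probe. Back up sstatus, clear SIE so interrupts
 * stay off while single-stepping, and point epc at the slot. */
static void breakpoint_handler(struct pt_regs *regs, struct kprobe_ctlblk *kcb)
{
    kcb->saved_status = regs->status;
    regs->status &= ~SR_SIE;
    kcb->kprobe_status = KPROBE_HIT_SS;
    regs->epc = SLOT_ADDR;
}

/* Steps 3)-4): the slot is not mapped yet, so the single-step faults. The
 * kprobe is reset and epc goes back to the probe address. Without the fix
 * pt_regs keeps the SIE-less sstatus; with the fix the backup is restored. */
static void fault_handler(struct pt_regs *regs, struct kprobe_ctlblk *kcb, bool fixed)
{
    if (kcb->kprobe_status != KPROBE_HIT_SS)
        return;
    regs->epc = PROBE_ADDR;
    if (fixed)
        regs->status = kcb->saved_status;
    kcb->kprobe_status = KPROBE_NONE;
}

/* Step 6): the single-step completed; restore the backed-up sstatus and
 * continue after the probed instruction. */
static void post_singlestep(struct pt_regs *regs, struct kprobe_ctlblk *kcb)
{
    regs->status = kcb->saved_status;
    regs->epc = PROBE_ADDR + 4; /* constructed: next instruction */
    kcb->kprobe_status = KPROBE_NONE;
}

/* Replay the whole sequence. Returns true when interrupts are still enabled
 * once execution continues past the probe, which is the correct outcome. */
bool interrupts_enabled_after_probe(bool fixed)
{
    struct pt_regs regs = { .epc = PROBE_ADDR, .status = SR_SIE | SR_OTHER };
    struct kprobe_ctlblk kcb = { .kprobe_status = KPROBE_NONE, .saved_status = 0 };

    breakpoint_handler(&regs, &kcb);   /* 2) first hit, backup = SIE set */
    fault_handler(&regs, &kcb, fixed); /* 3)-4) slot faults, back to probe */
    breakpoint_handler(&regs, &kcb);   /* 5) second hit overwrites backup */
    post_singlestep(&regs, &kcb);      /* 6) restore from (possibly bad) backup */

    return (regs.status & SR_SIE) != 0;
}

int main(void)
{
    printf("without fix: SIE %s\n", interrupts_enabled_after_probe(false) ? "kept" : "lost");
    printf("with fix:    SIE %s\n", interrupts_enabled_after_probe(true) ? "kept" : "lost");
    return 0;
}
```

      The second breakpoint_handler() call is the whole story: it overwrites kcb->saved_status with whatever pt_regs holds at that moment, so the only safe place to repair pt_regs is the fault path, before the probe is re-taken.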
    • riscv: kprobes: Implement alloc_insn_page() · cdd1b2bd
      Jisheng Zhang authored
      Allocate a PAGE_KERNEL_READ_EXEC (read only, executable) page for the kprobes
      insn page. This is to prepare for STRICT_MODULE_RWX.
      Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
      Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
  3. 17 Mar, 2021 1 commit
  4. 19 Feb, 2021 1 commit
  5. 14 Jan, 2021 1 commit
  6. 08 Sep, 2020 1 commit
  7. 03 Apr, 2020 1 commit
    • csky: Add kprobes supported · 33e53ae1
      Guo Ren authored
      This patch enables the kprobes, kretprobes and ftrace interfaces. It utilizes
      software breakpoint and single-step debug exceptions, and instruction
      simulation on csky.
      We use USR_BKPT to replace the original instruction, and the kprobe handler
      prepares an executable memory slot for out-of-line execution with a
      copy of the original instruction being probed. Most instructions
      can be executed by single-step, but some instructions need the original
      pc value to execute, and we need to simulate these instructions in software.
      Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
  8. 28 Oct, 2019 1 commit
    • arm64: remove __exception annotations · b6e43c0e
      James Morse authored and Catalin Marinas committed
      Since commit 73267498 ("arm64: unwind: reference pt_regs via embedded
      stack frame") arm64 has not used the __exception annotation to dump
      the pt_regs during stack tracing. in_exception_text() has no callers.
      This annotation is only used to blacklist kprobes; it means the same as
      Section annotations like this require the functions to be grouped
      together between the start/end markers, and placed according to
      the linker script. For kprobes we also have NOKPROBE_SYMBOL() which
      logs the symbol address in a section that kprobes parses and
      blacklists at boot.
      Using NOKPROBE_SYMBOL() instead lets kprobes publish the list of
      blacklisted symbols, and saves us from having an arm64 specific
      spelling of __kprobes.
      do_debug_exception() already has a NOKPROBE_SYMBOL() annotation.
      Signed-off-by: James Morse <james.morse@arm.com>
      Acked-by: Mark Rutland <mark.rutland@arm.com>
      Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
  9. 02 Aug, 2019 1 commit
    • arm64: kprobes: Recover pstate.D in single-step exception handler · b3980e48
      Masami Hiramatsu authored
      kprobes manipulates the interrupted PSTATE for single step, and
      doesn't restore it. Thus, if we put a kprobe where pstate.D
      (debug) is masked, the mask will be cleared after the kprobe hits.
      Moreover, in the most complicated case, this can lead to a kernel
      crash with the message below when a nested kprobe hits.
      [  152.118921] Unexpected kernel single-step exception at EL1
      When the 1st kprobe hits, do_debug_exception() will be called.
      At this point, the debug exception (= pstate.D) must be masked (=1).
      But if another kprobe hits before the single-step of the first kprobe
      (e.g. inside the user pre_handler), it unmasks the debug exception
      (pstate.D = 0) and returns.
      Then, when the 1st kprobe is setting up single-step, it saves the current
      DAIF, masks DAIF, enables single-step, and restores DAIF.
      However, since the "D" flag in DAIF is cleared by the 2nd kprobe, the
      single-step exception happens soon after restoring DAIF.
      This has been introduced by commit 7419333f ("arm64: kprobe:
      Always clear pstate.D in breakpoint exception handler")
      To solve this issue, this stores all DAIF bits and restores them
      after single stepping.
      Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: 7419333f ("arm64: kprobe: Always clear pstate.D in breakpoint exception handler")
      Reviewed-by: James Morse <james.morse@arm.com>
      Tested-by: James Morse <james.morse@arm.com>
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Will Deacon <will@kernel.org>
  10. 24 Jun, 2019 1 commit
  11. 30 May, 2019 1 commit
  12. 09 Apr, 2019 3 commits
  13. 19 Mar, 2019 4 commits
  14. 01 Mar, 2019 1 commit
  15. 01 Feb, 2019 1 commit
  16. 02 Nov, 2018 1 commit
    • arm64: kprobe: make page to RO mode when allocate it · 96686689
      Anders Roxell authored and Catalin Marinas committed
      Commit 1404d6f1 ("arm64: dump: Add checking for writable and exectuable pages")
      has successfully identified code that leaves a page with W+X:
      [    3.245140] arm64/mm: Found insecure W+X mapping at address (____ptrval____)/0xffff000000d90000
      [    3.245771] WARNING: CPU: 0 PID: 1 at ../arch/arm64/mm/dump.c:232 note_page+0x410/0x420
      [    3.246141] Modules linked in:
      [    3.246653] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0-rc5-next-20180928-00001-ge70ae259b853-dirty #62
      [    3.247008] Hardware name: linux,dummy-virt (DT)
      [    3.247347] pstate: 80000005 (Nzcv daif -PAN -UAO)
      [    3.247623] pc : note_page+0x410/0x420
      [    3.247898] lr : note_page+0x410/0x420
      [    3.248071] sp : ffff00000804bcd0
      [    3.248254] x29: ffff00000804bcd0 x28: ffff000009274000
      [    3.248578] x27: ffff00000921a000 x26: ffff80007dfff000
      [    3.248845] x25: ffff0000093f5000 x24: ffff000009526f6a
      [    3.249109] x23: 0000000000000004 x22: ffff000000d91000
      [    3.249396] x21: ffff000000d90000 x20: 0000000000000000
      [    3.249661] x19: ffff00000804bde8 x18: 0000000000000400
      [    3.249924] x17: 0000000000000000 x16: 0000000000000000
      [    3.250271] x15: ffffffffffffffff x14: 295f5f5f5f6c6176
      [    3.250594] x13: 7274705f5f5f5f28 x12: 2073736572646461
      [    3.250941] x11: 20746120676e6970 x10: 70616d20582b5720
      [    3.251252] x9 : 6572756365736e69 x8 : 3039643030303030
      [    3.251519] x7 : 306666666678302f x6 : ffff0000095467b2
      [    3.251802] x5 : 0000000000000000 x4 : 0000000000000000
      [    3.252060] x3 : 0000000000000000 x2 : ffffffffffffffff
      [    3.252323] x1 : 4d151327adc50b00 x0 : 0000000000000000
      [    3.252664] Call trace:
      [    3.252953]  note_page+0x410/0x420
      [    3.253186]  walk_pgd+0x12c/0x238
      [    3.253417]  ptdump_check_wx+0x68/0xf8
      [    3.253637]  mark_rodata_ro+0x68/0x98
      [    3.253847]  kernel_init+0x38/0x160
      [    3.254103]  ret_from_fork+0x10/0x18
      kprobes allocates a writable executable page with module_alloc() in
      order to store executable code.
      Reworked so that when it allocates a page it sets it to RO mode. Inspired by
      commit 63fef14f ("kprobes/x86: Make insn buffer always ROX and use text_poke()").
      Suggested-by: Arnd Bergmann <arnd@arndb.de>
      Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: Will Deacon <will.deacon@arm.com>
      Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
      Reviewed-by: Laura Abbott <labbott@redhat.com>
      Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
      [catalin.marinas@arm.com: removed unnecessary casts]
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
  17. 01 Oct, 2018 1 commit
  18. 21 Jun, 2018 4 commits
    • kprobes/arm64: Fix %p uses in error messages · 0722867d
      Masami Hiramatsu authored
      Fix %p uses in error messages by removing them because
      they are redundant or meaningless.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Acked-by: Will Deacon <will.deacon@arm.com>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491908405.9916.12425053035317241111.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • bpf/error-inject/kprobes: Clear current_kprobe and enable preempt in kprobe · cce188bd
      Masami Hiramatsu authored
      Clear current_kprobe and enable preemption in kprobe
      even if pre_handler returns !0.
      This simplifies function override using kprobes.
      Jprobes used to require keeping preemption disabled and
      keeping current_kprobe until it returned to the original function
      entry. For this reason, kprobe_int3_handler() and similar
      arch-dependent kprobe handlers check the pre_handler result
      and exit without enabling preemption if the result is !0.
      After removing jprobes, kprobes does not need to
      keep preemption disabled even if the user handler returns !0.
      But since the function override handler in error-inject
      and bpf also returns !0 if it overrides a function,
      to balance the preempt count it enables preemption
      and resets the current kprobe by itself.
      That is a bad design that is very buggy. This fixes
      such unbalanced preempt-count and current_kprobe setting
      in kprobes, bpf and error-inject.
      Note: for powerpc and x86, this removes all preempt_disable
      from kprobe_ftrace_handler because ftrace callbacks are
      called under preempt disabled.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Acked-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Josef Bacik <jbacik@fb.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Rich Felker <dalias@libc.org>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vineet Gupta <vgupta@synopsys.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: linux-arch@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-ia64@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-s390@vger.kernel.org
      Cc: linux-sh@vger.kernel.org
      Cc: linux-snps-arc@lists.infradead.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: sparclinux@vger.kernel.org
      Link: https://lore.kernel.org/lkml/152942494574.15209.12323837825873032258.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • arm64/kprobes: Don't call the ->break_handler() in arm64 kprobes code · c9abd554
      Masami Hiramatsu authored
      Don't call the ->break_handler() from the arm64 kprobes code,
      because it was only used by jprobes which got removed.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Acked-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Will Deacon <will.deacon@arm.com>
      Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-arch@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Link: https://lore.kernel.org/lkml/152942474231.15209.17684808374429473004.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • arm64/kprobes: Remove jprobe implementation · 2efb75cd
      Masami Hiramatsu authored
      Remove arch dependent setjump/longjump functions
      and unused fields in kprobe_ctlblk for jprobes
      from arch/arm64.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Acked-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Will Deacon <will.deacon@arm.com>
      Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-arch@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Link: https://lore.kernel.org/lkml/152942442318.15209.17767976282305601884.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  19. 30 May, 2017 1 commit
  20. 10 Mar, 2017 1 commit
  21. 02 Mar, 2017 1 commit
  22. 24 Dec, 2016 1 commit
  23. 07 Nov, 2016 1 commit
    • arm64: kprobe: protect/rename few definitions to be reused by uprobe · c2249707
      Pratyush Anand authored and Catalin Marinas committed
      decode-insn code has to be reused by arm64 uprobe implementation as well.
      Therefore, this patch protects some portion of kprobe code and renames few
      other, so that decode-insn functionality can be reused by uprobe even when
      CONFIG_KPROBES is not defined.
      kprobe_opcode_t and struct arch_specific_insn are also defined by
      linux/kprobes.h, when CONFIG_KPROBES is not defined. So, protect these
      definitions in asm/probes.h.
      linux/kprobes.h already includes asm/kprobes.h. Therefore, remove inclusion
      of asm/kprobes.h from decode-insn.c.
      There are some definitions like kprobe_insn and kprobes_handler_t etc. that can
      be re-used by uprobe. So, it would be better to remove 'k' from their
      struct arch_specific_insn is specific to kprobe. Therefore, introduce a new
      struct arch_probe_insn which will be common for both kprobe and uprobe, so
      that decode-insn code can be shared. Modify kprobe code accordingly.
      Function arm_probe_decode_insn() will be needed by uprobe as well. So make
      it global.
      Signed-off-by: Pratyush Anand <panand@redhat.com>
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
  24. 20 Sep, 2016 1 commit
  25. 25 Aug, 2016 2 commits
    • arm64: Create sections.h · ee78fdc7
      James Morse authored
      Each time new section markers are added, kernel/vmlinux.ld.S is updated,
      and new extern char __start_foo[] definitions are scattered through the
      Create asm/include/sections.h to collect these definitions (and include
      the existing asm-generic version).
      Signed-off-by: James Morse <james.morse@arm.com>
      Reviewed-by: Mark Rutland <mark.rutland@arm.com>
      Tested-by: Mark Rutland <mark.rutland@arm.com>
      Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
    • arm64: kprobe: Always clear pstate.D in breakpoint exception handler · 7419333f
      Pratyush Anand authored
      Whenever we are hitting a kprobe from a non-kprobe debug exception handler,
      we hit infinite occurrences of "Unexpected kernel single-step exception
      at EL1".
      PSTATE.D is the debug exception mask bit. It is set whenever we enter an
      exception mode. When it is set, Watchpoint, Breakpoint, and Software
      Step exceptions are masked. However, software Breakpoint Instruction
      exceptions can never be masked. Therefore, if we ever execute a BRK
      instruction, irrespective of the D-bit setting, we will receive a
      corresponding breakpoint exception.
      For example:
      - We are executing a kprobe pre/post handler, and a kprobe has been inserted in
        one of the instructions of a function called by the handler. So, it executes
        a BRK instruction and we land in the case of KPROBE_REENTER. (This case is
        already handled by the current code.)
      - We are executing a uprobe handler or any other BRK handler such as in
        WARN_ON (BRK BUG_BRK_IMM), and we trace that path using a kprobe. So, we
        enter the kprobe breakpoint handler from another BRK handler. (This case
        is not being handled currently.)
      In all such cases the kprobe breakpoint exception will be raised when we were
      already in debug exception mode. SPSR's D bit (bit 9) shows the value of
      PSTATE.D immediately before the exception was taken. So, in the above example
      cases we would find it set in the kprobe breakpoint handler. A single step
      exception will always be followed by a kprobe breakpoint exception. However,
      it will only be raised gracefully if we clear the D bit while returning from the
      breakpoint exception. If the D bit is set, it results in an undefined
      exception, and when its handler enables dbg, the single step exception is
      generated; however, it will never be handled (because the address does not match
      and it is therefore treated as unexpected).
      This patch clears the D-flag unconditionally in setup_singlestep, so that we can
      always get the single step exception correctly after returning from the breakpoint
      exception. Additionally, it also removes the D-flag set statement for the
      KPROBE_REENTER return path, because the debug exception for KPROBE_REENTER will
      always take place in a debug exception state. So, the D-flag will already be set
      in this case.
      Acked-by: Sandeepa Prabhu <sandeepa.s.prabhu@gmail.com>
      Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Pratyush Anand <panand@redhat.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
  26. 11 Aug, 2016 1 commit
  27. 21 Jul, 2016 2 commits
    • arm64: kprobes: Add KASAN instrumentation around stack accesses · f7e35c5b
      Catalin Marinas authored
      This patch disables KASAN around the memcpy from/to the kernel or IRQ
      stacks to avoid warnings like below:
      BUG: KASAN: stack-out-of-bounds in setjmp_pre_handler+0xe4/0x170 at addr ffff800935cbbbc0
      Read of size 128 by task swapper/0/1
      page:ffff7e0024d72ec0 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x1000000000000000()
      page dumped because: kasan: bad access detected
      CPU: 4 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc4+ #1
      Hardware name: ARM Juno development board (r0) (DT)
      Call trace:
      [<ffff20000808ad88>] dump_backtrace+0x0/0x280
      [<ffff20000808b01c>] show_stack+0x14/0x20
      [<ffff200008563a64>] dump_stack+0xa4/0xc8
      [<ffff20000824a1fc>] kasan_report_error+0x4fc/0x528
      [<ffff20000824a5e8>] kasan_report+0x40/0x48
      [<ffff20000824948c>] check_memory_region+0x144/0x1a0
      [<ffff200008249814>] memcpy+0x34/0x68
      [<ffff200008c3ee2c>] setjmp_pre_handler+0xe4/0x170
      [<ffff200008c3ec5c>] kprobe_breakpoint_handler+0xec/0x1d8
      [<ffff2000080853a4>] brk_handler+0x5c/0xa0
      [<ffff2000080813f0>] do_debug_exception+0xa0/0x138
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    • arm64: kprobes: Cleanup jprobe_return · 3b7d14e9
      Marc Zyngier authored and Catalin Marinas committed
      jprobe_return seems to have aged badly. Comments referring to
      non-existent behaviours, and a dangerous habit of messing
      with registers without telling the compiler.
      This patch applies the following remedies:
      - Fix the comments to describe the actual behaviour
      - Tidy up the asm sequence to directly assign the
        stack pointer without clobbering extra registers
      - Mark the rest of the function as unreachable() so
        that the compiler knows that there is no need for
        an epilogue
      - Stop making jprobe_return_break a global function
        (you really don't want to call that guy, and it isn't
        even a function).
      Tested with tcp_probe.
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
  28. 20 Jul, 2016 1 commit
  29. 19 Jul, 2016 1 commit