2024-03-04 17:43:53

by Jann Horn

Subject: [PATCH] x86/debug: Forbid tracing arch_uninstall_hw_breakpoint()

I tried using perf_event_open() to set hardware breakpoints on every
allowed address between the kernel's _text and _etext. (For reasons.)

arch_uninstall_hw_breakpoint() was the only function where this immediately
blew up, with DB0 set to the address of the instruction for
`dr7 = this_cpu_read(cpu_dr7)`, where the directly preceding instruction
does `*slot = NULL;`.
I think the issue there is that we clear the breakpoint tracking state
before actually disarming the breakpoint.

Signed-off-by: Jann Horn <[email protected]>
---
arch/x86/kernel/hw_breakpoint.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index b01644c949b2..f46a460dbd31 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -140,8 +140,11 @@ int arch_install_hw_breakpoint(struct perf_event *bp)
*
* Atomic: we hold the counter->ctx->lock and we only handle variables
* and registers local to this cpu.
+ *
+ * noinstr avoids getting hit with a breakpoint when the debug register is
+ * still active but we've already removed ourselves from bp_per_reg.
*/
-void arch_uninstall_hw_breakpoint(struct perf_event *bp)
+void noinstr arch_uninstall_hw_breakpoint(struct perf_event *bp)
{
struct arch_hw_breakpoint *info = counter_arch_bp(bp);
unsigned long dr7;
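Review bot: the added comment ("noinstr avoids getting hit with a breakpoint ...") describes the effect but not the mechanism, and the mechanism is indirect: `noinstr` only moves the function into `.noinstr.text`; what actually forbids the breakpoint is that the kprobe blacklist covers that section and `arch_build_bp_info()` rejects kernel-text breakpoints that fall inside a blacklisted range. Spelling that out in the comment would stop a reader from assuming the attribute by itself suppresses #DB in the window between `*slot = NULL` and the `dr7` write described in the commit message. A second thing to check before this lands: once the function is `noinstr`, objtool validates that nothing in its body calls instrumentable code, so any `WARN*` or tracepoint in the body (not visible in this hunk) needs an `instrumentation_begin()`/`instrumentation_end()` pair or the build will report it. It may also be worth a sentence on why the ordering fix hinted at in the message (disarm in `dr7` before clearing the `bp_per_reg` slot) was not chosen instead of, or in addition to, blacklisting the function.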
--
2.39.2