2014-11-18 06:33:06

by David Long

[permalink] [raw]
Subject: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

From: "David A. Long" <[email protected]>

This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
seen in October 2013. This version attempts to address concerns raised by
reviewers and also fixes problems discovered during testing, particularly during
SMP testing.

This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
and return probes(kretprobes) support for ARM64.

Kprobes mechanism makes use of software breakpoint and single stepping
support available in the ARM v8 kernel.

Changes since v2 include:

1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
instruction long.
2) Disabling of interrupts during execution in single-step mode.
3) Fixing of numerous problems in instruction simulation code.
4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
access to kprobes through debugfs.
5) kprobes is *not* enabled in defconfig.
6) Numerous complaints from checkpatch have been cleaned up, although a couple
remain as removing the function pointer typedefs results in ugly code.

David A. Long (1):
arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature

Sandeepa Prabhu (4):
arm64: Kprobes with single stepping support
arm64: Kprobes instruction simulation support
arm64: Add kernel return probes support(kretprobes)
kprobes: Add arm64 case in kprobe example module

arch/arm64/Kconfig | 3 +
arch/arm64/include/asm/kprobes.h | 61 +++
arch/arm64/include/asm/probes.h | 50 +++
arch/arm64/include/asm/ptrace.h | 32 +-
arch/arm64/include/uapi/asm/ptrace.h | 36 ++
arch/arm64/kernel/Makefile | 3 +
arch/arm64/kernel/kprobes-arm64.c | 313 ++++++++++++++
arch/arm64/kernel/kprobes-arm64.h | 30 ++
arch/arm64/kernel/kprobes.c | 702 +++++++++++++++++++++++++++++++
arch/arm64/kernel/kprobes.h | 30 ++
arch/arm64/kernel/probes-condn-check.c | 122 ++++++
arch/arm64/kernel/probes-decode.h | 110 +++++
arch/arm64/kernel/probes-simulate-insn.c | 174 ++++++++
arch/arm64/kernel/probes-simulate-insn.h | 33 ++
arch/arm64/kernel/ptrace.c | 119 ++++++
arch/arm64/kernel/vmlinux.lds.S | 1 +
samples/kprobes/kprobe_example.c | 8 +
17 files changed, 1826 insertions(+), 1 deletion(-)
create mode 100644 arch/arm64/include/asm/kprobes.h
create mode 100644 arch/arm64/include/asm/probes.h
create mode 100644 arch/arm64/kernel/kprobes-arm64.c
create mode 100644 arch/arm64/kernel/kprobes-arm64.h
create mode 100644 arch/arm64/kernel/kprobes.c
create mode 100644 arch/arm64/kernel/kprobes.h
create mode 100644 arch/arm64/kernel/probes-condn-check.c
create mode 100644 arch/arm64/kernel/probes-decode.h
create mode 100644 arch/arm64/kernel/probes-simulate-insn.c
create mode 100644 arch/arm64/kernel/probes-simulate-insn.h

--
1.8.1.2


2014-11-18 06:33:03

by David Long

[permalink] [raw]
Subject: [PATCH v3 1/5] arm64: Kprobes with single stepping support

From: Sandeepa Prabhu <[email protected]>

Add support for basic kernel probes(kprobes) and jump probes
(jprobes) for ARM64.

Kprobes will utilize software breakpoint and single step debug
exceptions supported on ARM v8.

software breakpoint is placed at the probe address to trap the
kernel execution into kprobe handler.

ARM v8 support single stepping to be enabled while exception return
(ERET) with next PC in exception return address (ELR_EL1).
kprobe handler prepares a executable memory slot for out-of-line
execution with the copy of the original instruction under probe, and
enable single stepping from the instruction slot. With this scheme,
the instruction is executed with the exact same register context
'except PC' that points to instruction slot.

Debug mask(PSTATE.D) is enabled only when single stepping a recursive
kprobes i.e. during kprobes reenter so that probes instruction can be
single stepped within the kprobe handler -exception- context.
The recursion depth of kprobe is always 2, i.e. upon probe re-entry,
any further re-entry is prevented by not calling handlers and the case
counted as missed kprobe)

Single stepping from slot has drawback on PC-relative accesses
like branching and symbolic literals access as offset from new PC
(slot address) may not be ensured to fit in immediate value of
opcode, Such instructions needs simulation, so reject
probing such instructions.

Instructions generating exceptions or cpu mode change are rejected,
and not allowed to insert probe for these instructions.

Instructions using Exclusive Monitor are rejected right too.

System instructions are mostly enabled for stepping, except MSR
immediate that update "daif" flags in PSTATE, which are not safe
for probing -rejected.

Changes since v4:
from David Long:
1) Removed unnecessary addtion of NOP after out-of-line instruction.
from Will Cohen:
2) Disable local irq while executing out of line instruction.

Signed-off-by: Sandeepa Prabhu <[email protected]>
Signed-off-by: William Cohen <[email protected]>
Signed-off-by: David A. Long <[email protected]>
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/kprobes.h | 60 ++++
arch/arm64/include/asm/probes.h | 50 ++++
arch/arm64/include/asm/ptrace.h | 3 +-
arch/arm64/kernel/Makefile | 1 +
arch/arm64/kernel/kprobes-arm64.c | 211 ++++++++++++++
arch/arm64/kernel/kprobes-arm64.h | 28 ++
arch/arm64/kernel/kprobes.c | 561 ++++++++++++++++++++++++++++++++++++++
arch/arm64/kernel/kprobes.h | 30 ++
arch/arm64/kernel/probes-decode.h | 110 ++++++++
arch/arm64/kernel/vmlinux.lds.S | 1 +
11 files changed, 1055 insertions(+), 1 deletion(-)
create mode 100644 arch/arm64/include/asm/kprobes.h
create mode 100644 arch/arm64/include/asm/probes.h
create mode 100644 arch/arm64/kernel/kprobes-arm64.c
create mode 100644 arch/arm64/kernel/kprobes-arm64.h
create mode 100644 arch/arm64/kernel/kprobes.c
create mode 100644 arch/arm64/kernel/kprobes.h
create mode 100644 arch/arm64/kernel/probes-decode.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 9532f8d..256ef90 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -60,6 +60,7 @@ config ARM64
select HAVE_PERF_USER_STACK_DUMP
select HAVE_RCU_TABLE_FREE
select HAVE_SYSCALL_TRACEPOINTS
+ select HAVE_KPROBES if !XIP_KERNEL
select IRQ_DOMAIN
select MODULES_USE_ELF_RELA
select NO_BOOTMEM
diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
new file mode 100644
index 0000000..b35d3b9
--- /dev/null
+++ b/arch/arm64/include/asm/kprobes.h
@@ -0,0 +1,60 @@
+/*
+ * arch/arm64/include/asm/kprobes.h
+ *
+ * Copyright (C) 2013 Linaro Limited
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#ifndef _ARM_KPROBES_H
+#define _ARM_KPROBES_H
+
+#include <linux/types.h>
+#include <linux/ptrace.h>
+#include <linux/percpu.h>
+
+#define __ARCH_WANT_KPROBES_INSN_SLOT
+#define MAX_INSN_SIZE 1
+#define MAX_STACK_SIZE 128
+
+#define flush_insn_slot(p) do { } while (0)
+#define kretprobe_blacklist_size 0
+
+#include <asm/probes.h>
+
+struct prev_kprobe {
+ struct kprobe *kp;
+ unsigned int status;
+};
+
+/* Single step context for kprobe */
+struct kprobe_step_ctx {
+#define KPROBES_STEP_NONE 0x0
+#define KPROBES_STEP_PENDING 0x1
+ unsigned long ss_status;
+ unsigned long match_addr;
+};
+
+/* per-cpu kprobe control block */
+struct kprobe_ctlblk {
+ unsigned int kprobe_status;
+ unsigned long saved_irqflag;
+ struct prev_kprobe prev_kprobe;
+ struct kprobe_step_ctx ss_ctx;
+ struct pt_regs jprobe_saved_regs;
+ char jprobes_stack[MAX_STACK_SIZE];
+};
+
+void arch_remove_kprobe(struct kprobe *);
+int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
+int kprobe_exceptions_notify(struct notifier_block *self,
+ unsigned long val, void *data);
+
+#endif /* _ARM_KPROBES_H */
diff --git a/arch/arm64/include/asm/probes.h b/arch/arm64/include/asm/probes.h
new file mode 100644
index 0000000..9dba74d
--- /dev/null
+++ b/arch/arm64/include/asm/probes.h
@@ -0,0 +1,50 @@
+/*
+ * arch/arm64/include/asm/probes.h
+ *
+ * Copyright (C) 2013 Linaro Limited
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+#ifndef _ARM_PROBES_H
+#define _ARM_PROBES_H
+
+struct kprobe;
+struct arch_specific_insn;
+
+typedef u32 kprobe_opcode_t;
+typedef unsigned long (kprobes_pstate_check_t)(unsigned long);
+typedef unsigned long
+(kprobes_condition_check_t)(struct kprobe *p, struct pt_regs *);
+typedef void
+(kprobes_prepare_t)(struct kprobe *, struct arch_specific_insn *);
+typedef void (kprobes_handler_t) (u32 opcode, long addr, struct pt_regs *);
+
+enum pc_restore_type {
+ NO_RESTORE,
+ RESTORE_PC,
+};
+
+struct kprobe_pc_restore {
+ enum pc_restore_type type;
+ unsigned long addr;
+};
+
+/* architecture specific copy of original instruction */
+struct arch_specific_insn {
+ kprobe_opcode_t *insn;
+ kprobes_pstate_check_t *pstate_cc;
+ kprobes_condition_check_t *check_condn;
+ kprobes_prepare_t *prepare;
+ kprobes_handler_t *handler;
+ /* restore address after step xol */
+ struct kprobe_pc_restore restore;
+};
+
+#endif
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 41ed9e1..d3e782a 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -174,7 +174,8 @@ static inline int valid_user_regs(struct user_pt_regs *regs)
return 0;
}

-#define instruction_pointer(regs) ((unsigned long)(regs)->pc)
+#define instruction_pointer(regs) ((regs)->pc)
+#define stack_pointer(regs) ((regs)->sp)

#ifdef CONFIG_SMP
extern unsigned long profile_pc(struct pt_regs *regs);
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index 5bd029b..df08c0e 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -29,6 +29,7 @@ arm64-obj-$(CONFIG_ARM64_CPU_SUSPEND) += sleep.o suspend.o
arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
arm64-obj-$(CONFIG_KGDB) += kgdb.o
+arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
arm64-obj-$(CONFIG_PCI) += pci.o

diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
new file mode 100644
index 0000000..30d1c14
--- /dev/null
+++ b/arch/arm64/kernel/kprobes-arm64.c
@@ -0,0 +1,211 @@
+/*
+ * arch/arm64/kernel/kprobes-arm64.c
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/module.h>
+#include <asm/kprobes.h>
+
+#include "probes-decode.h"
+#include "kprobes-arm64.h"
+
+/* AArch64 instruction decode table for kprobes:
+ * The instruction will fall into one of the 3 groups:
+ * 1. Single stepped out-of-the-line slot.
+ * -Most instructions fall in this group, those does not
+ * depend on PC address.
+ *
+ * 2. Should be simulated because of PC-relative/literal access.
+ * -All branching and PC-relative insrtcutions are simulated
+ * in C code, making use of saved pt_regs
+ * Catch: SIMD/NEON register context are not saved while
+ * entering debug exception, so are rejected for now.
+ *
+ * 3. Cannot be probed(not safe) so are rejected.
+ * - Exception generation and exception return instructions
+ * - Exclusive monitor(LDREX/STREX family)
+ *
+ */
+static const struct aarch64_decode_item aarch64_decode_table[] = {
+ /*
+ * Data processing - PC relative(literal) addressing:
+ * Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_REJECT(0x10000000, 0x1F000000),
+
+ /*
+ * Data processing - Add/Substract Immediate:
+ * Encoding: xxx1 0001 xxxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_SINGLESTEP(0x11000000, 0x1F000000),
+
+ /*
+ * Data processing
+ * Encoding:
+ * xxx1 0010 0xxx xxxx xxxx xxxx xxxx xxxx (Logical)
+ * xxx1 0010 1xxx xxxx xxxx xxxx xxxx xxxx (Move wide)
+ * xxx1 0011 0xxx xxxx xxxx xxxx xxxx xxxx (Bitfield)
+ * xxx1 0011 1xxx xxxx xxxx xxxx xxxx xxxx (Extract)
+ */
+ DECODE_SINGLESTEP(0x12000000, 0x1E000000),
+
+ /*
+ * Data processing - SIMD/FP/AdvSIMD/Crypto-AES/SHA
+ * Encoding: xxx0 111x xxxx xxxx xxxx xxxx xxxx xxxx
+ * Encoding: xxx1 111x xxxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_SINGLESTEP(0x0E000000, 0x0E000000),
+
+ /*
+ * Data processing - Register
+ * Encoding: xxxx 101x xxxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_SINGLESTEP(0x0A000000, 0x0E000000),
+
+ /* Branching Instructions
+ *
+ * Encoding:
+ * x001 01xx xxxx xxxx xxxx xxxx xxxx xxxx (uncondtional Branch)
+ * x011 010x xxxx xxxx xxxx xxxx xxxx xxxx (compare & branch)
+ * x011 011x xxxx xxxx xxxx xxxx xxxx xxxx (Test & Branch)
+ * 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate)
+ * 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register)
+ */
+ DECODE_REJECT(0x14000000, 0x7C000000),
+ DECODE_REJECT(0x14000000, 0x7C000000),
+ DECODE_REJECT(0x34000000, 0x7E000000),
+ DECODE_REJECT(0x36000000, 0x7E000000),
+ DECODE_REJECT(0x54000000, 0xFE000000),
+ DECODE_REJECT(0xD6000000, 0xFE000000),
+
+ /* System insn:
+ * Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx
+ *
+ * Note: MSR immediate (update PSTATE daif) is not safe handling
+ * within kprobes, rejected.
+ *
+ * Don't re-arrange these decode table entries.
+ */
+ DECODE_REJECT(0xD500401F, 0xFFF8F01F),
+ DECODE_SINGLESTEP(0xD5000000, 0xFFC00000),
+
+ /* Exception Generation:
+ * Encoding: 1101 0100 xxxx xxxx xxxx xxxx xxxx xxxx
+ * Instructions: SVC, HVC, SMC, BRK, HLT, DCPS1, DCPS2, DCPS3
+ */
+ DECODE_REJECT(0xD4000000, 0xFF000000),
+
+ /*
+ * Load/Store - Exclusive monitor
+ * Encoding: xx00 1000 xxxx xxxx xxxx xxxx xxxx xxxx
+ *
+ * Reject exlusive monitor'ed instructions
+ */
+ DECODE_REJECT(0x08000000, 0x3F000000),
+
+ /*
+ * Load/Store - PC relative(literal):
+ * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_REJECT(0x18000000, 0x3B000000),
+
+ /*
+ * Load/Store - Register Pair
+ * Encoding:
+ * xx10 1x00 0xxx xxxx xxxx xxxx xxxx xxxx
+ * xx10 1x00 1xxx xxxx xxxx xxxx xxxx xxxx
+ * xx10 1x01 0xxx xxxx xxxx xxxx xxxx xxxx
+ * xx10 1x01 1xxx xxxx xxxx xxxx xxxx xxxx
+ */
+ DECODE_SINGLESTEP(0x28000000, 0x3A000000),
+
+ /*
+ * Load/Store - Register
+ * Encoding:
+ * xx11 1x00 xx0x xxxx xxxx 00xx xxxx xxxx (unscaled imm)
+ * xx11 1x00 xx0x xxxx xxxx 01xx xxxx xxxx (imm post-indexed)
+ * xx11 1x00 xx0x xxxx xxxx 10xx xxxx xxxx (unpriviledged)
+ * xx11 1x00 xx0x xxxx xxxx 11xx xxxx xxxx (imm pre-indexed)
+ *
+ * xx11 1x00 xx10 xxxx xxxx xx10 xxxx xxxx (register offset)
+ *
+ * xx11 1x01 xxxx xxxx xxxx xxxx xxxx xxxx (unsigned imm)
+ */
+ DECODE_SINGLESTEP(0x38000000, 0x3B200000),
+ DECODE_SINGLESTEP(0x38200200, 0x38300300),
+ DECODE_SINGLESTEP(0x39000000, 0x3B000000),
+
+ /*
+ * Load/Store - AdvSIMD
+ * Encoding:
+ * 0x00 1100 0x00 0000 xxxx xxxx xxxx xxxx (Multiple-structure)
+ * 0x00 1100 1x0x xxxx xxxx xxxx xxxx xxxx (Multi-struct post-indexed)
+ * 0x00 1101 0xx0 0000 xxxx xxxx xxxx xxxx (Single-structure))
+ * 0x00 1101 1xxx xxxx xxxx xxxx xxxx xxxx (Single-struct post-index)
+ */
+ DECODE_SINGLESTEP(0x0C000000, 0xBFBF0000),
+ DECODE_SINGLESTEP(0x0C800000, 0xBFA00000),
+ DECODE_SINGLESTEP(0x0D000000, 0xBF9F0000),
+ DECODE_SINGLESTEP(0x0D800000, 0xBF800000),
+
+ /* Unallocated: xxx0 0xxx xxxx xxxx xxxx xxxx xxxx xxxx */
+ DECODE_REJECT(0x00000000, 0x18000000),
+ DECODE_END,
+};
+
+static int __kprobes
+kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
+ const struct aarch64_decode_item *tbl)
+{
+ unsigned int entry, ret = INSN_REJECTED;
+
+ for (entry = 0; !decode_table_end(tbl[entry]); entry++) {
+ if (decode_table_hit(tbl[entry], insn))
+ break;
+ }
+
+ switch (decode_get_type(tbl[entry])) {
+ case DECODE_TYPE_END:
+ case DECODE_TYPE_REJECT:
+ default:
+ ret = INSN_REJECTED;
+ break;
+
+ case DECODE_TYPE_SINGLESTEP:
+ ret = INSN_GOOD;
+ break;
+
+ case DECODE_TYPE_SIMULATE:
+ ret = INSN_REJECTED;
+ break;
+
+ case DECODE_TYPE_TABLE:
+ /* recurse with next level decode table */
+ ret = kprobe_decode_insn(insn, asi,
+ decode_sub_table(tbl[entry]));
+ };
+ return ret;
+}
+
+/* Return:
+ * INSN_REJECTED If instruction is one not allowed to kprobe,
+ * INSN_GOOD If instruction is supported and uses instruction slot,
+ * INSN_GOOD_NO_SLOT If instruction is supported but doesn't use its slot.
+ */
+enum kprobe_insn __kprobes
+arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi)
+{
+ return kprobe_decode_insn(insn, asi, aarch64_decode_table);
+}
diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
new file mode 100644
index 0000000..87e7891
--- /dev/null
+++ b/arch/arm64/kernel/kprobes-arm64.h
@@ -0,0 +1,28 @@
+/*
+ * arch/arm64/kernel/kprobes-arm64.h
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#ifndef _ARM_KERNEL_KPROBES_ARM64_H
+#define _ARM_KERNEL_KPROBES_ARM64_H
+
+enum kprobe_insn {
+ INSN_REJECTED,
+ INSN_GOOD_NO_SLOT,
+ INSN_GOOD,
+};
+
+enum kprobe_insn __kprobes
+arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);
+
+#endif /* _ARM_KERNEL_KPROBES_ARM64_H */
diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
new file mode 100644
index 0000000..ca7fa10
--- /dev/null
+++ b/arch/arm64/kernel/kprobes.c
@@ -0,0 +1,561 @@
+/*
+ * arch/arm64/kernel/kprobes.c
+ *
+ * Kprobes support for ARM64
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ * Author: Sandeepa Prabhu <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/stop_machine.h>
+#include <linux/stringify.h>
+#include <asm/traps.h>
+#include <asm/ptrace.h>
+#include <asm/cacheflush.h>
+#include <asm/debug-monitors.h>
+#include <asm/system_misc.h>
+#include <asm/insn.h>
+
+#include "kprobes.h"
+#include "kprobes-arm64.h"
+
+#define MIN_STACK_SIZE(addr) min((unsigned long)MAX_STACK_SIZE, \
+ (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
+
+DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
+DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
+
+static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
+{
+ /* prepare insn slot */
+ p->ainsn.insn[0] = p->opcode;
+
+ flush_icache_range((uintptr_t) (p->ainsn.insn),
+ (uintptr_t) (p->ainsn.insn) + MAX_INSN_SIZE);
+
+ /*
+ * Needs restoring of return address after stepping xol.
+ */
+ p->ainsn.restore.addr = (unsigned long) p->addr +
+ sizeof(kprobe_opcode_t);
+ p->ainsn.restore.type = RESTORE_PC;
+}
+
+int __kprobes arch_prepare_kprobe(struct kprobe *p)
+{
+ kprobe_opcode_t insn;
+ unsigned long probe_addr = (unsigned long)p->addr;
+
+ /* copy instruction */
+ insn = *p->addr;
+ p->opcode = insn;
+
+ if (in_exception_text(probe_addr))
+ return -EINVAL;
+
+ /* decode instruction */
+ switch (arm_kprobe_decode_insn(insn, &p->ainsn)) {
+ case INSN_REJECTED: /* insn not supported */
+ return -EINVAL;
+
+ case INSN_GOOD_NO_SLOT: /* insn need simulation */
+ return -EINVAL;
+
+ case INSN_GOOD: /* instruction uses slot */
+ p->ainsn.insn = get_insn_slot();
+ if (!p->ainsn.insn)
+ return -ENOMEM;
+ break;
+ };
+
+ /* prepare the instruction */
+ arch_prepare_ss_slot(p);
+
+ return 0;
+}
+
+static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
+{
+ void *addrs[1];
+ u32 insns[1];
+
+ addrs[0] = (void *)addr;
+ insns[0] = (u32)opcode;
+
+ return aarch64_insn_patch_text_sync(addrs, insns, 1);
+}
+
+/* arm kprobe: install breakpoint in text */
+void __kprobes arch_arm_kprobe(struct kprobe *p)
+{
+ patch_text(p->addr, BRK64_OPCODE_KPROBES);
+}
+
+/* disarm kprobe: remove breakpoint from text */
+void __kprobes arch_disarm_kprobe(struct kprobe *p)
+{
+ patch_text(p->addr, p->opcode);
+}
+
+void __kprobes arch_remove_kprobe(struct kprobe *p)
+{
+ if (p->ainsn.insn) {
+ free_insn_slot(p->ainsn.insn, 0);
+ p->ainsn.insn = NULL;
+ }
+}
+
+static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
+{
+ kcb->prev_kprobe.kp = kprobe_running();
+ kcb->prev_kprobe.status = kcb->kprobe_status;
+}
+
+static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
+{
+ __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
+ kcb->kprobe_status = kcb->prev_kprobe.status;
+}
+
+static void __kprobes set_current_kprobe(struct kprobe *p)
+{
+ __this_cpu_write(current_kprobe, p);
+}
+
+/*
+ * Debug flag (D-flag) is disabled upon exception entry.
+ * Kprobes need to unmask D-flag -ONLY- in case of recursive
+ * probe i.e. when probe hit from kprobe handler context upon
+ * executing the pre/post handlers. In this case we return with
+ * D-flag unmasked so that single-stepping can be carried-out.
+ *
+ * Keep D-flag masked in all other cases.
+ */
+static void __kprobes
+spsr_set_debug_flag(struct pt_regs *regs, int mask)
+{
+ unsigned long spsr = regs->pstate;
+
+ if (mask)
+ spsr |= PSR_D_BIT;
+ else
+ spsr &= ~PSR_D_BIT;
+
+ regs->pstate = spsr;
+}
+
+/*
+ * Interrupt needs to be disabled for the duration from probe hitting
+ * breakpoint exception until kprobe is processed completely.
+ * Without disabling interrupt on local CPU, there is a chance of
+ * interrupt occurrence in the period of exception return and start of
+ * out-of-line single-step, that result in wrongly single stepping
+ * the interrupt handler.
+ */
+static void __kprobes kprobes_save_local_irqflag(struct pt_regs *regs)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+ kcb->saved_irqflag = regs->pstate;
+ regs->pstate |= PSR_I_BIT;
+}
+
+static void __kprobes kprobes_restore_local_irqflag(struct pt_regs *regs)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+ if (kcb->saved_irqflag & PSR_I_BIT)
+ regs->pstate |= PSR_I_BIT;
+ else
+ regs->pstate &= ~PSR_I_BIT;
+}
+
+static void __kprobes
+set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr)
+{
+ kcb->ss_ctx.ss_status = KPROBES_STEP_PENDING;
+ kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t);
+}
+
+static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb)
+{
+ kcb->ss_ctx.ss_status = KPROBES_STEP_NONE;
+ kcb->ss_ctx.match_addr = 0;
+}
+
+static void __kprobes
+skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
+{
+ /* set return addr to next pc to continue */
+ instruction_pointer(regs) += sizeof(kprobe_opcode_t);
+
+ if (kcb->kprobe_status != KPROBE_REENTER)
+ kprobes_restore_local_irqflag(regs);
+
+}
+
+static void __kprobes setup_singlestep(struct kprobe *p,
+ struct pt_regs *regs,
+ struct kprobe_ctlblk *kcb, int reenter)
+{
+ unsigned long slot;
+
+ if (reenter) {
+ save_previous_kprobe(kcb);
+ set_current_kprobe(p);
+ kcb->kprobe_status = KPROBE_REENTER;
+ } else {
+ kcb->kprobe_status = KPROBE_HIT_SS;
+ }
+
+ if (p->ainsn.insn) {
+ /* prepare for single stepping */
+ slot = (unsigned long)p->ainsn.insn;
+
+ set_ss_context(kcb, slot); /* mark pending ss */
+
+ if (kcb->kprobe_status == KPROBE_REENTER)
+ spsr_set_debug_flag(regs, 0);
+
+ /* IRQs and single stepping do not mix well. */
+ local_irq_disable();
+ kernel_enable_single_step(regs);
+ instruction_pointer(regs) = slot;
+ } else {
+ BUG();
+ }
+}
+
+static int __kprobes reenter_kprobe(struct kprobe *p,
+ struct pt_regs *regs,
+ struct kprobe_ctlblk *kcb)
+{
+ switch (kcb->kprobe_status) {
+ case KPROBE_HIT_SSDONE:
+ case KPROBE_HIT_ACTIVE:
+ if (!p->ainsn.check_condn || p->ainsn.check_condn(p, regs)) {
+ kprobes_inc_nmissed_count(p);
+ setup_singlestep(p, regs, kcb, 1);
+ } else {
+ /* condition check failed, skip stepping */
+ skip_singlestep_missed(kcb, regs);
+ }
+ break;
+ case KPROBE_HIT_SS:
+ pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
+ dump_kprobe(p);
+ BUG();
+ break;
+ default:
+ WARN_ON(1);
+ return 0;
+ }
+
+ return 1;
+}
+
+static void __kprobes
+post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
+{
+ struct kprobe *cur = kprobe_running();
+
+ if (!cur)
+ return;
+
+ /* return addr restore if non-branching insn */
+ if (cur->ainsn.restore.type == RESTORE_PC) {
+ instruction_pointer(regs) = cur->ainsn.restore.addr;
+ if (!instruction_pointer(regs))
+ BUG();
+ }
+
+ /* restore back original saved kprobe variables and continue */
+ if (kcb->kprobe_status == KPROBE_REENTER) {
+ restore_previous_kprobe(kcb);
+ return;
+ }
+ /* call post handler */
+ kcb->kprobe_status = KPROBE_HIT_SSDONE;
+ if (cur->post_handler) {
+ /* post_handler can hit breakpoint and single step
+ * again, so we enable D-flag for recursive exception.
+ */
+ cur->post_handler(cur, regs, 0);
+ }
+
+ reset_current_kprobe();
+ kprobes_restore_local_irqflag(regs);
+}
+
+int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
+{
+ struct kprobe *cur = kprobe_running();
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+ switch (kcb->kprobe_status) {
+ case KPROBE_HIT_SS:
+ case KPROBE_REENTER:
+ /*
+ * We are here because the instruction being single
+ * stepped caused a page fault. We reset the current
+ * kprobe and the ip points back to the probe address
+ * and allow the page fault handler to continue as a
+ * normal page fault.
+ */
+ instruction_pointer(regs) = (unsigned long)cur->addr;
+ if (!instruction_pointer(regs))
+ BUG();
+ if (kcb->kprobe_status == KPROBE_REENTER)
+ restore_previous_kprobe(kcb);
+ else
+ reset_current_kprobe();
+
+ break;
+ case KPROBE_HIT_ACTIVE:
+ case KPROBE_HIT_SSDONE:
+ /*
+ * We increment the nmissed count for accounting,
+ * we can also use npre/npostfault count for accounting
+ * these specific fault cases.
+ */
+ kprobes_inc_nmissed_count(cur);
+
+ /*
+ * We come here because instructions in the pre/post
+ * handler caused the page_fault, this could happen
+ * if handler tries to access user space by
+ * copy_from_user(), get_user() etc. Let the
+ * user-specified handler try to fix it first.
+ */
+ if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
+ return 1;
+
+ /*
+ * In case the user-specified fault handler returned
+ * zero, try to fix up.
+ */
+ if (fixup_exception(regs))
+ return 1;
+
+ break;
+ default:
+ break;
+ }
+ return 0;
+}
+
+int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
+ unsigned long val, void *data)
+{
+ return NOTIFY_DONE;
+}
+
+void __kprobes kprobe_handler(struct pt_regs *regs)
+{
+ struct kprobe *p, *cur;
+ struct kprobe_ctlblk *kcb;
+ unsigned long addr = instruction_pointer(regs);
+
+ kcb = get_kprobe_ctlblk();
+ cur = kprobe_running();
+
+ p = get_kprobe((kprobe_opcode_t *) addr);
+
+ if (p) {
+ if (cur) {
+ if (reenter_kprobe(p, regs, kcb))
+ return;
+ } else if (!p->ainsn.check_condn ||
+ p->ainsn.check_condn(p, regs)) {
+ /* Probe hit and conditional execution check ok. */
+ set_current_kprobe(p);
+ kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+
+ /*
+ * If we have no pre-handler or it returned 0, we
+ * continue with normal processing. If we have a
+ * pre-handler and it returned non-zero, it prepped
+ * for calling the break_handler below on re-entry,
+ * so get out doing nothing more here.
+ *
+ * pre_handler can hit a breakpoint and can step thru
+ * before return, keep PSTATE D-flag enabled until
+ * pre_handler return back.
+ */
+ if (!p->pre_handler || !p->pre_handler(p, regs)) {
+ kcb->kprobe_status = KPROBE_HIT_SS;
+ setup_singlestep(p, regs, kcb, 0);
+ return;
+ }
+ } else {
+ /*
+ * Breakpoint hit but conditional check failed,
+ * so just skip the instruction (NOP behaviour)
+ */
+ skip_singlestep_missed(kcb, regs);
+ return;
+ }
+ } else if (*(kprobe_opcode_t *) addr != BRK64_OPCODE_KPROBES) {
+ /*
+ * The breakpoint instruction was removed right
+ * after we hit it. Another cpu has removed
+ * either a probepoint or a debugger breakpoint
+ * at this address. In either case, no further
+ * handling of this interrupt is appropriate.
+ * Return back to original instruction, and continue.
+ */
+ kprobes_restore_local_irqflag(regs);
+ return;
+ } else if (cur) {
+ /* We probably hit a jprobe. Call its break handler. */
+ if (cur->break_handler && cur->break_handler(cur, regs)) {
+ kcb->kprobe_status = KPROBE_HIT_SS;
+ setup_singlestep(cur, regs, kcb, 0);
+ return;
+ }
+ } else {
+ /* breakpoint is removed, now in a race
+ * Return back to original instruction & continue.
+ */
+ kprobes_restore_local_irqflag(regs);
+ }
+}
+
+static int __kprobes
+kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr)
+{
+ if ((kcb->ss_ctx.ss_status == KPROBES_STEP_PENDING)
+ && (kcb->ss_ctx.match_addr == addr)) {
+ clear_ss_context(kcb); /* clear pending ss */
+ return DBG_HOOK_HANDLED;
+ }
+ /* not ours, kprobes should ignore it */
+ return DBG_HOOK_ERROR;
+}
+
+static int __kprobes
+kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+ int retval;
+
+ /* return error if this is not our step */
+ retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
+
+ if (retval == DBG_HOOK_HANDLED) {
+ kernel_disable_single_step();
+
+ if (kcb->kprobe_status == KPROBE_REENTER)
+ spsr_set_debug_flag(regs, 1);
+
+ post_kprobe_handler(kcb, regs);
+ }
+
+ return retval;
+}
+
+static int __kprobes
+kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
+{
+ kprobes_save_local_irqflag(regs);
+ kprobe_handler(regs);
+ return DBG_HOOK_HANDLED;
+}
+
+int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
+{
+ struct jprobe *jp = container_of(p, struct jprobe, kp);
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+ long stack_ptr = stack_pointer(regs);
+
+ kcb->jprobe_saved_regs = *regs;
+ memcpy(kcb->jprobes_stack, (void *)stack_ptr,
+ MIN_STACK_SIZE(stack_ptr));
+
+ instruction_pointer(regs) = (long)jp->entry;
+ preempt_disable();
+ return 1;
+}
+
+void __kprobes jprobe_return(void)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+ /*
+ * Jprobe handler return by entering break exception,
+ * encoded same as kprobe, but with following conditions
+ * -a magic number in x0 to identify from rest of other kprobes.
+ * -restore stack addr to original saved pt_regs
+ */
+ asm volatile ("ldr x0, [%0]\n\t"
+ "mov sp, x0\n\t"
+ "ldr x0, =" __stringify(JPROBES_MAGIC_NUM) "\n\t"
+ "BRK %1\n\t"
+ "NOP\n\t"
+ :
+ : "r"(&kcb->jprobe_saved_regs.sp),
+ "I"(BRK64_ESR_KPROBES)
+ : "memory");
+}
+
+int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+ long stack_addr = kcb->jprobe_saved_regs.sp;
+ long orig_sp = stack_pointer(regs);
+ struct jprobe *jp = container_of(p, struct jprobe, kp);
+
+ if (regs->regs[0] == JPROBES_MAGIC_NUM) {
+ if (orig_sp != stack_addr) {
+ struct pt_regs *saved_regs =
+ (struct pt_regs *)kcb->jprobe_saved_regs.sp;
+ pr_err("current sp %lx does not match saved sp %lx\n",
+ orig_sp, stack_addr);
+ pr_err("Saved registers for jprobe %p\n", jp);
+ show_regs(saved_regs);
+ pr_err("Current registers\n");
+ show_regs(regs);
+ BUG();
+ }
+ *regs = kcb->jprobe_saved_regs;
+ memcpy((void *)stack_addr, kcb->jprobes_stack,
+ MIN_STACK_SIZE(stack_addr));
+ preempt_enable_no_resched();
+ kprobes_restore_local_irqflag(regs);
+ return 1;
+ }
+ return 0;
+}
+
+/* Break Handler hook */
+static struct break_hook kprobes_break_hook = {
+ .esr_mask = BRK64_ESR_MASK,
+ .esr_val = BRK64_ESR_KPROBES,
+ .fn = kprobe_breakpoint_handler,
+};
+
+/* Single Step handler hook */
+static struct step_hook kprobes_step_hook = {
+ .fn = kprobe_single_step_handler,
+};
+
+int __init arch_init_kprobes(void)
+{
+ register_break_hook(&kprobes_break_hook);
+ register_step_hook(&kprobes_step_hook);
+
+ return 0;
+}
diff --git a/arch/arm64/kernel/kprobes.h b/arch/arm64/kernel/kprobes.h
new file mode 100644
index 0000000..93c54b4
--- /dev/null
+++ b/arch/arm64/kernel/kprobes.h
@@ -0,0 +1,30 @@
+/*
+ * arch/arm64/kernel/kprobes.h
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#ifndef _ARM_KERNEL_KPROBES_H
+#define _ARM_KERNEL_KPROBES_H
+
+/* BRK opcodes with ESR encoding */
+#define BRK64_ESR_MASK 0xFFFF
+#define BRK64_ESR_KPROBES 0x0004
+#define BRK64_OPCODE_KPROBES 0xD4200080 /* "brk 0x4" */
+#define ARCH64_NOP_OPCODE 0xD503201F
+
+#define JPROBES_MAGIC_NUM 0xa5a5a5a5a5a5a5a5
+
+/* Move this out to appropriate header file */
+int fixup_exception(struct pt_regs *regs);
+
+#endif /* _ARM_KERNEL_KPROBES_H */
diff --git a/arch/arm64/kernel/probes-decode.h b/arch/arm64/kernel/probes-decode.h
new file mode 100644
index 0000000..3650ab3
--- /dev/null
+++ b/arch/arm64/kernel/probes-decode.h
@@ -0,0 +1,110 @@
+/*
+ * arch/arm64/kernel/probes-decode.h
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#ifndef _ARM_KERNEL_PROBES_DECODE_H
+#define _ARM_KERNEL_PROBES_DECODE_H
+
+/*
+ * The following definitions and macros are used to build instruction
+ * decoding tables.
+ */
+enum decode_type {
+ DECODE_TYPE_END,
+ DECODE_TYPE_SINGLESTEP,
+ DECODE_TYPE_SIMULATE,
+ DECODE_TYPE_TABLE,
+ DECODE_TYPE_REJECT,
+};
+
+struct aarch64_decode_item;
+
+struct aarch64_decode_header {
+ enum decode_type type;
+ u32 mask;
+ u32 val;
+};
+
+struct aarch64_decode_actions {
+ kprobes_prepare_t *prepare;
+ kprobes_handler_t *handler;
+};
+
+struct aarch64_decode_table {
+ const struct aarch64_decode_item *tbl;
+};
+
+union aarch64_decode_handler {
+ struct aarch64_decode_actions actions;
+ struct aarch64_decode_table table;
+};
+
+struct aarch64_decode_item {
+ struct aarch64_decode_header header;
+ union aarch64_decode_handler decode;
+};
+
+#define decode_get_type(_entry) ((_entry).header.type)
+
+#define decode_table_end(_entry) \
+ ((_entry).header.type == DECODE_TYPE_END)
+
+#define decode_table_hit(_entry, insn) \
+ ((insn & (_entry).header.mask) == (_entry).header.val)
+
+#define decode_prepare_fn(_entry) ((_entry).decode.actions.prepare)
+#define decode_handler_fn(_entry) ((_entry).decode.actions.handler)
+#define decode_sub_table(_entry) ((_entry).decode.table.tbl)
+
+#define DECODE_ADD_HEADER(_type, _val, _mask) \
+ .header = { \
+ .type = _type, \
+ .mask = _mask, \
+ .val = _val, \
+ },
+
+#define DECODE_ADD_ACTION(_prepare, _handler) \
+ .decode = { \
+ .actions = { \
+ .prepare = _prepare, \
+ .handler = _handler, \
+ } \
+ },
+
+#define DECODE_ADD_TABLE(_table) \
+ .decode = { \
+ .table = {.tbl = _table} \
+ },
+
+#define DECODE_REJECT(_v, _m) \
+ { DECODE_ADD_HEADER(DECODE_TYPE_REJECT, _v, _m) }
+
+#define DECODE_SINGLESTEP(_v, _m) \
+ { DECODE_ADD_HEADER(DECODE_TYPE_SINGLESTEP, _v, _m) }
+
+#define DECODE_SIMULATE(_v, _m, _p, _h) \
+ { DECODE_ADD_HEADER(DECODE_TYPE_SIMULATE, _v, _m) \
+ DECODE_ADD_ACTION(_p, _h) }
+
+#define DECODE_TABLE(_v, _m, _table) \
+ { DECODE_ADD_HEADER(DECODE_TYPE_TABLE, _v, _m) \
+ DECODE_ADD_TABLE(_table) }
+
+#define DECODE_LITERAL(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
+#define DECODE_BRANCH(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
+
+/* should be the last element in decode structure */
+#define DECODE_END { .header = {.type = DECODE_TYPE_END, } }
+
+#endif /* _ARM_KERNEL_PROBES_DECODE_H */
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index edf8715..ab7720b 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -63,6 +63,7 @@ SECTIONS
TEXT_TEXT
SCHED_TEXT
LOCK_TEXT
+ KPROBES_TEXT
HYPERVISOR_TEXT
*(.fixup)
*(.gnu.warning)
--
1.8.1.2

2014-11-18 06:33:13

by David Long

[permalink] [raw]
Subject: [PATCH v3 4/5] kprobes: Add arm64 case in kprobe example module

From: Sandeepa Prabhu <[email protected]>

Add info prints in sample kprobe handlers for ARM64

Signed-off-by: Sandeepa Prabhu <[email protected]>
---
samples/kprobes/kprobe_example.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/samples/kprobes/kprobe_example.c b/samples/kprobes/kprobe_example.c
index 366db1a..51d459c 100644
--- a/samples/kprobes/kprobe_example.c
+++ b/samples/kprobes/kprobe_example.c
@@ -42,6 +42,10 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs)
" ex1 = 0x%lx\n",
p->addr, regs->pc, regs->ex1);
#endif
+#ifdef CONFIG_ARM64
+ pr_info("pre_handler: p->addr = 0x%p, pc = 0x%lx\n",
+ p->addr, (long)regs->pc);
+#endif

/* A dump_stack() here will give a stack backtrace */
return 0;
@@ -67,6 +71,10 @@ static void handler_post(struct kprobe *p, struct pt_regs *regs,
printk(KERN_INFO "post_handler: p->addr = 0x%p, ex1 = 0x%lx\n",
p->addr, regs->ex1);
#endif
+#ifdef CONFIG_ARM64
+ pr_info("post_handler: p->addr = 0x%p, pc = 0x%lx\n",
+ p->addr, (long)regs->pc);
+#endif
}

/*
--
1.8.1.2

2014-11-18 06:33:12

by David Long

[permalink] [raw]
Subject: [PATCH v3 3/5] arm64: Add kernel return probes support(kretprobes)

From: Sandeepa Prabhu <[email protected]>

AArch64 ISA does not instructions to pop PC register value
from stack(like ARM v7 has ldmia {...,pc}) without using
one of the general purpose registers. This means return probes
cannot return to the actual return address directly without
modifying register context, and without trapping into debug exception.

So like many other architectures, we prepare a global routine
with NOPs, which serve as trampoline to hack away the
function return address, by placing an extra kprobe on the
trampoline entry.

The pre-handler of this special trampoline' kprobe execute return
probe handler functions and restore original return address in ELR_EL1,
this way, saved pt_regs still hold the original register context to be
carried back to the probed kernel function.

Signed-off-by: Sandeepa Prabhu <[email protected]>
Signed-off-by: David A. Long <[email protected]>
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/kprobes.h | 1 +
arch/arm64/kernel/kprobes.c | 114 ++++++++++++++++++++++++++++++++++++++-
3 files changed, 115 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 256ef90..02f31b7 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -61,6 +61,7 @@ config ARM64
select HAVE_RCU_TABLE_FREE
select HAVE_SYSCALL_TRACEPOINTS
select HAVE_KPROBES if !XIP_KERNEL
+ select HAVE_KRETPROBES if HAVE_KPROBES
select IRQ_DOMAIN
select MODULES_USE_ELF_RELA
select NO_BOOTMEM
diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
index b35d3b9..a2de3b8 100644
--- a/arch/arm64/include/asm/kprobes.h
+++ b/arch/arm64/include/asm/kprobes.h
@@ -56,5 +56,6 @@ void arch_remove_kprobe(struct kprobe *);
int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
int kprobe_exceptions_notify(struct notifier_block *self,
unsigned long val, void *data);
+void kretprobe_trampoline(void);

#endif /* _ARM_KPROBES_H */
diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
index 789ab61..be7c330 100644
--- a/arch/arm64/kernel/kprobes.c
+++ b/arch/arm64/kernel/kprobes.c
@@ -569,6 +569,117 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
return 0;
}

+/*
+ * Kretprobes: kernel return probes handling
+ *
+ * AArch64 mode does not support popping the PC value from the
+ * stack like on ARM 32-bit (ldmia {..,pc}), so atleast one
+ * register need to be used to achieve branching/return.
+ * It means return probes cannot return back to the original
+ * return address directly without modifying the register context.
+ *
+ * So like other architectures, we prepare a global routine
+ * with NOPs, which serve as trampoline address that hack away the
+ * function return, with the exact register context.
+ * Placing a kprobe on trampoline routine entry will trap again to
+ * execute return probe handlers and restore original return address
+ * in ELR_EL1, this way saved pt_regs still hold the original
+ * register values to be carried back to the caller.
+ */
+static void __used kretprobe_trampoline_holder(void)
+{
+ asm volatile (".global kretprobe_trampoline\n"
+ "kretprobe_trampoline:\n"
+ "NOP\n\t"
+ "NOP\n\t");
+}
+
+static int __kprobes
+trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
+{
+ struct kretprobe_instance *ri = NULL;
+ struct hlist_head *head, empty_rp;
+ struct hlist_node *tmp;
+ unsigned long flags, orig_ret_addr = 0;
+ unsigned long trampoline_address =
+ (unsigned long)&kretprobe_trampoline;
+
+ INIT_HLIST_HEAD(&empty_rp);
+ kretprobe_hash_lock(current, &head, &flags);
+
+ /*
+ * It is possible to have multiple instances associated with a given
+ * task either because multiple functions in the call path have
+ * a return probe installed on them, and/or more than one return
+ * probe was registered for a target function.
+ *
+ * We can handle this because:
+ * - instances are always inserted at the head of the list
+ * - when multiple return probes are registered for the same
+ * function, the first instance's ret_addr will point to the
+ * real return address, and all the rest will point to
+ * kretprobe_trampoline
+ */
+ hlist_for_each_entry_safe(ri, tmp, head, hlist) {
+ if (ri->task != current)
+ /* another task is sharing our hash bucket */
+ continue;
+
+ if (ri->rp && ri->rp->handler) {
+ __this_cpu_write(current_kprobe, &ri->rp->kp);
+ get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
+ ri->rp->handler(ri, regs);
+ __this_cpu_write(current_kprobe, NULL);
+ }
+
+ orig_ret_addr = (unsigned long)ri->ret_addr;
+ recycle_rp_inst(ri, &empty_rp);
+
+ if (orig_ret_addr != trampoline_address)
+ /*
+ * This is the real return address. Any other
+ * instances associated with this task are for
+ * other calls deeper on the call stack
+ */
+ break;
+ }
+
+ kretprobe_assert(ri, orig_ret_addr, trampoline_address);
+ /* restore the original return address */
+ instruction_pointer(regs) = orig_ret_addr;
+ reset_current_kprobe();
+ kretprobe_hash_unlock(current, &flags);
+
+ hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
+ hlist_del(&ri->hlist);
+ kfree(ri);
+ }
+
+ kprobes_restore_local_irqflag(regs);
+
+ /* return 1 so that post handlers not called */
+ return 1;
+}
+
+void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+ struct pt_regs *regs)
+{
+ ri->ret_addr = (kprobe_opcode_t *)regs->regs[30];
+
+ /* replace return addr (x30) with trampoline */
+ regs->regs[30] = (long)&kretprobe_trampoline;
+}
+
+static struct kprobe trampoline = {
+ .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
+ .pre_handler = trampoline_probe_handler
+};
+
+int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+{
+ return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline;
+}
+
/* Break Handler hook */
static struct break_hook kprobes_break_hook = {
.esr_mask = BRK64_ESR_MASK,
@@ -586,5 +697,6 @@ int __init arch_init_kprobes(void)
register_break_hook(&kprobes_break_hook);
register_step_hook(&kprobes_step_hook);

- return 0;
+ /* register trampoline for kret probe */
+ return register_kprobe(&trampoline);
}
--
1.8.1.2

2014-11-18 06:33:10

by David Long

[permalink] [raw]
Subject: [PATCH v3 2/5] arm64: Kprobes instruction simulation support

From: Sandeepa Prabhu <[email protected]>

Add support for AArch64 instruction simulation in kprobes.

Kprobes need simulation of instructions that cannot be stepped
right-away from different memory location. i.e. those instructions
that uses PC-relative addressing. In simulation, the behaviour
of the instruction is implemented using copy of pt_regs.

Following instruction catagories are simulated:
- All branching instructions(conditional, register, and immediate)
- Literal access instructions(load-literal, adr/adrp)

conditional execution are limited to branching instructions in
ARM v8. If conditions at PSTATE does not match the condition fields
of opcode, the instruction is effectively NOP. Kprobes consider
this case as 'miss'.

changes since v4:
from David A. Long:
1) Fix bogus simulate_ldrsw_literal() semantics.
from Will Cohen:
2) Remove PC adjustments when simulating an instruction.
3) Fix displacement calculations.

Signed-off-by: Sandeepa Prabhu <[email protected]>
Signed-off-by: William Cohen <[email protected]>
Signed-off-by: David A. Long <[email protected]>
---
arch/arm64/kernel/Makefile | 4 +-
arch/arm64/kernel/kprobes-arm64.c | 120 +++++++++++++++++++--
arch/arm64/kernel/kprobes-arm64.h | 2 +
arch/arm64/kernel/kprobes.c | 35 ++++++-
arch/arm64/kernel/probes-condn-check.c | 122 ++++++++++++++++++++++
arch/arm64/kernel/probes-simulate-insn.c | 174 +++++++++++++++++++++++++++++++
arch/arm64/kernel/probes-simulate-insn.h | 33 ++++++
7 files changed, 477 insertions(+), 13 deletions(-)
create mode 100644 arch/arm64/kernel/probes-condn-check.c
create mode 100644 arch/arm64/kernel/probes-simulate-insn.c
create mode 100644 arch/arm64/kernel/probes-simulate-insn.h

diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index df08c0e..fc9922f 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -29,7 +29,9 @@ arm64-obj-$(CONFIG_ARM64_CPU_SUSPEND) += sleep.o suspend.o
arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
arm64-obj-$(CONFIG_KGDB) += kgdb.o
-arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
+arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o \
+ probes-simulate-insn.o \
+ probes-condn-check.o
arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
arm64-obj-$(CONFIG_PCI) += pci.o

diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
index 30d1c14..bee7816 100644
--- a/arch/arm64/kernel/kprobes-arm64.c
+++ b/arch/arm64/kernel/kprobes-arm64.c
@@ -20,6 +20,101 @@

#include "probes-decode.h"
#include "kprobes-arm64.h"
+#include "probes-simulate-insn.h"
+
+/*
+ * condition check functions for kprobes simulation
+ */
+static unsigned long __kprobes
+__check_pstate(struct kprobe *p, struct pt_regs *regs)
+{
+ struct arch_specific_insn *asi = &p->ainsn;
+ unsigned long pstate = regs->pstate & 0xffffffff;
+
+ return asi->pstate_cc(pstate);
+}
+
+static unsigned long __kprobes
+__check_cbz(struct kprobe *p, struct pt_regs *regs)
+{
+ return check_cbz((u32)p->opcode, regs);
+}
+
+static unsigned long __kprobes
+__check_cbnz(struct kprobe *p, struct pt_regs *regs)
+{
+ return check_cbnz((u32)p->opcode, regs);
+}
+
+static unsigned long __kprobes
+__check_tbz(struct kprobe *p, struct pt_regs *regs)
+{
+ return check_tbz((u32)p->opcode, regs);
+}
+
+static unsigned long __kprobes
+__check_tbnz(struct kprobe *p, struct pt_regs *regs)
+{
+ return check_tbnz((u32)p->opcode, regs);
+}
+
+/*
+ * prepare functions for instruction simulation
+ */
+static void __kprobes
+prepare_none(struct kprobe *p, struct arch_specific_insn *asi)
+{
+}
+
+static void __kprobes
+prepare_bcond(struct kprobe *p, struct arch_specific_insn *asi)
+{
+ kprobe_opcode_t insn = p->opcode;
+
+ asi->check_condn = __check_pstate;
+ asi->pstate_cc = kprobe_condition_checks[insn & 0xf];
+}
+
+static void __kprobes
+prepare_cbz_cbnz(struct kprobe *p, struct arch_specific_insn *asi)
+{
+ kprobe_opcode_t insn = p->opcode;
+
+ asi->check_condn = (insn & (1 << 24)) ? __check_cbnz : __check_cbz;
+}
+
+static void __kprobes
+prepare_tbz_tbnz(struct kprobe *p, struct arch_specific_insn *asi)
+{
+ kprobe_opcode_t insn = p->opcode;
+
+ asi->check_condn = (insn & (1 << 24)) ? __check_tbnz : __check_tbz;
+}
+
+
+/* Load literal (PC-relative) instructions
+ * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
+ *
+ * opcode[26]: V=0, Load GP registers, simulate them.
+ * Encoding: xx01 1000 xxxx xxxx xxxx xxxx xxxx xxxx
+ * opcode[31:30]: op = 00, 01 - LDR literal
+ * opcode[31:30]: op = 10, - LDRSW literal
+ *
+ * 1. V=1 -Load FP/AdvSIMD registers
+ * Encoding: xx01 1100 xxxx xxxx xxxx xxxx xxxx xxxx
+ * 2. V=0,opc=11 -PRFM(Prefetch literal)
+ * Encoding: 1101 1000 xxxx xxxx xxxx xxxx xxxx xxxx
+ * Reject FP/AdvSIMD literal load & PRFM literal.
+ */
+static const struct aarch64_decode_item load_literal_subtable[] = {
+ DECODE_REJECT(0x1C000000, 0x3F000000),
+ DECODE_REJECT(0xD8000000, 0xFF000000),
+ DECODE_LITERAL(0x18000000, 0xBF000000, prepare_none,
+ simulate_ldr_literal),
+ DECODE_LITERAL(0x98000000, 0xFF000000, prepare_none,
+ simulate_ldrsw_literal),
+ DECODE_END,
+};

/* AArch64 instruction decode table for kprobes:
* The instruction will fall into one of the 3 groups:
@@ -43,7 +138,8 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
* Data processing - PC relative(literal) addressing:
* Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx
*/
- DECODE_REJECT(0x10000000, 0x1F000000),
+ DECODE_LITERAL(0x10000000, 0x1F000000, prepare_none,
+ simulate_adr_adrp),

/*
* Data processing - Add/Substract Immediate:
@@ -83,12 +179,16 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
* 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate)
* 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register)
*/
- DECODE_REJECT(0x14000000, 0x7C000000),
- DECODE_REJECT(0x14000000, 0x7C000000),
- DECODE_REJECT(0x34000000, 0x7E000000),
- DECODE_REJECT(0x36000000, 0x7E000000),
- DECODE_REJECT(0x54000000, 0xFE000000),
- DECODE_REJECT(0xD6000000, 0xFE000000),
+ DECODE_BRANCH(0x14000000, 0x7C000000, prepare_none,
+ simulate_b_bl),
+ DECODE_BRANCH(0x34000000, 0x7E000000, prepare_cbz_cbnz,
+ simulate_cbz_cbnz),
+ DECODE_BRANCH(0x36000000, 0x7E000000, prepare_tbz_tbnz,
+ simulate_tbz_tbnz),
+ DECODE_BRANCH(0x54000000, 0xFE000000, prepare_bcond,
+ simulate_b_cond),
+ DECODE_BRANCH(0xD6000000, 0xFE000000, prepare_none,
+ simulate_br_blr_ret),

/* System insn:
* Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx
@@ -119,7 +219,7 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
* Load/Store - PC relative(literal):
* Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
*/
- DECODE_REJECT(0x18000000, 0x3B000000),
+ DECODE_TABLE(0x18000000, 0x3B000000, load_literal_subtable),

/*
* Load/Store - Register Pair
@@ -188,7 +288,9 @@ kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
break;

case DECODE_TYPE_SIMULATE:
- ret = INSN_REJECTED;
+ asi->prepare = decode_prepare_fn(tbl[entry]);
+ asi->handler = decode_handler_fn(tbl[entry]);
+ ret = INSN_GOOD_NO_SLOT;
break;

case DECODE_TYPE_TABLE:
diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
index 87e7891..ff8a55f 100644
--- a/arch/arm64/kernel/kprobes-arm64.h
+++ b/arch/arm64/kernel/kprobes-arm64.h
@@ -22,6 +22,8 @@ enum kprobe_insn {
INSN_GOOD,
};

+extern kprobes_pstate_check_t * const kprobe_condition_checks[16];
+
enum kprobe_insn __kprobes
arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);

diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
index ca7fa10..789ab61 100644
--- a/arch/arm64/kernel/kprobes.c
+++ b/arch/arm64/kernel/kprobes.c
@@ -38,6 +38,9 @@
DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);

+static void __kprobes
+post_kprobe_handler(struct kprobe_ctlblk *, struct pt_regs *);
+
static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
{
/* prepare insn slot */
@@ -54,6 +57,27 @@ static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
p->ainsn.restore.type = RESTORE_PC;
}

+static void __kprobes arch_prepare_simulate(struct kprobe *p)
+{
+ if (p->ainsn.prepare)
+ p->ainsn.prepare(p, &p->ainsn);
+
+ /* This instructions is not executed xol. No need to adjust the PC */
+ p->ainsn.restore.addr = 0;
+ p->ainsn.restore.type = NO_RESTORE;
+}
+
+static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
+{
+ struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+ if (p->ainsn.handler)
+ p->ainsn.handler((u32)p->opcode, (long)p->addr, regs);
+
+ /* single step simulated, now go for post processing */
+ post_kprobe_handler(kcb, regs);
+}
+
int __kprobes arch_prepare_kprobe(struct kprobe *p)
{
kprobe_opcode_t insn;
@@ -72,7 +96,8 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
return -EINVAL;

case INSN_GOOD_NO_SLOT: /* insn need simulation */
- return -EINVAL;
+ p->ainsn.insn = NULL;
+ break;

case INSN_GOOD: /* instruction uses slot */
p->ainsn.insn = get_insn_slot();
@@ -82,7 +107,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
};

/* prepare the instruction */
- arch_prepare_ss_slot(p);
+ if (p->ainsn.insn)
+ arch_prepare_ss_slot(p);
+ else
+ arch_prepare_simulate(p);

return 0;
}
@@ -235,7 +263,8 @@ static void __kprobes setup_singlestep(struct kprobe *p,
kernel_enable_single_step(regs);
instruction_pointer(regs) = slot;
} else {
- BUG();
+ /* insn simulation */
+ arch_simulate_insn(p, regs);
}
}

diff --git a/arch/arm64/kernel/probes-condn-check.c b/arch/arm64/kernel/probes-condn-check.c
new file mode 100644
index 0000000..e68aa0c
--- /dev/null
+++ b/arch/arm64/kernel/probes-condn-check.c
@@ -0,0 +1,122 @@
+/*
+ * arch/arm64/kernel/probes-condn-check.c
+ *
+ * Copyright (C) 2013 Linaro Limited
+ *
+ * Copied from: arch/arm/kernel/kprobes-common.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * Description:
+ *
+ * AArch64 and AArch32 shares same conditional(CNZV) flags encoding.
+ * This file implements conditional check helpers compatible with
+ * both AArch64 and AArch32 modes. Uprobes on v8 can handle both 32-bit
+ * & 64-bit user-space instructions, so we abstract the common functions
+ * in this file. While AArch64 and AArch32 specific instruction handling
+ * are implemented in separate files, this file contains common bits.
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <asm/probes.h>
+
+static unsigned long __kprobes __check_eq(unsigned long pstate)
+{
+ return pstate & PSR_Z_BIT;
+}
+
+static unsigned long __kprobes __check_ne(unsigned long pstate)
+{
+ return (~pstate) & PSR_Z_BIT;
+}
+
+static unsigned long __kprobes __check_cs(unsigned long pstate)
+{
+ return pstate & PSR_C_BIT;
+}
+
+static unsigned long __kprobes __check_cc(unsigned long pstate)
+{
+ return (~pstate) & PSR_C_BIT;
+}
+
+static unsigned long __kprobes __check_mi(unsigned long pstate)
+{
+ return pstate & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_pl(unsigned long pstate)
+{
+ return (~pstate) & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_vs(unsigned long pstate)
+{
+ return pstate & PSR_V_BIT;
+}
+
+static unsigned long __kprobes __check_vc(unsigned long pstate)
+{
+ return (~pstate) & PSR_V_BIT;
+}
+
+static unsigned long __kprobes __check_hi(unsigned long pstate)
+{
+ pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
+ return pstate & PSR_C_BIT;
+}
+
+static unsigned long __kprobes __check_ls(unsigned long pstate)
+{
+ pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
+ return (~pstate) & PSR_C_BIT;
+}
+
+static unsigned long __kprobes __check_ge(unsigned long pstate)
+{
+ pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */
+ return (~pstate) & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_lt(unsigned long pstate)
+{
+ pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */
+ return pstate & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_gt(unsigned long pstate)
+{
+ /*PSR_N_BIT ^= PSR_V_BIT */
+ unsigned long temp = pstate ^ (pstate << 3);
+
+ temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */
+ return (~temp) & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_le(unsigned long pstate)
+{
+ /*PSR_N_BIT ^= PSR_V_BIT */
+ unsigned long temp = pstate ^ (pstate << 3);
+
+ temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */
+ return temp & PSR_N_BIT;
+}
+
+static unsigned long __kprobes __check_al(unsigned long pstate)
+{
+ return true;
+}
+
+kprobes_pstate_check_t * const kprobe_condition_checks[16] = {
+ &__check_eq, &__check_ne, &__check_cs, &__check_cc,
+ &__check_mi, &__check_pl, &__check_vs, &__check_vc,
+ &__check_hi, &__check_ls, &__check_ge, &__check_lt,
+ &__check_gt, &__check_le, &__check_al, &__check_al
+};
diff --git a/arch/arm64/kernel/probes-simulate-insn.c b/arch/arm64/kernel/probes-simulate-insn.c
new file mode 100644
index 0000000..a224c91
--- /dev/null
+++ b/arch/arm64/kernel/probes-simulate-insn.c
@@ -0,0 +1,174 @@
+/*
+ * arch/arm64/kernel/probes-simulate-insn.c
+ *
+ * Copyright (C) 2013 Linaro Limited.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/module.h>
+
+#include "probes-simulate-insn.h"
+
+#define sign_extend(x, signbit) \
+ ((x) | (0 - ((x) & (1 << (signbit)))))
+
+#define bbl_displacement(insn) \
+ sign_extend(((insn) & 0x3ffffff) << 2, 27)
+
+#define bcond_displacement(insn) \
+ sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
+
+#define cbz_displacement(insn) \
+ sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
+
+#define tbz_displacement(insn) \
+ sign_extend(((insn >> 5) & 0x3fff) << 2, 15)
+
+#define ldr_displacement(insn) \
+ sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
+
+
+unsigned long __kprobes check_cbz(u32 opcode, struct pt_regs *regs)
+{
+ int xn = opcode & 0x1f;
+
+ return (opcode & (1 << 31)) ?
+ !(regs->regs[xn]) : !(regs->regs[xn] & 0xffffffff);
+}
+
+unsigned long __kprobes check_cbnz(u32 opcode, struct pt_regs *regs)
+{
+ int xn = opcode & 0x1f;
+
+ return (opcode & (1 << 31)) ?
+ (regs->regs[xn]) : (regs->regs[xn] & 0xffffffff);
+}
+
+unsigned long __kprobes check_tbz(u32 opcode, struct pt_regs *regs)
+{
+ int xn = opcode & 0x1f;
+ int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
+
+ return ~((regs->regs[xn] >> bit_pos) & 0x1);
+}
+
+unsigned long __kprobes check_tbnz(u32 opcode, struct pt_regs *regs)
+{
+ int xn = opcode & 0x1f;
+ int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
+
+ return (regs->regs[xn] >> bit_pos) & 0x1;
+}
+
+/*
+ * instruction simulate functions
+ */
+void __kprobes simulate_none(u32 opcode, long addr, struct pt_regs *regs)
+{
+}
+
+void __kprobes
+simulate_adr_adrp(u32 opcode, long addr, struct pt_regs *regs)
+{
+ long imm, xn, val;
+
+ xn = opcode & 0x1f;
+ imm = ((opcode >> 3) & 0x1ffffc) | ((opcode >> 29) & 0x3);
+ imm = sign_extend(imm, 20);
+ if (opcode & 0x80000000)
+ val = (imm<<12) + (addr & 0xfffffffffffff000);
+ else
+ val = imm + addr;
+
+ regs->regs[xn] = val;
+
+ instruction_pointer(regs) += 4;
+}
+
+void __kprobes
+simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs)
+{
+ int disp = bbl_displacement(opcode);
+
+ /* Link register is x30 */
+ if (opcode & (1 << 31))
+ regs->regs[30] = addr + 4;
+
+ instruction_pointer(regs) = addr + disp;
+}
+
+void __kprobes
+simulate_b_cond(u32 opcode, long addr, struct pt_regs *regs)
+{
+ int disp = bcond_displacement(opcode);
+
+ instruction_pointer(regs) = addr + disp;
+}
+
+void __kprobes
+simulate_br_blr_ret(u32 opcode, long addr, struct pt_regs *regs)
+{
+ int xn = (opcode >> 5) & 0x1f;
+
+ /* Link register is x30 */
+ if (((opcode >> 21) & 0x3) == 1)
+ regs->regs[30] = addr + 4;
+
+ instruction_pointer(regs) = regs->regs[xn];
+}
+
+void __kprobes
+simulate_cbz_cbnz(u32 opcode, long addr, struct pt_regs *regs)
+{
+ int disp = cbz_displacement(opcode);
+
+ instruction_pointer(regs) = addr + disp;
+}
+
+void __kprobes
+simulate_tbz_tbnz(u32 opcode, long addr, struct pt_regs *regs)
+{
+ int disp = tbz_displacement(opcode);
+
+ instruction_pointer(regs) = addr + disp;
+}
+
+void __kprobes
+simulate_ldr_literal(u32 opcode, long addr, struct pt_regs *regs)
+{
+ u64 *load_addr;
+ int xn = opcode & 0x1f;
+ int disp = ldr_displacement(opcode);
+
+ load_addr = (u64 *) (addr + disp);
+
+ if (opcode & (1 << 30)) /* x0-x31 */
+ regs->regs[xn] = *load_addr;
+ else /* w0-w31 */
+ *(u32 *) (&regs->regs[xn]) = (*(u32 *) (load_addr));
+
+ instruction_pointer(regs) += 4;
+}
+
+void __kprobes
+simulate_ldrsw_literal(u32 opcode, long addr, struct pt_regs *regs)
+{
+ s32 *load_addr;
+ int xn = opcode & 0x1f;
+ int disp = ldr_displacement(opcode);
+
+ load_addr = (s32 *) (addr + disp);
+ regs->regs[xn] = *load_addr;
+
+ instruction_pointer(regs) += 4;
+}
diff --git a/arch/arm64/kernel/probes-simulate-insn.h b/arch/arm64/kernel/probes-simulate-insn.h
new file mode 100644
index 0000000..406f5c2
--- /dev/null
+++ b/arch/arm64/kernel/probes-simulate-insn.h
@@ -0,0 +1,33 @@
+/*
+ * arch/arm64/kernel/probes-simulate-insn.h
+ *
+ * Copyright (C) 2013 Linaro Limited
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#ifndef _ARM_KERNEL_PROBES_SIMULATE_INSN_H
+#define _ARM_KERNEL_PROBES_SIMULATE_INSN_H
+
+unsigned long check_cbz(u32 opcode, struct pt_regs *regs);
+unsigned long check_cbnz(u32 opcode, struct pt_regs *regs);
+unsigned long check_tbz(u32 opcode, struct pt_regs *regs);
+unsigned long check_tbnz(u32 opcode, struct pt_regs *regs);
+void simulate_none(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_adr_adrp(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_b_cond(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_br_blr_ret(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_cbz_cbnz(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_tbz_tbnz(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_ldr_literal(u32 opcode, long addr, struct pt_regs *regs);
+void simulate_ldrsw_literal(u32 opcode, long addr, struct pt_regs *regs);
+
+#endif /* _ARM_KERNEL_PROBES_SIMULATE_INSN_H */
--
1.8.1.2

2014-11-18 06:34:27

by David Long

[permalink] [raw]
Subject: [PATCH v3 5/5] arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature

From: "David A. Long" <[email protected]>

Add HAVE_REGS_AND_STACK_ACCESS_API feature for arm64.

Signed-off-by: David A. Long <[email protected]>
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/ptrace.h | 29 +++++++++
arch/arm64/include/uapi/asm/ptrace.h | 36 +++++++++++
arch/arm64/kernel/ptrace.c | 119 +++++++++++++++++++++++++++++++++++
4 files changed, 185 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 02f31b7..bc9b516 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -58,6 +58,7 @@ config ARM64
select HAVE_PERF_EVENTS
select HAVE_PERF_REGS
select HAVE_PERF_USER_STACK_DUMP
+ select HAVE_REGS_AND_STACK_ACCESS_API
select HAVE_RCU_TABLE_FREE
select HAVE_SYSCALL_TRACEPOINTS
select HAVE_KPROBES if !XIP_KERNEL
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index d3e782a..24cc048 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -111,6 +111,8 @@ struct pt_regs {
u64 syscallno;
};

+#define MAX_REG_OFFSET (offsetof(struct pt_regs, orig_x0))
+
#define arch_has_single_step() (1)

#ifdef CONFIG_COMPAT
@@ -139,11 +141,38 @@ struct pt_regs {
#define user_stack_pointer(regs) \
(!compat_user_mode(regs) ? (regs)->sp : (regs)->compat_sp)

+/**
+ * regs_get_register() - get register value from its offset
+ * @regs: pt_regs from which register value is gotten
+ * @offset: offset number of the register.
+ *
+ * regs_get_register returns the value of a register whose offset from @regs.
+ * The @offset is the offset of the register in struct pt_regs.
+ * If @offset is bigger than MAX_REG_OFFSET, this returns 0.
+ */
+static inline u64 regs_get_register(struct pt_regs *regs,
+ unsigned int offset)
+{
+ if (unlikely(offset > MAX_REG_OFFSET))
+ return 0;
+ return *(u64 *)((u64)regs + offset);
+}
+
+/* Valid only for Kernel mode traps. */
+static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+{
+ return regs->ARM_sp;
+}
+
static inline unsigned long regs_return_value(struct pt_regs *regs)
{
return regs->regs[0];
}

+extern int regs_query_register_offset(const char *name);
+extern unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ unsigned int n);
+
/*
* Are the current registers suitable for user mode? (used to maintain
* security in signal handlers)
diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
index 6913643..700d28b 100644
--- a/arch/arm64/include/uapi/asm/ptrace.h
+++ b/arch/arm64/include/uapi/asm/ptrace.h
@@ -61,6 +61,42 @@

#ifndef __ASSEMBLY__

+#define ARM_cpsr pstate
+#define ARM_pc pc
+#define ARM_sp sp
+#define ARM_lr regs[30]
+#define ARM_fp regs[29]
+#define ARM_x28 regs[28]
+#define ARM_x27 regs[27]
+#define ARM_x26 regs[26]
+#define ARM_x25 regs[25]
+#define ARM_x24 regs[24]
+#define ARM_x23 regs[23]
+#define ARM_x22 regs[22]
+#define ARM_x21 regs[21]
+#define ARM_x20 regs[20]
+#define ARM_x19 regs[19]
+#define ARM_x18 regs[18]
+#define ARM_ip1 regs[17]
+#define ARM_ip0 regs[16]
+#define ARM_x15 regs[15]
+#define ARM_x14 regs[14]
+#define ARM_x13 regs[13]
+#define ARM_x12 regs[12]
+#define ARM_x11 regs[11]
+#define ARM_x10 regs[10]
+#define ARM_x9 regs[9]
+#define ARM_x8 regs[8]
+#define ARM_x7 regs[7]
+#define ARM_x6 regs[6]
+#define ARM_x5 regs[5]
+#define ARM_x4 regs[4]
+#define ARM_x3 regs[3]
+#define ARM_x2 regs[2]
+#define ARM_x1 regs[1]
+#define ARM_x0 regs[0]
+#define ARM_ORIG_x0 orig_x0
+
/*
* User structures for general purpose, floating point and debug registers.
*/
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 8a4ae8e..36a94c8 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -47,6 +47,125 @@
#define CREATE_TRACE_POINTS
#include <trace/events/syscalls.h>

+struct pt_regs_offset {
+ const char *name;
+ int offset;
+};
+
+#define REG_OFFSET_NAME(r) \
+ {.name = #r, .offset = offsetof(struct pt_regs, ARM_##r)}
+#define REG_OFFSET_END {.name = NULL, .offset = 0}
+
+static const struct pt_regs_offset regoffset_table[] = {
+ REG_OFFSET_NAME(x0),
+ REG_OFFSET_NAME(x1),
+ REG_OFFSET_NAME(x2),
+ REG_OFFSET_NAME(x3),
+ REG_OFFSET_NAME(x4),
+ REG_OFFSET_NAME(x5),
+ REG_OFFSET_NAME(x6),
+ REG_OFFSET_NAME(x7),
+ REG_OFFSET_NAME(x8),
+ REG_OFFSET_NAME(x9),
+ REG_OFFSET_NAME(x10),
+ REG_OFFSET_NAME(x11),
+ REG_OFFSET_NAME(x12),
+ REG_OFFSET_NAME(x13),
+ REG_OFFSET_NAME(x14),
+ REG_OFFSET_NAME(x15),
+ REG_OFFSET_NAME(ip0),
+ REG_OFFSET_NAME(ip1),
+ REG_OFFSET_NAME(x18),
+ REG_OFFSET_NAME(x19),
+ REG_OFFSET_NAME(x20),
+ REG_OFFSET_NAME(x21),
+ REG_OFFSET_NAME(x22),
+ REG_OFFSET_NAME(x23),
+ REG_OFFSET_NAME(x24),
+ REG_OFFSET_NAME(x25),
+ REG_OFFSET_NAME(x26),
+ REG_OFFSET_NAME(x27),
+ REG_OFFSET_NAME(x28),
+ REG_OFFSET_NAME(fp),
+ REG_OFFSET_NAME(lr),
+/*
+ REG_OFFSET_NAME(ip),
+*/
+ REG_OFFSET_NAME(sp),
+ REG_OFFSET_NAME(pc),
+ REG_OFFSET_NAME(cpsr),
+ REG_OFFSET_NAME(ORIG_x0),
+ REG_OFFSET_END,
+};
+
+/**
+ * regs_query_register_offset() - query register offset from its name
+ * @name: the name of a register
+ *
+ * regs_query_register_offset() returns the offset of a register in struct
+ * pt_regs from its name. If the name is invalid, this returns -EINVAL;
+ */
+int regs_query_register_offset(const char *name)
+{
+ const struct pt_regs_offset *roff;
+
+ for (roff = regoffset_table; roff->name != NULL; roff++)
+ if (!strcmp(roff->name, name))
+ return roff->offset;
+ return -EINVAL;
+}
+
+/**
+ * regs_query_register_name() - query register name from its offset
+ * @offset: the offset of a register in struct pt_regs.
+ *
+ * regs_query_register_name() returns the name of a register from its
+ * offset in struct pt_regs. If the @offset is invalid, this returns NULL;
+ */
+const char *regs_query_register_name(unsigned int offset)
+{
+ const struct pt_regs_offset *roff;
+
+ for (roff = regoffset_table; roff->name != NULL; roff++)
+ if (roff->offset == offset)
+ return roff->name;
+ return NULL;
+}
+
+/**
+ * regs_within_kernel_stack() - check the address in the stack
+ * @regs: pt_regs which contains kernel stack pointer.
+ * @addr: address which is checked.
+ *
+ * regs_within_kernel_stack() checks @addr is within the kernel stack page(s).
+ * If @addr is within the kernel stack, it returns true. If not, returns false.
+ */
+bool regs_within_kernel_stack(struct pt_regs *regs, unsigned long addr)
+{
+ return ((addr & ~(THREAD_SIZE - 1)) ==
+ (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1)));
+}
+
+/**
+ * regs_get_kernel_stack_nth() - get Nth entry of the stack
+ * @regs: pt_regs which contains kernel stack pointer.
+ * @n: stack entry number.
+ *
+ * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which
+ * is specified by @regs. If the @n th entry is NOT in the kernel stack,
+ * this returns 0.
+ */
+unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, unsigned int n)
+{
+ unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
+
+ addr += n;
+ if (regs_within_kernel_stack(regs, (unsigned long)addr))
+ return *addr;
+ else
+ return 0;
+}
+
/*
* TODO: does not yet catch signals sent when the child dies.
* in exit.c or in signal.c.
--
1.8.1.2

2014-11-18 13:28:45

by Jon Medhurst (Tixy)

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On Tue, 2014-11-18 at 01:32 -0500, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.
>
> Kprobes will utilize software breakpoint and single step debug
> exceptions supported on ARM v8.
>
> software breakpoint is placed at the probe address to trap the
> kernel execution into kprobe handler.
>
> ARM v8 support single stepping to be enabled while exception return
> (ERET) with next PC in exception return address (ELR_EL1).
> kprobe handler prepares a executable memory slot for out-of-line
> execution with the copy of the original instruction under probe, and
> enable single stepping from the instruction slot. With this scheme,
> the instruction is executed with the exact same register context
> 'except PC' that points to instruction slot.
>
> Debug mask(PSTATE.D) is enabled only when single stepping a recursive
> kprobes i.e. during kprobes reenter so that probes instruction can be
> single stepped within the kprobe handler -exception- context.

Does this mean that at the point the probed instruction is
single-stepped there is nothing extra that has been pushed on on the
kernel stack by any kprobes handling code? I just want to check that you
aren't going to hit the problems that the 32-bit kprobes code is
currently being fixed for [1].

The simulated instructions in patch 2 don't access the stack, so they
are safe from the problem.

[1] http://lists.infradead.org/pipermail/linux-arm-kernel/2014-November/303525.html

--
Tixy

2014-11-18 14:39:58

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 11/18/2014 01:32 AM, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.
>
> Kprobes will utilize software breakpoint and single step debug
> exceptions supported on ARM v8.
>
> software breakpoint is placed at the probe address to trap the
> kernel execution into kprobe handler.
>
> ARM v8 support single stepping to be enabled while exception return
> (ERET) with next PC in exception return address (ELR_EL1).
> kprobe handler prepares a executable memory slot for out-of-line
> execution with the copy of the original instruction under probe, and
> enable single stepping from the instruction slot. With this scheme,
> the instruction is executed with the exact same register context
> 'except PC' that points to instruction slot.
>
> Debug mask(PSTATE.D) is enabled only when single stepping a recursive
> kprobes i.e. during kprobes reenter so that probes instruction can be
> single stepped within the kprobe handler -exception- context.
> The recursion depth of kprobe is always 2, i.e. upon probe re-entry,
> any further re-entry is prevented by not calling handlers and the case
> counted as missed kprobe)
>
> Single stepping from slot has drawback on PC-relative accesses
> like branching and symbolic literals access as offset from new PC
> (slot address) may not be ensured to fit in immediate value of
> opcode, Such instructions needs simulation, so reject
> probing such instructions.

The above paragraph doesn't seem correct. arm64 kprobes does allow probing instructions that can't be single stepped XOL. kprobes will use simulation in those cases. It might be simpler describe the three possible methods of handling a potential probe point: single step instruction xol, instruction simulation, and reject probe point, then for each describe why it would be used.

>
> Instructions generating exceptions or cpu mode change are rejected,
> and not allowed to insert probe for these instructions.
>
> Instructions using Exclusive Monitor are rejected right too.
>
> System instructions are mostly enabled for stepping, except MSR
> immediate that update "daif" flags in PSTATE, which are not safe
> for probing -rejected.
>
> Changes since v4:
> from David Long:
> 1) Removed unnecessary addtion of NOP after out-of-line instruction.
> from Will Cohen:
> 2) Disable local irq while executing out of line instruction.
>
> Signed-off-by: Sandeepa Prabhu <[email protected]>
> Signed-off-by: William Cohen <[email protected]>
> Signed-off-by: David A. Long <[email protected]>
> ---
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/kprobes.h | 60 ++++
> arch/arm64/include/asm/probes.h | 50 ++++
> arch/arm64/include/asm/ptrace.h | 3 +-
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/kprobes-arm64.c | 211 ++++++++++++++
> arch/arm64/kernel/kprobes-arm64.h | 28 ++
> arch/arm64/kernel/kprobes.c | 561 ++++++++++++++++++++++++++++++++++++++
> arch/arm64/kernel/kprobes.h | 30 ++
> arch/arm64/kernel/probes-decode.h | 110 ++++++++
> arch/arm64/kernel/vmlinux.lds.S | 1 +
> 11 files changed, 1055 insertions(+), 1 deletion(-)
> create mode 100644 arch/arm64/include/asm/kprobes.h
> create mode 100644 arch/arm64/include/asm/probes.h
> create mode 100644 arch/arm64/kernel/kprobes-arm64.c
> create mode 100644 arch/arm64/kernel/kprobes-arm64.h
> create mode 100644 arch/arm64/kernel/kprobes.c
> create mode 100644 arch/arm64/kernel/kprobes.h
> create mode 100644 arch/arm64/kernel/probes-decode.h
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 9532f8d..256ef90 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -60,6 +60,7 @@ config ARM64
> select HAVE_PERF_USER_STACK_DUMP
> select HAVE_RCU_TABLE_FREE
> select HAVE_SYSCALL_TRACEPOINTS
> + select HAVE_KPROBES if !XIP_KERNEL
> select IRQ_DOMAIN
> select MODULES_USE_ELF_RELA
> select NO_BOOTMEM
> diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
> new file mode 100644
> index 0000000..b35d3b9
> --- /dev/null
> +++ b/arch/arm64/include/asm/kprobes.h
> @@ -0,0 +1,60 @@
> +/*
> + * arch/arm64/include/asm/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KPROBES_H
> +#define _ARM_KPROBES_H
> +
> +#include <linux/types.h>
> +#include <linux/ptrace.h>
> +#include <linux/percpu.h>
> +
> +#define __ARCH_WANT_KPROBES_INSN_SLOT
> +#define MAX_INSN_SIZE 1
> +#define MAX_STACK_SIZE 128
> +
> +#define flush_insn_slot(p) do { } while (0)
> +#define kretprobe_blacklist_size 0
> +
> +#include <asm/probes.h>
> +
> +struct prev_kprobe {
> + struct kprobe *kp;
> + unsigned int status;
> +};
> +
> +/* Single step context for kprobe */
> +struct kprobe_step_ctx {
> +#define KPROBES_STEP_NONE 0x0
> +#define KPROBES_STEP_PENDING 0x1
> + unsigned long ss_status;
> + unsigned long match_addr;
> +};
> +
> +/* per-cpu kprobe control block */
> +struct kprobe_ctlblk {
> + unsigned int kprobe_status;
> + unsigned long saved_irqflag;
> + struct prev_kprobe prev_kprobe;
> + struct kprobe_step_ctx ss_ctx;
> + struct pt_regs jprobe_saved_regs;
> + char jprobes_stack[MAX_STACK_SIZE];
> +};
> +
> +void arch_remove_kprobe(struct kprobe *);
> +int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
> +int kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data);
> +
> +#endif /* _ARM_KPROBES_H */
> diff --git a/arch/arm64/include/asm/probes.h b/arch/arm64/include/asm/probes.h
> new file mode 100644
> index 0000000..9dba74d
> --- /dev/null
> +++ b/arch/arm64/include/asm/probes.h
> @@ -0,0 +1,50 @@
> +/*
> + * arch/arm64/include/asm/probes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +#ifndef _ARM_PROBES_H
> +#define _ARM_PROBES_H
> +
> +struct kprobe;
> +struct arch_specific_insn;
> +
> +typedef u32 kprobe_opcode_t;
> +typedef unsigned long (kprobes_pstate_check_t)(unsigned long);
> +typedef unsigned long
> +(kprobes_condition_check_t)(struct kprobe *p, struct pt_regs *);
> +typedef void
> +(kprobes_prepare_t)(struct kprobe *, struct arch_specific_insn *);
> +typedef void (kprobes_handler_t) (u32 opcode, long addr, struct pt_regs *);
> +
> +enum pc_restore_type {
> + NO_RESTORE,
> + RESTORE_PC,
> +};
> +
> +struct kprobe_pc_restore {
> + enum pc_restore_type type;
> + unsigned long addr;
> +};
> +
> +/* architecture specific copy of original instruction */
> +struct arch_specific_insn {
> + kprobe_opcode_t *insn;
> + kprobes_pstate_check_t *pstate_cc;
> + kprobes_condition_check_t *check_condn;
> + kprobes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> + /* restore address after step xol */
> + struct kprobe_pc_restore restore;
> +};
> +
> +#endif
> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
> index 41ed9e1..d3e782a 100644
> --- a/arch/arm64/include/asm/ptrace.h
> +++ b/arch/arm64/include/asm/ptrace.h
> @@ -174,7 +174,8 @@ static inline int valid_user_regs(struct user_pt_regs *regs)
> return 0;
> }
>
> -#define instruction_pointer(regs) ((unsigned long)(regs)->pc)
> +#define instruction_pointer(regs) ((regs)->pc)
> +#define stack_pointer(regs) ((regs)->sp)
>
> #ifdef CONFIG_SMP
> extern unsigned long profile_pc(struct pt_regs *regs);
> diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> index 5bd029b..df08c0e 100644
> --- a/arch/arm64/kernel/Makefile
> +++ b/arch/arm64/kernel/Makefile
> @@ -29,6 +29,7 @@ arm64-obj-$(CONFIG_ARM64_CPU_SUSPEND) += sleep.o suspend.o
> arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
> arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
> arm64-obj-$(CONFIG_KGDB) += kgdb.o
> +arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
> arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
> arm64-obj-$(CONFIG_PCI) += pci.o
>
> diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
> new file mode 100644
> index 0000000..30d1c14
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.c
> @@ -0,0 +1,211 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.c
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <asm/kprobes.h>
> +
> +#include "probes-decode.h"
> +#include "kprobes-arm64.h"
> +
> +/* AArch64 instruction decode table for kprobes:
> + * The instruction will fall into one of the 3 groups:
> + * 1. Single stepped out-of-the-line slot.
> + * -Most instructions fall in this group, those does not
> + * depend on PC address.
> + *
> + * 2. Should be simulated because of PC-relative/literal access.
> + * -All branching and PC-relative insrtcutions are simulated
> + * in C code, making use of saved pt_regs
> + * Catch: SIMD/NEON register context are not saved while
> + * entering debug exception, so are rejected for now.
> + *
> + * 3. Cannot be probed(not safe) so are rejected.
> + * - Exception generation and exception return instructions
> + * - Exclusive monitor(LDREX/STREX family)
> + *
> + */
> +static const struct aarch64_decode_item aarch64_decode_table[] = {
> + /*
> + * Data processing - PC relative(literal) addressing:
> + * Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_REJECT(0x10000000, 0x1F000000),
> +
> + /*
> + * Data processing - Add/Substract Immediate:
> + * Encoding: xxx1 0001 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x11000000, 0x1F000000),
> +
> + /*
> + * Data processing
> + * Encoding:
> + * xxx1 0010 0xxx xxxx xxxx xxxx xxxx xxxx (Logical)
> + * xxx1 0010 1xxx xxxx xxxx xxxx xxxx xxxx (Move wide)
> + * xxx1 0011 0xxx xxxx xxxx xxxx xxxx xxxx (Bitfield)
> + * xxx1 0011 1xxx xxxx xxxx xxxx xxxx xxxx (Extract)
> + */
> + DECODE_SINGLESTEP(0x12000000, 0x1E000000),
> +
> + /*
> + * Data processing - SIMD/FP/AdvSIMD/Crypto-AES/SHA
> + * Encoding: xxx0 111x xxxx xxxx xxxx xxxx xxxx xxxx
> + * Encoding: xxx1 111x xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x0E000000, 0x0E000000),
> +
> + /*
> + * Data processing - Register
> + * Encoding: xxxx 101x xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x0A000000, 0x0E000000),
> +
> + /* Branching Instructions
> + *
> + * Encoding:
> + * x001 01xx xxxx xxxx xxxx xxxx xxxx xxxx (uncondtional Branch)
> + * x011 010x xxxx xxxx xxxx xxxx xxxx xxxx (compare & branch)
> + * x011 011x xxxx xxxx xxxx xxxx xxxx xxxx (Test & Branch)
> + * 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate)
> + * 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register)
> + */
> + DECODE_REJECT(0x14000000, 0x7C000000),
> + DECODE_REJECT(0x14000000, 0x7C000000),
> + DECODE_REJECT(0x34000000, 0x7E000000),
> + DECODE_REJECT(0x36000000, 0x7E000000),
> + DECODE_REJECT(0x54000000, 0xFE000000),
> + DECODE_REJECT(0xD6000000, 0xFE000000),
> +
> + /* System insn:
> + * Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx
> + *
> + * Note: MSR immediate (update PSTATE daif) is not safe handling
> + * within kprobes, rejected.
> + *
> + * Don't re-arrange these decode table entries.
> + */
> + DECODE_REJECT(0xD500401F, 0xFFF8F01F),
> + DECODE_SINGLESTEP(0xD5000000, 0xFFC00000),
> +
> + /* Exception Generation:
> + * Encoding: 1101 0100 xxxx xxxx xxxx xxxx xxxx xxxx
> + * Instructions: SVC, HVC, SMC, BRK, HLT, DCPS1, DCPS2, DCPS3
> + */
> + DECODE_REJECT(0xD4000000, 0xFF000000),
> +
> + /*
> + * Load/Store - Exclusive monitor
> + * Encoding: xx00 1000 xxxx xxxx xxxx xxxx xxxx xxxx
> + *
> + * Reject exlusive monitor'ed instructions
> + */
> + DECODE_REJECT(0x08000000, 0x3F000000),
> +
> + /*
> + * Load/Store - PC relative(literal):
> + * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_REJECT(0x18000000, 0x3B000000),
> +
> + /*
> + * Load/Store - Register Pair
> + * Encoding:
> + * xx10 1x00 0xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x00 1xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x01 0xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x01 1xxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x28000000, 0x3A000000),
> +
> + /*
> + * Load/Store - Register
> + * Encoding:
> + * xx11 1x00 xx0x xxxx xxxx 00xx xxxx xxxx (unscaled imm)
> + * xx11 1x00 xx0x xxxx xxxx 01xx xxxx xxxx (imm post-indexed)
> + * xx11 1x00 xx0x xxxx xxxx 10xx xxxx xxxx (unpriviledged)
> + * xx11 1x00 xx0x xxxx xxxx 11xx xxxx xxxx (imm pre-indexed)
> + *
> + * xx11 1x00 xx10 xxxx xxxx xx10 xxxx xxxx (register offset)
> + *
> + * xx11 1x01 xxxx xxxx xxxx xxxx xxxx xxxx (unsigned imm)
> + */
> + DECODE_SINGLESTEP(0x38000000, 0x3B200000),
> + DECODE_SINGLESTEP(0x38200200, 0x38300300),
> + DECODE_SINGLESTEP(0x39000000, 0x3B000000),
> +
> + /*
> + * Load/Store - AdvSIMD
> + * Encoding:
> + * 0x00 1100 0x00 0000 xxxx xxxx xxxx xxxx (Multiple-structure)
> + * 0x00 1100 1x0x xxxx xxxx xxxx xxxx xxxx (Multi-struct post-indexed)
> + * 0x00 1101 0xx0 0000 xxxx xxxx xxxx xxxx (Single-structure))
> + * 0x00 1101 1xxx xxxx xxxx xxxx xxxx xxxx (Single-struct post-index)
> + */
> + DECODE_SINGLESTEP(0x0C000000, 0xBFBF0000),
> + DECODE_SINGLESTEP(0x0C800000, 0xBFA00000),
> + DECODE_SINGLESTEP(0x0D000000, 0xBF9F0000),
> + DECODE_SINGLESTEP(0x0D800000, 0xBF800000),
> +
> + /* Unallocated: xxx0 0xxx xxxx xxxx xxxx xxxx xxxx xxxx */
> + DECODE_REJECT(0x00000000, 0x18000000),
> + DECODE_END,
> +};
> +
> +static int __kprobes
> +kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
> + const struct aarch64_decode_item *tbl)
> +{
> + unsigned int entry, ret = INSN_REJECTED;
> +
> + for (entry = 0; !decode_table_end(tbl[entry]); entry++) {
> + if (decode_table_hit(tbl[entry], insn))
> + break;
> + }
> +
> + switch (decode_get_type(tbl[entry])) {
> + case DECODE_TYPE_END:
> + case DECODE_TYPE_REJECT:
> + default:
> + ret = INSN_REJECTED;
> + break;
> +
> + case DECODE_TYPE_SINGLESTEP:
> + ret = INSN_GOOD;
> + break;
> +
> + case DECODE_TYPE_SIMULATE:
> + ret = INSN_REJECTED;
> + break;
> +
> + case DECODE_TYPE_TABLE:
> + /* recurse with next level decode table */
> + ret = kprobe_decode_insn(insn, asi,
> + decode_sub_table(tbl[entry]));
> + };
> + return ret;
> +}
> +
> +/* Return:
> + * INSN_REJECTED If instruction is one not allowed to kprobe,
> + * INSN_GOOD If instruction is supported and uses instruction slot,
> + * INSN_GOOD_NO_SLOT If instruction is supported but doesn't use its slot.
> + */
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi)
> +{
> + return kprobe_decode_insn(insn, asi, aarch64_decode_table);
> +}
> diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
> new file mode 100644
> index 0000000..87e7891
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.h
> @@ -0,0 +1,28 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_ARM64_H
> +#define _ARM_KERNEL_KPROBES_ARM64_H
> +
> +enum kprobe_insn {
> + INSN_REJECTED,
> + INSN_GOOD_NO_SLOT,
> + INSN_GOOD,
> +};
> +
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);
> +
> +#endif /* _ARM_KERNEL_KPROBES_ARM64_H */
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> new file mode 100644
> index 0000000..ca7fa10
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -0,0 +1,561 @@
> +/*
> + * arch/arm64/kernel/kprobes.c
> + *
> + * Kprobes support for ARM64
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + * Author: Sandeepa Prabhu <[email protected]>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + *
> + */
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <linux/slab.h>
> +#include <linux/stop_machine.h>
> +#include <linux/stringify.h>
> +#include <asm/traps.h>
> +#include <asm/ptrace.h>
> +#include <asm/cacheflush.h>
> +#include <asm/debug-monitors.h>
> +#include <asm/system_misc.h>
> +#include <asm/insn.h>
> +
> +#include "kprobes.h"
> +#include "kprobes-arm64.h"
> +
> +#define MIN_STACK_SIZE(addr) min((unsigned long)MAX_STACK_SIZE, \
> + (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
> +
> +DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
> +DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
> +
> +static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
> +{
> + /* prepare insn slot */
> + p->ainsn.insn[0] = p->opcode;
> +
> + flush_icache_range((uintptr_t) (p->ainsn.insn),
> + (uintptr_t) (p->ainsn.insn) + MAX_INSN_SIZE);
> +
> + /*
> + * Needs restoring of return address after stepping xol.
> + */
> + p->ainsn.restore.addr = (unsigned long) p->addr +
> + sizeof(kprobe_opcode_t);
> + p->ainsn.restore.type = RESTORE_PC;
> +}
> +
> +int __kprobes arch_prepare_kprobe(struct kprobe *p)
> +{
> + kprobe_opcode_t insn;
> + unsigned long probe_addr = (unsigned long)p->addr;
> +
> + /* copy instruction */
> + insn = *p->addr;
> + p->opcode = insn;
> +
> + if (in_exception_text(probe_addr))
> + return -EINVAL;
> +
> + /* decode instruction */
> + switch (arm_kprobe_decode_insn(insn, &p->ainsn)) {
> + case INSN_REJECTED: /* insn not supported */
> + return -EINVAL;
> +
> + case INSN_GOOD_NO_SLOT: /* insn need simulation */
> + return -EINVAL;
> +
> + case INSN_GOOD: /* instruction uses slot */
> + p->ainsn.insn = get_insn_slot();
> + if (!p->ainsn.insn)
> + return -ENOMEM;
> + break;
> + };
> +
> + /* prepare the instruction */
> + arch_prepare_ss_slot(p);
> +
> + return 0;
> +}
> +
> +static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
> +{
> + void *addrs[1];
> + u32 insns[1];
> +
> + addrs[0] = (void *)addr;
> + insns[0] = (u32)opcode;
> +
> + return aarch64_insn_patch_text_sync(addrs, insns, 1);
> +}
> +
> +/* arm kprobe: install breakpoint in text */
> +void __kprobes arch_arm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, BRK64_OPCODE_KPROBES);
> +}
> +
> +/* disarm kprobe: remove breakpoint from text */
> +void __kprobes arch_disarm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, p->opcode);
> +}
> +
> +void __kprobes arch_remove_kprobe(struct kprobe *p)
> +{
> + if (p->ainsn.insn) {
> + free_insn_slot(p->ainsn.insn, 0);
> + p->ainsn.insn = NULL;
> + }
> +}
> +
> +static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + kcb->prev_kprobe.kp = kprobe_running();
> + kcb->prev_kprobe.status = kcb->kprobe_status;
> +}
> +
> +static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
> + kcb->kprobe_status = kcb->prev_kprobe.status;
> +}
> +
> +static void __kprobes set_current_kprobe(struct kprobe *p)
> +{
> + __this_cpu_write(current_kprobe, p);
> +}
> +
> +/*
> + * Debug flag (D-flag) is disabled upon exception entry.
> + * Kprobes need to unmask D-flag -ONLY- in case of recursive
> + * probe i.e. when probe hit from kprobe handler context upon
> + * executing the pre/post handlers. In this case we return with
> + * D-flag unmasked so that single-stepping can be carried-out.
> + *
> + * Keep D-flag masked in all other cases.
> + */
> +static void __kprobes
> +spsr_set_debug_flag(struct pt_regs *regs, int mask)
> +{
> + unsigned long spsr = regs->pstate;
> +
> + if (mask)
> + spsr |= PSR_D_BIT;
> + else
> + spsr &= ~PSR_D_BIT;
> +
> + regs->pstate = spsr;
> +}
> +
> +/*
> + * Interrupt needs to be disabled for the duration from probe hitting
> + * breakpoint exception until kprobe is processed completely.
> + * Without disabling interrupt on local CPU, there is a chance of
> + * interrupt occurrence in the period of exception return and start of
> + * out-of-line single-step, that result in wrongly single stepping
> + * the interrupt handler.
> + */
> +static void __kprobes kprobes_save_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + kcb->saved_irqflag = regs->pstate;
> + regs->pstate |= PSR_I_BIT;
> +}
> +
> +static void __kprobes kprobes_restore_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + if (kcb->saved_irqflag & PSR_I_BIT)
> + regs->pstate |= PSR_I_BIT;
> + else
> + regs->pstate &= ~PSR_I_BIT;
> +}
> +
> +static void __kprobes
> +set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_PENDING;
> + kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t);
> +}
> +
> +static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_NONE;
> + kcb->ss_ctx.match_addr = 0;
> +}
> +
> +static void __kprobes
> +skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + /* set return addr to next pc to continue */
> + instruction_pointer(regs) += sizeof(kprobe_opcode_t);
> +
> + if (kcb->kprobe_status != KPROBE_REENTER)
> + kprobes_restore_local_irqflag(regs);
> +
> +}
> +
> +static void __kprobes setup_singlestep(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb, int reenter)
> +{
> + unsigned long slot;
> +
> + if (reenter) {
> + save_previous_kprobe(kcb);
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_REENTER;
> + } else {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + }
> +
> + if (p->ainsn.insn) {
> + /* prepare for single stepping */
> + slot = (unsigned long)p->ainsn.insn;
> +
> + set_ss_context(kcb, slot); /* mark pending ss */
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 0);
> +
> + /* IRQs and single stepping do not mix well. */
> + local_irq_disable();
> + kernel_enable_single_step(regs);
> + instruction_pointer(regs) = slot;
> + } else {
> + BUG();
> + }
> +}
> +
> +static int __kprobes reenter_kprobe(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb)
> +{
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SSDONE:
> + case KPROBE_HIT_ACTIVE:
> + if (!p->ainsn.check_condn || p->ainsn.check_condn(p, regs)) {
> + kprobes_inc_nmissed_count(p);
> + setup_singlestep(p, regs, kcb, 1);
> + } else {
> + /* condition check failed, skip stepping */
> + skip_singlestep_missed(kcb, regs);
> + }
> + break;
> + case KPROBE_HIT_SS:
> + pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
> + dump_kprobe(p);
> + BUG();
> + break;
> + default:
> + WARN_ON(1);
> + return 0;
> + }
> +
> + return 1;
> +}
> +
> +static void __kprobes
> +post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + struct kprobe *cur = kprobe_running();
> +
> + if (!cur)
> + return;
> +
> + /* return addr restore if non-branching insn */
> + if (cur->ainsn.restore.type == RESTORE_PC) {
> + instruction_pointer(regs) = cur->ainsn.restore.addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + }
> +
> + /* restore back original saved kprobe variables and continue */
> + if (kcb->kprobe_status == KPROBE_REENTER) {
> + restore_previous_kprobe(kcb);
> + return;
> + }
> + /* call post handler */
> + kcb->kprobe_status = KPROBE_HIT_SSDONE;
> + if (cur->post_handler) {
> + /* post_handler can hit breakpoint and single step
> + * again, so we enable D-flag for recursive exception.
> + */
> + cur->post_handler(cur, regs, 0);
> + }
> +
> + reset_current_kprobe();
> + kprobes_restore_local_irqflag(regs);
> +}
> +
> +int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
> +{
> + struct kprobe *cur = kprobe_running();
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SS:
> + case KPROBE_REENTER:
> + /*
> + * We are here because the instruction being single
> + * stepped caused a page fault. We reset the current
> + * kprobe and the ip points back to the probe address
> + * and allow the page fault handler to continue as a
> + * normal page fault.
> + */
> + instruction_pointer(regs) = (unsigned long)cur->addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + restore_previous_kprobe(kcb);
> + else
> + reset_current_kprobe();
> +
> + break;
> + case KPROBE_HIT_ACTIVE:
> + case KPROBE_HIT_SSDONE:
> + /*
> + * We increment the nmissed count for accounting,
> + * we can also use npre/npostfault count for accounting
> + * these specific fault cases.
> + */
> + kprobes_inc_nmissed_count(cur);
> +
> + /*
> + * We come here because instructions in the pre/post
> + * handler caused the page_fault, this could happen
> + * if handler tries to access user space by
> + * copy_from_user(), get_user() etc. Let the
> + * user-specified handler try to fix it first.
> + */
> + if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
> + return 1;
> +
> + /*
> + * In case the user-specified fault handler returned
> + * zero, try to fix up.
> + */
> + if (fixup_exception(regs))
> + return 1;
> +
> + break;
> + default:
> + break;
> + }
> + return 0;
> +}
> +
> +int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data)
> +{
> + return NOTIFY_DONE;
> +}
> +
> +void __kprobes kprobe_handler(struct pt_regs *regs)
> +{
> + struct kprobe *p, *cur;
> + struct kprobe_ctlblk *kcb;
> + unsigned long addr = instruction_pointer(regs);
> +
> + kcb = get_kprobe_ctlblk();
> + cur = kprobe_running();
> +
> + p = get_kprobe((kprobe_opcode_t *) addr);
> +
> + if (p) {
> + if (cur) {
> + if (reenter_kprobe(p, regs, kcb))
> + return;
> + } else if (!p->ainsn.check_condn ||
> + p->ainsn.check_condn(p, regs)) {
> + /* Probe hit and conditional execution check ok. */
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_HIT_ACTIVE;
> +
> + /*
> + * If we have no pre-handler or it returned 0, we
> + * continue with normal processing. If we have a
> + * pre-handler and it returned non-zero, it prepped
> + * for calling the break_handler below on re-entry,
> + * so get out doing nothing more here.
> + *
> + * pre_handler can hit a breakpoint and can step thru
> + * before return, keep PSTATE D-flag enabled until
> + * pre_handler return back.
> + */
> + if (!p->pre_handler || !p->pre_handler(p, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(p, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /*
> + * Breakpoint hit but conditional check failed,
> + * so just skip the instruction (NOP behaviour)
> + */
> + skip_singlestep_missed(kcb, regs);
> + return;
> + }
> + } else if (*(kprobe_opcode_t *) addr != BRK64_OPCODE_KPROBES) {
> + /*
> + * The breakpoint instruction was removed right
> + * after we hit it. Another cpu has removed
> + * either a probepoint or a debugger breakpoint
> + * at this address. In either case, no further
> + * handling of this interrupt is appropriate.
> + * Return back to original instruction, and continue.
> + */
> + kprobes_restore_local_irqflag(regs);
> + return;
> + } else if (cur) {
> + /* We probably hit a jprobe. Call its break handler. */
> + if (cur->break_handler && cur->break_handler(cur, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(cur, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /* breakpoint is removed, now in a race
> + * Return back to original instruction & continue.
> + */
> + kprobes_restore_local_irqflag(regs);
> + }
> +}
> +
> +static int __kprobes
> +kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + if ((kcb->ss_ctx.ss_status == KPROBES_STEP_PENDING)
> + && (kcb->ss_ctx.match_addr == addr)) {
> + clear_ss_context(kcb); /* clear pending ss */
> + return DBG_HOOK_HANDLED;
> + }
> + /* not ours, kprobes should ignore it */
> + return DBG_HOOK_ERROR;
> +}
> +
> +static int __kprobes
> +kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + int retval;
> +
> + /* return error if this is not our step */
> + retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
> +
> + if (retval == DBG_HOOK_HANDLED) {
> + kernel_disable_single_step();
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 1);
> +
> + post_kprobe_handler(kcb, regs);
> + }
> +
> + return retval;
> +}
> +
> +static int __kprobes
> +kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + kprobes_save_local_irqflag(regs);
> + kprobe_handler(regs);
> + return DBG_HOOK_HANDLED;
> +}
> +
> +int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_ptr = stack_pointer(regs);
> +
> + kcb->jprobe_saved_regs = *regs;
> + memcpy(kcb->jprobes_stack, (void *)stack_ptr,
> + MIN_STACK_SIZE(stack_ptr));
> +
> + instruction_pointer(regs) = (long)jp->entry;
> + preempt_disable();
> + return 1;
> +}
> +
> +void __kprobes jprobe_return(void)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + /*
> + * Jprobe handler return by entering break exception,
> + * encoded same as kprobe, but with following conditions
> + * -a magic number in x0 to identify from rest of other kprobes.
> + * -restore stack addr to original saved pt_regs
> + */
> + asm volatile ("ldr x0, [%0]\n\t"
> + "mov sp, x0\n\t"
> + "ldr x0, =" __stringify(JPROBES_MAGIC_NUM) "\n\t"
> + "BRK %1\n\t"
> + "NOP\n\t"
> + :
> + : "r"(&kcb->jprobe_saved_regs.sp),
> + "I"(BRK64_ESR_KPROBES)
> + : "memory");
> +}
> +
> +int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_addr = kcb->jprobe_saved_regs.sp;
> + long orig_sp = stack_pointer(regs);
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> +
> + if (regs->regs[0] == JPROBES_MAGIC_NUM) {
> + if (orig_sp != stack_addr) {
> + struct pt_regs *saved_regs =
> + (struct pt_regs *)kcb->jprobe_saved_regs.sp;
> + pr_err("current sp %lx does not match saved sp %lx\n",
> + orig_sp, stack_addr);
> + pr_err("Saved registers for jprobe %p\n", jp);
> + show_regs(saved_regs);
> + pr_err("Current registers\n");
> + show_regs(regs);
> + BUG();
> + }
> + *regs = kcb->jprobe_saved_regs;
> + memcpy((void *)stack_addr, kcb->jprobes_stack,
> + MIN_STACK_SIZE(stack_addr));
> + preempt_enable_no_resched();
> + kprobes_restore_local_irqflag(regs);
> + return 1;
> + }
> + return 0;
> +}
> +
> +/* Break Handler hook */
> +static struct break_hook kprobes_break_hook = {
> + .esr_mask = BRK64_ESR_MASK,
> + .esr_val = BRK64_ESR_KPROBES,
> + .fn = kprobe_breakpoint_handler,
> +};
> +
> +/* Single Step handler hook */
> +static struct step_hook kprobes_step_hook = {
> + .fn = kprobe_single_step_handler,
> +};
> +
> +int __init arch_init_kprobes(void)
> +{
> + register_break_hook(&kprobes_break_hook);
> + register_step_hook(&kprobes_step_hook);
> +
> + return 0;
> +}
> diff --git a/arch/arm64/kernel/kprobes.h b/arch/arm64/kernel/kprobes.h
> new file mode 100644
> index 0000000..93c54b4
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.h
> @@ -0,0 +1,30 @@
> +/*
> + * arch/arm64/kernel/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_H
> +#define _ARM_KERNEL_KPROBES_H
> +
> +/* BRK opcodes with ESR encoding */
> +#define BRK64_ESR_MASK 0xFFFF
> +#define BRK64_ESR_KPROBES 0x0004
> +#define BRK64_OPCODE_KPROBES 0xD4200080 /* "brk 0x4" */
> +#define ARCH64_NOP_OPCODE 0xD503201F
> +
> +#define JPROBES_MAGIC_NUM 0xa5a5a5a5a5a5a5a5
> +
> +/* Move this out to appropriate header file */
> +int fixup_exception(struct pt_regs *regs);
> +
> +#endif /* _ARM_KERNEL_KPROBES_H */
> diff --git a/arch/arm64/kernel/probes-decode.h b/arch/arm64/kernel/probes-decode.h
> new file mode 100644
> index 0000000..3650ab3
> --- /dev/null
> +++ b/arch/arm64/kernel/probes-decode.h
> @@ -0,0 +1,110 @@
> +/*
> + * arch/arm64/kernel/probes-decode.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_PROBES_DECODE_H
> +#define _ARM_KERNEL_PROBES_DECODE_H
> +
> +/*
> + * The following definitions and macros are used to build instruction
> + * decoding tables.
> + */
> +enum decode_type {
> + DECODE_TYPE_END,
> + DECODE_TYPE_SINGLESTEP,
> + DECODE_TYPE_SIMULATE,
> + DECODE_TYPE_TABLE,
> + DECODE_TYPE_REJECT,
> +};
> +
> +struct aarch64_decode_item;
> +
> +struct aarch64_decode_header {
> + enum decode_type type;
> + u32 mask;
> + u32 val;
> +};
> +
> +struct aarch64_decode_actions {
> + kprobes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> +};
> +
> +struct aarch64_decode_table {
> + const struct aarch64_decode_item *tbl;
> +};
> +
> +union aarch64_decode_handler {
> + struct aarch64_decode_actions actions;
> + struct aarch64_decode_table table;
> +};
> +
> +struct aarch64_decode_item {
> + struct aarch64_decode_header header;
> + union aarch64_decode_handler decode;
> +};
> +
> +#define decode_get_type(_entry) ((_entry).header.type)
> +
> +#define decode_table_end(_entry) \
> + ((_entry).header.type == DECODE_TYPE_END)
> +
> +#define decode_table_hit(_entry, insn) \
> + ((insn & (_entry).header.mask) == (_entry).header.val)
> +
> +#define decode_prepare_fn(_entry) ((_entry).decode.actions.prepare)
> +#define decode_handler_fn(_entry) ((_entry).decode.actions.handler)
> +#define decode_sub_table(_entry) ((_entry).decode.table.tbl)
> +
> +#define DECODE_ADD_HEADER(_type, _val, _mask) \
> + .header = { \
> + .type = _type, \
> + .mask = _mask, \
> + .val = _val, \
> + },
> +
> +#define DECODE_ADD_ACTION(_prepare, _handler) \
> + .decode = { \
> + .actions = { \
> + .prepare = _prepare, \
> + .handler = _handler, \
> + } \
> + },
> +
> +#define DECODE_ADD_TABLE(_table) \
> + .decode = { \
> + .table = {.tbl = _table} \
> + },
> +
> +#define DECODE_REJECT(_v, _m) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_REJECT, _v, _m) }
> +
> +#define DECODE_SINGLESTEP(_v, _m) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_SINGLESTEP, _v, _m) }
> +
> +#define DECODE_SIMULATE(_v, _m, _p, _h) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_SIMULATE, _v, _m) \
> + DECODE_ADD_ACTION(_p, _h) }
> +
> +#define DECODE_TABLE(_v, _m, _table) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_TABLE, _v, _m) \
> + DECODE_ADD_TABLE(_table) }
> +
> +#define DECODE_LITERAL(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
> +#define DECODE_BRANCH(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
> +
> +/* should be the last element in decode structure */
> +#define DECODE_END { .header = {.type = DECODE_TYPE_END, } }
> +
> +#endif /* _ARM_KERNEL_PROBES_DECODE_H */
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index edf8715..ab7720b 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -63,6 +63,7 @@ SECTIONS
> TEXT_TEXT
> SCHED_TEXT
> LOCK_TEXT
> + KPROBES_TEXT
> HYPERVISOR_TEXT
> *(.fixup)
> *(.gnu.warning)
>

2014-11-18 14:40:29

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 11/18/2014 01:32 AM, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.
>
> Kprobes will utilize software breakpoint and single step debug
> exceptions supported on ARM v8.
>
> software breakpoint is placed at the probe address to trap the
> kernel execution into kprobe handler.
>
> ARM v8 support single stepping to be enabled while exception return
> (ERET) with next PC in exception return address (ELR_EL1).
> kprobe handler prepares a executable memory slot for out-of-line
> execution with the copy of the original instruction under probe, and
> enable single stepping from the instruction slot. With this scheme,
> the instruction is executed with the exact same register context
> 'except PC' that points to instruction slot.
>
> Debug mask(PSTATE.D) is enabled only when single stepping a recursive
> kprobes i.e. during kprobes reenter so that probes instruction can be
> single stepped within the kprobe handler -exception- context.
> The recursion depth of kprobe is always 2, i.e. upon probe re-entry,
> any further re-entry is prevented by not calling handlers and the case
> counted as missed kprobe)
>
> Single stepping from slot has drawback on PC-relative accesses
> like branching and symbolic literals access as offset from new PC
> (slot address) may not be ensured to fit in immediate value of
> opcode, Such instructions needs simulation, so reject
> probing such instructions.

The above paragraph doesn't seem correct. arm64 kprobes does allow probing instructions that can't be single stepped XOL. kprobes will use simulation in those cases. It might be simpler describe the three possible methods of handling a potential probe point: single step instruction xol, instruction simulation, and reject probe point, then for each describe why it would be used.

-Will

>
> Instructions generating exceptions or cpu mode change are rejected,
> and not allowed to insert probe for these instructions.
>
> Instructions using Exclusive Monitor are rejected right too.
>
> System instructions are mostly enabled for stepping, except MSR
> immediate that update "daif" flags in PSTATE, which are not safe
> for probing -rejected.
>
> Changes since v4:
> from David Long:
> 1) Removed unnecessary addtion of NOP after out-of-line instruction.
> from Will Cohen:
> 2) Disable local irq while executing out of line instruction.
>
> Signed-off-by: Sandeepa Prabhu <[email protected]>
> Signed-off-by: William Cohen <[email protected]>
> Signed-off-by: David A. Long <[email protected]>
> ---
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/kprobes.h | 60 ++++
> arch/arm64/include/asm/probes.h | 50 ++++
> arch/arm64/include/asm/ptrace.h | 3 +-
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/kprobes-arm64.c | 211 ++++++++++++++
> arch/arm64/kernel/kprobes-arm64.h | 28 ++
> arch/arm64/kernel/kprobes.c | 561 ++++++++++++++++++++++++++++++++++++++
> arch/arm64/kernel/kprobes.h | 30 ++
> arch/arm64/kernel/probes-decode.h | 110 ++++++++
> arch/arm64/kernel/vmlinux.lds.S | 1 +
> 11 files changed, 1055 insertions(+), 1 deletion(-)
> create mode 100644 arch/arm64/include/asm/kprobes.h
> create mode 100644 arch/arm64/include/asm/probes.h
> create mode 100644 arch/arm64/kernel/kprobes-arm64.c
> create mode 100644 arch/arm64/kernel/kprobes-arm64.h
> create mode 100644 arch/arm64/kernel/kprobes.c
> create mode 100644 arch/arm64/kernel/kprobes.h
> create mode 100644 arch/arm64/kernel/probes-decode.h
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 9532f8d..256ef90 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -60,6 +60,7 @@ config ARM64
> select HAVE_PERF_USER_STACK_DUMP
> select HAVE_RCU_TABLE_FREE
> select HAVE_SYSCALL_TRACEPOINTS
> + select HAVE_KPROBES if !XIP_KERNEL
> select IRQ_DOMAIN
> select MODULES_USE_ELF_RELA
> select NO_BOOTMEM
> diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
> new file mode 100644
> index 0000000..b35d3b9
> --- /dev/null
> +++ b/arch/arm64/include/asm/kprobes.h
> @@ -0,0 +1,60 @@
> +/*
> + * arch/arm64/include/asm/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KPROBES_H
> +#define _ARM_KPROBES_H
> +
> +#include <linux/types.h>
> +#include <linux/ptrace.h>
> +#include <linux/percpu.h>
> +
> +#define __ARCH_WANT_KPROBES_INSN_SLOT
> +#define MAX_INSN_SIZE 1
> +#define MAX_STACK_SIZE 128
> +
> +#define flush_insn_slot(p) do { } while (0)
> +#define kretprobe_blacklist_size 0
> +
> +#include <asm/probes.h>
> +
> +struct prev_kprobe {
> + struct kprobe *kp;
> + unsigned int status;
> +};
> +
> +/* Single step context for kprobe */
> +struct kprobe_step_ctx {
> +#define KPROBES_STEP_NONE 0x0
> +#define KPROBES_STEP_PENDING 0x1
> + unsigned long ss_status;
> + unsigned long match_addr;
> +};
> +
> +/* per-cpu kprobe control block */
> +struct kprobe_ctlblk {
> + unsigned int kprobe_status;
> + unsigned long saved_irqflag;
> + struct prev_kprobe prev_kprobe;
> + struct kprobe_step_ctx ss_ctx;
> + struct pt_regs jprobe_saved_regs;
> + char jprobes_stack[MAX_STACK_SIZE];
> +};
> +
> +void arch_remove_kprobe(struct kprobe *);
> +int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
> +int kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data);
> +
> +#endif /* _ARM_KPROBES_H */
> diff --git a/arch/arm64/include/asm/probes.h b/arch/arm64/include/asm/probes.h
> new file mode 100644
> index 0000000..9dba74d
> --- /dev/null
> +++ b/arch/arm64/include/asm/probes.h
> @@ -0,0 +1,50 @@
> +/*
> + * arch/arm64/include/asm/probes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +#ifndef _ARM_PROBES_H
> +#define _ARM_PROBES_H
> +
> +struct kprobe;
> +struct arch_specific_insn;
> +
> +typedef u32 kprobe_opcode_t;
> +typedef unsigned long (kprobes_pstate_check_t)(unsigned long);
> +typedef unsigned long
> +(kprobes_condition_check_t)(struct kprobe *p, struct pt_regs *);
> +typedef void
> +(kprobes_prepare_t)(struct kprobe *, struct arch_specific_insn *);
> +typedef void (kprobes_handler_t) (u32 opcode, long addr, struct pt_regs *);
> +
> +enum pc_restore_type {
> + NO_RESTORE,
> + RESTORE_PC,
> +};
> +
> +struct kprobe_pc_restore {
> + enum pc_restore_type type;
> + unsigned long addr;
> +};
> +
> +/* architecture specific copy of original instruction */
> +struct arch_specific_insn {
> + kprobe_opcode_t *insn;
> + kprobes_pstate_check_t *pstate_cc;
> + kprobes_condition_check_t *check_condn;
> + kprobes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> + /* restore address after step xol */
> + struct kprobe_pc_restore restore;
> +};
> +
> +#endif
> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
> index 41ed9e1..d3e782a 100644
> --- a/arch/arm64/include/asm/ptrace.h
> +++ b/arch/arm64/include/asm/ptrace.h
> @@ -174,7 +174,8 @@ static inline int valid_user_regs(struct user_pt_regs *regs)
> return 0;
> }
>
> -#define instruction_pointer(regs) ((unsigned long)(regs)->pc)
> +#define instruction_pointer(regs) ((regs)->pc)
> +#define stack_pointer(regs) ((regs)->sp)
>
> #ifdef CONFIG_SMP
> extern unsigned long profile_pc(struct pt_regs *regs);
> diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> index 5bd029b..df08c0e 100644
> --- a/arch/arm64/kernel/Makefile
> +++ b/arch/arm64/kernel/Makefile
> @@ -29,6 +29,7 @@ arm64-obj-$(CONFIG_ARM64_CPU_SUSPEND) += sleep.o suspend.o
> arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
> arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
> arm64-obj-$(CONFIG_KGDB) += kgdb.o
> +arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
> arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
> arm64-obj-$(CONFIG_PCI) += pci.o
>
> diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
> new file mode 100644
> index 0000000..30d1c14
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.c
> @@ -0,0 +1,211 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.c
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <asm/kprobes.h>
> +
> +#include "probes-decode.h"
> +#include "kprobes-arm64.h"
> +
> +/* AArch64 instruction decode table for kprobes:
> + * The instruction will fall into one of the 3 groups:
> + * 1. Single stepped out-of-the-line slot.
> + * -Most instructions fall in this group, those does not
> + * depend on PC address.
> + *
> + * 2. Should be simulated because of PC-relative/literal access.
> + * -All branching and PC-relative insrtcutions are simulated
> + * in C code, making use of saved pt_regs
> + * Catch: SIMD/NEON register context are not saved while
> + * entering debug exception, so are rejected for now.
> + *
> + * 3. Cannot be probed(not safe) so are rejected.
> + * - Exception generation and exception return instructions
> + * - Exclusive monitor(LDREX/STREX family)
> + *
> + */
> +static const struct aarch64_decode_item aarch64_decode_table[] = {
> + /*
> + * Data processing - PC relative(literal) addressing:
> + * Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_REJECT(0x10000000, 0x1F000000),
> +
> + /*
> + * Data processing - Add/Substract Immediate:
> + * Encoding: xxx1 0001 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x11000000, 0x1F000000),
> +
> + /*
> + * Data processing
> + * Encoding:
> + * xxx1 0010 0xxx xxxx xxxx xxxx xxxx xxxx (Logical)
> + * xxx1 0010 1xxx xxxx xxxx xxxx xxxx xxxx (Move wide)
> + * xxx1 0011 0xxx xxxx xxxx xxxx xxxx xxxx (Bitfield)
> + * xxx1 0011 1xxx xxxx xxxx xxxx xxxx xxxx (Extract)
> + */
> + DECODE_SINGLESTEP(0x12000000, 0x1E000000),
> +
> + /*
> + * Data processing - SIMD/FP/AdvSIMD/Crypto-AES/SHA
> + * Encoding: xxx0 111x xxxx xxxx xxxx xxxx xxxx xxxx
> + * Encoding: xxx1 111x xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x0E000000, 0x0E000000),
> +
> + /*
> + * Data processing - Register
> + * Encoding: xxxx 101x xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x0A000000, 0x0E000000),
> +
> + /* Branching Instructions
> + *
> + * Encoding:
> + * x001 01xx xxxx xxxx xxxx xxxx xxxx xxxx (uncondtional Branch)
> + * x011 010x xxxx xxxx xxxx xxxx xxxx xxxx (compare & branch)
> + * x011 011x xxxx xxxx xxxx xxxx xxxx xxxx (Test & Branch)
> + * 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate)
> + * 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register)
> + */
> + DECODE_REJECT(0x14000000, 0x7C000000),
> + DECODE_REJECT(0x14000000, 0x7C000000),
> + DECODE_REJECT(0x34000000, 0x7E000000),
> + DECODE_REJECT(0x36000000, 0x7E000000),
> + DECODE_REJECT(0x54000000, 0xFE000000),
> + DECODE_REJECT(0xD6000000, 0xFE000000),
> +
> + /* System insn:
> + * Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx
> + *
> + * Note: MSR immediate (update PSTATE daif) is not safe handling
> + * within kprobes, rejected.
> + *
> + * Don't re-arrange these decode table entries.
> + */
> + DECODE_REJECT(0xD500401F, 0xFFF8F01F),
> + DECODE_SINGLESTEP(0xD5000000, 0xFFC00000),
> +
> + /* Exception Generation:
> + * Encoding: 1101 0100 xxxx xxxx xxxx xxxx xxxx xxxx
> + * Instructions: SVC, HVC, SMC, BRK, HLT, DCPS1, DCPS2, DCPS3
> + */
> + DECODE_REJECT(0xD4000000, 0xFF000000),
> +
> + /*
> + * Load/Store - Exclusive monitor
> + * Encoding: xx00 1000 xxxx xxxx xxxx xxxx xxxx xxxx
> + *
> + * Reject exlusive monitor'ed instructions
> + */
> + DECODE_REJECT(0x08000000, 0x3F000000),
> +
> + /*
> + * Load/Store - PC relative(literal):
> + * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_REJECT(0x18000000, 0x3B000000),
> +
> + /*
> + * Load/Store - Register Pair
> + * Encoding:
> + * xx10 1x00 0xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x00 1xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x01 0xxx xxxx xxxx xxxx xxxx xxxx
> + * xx10 1x01 1xxx xxxx xxxx xxxx xxxx xxxx
> + */
> + DECODE_SINGLESTEP(0x28000000, 0x3A000000),
> +
> + /*
> + * Load/Store - Register
> + * Encoding:
> + * xx11 1x00 xx0x xxxx xxxx 00xx xxxx xxxx (unscaled imm)
> + * xx11 1x00 xx0x xxxx xxxx 01xx xxxx xxxx (imm post-indexed)
> + * xx11 1x00 xx0x xxxx xxxx 10xx xxxx xxxx (unpriviledged)
> + * xx11 1x00 xx0x xxxx xxxx 11xx xxxx xxxx (imm pre-indexed)
> + *
> + * xx11 1x00 xx10 xxxx xxxx xx10 xxxx xxxx (register offset)
> + *
> + * xx11 1x01 xxxx xxxx xxxx xxxx xxxx xxxx (unsigned imm)
> + */
> + DECODE_SINGLESTEP(0x38000000, 0x3B200000),
> + DECODE_SINGLESTEP(0x38200200, 0x38300300),
> + DECODE_SINGLESTEP(0x39000000, 0x3B000000),
> +
> + /*
> + * Load/Store - AdvSIMD
> + * Encoding:
> + * 0x00 1100 0x00 0000 xxxx xxxx xxxx xxxx (Multiple-structure)
> + * 0x00 1100 1x0x xxxx xxxx xxxx xxxx xxxx (Multi-struct post-indexed)
> + * 0x00 1101 0xx0 0000 xxxx xxxx xxxx xxxx (Single-structure))
> + * 0x00 1101 1xxx xxxx xxxx xxxx xxxx xxxx (Single-struct post-index)
> + */
> + DECODE_SINGLESTEP(0x0C000000, 0xBFBF0000),
> + DECODE_SINGLESTEP(0x0C800000, 0xBFA00000),
> + DECODE_SINGLESTEP(0x0D000000, 0xBF9F0000),
> + DECODE_SINGLESTEP(0x0D800000, 0xBF800000),
> +
> + /* Unallocated: xxx0 0xxx xxxx xxxx xxxx xxxx xxxx xxxx */
> + DECODE_REJECT(0x00000000, 0x18000000),
> + DECODE_END,
> +};
> +
> +static int __kprobes
> +kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
> + const struct aarch64_decode_item *tbl)
> +{
> + unsigned int entry, ret = INSN_REJECTED;
> +
> + for (entry = 0; !decode_table_end(tbl[entry]); entry++) {
> + if (decode_table_hit(tbl[entry], insn))
> + break;
> + }
> +
> + switch (decode_get_type(tbl[entry])) {
> + case DECODE_TYPE_END:
> + case DECODE_TYPE_REJECT:
> + default:
> + ret = INSN_REJECTED;
> + break;
> +
> + case DECODE_TYPE_SINGLESTEP:
> + ret = INSN_GOOD;
> + break;
> +
> + case DECODE_TYPE_SIMULATE:
> + ret = INSN_REJECTED;
> + break;
> +
> + case DECODE_TYPE_TABLE:
> + /* recurse with next level decode table */
> + ret = kprobe_decode_insn(insn, asi,
> + decode_sub_table(tbl[entry]));
> + };
> + return ret;
> +}
> +
> +/* Return:
> + * INSN_REJECTED If instruction is one not allowed to kprobe,
> + * INSN_GOOD If instruction is supported and uses instruction slot,
> + * INSN_GOOD_NO_SLOT If instruction is supported but doesn't use its slot.
> + */
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi)
> +{
> + return kprobe_decode_insn(insn, asi, aarch64_decode_table);
> +}
> diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
> new file mode 100644
> index 0000000..87e7891
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes-arm64.h
> @@ -0,0 +1,28 @@
> +/*
> + * arch/arm64/kernel/kprobes-arm64.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_ARM64_H
> +#define _ARM_KERNEL_KPROBES_ARM64_H
> +
> +enum kprobe_insn {
> + INSN_REJECTED,
> + INSN_GOOD_NO_SLOT,
> + INSN_GOOD,
> +};
> +
> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);
> +
> +#endif /* _ARM_KERNEL_KPROBES_ARM64_H */
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> new file mode 100644
> index 0000000..ca7fa10
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -0,0 +1,561 @@
> +/*
> + * arch/arm64/kernel/kprobes.c
> + *
> + * Kprobes support for ARM64
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + * Author: Sandeepa Prabhu <[email protected]>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + *
> + */
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +#include <linux/slab.h>
> +#include <linux/stop_machine.h>
> +#include <linux/stringify.h>
> +#include <asm/traps.h>
> +#include <asm/ptrace.h>
> +#include <asm/cacheflush.h>
> +#include <asm/debug-monitors.h>
> +#include <asm/system_misc.h>
> +#include <asm/insn.h>
> +
> +#include "kprobes.h"
> +#include "kprobes-arm64.h"
> +
> +#define MIN_STACK_SIZE(addr) min((unsigned long)MAX_STACK_SIZE, \
> + (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
> +
> +DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
> +DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
> +
> +static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
> +{
> + /* prepare insn slot */
> + p->ainsn.insn[0] = p->opcode;
> +
> + flush_icache_range((uintptr_t) (p->ainsn.insn),
> + (uintptr_t) (p->ainsn.insn) + MAX_INSN_SIZE);
> +
> + /*
> + * Needs restoring of return address after stepping xol.
> + */
> + p->ainsn.restore.addr = (unsigned long) p->addr +
> + sizeof(kprobe_opcode_t);
> + p->ainsn.restore.type = RESTORE_PC;
> +}
> +
> +int __kprobes arch_prepare_kprobe(struct kprobe *p)
> +{
> + kprobe_opcode_t insn;
> + unsigned long probe_addr = (unsigned long)p->addr;
> +
> + /* copy instruction */
> + insn = *p->addr;
> + p->opcode = insn;
> +
> + if (in_exception_text(probe_addr))
> + return -EINVAL;
> +
> + /* decode instruction */
> + switch (arm_kprobe_decode_insn(insn, &p->ainsn)) {
> + case INSN_REJECTED: /* insn not supported */
> + return -EINVAL;
> +
> + case INSN_GOOD_NO_SLOT: /* insn need simulation */
> + return -EINVAL;
> +
> + case INSN_GOOD: /* instruction uses slot */
> + p->ainsn.insn = get_insn_slot();
> + if (!p->ainsn.insn)
> + return -ENOMEM;
> + break;
> + };
> +
> + /* prepare the instruction */
> + arch_prepare_ss_slot(p);
> +
> + return 0;
> +}
> +
> +static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
> +{
> + void *addrs[1];
> + u32 insns[1];
> +
> + addrs[0] = (void *)addr;
> + insns[0] = (u32)opcode;
> +
> + return aarch64_insn_patch_text_sync(addrs, insns, 1);
> +}
> +
> +/* arm kprobe: install breakpoint in text */
> +void __kprobes arch_arm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, BRK64_OPCODE_KPROBES);
> +}
> +
> +/* disarm kprobe: remove breakpoint from text */
> +void __kprobes arch_disarm_kprobe(struct kprobe *p)
> +{
> + patch_text(p->addr, p->opcode);
> +}
> +
> +void __kprobes arch_remove_kprobe(struct kprobe *p)
> +{
> + if (p->ainsn.insn) {
> + free_insn_slot(p->ainsn.insn, 0);
> + p->ainsn.insn = NULL;
> + }
> +}
> +
> +static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + kcb->prev_kprobe.kp = kprobe_running();
> + kcb->prev_kprobe.status = kcb->kprobe_status;
> +}
> +
> +static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
> +{
> + __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
> + kcb->kprobe_status = kcb->prev_kprobe.status;
> +}
> +
> +static void __kprobes set_current_kprobe(struct kprobe *p)
> +{
> + __this_cpu_write(current_kprobe, p);
> +}
> +
> +/*
> + * Debug flag (D-flag) is disabled upon exception entry.
> + * Kprobes need to unmask D-flag -ONLY- in case of recursive
> + * probe i.e. when probe hit from kprobe handler context upon
> + * executing the pre/post handlers. In this case we return with
> + * D-flag unmasked so that single-stepping can be carried-out.
> + *
> + * Keep D-flag masked in all other cases.
> + */
> +static void __kprobes
> +spsr_set_debug_flag(struct pt_regs *regs, int mask)
> +{
> + unsigned long spsr = regs->pstate;
> +
> + if (mask)
> + spsr |= PSR_D_BIT;
> + else
> + spsr &= ~PSR_D_BIT;
> +
> + regs->pstate = spsr;
> +}
> +
> +/*
> + * Interrupt needs to be disabled for the duration from probe hitting
> + * breakpoint exception until kprobe is processed completely.
> + * Without disabling interrupt on local CPU, there is a chance of
> + * interrupt occurrence in the period of exception return and start of
> + * out-of-line single-step, that result in wrongly single stepping
> + * the interrupt handler.
> + */
> +static void __kprobes kprobes_save_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + kcb->saved_irqflag = regs->pstate;
> + regs->pstate |= PSR_I_BIT;
> +}
> +
> +static void __kprobes kprobes_restore_local_irqflag(struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + if (kcb->saved_irqflag & PSR_I_BIT)
> + regs->pstate |= PSR_I_BIT;
> + else
> + regs->pstate &= ~PSR_I_BIT;
> +}
> +
> +static void __kprobes
> +set_ss_context(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_PENDING;
> + kcb->ss_ctx.match_addr = addr + sizeof(kprobe_opcode_t);
> +}
> +
> +static void __kprobes clear_ss_context(struct kprobe_ctlblk *kcb)
> +{
> + kcb->ss_ctx.ss_status = KPROBES_STEP_NONE;
> + kcb->ss_ctx.match_addr = 0;
> +}
> +
> +static void __kprobes
> +skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + /* set return addr to next pc to continue */
> + instruction_pointer(regs) += sizeof(kprobe_opcode_t);
> +
> + if (kcb->kprobe_status != KPROBE_REENTER)
> + kprobes_restore_local_irqflag(regs);
> +
> +}
> +
> +static void __kprobes setup_singlestep(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb, int reenter)
> +{
> + unsigned long slot;
> +
> + if (reenter) {
> + save_previous_kprobe(kcb);
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_REENTER;
> + } else {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + }
> +
> + if (p->ainsn.insn) {
> + /* prepare for single stepping */
> + slot = (unsigned long)p->ainsn.insn;
> +
> + set_ss_context(kcb, slot); /* mark pending ss */
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 0);
> +
> + /* IRQs and single stepping do not mix well. */
> + local_irq_disable();
> + kernel_enable_single_step(regs);
> + instruction_pointer(regs) = slot;
> + } else {
> + BUG();
> + }
> +}
> +
> +static int __kprobes reenter_kprobe(struct kprobe *p,
> + struct pt_regs *regs,
> + struct kprobe_ctlblk *kcb)
> +{
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SSDONE:
> + case KPROBE_HIT_ACTIVE:
> + if (!p->ainsn.check_condn || p->ainsn.check_condn(p, regs)) {
> + kprobes_inc_nmissed_count(p);
> + setup_singlestep(p, regs, kcb, 1);
> + } else {
> + /* condition check failed, skip stepping */
> + skip_singlestep_missed(kcb, regs);
> + }
> + break;
> + case KPROBE_HIT_SS:
> + pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
> + dump_kprobe(p);
> + BUG();
> + break;
> + default:
> + WARN_ON(1);
> + return 0;
> + }
> +
> + return 1;
> +}
> +
> +static void __kprobes
> +post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> +{
> + struct kprobe *cur = kprobe_running();
> +
> + if (!cur)
> + return;
> +
> + /* return addr restore if non-branching insn */
> + if (cur->ainsn.restore.type == RESTORE_PC) {
> + instruction_pointer(regs) = cur->ainsn.restore.addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + }
> +
> + /* restore back original saved kprobe variables and continue */
> + if (kcb->kprobe_status == KPROBE_REENTER) {
> + restore_previous_kprobe(kcb);
> + return;
> + }
> + /* call post handler */
> + kcb->kprobe_status = KPROBE_HIT_SSDONE;
> + if (cur->post_handler) {
> + /* post_handler can hit breakpoint and single step
> + * again, so we enable D-flag for recursive exception.
> + */
> + cur->post_handler(cur, regs, 0);
> + }
> +
> + reset_current_kprobe();
> + kprobes_restore_local_irqflag(regs);
> +}
> +
> +int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
> +{
> + struct kprobe *cur = kprobe_running();
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + switch (kcb->kprobe_status) {
> + case KPROBE_HIT_SS:
> + case KPROBE_REENTER:
> + /*
> + * We are here because the instruction being single
> + * stepped caused a page fault. We reset the current
> + * kprobe and the ip points back to the probe address
> + * and allow the page fault handler to continue as a
> + * normal page fault.
> + */
> + instruction_pointer(regs) = (unsigned long)cur->addr;
> + if (!instruction_pointer(regs))
> + BUG();
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + restore_previous_kprobe(kcb);
> + else
> + reset_current_kprobe();
> +
> + break;
> + case KPROBE_HIT_ACTIVE:
> + case KPROBE_HIT_SSDONE:
> + /*
> + * We increment the nmissed count for accounting,
> + * we can also use npre/npostfault count for accounting
> + * these specific fault cases.
> + */
> + kprobes_inc_nmissed_count(cur);
> +
> + /*
> + * We come here because instructions in the pre/post
> + * handler caused the page_fault, this could happen
> + * if handler tries to access user space by
> + * copy_from_user(), get_user() etc. Let the
> + * user-specified handler try to fix it first.
> + */
> + if (cur->fault_handler && cur->fault_handler(cur, regs, fsr))
> + return 1;
> +
> + /*
> + * In case the user-specified fault handler returned
> + * zero, try to fix up.
> + */
> + if (fixup_exception(regs))
> + return 1;
> +
> + break;
> + default:
> + break;
> + }
> + return 0;
> +}
> +
> +int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
> + unsigned long val, void *data)
> +{
> + return NOTIFY_DONE;
> +}
> +
> +void __kprobes kprobe_handler(struct pt_regs *regs)
> +{
> + struct kprobe *p, *cur;
> + struct kprobe_ctlblk *kcb;
> + unsigned long addr = instruction_pointer(regs);
> +
> + kcb = get_kprobe_ctlblk();
> + cur = kprobe_running();
> +
> + p = get_kprobe((kprobe_opcode_t *) addr);
> +
> + if (p) {
> + if (cur) {
> + if (reenter_kprobe(p, regs, kcb))
> + return;
> + } else if (!p->ainsn.check_condn ||
> + p->ainsn.check_condn(p, regs)) {
> + /* Probe hit and conditional execution check ok. */
> + set_current_kprobe(p);
> + kcb->kprobe_status = KPROBE_HIT_ACTIVE;
> +
> + /*
> + * If we have no pre-handler or it returned 0, we
> + * continue with normal processing. If we have a
> + * pre-handler and it returned non-zero, it prepped
> + * for calling the break_handler below on re-entry,
> + * so get out doing nothing more here.
> + *
> + * pre_handler can hit a breakpoint and can step thru
> + * before return, keep PSTATE D-flag enabled until
> + * pre_handler return back.
> + */
> + if (!p->pre_handler || !p->pre_handler(p, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(p, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /*
> + * Breakpoint hit but conditional check failed,
> + * so just skip the instruction (NOP behaviour)
> + */
> + skip_singlestep_missed(kcb, regs);
> + return;
> + }
> + } else if (*(kprobe_opcode_t *) addr != BRK64_OPCODE_KPROBES) {
> + /*
> + * The breakpoint instruction was removed right
> + * after we hit it. Another cpu has removed
> + * either a probepoint or a debugger breakpoint
> + * at this address. In either case, no further
> + * handling of this interrupt is appropriate.
> + * Return back to original instruction, and continue.
> + */
> + kprobes_restore_local_irqflag(regs);
> + return;
> + } else if (cur) {
> + /* We probably hit a jprobe. Call its break handler. */
> + if (cur->break_handler && cur->break_handler(cur, regs)) {
> + kcb->kprobe_status = KPROBE_HIT_SS;
> + setup_singlestep(cur, regs, kcb, 0);
> + return;
> + }
> + } else {
> + /* breakpoint is removed, now in a race
> + * Return back to original instruction & continue.
> + */
> + kprobes_restore_local_irqflag(regs);
> + }
> +}
> +
> +static int __kprobes
> +kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr)
> +{
> + if ((kcb->ss_ctx.ss_status == KPROBES_STEP_PENDING)
> + && (kcb->ss_ctx.match_addr == addr)) {
> + clear_ss_context(kcb); /* clear pending ss */
> + return DBG_HOOK_HANDLED;
> + }
> + /* not ours, kprobes should ignore it */
> + return DBG_HOOK_ERROR;
> +}
> +
> +static int __kprobes
> +kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + int retval;
> +
> + /* return error if this is not our step */
> + retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
> +
> + if (retval == DBG_HOOK_HANDLED) {
> + kernel_disable_single_step();
> +
> + if (kcb->kprobe_status == KPROBE_REENTER)
> + spsr_set_debug_flag(regs, 1);
> +
> + post_kprobe_handler(kcb, regs);
> + }
> +
> + return retval;
> +}
> +
> +static int __kprobes
> +kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
> +{
> + kprobes_save_local_irqflag(regs);
> + kprobe_handler(regs);
> + return DBG_HOOK_HANDLED;
> +}
> +
> +int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_ptr = stack_pointer(regs);
> +
> + kcb->jprobe_saved_regs = *regs;
> + memcpy(kcb->jprobes_stack, (void *)stack_ptr,
> + MIN_STACK_SIZE(stack_ptr));
> +
> + instruction_pointer(regs) = (long)jp->entry;
> + preempt_disable();
> + return 1;
> +}
> +
> +void __kprobes jprobe_return(void)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + /*
> + * Jprobe handler return by entering break exception,
> + * encoded same as kprobe, but with following conditions
> + * -a magic number in x0 to identify from rest of other kprobes.
> + * -restore stack addr to original saved pt_regs
> + */
> + asm volatile ("ldr x0, [%0]\n\t"
> + "mov sp, x0\n\t"
> + "ldr x0, =" __stringify(JPROBES_MAGIC_NUM) "\n\t"
> + "BRK %1\n\t"
> + "NOP\n\t"
> + :
> + : "r"(&kcb->jprobe_saved_regs.sp),
> + "I"(BRK64_ESR_KPROBES)
> + : "memory");
> +}
> +
> +int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> + long stack_addr = kcb->jprobe_saved_regs.sp;
> + long orig_sp = stack_pointer(regs);
> + struct jprobe *jp = container_of(p, struct jprobe, kp);
> +
> + if (regs->regs[0] == JPROBES_MAGIC_NUM) {
> + if (orig_sp != stack_addr) {
> + struct pt_regs *saved_regs =
> + (struct pt_regs *)kcb->jprobe_saved_regs.sp;
> + pr_err("current sp %lx does not match saved sp %lx\n",
> + orig_sp, stack_addr);
> + pr_err("Saved registers for jprobe %p\n", jp);
> + show_regs(saved_regs);
> + pr_err("Current registers\n");
> + show_regs(regs);
> + BUG();
> + }
> + *regs = kcb->jprobe_saved_regs;
> + memcpy((void *)stack_addr, kcb->jprobes_stack,
> + MIN_STACK_SIZE(stack_addr));
> + preempt_enable_no_resched();
> + kprobes_restore_local_irqflag(regs);
> + return 1;
> + }
> + return 0;
> +}
> +
> +/* Break Handler hook */
> +static struct break_hook kprobes_break_hook = {
> + .esr_mask = BRK64_ESR_MASK,
> + .esr_val = BRK64_ESR_KPROBES,
> + .fn = kprobe_breakpoint_handler,
> +};
> +
> +/* Single Step handler hook */
> +static struct step_hook kprobes_step_hook = {
> + .fn = kprobe_single_step_handler,
> +};
> +
> +int __init arch_init_kprobes(void)
> +{
> + register_break_hook(&kprobes_break_hook);
> + register_step_hook(&kprobes_step_hook);
> +
> + return 0;
> +}
> diff --git a/arch/arm64/kernel/kprobes.h b/arch/arm64/kernel/kprobes.h
> new file mode 100644
> index 0000000..93c54b4
> --- /dev/null
> +++ b/arch/arm64/kernel/kprobes.h
> @@ -0,0 +1,30 @@
> +/*
> + * arch/arm64/kernel/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_H
> +#define _ARM_KERNEL_KPROBES_H
> +
> +/* BRK opcodes with ESR encoding */
> +#define BRK64_ESR_MASK 0xFFFF
> +#define BRK64_ESR_KPROBES 0x0004
> +#define BRK64_OPCODE_KPROBES 0xD4200080 /* "brk 0x4" */
> +#define ARCH64_NOP_OPCODE 0xD503201F
> +
> +#define JPROBES_MAGIC_NUM 0xa5a5a5a5a5a5a5a5
> +
> +/* Move this out to appropriate header file */
> +int fixup_exception(struct pt_regs *regs);
> +
> +#endif /* _ARM_KERNEL_KPROBES_H */
> diff --git a/arch/arm64/kernel/probes-decode.h b/arch/arm64/kernel/probes-decode.h
> new file mode 100644
> index 0000000..3650ab3
> --- /dev/null
> +++ b/arch/arm64/kernel/probes-decode.h
> @@ -0,0 +1,110 @@
> +/*
> + * arch/arm64/kernel/probes-decode.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_PROBES_DECODE_H
> +#define _ARM_KERNEL_PROBES_DECODE_H
> +
> +/*
> + * The following definitions and macros are used to build instruction
> + * decoding tables.
> + */
> +enum decode_type {
> + DECODE_TYPE_END,
> + DECODE_TYPE_SINGLESTEP,
> + DECODE_TYPE_SIMULATE,
> + DECODE_TYPE_TABLE,
> + DECODE_TYPE_REJECT,
> +};
> +
> +struct aarch64_decode_item;
> +
> +struct aarch64_decode_header {
> + enum decode_type type;
> + u32 mask;
> + u32 val;
> +};
> +
> +struct aarch64_decode_actions {
> + kprobes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> +};
> +
> +struct aarch64_decode_table {
> + const struct aarch64_decode_item *tbl;
> +};
> +
> +union aarch64_decode_handler {
> + struct aarch64_decode_actions actions;
> + struct aarch64_decode_table table;
> +};
> +
> +struct aarch64_decode_item {
> + struct aarch64_decode_header header;
> + union aarch64_decode_handler decode;
> +};
> +
> +#define decode_get_type(_entry) ((_entry).header.type)
> +
> +#define decode_table_end(_entry) \
> + ((_entry).header.type == DECODE_TYPE_END)
> +
> +#define decode_table_hit(_entry, insn) \
> + ((insn & (_entry).header.mask) == (_entry).header.val)
> +
> +#define decode_prepare_fn(_entry) ((_entry).decode.actions.prepare)
> +#define decode_handler_fn(_entry) ((_entry).decode.actions.handler)
> +#define decode_sub_table(_entry) ((_entry).decode.table.tbl)
> +
> +#define DECODE_ADD_HEADER(_type, _val, _mask) \
> + .header = { \
> + .type = _type, \
> + .mask = _mask, \
> + .val = _val, \
> + },
> +
> +#define DECODE_ADD_ACTION(_prepare, _handler) \
> + .decode = { \
> + .actions = { \
> + .prepare = _prepare, \
> + .handler = _handler, \
> + } \
> + },
> +
> +#define DECODE_ADD_TABLE(_table) \
> + .decode = { \
> + .table = {.tbl = _table} \
> + },
> +
> +#define DECODE_REJECT(_v, _m) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_REJECT, _v, _m) }
> +
> +#define DECODE_SINGLESTEP(_v, _m) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_SINGLESTEP, _v, _m) }
> +
> +#define DECODE_SIMULATE(_v, _m, _p, _h) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_SIMULATE, _v, _m) \
> + DECODE_ADD_ACTION(_p, _h) }
> +
> +#define DECODE_TABLE(_v, _m, _table) \
> + { DECODE_ADD_HEADER(DECODE_TYPE_TABLE, _v, _m) \
> + DECODE_ADD_TABLE(_table) }
> +
> +#define DECODE_LITERAL(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
> +#define DECODE_BRANCH(_v, _m, _p, _h) DECODE_SIMULATE(_v, _m, _p, _h)
> +
> +/* should be the last element in decode structure */
> +#define DECODE_END { .header = {.type = DECODE_TYPE_END, } }
> +
> +#endif /* _ARM_KERNEL_PROBES_DECODE_H */
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index edf8715..ab7720b 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -63,6 +63,7 @@ SECTIONS
> TEXT_TEXT
> SCHED_TEXT
> LOCK_TEXT
> + KPROBES_TEXT
> HYPERVISOR_TEXT
> *(.fixup)
> *(.gnu.warning)
>

2014-11-18 14:44:26

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 2/5] arm64: Kprobes instruction simulation support

On 11/18/2014 01:32 AM, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for AArch64 instruction simulation in kprobes.
>
> Kprobes need simulation of instructions that cannot be stepped
> right-away from different memory location. i.e. those instructions
> that uses PC-relative addressing. In simulation, the behaviour
> of the instruction is implemented using copy of pt_regs.
>
> Following instruction catagories are simulated:
> - All branching instructions(conditional, register, and immediate)
> - Literal access instructions(load-literal, adr/adrp)
>
> conditional execution are limited to branching instructions in
> ARM v8. If conditions at PSTATE does not match the condition fields
> of opcode, the instruction is effectively NOP. Kprobes consider
> this case as 'miss'.
>
> changes since v4:
> from David A. Long:
> 1) Fix bogus simulate_ldrsw_literal() semantics.
> from Will Cohen:
> 2) Remove PC adjustments when simulating an instruction.

Add missing PC updates for some instruction simulation.

> 3) Fix displacement calculations.
>
> Signed-off-by: Sandeepa Prabhu <[email protected]>
> Signed-off-by: William Cohen <[email protected]>
> Signed-off-by: David A. Long <[email protected]>
> ---
> arch/arm64/kernel/Makefile | 4 +-
> arch/arm64/kernel/kprobes-arm64.c | 120 +++++++++++++++++++--
> arch/arm64/kernel/kprobes-arm64.h | 2 +
> arch/arm64/kernel/kprobes.c | 35 ++++++-
> arch/arm64/kernel/probes-condn-check.c | 122 ++++++++++++++++++++++
> arch/arm64/kernel/probes-simulate-insn.c | 174 +++++++++++++++++++++++++++++++
> arch/arm64/kernel/probes-simulate-insn.h | 33 ++++++
> 7 files changed, 477 insertions(+), 13 deletions(-)
> create mode 100644 arch/arm64/kernel/probes-condn-check.c
> create mode 100644 arch/arm64/kernel/probes-simulate-insn.c
> create mode 100644 arch/arm64/kernel/probes-simulate-insn.h
>
> diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
> index df08c0e..fc9922f 100644
> --- a/arch/arm64/kernel/Makefile
> +++ b/arch/arm64/kernel/Makefile
> @@ -29,7 +29,9 @@ arm64-obj-$(CONFIG_ARM64_CPU_SUSPEND) += sleep.o suspend.o
> arm64-obj-$(CONFIG_CPU_IDLE) += cpuidle.o
> arm64-obj-$(CONFIG_JUMP_LABEL) += jump_label.o
> arm64-obj-$(CONFIG_KGDB) += kgdb.o
> -arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o
> +arm64-obj-$(CONFIG_KPROBES) += kprobes.o kprobes-arm64.o \
> + probes-simulate-insn.o \
> + probes-condn-check.o
> arm64-obj-$(CONFIG_EFI) += efi.o efi-stub.o efi-entry.o
> arm64-obj-$(CONFIG_PCI) += pci.o
>
> diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c
> index 30d1c14..bee7816 100644
> --- a/arch/arm64/kernel/kprobes-arm64.c
> +++ b/arch/arm64/kernel/kprobes-arm64.c
> @@ -20,6 +20,101 @@
>
> #include "probes-decode.h"
> #include "kprobes-arm64.h"
> +#include "probes-simulate-insn.h"
> +
> +/*
> + * condition check functions for kprobes simulation
> + */
> +static unsigned long __kprobes
> +__check_pstate(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct arch_specific_insn *asi = &p->ainsn;
> + unsigned long pstate = regs->pstate & 0xffffffff;
> +
> + return asi->pstate_cc(pstate);
> +}
> +
> +static unsigned long __kprobes
> +__check_cbz(struct kprobe *p, struct pt_regs *regs)
> +{
> + return check_cbz((u32)p->opcode, regs);
> +}
> +
> +static unsigned long __kprobes
> +__check_cbnz(struct kprobe *p, struct pt_regs *regs)
> +{
> + return check_cbnz((u32)p->opcode, regs);
> +}
> +
> +static unsigned long __kprobes
> +__check_tbz(struct kprobe *p, struct pt_regs *regs)
> +{
> + return check_tbz((u32)p->opcode, regs);
> +}
> +
> +static unsigned long __kprobes
> +__check_tbnz(struct kprobe *p, struct pt_regs *regs)
> +{
> + return check_tbnz((u32)p->opcode, regs);
> +}
> +
> +/*
> + * prepare functions for instruction simulation
> + */
> +static void __kprobes
> +prepare_none(struct kprobe *p, struct arch_specific_insn *asi)
> +{
> +}
> +
> +static void __kprobes
> +prepare_bcond(struct kprobe *p, struct arch_specific_insn *asi)
> +{
> + kprobe_opcode_t insn = p->opcode;
> +
> + asi->check_condn = __check_pstate;
> + asi->pstate_cc = kprobe_condition_checks[insn & 0xf];
> +}
> +
> +static void __kprobes
> +prepare_cbz_cbnz(struct kprobe *p, struct arch_specific_insn *asi)
> +{
> + kprobe_opcode_t insn = p->opcode;
> +
> + asi->check_condn = (insn & (1 << 24)) ? __check_cbnz : __check_cbz;
> +}
> +
> +static void __kprobes
> +prepare_tbz_tbnz(struct kprobe *p, struct arch_specific_insn *asi)
> +{
> + kprobe_opcode_t insn = p->opcode;
> +
> + asi->check_condn = (insn & (1 << 24)) ? __check_tbnz : __check_tbz;
> +}
> +
> +
> +/* Load literal (PC-relative) instructions
> + * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
> + *
> + * opcode[26]: V=0, Load GP registers, simulate them.
> + * Encoding: xx01 1000 xxxx xxxx xxxx xxxx xxxx xxxx
> + * opcode[31:30]: op = 00, 01 - LDR literal
> + * opcode[31:30]: op = 10, - LDRSW literal
> + *
> + * 1. V=1 -Load FP/AdvSIMD registers
> + * Encoding: xx01 1100 xxxx xxxx xxxx xxxx xxxx xxxx
> + * 2. V=0,opc=11 -PRFM(Prefetch literal)
> + * Encoding: 1101 1000 xxxx xxxx xxxx xxxx xxxx xxxx
> + * Reject FP/AdvSIMD literal load & PRFM literal.
> + */
> +static const struct aarch64_decode_item load_literal_subtable[] = {
> + DECODE_REJECT(0x1C000000, 0x3F000000),
> + DECODE_REJECT(0xD8000000, 0xFF000000),
> + DECODE_LITERAL(0x18000000, 0xBF000000, prepare_none,
> + simulate_ldr_literal),
> + DECODE_LITERAL(0x98000000, 0xFF000000, prepare_none,
> + simulate_ldrsw_literal),
> + DECODE_END,
> +};
>
> /* AArch64 instruction decode table for kprobes:
> * The instruction will fall into one of the 3 groups:
> @@ -43,7 +138,8 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
> * Data processing - PC relative(literal) addressing:
> * Encoding: xxx1 0000 xxxx xxxx xxxx xxxx xxxx xxxx
> */
> - DECODE_REJECT(0x10000000, 0x1F000000),
> + DECODE_LITERAL(0x10000000, 0x1F000000, prepare_none,
> + simulate_adr_adrp),
>
> /*
> * Data processing - Add/Substract Immediate:
> @@ -83,12 +179,16 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
> * 0101 010x xxxx xxxx xxxx xxxx xxxx xxxx (Conditional, immediate)
> * 1101 011x xxxx xxxx xxxx xxxx xxxx xxxx (Unconditional,register)
> */
> - DECODE_REJECT(0x14000000, 0x7C000000),
> - DECODE_REJECT(0x14000000, 0x7C000000),
> - DECODE_REJECT(0x34000000, 0x7E000000),
> - DECODE_REJECT(0x36000000, 0x7E000000),
> - DECODE_REJECT(0x54000000, 0xFE000000),
> - DECODE_REJECT(0xD6000000, 0xFE000000),
> + DECODE_BRANCH(0x14000000, 0x7C000000, prepare_none,
> + simulate_b_bl),
> + DECODE_BRANCH(0x34000000, 0x7E000000, prepare_cbz_cbnz,
> + simulate_cbz_cbnz),
> + DECODE_BRANCH(0x36000000, 0x7E000000, prepare_tbz_tbnz,
> + simulate_tbz_tbnz),
> + DECODE_BRANCH(0x54000000, 0xFE000000, prepare_bcond,
> + simulate_b_cond),
> + DECODE_BRANCH(0xD6000000, 0xFE000000, prepare_none,
> + simulate_br_blr_ret),
>
> /* System insn:
> * Encoding: 1101 0101 00xx xxxx xxxx xxxx xxxx xxxx
> @@ -119,7 +219,7 @@ static const struct aarch64_decode_item aarch64_decode_table[] = {
> * Load/Store - PC relative(literal):
> * Encoding: xx01 1x00 xxxx xxxx xxxx xxxx xxxx xxxx
> */
> - DECODE_REJECT(0x18000000, 0x3B000000),
> + DECODE_TABLE(0x18000000, 0x3B000000, load_literal_subtable),
>
> /*
> * Load/Store - Register Pair
> @@ -188,7 +288,9 @@ kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
> break;
>
> case DECODE_TYPE_SIMULATE:
> - ret = INSN_REJECTED;
> + asi->prepare = decode_prepare_fn(tbl[entry]);
> + asi->handler = decode_handler_fn(tbl[entry]);
> + ret = INSN_GOOD_NO_SLOT;
> break;
>
> case DECODE_TYPE_TABLE:
> diff --git a/arch/arm64/kernel/kprobes-arm64.h b/arch/arm64/kernel/kprobes-arm64.h
> index 87e7891..ff8a55f 100644
> --- a/arch/arm64/kernel/kprobes-arm64.h
> +++ b/arch/arm64/kernel/kprobes-arm64.h
> @@ -22,6 +22,8 @@ enum kprobe_insn {
> INSN_GOOD,
> };
>
> +extern kprobes_pstate_check_t * const kprobe_condition_checks[16];
> +
> enum kprobe_insn __kprobes
> arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi);
>
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> index ca7fa10..789ab61 100644
> --- a/arch/arm64/kernel/kprobes.c
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -38,6 +38,9 @@
> DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
> DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
>
> +static void __kprobes
> +post_kprobe_handler(struct kprobe_ctlblk *, struct pt_regs *);
> +
> static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
> {
> /* prepare insn slot */
> @@ -54,6 +57,27 @@ static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
> p->ainsn.restore.type = RESTORE_PC;
> }
>
> +static void __kprobes arch_prepare_simulate(struct kprobe *p)
> +{
> + if (p->ainsn.prepare)
> + p->ainsn.prepare(p, &p->ainsn);
> +
> + /* This instructions is not executed xol. No need to adjust the PC */
> + p->ainsn.restore.addr = 0;
> + p->ainsn.restore.type = NO_RESTORE;
> +}
> +
> +static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
> +
> + if (p->ainsn.handler)
> + p->ainsn.handler((u32)p->opcode, (long)p->addr, regs);
> +
> + /* single step simulated, now go for post processing */
> + post_kprobe_handler(kcb, regs);
> +}
> +
> int __kprobes arch_prepare_kprobe(struct kprobe *p)
> {
> kprobe_opcode_t insn;
> @@ -72,7 +96,8 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
> return -EINVAL;
>
> case INSN_GOOD_NO_SLOT: /* insn need simulation */
> - return -EINVAL;
> + p->ainsn.insn = NULL;
> + break;
>
> case INSN_GOOD: /* instruction uses slot */
> p->ainsn.insn = get_insn_slot();
> @@ -82,7 +107,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
> };
>
> /* prepare the instruction */
> - arch_prepare_ss_slot(p);
> + if (p->ainsn.insn)
> + arch_prepare_ss_slot(p);
> + else
> + arch_prepare_simulate(p);
>
> return 0;
> }
> @@ -235,7 +263,8 @@ static void __kprobes setup_singlestep(struct kprobe *p,
> kernel_enable_single_step(regs);
> instruction_pointer(regs) = slot;
> } else {
> - BUG();
> + /* insn simulation */
> + arch_simulate_insn(p, regs);
> }
> }
>
> diff --git a/arch/arm64/kernel/probes-condn-check.c b/arch/arm64/kernel/probes-condn-check.c
> new file mode 100644
> index 0000000..e68aa0c
> --- /dev/null
> +++ b/arch/arm64/kernel/probes-condn-check.c
> @@ -0,0 +1,122 @@
> +/*
> + * arch/arm64/kernel/probes-condn-check.c
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * Copied from: arch/arm/kernel/kprobes-common.c
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + *
> + * Description:
> + *
> + * AArch64 and AArch32 shares same conditional(CNZV) flags encoding.
> + * This file implements conditional check helpers compatible with
> + * both AArch64 and AArch32 modes. Uprobes on v8 can handle both 32-bit
> + * & 64-bit user-space instructions, so we abstract the common functions
> + * in this file. While AArch64 and AArch32 specific instruction handling
> + * are implemented in separate files, this file contains common bits.
> + */
> +#include <linux/kernel.h>
> +#include <linux/module.h>
> +#include <asm/probes.h>
> +
> +static unsigned long __kprobes __check_eq(unsigned long pstate)
> +{
> + return pstate & PSR_Z_BIT;
> +}
> +
> +static unsigned long __kprobes __check_ne(unsigned long pstate)
> +{
> + return (~pstate) & PSR_Z_BIT;
> +}
> +
> +static unsigned long __kprobes __check_cs(unsigned long pstate)
> +{
> + return pstate & PSR_C_BIT;
> +}
> +
> +static unsigned long __kprobes __check_cc(unsigned long pstate)
> +{
> + return (~pstate) & PSR_C_BIT;
> +}
> +
> +static unsigned long __kprobes __check_mi(unsigned long pstate)
> +{
> + return pstate & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_pl(unsigned long pstate)
> +{
> + return (~pstate) & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_vs(unsigned long pstate)
> +{
> + return pstate & PSR_V_BIT;
> +}
> +
> +static unsigned long __kprobes __check_vc(unsigned long pstate)
> +{
> + return (~pstate) & PSR_V_BIT;
> +}
> +
> +static unsigned long __kprobes __check_hi(unsigned long pstate)
> +{
> + pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
> + return pstate & PSR_C_BIT;
> +}
> +
> +static unsigned long __kprobes __check_ls(unsigned long pstate)
> +{
> + pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
> + return (~pstate) & PSR_C_BIT;
> +}
> +
> +static unsigned long __kprobes __check_ge(unsigned long pstate)
> +{
> + pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */
> + return (~pstate) & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_lt(unsigned long pstate)
> +{
> + pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */
> + return pstate & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_gt(unsigned long pstate)
> +{
> + /*PSR_N_BIT ^= PSR_V_BIT */
> + unsigned long temp = pstate ^ (pstate << 3);
> +
> + temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */
> + return (~temp) & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_le(unsigned long pstate)
> +{
> + /*PSR_N_BIT ^= PSR_V_BIT */
> + unsigned long temp = pstate ^ (pstate << 3);
> +
> + temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */
> + return temp & PSR_N_BIT;
> +}
> +
> +static unsigned long __kprobes __check_al(unsigned long pstate)
> +{
> + return true;
> +}
> +
> +kprobes_pstate_check_t * const kprobe_condition_checks[16] = {
> + &__check_eq, &__check_ne, &__check_cs, &__check_cc,
> + &__check_mi, &__check_pl, &__check_vs, &__check_vc,
> + &__check_hi, &__check_ls, &__check_ge, &__check_lt,
> + &__check_gt, &__check_le, &__check_al, &__check_al
> +};
> diff --git a/arch/arm64/kernel/probes-simulate-insn.c b/arch/arm64/kernel/probes-simulate-insn.c
> new file mode 100644
> index 0000000..a224c91
> --- /dev/null
> +++ b/arch/arm64/kernel/probes-simulate-insn.c
> @@ -0,0 +1,174 @@
> +/*
> + * arch/arm64/kernel/probes-simulate-insn.c
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/kprobes.h>
> +#include <linux/module.h>
> +
> +#include "probes-simulate-insn.h"
> +
> +#define sign_extend(x, signbit) \
> + ((x) | (0 - ((x) & (1 << (signbit)))))
> +
> +#define bbl_displacement(insn) \
> + sign_extend(((insn) & 0x3ffffff) << 2, 27)
> +
> +#define bcond_displacement(insn) \
> + sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
> +
> +#define cbz_displacement(insn) \
> + sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
> +
> +#define tbz_displacement(insn) \
> + sign_extend(((insn >> 5) & 0x3fff) << 2, 15)
> +
> +#define ldr_displacement(insn) \
> + sign_extend(((insn >> 5) & 0x7ffff) << 2, 21)
> +
> +
> +unsigned long __kprobes check_cbz(u32 opcode, struct pt_regs *regs)
> +{
> + int xn = opcode & 0x1f;
> +
> + return (opcode & (1 << 31)) ?
> + !(regs->regs[xn]) : !(regs->regs[xn] & 0xffffffff);
> +}
> +
> +unsigned long __kprobes check_cbnz(u32 opcode, struct pt_regs *regs)
> +{
> + int xn = opcode & 0x1f;
> +
> + return (opcode & (1 << 31)) ?
> + (regs->regs[xn]) : (regs->regs[xn] & 0xffffffff);
> +}
> +
> +unsigned long __kprobes check_tbz(u32 opcode, struct pt_regs *regs)
> +{
> + int xn = opcode & 0x1f;
> + int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
> +
> + return ~((regs->regs[xn] >> bit_pos) & 0x1);
> +}
> +
> +unsigned long __kprobes check_tbnz(u32 opcode, struct pt_regs *regs)
> +{
> + int xn = opcode & 0x1f;
> + int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
> +
> + return (regs->regs[xn] >> bit_pos) & 0x1;
> +}
> +
> +/*
> + * instruction simulate functions
> + */
> +void __kprobes simulate_none(u32 opcode, long addr, struct pt_regs *regs)
> +{
> +}
> +
> +void __kprobes
> +simulate_adr_adrp(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + long imm, xn, val;
> +
> + xn = opcode & 0x1f;
> + imm = ((opcode >> 3) & 0x1ffffc) | ((opcode >> 29) & 0x3);
> + imm = sign_extend(imm, 20);
> + if (opcode & 0x80000000)
> + val = (imm<<12) + (addr & 0xfffffffffffff000);
> + else
> + val = imm + addr;
> +
> + regs->regs[xn] = val;
> +
> + instruction_pointer(regs) += 4;
> +}
> +
> +void __kprobes
> +simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + int disp = bbl_displacement(opcode);
> +
> + /* Link register is x30 */
> + if (opcode & (1 << 31))
> + regs->regs[30] = addr + 4;
> +
> + instruction_pointer(regs) = addr + disp;
> +}
> +
> +void __kprobes
> +simulate_b_cond(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + int disp = bcond_displacement(opcode);
> +
> + instruction_pointer(regs) = addr + disp;
> +}
> +
> +void __kprobes
> +simulate_br_blr_ret(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + int xn = (opcode >> 5) & 0x1f;
> +
> + /* Link register is x30 */
> + if (((opcode >> 21) & 0x3) == 1)
> + regs->regs[30] = addr + 4;
> +
> + instruction_pointer(regs) = regs->regs[xn];
> +}
> +
> +void __kprobes
> +simulate_cbz_cbnz(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + int disp = cbz_displacement(opcode);
> +
> + instruction_pointer(regs) = addr + disp;
> +}
> +
> +void __kprobes
> +simulate_tbz_tbnz(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + int disp = tbz_displacement(opcode);
> +
> + instruction_pointer(regs) = addr + disp;
> +}
> +
> +void __kprobes
> +simulate_ldr_literal(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + u64 *load_addr;
> + int xn = opcode & 0x1f;
> + int disp = ldr_displacement(opcode);
> +
> + load_addr = (u64 *) (addr + disp);
> +
> + if (opcode & (1 << 30)) /* x0-x31 */
> + regs->regs[xn] = *load_addr;
> + else /* w0-w31 */
> + *(u32 *) (&regs->regs[xn]) = (*(u32 *) (load_addr));
> +
> + instruction_pointer(regs) += 4;
> +}
> +
> +void __kprobes
> +simulate_ldrsw_literal(u32 opcode, long addr, struct pt_regs *regs)
> +{
> + s32 *load_addr;
> + int xn = opcode & 0x1f;
> + int disp = ldr_displacement(opcode);
> +
> + load_addr = (s32 *) (addr + disp);
> + regs->regs[xn] = *load_addr;
> +
> + instruction_pointer(regs) += 4;
> +}
> diff --git a/arch/arm64/kernel/probes-simulate-insn.h b/arch/arm64/kernel/probes-simulate-insn.h
> new file mode 100644
> index 0000000..406f5c2
> --- /dev/null
> +++ b/arch/arm64/kernel/probes-simulate-insn.h
> @@ -0,0 +1,33 @@
> +/*
> + * arch/arm64/kernel/probes-simulate-insn.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_PROBES_SIMULATE_INSN_H
> +#define _ARM_KERNEL_PROBES_SIMULATE_INSN_H
> +
> +unsigned long check_cbz(u32 opcode, struct pt_regs *regs);
> +unsigned long check_cbnz(u32 opcode, struct pt_regs *regs);
> +unsigned long check_tbz(u32 opcode, struct pt_regs *regs);
> +unsigned long check_tbnz(u32 opcode, struct pt_regs *regs);
> +void simulate_none(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_adr_adrp(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_b_cond(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_br_blr_ret(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_cbz_cbnz(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_tbz_tbnz(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_ldr_literal(u32 opcode, long addr, struct pt_regs *regs);
> +void simulate_ldrsw_literal(u32 opcode, long addr, struct pt_regs *regs);
> +
> +#endif /* _ARM_KERNEL_PROBES_SIMULATE_INSN_H */
>

2014-11-18 14:52:36

by Will Deacon

[permalink] [raw]
Subject: Re: [PATCH v3 5/5] arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature

Hi David,

On Tue, Nov 18, 2014 at 06:32:55AM +0000, David Long wrote:
> From: "David A. Long" <[email protected]>
>
> Add HAVE_REGS_AND_STACK_ACCESS_API feature for arm64.

[...]

> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
> index d3e782a..24cc048 100644
> --- a/arch/arm64/include/asm/ptrace.h
> +++ b/arch/arm64/include/asm/ptrace.h
> @@ -111,6 +111,8 @@ struct pt_regs {
> u64 syscallno;
> };
>
> +#define MAX_REG_OFFSET (offsetof(struct pt_regs, orig_x0))

Is orig_x0 actually useful to this API? If not, we could instead operate on
the user_pt_regs structure, and define the maximum offset in terms of sizeof
that.

> +#define ARM_cpsr pstate
> +#define ARM_pc pc
> +#define ARM_sp sp
> +#define ARM_lr regs[30]
> +#define ARM_fp regs[29]
> +#define ARM_x28 regs[28]
> +#define ARM_x27 regs[27]

[...]

I don't think we need these #defines.

Will

2014-11-18 14:56:50

by Will Deacon

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

Hello,

On Tue, Nov 18, 2014 at 06:32:51AM +0000, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.
>
> Kprobes will utilize software breakpoint and single step debug
> exceptions supported on ARM v8.
>
> software breakpoint is placed at the probe address to trap the
> kernel execution into kprobe handler.
>
> ARM v8 support single stepping to be enabled while exception return
> (ERET) with next PC in exception return address (ELR_EL1).
> kprobe handler prepares a executable memory slot for out-of-line
> execution with the copy of the original instruction under probe, and
> enable single stepping from the instruction slot. With this scheme,
> the instruction is executed with the exact same register context
> 'except PC' that points to instruction slot.
>
> Debug mask(PSTATE.D) is enabled only when single stepping a recursive
> kprobes i.e. during kprobes reenter so that probes instruction can be
> single stepped within the kprobe handler -exception- context.
> The recursion depth of kprobe is always 2, i.e. upon probe re-entry,
> any further re-entry is prevented by not calling handlers and the case
> counted as missed kprobe)
>
> Single stepping from slot has drawback on PC-relative accesses
> like branching and symbolic literals access as offset from new PC
> (slot address) may not be ensured to fit in immediate value of
> opcode, Such instructions needs simulation, so reject
> probing such instructions.
>
> Instructions generating exceptions or cpu mode change are rejected,
> and not allowed to insert probe for these instructions.
>
> Instructions using Exclusive Monitor are rejected right too.
>
> System instructions are mostly enabled for stepping, except MSR
> immediate that update "daif" flags in PSTATE, which are not safe
> for probing -rejected.

One thing I noticed looking through this patch is that we're effectively
reinventing a bunch of the instruction decoding logic that we already have
in the kernel (introduced since Sandeepa last sent his patch).

Could you take a look at include/asm/insn.h and kernel/insn.c please, and
see if you can at least consolidate some of this? Some of it should be easy
(i.e. reusing masks, using existing #defines to construct BRK encodings),
but I appreciate there may be places where kprobes needs to add extra bits,
in which case I'd really like to keep this all together if at all possible.

We're currently in a position where the module loader, BPF jit, ftrace and
the proposed alternative patching scheme are all using the same instruction
manipulation functions, so we should try to continue that trend if we can.

Thanks,

Will

2014-11-18 15:46:06

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 3/5] arm64: Add kernel return probes support(kretprobes)

On 11/18/2014 01:32 AM, David Long wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> AArch64 ISA does not instructions to pop PC register value
> from stack(like ARM v7 has ldmia {...,pc}) without using
> one of the general purpose registers. This means return probes
> cannot return to the actual return address directly without
> modifying register context, and without trapping into debug exception.

The first might read better with something like:

Unlike the ARMv7 (ldmia {...,pc}) the AArch64 ISA cannot directly pop the PC register value from the stack without using one of the general purpose registers.

-Will
>
> So like many other architectures, we prepare a global routine
> with NOPs, which serve as trampoline to hack away the
> function return address, by placing an extra kprobe on the
> trampoline entry.
>
> The pre-handler of this special trampoline' kprobe execute return
> probe handler functions and restore original return address in ELR_EL1,
> this way, saved pt_regs still hold the original register context to be
> carried back to the probed kernel function.
>
> Signed-off-by: Sandeepa Prabhu <[email protected]>
> Signed-off-by: David A. Long <[email protected]>
> ---
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/kprobes.h | 1 +
> arch/arm64/kernel/kprobes.c | 114 ++++++++++++++++++++++++++++++++++++++-
> 3 files changed, 115 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 256ef90..02f31b7 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -61,6 +61,7 @@ config ARM64
> select HAVE_RCU_TABLE_FREE
> select HAVE_SYSCALL_TRACEPOINTS
> select HAVE_KPROBES if !XIP_KERNEL
> + select HAVE_KRETPROBES if HAVE_KPROBES
> select IRQ_DOMAIN
> select MODULES_USE_ELF_RELA
> select NO_BOOTMEM
> diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
> index b35d3b9..a2de3b8 100644
> --- a/arch/arm64/include/asm/kprobes.h
> +++ b/arch/arm64/include/asm/kprobes.h
> @@ -56,5 +56,6 @@ void arch_remove_kprobe(struct kprobe *);
> int kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr);
> int kprobe_exceptions_notify(struct notifier_block *self,
> unsigned long val, void *data);
> +void kretprobe_trampoline(void);
>
> #endif /* _ARM_KPROBES_H */
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> index 789ab61..be7c330 100644
> --- a/arch/arm64/kernel/kprobes.c
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -569,6 +569,117 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
> return 0;
> }
>
> +/*
> + * Kretprobes: kernel return probes handling
> + *
> + * AArch64 mode does not support popping the PC value from the
> + * stack like on ARM 32-bit (ldmia {..,pc}), so atleast one
> + * register need to be used to achieve branching/return.
> + * It means return probes cannot return back to the original
> + * return address directly without modifying the register context.
> + *
> + * So like other architectures, we prepare a global routine
> + * with NOPs, which serve as trampoline address that hack away the
> + * function return, with the exact register context.
> + * Placing a kprobe on trampoline routine entry will trap again to
> + * execute return probe handlers and restore original return address
> + * in ELR_EL1, this way saved pt_regs still hold the original
> + * register values to be carried back to the caller.
> + */
> +static void __used kretprobe_trampoline_holder(void)
> +{
> + asm volatile (".global kretprobe_trampoline\n"
> + "kretprobe_trampoline:\n"
> + "NOP\n\t"
> + "NOP\n\t");
> +}
> +
> +static int __kprobes
> +trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
> +{
> + struct kretprobe_instance *ri = NULL;
> + struct hlist_head *head, empty_rp;
> + struct hlist_node *tmp;
> + unsigned long flags, orig_ret_addr = 0;
> + unsigned long trampoline_address =
> + (unsigned long)&kretprobe_trampoline;
> +
> + INIT_HLIST_HEAD(&empty_rp);
> + kretprobe_hash_lock(current, &head, &flags);
> +
> + /*
> + * It is possible to have multiple instances associated with a given
> + * task either because multiple functions in the call path have
> + * a return probe installed on them, and/or more than one return
> + * probe was registered for a target function.
> + *
> + * We can handle this because:
> + * - instances are always inserted at the head of the list
> + * - when multiple return probes are registered for the same
> + * function, the first instance's ret_addr will point to the
> + * real return address, and all the rest will point to
> + * kretprobe_trampoline
> + */
> + hlist_for_each_entry_safe(ri, tmp, head, hlist) {
> + if (ri->task != current)
> + /* another task is sharing our hash bucket */
> + continue;
> +
> + if (ri->rp && ri->rp->handler) {
> + __this_cpu_write(current_kprobe, &ri->rp->kp);
> + get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
> + ri->rp->handler(ri, regs);
> + __this_cpu_write(current_kprobe, NULL);
> + }
> +
> + orig_ret_addr = (unsigned long)ri->ret_addr;
> + recycle_rp_inst(ri, &empty_rp);
> +
> + if (orig_ret_addr != trampoline_address)
> + /*
> + * This is the real return address. Any other
> + * instances associated with this task are for
> + * other calls deeper on the call stack
> + */
> + break;
> + }
> +
> + kretprobe_assert(ri, orig_ret_addr, trampoline_address);
> + /* restore the original return address */
> + instruction_pointer(regs) = orig_ret_addr;
> + reset_current_kprobe();
> + kretprobe_hash_unlock(current, &flags);
> +
> + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
> + hlist_del(&ri->hlist);
> + kfree(ri);
> + }
> +
> + kprobes_restore_local_irqflag(regs);
> +
> + /* return 1 so that post handlers not called */
> + return 1;
> +}
> +
> +void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
> + struct pt_regs *regs)
> +{
> + ri->ret_addr = (kprobe_opcode_t *)regs->regs[30];
> +
> + /* replace return addr (x30) with trampoline */
> + regs->regs[30] = (long)&kretprobe_trampoline;
> +}
> +
> +static struct kprobe trampoline = {
> + .addr = (kprobe_opcode_t *) &kretprobe_trampoline,
> + .pre_handler = trampoline_probe_handler
> +};
> +
> +int __kprobes arch_trampoline_kprobe(struct kprobe *p)
> +{
> + return p->addr == (kprobe_opcode_t *) &kretprobe_trampoline;
> +}
> +
> /* Break Handler hook */
> static struct break_hook kprobes_break_hook = {
> .esr_mask = BRK64_ESR_MASK,
> @@ -586,5 +697,6 @@ int __init arch_init_kprobes(void)
> register_break_hook(&kprobes_break_hook);
> register_step_hook(&kprobes_step_hook);
>
> - return 0;
> + /* register trampoline for kret probe */
> + return register_kprobe(&trampoline);
> }
>

2014-11-19 11:21:27

by Sandeepa Prabhu

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 18 November 2014 20:26, Will Deacon <[email protected]> wrote:

> One thing I noticed looking through this patch is that we're effectively
> reinventing a bunch of the instruction decoding logic that we already have
> in the kernel (introduced since Sandeepa last sent his patch).
>
> Could you take a look at include/asm/insn.h and kernel/insn.c please, and
> see if you can at least consolidate some of this? Some of it should be easy
> (i.e. reusing masks, using existing #defines to construct BRK encodings),
> but I appreciate there may be places where kprobes needs to add extra bits,
> in which case I'd really like to keep this all together if at all possible.
>
> We're currently in a position where the module loader, BPF jit, ftrace and
> the proposed alternative patching scheme are all using the same instruction
> manipulation functions, so we should try to continue that trend if we can.
Will,

kernel/insn.c support generating instruction encodings(forming opcodes
with given specifications), so for kprobes, only BRK encoding can use
this mechanism.
For instruction simulation, the instruction behavior should be
simulated on saved pt_regs, which is not supported on insn.c routines,
so still need probes-simulate-insn.c. Please point me if I am missing
something here.

>
> Thanks,
>
> Will

2014-11-19 11:25:58

by Will Deacon

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On Wed, Nov 19, 2014 at 11:21:24AM +0000, Sandeepa Prabhu wrote:
> On 18 November 2014 20:26, Will Deacon <[email protected]> wrote:
>
> > One thing I noticed looking through this patch is that we're effectively
> > reinventing a bunch of the instruction decoding logic that we already have
> > in the kernel (introduced since Sandeepa last sent his patch).
> >
> > Could you take a look at include/asm/insn.h and kernel/insn.c please, and
> > see if you can at least consolidate some of this? Some of it should be easy
> > (i.e. reusing masks, using existing #defines to construct BRK encodings),
> > but I appreciate there may be places where kprobes needs to add extra bits,
> > in which case I'd really like to keep this all together if at all possible.
> >
> > We're currently in a position where the module loader, BPF jit, ftrace and
> > the proposed alternative patching scheme are all using the same instruction
> > manipulation functions, so we should try to continue that trend if we can.
> Will,
>
> kernel/insn.c support generating instruction encodings(forming opcodes
> with given specifications), so for kprobes, only BRK encoding can use
> this mechanism.
> For instruction simulation, the instruction behavior should be
> simulated on saved pt_regs, which is not supported on insn.c routines,
> so still need probes-simulate-insn.c. Please point me if I am missing
> something here.

I was thinking of the magic hex numbers in the kprobes decode tables, which
seem to correspond directly to the instruction classes described in insn.c

Keeping the actual emulation code separate makes sense.

Will

2014-11-19 14:55:26

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 11/19/14 06:25, Will Deacon wrote:
> On Wed, Nov 19, 2014 at 11:21:24AM +0000, Sandeepa Prabhu wrote:
>> On 18 November 2014 20:26, Will Deacon <[email protected]> wrote:
>>
>>> One thing I noticed looking through this patch is that we're effectively
>>> reinventing a bunch of the instruction decoding logic that we already have
>>> in the kernel (introduced since Sandeepa last sent his patch).
>>>
>>> Could you take a look at include/asm/insn.h and kernel/insn.c please, and
>>> see if you can at least consolidate some of this? Some of it should be easy
>>> (i.e. reusing masks, using existing #defines to construct BRK encodings),
>>> but I appreciate there may be places where kprobes needs to add extra bits,
>>> in which case I'd really like to keep this all together if at all possible.
>>>
>>> We're currently in a position where the module loader, BPF jit, ftrace and
>>> the proposed alternative patching scheme are all using the same instruction
>>> manipulation functions, so we should try to continue that trend if we can.
>> Will,
>>
>> kernel/insn.c support generating instruction encodings(forming opcodes
>> with given specifications), so for kprobes, only BRK encoding can use
>> this mechanism.
>> For instruction simulation, the instruction behavior should be
>> simulated on saved pt_regs, which is not supported on insn.c routines,
>> so still need probes-simulate-insn.c. Please point me if I am missing
>> something here.
>
> I was thinking of the magic hex numbers in the kprobes decode tables, which
> seem to correspond directly to the instruction classes described in insn.c
>
> Keeping the actual emulation code separate makes sense.
>
> Will

Of course that follows the model of the much more complex arm32
kprobes/uprobes decoding. I can have a go at replacing it with insn.c
calls.

-dl

2014-11-20 05:10:11

by Sandeepa Prabhu

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 19 November 2014 20:25, David Long <[email protected]> wrote:
>> I was thinking of the magic hex numbers in the kprobes decode tables,
>> which
>> seem to correspond directly to the instruction classes described in insn.c
>>
>> Keeping the actual emulation code separate makes sense.
>>
>> Will
>
>
> Of course that follows the model of the much more complex arm32
> kprobes/uprobes decoding. I can have a go at replacing it with insn.c
> calls.
well, the magic hex numbers were derived directly from ARMv8 ARM
Tabled C4.1 thru C4.6 and bit-masking would be faster search, but
surely you can give a try with insn.c (this would consume lot of
function calls to arrive at same decision).
~Sandeepa
>
> -dl
>

Subject: Re: [PATCH v3 5/5] arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature

(2014/11/18 23:52), Will Deacon wrote:
> Hi David,
>
> On Tue, Nov 18, 2014 at 06:32:55AM +0000, David Long wrote:
>> From: "David A. Long" <[email protected]>
>>
>> Add HAVE_REGS_AND_STACK_ACCESS_API feature for arm64.
>
> [...]
>
>> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
>> index d3e782a..24cc048 100644
>> --- a/arch/arm64/include/asm/ptrace.h
>> +++ b/arch/arm64/include/asm/ptrace.h
>> @@ -111,6 +111,8 @@ struct pt_regs {
>> u64 syscallno;
>> };
>>
>> +#define MAX_REG_OFFSET (offsetof(struct pt_regs, orig_x0))
>
> Is orig_x0 actually useful to this API? If not, we could instead operate on
> the user_pt_regs structure, and define the maximum offset in terms of sizeof
> that.

It depends on the architecture, but this patch provides the common interface
for kprobe-tracer. I think this code looks OK, since kprobe-tracer doesn't
use user_pt_regs.

>
>> +#define ARM_cpsr pstate
>> +#define ARM_pc pc
>> +#define ARM_sp sp
>> +#define ARM_lr regs[30]
>> +#define ARM_fp regs[29]
>> +#define ARM_x28 regs[28]
>> +#define ARM_x27 regs[27]
>
> [...]
>
> I don't think we need these #defines.

Agreed.

Thank you,


--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-11-20 15:02:12

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
> From: "David A. Long" <[email protected]>
>
> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
> seen in October 2013. This version attempts to address concerns raised by
> reviewers and also fixes problems discovered during testing, particularly during
> SMP testing.
>
> This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
> and return probes(kretprobes) support for ARM64.
>
> Kprobes mechanism makes use of software breakpoint and single stepping
> support available in the ARM v8 kernel.
>
> Changes since v2 include:
>
> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
> instruction long.
> 2) Disabling of interrupts during execution in single-step mode.
> 3) Fixing of numerous problems in instruction simulation code.
> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
> access to kprobes through debugfs.
> 5) kprobes is *not* enabled in defconfig.
> 6) Numerous complaints from checkpatch have been cleaned up, although a couple
> remain as removing the function pointer typedefs results in ugly code.

Hi David,
I've been playing with this on a Juno board.
I ran into one crash, which I'm not yet sure is an issue, but thought I
would flag it.

I opted to put a kprobe on memcpy, this is an assembler function so I
located it via:
$ nm ./vmlinux | grep \ memcpy$
fffffe0000408a00 T memcpy

Then placed a probe as follows:
echo "p:memcpy 0xfffffe0000408a00 %x2" > /sys/kernel/debug/tracing/kprobe_events

I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
activate the probe via:
echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable

Everything worked well, and I got the expected output.

I then tried to record events with perf via:
perf record -e kprobes:memcpy -a sleep 5

Then I got an, easily reproducible, panic (pasted below).

The point of failure in the panic was:
fs/buffer.c:1257

static inline void check_irqs_on(void)
{
#ifdef irqs_disabled
BUG_ON(irqs_disabled());
#endif
}

I will do some more digging; but I have managed to code up an ftrace
static probe on memcpy and record that using perf on arm64 without
issue.

Cheers,
--
Steve


The panic I got:
Kernel panic - not syncing: BUG!
CPU: 2 PID: 2065 Comm: perf Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000062f618>] panic+0xec/0x230
[<fffffe000021abdc>] __find_get_block+0x164/0x184 <--- fs/buffer.c:1257
[<fffffe000021b644>] __getblk_gfp+0x34/0x70
[<fffffe000027afe4>] ext4_getblk+0x84/0x200
[<fffffe0000284d38>] ext4_find_entry+0x2a8/0x4ac
[<fffffe0000284f8c>] ext4_lookup+0x50/0x170
[<fffffe00001ef780>] lookup_real+0x3c/0x7c
[<fffffe00001f0294>] __lookup_hash+0x50/0x6c
[<fffffe00001f2544>] lookup_slow+0x48/0xfc
[<fffffe00001f290c>] link_path_walk+0x314/0x8fc
[<fffffe00001f4d3c>] path_openat+0x94/0x63c
[<fffffe00001f60bc>] do_filp_open+0x3c/0xa8
[<fffffe00001eb8d4>] do_open_exec+0x2c/0x10c
[<fffffe00001ed5e4>] do_execve+0x194/0x514
[<fffffe00001edbac>] SyS_execve+0x30/0x44
CPU1: stopping
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000009ba68>] handle_IPI+0x1e4/0x1fc
[<fffffe0000090328>] gic_handle_irq+0x80/0x88
Exception stack(0xfffffe094046be20 to 0xfffffe094046bf40)
be20: 00000001 00000000 00000e12 00000000 4046bf60 fffffe09 00094168 fffffe00
be40: 00000000 00000000 00000000 00000000 7fe60bcc fffffe09 00000000 01000000
be60: 000000dc 00000000 40590000 fffffe09 c86433fb 001c6b77 ffffc9db 00000000
be80: 404175a0 fffffe09 4046bd80 fffffe09 000003ff 00000000 7ebb0020 fffffe00
bea0: ffffffd0 ffffff80 d88957c0 000003ff ffffffd0 ffffff80 92046590 000003ff
bec0: 001e6cd0 fffffe00 924ef810 000003ff d8895570 000003ff 00000001 00000000
bee0: 00000e12 00000000 40468000 fffffe09 00a20c98 fffffe00 00a221c0 fffffe00
bf00: 009fb000 fffffe00 00666678 fffffe00 009f9cf1 fffffe00 007f2bf0 fffffe00
bf20: 00000001 00000000 4046bf60 fffffe09 00094164 fffffe00 4046bf60 fffffe09
[<fffffe0000092ce4>] el1_irq+0x64/0xc0
[<fffffe00000eedb0>] cpu_startup_entry+0x17c/0x1dc
[<fffffe000009b478>] secondary_start_kernel+0x11c/0x12c
CPU3: stopping
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000009ba68>] handle_IPI+0x1e4/0x1fc
[<fffffe0000090328>] gic_handle_irq+0x80/0x88
Exception stack(0xfffffe0940473e20 to 0xfffffe0940473f40)
3e20: 00000003 00000000 00000e12 00000000 40473f60 fffffe09 00094168 fffffe00
3e40: 00000000 00000000 00000000 00000000 7fea0bcc fffffe09 00000000 01000000
3e60: 00000000 00000000 41023e58 fffffe09 41023e58 fffffe09 7fea12e8 fffffe09
3e80: 40418c20 fffffe09 40473d80 fffffe09 000003ff 00000000 00667ff0 fffffe00
3ea0: 82f76000 000003ff 0041b230 00000000 0041b248 00000000 b4c583d5 000e8b8e
3ec0: 0010a6e0 fffffe00 82ece204 000003ff 0000000d 00000000 00000003 00000000
3ee0: 00000e12 00000000 40470000 fffffe09 00a20c98 fffffe00 00a221c0 fffffe00
3f00: 009fb000 fffffe00 00666678 fffffe00 009f9cf1 fffffe00 007f2bf0 fffffe00
3f20: 00000001 00000000 40473f60 fffffe09 00094164 fffffe00 40473f60 fffffe09
[<fffffe0000092ce4>] el1_irq+0x64/0xc0
[<fffffe00000eedb0>] cpu_startup_entry+0x17c/0x1dc
[<fffffe000009b478>] secondary_start_kernel+0x11c/0x12c
CPU5: stopping
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000009ba68>] handle_IPI+0x1e4/0x1fc
[<fffffe0000090328>] gic_handle_irq+0x80/0x88
Exception stack(0xfffffe094047be20 to 0xfffffe094047bf40)
be20: 00000005 00000000 00000e12 00000000 4047bf60 fffffe09 00094168 fffffe00
be40: 00000000 00000000 00000000 00000000 7fee0bcc fffffe09 00000000 01000000
be60: 00000020 00000000 0ccccccd 00000000 4184f3c5 0015dcf7 00000000 00000000
be80: 4041a2a0 fffffe09 4047bd80 fffffe09 000003ff 00000000 00667ff0 fffffe00
bea0: 001c43f0 fffffdff 001c4188 fffffdff 00000000 00000000 b2d46590 000003ff
bec0: 000ba99c fffffe00 b2b56050 000003ff fb2c5b90 000003ff 00000005 00000000
bee0: 00000e12 00000000 40478000 fffffe09 00a20c98 fffffe00 00a221c0 fffffe00
bf00: 009fb000 fffffe00 00666678 fffffe00 009f9cf1 fffffe00 007f2bf0 fffffe00
bf20: 00000001 00000000 4047bf60 fffffe09 00094164 fffffe00 4047bf60 fffffe09
[<fffffe0000092ce4>] el1_irq+0x64/0xc0
[<fffffe00000eedb0>] cpu_startup_entry+0x17c/0x1dc
[<fffffe000009b478>] secondary_start_kernel+0x11c/0x12c
CPU4: stopping
CPU: 4 PID: 0 Comm: swapper/4 Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000009ba68>] handle_IPI+0x1e4/0x1fc
[<fffffe0000090328>] gic_handle_irq+0x80/0x88
Exception stack(0xfffffe0940477e20 to 0xfffffe0940477f40)
7e20: 00000004 00000000 00000e12 00000000 40477f60 fffffe09 00094168 fffffe00
7e40: 00000000 00000000 00000000 00000000 7fec0bcc fffffe09 00000000 01000000
7e60: 00000000 00000000 7fec11a8 fffffe09 41013e58 fffffe09 7fec12e8 fffffe09
7e80: 40419760 fffffe09 40477d80 fffffe09 000003ff 00000000 00667ff0 fffffe00
7ea0: 009f3f90 fffffe00 001c4380 fffffdff 6577200a 676f6c62 7ec86590 000003ff
7ec0: 000ba99c fffffe00 7ea96050 000003ff f5b27140 000003ff 00000004 00000000
7ee0: 00000e12 00000000 40474000 fffffe09 00a20c98 fffffe00 00a221c0 fffffe00
7f00: 009fb000 fffffe00 00666678 fffffe00 009f9cf1 fffffe00 007f2bf0 fffffe00
7f20: 00000001 00000000 40477f60 fffffe09 00094164 fffffe00 40477f60 fffffe09
[<fffffe0000092ce4>] el1_irq+0x64/0xc0
[<fffffe00000eedb0>] cpu_startup_entry+0x17c/0x1dc
[<fffffe000009b478>] secondary_start_kernel+0x11c/0x12c
CPU0: stopping
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.18.0-rc5+ #2085
Call trace:
[<fffffe0000096d60>] dump_backtrace+0x0/0x138
[<fffffe0000096eb4>] show_stack+0x1c/0x28
[<fffffe000063109c>] dump_stack+0x74/0x94
[<fffffe000009ba68>] handle_IPI+0x1e4/0x1fc
[<fffffe0000090328>] gic_handle_irq+0x80/0x88
Exception stack(0xfffffe0000953de0 to 0xfffffe0000953f00)
3de0: 00a60000 fffffe00 00000000 00000000 00953f20 fffffe00 00094168 fffffe00
3e00: 00000000 00000000 00000000 00000000 7fe40bcc fffffe09 00000000 01000000
3e20: 0099a140 fffffe00 00000018 00000000 4184f3c5 0015dcf7 ffffc9d0 00000000
3e40: 00986e80 fffffe00 00953d40 fffffe00 d8895820 000003ff d8895820 000003ff
3e60: 005573f8 00000000 00000000 00000000 00000000 00000000 92046590 000003ff
3e80: 001710a8 fffffe00 91fc5180 000003ff d8895470 000003ff 00a60000 fffffe00
3ea0: 00000000 00000000 00950000 fffffe00 00a20c98 fffffe00 00a221c0 fffffe00
3ec0: 009fb000 fffffe00 00666678 fffffe00 009f9cf1 fffffe00 007f2bf0 fffffe00
3ee0: 00000001 00000000 00953f20 fffffe00 00094164 fffffe00 00953f20 fffffe00
[<fffffe0000092ce4>] el1_irq+0x64/0xc0
[<fffffe00000eedb0>] cpu_startup_entry+0x17c/0x1dc
[<fffffe000062d1a4>] rest_init+0x74/0x80
[<fffffe00008a0984>] start_kernel+0x3a4/0x3bc
---[ end Kernel panic - not syncing: BUG!

2014-11-21 04:28:35

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 11/18/14 08:28, Jon Medhurst (Tixy) wrote:
> On Tue, 2014-11-18 at 01:32 -0500, David Long wrote:
>> From: Sandeepa Prabhu <[email protected]>
>>
>> Add support for basic kernel probes(kprobes) and jump probes
>> (jprobes) for ARM64.
>>
>> Kprobes will utilize software breakpoint and single step debug
>> exceptions supported on ARM v8.
>>
>> software breakpoint is placed at the probe address to trap the
>> kernel execution into kprobe handler.
>>
>> ARM v8 support single stepping to be enabled while exception return
>> (ERET) with next PC in exception return address (ELR_EL1).
>> kprobe handler prepares a executable memory slot for out-of-line
>> execution with the copy of the original instruction under probe, and
>> enable single stepping from the instruction slot. With this scheme,
>> the instruction is executed with the exact same register context
>> 'except PC' that points to instruction slot.
>>
>> Debug mask(PSTATE.D) is enabled only when single stepping a recursive
>> kprobes i.e. during kprobes reenter so that probes instruction can be
>> single stepped within the kprobe handler -exception- context.
>
> Does this mean that at the point the probed instruction is
> single-stepped there is nothing extra that has been pushed on on the
> kernel stack by any kprobes handling code? I just want to check that you
> aren't going to hit the problems that the 32-bit kprobes code is
> currently being fixed for [1].
>
> The simulated instructions in patch 2 don't access the stack, so they
> are safe from the problem.
>
> [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2014-November/303525.html
>

Took me a while to read through the background on this. I believe it is
true nothing extra is put on the stack in the single-step case.

-dl

2014-11-21 06:16:42

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 5/5] arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature

On 11/18/14 09:52, Will Deacon wrote:
> Hi David,
>
> On Tue, Nov 18, 2014 at 06:32:55AM +0000, David Long wrote:
>> From: "David A. Long" <[email protected]>
>>
>> Add HAVE_REGS_AND_STACK_ACCESS_API feature for arm64.
>
> [...]
>
>> diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
>> index d3e782a..24cc048 100644
>> --- a/arch/arm64/include/asm/ptrace.h
>> +++ b/arch/arm64/include/asm/ptrace.h
>> @@ -111,6 +111,8 @@ struct pt_regs {
>> u64 syscallno;
>> };
>>
>> +#define MAX_REG_OFFSET (offsetof(struct pt_regs, orig_x0))
>
> Is orig_x0 actually useful to this API? If not, we could instead operate on
> the user_pt_regs structure, and define the maximum offset in terms of sizeof
> that.
>

I agree. I don't think the orig_x0 field should be exposed through this
API.

>> +#define ARM_cpsr pstate
>> +#define ARM_pc pc
>> +#define ARM_sp sp
>> +#define ARM_lr regs[30]
>> +#define ARM_fp regs[29]
>> +#define ARM_x28 regs[28]
>> +#define ARM_x27 regs[27]
>
> [...]
>
> I don't think we need these #defines.
>
> Will

These are used in the REG_OFFSET_NAME macro. This is all borrowed from
arch/arm/ code. I didn't see a need to redesign it.

-dl

2014-11-26 06:46:16

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On 11/19/14 09:55, David Long wrote:
> On 11/19/14 06:25, Will Deacon wrote:
>> On Wed, Nov 19, 2014 at 11:21:24AM +0000, Sandeepa Prabhu wrote:
>>> On 18 November 2014 20:26, Will Deacon <[email protected]> wrote:
>>>
>>>> One thing I noticed looking through this patch is that we're
>>>> effectively
>>>> reinventing a bunch of the instruction decoding logic that we
>>>> already have
>>>> in the kernel (introduced since Sandeepa last sent his patch).
>>>>
>>>> Could you take a look at include/asm/insn.h and kernel/insn.c
>>>> please, and
>>>> see if you can at least consolidate some of this? Some of it should
>>>> be easy
>>>> (i.e. reusing masks, using existing #defines to construct BRK
>>>> encodings),
>>>> but I appreciate there may be places where kprobes needs to add
>>>> extra bits,
>>>> in which case I'd really like to keep this all together if at all
>>>> possible.
>>>>
>>>> We're currently in a position where the module loader, BPF jit,
>>>> ftrace and
>>>> the proposed alternative patching scheme are all using the same
>>>> instruction
>>>> manipulation functions, so we should try to continue that trend if
>>>> we can.
>>> Will,
>>>
>>> kernel/insn.c support generating instruction encodings(forming opcodes
>>> with given specifications), so for kprobes, only BRK encoding can use
>>> this mechanism.
>>> For instruction simulation, the instruction behavior should be
>>> simulated on saved pt_regs, which is not supported on insn.c routines,
>>> so still need probes-simulate-insn.c. Please point me if I am missing
>>> something here.
>>
>> I was thinking of the magic hex numbers in the kprobes decode tables,
>> which
>> seem to correspond directly to the instruction classes described in
>> insn.c
>>
>> Keeping the actual emulation code separate makes sense.
>>
>> Will
>
> Of course that follows the model of the much more complex arm32
> kprobes/uprobes decoding. I can have a go at replacing it with insn.c
> calls.
>
> -dl
>

While the existing aarch64_get_insn_class() function in insn.c is
somewhat useful here what is really needed is a function that identifies
if an instruction uses the pc (branch, load literal, load address).
Such instructions cannot be arbitrarily moved around in isolation, and
do not fall neatly into the existing "class"es. I've written a simple
aarch64_insn_uses_pc() function to add to insn.c but I'd like to hear
agreement that this is a good approach before sending out the patch.
Thoughts?

-dl

Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/11/21 0:02), Steve Capper wrote:
> On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
>> From: "David A. Long" <[email protected]>
>>
>> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
>> seen in October 2013. This version attempts to address concerns raised by
>> reviewers and also fixes problems discovered during testing, particularly during
>> SMP testing.
>>
>> This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
>> and return probes(kretprobes) support for ARM64.
>>
>> Kprobes mechanism makes use of software breakpoint and single stepping
>> support available in the ARM v8 kernel.
>>
>> Changes since v2 include:
>>
>> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
>> instruction long.
>> 2) Disabling of interrupts during execution in single-step mode.
>> 3) Fixing of numerous problems in instruction simulation code.
>> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
>> access to kprobes through debugfs.
>> 5) kprobes is *not* enabled in defconfig.
>> 6) Numerous complaints from checkpatch have been cleaned up, although a couple
>> remain as removing the function pointer typedefs results in ugly code.
>
> Hi David,
> I've been playing with this on a Juno board.
> I ran into one crash, which I'm not yet sure is an issue, but thought I
> would flag it.
>
> I opted to put a kprobe on memcpy, this is an assembler function so I
> located it via:
> $ nm ./vmlinux | grep \ memcpy$
> fffffe0000408a00 T memcpy
>
> Then placed a probe as follows:
> echo "p:memcpy 0xfffffe0000408a00 %x2" > /sys/kernel/debug/tracing/kprobe_events

You can also do "p:memcpy memcpy %x2" > ...

>
> I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
> activate the probe via:
> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>
> Everything worked well, and I got the expected output.
>
> I then tried to record events with perf via:
> perf record -e kprobes:memcpy -a sleep 5
>
> Then I got an, easily reproducible, panic (pasted below).

On x86, I didn't get a panic.

>
> The point of failure in the panic was:
> fs/buffer.c:1257
>
> static inline void check_irqs_on(void)
> {
> #ifdef irqs_disabled
> BUG_ON(irqs_disabled());
> #endif
> }
>
> I will do some more digging; but I have managed to code up an ftrace
> static probe on memcpy and record that using perf on arm64 without
> issue.

Yeah, this can be a bug related to kprobes recursive call.
Could you do "cat /sys/kernel/debug/tracing/kprobe_profile" (before
run perf)?
The first digit is # of hit, and the second is # of missed (since
recursively called).

On x86, right after tracing by ftrace, we have no missed probe.

# cat /sys/kernel/debug/tracing/kprobe_profile
memcpy 4547 0

But after tracing by perf, many missed events I could see.

# cat /sys/kernel/debug/tracing/kprobe_profile
memcpy 413983 7632

So I guess this can be related to the recursive call (which
is correctly handled on x86).

Thank you,

--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-11-26 10:03:38

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On Wed, Nov 26, 2014 at 05:33:05PM +0900, Masami Hiramatsu wrote:
> (2014/11/21 0:02), Steve Capper wrote:
> > On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
> >> From: "David A. Long" <[email protected]>
> >>
> >> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
> >> seen in October 2013. This version attempts to address concerns raised by
> >> reviewers and also fixes problems discovered during testing, particularly during
> >> SMP testing.
> >>
> >> This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
> >> and return probes(kretprobes) support for ARM64.
> >>
> >> Kprobes mechanism makes use of software breakpoint and single stepping
> >> support available in the ARM v8 kernel.
> >>
> >> Changes since v2 include:
> >>
> >> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
> >> instruction long.
> >> 2) Disabling of interrupts during execution in single-step mode.
> >> 3) Fixing of numerous problems in instruction simulation code.
> >> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
> >> access to kprobes through debugfs.
> >> 5) kprobes is *not* enabled in defconfig.
> >> 6) Numerous complaints from checkpatch have been cleaned up, although a couple
> >> remain as removing the function pointer typedefs results in ugly code.
> >
> > Hi David,
> > I've been playing with this on a Juno board.
> > I ran into one crash, which I'm not yet sure is an issue, but thought I
> > would flag it.
> >
> > I opted to put a kprobe on memcpy, this is an assembler function so I
> > located it via:
> > $ nm ./vmlinux | grep \ memcpy$
> > fffffe0000408a00 T memcpy
> >
> > Then placed a probe as follows:
> > echo "p:memcpy 0xfffffe0000408a00 %x2" > /sys/kernel/debug/tracing/kprobe_events
>
> You can also do "p:memcpy memcpy %x2" > ...

Thanks, that is easier :-).

>
> >
> > I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
> > activate the probe via:
> > echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
> >
> > Everything worked well, and I got the expected output.
> >
> > I then tried to record events with perf via:
> > perf record -e kprobes:memcpy -a sleep 5
> >
> > Then I got an, easily reproducible, panic (pasted below).
>
> On x86, I didn't get a panic.
>
> >
> > The point of failure in the panic was:
> > fs/buffer.c:1257
> >
> > static inline void check_irqs_on(void)
> > {
> > #ifdef irqs_disabled
> > BUG_ON(irqs_disabled());
> > #endif
> > }
> >
> > I will do some more digging; but I have managed to code up an ftrace
> > static probe on memcpy and record that using perf on arm64 without
> > issue.
>
> Yeah, this can be a bug related to kprobes recursive call.
> Could you do "cat /sys/kernel/debug/tracing/kprobe_profile" (before
> run perf)?
> The first digit is # of hit, and the second is # of missed (since
> recursively called).
>
> On x86, right after tracing by ftrace, we have no missed probe.
>
> # cat /sys/kernel/debug/tracing/kprobe_profile
> memcpy 4547 0
>
> But after tracing by perf, many missed events I could see.
>
> # cat /sys/kernel/debug/tracing/kprobe_profile
> memcpy 413983 7632
>
> So I guess this can be related to the recursive call (which
> is correctly handled on x86).
>

Before running perf, I got the following:

# cat /sys/kernel/debug/tracing/kprobe_profile
memcpy 838 0

Unfortunately, after the crash, I was then unable to take any other
measurements.

I rebooted, set up the kprobe, then ran `./hackbench 100 process 1000',
to try and exacerbate things, and got the following:
# cat /sys/kernel/debug/tracing/kprobe_profile
memcpy 100677 0

So no missed events thusfar.

Cheers,
--
Steve

2014-11-26 10:09:21

by Will Deacon

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

On Wed, Nov 26, 2014 at 06:46:12AM +0000, David Long wrote:
> On 11/19/14 09:55, David Long wrote:
> > On 11/19/14 06:25, Will Deacon wrote:
> >> I was thinking of the magic hex numbers in the kprobes decode tables,
> >> which
> >> seem to correspond directly to the instruction classes described in
> >> insn.c
> >>
> >> Keeping the actual emulation code separate makes sense.
> >>
> > Of course that follows the model of the much more complex arm32
> > kprobes/uprobes decoding. I can have a go at replacing it with insn.c
> > calls.
>
> While the existing aarch64_get_insn_class() function in insn.c is
> somewhat useful here what is really needed is a function that identifies
> if an instruction uses the pc (branch, load literal, load address).
> Such instructions cannot be arbitrarily moved around in isolation, and
> do not fall neatly into the existing "class"es. I've written a simple
> aarch64_insn_uses_pc() function to add to insn.c but I'd like to hear
> agreement that this is a good approach before sending out the patch.
> Thoughts?

I'm perfectly happy with extending insn.c with extra helpers if they're
useful to you.

Will

2014-11-26 17:47:06

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 11/26/14 05:03, Steve Capper wrote:
> On Wed, Nov 26, 2014 at 05:33:05PM +0900, Masami Hiramatsu wrote:
>> (2014/11/21 0:02), Steve Capper wrote:
>>> On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
>>>> From: "David A. Long" <[email protected]>
>>>>
>>>> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
>>>> seen in October 2013. This version attempts to address concerns raised by
>>>> reviewers and also fixes problems discovered during testing, particularly during
>>>> SMP testing.
>>>>
>>>> This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
>>>> and return probes(kretprobes) support for ARM64.
>>>>
>>>> Kprobes mechanism makes use of software breakpoint and single stepping
>>>> support available in the ARM v8 kernel.
>>>>
>>>> Changes since v2 include:
>>>>
>>>> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
>>>> instruction long.
>>>> 2) Disabling of interrupts during execution in single-step mode.
>>>> 3) Fixing of numerous problems in instruction simulation code.
>>>> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
>>>> access to kprobes through debugfs.
>>>> 5) kprobes is *not* enabled in defconfig.
>>>> 6) Numerous complaints from checkpatch have been cleaned up, although a couple
>>>> remain as removing the function pointer typedefs results in ugly code.
>>>
>>> Hi David,
>>> I've been playing with this on a Juno board.
>>> I ran into one crash, which I'm not yet sure is an issue, but thought I
>>> would flag it.
>>>
>>> I opted to put a kprobe on memcpy, this is an assembler function so I
>>> located it via:
>>> $ nm ./vmlinux | grep \ memcpy$
>>> fffffe0000408a00 T memcpy
>>>
>>> Then placed a probe as follows:
>>> echo "p:memcpy 0xfffffe0000408a00 %x2" > /sys/kernel/debug/tracing/kprobe_events
>>
>> You can also do "p:memcpy memcpy %x2" > ...
>
> Thanks, that is easier :-).
>
>>
>>>
>>> I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
>>> activate the probe via:
>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>
>>> Everything worked well, and I got the expected output.
>>>
>>> I then tried to record events with perf via:
>>> perf record -e kprobes:memcpy -a sleep 5
>>>
>>> Then I got an, easily reproducible, panic (pasted below).
>>
>> On x86, I didn't get a panic.
>>
>>>
>>> The point of failure in the panic was:
>>> fs/buffer.c:1257
>>>
>>> static inline void check_irqs_on(void)
>>> {
>>> #ifdef irqs_disabled
>>> BUG_ON(irqs_disabled());
>>> #endif
>>> }
>>>
>>> I will do some more digging; but I have managed to code up an ftrace
>>> static probe on memcpy and record that using perf on arm64 without
>>> issue.
>>
>> Yeah, this can be a bug related to kprobes recursive call.
>> Could you do "cat /sys/kernel/debug/tracing/kprobe_profile" (before
>> run perf)?
>> The first digit is # of hit, and the second is # of missed (since
>> recursively called).
>>
>> On x86, right after tracing by ftrace, we have no missed probe.
>>
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 4547 0
>>
>> But after tracing by perf, many missed events I could see.
>>
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 413983 7632
>>
>> So I guess this can be related to the recursive call (which
>> is correctly handled on x86).
>>
>
> Before running perf, I got the following:
>
> # cat /sys/kernel/debug/tracing/kprobe_profile
> memcpy 838 0
>
> Unfortunately, after the crash, I was then unable to take any other
> measurements.
>
> I rebooted, set up the kprobe, then ran `./hackbench 100 process 1000',
> to try and exacerbate things, and got the following:
> # cat /sys/kernel/debug/tracing/kprobe_profile
> memcpy 100677 0
>
> So no missed events thusfar.
>
> Cheers,
>

So I take it from this we can conclude the problem is not reliably
reproducible?

-dl

2014-11-26 18:59:43

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 26 November 2014 at 17:46, David Long <[email protected]> wrote:
> On 11/26/14 05:03, Steve Capper wrote:
>>
>> On Wed, Nov 26, 2014 at 05:33:05PM +0900, Masami Hiramatsu wrote:
>>>
>>> (2014/11/21 0:02), Steve Capper wrote:
>>>>
>>>> On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
>>>>>
>>>>> From: "David A. Long" <[email protected]>
>>>>>
>>>>> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes
>>>>> patches, first
>>>>> seen in October 2013. This version attempts to address concerns raised
>>>>> by
>>>>> reviewers and also fixes problems discovered during testing,
>>>>> particularly during
>>>>> SMP testing.
>>>>>
>>>>> This patchset adds support for kernel probes(kprobes), jump
>>>>> probes(jprobes)
>>>>> and return probes(kretprobes) support for ARM64.
>>>>>
>>>>> Kprobes mechanism makes use of software breakpoint and single stepping
>>>>> support available in the ARM v8 kernel.
>>>>>
>>>>> Changes since v2 include:
>>>>>
>>>>> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly
>>>>> one
>>>>> instruction long.
>>>>> 2) Disabling of interrupts during execution in single-step mode.
>>>>> 3) Fixing of numerous problems in instruction simulation code.
>>>>> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to
>>>>> allow
>>>>> access to kprobes through debugfs.
>>>>> 5) kprobes is *not* enabled in defconfig.
>>>>> 6) Numerous complaints from checkpatch have been cleaned up, although a
>>>>> couple
>>>>> remain as removing the function pointer typedefs results in ugly code.
>>>>
>>>>
>>>> Hi David,
>>>> I've been playing with this on a Juno board.
>>>> I ran into one crash, which I'm not yet sure is an issue, but thought I
>>>> would flag it.
>>>>
>>>> I opted to put a kprobe on memcpy, this is an assembler function so I
>>>> located it via:
>>>> $ nm ./vmlinux | grep \ memcpy$
>>>> fffffe0000408a00 T memcpy
>>>>
>>>> Then placed a probe as follows:
>>>> echo "p:memcpy 0xfffffe0000408a00 %x2" >
>>>> /sys/kernel/debug/tracing/kprobe_events
>>>
>>>
>>> You can also do "p:memcpy memcpy %x2" > ...
>>
>>
>> Thanks, that is easier :-).
>>
>>>
>>>>
>>>> I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
>>>> activate the probe via:
>>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>>
>>>> Everything worked well, and I got the expected output.
>>>>
>>>> I then tried to record events with perf via:
>>>> perf record -e kprobes:memcpy -a sleep 5
>>>>
>>>> Then I got an, easily reproducible, panic (pasted below).
>>>
>>>
>>> On x86, I didn't get a panic.
>>>
>>>>
>>>> The point of failure in the panic was:
>>>> fs/buffer.c:1257
>>>>
>>>> static inline void check_irqs_on(void)
>>>> {
>>>> #ifdef irqs_disabled
>>>> BUG_ON(irqs_disabled());
>>>> #endif
>>>> }
>>>>
>>>> I will do some more digging; but I have managed to code up an ftrace
>>>> static probe on memcpy and record that using perf on arm64 without
>>>> issue.
>>>
>>>
>>> Yeah, this can be a bug related to kprobes recursive call.
>>> Could you do "cat /sys/kernel/debug/tracing/kprobe_profile" (before
>>> run perf)?
>>> The first digit is # of hit, and the second is # of missed (since
>>> recursively called).
>>>
>>> On x86, right after tracing by ftrace, we have no missed probe.
>>>
>>> # cat /sys/kernel/debug/tracing/kprobe_profile
>>> memcpy 4547
>>> 0
>>>
>>> But after tracing by perf, many missed events I could see.
>>>
>>> # cat /sys/kernel/debug/tracing/kprobe_profile
>>> memcpy 413983
>>> 7632
>>>
>>> So I guess this can be related to the recursive call (which
>>> is correctly handled on x86).
>>>
>>
>> Before running perf, I got the following:
>>
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 838
>> 0
>>
>> Unfortunately, after the crash, I was then unable to take any other
>> measurements.
>>
>> I rebooted, set up the kprobe, then ran `./hackbench 100 process 1000',
>> to try and exacerbate things, and got the following:
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 100677
>> 0
>>
>> So no missed events thusfar.
>>
>> Cheers,
>>
>
> So I take it from this we can conclude the problem is not reliably
> reproducible?
>

The crash is extremely easy to reproduce.

I've not observed any missed events on a kprobe on an arm64 system
that's still alive.
My (limited!) understanding is that this suggests there could be a
problem with how missed events from a recursive call to memcpy are
being handled.

Cheers,
--
Steve

Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/11/26 19:03), Steve Capper wrote:
> On Wed, Nov 26, 2014 at 05:33:05PM +0900, Masami Hiramatsu wrote:
>> (2014/11/21 0:02), Steve Capper wrote:
>>> On Tue, Nov 18, 2014 at 01:32:50AM -0500, David Long wrote:
>>>> From: "David A. Long" <[email protected]>
>>>>
>>>> This patchset is heavily based on Sandeepa Prabhu's ARM v8 kprobes patches, first
>>>> seen in October 2013. This version attempts to address concerns raised by
>>>> reviewers and also fixes problems discovered during testing, particularly during
>>>> SMP testing.
>>>>
>>>> This patchset adds support for kernel probes(kprobes), jump probes(jprobes)
>>>> and return probes(kretprobes) support for ARM64.
>>>>
>>>> Kprobes mechanism makes use of software breakpoint and single stepping
>>>> support available in the ARM v8 kernel.
>>>>
>>>> Changes since v2 include:
>>>>
>>>> 1) Removal of NOP padding in kprobe XOL slots. Slots are now exactly one
>>>> instruction long.
>>>> 2) Disabling of interrupts during execution in single-step mode.
>>>> 3) Fixing of numerous problems in instruction simulation code.
>>>> 4) Support for the HAVE_REGS_AND_STACK_ACCESS_API feature is added, to allow
>>>> access to kprobes through debugfs.
>>>> 5) kprobes is *not* enabled in defconfig.
>>>> 6) Numerous complaints from checkpatch have been cleaned up, although a couple
>>>> remain as removing the function pointer typedefs results in ugly code.
>>>
>>> Hi David,
>>> I've been playing with this on a Juno board.
>>> I ran into one crash, which I'm not yet sure is an issue, but thought I
>>> would flag it.
>>>
>>> I opted to put a kprobe on memcpy, this is an assembler function so I
>>> located it via:
>>> $ nm ./vmlinux | grep \ memcpy$
>>> fffffe0000408a00 T memcpy
>>>
>>> Then placed a probe as follows:
>>> echo "p:memcpy 0xfffffe0000408a00 %x2" > /sys/kernel/debug/tracing/kprobe_events
>>
>> You can also do "p:memcpy memcpy %x2" > ...
>
> Thanks, that is easier :-).
>
>>
>>>
>>> I was able to cat out the /sys/kernel/debug/tracing/trace_pipe file and
>>> activate the probe via:
>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>
>>> Everything worked well, and I got the expected output.
>>>
>>> I then tried to record events with perf via:
>>> perf record -e kprobes:memcpy -a sleep 5
>>>
>>> Then I got an, easily reproducible, panic (pasted below).
>>
>> On x86, I didn't get a panic.
>>
>>>
>>> The point of failure in the panic was:
>>> fs/buffer.c:1257
>>>
>>> static inline void check_irqs_on(void)
>>> {
>>> #ifdef irqs_disabled
>>> BUG_ON(irqs_disabled());
>>> #endif
>>> }
>>>
>>> I will do some more digging; but I have managed to code up an ftrace
>>> static probe on memcpy and record that using perf on arm64 without
>>> issue.
>>
>> Yeah, this can be a bug related to kprobes recursive call.
>> Could you do "cat /sys/kernel/debug/tracing/kprobe_profile" (before
>> run perf)?
>> The first digit is # of hit, and the second is # of missed (since
>> recursively called).
>>
>> On x86, right after tracing by ftrace, we have no missed probe.
>>
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 4547 0
>>
>> But after tracing by perf, many missed events I could see.
>>
>> # cat /sys/kernel/debug/tracing/kprobe_profile
>> memcpy 413983 7632
>>
>> So I guess this can be related to the recursive call (which
>> is correctly handled on x86).
>>
>
> Before running perf, I got the following:
>
> # cat /sys/kernel/debug/tracing/kprobe_profile
> memcpy 838 0
>
> Unfortunately, after the crash, I was then unable to take any other
> measurements.

Yes, but we can ensure that the recursion must be occur by
probing kprobe-tracer (ftrace) itself.

E.g.
Ensure trace_event_buffer_lock_reserve exists.
# grep trace_event_buffer_lock_reserve /proc/kallsyms
ffffffff8113a100 T trace_event_buffer_lock_reserve

Define a probe on it.
# echo p:test trace_event_buffer_lock_reserve > kprobe_events

And enable with another event (because this probe is not hit unless
other events hit)

# echo 1 > events/kprobes/test/enable
# echo 1 > events/sched/sched_process_exec/enable

If recursive call has a problem, you'll have a panic if you execute
any command. Anyway, on x86, we can see below result.

# cat kprobe_profile
test 1 1

So, the half of all probes will be missed.

Thank you,

--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

Subject: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/11/27 3:59), Steve Capper wrote:
> The crash is extremely easy to reproduce.
>
> I've not observed any missed events on a kprobe on an arm64 system
> that's still alive.
> My (limited!) understanding is that this suggests there could be a
> problem with how missed events from a recursive call to memcpy are
> being handled.

I think so too. BTW, could you bisect that? :)

Thank you,


--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-11-28 16:01:18

by Steve Capper

[permalink] [raw]
Subject: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 27 November 2014 at 06:07, Masami Hiramatsu
<[email protected]> wrote:
> (2014/11/27 3:59), Steve Capper wrote:
>> The crash is extremely easy to reproduce.
>>
>> I've not observed any missed events on a kprobe on an arm64 system
>> that's still alive.
>> My (limited!) understanding is that this suggests there could be a
>> problem with how missed events from a recursive call to memcpy are
>> being handled.
>
> I think so too. BTW, could you bisect that? :)
>

I can't bisect, but the following functions look suspicious to me
(again I'm new to kprobes...):
kprobes_save_local_irqflag
kprobes_restore_local_irqflag

I think these are breaking somehow when nested (i.e. from a recursive probe).

That would explain why the state of play of the interrupts is in an
unexpected state in the crash I reported:
"The point of failure in the panic was:
fs/buffer.c:1257

static inline void check_irqs_on(void)
{
#ifdef irqs_disabled
BUG_ON(irqs_disabled());
#endif
}
"

This is all new to me so I'm still at the head-scratching stage.

David,
Does the above make sense to you? Have you managed to reproduce the crash I get?

Cheers,
--
Steve

Subject: Re: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/11/29 1:01), Steve Capper wrote:
> On 27 November 2014 at 06:07, Masami Hiramatsu
> <[email protected]> wrote:
>> (2014/11/27 3:59), Steve Capper wrote:
>>> The crash is extremely easy to reproduce.
>>>
>>> I've not observed any missed events on a kprobe on an arm64 system
>>> that's still alive.
>>> My (limited!) understanding is that this suggests there could be a
>>> problem with how missed events from a recursive call to memcpy are
>>> being handled.
>>
>> I think so too. BTW, could you bisect that? :)
>>
>
> I can't bisect, but the following functions look suspicious to me
> (again I'm new to kprobes...):
> kprobes_save_local_irqflag
> kprobes_restore_local_irqflag
>
> I think these are breaking somehow when nested (i.e. from a recursive probe).

Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
at least must have saved_irqflag and save/restore it in
save/restore_previous_kprobe().

What about adding this?

struct prev_kprobe {
struct kprobe *kp;
unsigned int status;
+ unsigned long saved_irqflag;
};

and

static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
{
kcb->prev_kprobe.kp = kprobe_running();
kcb->prev_kprobe.status = kcb->kprobe_status;
+ kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
}

static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
{
__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
kcb->kprobe_status = kcb->prev_kprobe.status;
+ kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
}



> That would explain why the state of play of the interrupts is in an
> unexpected state in the crash I reported:
> "The point of failure in the panic was:
> fs/buffer.c:1257
>
> static inline void check_irqs_on(void)
> {
> #ifdef irqs_disabled
> BUG_ON(irqs_disabled());
> #endif
> }
> "
>
> This is all new to me so I'm still at the head-scratching stage.

Ah, I see.

Thank you,

>
> David,
> Does the above make sense to you? Have you managed to reproduce the crash I get?
>
> Cheers,
> --
> Steve
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>


--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-12-02 19:28:19

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
> (2014/11/29 1:01), Steve Capper wrote:
>> On 27 November 2014 at 06:07, Masami Hiramatsu
>> <[email protected]> wrote:
>>> (2014/11/27 3:59), Steve Capper wrote:
>>>> The crash is extremely easy to reproduce.
>>>>
>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>> that's still alive.
>>>> My (limited!) understanding is that this suggests there could be a
>>>> problem with how missed events from a recursive call to memcpy are
>>>> being handled.
>>>
>>> I think so too. BTW, could you bisect that? :)
>>>
>>
>> I can't bisect, but the following functions look suspicious to me
>> (again I'm new to kprobes...):
>> kprobes_save_local_irqflag
>> kprobes_restore_local_irqflag
>>
>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>
> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
> at least must have saved_irqflag and save/restore it in
> save/restore_previous_kprobe().
>
> What about adding this?
>
> struct prev_kprobe {
> struct kprobe *kp;
> unsigned int status;
> + unsigned long saved_irqflag;
> };
>
> and
>
> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
> {
> kcb->prev_kprobe.kp = kprobe_running();
> kcb->prev_kprobe.status = kcb->kprobe_status;
> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
> }
>
> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
> {
> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
> kcb->kprobe_status = kcb->prev_kprobe.status;
> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
> }
>

Hi Masami and Dave,

I have applied the suggested patch above to my local kernel. However, I have noticed systemtap testsuite consistently getting panics when running both before AND after applying that patch to the kernel. Any thoughts on why "perf stat" would cause that? Below is an example output

-Will

# perf stat make install

...

Running ./systemtap/notest.exp ...
Running ./systemtap.apps/java.exp ...
[ 6734.986063] Bad mode in FIQ handler detected, code 0x56000000
[ 6734.991788] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
[ 6734.999317] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.004602] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
[ 6735.012052] PC is at 0x3ff7fc0d1fc
[ 6735.015434] LR is at 0x3ff7fc31838
[ 6735.018815] pc : [<000003ff7fc0d1fc>] lr : [<000003ff7fc31838>] pstate: 00000000
[ 6735.026172] sp : fffffe03d8aabff0
[ 6735.029467] x29: 000003fffe4f6460 x28: 000003ff7fb23640
[ 6735.034772] x27: 000003ff7fb23578 x26: 000000000059a420
[ 6735.040074] x25: 000000000000005f x24: 000003ff7fb3f000
[ 6735.045375] x23: 000000004178ee40 x22: 0000000000000006
[ 6735.050680] x21: 0000000000000001 x20: 0000000000008000
[ 6735.055980] x19: 000000004178ee40 x18: 000003fffe4f64a0
[ 6735.061282] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
[ 6735.066585] x15: 00000013cd9f3df0 x14: 0000000051c4a1f8
[ 6735.071886] x13: 0000000001519f64 x12: 000000000000000e
[ 6735.077187] x11: 646f6d2f62696c2f x10: 6174732f706d742f
[ 6735.082488] x9 : 312e332f73656c75 x8 : 0000000000000038
[ 6735.087790] x7 : 5f34366372617073 x6 : 000000000000007c
[ 6735.093094] x5 : 0000000000000000 x4 : 0000000000000001
[ 6735.098397] x3 : 0000000000000000 x2 : 0000000000000000
[ 6735.103697] x1 : 0000000000000001 x0 : 0000000000008030
[ 6735.108999]
[ 6735.110483] Bad mode in Synchronous Abort handler detected, code 0x8600000f
[ 6735.117408] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
[ 6735.124936] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.130220] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
[ 6735.137662] PC is at 0x3ff7fc31838
[ 6735.141044] LR is at 0x3ff7fc31838
[ 6735.144426] pc : [<000003ff7fc31838>] lr : [<000003ff7fc31838>] pstate: 600003c5
[ 6735.151782] sp : fffffe03d8aabed0
[ 6735.155077] x29: 000003fffe4f6460 x28: 000003ff7fb23640
[ 6735.160380] x27: 000003ff7fb23578 x26: 000000000059a420
[ 6735.165681] x25: 000000000000005f x24: 000003ff7fb3f000
[ 6735.170983] x23: 0000000000000000 x22: 000003ff7fc0d1fc
[ 6735.176285] x21: fffffe03d8aabff0 x20: 0000000000008000
[ 6735.181587] x19: 000000004178ee40 x18: 000003fffe4f64a0
[ 6735.186888] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
[ 6735.192189] x15: 00000013cd9f3df0 x14: 30303030203a6574
[ 6735.197490] x13: fffffe00008eda38 x12: cb88537fdc8cb000
[ 6735.202792] x11: fffffe03d8aabb70 x10: fffffe03d8aabb70
[ 6735.208094] x9 : 000000000000015f x8 : 0000000000000000
[ 6735.213395] x7 : 0000000000000200 x6 : fffffe0000095cd4
[ 6735.218698] x5 : fffffe0300030001 x4 : 0000000000000000
[ 6735.224001] x3 : fffffe03d8aabc80 x2 : 000000000000027e
[ 6735.229304] x1 : cb88537fdc8cb000 x0 : cb88537fdc8cb000
[ 6735.234607]
[ 6735.236088] Internal error: Oops - bad mode: 0 [#1] SMP
[ 6735.241285] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 iptable_filter ip_tables bridge stp llc cfg80211 rfkill vfat fat nfsd uio_pdrv_genirq uio xfs libcrc32c dm_mirror dm_region_hash dm_log dm_mod realtek(E)
[ 6735.273612] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
[ 6735.281140] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.286422] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
[ 6735.293865] PC is at 0x3ff7fc31838
[ 6735.297246] LR is at 0x3ff7fc31838
[ 6735.300627] pc : [<000003ff7fc31838>] lr : [<000003ff7fc31838>] pstate: 600003c5
[ 6735.307982] sp : fffffe03d8aabed0
[ 6735.311277] x29: 000003fffe4f6460 x28: 000003ff7fb23640
[ 6735.316580] x27: 000003ff7fb23578 x26: 000000000059a420
[ 6735.321882] x25: 000000000000005f x24: 000003ff7fb3f000
[ 6735.327184] x23: 0000000000000000 x22: 000003ff7fc0d1fc
[ 6735.332485] x21: fffffe03d8aabff0 x20: 0000000000008000
[ 6735.337790] x19: 000000004178ee40 x18: 000003fffe4f64a0
[ 6735.343093] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
[ 6735.348393] x15: 00000013cd9f3df0 x14: 30303030203a6574
[ 6735.353695] x13: fffffe00008eda38 x12: cb88537fdc8cb000
[ 6735.358997] x11: fffffe03d8aabb70 x10: fffffe03d8aabb70
[ 6735.364299] x9 : 000000000000015f x8 : 0000000000000000
[ 6735.369602] x7 : 0000000000000200 x6 : fffffe0000095cd4
[ 6735.374905] x5 : fffffe0300030001 x4 : 0000000000000000
[ 6735.380207] x3 : fffffe03d8aabc80 x2 : 000000000000027e
[ 6735.385507] x1 : cb88537fdc8cb000 x0 : cb88537fdc8cb000
[ 6735.390810]
[ 6735.392290] Process stap (pid: 3968, stack limit = 0xfffffe03d8aa8058)
[ 6735.398784] Stack: (0xfffffe03d8aabed0 to 0xfffffe03d8aac000)
[ 6735.404500] bec0: 00008030 00000000 00000001 00000000
[ 6735.412634] bee0: 00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000
[ 6735.420768] bf00: 0000007c 00000000 72617073 5f343663 00000038 00000000 73656c75 312e332f
[ 6735.428902] bf20: 706d742f 6174732f 62696c2f 646f6d2f 0000000e 00000000 01519f64 00000000
[ 6735.437037] bf40: 51c4a1f8 00000000 cd9f3df0 00000013 7fd00008 000003ff 7fc0d1fc 000003ff
[ 6735.445171] bf60: fe4f64a0 000003ff 4178ee40 00000000 00008000 00000000 00000001 00000000
[ 6735.453305] bf80: 00000006 00000000 4178ee40 00000000 7fb3f000 000003ff 0000005f 00000000
[ 6735.461439] bfa0: 0059a420 00000000 7fb23578 000003ff 7fb23640 000003ff fe4f6460 000003ff
[ 6735.469574] bfc0: 7fc31838 000003ff d8aabff0 fffffe03 7fc0d1fc 000003ff 00000000 00000000
[ 6735.477709] bfe0: ffffff9c ffffffff 00000038 00000000 00001030 18770000 00000048 00001034
[ 6735.485841] Call trace:
[ 6735.488274] Code: d2800600 f2a00200 d2a00214 97fdf3b7 (aa0003f3)
[ 6735.494367] ---[ end trace ca753992e46532e9 ]---
[ 6735.498961] Kernel panic - not syncing: Fatal exception
[ 6735.504162] CPU6: stopping
[ 6735.506858] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6735.514560] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.519843] Call trace:
[ 6735.522281] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6735.527653] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6735.532679] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6735.537703] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6735.542901] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6735.548270] Exception stack(0xfffffe03dbebfe20 to 0xfffffe03dbebff40)
[ 6735.554678] fe20: 00000006 00000000 dbebc000 fffffe03 dbebff60 fffffe03 000940b4 fffffe00
[ 6735.562813] fe40: 00000000 00000000 00000000 00000000 fbf40fc0 fffffe03 fbf40d0c fffffe03
[ 6735.570948] fe60: 00000008 00000000 00000010 00000000 44a22180 00000626 01097980 fffffe00
[ 6735.579083] fe80: dbe1ae20 fffffe03 dbebfd50 fffffe03 0009d014 00000001 006d82f8 fffffe00
[ 6735.587217] fea0: 00000000 00000000 1e4347c0 fffffe00 00c10df0 fffffe00 05711f7c 0037a8e7
[ 6735.595351] fec0: 001ec620 fffffe00 004f0468 00000000 e30dd8e0 000003ff 00000006 00000000
[ 6735.603486] fee0: dbebc000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6735.611621] ff00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6735.619756] ff20: 006d67e8 fffffe00 dbebff60 fffffe03 000940b0 fffffe00 dbebff60 fffffe03
[ 6735.627890] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6735.632656] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6735.638457] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6735.644690] CPU7: stopping
[ 6735.647385] CPU: 7 PID: 0 Comm: swapper/7 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6735.655087] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.660368] Call trace:
[ 6735.662802] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6735.668173] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6735.673197] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6735.678221] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6735.683417] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6735.688786] Exception stack(0xfffffe03dbec3e20 to 0xfffffe03dbec3f40)
[ 6735.695193] 3e20: 00000007 00000000 dbec0000 fffffe03 dbec3f60 fffffe03 000940b4 fffffe00
[ 6735.703327] 3e40: 00000000 00000000 00000000 00000000 fbf60fc0 fffffe03 fbf60d0c fffffe03
[ 6735.711463] 3e60: 00000020 00000000 00000010 00000000 1a4d6580 00000620 fbf61788 fffffe03
[ 6735.719598] 3e80: dbe1b960 fffffe03 dbec3d50 fffffe03 0009d1a4 00000001 00000040 00000000
[ 6735.727732] 3ea0: 00000001 00000000 00000000 00000000 00000000 00000000 b96c1a6a 00261821
[ 6735.735866] 3ec0: 000b8af0 fffffe00 a48e0010 000003ff d69cf010 000003ff 00000007 00000000
[ 6735.744001] 3ee0: dbec0000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6735.752134] 3f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6735.760268] 3f20: 006d67e8 fffffe00 dbec3f60 fffffe03 000940b0 fffffe00 dbec3f60 fffffe03
[ 6735.768402] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6735.773167] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6735.778968] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6735.785202] CPU2: stopping
[ 6735.787896] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6735.795598] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.800881] Call trace:
[ 6735.803316] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6735.808687] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6735.813712] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6735.818736] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6735.823932] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6735.829301] Exception stack(0xfffffe03dbeafe20 to 0xfffffe03dbeaff40)
[ 6735.835708] fe20: 00000002 00000000 dbeac000 fffffe03 dbeaff60 fffffe03 000940b4 fffffe00
[ 6735.843843] fe40: 00000000 00000000 00000000 00000000 fbec0fc0 fffffe03 fbec0d0c fffffe03
[ 6735.851978] fe60: 00000000 00000000 dbeafee0 fffffe03 0000003f 00000000 00000000 00000000
[ 6735.860113] fe80: dbe18120 fffffe03 dbeafd50 fffffe03 0009d18f 00000001 006d82f8 fffffe00
[ 6735.868248] fea0: 01010101 01010101 00000028 00000000 fffffffe 0fffffff 00000000 00000000
[ 6735.876382] fec0: 001f8794 fffffe00 840d20c0 000003ff 0000000d 00000000 00000002 00000000
[ 6735.884518] fee0: dbeac000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6735.892652] ff00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6735.900786] ff20: 006d67e8 fffffe00 dbeaff60 fffffe03 000940b0 fffffe00 dbeaff60 fffffe03
[ 6735.908919] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6735.913685] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6735.919487] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6735.925720] CPU3: stopping
[ 6735.928413] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6735.936115] Hardware name: APM X-Gene Mustang board (DT)
[ 6735.941397] Call trace:
[ 6735.943831] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6735.949202] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6735.954226] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6735.959250] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6735.964446] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6735.969815] Exception stack(0xfffffe03dbeb3e20 to 0xfffffe03dbeb3f40)
[ 6735.976222] 3e20: 00000003 00000000 dbeb0000 fffffe03 dbeb3f60 fffffe03 000940b4 fffffe00
[ 6735.984358] 3e40: 00000000 00000000 00000000 00000000 fbee0fc0 fffffe03 fbee0d0c fffffe03
[ 6735.992492] 3e60: 00000008 00000000 00000010 00000000 66819c80 0000065e d5647e20 fffffe03
[ 6736.000627] 3e80: dc109838 fffffe03 00000001 00000000 00001001 00000000 00000040 00000000
[ 6736.008761] 3ea0: 00000018 00000000 e8000000 00000003 00000001 00000000 e45e1b65 003ba59e
[ 6736.016895] 3ec0: 0010a39c fffffe00 a5d85cb0 000003ff f7dad6c0 000003ff 00000003 00000000
[ 6736.025030] 3ee0: dbeb0000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6736.033163] 3f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6736.041297] 3f20: 006d67e8 fffffe00 dbeb3f60 fffffe03 000940b0 fffffe00 dbeb3f60 fffffe03
[ 6736.049431] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6736.054196] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6736.059998] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6736.066232] CPU5: stopping
[ 6736.068928] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6736.076631] Hardware name: APM X-Gene Mustang board (DT)
[ 6736.081914] Call trace:
[ 6736.084350] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6736.089721] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6736.094746] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6736.099770] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6736.104966] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6736.110335] Exception stack(0xfffffe03dbebbe20 to 0xfffffe03dbebbf40)
[ 6736.116742] be20: 00000005 00000000 dbeb8000 fffffe03 dbebbf60 fffffe03 000940b4 fffffe00
[ 6736.124877] be40: 00000000 00000000 00000000 00000000 fbf20fc0 fffffe03 fbf20d0c fffffe03
[ 6736.133011] be60: 00000008 00000000 00000010 00000000 87aec580 00000623 d565b840 fffffe03
[ 6736.141145] be80: dbe1a2e0 fffffe03 dbebbd50 fffffe03 0009d0db 00000001 00055dbd 00000000
[ 6736.149279] bea0: 00000018 00000000 e8000000 00000003 00000000 00000000 e035cf9c 0014f62d
[ 6736.157413] bec0: 001f8794 fffffe00 aa6720c0 000003ff 0000000d 00000000 00000005 00000000
[ 6736.165547] bee0: dbeb8000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6736.173681] bf00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6736.181815] bf20: 006d67e8 fffffe00 dbebbf60 fffffe03 000940b0 fffffe00 dbebbf60 fffffe03
[ 6736.189949] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6736.194714] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6736.200515] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6736.206749] CPU4: stopping
[ 6736.209442] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6736.217144] Hardware name: APM X-Gene Mustang board (DT)
[ 6736.222425] Call trace:
[ 6736.224859] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6736.230230] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6736.235254] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6736.240278] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6736.245474] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6736.250843] Exception stack(0xfffffe03dbeb7e20 to 0xfffffe03dbeb7f40)
[ 6736.257251] 7e20: 00000004 00000000 dbeb4000 fffffe03 dbeb7f60 fffffe03 000940b4 fffffe00
[ 6736.265385] 7e40: 00000000 00000000 00000000 00000000 fbf00fc0 fffffe03 fbf00d0c fffffe03
[ 6736.273519] 7e60: 00000000 00000000 fbf01788 fffffe03 d4dd6800 00000620 d5387d10 fffffe03
[ 6736.281653] 7e80: dbe197a0 fffffe03 dbeb7d50 fffffe03 0009d0ec 00000001 0009d7c5 00000000
[ 6736.289787] 7ea0: 00000018 00000000 e8000000 00000003 00000000 00000000 427abb63 002672da
[ 6736.297923] 7ec0: 00229414 fffffe00 8851ab88 000003ff 0000000d 00000000 00000004 00000000
[ 6736.306057] 7ee0: dbeb4000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
[ 6736.314191] 7f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
[ 6736.322326] 7f20: 006d67e8 fffffe00 dbeb7f60 fffffe03 000940b0 fffffe00 dbeb7f60 fffffe03
[ 6736.330459] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6736.335224] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
[ 6736.341026] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
[ 6736.347260] CPU1: stopping
[ 6736.349957] CPU: 1 PID: 628 Comm: rs:main Q:Reg Tainted: G D E 3.18.0-rc5kp3+ #3
[ 6736.358179] Hardware name: APM X-Gene Mustang board (DT)
[ 6736.363462] Call trace:
[ 6736.365897] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
[ 6736.371268] [<fffffe0000096d04>] show_stack+0x10/0x1c
[ 6736.376293] [<fffffe000069a0f8>] dump_stack+0x74/0x98
[ 6736.381317] [<fffffe000009b578>] handle_IPI+0x184/0x200
[ 6736.386513] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
[ 6736.391882] Exception stack(0xfffffe00010f75f0 to 0xfffffe00010f7710)
[ 6736.398289] 75e0: 00bc1000 fffffe00 00000000 00000000
[ 6736.406423] 7600: 010f7730 fffffe00 000b9714 fffffe00 00000040 00000000 00cd0e80 fffffe00
[ 6736.414557] 7620: 00cd0000 fffffe00 00000040 00000000 00cd0e80 fffffe00 0009d1a8 00000001
[ 6736.422691] 7640: 0000000a 00000000 fbea1788 fffffe03 00000020 00000000 00000000 00000000
[ 6736.430825] 7660: 006d82fc fffffe00 006d82f8 fffffe00 00000018 00000000 e8000000 00000003
[ 6736.438959] 7680: 00c00000 fffffe00 f2e8383d 0017e03a 001e4d60 fffffe00 a7e8fa20 000003ff
[ 6736.447093] 76a0: a60ae420 000003ff 00bc1000 fffffe00 00000000 00000000 00000001 00000000
[ 6736.455228] 76c0: 00000082 00000000 60000145 00000000 00c9dd90 fffffe00 00c66000 fffffe00
[ 6736.463362] 76e0: 00c00000 fffffe00 00bb0c70 fffffe00 1fc7a800 fffffe00 010f7730 fffffe00
[ 6736.471496] 7700: 000b9688 fffffe00 010f7730 fffffe00
[ 6736.476520] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6736.481285] [<fffffe00000b9b74>] irq_exit+0x90/0xd0
[ 6736.486138] [<fffffe00000f8c48>] __handle_domain_irq+0x68/0xb4
[ 6736.491940] [<fffffe000009032c>] gic_handle_irq+0x30/0x7c
[ 6736.497309] Exception stack(0xfffffe00010f7820 to 0xfffffe00010f7940)
[ 6736.503715] 7820: 00db49f0 fffffe00 00000140 00000000 010f7960 fffffe00 0069fe40 fffffe00
[ 6736.511851] 7840: 00db49f0 fffffe00 00000140 00000000 00002eb3 00000000 00004006 00000000
[ 6736.519985] 7860: 00002eb2 00000000 000ecb74 fffffe00 dc8cb000 cb88537f 0002da98 00000000
[ 6736.528119] 7880: 0002da99 00000000 00000000 00000000 dc8cb000 cb88537f 00061cbb 00000000
[ 6736.536253] 78a0: 00000018 00000000 e8000000 00000003 00000000 00000000 f2e8383d 0017e03a
[ 6736.544159] SMP: failed to stop secondary CPUs
[ 6736.544162] ---[ end Kernel panic - not syncing: Fatal exception
[ 6736.554775] 78c0: 001e4d60 fffffe00 a7e8fa20 000003ff a60ae420 000003ff 00db49f0 fffffe00
[ 6736.562911] 78e0: 00000140 00000000 010f79f8 fffffe00 00cd0000 fffffe00 14e76800 fffffe00
[ 6736.571045] 7900: 00400040 00000000 00c66000 fffffe00 00748ca8 fffffe00 00748ee8 fffffe00
[ 6736.579179] 7920: 1fc7a800 fffffe00 010f7960 fffffe00 0040434c fffffe00 010f7960 fffffe00
[ 6736.587312] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
[ 6736.592079] [<fffffe00003f17fc>] tty_port_block_til_ready+0x14c/0x2e4
[ 6736.598485] [<fffffe0000407818>] uart_open+0xc4/0x148
[ 6736.603510] [<fffffe00003e94c0>] tty_open+0x15c/0x584
[ 6736.608535] [<fffffe00001e9b94>] chrdev_open+0xc8/0x190
[ 6736.613733] [<fffffe00001e332c>] do_dentry_open+0x1c8/0x2e0
[ 6736.619275] [<fffffe00001e38cc>] vfs_open+0x3c/0x48
[ 6736.624126] [<fffffe00001f28ac>] do_last+0x154/0xd0c
[ 6736.629064] [<fffffe00001f3520>] path_openat+0xbc/0x688
[ 6736.634260] [<fffffe00001f4afc>] do_filp_open+0x3c/0xb0
[ 6736.639458] [<fffffe00001e4c64>] do_sys_open+0x160/0x234
[ 6736.644741] [<fffffe00001e4d6c>] SyS_openat+0xc/0x18


>
>
>> That would explain why the state of play of the interrupts is in an
>> unexpected state in the crash I reported:
>> "The point of failure in the panic was:
>> fs/buffer.c:1257
>>
>> static inline void check_irqs_on(void)
>> {
>> #ifdef irqs_disabled
>> BUG_ON(irqs_disabled());
>> #endif
>> }
>> "
>>
>> This is all new to me so I'm still at the head-scratching stage.
>
> Ah, I see.
>
> Thank you,
>
>>
>> David,
>> Does the above make sense to you? Have you managed to reproduce the crash I get?
>>
>> Cheers,
>> --
>> Steve
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to [email protected]
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>>
>
>

2014-12-02 20:01:45

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/02/2014 02:27 PM, William Cohen wrote:

> Hi Masami and Dave,
>
> I have applied the suggested patch above to my local kernel. However, I have noticed systemtap testsuite consistently getting panics when running both before AND after applying that patch to the kernel. Any thoughts on why "perf stat" would cause that? Below is an example output
>
> -Will

This problem doesn't look like it is related to the kprobes support. It can be triggered without running kprobes related code such as a "perf stat make" on a user-space build. It's failure looks similar to:

http://lists.infradead.org/pipermail/linux-arm-kernel/2014-June/265814.html

-Will
>
> # perf stat make install
>
> ...
>
> Running ./systemtap/notest.exp ...
> Running ./systemtap.apps/java.exp ...
> [ 6734.986063] Bad mode in FIQ handler detected, code 0x56000000
> [ 6734.991788] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
> [ 6734.999317] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.004602] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
> [ 6735.012052] PC is at 0x3ff7fc0d1fc
> [ 6735.015434] LR is at 0x3ff7fc31838
> [ 6735.018815] pc : [<000003ff7fc0d1fc>] lr : [<000003ff7fc31838>] pstate: 00000000
> [ 6735.026172] sp : fffffe03d8aabff0
> [ 6735.029467] x29: 000003fffe4f6460 x28: 000003ff7fb23640
> [ 6735.034772] x27: 000003ff7fb23578 x26: 000000000059a420
> [ 6735.040074] x25: 000000000000005f x24: 000003ff7fb3f000
> [ 6735.045375] x23: 000000004178ee40 x22: 0000000000000006
> [ 6735.050680] x21: 0000000000000001 x20: 0000000000008000
> [ 6735.055980] x19: 000000004178ee40 x18: 000003fffe4f64a0
> [ 6735.061282] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
> [ 6735.066585] x15: 00000013cd9f3df0 x14: 0000000051c4a1f8
> [ 6735.071886] x13: 0000000001519f64 x12: 000000000000000e
> [ 6735.077187] x11: 646f6d2f62696c2f x10: 6174732f706d742f
> [ 6735.082488] x9 : 312e332f73656c75 x8 : 0000000000000038
> [ 6735.087790] x7 : 5f34366372617073 x6 : 000000000000007c
> [ 6735.093094] x5 : 0000000000000000 x4 : 0000000000000001
> [ 6735.098397] x3 : 0000000000000000 x2 : 0000000000000000
> [ 6735.103697] x1 : 0000000000000001 x0 : 0000000000008030
> [ 6735.108999]
> [ 6735.110483] Bad mode in Synchronous Abort handler detected, code 0x8600000f
> [ 6735.117408] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
> [ 6735.124936] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.130220] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
> [ 6735.137662] PC is at 0x3ff7fc31838
> [ 6735.141044] LR is at 0x3ff7fc31838
> [ 6735.144426] pc : [<000003ff7fc31838>] lr : [<000003ff7fc31838>] pstate: 600003c5
> [ 6735.151782] sp : fffffe03d8aabed0
> [ 6735.155077] x29: 000003fffe4f6460 x28: 000003ff7fb23640
> [ 6735.160380] x27: 000003ff7fb23578 x26: 000000000059a420
> [ 6735.165681] x25: 000000000000005f x24: 000003ff7fb3f000
> [ 6735.170983] x23: 0000000000000000 x22: 000003ff7fc0d1fc
> [ 6735.176285] x21: fffffe03d8aabff0 x20: 0000000000008000
> [ 6735.181587] x19: 000000004178ee40 x18: 000003fffe4f64a0
> [ 6735.186888] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
> [ 6735.192189] x15: 00000013cd9f3df0 x14: 30303030203a6574
> [ 6735.197490] x13: fffffe00008eda38 x12: cb88537fdc8cb000
> [ 6735.202792] x11: fffffe03d8aabb70 x10: fffffe03d8aabb70
> [ 6735.208094] x9 : 000000000000015f x8 : 0000000000000000
> [ 6735.213395] x7 : 0000000000000200 x6 : fffffe0000095cd4
> [ 6735.218698] x5 : fffffe0300030001 x4 : 0000000000000000
> [ 6735.224001] x3 : fffffe03d8aabc80 x2 : 000000000000027e
> [ 6735.229304] x1 : cb88537fdc8cb000 x0 : cb88537fdc8cb000

<snip>

Subject: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/12/03 4:27), William Cohen wrote:
> On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
>> (2014/11/29 1:01), Steve Capper wrote:
>>> On 27 November 2014 at 06:07, Masami Hiramatsu
>>> <[email protected]> wrote:
>>>> (2014/11/27 3:59), Steve Capper wrote:
>>>>> The crash is extremely easy to reproduce.
>>>>>
>>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>>> that's still alive.
>>>>> My (limited!) understanding is that this suggests there could be a
>>>>> problem with how missed events from a recursive call to memcpy are
>>>>> being handled.
>>>>
>>>> I think so too. BTW, could you bisect that? :)
>>>>
>>>
>>> I can't bisect, but the following functions look suspicious to me
>>> (again I'm new to kprobes...):
>>> kprobes_save_local_irqflag
>>> kprobes_restore_local_irqflag
>>>
>>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>>
>> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
>> at least must have saved_irqflag and save/restore it in
>> save/restore_previous_kprobe().
>>
>> What about adding this?
>>
>> struct prev_kprobe {
>> struct kprobe *kp;
>> unsigned int status;
>> + unsigned long saved_irqflag;
>> };
>>
>> and
>>
>> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
>> {
>> kcb->prev_kprobe.kp = kprobe_running();
>> kcb->prev_kprobe.status = kcb->kprobe_status;
>> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
>> }
>>
>> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
>> {
>> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
>> kcb->kprobe_status = kcb->prev_kprobe.status;
>> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
>> }
>>
>
> Hi Masami and Dave,
>
> I have applied the suggested patch above to my local kernel. However, I have noticed systemtap testsuite consistently getting panics when running both before AND after applying that patch to the kernel. Any thoughts on why "perf stat" would cause that? Below is an example output

Thanks for reporting. But it seems another bug, which is related to
perf subsystem and irqflag recovering process.
Please make sure by using ftrace to test as Steve reported for this bug.
We'd better fix bugs one by one...

Thank you,

>
> -Will
>
> # perf stat make install
>
> ...
>
> Running ./systemtap/notest.exp ...
> Running ./systemtap.apps/java.exp ...
> [ 6734.986063] Bad mode in FIQ handler detected, code 0x56000000
> [ 6734.991788] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
> [ 6734.999317] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.004602] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
> [ 6735.012052] PC is at 0x3ff7fc0d1fc
> [ 6735.015434] LR is at 0x3ff7fc31838
> [ 6735.018815] pc : [<000003ff7fc0d1fc>] lr : [<000003ff7fc31838>] pstate: 00000000
> [ 6735.026172] sp : fffffe03d8aabff0
> [ 6735.029467] x29: 000003fffe4f6460 x28: 000003ff7fb23640
> [ 6735.034772] x27: 000003ff7fb23578 x26: 000000000059a420
> [ 6735.040074] x25: 000000000000005f x24: 000003ff7fb3f000
> [ 6735.045375] x23: 000000004178ee40 x22: 0000000000000006
> [ 6735.050680] x21: 0000000000000001 x20: 0000000000008000
> [ 6735.055980] x19: 000000004178ee40 x18: 000003fffe4f64a0
> [ 6735.061282] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
> [ 6735.066585] x15: 00000013cd9f3df0 x14: 0000000051c4a1f8
> [ 6735.071886] x13: 0000000001519f64 x12: 000000000000000e
> [ 6735.077187] x11: 646f6d2f62696c2f x10: 6174732f706d742f
> [ 6735.082488] x9 : 312e332f73656c75 x8 : 0000000000000038
> [ 6735.087790] x7 : 5f34366372617073 x6 : 000000000000007c
> [ 6735.093094] x5 : 0000000000000000 x4 : 0000000000000001
> [ 6735.098397] x3 : 0000000000000000 x2 : 0000000000000000
> [ 6735.103697] x1 : 0000000000000001 x0 : 0000000000008030
> [ 6735.108999]
> [ 6735.110483] Bad mode in Synchronous Abort handler detected, code 0x8600000f
> [ 6735.117408] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
> [ 6735.124936] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.130220] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
> [ 6735.137662] PC is at 0x3ff7fc31838
> [ 6735.141044] LR is at 0x3ff7fc31838
> [ 6735.144426] pc : [<000003ff7fc31838>] lr : [<000003ff7fc31838>] pstate: 600003c5
> [ 6735.151782] sp : fffffe03d8aabed0
> [ 6735.155077] x29: 000003fffe4f6460 x28: 000003ff7fb23640
> [ 6735.160380] x27: 000003ff7fb23578 x26: 000000000059a420
> [ 6735.165681] x25: 000000000000005f x24: 000003ff7fb3f000
> [ 6735.170983] x23: 0000000000000000 x22: 000003ff7fc0d1fc
> [ 6735.176285] x21: fffffe03d8aabff0 x20: 0000000000008000
> [ 6735.181587] x19: 000000004178ee40 x18: 000003fffe4f64a0
> [ 6735.186888] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
> [ 6735.192189] x15: 00000013cd9f3df0 x14: 30303030203a6574
> [ 6735.197490] x13: fffffe00008eda38 x12: cb88537fdc8cb000
> [ 6735.202792] x11: fffffe03d8aabb70 x10: fffffe03d8aabb70
> [ 6735.208094] x9 : 000000000000015f x8 : 0000000000000000
> [ 6735.213395] x7 : 0000000000000200 x6 : fffffe0000095cd4
> [ 6735.218698] x5 : fffffe0300030001 x4 : 0000000000000000
> [ 6735.224001] x3 : fffffe03d8aabc80 x2 : 000000000000027e
> [ 6735.229304] x1 : cb88537fdc8cb000 x0 : cb88537fdc8cb000
> [ 6735.234607]
> [ 6735.236088] Internal error: Oops - bad mode: 0 [#1] SMP
> [ 6735.241285] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 iptable_filter ip_tables bridge stp llc cfg80211 rfkill vfat fat nfsd uio_pdrv_genirq uio xfs libcrc32c dm_mirror dm_region_hash dm_log dm_mod realtek(E)
> [ 6735.273612] CPU: 0 PID: 3968 Comm: stap Tainted: G E 3.18.0-rc5kp3+ #3
> [ 6735.281140] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.286422] task: fffffe0016c25a00 ti: fffffe03d8aa8000 task.ti: fffffe03d8aa8000
> [ 6735.293865] PC is at 0x3ff7fc31838
> [ 6735.297246] LR is at 0x3ff7fc31838
> [ 6735.300627] pc : [<000003ff7fc31838>] lr : [<000003ff7fc31838>] pstate: 600003c5
> [ 6735.307982] sp : fffffe03d8aabed0
> [ 6735.311277] x29: 000003fffe4f6460 x28: 000003ff7fb23640
> [ 6735.316580] x27: 000003ff7fb23578 x26: 000000000059a420
> [ 6735.321882] x25: 000000000000005f x24: 000003ff7fb3f000
> [ 6735.327184] x23: 0000000000000000 x22: 000003ff7fc0d1fc
> [ 6735.332485] x21: fffffe03d8aabff0 x20: 0000000000008000
> [ 6735.337790] x19: 000000004178ee40 x18: 000003fffe4f64a0
> [ 6735.343093] x17: 000003ff7fc0d1fc x16: 000003ff7fd00008
> [ 6735.348393] x15: 00000013cd9f3df0 x14: 30303030203a6574
> [ 6735.353695] x13: fffffe00008eda38 x12: cb88537fdc8cb000
> [ 6735.358997] x11: fffffe03d8aabb70 x10: fffffe03d8aabb70
> [ 6735.364299] x9 : 000000000000015f x8 : 0000000000000000
> [ 6735.369602] x7 : 0000000000000200 x6 : fffffe0000095cd4
> [ 6735.374905] x5 : fffffe0300030001 x4 : 0000000000000000
> [ 6735.380207] x3 : fffffe03d8aabc80 x2 : 000000000000027e
> [ 6735.385507] x1 : cb88537fdc8cb000 x0 : cb88537fdc8cb000
> [ 6735.390810]
> [ 6735.392290] Process stap (pid: 3968, stack limit = 0xfffffe03d8aa8058)
> [ 6735.398784] Stack: (0xfffffe03d8aabed0 to 0xfffffe03d8aac000)
> [ 6735.404500] bec0: 00008030 00000000 00000001 00000000
> [ 6735.412634] bee0: 00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000
> [ 6735.420768] bf00: 0000007c 00000000 72617073 5f343663 00000038 00000000 73656c75 312e332f
> [ 6735.428902] bf20: 706d742f 6174732f 62696c2f 646f6d2f 0000000e 00000000 01519f64 00000000
> [ 6735.437037] bf40: 51c4a1f8 00000000 cd9f3df0 00000013 7fd00008 000003ff 7fc0d1fc 000003ff
> [ 6735.445171] bf60: fe4f64a0 000003ff 4178ee40 00000000 00008000 00000000 00000001 00000000
> [ 6735.453305] bf80: 00000006 00000000 4178ee40 00000000 7fb3f000 000003ff 0000005f 00000000
> [ 6735.461439] bfa0: 0059a420 00000000 7fb23578 000003ff 7fb23640 000003ff fe4f6460 000003ff
> [ 6735.469574] bfc0: 7fc31838 000003ff d8aabff0 fffffe03 7fc0d1fc 000003ff 00000000 00000000
> [ 6735.477709] bfe0: ffffff9c ffffffff 00000038 00000000 00001030 18770000 00000048 00001034
> [ 6735.485841] Call trace:
> [ 6735.488274] Code: d2800600 f2a00200 d2a00214 97fdf3b7 (aa0003f3)
> [ 6735.494367] ---[ end trace ca753992e46532e9 ]---
> [ 6735.498961] Kernel panic - not syncing: Fatal exception
> [ 6735.504162] CPU6: stopping
> [ 6735.506858] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6735.514560] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.519843] Call trace:
> [ 6735.522281] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6735.527653] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6735.532679] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6735.537703] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6735.542901] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6735.548270] Exception stack(0xfffffe03dbebfe20 to 0xfffffe03dbebff40)
> [ 6735.554678] fe20: 00000006 00000000 dbebc000 fffffe03 dbebff60 fffffe03 000940b4 fffffe00
> [ 6735.562813] fe40: 00000000 00000000 00000000 00000000 fbf40fc0 fffffe03 fbf40d0c fffffe03
> [ 6735.570948] fe60: 00000008 00000000 00000010 00000000 44a22180 00000626 01097980 fffffe00
> [ 6735.579083] fe80: dbe1ae20 fffffe03 dbebfd50 fffffe03 0009d014 00000001 006d82f8 fffffe00
> [ 6735.587217] fea0: 00000000 00000000 1e4347c0 fffffe00 00c10df0 fffffe00 05711f7c 0037a8e7
> [ 6735.595351] fec0: 001ec620 fffffe00 004f0468 00000000 e30dd8e0 000003ff 00000006 00000000
> [ 6735.603486] fee0: dbebc000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6735.611621] ff00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6735.619756] ff20: 006d67e8 fffffe00 dbebff60 fffffe03 000940b0 fffffe00 dbebff60 fffffe03
> [ 6735.627890] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6735.632656] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6735.638457] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6735.644690] CPU7: stopping
> [ 6735.647385] CPU: 7 PID: 0 Comm: swapper/7 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6735.655087] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.660368] Call trace:
> [ 6735.662802] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6735.668173] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6735.673197] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6735.678221] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6735.683417] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6735.688786] Exception stack(0xfffffe03dbec3e20 to 0xfffffe03dbec3f40)
> [ 6735.695193] 3e20: 00000007 00000000 dbec0000 fffffe03 dbec3f60 fffffe03 000940b4 fffffe00
> [ 6735.703327] 3e40: 00000000 00000000 00000000 00000000 fbf60fc0 fffffe03 fbf60d0c fffffe03
> [ 6735.711463] 3e60: 00000020 00000000 00000010 00000000 1a4d6580 00000620 fbf61788 fffffe03
> [ 6735.719598] 3e80: dbe1b960 fffffe03 dbec3d50 fffffe03 0009d1a4 00000001 00000040 00000000
> [ 6735.727732] 3ea0: 00000001 00000000 00000000 00000000 00000000 00000000 b96c1a6a 00261821
> [ 6735.735866] 3ec0: 000b8af0 fffffe00 a48e0010 000003ff d69cf010 000003ff 00000007 00000000
> [ 6735.744001] 3ee0: dbec0000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6735.752134] 3f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6735.760268] 3f20: 006d67e8 fffffe00 dbec3f60 fffffe03 000940b0 fffffe00 dbec3f60 fffffe03
> [ 6735.768402] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6735.773167] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6735.778968] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6735.785202] CPU2: stopping
> [ 6735.787896] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6735.795598] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.800881] Call trace:
> [ 6735.803316] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6735.808687] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6735.813712] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6735.818736] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6735.823932] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6735.829301] Exception stack(0xfffffe03dbeafe20 to 0xfffffe03dbeaff40)
> [ 6735.835708] fe20: 00000002 00000000 dbeac000 fffffe03 dbeaff60 fffffe03 000940b4 fffffe00
> [ 6735.843843] fe40: 00000000 00000000 00000000 00000000 fbec0fc0 fffffe03 fbec0d0c fffffe03
> [ 6735.851978] fe60: 00000000 00000000 dbeafee0 fffffe03 0000003f 00000000 00000000 00000000
> [ 6735.860113] fe80: dbe18120 fffffe03 dbeafd50 fffffe03 0009d18f 00000001 006d82f8 fffffe00
> [ 6735.868248] fea0: 01010101 01010101 00000028 00000000 fffffffe 0fffffff 00000000 00000000
> [ 6735.876382] fec0: 001f8794 fffffe00 840d20c0 000003ff 0000000d 00000000 00000002 00000000
> [ 6735.884518] fee0: dbeac000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6735.892652] ff00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6735.900786] ff20: 006d67e8 fffffe00 dbeaff60 fffffe03 000940b0 fffffe00 dbeaff60 fffffe03
> [ 6735.908919] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6735.913685] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6735.919487] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6735.925720] CPU3: stopping
> [ 6735.928413] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6735.936115] Hardware name: APM X-Gene Mustang board (DT)
> [ 6735.941397] Call trace:
> [ 6735.943831] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6735.949202] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6735.954226] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6735.959250] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6735.964446] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6735.969815] Exception stack(0xfffffe03dbeb3e20 to 0xfffffe03dbeb3f40)
> [ 6735.976222] 3e20: 00000003 00000000 dbeb0000 fffffe03 dbeb3f60 fffffe03 000940b4 fffffe00
> [ 6735.984358] 3e40: 00000000 00000000 00000000 00000000 fbee0fc0 fffffe03 fbee0d0c fffffe03
> [ 6735.992492] 3e60: 00000008 00000000 00000010 00000000 66819c80 0000065e d5647e20 fffffe03
> [ 6736.000627] 3e80: dc109838 fffffe03 00000001 00000000 00001001 00000000 00000040 00000000
> [ 6736.008761] 3ea0: 00000018 00000000 e8000000 00000003 00000001 00000000 e45e1b65 003ba59e
> [ 6736.016895] 3ec0: 0010a39c fffffe00 a5d85cb0 000003ff f7dad6c0 000003ff 00000003 00000000
> [ 6736.025030] 3ee0: dbeb0000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6736.033163] 3f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6736.041297] 3f20: 006d67e8 fffffe00 dbeb3f60 fffffe03 000940b0 fffffe00 dbeb3f60 fffffe03
> [ 6736.049431] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6736.054196] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6736.059998] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6736.066232] CPU5: stopping
> [ 6736.068928] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6736.076631] Hardware name: APM X-Gene Mustang board (DT)
> [ 6736.081914] Call trace:
> [ 6736.084350] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6736.089721] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6736.094746] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6736.099770] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6736.104966] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6736.110335] Exception stack(0xfffffe03dbebbe20 to 0xfffffe03dbebbf40)
> [ 6736.116742] be20: 00000005 00000000 dbeb8000 fffffe03 dbebbf60 fffffe03 000940b4 fffffe00
> [ 6736.124877] be40: 00000000 00000000 00000000 00000000 fbf20fc0 fffffe03 fbf20d0c fffffe03
> [ 6736.133011] be60: 00000008 00000000 00000010 00000000 87aec580 00000623 d565b840 fffffe03
> [ 6736.141145] be80: dbe1a2e0 fffffe03 dbebbd50 fffffe03 0009d0db 00000001 00055dbd 00000000
> [ 6736.149279] bea0: 00000018 00000000 e8000000 00000003 00000000 00000000 e035cf9c 0014f62d
> [ 6736.157413] bec0: 001f8794 fffffe00 aa6720c0 000003ff 0000000d 00000000 00000005 00000000
> [ 6736.165547] bee0: dbeb8000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6736.173681] bf00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6736.181815] bf20: 006d67e8 fffffe00 dbebbf60 fffffe03 000940b0 fffffe00 dbebbf60 fffffe03
> [ 6736.189949] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6736.194714] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6736.200515] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6736.206749] CPU4: stopping
> [ 6736.209442] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6736.217144] Hardware name: APM X-Gene Mustang board (DT)
> [ 6736.222425] Call trace:
> [ 6736.224859] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6736.230230] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6736.235254] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6736.240278] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6736.245474] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6736.250843] Exception stack(0xfffffe03dbeb7e20 to 0xfffffe03dbeb7f40)
> [ 6736.257251] 7e20: 00000004 00000000 dbeb4000 fffffe03 dbeb7f60 fffffe03 000940b4 fffffe00
> [ 6736.265385] 7e40: 00000000 00000000 00000000 00000000 fbf00fc0 fffffe03 fbf00d0c fffffe03
> [ 6736.273519] 7e60: 00000000 00000000 fbf01788 fffffe03 d4dd6800 00000620 d5387d10 fffffe03
> [ 6736.281653] 7e80: dbe197a0 fffffe03 dbeb7d50 fffffe03 0009d0ec 00000001 0009d7c5 00000000
> [ 6736.289787] 7ea0: 00000018 00000000 e8000000 00000003 00000000 00000000 427abb63 002672da
> [ 6736.297923] 7ec0: 00229414 fffffe00 8851ab88 000003ff 0000000d 00000000 00000004 00000000
> [ 6736.306057] 7ee0: dbeb4000 fffffe03 00cd0518 fffffe00 00c9e000 fffffe00 00cd2560 fffffe00
> [ 6736.314191] 7f00: 00cd0e18 fffffe00 00c9d812 fffffe00 00000001 00000000 008ec980 fffffe00
> [ 6736.322326] 7f20: 006d67e8 fffffe00 dbeb7f60 fffffe03 000940b0 fffffe00 dbeb7f60 fffffe03
> [ 6736.330459] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6736.335224] [<fffffe00000ecf84>] cpu_startup_entry+0x118/0x1bc
> [ 6736.341026] [<fffffe000009b054>] secondary_start_kernel+0x100/0x110
> [ 6736.347260] CPU1: stopping
> [ 6736.349957] CPU: 1 PID: 628 Comm: rs:main Q:Reg Tainted: G D E 3.18.0-rc5kp3+ #3
> [ 6736.358179] Hardware name: APM X-Gene Mustang board (DT)
> [ 6736.363462] Call trace:
> [ 6736.365897] [<fffffe0000096b70>] dump_backtrace+0x0/0x184
> [ 6736.371268] [<fffffe0000096d04>] show_stack+0x10/0x1c
> [ 6736.376293] [<fffffe000069a0f8>] dump_stack+0x74/0x98
> [ 6736.381317] [<fffffe000009b578>] handle_IPI+0x184/0x200
> [ 6736.386513] [<fffffe0000090370>] gic_handle_irq+0x74/0x7c
> [ 6736.391882] Exception stack(0xfffffe00010f75f0 to 0xfffffe00010f7710)
> [ 6736.398289] 75e0: 00bc1000 fffffe00 00000000 00000000
> [ 6736.406423] 7600: 010f7730 fffffe00 000b9714 fffffe00 00000040 00000000 00cd0e80 fffffe00
> [ 6736.414557] 7620: 00cd0000 fffffe00 00000040 00000000 00cd0e80 fffffe00 0009d1a8 00000001
> [ 6736.422691] 7640: 0000000a 00000000 fbea1788 fffffe03 00000020 00000000 00000000 00000000
> [ 6736.430825] 7660: 006d82fc fffffe00 006d82f8 fffffe00 00000018 00000000 e8000000 00000003
> [ 6736.438959] 7680: 00c00000 fffffe00 f2e8383d 0017e03a 001e4d60 fffffe00 a7e8fa20 000003ff
> [ 6736.447093] 76a0: a60ae420 000003ff 00bc1000 fffffe00 00000000 00000000 00000001 00000000
> [ 6736.455228] 76c0: 00000082 00000000 60000145 00000000 00c9dd90 fffffe00 00c66000 fffffe00
> [ 6736.463362] 76e0: 00c00000 fffffe00 00bb0c70 fffffe00 1fc7a800 fffffe00 010f7730 fffffe00
> [ 6736.471496] 7700: 000b9688 fffffe00 010f7730 fffffe00
> [ 6736.476520] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6736.481285] [<fffffe00000b9b74>] irq_exit+0x90/0xd0
> [ 6736.486138] [<fffffe00000f8c48>] __handle_domain_irq+0x68/0xb4
> [ 6736.491940] [<fffffe000009032c>] gic_handle_irq+0x30/0x7c
> [ 6736.497309] Exception stack(0xfffffe00010f7820 to 0xfffffe00010f7940)
> [ 6736.503715] 7820: 00db49f0 fffffe00 00000140 00000000 010f7960 fffffe00 0069fe40 fffffe00
> [ 6736.511851] 7840: 00db49f0 fffffe00 00000140 00000000 00002eb3 00000000 00004006 00000000
> [ 6736.519985] 7860: 00002eb2 00000000 000ecb74 fffffe00 dc8cb000 cb88537f 0002da98 00000000
> [ 6736.528119] 7880: 0002da99 00000000 00000000 00000000 dc8cb000 cb88537f 00061cbb 00000000
> [ 6736.536253] 78a0: 00000018 00000000 e8000000 00000003 00000000 00000000 f2e8383d 0017e03a
> [ 6736.544159] SMP: failed to stop secondary CPUs
> [ 6736.544162] ---[ end Kernel panic - not syncing: Fatal exception
> [ 6736.554775] 78c0: 001e4d60 fffffe00 a7e8fa20 000003ff a60ae420 000003ff 00db49f0 fffffe00
> [ 6736.562911] 78e0: 00000140 00000000 010f79f8 fffffe00 00cd0000 fffffe00 14e76800 fffffe00
> [ 6736.571045] 7900: 00400040 00000000 00c66000 fffffe00 00748ca8 fffffe00 00748ee8 fffffe00
> [ 6736.579179] 7920: 1fc7a800 fffffe00 010f7960 fffffe00 0040434c fffffe00 010f7960 fffffe00
> [ 6736.587312] [<fffffe0000092ce0>] el1_irq+0x60/0xc0
> [ 6736.592079] [<fffffe00003f17fc>] tty_port_block_til_ready+0x14c/0x2e4
> [ 6736.598485] [<fffffe0000407818>] uart_open+0xc4/0x148
> [ 6736.603510] [<fffffe00003e94c0>] tty_open+0x15c/0x584
> [ 6736.608535] [<fffffe00001e9b94>] chrdev_open+0xc8/0x190
> [ 6736.613733] [<fffffe00001e332c>] do_dentry_open+0x1c8/0x2e0
> [ 6736.619275] [<fffffe00001e38cc>] vfs_open+0x3c/0x48
> [ 6736.624126] [<fffffe00001f28ac>] do_last+0x154/0xd0c
> [ 6736.629064] [<fffffe00001f3520>] path_openat+0xbc/0x688
> [ 6736.634260] [<fffffe00001f4afc>] do_filp_open+0x3c/0xb0
> [ 6736.639458] [<fffffe00001e4c64>] do_sys_open+0x160/0x234
> [ 6736.644741] [<fffffe00001e4d6c>] SyS_openat+0xc/0x18
>
>
>>
>>
>>> That would explain why the state of play of the interrupts is in an
>>> unexpected state in the crash I reported:
>>> "The point of failure in the panic was:
>>> fs/buffer.c:1257
>>>
>>> static inline void check_irqs_on(void)
>>> {
>>> #ifdef irqs_disabled
>>> BUG_ON(irqs_disabled());
>>> #endif
>>> }
>>> "
>>>
>>> This is all new to me so I'm still at the head-scratching stage.
>>
>> Ah, I see.
>>
>> Thank you,
>>
>>>
>>> David,
>>> Does the above make sense to you? Have you managed to reproduce the crash I get?
>>>
>>> Cheers,
>>> --
>>> Steve
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>>> the body of a message to [email protected]
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>> Please read the FAQ at http://www.tux.org/lkml/
>>>
>>
>>
>
>


--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-12-03 15:20:26

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
> (2014/11/29 1:01), Steve Capper wrote:
>> On 27 November 2014 at 06:07, Masami Hiramatsu
>> <[email protected]> wrote:
>>> (2014/11/27 3:59), Steve Capper wrote:
>>>> The crash is extremely easy to reproduce.
>>>>
>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>> that's still alive.
>>>> My (limited!) understanding is that this suggests there could be a
>>>> problem with how missed events from a recursive call to memcpy are
>>>> being handled.
>>>
>>> I think so too. BTW, could you bisect that? :)
>>>
>>
>> I can't bisect, but the following functions look suspicious to me
>> (again I'm new to kprobes...):
>> kprobes_save_local_irqflag
>> kprobes_restore_local_irqflag
>>
>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>
> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
> at least must have saved_irqflag and save/restore it in
> save/restore_previous_kprobe().
>
> What about adding this?
>
> struct prev_kprobe {
> struct kprobe *kp;
> unsigned int status;
> + unsigned long saved_irqflag;
> };
>
> and
>
> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
> {
> kcb->prev_kprobe.kp = kprobe_running();
> kcb->prev_kprobe.status = kcb->kprobe_status;
> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
> }
>
> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
> {
> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
> kcb->kprobe_status = kcb->prev_kprobe.status;
> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
> }
>
>

I have noticed with the aarch64 kprobe patches and recent kernel I can get the machine to end up getting stuck and printing out endless strings of

[187694.855843] Unexpected kernel single-step exception at EL1
[187694.861385] Unexpected kernel single-step exception at EL1
[187694.866926] Unexpected kernel single-step exception at EL1
[187694.872467] Unexpected kernel single-step exception at EL1
[187694.878009] Unexpected kernel single-step exception at EL1
[187694.883550] Unexpected kernel single-step exception at EL1

I can reproduce this pretty easily on my machine with functioncallcount.stp from https://sourceware.org/systemtap/examples/profiling/functioncallcount.stp and the following steps:

# stap -p4 -k -m mm_probes -w functioncallcount.stp "*@mm/*.c" -c "sleep 1"
# staprun mm_probes.ko -c "sleep 1"

-Will

>
>
>> That would explain why the state of play of the interrupts is in an
>> unexpected state in the crash I reported:
>> "The point of failure in the panic was:
>> fs/buffer.c:1257
>>
>> static inline void check_irqs_on(void)
>> {
>> #ifdef irqs_disabled
>> BUG_ON(irqs_disabled());
>> #endif
>> }
>> "
>>
>> This is all new to me so I'm still at the head-scratching stage.
>
> Ah, I see.
>
> Thank you,
>
>>
>> David,
>> Does the above make sense to you? Have you managed to reproduce the crash I get?
>>
>> Cheers,
>> --
>> Steve
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to [email protected]
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>>
>
>

2014-12-03 22:54:44

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/03/14 09:54, William Cohen wrote:
> On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
>> (2014/11/29 1:01), Steve Capper wrote:
>>> On 27 November 2014 at 06:07, Masami Hiramatsu
>>> <[email protected]> wrote:
>>>> (2014/11/27 3:59), Steve Capper wrote:
>>>>> The crash is extremely easy to reproduce.
>>>>>
>>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>>> that's still alive.
>>>>> My (limited!) understanding is that this suggests there could be a
>>>>> problem with how missed events from a recursive call to memcpy are
>>>>> being handled.
>>>>
>>>> I think so too. BTW, could you bisect that? :)
>>>>
>>>
>>> I can't bisect, but the following functions look suspicious to me
>>> (again I'm new to kprobes...):
>>> kprobes_save_local_irqflag
>>> kprobes_restore_local_irqflag
>>>
>>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>>
>> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
>> at least must have saved_irqflag and save/restore it in
>> save/restore_previous_kprobe().
>>
>> What about adding this?
>>
>> struct prev_kprobe {
>> struct kprobe *kp;
>> unsigned int status;
>> + unsigned long saved_irqflag;
>> };
>>
>> and
>>
>> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
>> {
>> kcb->prev_kprobe.kp = kprobe_running();
>> kcb->prev_kprobe.status = kcb->kprobe_status;
>> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
>> }
>>
>> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
>> {
>> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
>> kcb->kprobe_status = kcb->prev_kprobe.status;
>> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
>> }
>>
>>
>
> I have noticed with the aarch64 kprobe patches and recent kernel I can get the machine to end up getting stuck and printing out endless strings of
>
> [187694.855843] Unexpected kernel single-step exception at EL1
> [187694.861385] Unexpected kernel single-step exception at EL1
> [187694.866926] Unexpected kernel single-step exception at EL1
> [187694.872467] Unexpected kernel single-step exception at EL1
> [187694.878009] Unexpected kernel single-step exception at EL1
> [187694.883550] Unexpected kernel single-step exception at EL1
>
> I can reproduce this pretty easily on my machine with functioncallcount.stp from https://sourceware.org/systemtap/examples/profiling/functioncallcount.stp and the following steps:
>
> # stap -p4 -k -m mm_probes -w functioncallcount.stp "*@mm/*.c" -c "sleep 1"
> # staprun mm_probes.ko -c "sleep 1"
>
> -Will

I did a fresh checkout and build of systemtap and tried the above. I'm
not yet seeing this problem. It does remind me of the problem we saw
before debug exception handling in entry.S was patched in v3.18-rc1, but
you say you are using recent kernel sources.

>>
>>
>>> That would explain why the state of play of the interrupts is in an
>>> unexpected state in the crash I reported:
>>> "The point of failure in the panic was:
>>> fs/buffer.c:1257
>>>
>>> static inline void check_irqs_on(void)
>>> {
>>> #ifdef irqs_disabled
>>> BUG_ON(irqs_disabled());
>>> #endif
>>> }
>>> "
>>>
>>> This is all new to me so I'm still at the head-scratching stage.
>>
>> Ah, I see.
>>
>> Thank you,
>>
>>>
>>> David,
>>> Does the above make sense to you? Have you managed to reproduce the crash I get?
>>>
>>> Cheers,
>>> --
>>> Steve

I have easily produced a crash although it doesn't look to me like the
same one. I'm getting a NULL pointer dereference. The PMU stuff (used
by perf record|stat -e) should be quite independent of kprobes though.

-dl

2014-12-04 00:03:01

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/03/14 17:54, David Long wrote:
> On 12/03/14 09:54, William Cohen wrote:
>> On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
>>> (2014/11/29 1:01), Steve Capper wrote:

[...]

>>>> That would explain why the state of play of the interrupts is in an
>>>> unexpected state in the crash I reported:
>>>> "The point of failure in the panic was:
>>>> fs/buffer.c:1257
>>>>
>>>> static inline void check_irqs_on(void)
>>>> {
>>>> #ifdef irqs_disabled
>>>> BUG_ON(irqs_disabled());
>>>> #endif
>>>> }
>>>> "
>>>>
>>>> This is all new to me so I'm still at the head-scratching stage.
>>>
>>> Ah, I see.
>>>
>>> Thank you,
>>>
>>>>
>>>> David,
>>>> Does the above make sense to you? Have you managed to reproduce the
>>>> crash I get?
>>>>
>>>> Cheers,
>>>> --
>>>> Steve
>
> I have easily produced a crash although it doesn't look to me like the
> same one. I'm getting a NULL pointer dereference. The PMU stuff (used
> by perf record|stat -e) should be quite independent of kprobes though.
>
> -dl
>

Oops, never mind the above bit. I see this is not PMU-related, but use
of kprobes through perf. My bad.

-dl

2014-12-04 01:17:04

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/03/2014 05:54 PM, David Long wrote:
> On 12/03/14 09:54, William Cohen wrote:
>> On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
>>> (2014/11/29 1:01), Steve Capper wrote:
>>>> On 27 November 2014 at 06:07, Masami Hiramatsu
>>>> <[email protected]> wrote:
>>>>> (2014/11/27 3:59), Steve Capper wrote:
>>>>>> The crash is extremely easy to reproduce.
>>>>>>
>>>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>>>> that's still alive.
>>>>>> My (limited!) understanding is that this suggests there could be a
>>>>>> problem with how missed events from a recursive call to memcpy are
>>>>>> being handled.
>>>>>
>>>>> I think so too. BTW, could you bisect that? :)
>>>>>
>>>>
>>>> I can't bisect, but the following functions look suspicious to me
>>>> (again I'm new to kprobes...):
>>>> kprobes_save_local_irqflag
>>>> kprobes_restore_local_irqflag
>>>>
>>>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>>>
>>> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
>>> at least must have saved_irqflag and save/restore it in
>>> save/restore_previous_kprobe().
>>>
>>> What about adding this?
>>>
>>> struct prev_kprobe {
>>> struct kprobe *kp;
>>> unsigned int status;
>>> + unsigned long saved_irqflag;
>>> };
>>>
>>> and
>>>
>>> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
>>> {
>>> kcb->prev_kprobe.kp = kprobe_running();
>>> kcb->prev_kprobe.status = kcb->kprobe_status;
>>> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
>>> }
>>>
>>> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
>>> {
>>> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
>>> kcb->kprobe_status = kcb->prev_kprobe.status;
>>> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
>>> }
>>>
>>>
>>
>> I have noticed with the aarch64 kprobe patches and recent kernel I can get the machine to end up getting stuck and printing out endless strings of
>>
>> [187694.855843] Unexpected kernel single-step exception at EL1
>> [187694.861385] Unexpected kernel single-step exception at EL1
>> [187694.866926] Unexpected kernel single-step exception at EL1
>> [187694.872467] Unexpected kernel single-step exception at EL1
>> [187694.878009] Unexpected kernel single-step exception at EL1
>> [187694.883550] Unexpected kernel single-step exception at EL1
>>
>> I can reproduce this pretty easily on my machine with functioncallcount.stp from https://sourceware.org/systemtap/examples/profiling/functioncallcount.stp and the following steps:
>>
>> # stap -p4 -k -m mm_probes -w functioncallcount.stp "*@mm/*.c" -c "sleep 1"
>> # staprun mm_probes.ko -c "sleep 1"
>>
>> -Will
>
> I did a fresh checkout and build of systemtap and tried the above. I'm not yet seeing this problem. It does remind me of the problem we saw before debug exception handling in entry.S was patched in v3.18-rc1, but you say you are using recent kernel sources.
>

Hi Dave,

I saw this problem with a 3.18.0-rc5 based kernel. Today I built a kernel based on 3.18.0-0.rc6.git0.1.x1 with the patches and I didn't see the problem with the unexpected kernel single-step exception. I am not sure if maybe there was some problem function being probed in the 3.18.0-rc5 kernel but not with the 3.18.0-rc6 kernel or maybe some difference in the config between the kernels. It seemed wiser to mention it.

>>>
>>>
>>>> That would explain why the state of play of the interrupts is in an
>>>> unexpected state in the crash I reported:
>>>> "The point of failure in the panic was:
>>>> fs/buffer.c:1257
>>>>
>>>> static inline void check_irqs_on(void)
>>>> {
>>>> #ifdef irqs_disabled
>>>> BUG_ON(irqs_disabled());
>>>> #endif
>>>> }
>>>> "
>>>>
>>>> This is all new to me so I'm still at the head-scratching stage.
>>>
>>> Ah, I see.
>>>
>>> Thank you,
>>>
>>>>
>>>> David,
>>>> Does the above make sense to you? Have you managed to reproduce the crash I get?
>>>>
>>>> Cheers,
>>>> --
>>>> Steve
>
> I have easily produced a crash although it doesn't look to me like the same one. I'm getting a NULL pointer dereference. The PMU stuff (used by perf record|stat -e) should be quite independent of kprobes though.
>
> -dl

The perf issue seems to be independent and can be reproduced without using any kprobe support. I need to get a simple reproducer and mention it on the linux-perf-user list.

-Will

2014-12-04 02:48:23

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/03/14 20:16, William Cohen wrote:

[...]

>
> The perf issue seems to be independent and can be reproduced without using any kprobe support. I need to get a simple reproducer and mention it on the linux-perf-user list.
>
> -Will
>


OK, my confusion came from all the different things perf can use. I
have not yet been able to reproduce the "perf stat" failure, but I do
see the failure with Steve's example using tracepoints. I had thought
that was using kprobes, but apparently it just uses tracepoints. These
look like two different failures to me: One related to tracepoints, and
one in the PMU driver.

Since this seems unrelated to kprobes I don't plan on pursuing these
particular problems.

-dl

2014-12-04 10:21:38

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 4 December 2014 at 02:48, David Long <[email protected]> wrote:
> On 12/03/14 20:16, William Cohen wrote:
>
> [...]
>
>>
>> The perf issue seems to be independent and can be reproduced without using
>> any kprobe support. I need to get a simple reproducer and mention it on the
>> linux-perf-user list.
>>
>> -Will
>>
>
>
> OK, my confusion came from all the different things perf can use. I have
> not yet been able to reproduce the "perf stat" failure, but I do see the
> failure with Steve's example using tracepoints. I had thought that was
> using kprobes, but apparently it just uses tracepoints. These look like two
> different failures to me: One related to tracepoints, and one in the PMU
> driver.
>
> Since this seems unrelated to kprobes I don't plan on pursuing these
> particular problems.
>
> -dl
>

Sorry for the late reply...

The example I had was:
echo "p:memcpy memcpy %x2" > /sys/kernel/debug/tracing/kprobe_events
perf record -e kprobes:memcpy -a sleep 5

[then crash due to IRQs being unexpectedly disabled in the ext4 code]

Isn't that a kprobe problem?

Cheers,
--
Steve

Subject: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/12/04 19:21), Steve Capper wrote:
> On 4 December 2014 at 02:48, David Long <[email protected]> wrote:
>> On 12/03/14 20:16, William Cohen wrote:
>>
>> [...]
>>
>>>
>>> The perf issue seems to be independent and can be reproduced without using
>>> any kprobe support. I need to get a simple reproducer and mention it on the
>>> linux-perf-user list.
>>>
>>> -Will
>>>
>>
>>
>> OK, my confusion came from all the different things perf can use. I have
>> not yet been able to reproduce the "perf stat" failure, but I do see the
>> failure with Steve's example using tracepoints. I had thought that was
>> using kprobes, but apparently it just uses tracepoints. These look like two
>> different failures to me: One related to tracepoints, and one in the PMU
>> driver.
>>
>> Since this seems unrelated to kprobes I don't plan on pursuing these
>> particular problems.
>>
>> -dl
>>
>
> Sorry for the late reply...
>
> The example I had was:
> echo "p:memcpy memcpy %x2" > /sys/kernel/debug/tracing/kprobe_events
> perf record -e kprobes:memcpy -a sleep 5
>
> [then crash due to IRQs being unexpectedly disabled in the ext4 code]
>
> Isn't that a kprobe problem?
>

It should be a kprobe problem. As I mentioned, if you set a probe on
trace_event_buffer_lock_reserve() instead of memcpy(), the same problem
may happen without using perf. (It is enough enabling the new event to
reproduce the problem, I guess)

The problem what Will reported was different one. He used "perf stat"
which never touch the kprobes itself, and solved in newer kernel (as
he reported)

I'd like to ask you to try my fix on your machine, with my reproducing
methods. (do not use sytemtap nor perf, those can have other issues)

Thank you,

--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-12-04 11:29:34

by Steve Capper

[permalink] [raw]
Subject: Re: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 4 December 2014 at 10:43, Masami Hiramatsu
<[email protected]> wrote:
> (2014/12/04 19:21), Steve Capper wrote:
>> On 4 December 2014 at 02:48, David Long <[email protected]> wrote:
>>> On 12/03/14 20:16, William Cohen wrote:
>>>
>>> [...]
>>>
>>>>
>>>> The perf issue seems to be independent and can be reproduced without using
>>>> any kprobe support. I need to get a simple reproducer and mention it on the
>>>> linux-perf-user list.
>>>>
>>>> -Will
>>>>
>>>
>>>
>>> OK, my confusion came from all the different things perf can use. I have
>>> not yet been able to reproduce the "perf stat" failure, but I do see the
>>> failure with Steve's example using tracepoints. I had thought that was
>>> using kprobes, but apparently it just uses tracepoints. These look like two
>>> different failures to me: One related to tracepoints, and one in the PMU
>>> driver.
>>>
>>> Since this seems unrelated to kprobes I don't plan on pursuing these
>>> particular problems.
>>>
>>> -dl
>>>
>>
>> Sorry for the late reply...
>>
>> The example I had was:
>> echo "p:memcpy memcpy %x2" > /sys/kernel/debug/tracing/kprobe_events
>> perf record -e kprobes:memcpy -a sleep 5
>>
>> [then crash due to IRQs being unexpectedly disabled in the ext4 code]
>>
>> Isn't that a kprobe problem?
>>
>
> It should be a kprobe problem. As I mentioned, if you set a probe on
> trace_event_buffer_lock_reserve() instead of memcpy(), the same problem
> may happen without using perf. (It is enough enabling the new event to
> reproduce the problem, I guess)
>
> The problem what Will reported was different one. He used "perf stat"
> which never touch the kprobes itself, and solved in newer kernel (as
> he reported)
>
> I'd like to ask you to try my fix on your machine, with my reproducing
> methods. (do not use sytemtap nor perf, those can have other issues)
>

Thank you Masami,

I tried the following commands:

echo "p:trace_event_buffer_lock_reserve
trace_event_buffer_lock_reserve" >
/sys/kernel/debug/tracing/kprobe_events
echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
echo 1 > /sys/kernel/debug/tracing/events/sched/sched_process_exec/enable

The system appeared okay, I then cat'ed out:
# cat /sys/kernel/debug/tracing/kprobe_profile
trace_event_buffer_lock_reserve 25 25

I got similar output (i.e. no crashes) both with and without the
interrupt fix you recommended.

I'm not sure how to interpret this, please let me know if you would
like me to run any other tests?

(I did also try your proposed fix with perf + memcpy and that crashed
in a similar way as before).

Cheers,
--
Steve

Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/12/04 20:29), Steve Capper wrote:

>> I'd like to ask you to try my fix on your machine, with my reproducing
>> methods. (do not use sytemtap nor perf, those can have other issues)
>>
>
> Thank you Masami,
>
> I tried the following commands:
>
> echo "p:trace_event_buffer_lock_reserve
> trace_event_buffer_lock_reserve" >
> /sys/kernel/debug/tracing/kprobe_events
> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
> echo 1 > /sys/kernel/debug/tracing/events/sched/sched_process_exec/enable
>
> The system appeared okay, I then cat'ed out:
> # cat /sys/kernel/debug/tracing/kprobe_profile
> trace_event_buffer_lock_reserve 25 25
>
> I got similar output (i.e. no crashes) both with and without the
> interrupt fix you recommended.
>
> I'm not sure how to interpret this, please let me know if you would
> like me to run any other tests?
>
> (I did also try your proposed fix with perf + memcpy and that crashed
> in a similar way as before).

Hmm, then the bug is still there, and the bug may not be in the recursive
call path... We need to find another suspicious code in the patch.


Thank you,


--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-12-05 05:08:52

by William Cohen

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/03/2014 08:16 PM, William Cohen wrote:
> On 12/03/2014 05:54 PM, David Long wrote:
>> On 12/03/14 09:54, William Cohen wrote:
>>> On 12/01/2014 04:37 AM, Masami Hiramatsu wrote:
>>>> (2014/11/29 1:01), Steve Capper wrote:
>>>>> On 27 November 2014 at 06:07, Masami Hiramatsu
>>>>> <[email protected]> wrote:
>>>>>> (2014/11/27 3:59), Steve Capper wrote:
>>>>>>> The crash is extremely easy to reproduce.
>>>>>>>
>>>>>>> I've not observed any missed events on a kprobe on an arm64 system
>>>>>>> that's still alive.
>>>>>>> My (limited!) understanding is that this suggests there could be a
>>>>>>> problem with how missed events from a recursive call to memcpy are
>>>>>>> being handled.
>>>>>>
>>>>>> I think so too. BTW, could you bisect that? :)
>>>>>>
>>>>>
>>>>> I can't bisect, but the following functions look suspicious to me
>>>>> (again I'm new to kprobes...):
>>>>> kprobes_save_local_irqflag
>>>>> kprobes_restore_local_irqflag
>>>>>
>>>>> I think these are breaking somehow when nested (i.e. from a recursive probe).
>>>>
>>>> Agreed. On x86, prev_kprobe has old_flags and saved_flags, this
>>>> at least must have saved_irqflag and save/restore it in
>>>> save/restore_previous_kprobe().
>>>>
>>>> What about adding this?
>>>>
>>>> struct prev_kprobe {
>>>> struct kprobe *kp;
>>>> unsigned int status;
>>>> + unsigned long saved_irqflag;
>>>> };
>>>>
>>>> and
>>>>
>>>> static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
>>>> {
>>>> kcb->prev_kprobe.kp = kprobe_running();
>>>> kcb->prev_kprobe.status = kcb->kprobe_status;
>>>> + kcb->prev_kprobe.saved_irqflag = kcb->saved_irqflag;
>>>> }
>>>>
>>>> static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
>>>> {
>>>> __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
>>>> kcb->kprobe_status = kcb->prev_kprobe.status;
>>>> + kcb->saved_irqflag = kcb->prev_kprobe.saved_irqflag;
>>>> }
>>>>
>>>>
>>>
>>> I have noticed with the aarch64 kprobe patches and recent kernel I can get the machine to end up getting stuck and printing out endless strings of
>>>
>>> [187694.855843] Unexpected kernel single-step exception at EL1
>>> [187694.861385] Unexpected kernel single-step exception at EL1
>>> [187694.866926] Unexpected kernel single-step exception at EL1
>>> [187694.872467] Unexpected kernel single-step exception at EL1
>>> [187694.878009] Unexpected kernel single-step exception at EL1
>>> [187694.883550] Unexpected kernel single-step exception at EL1
>>>
>>> I can reproduce this pretty easily on my machine with functioncallcount.stp from https://sourceware.org/systemtap/examples/profiling/functioncallcount.stp and the following steps:
>>>
>>> # stap -p4 -k -m mm_probes -w functioncallcount.stp "*@mm/*.c" -c "sleep 1"
>>> # staprun mm_probes.ko -c "sleep 1"
>>>
>>> -Will
>>
>> I did a fresh checkout and build of systemtap and tried the above. I'm not yet seeing this problem. It does remind me of the problem we saw before debug exception handling in entry.S was patched in v3.18-rc1, but you say you are using recent kernel sources.
>>
>
> Hi Dave,
>
> I saw this problem with a 3.18.0-rc5 based kernel. Today I built a kernel based on 3.18.0-0.rc6.git0.1.x1 with the patches and I didn't see the problem with the unexpected kernel single-step exception. I am not sure if maybe there was some problem function being probed in the 3.18.0-rc5 kernel but not with the 3.18.0-rc6 kernel or maybe some difference in the config between the kernels. It seemed wiser to mention it.
>

I saw this problem with the 3.18.0-rc6 kernel today. Note that this kernel did not have the patch for save_irqflag masami suggested above. It seems to be an intermittent problem and doesn't occur every time. The particular systemtap test that is triggering the problem installs a lot of probe points and this could be triggering some problem with nested kprobes.

-Will

2014-12-09 13:33:58

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
> (2014/12/04 20:29), Steve Capper wrote:
>
> >> I'd like to ask you to try my fix on your machine, with my reproducing
> >> methods. (do not use sytemtap nor perf, those can have other issues)
> >>
> >
> > Thank you Masami,
> >
> > I tried the following commands:
> >
> > echo "p:trace_event_buffer_lock_reserve
> > trace_event_buffer_lock_reserve" >
> > /sys/kernel/debug/tracing/kprobe_events
> > echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
> > echo 1 > /sys/kernel/debug/tracing/events/sched/sched_process_exec/enable
> >
> > The system appeared okay, I then cat'ed out:
> > # cat /sys/kernel/debug/tracing/kprobe_profile
> > trace_event_buffer_lock_reserve 25 25
> >
> > I got similar output (i.e. no crashes) both with and without the
> > interrupt fix you recommended.
> >
> > I'm not sure how to interpret this, please let me know if you would
> > like me to run any other tests?
> >
> > (I did also try your proposed fix with perf + memcpy and that crashed
> > in a similar way as before).
>
> Hmm, then the bug is still there, and the bug may not be in the recursive
> call path... We need to find another suspicious code in the patch.
>

Not sure if this is helpful, but the following also caused a crash for
me:

echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve" > /sys/kernel/debug/tracing/kprobe_events
echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable

[immediate crash]

The crash point for me is in the arm64 ASID allocator, it again looks
like the interrupts are in an unexpected state.
(check_and_switch_context goes down the irqs disabled code path, I
think incorrectly).

This occurred for me both with and without the proposed irq saving fix.

I will do some more digging.

Cheers,
--
Steve

2014-12-09 14:27:25

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/09/14 08:33, Steve Capper wrote:
> On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
>> (2014/12/04 20:29), Steve Capper wrote:
>>
>>>> I'd like to ask you to try my fix on your machine, with my reproducing
>>>> methods. (do not use sytemtap nor perf, those can have other issues)
>>>>
>>>
>>> Thank you Masami,
>>>
>>> I tried the following commands:
>>>
>>> echo "p:trace_event_buffer_lock_reserve
>>> trace_event_buffer_lock_reserve" >
>>> /sys/kernel/debug/tracing/kprobe_events
>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>> echo 1 > /sys/kernel/debug/tracing/events/sched/sched_process_exec/enable
>>>
>>> The system appeared okay, I then cat'ed out:
>>> # cat /sys/kernel/debug/tracing/kprobe_profile
>>> trace_event_buffer_lock_reserve 25 25
>>>
>>> I got similar output (i.e. no crashes) both with and without the
>>> interrupt fix you recommended.
>>>
>>> I'm not sure how to interpret this, please let me know if you would
>>> like me to run any other tests?
>>>
>>> (I did also try your proposed fix with perf + memcpy and that crashed
>>> in a similar way as before).
>>
>> Hmm, then the bug is still there, and the bug may not be in the recursive
>> call path... We need to find another suspicious code in the patch.
>>
>
> Not sure if this is helpful, but the following also caused a crash for
> me:
>
> echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve" > /sys/kernel/debug/tracing/kprobe_events
> echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>
> [immediate crash]
>
> The crash point for me is in the arm64 ASID allocator, it again looks
> like the interrupts are in an unexpected state.
> (check_and_switch_context goes down the irqs disabled code path, I
> think incorrectly).
>
> This occurred for me both with and without the proposed irq saving fix.
>
> I will do some more digging.
>

Thanks, more information is good.

-dl

2014-12-10 16:38:35

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On Tue, Dec 09, 2014 at 09:27:18AM -0500, David Long wrote:
> On 12/09/14 08:33, Steve Capper wrote:
> >On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:

[...]

> >
> >Not sure if this is helpful, but the following also caused a crash for
> >me:
> >
> >echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve" > /sys/kernel/debug/tracing/kprobe_events
> >echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
> >echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
> >
> >[immediate crash]
> >
> >The crash point for me is in the arm64 ASID allocator, it again looks
> >like the interrupts are in an unexpected state.
> >(check_and_switch_context goes down the irqs disabled code path, I
> >think incorrectly).
> >
> >This occurred for me both with and without the proposed irq saving fix.
> >
> >I will do some more digging.
> >
>
> Thanks, more information is good.
>

Hi,

Some good news, I think I've fixed the problem I've been experiencing.

Basically, I've torn out all the interrupt save/restore and have
narrowed the scope to just sandwich the instruction single-step. This
simplifies a lot of logic, and I've now been able to perf record a
kprobe on memcpy (and the trace_event_buffer_lock_reserve + memcpy
test) without any issues on a Juno platform.

I may have been somewhat over-zealous with the chainsaw, so please do
put this fix through its paces.

Cheers,
--
Steve


>From d3f4d80ce19bec71bd03209beb2fbfd8084d6543 Mon Sep 17 00:00:00 2001
From: Steve Capper <[email protected]>
Date: Mon, 1 Dec 2014 11:30:10 +0000
Subject: [PATCH] Fix the interrupt handling for kprobes

---
arch/arm64/kernel/kprobes.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
index be7c330..d39d826 100644
--- a/arch/arm64/kernel/kprobes.c
+++ b/arch/arm64/kernel/kprobes.c
@@ -229,10 +229,6 @@ skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
{
/* set return addr to next pc to continue */
instruction_pointer(regs) += sizeof(kprobe_opcode_t);
-
- if (kcb->kprobe_status != KPROBE_REENTER)
- kprobes_restore_local_irqflag(regs);
-
}

static void __kprobes setup_singlestep(struct kprobe *p,
@@ -259,7 +255,7 @@ static void __kprobes setup_singlestep(struct kprobe *p,
spsr_set_debug_flag(regs, 0);

/* IRQs and single stepping do not mix well. */
- local_irq_disable();
+ kprobes_save_local_irqflag(regs);
kernel_enable_single_step(regs);
instruction_pointer(regs) = slot;
} else {
@@ -326,7 +322,6 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
}

reset_current_kprobe();
- kprobes_restore_local_irqflag(regs);
}

int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
@@ -380,8 +375,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
return 1;

break;
- default:
- break;
}
return 0;
}
@@ -446,7 +439,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
* handling of this interrupt is appropriate.
* Return back to original instruction, and continue.
*/
- kprobes_restore_local_irqflag(regs);
return;
} else if (cur) {
/* We probably hit a jprobe. Call its break handler. */
@@ -459,7 +451,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
/* breakpoint is removed, now in a race
* Return back to original instruction & continue.
*/
- kprobes_restore_local_irqflag(regs);
}
}

@@ -485,6 +476,7 @@ kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
retval = kprobe_ss_hit(kcb, instruction_pointer(regs));

if (retval == DBG_HOOK_HANDLED) {
+ kprobes_restore_local_irqflag(regs);
kernel_disable_single_step();

if (kcb->kprobe_status == KPROBE_REENTER)
@@ -499,7 +491,6 @@ kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
static int __kprobes
kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
{
- kprobes_save_local_irqflag(regs);
kprobe_handler(regs);
return DBG_HOOK_HANDLED;
}
@@ -563,7 +554,6 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
memcpy((void *)stack_addr, kcb->jprobes_stack,
MIN_STACK_SIZE(stack_addr));
preempt_enable_no_resched();
- kprobes_restore_local_irqflag(regs);
return 1;
}
return 0;
@@ -655,8 +645,6 @@ trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
kfree(ri);
}

- kprobes_restore_local_irqflag(regs);
-
/* return 1 so that post handlers not called */
return 1;
}
--
1.9.3

2014-12-12 22:42:35

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/10/14 11:38, Steve Capper wrote:
> On Tue, Dec 09, 2014 at 09:27:18AM -0500, David Long wrote:
>> On 12/09/14 08:33, Steve Capper wrote:
>>> On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
>
> [...]
>
>>>
>>> Not sure if this is helpful, but the following also caused a crash for
>>> me:
>>>
>>> echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve" > /sys/kernel/debug/tracing/kprobe_events
>>> echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>
>>> [immediate crash]
>>>
>>> The crash point for me is in the arm64 ASID allocator, it again looks
>>> like the interrupts are in an unexpected state.
>>> (check_and_switch_context goes down the irqs disabled code path, I
>>> think incorrectly).
>>>
>>> This occurred for me both with and without the proposed irq saving fix.
>>>
>>> I will do some more digging.
>>>
>>
>> Thanks, more information is good.
>>
>
> Hi,
>
> Some good news, I think I've fixed the problem I've been experiencing.
>
> Basically, I've torn out all the interrupt save/restore and have
> narrowed the scope to just sandwich the instruction single-step. This
> simplifies a lot of logic, and I've now been able to perf record a
> kprobe on memcpy (and the trace_event_buffer_lock_reserve + memcpy
> test) without any issues on a Juno platform.
>
> I may have been somewhat over-zealous with the chainsaw, so please do
> put this fix through its paces.
>
> Cheers,
> --
> Steve
>
>
> From d3f4d80ce19bec71bd03209beb2fbfd8084d6543 Mon Sep 17 00:00:00 2001
> From: Steve Capper <[email protected]>
> Date: Mon, 1 Dec 2014 11:30:10 +0000
> Subject: [PATCH] Fix the interrupt handling for kprobes
>
> ---
> arch/arm64/kernel/kprobes.c | 16 ++--------------
> 1 file changed, 2 insertions(+), 14 deletions(-)
>
> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
> index be7c330..d39d826 100644
> --- a/arch/arm64/kernel/kprobes.c
> +++ b/arch/arm64/kernel/kprobes.c
> @@ -229,10 +229,6 @@ skip_singlestep_missed(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> {
> /* set return addr to next pc to continue */
> instruction_pointer(regs) += sizeof(kprobe_opcode_t);
> -
> - if (kcb->kprobe_status != KPROBE_REENTER)
> - kprobes_restore_local_irqflag(regs);
> -
> }
>
> static void __kprobes setup_singlestep(struct kprobe *p,
> @@ -259,7 +255,7 @@ static void __kprobes setup_singlestep(struct kprobe *p,
> spsr_set_debug_flag(regs, 0);
>
> /* IRQs and single stepping do not mix well. */
> - local_irq_disable();
> + kprobes_save_local_irqflag(regs);
> kernel_enable_single_step(regs);
> instruction_pointer(regs) = slot;
> } else {
> @@ -326,7 +322,6 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs)
> }
>
> reset_current_kprobe();
> - kprobes_restore_local_irqflag(regs);
> }
>
> int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
> @@ -380,8 +375,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
> return 1;
>
> break;
> - default:
> - break;
> }
> return 0;
> }
> @@ -446,7 +439,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
> * handling of this interrupt is appropriate.
> * Return back to original instruction, and continue.
> */
> - kprobes_restore_local_irqflag(regs);
> return;
> } else if (cur) {
> /* We probably hit a jprobe. Call its break handler. */
> @@ -459,7 +451,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
> /* breakpoint is removed, now in a race
> * Return back to original instruction & continue.
> */
> - kprobes_restore_local_irqflag(regs);
> }
> }
>
> @@ -485,6 +476,7 @@ kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
> retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
>
> if (retval == DBG_HOOK_HANDLED) {
> + kprobes_restore_local_irqflag(regs);
> kernel_disable_single_step();
>
> if (kcb->kprobe_status == KPROBE_REENTER)
> @@ -499,7 +491,6 @@ kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr)
> static int __kprobes
> kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
> {
> - kprobes_save_local_irqflag(regs);
> kprobe_handler(regs);
> return DBG_HOOK_HANDLED;
> }
> @@ -563,7 +554,6 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
> memcpy((void *)stack_addr, kcb->jprobes_stack,
> MIN_STACK_SIZE(stack_addr));
> preempt_enable_no_resched();
> - kprobes_restore_local_irqflag(regs);
> return 1;
> }
> return 0;
> @@ -655,8 +645,6 @@ trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
> kfree(ri);
> }
>
> - kprobes_restore_local_irqflag(regs);
> -
> /* return 1 so that post handlers not called */
> return 1;
> }
>

Sorry for the delay in responding. The assumption with the existing
code is that you can't enable single-stepping in MDSCR until you disable
interrupts. But since we get to that point (in this case) with debug
exceptions masked in daif I suppose this is an unnecessary constraint,
as you have demonstrated. I do actually wonder if we need to set the
bit in MDSCR_EL1 at all since we're also setting it in the spsr in the
regs structure that will be restored when the eret is done, but it looks
like kernel_enable_single_step() sets both.

-dl


2014-12-12 23:10:23

by Steve Capper

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12 December 2014 at 22:42, David Long <[email protected]> wrote:
> On 12/10/14 11:38, Steve Capper wrote:
>>
>> On Tue, Dec 09, 2014 at 09:27:18AM -0500, David Long wrote:
>>>
>>> On 12/09/14 08:33, Steve Capper wrote:
>>>>
>>>> On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
>>
>>
>> [...]
>>
>>>>
>>>> Not sure if this is helpful, but the following also caused a crash for
>>>> me:
>>>>
>>>> echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve"
>>>> > /sys/kernel/debug/tracing/kprobe_events
>>>> echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
>>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>>
>>>> [immediate crash]
>>>>
>>>> The crash point for me is in the arm64 ASID allocator, it again looks
>>>> like the interrupts are in an unexpected state.
>>>> (check_and_switch_context goes down the irqs disabled code path, I
>>>> think incorrectly).
>>>>
>>>> This occurred for me both with and without the proposed irq saving fix.
>>>>
>>>> I will do some more digging.
>>>>
>>>
>>> Thanks, more information is good.
>>>
>>
>> Hi,
>>
>> Some good news, I think I've fixed the problem I've been experiencing.
>>
>> Basically, I've torn out all the interrupt save/restore and have
>> narrowed the scope to just sandwich the instruction single-step. This
>> simplifies a lot of logic, and I've now been able to perf record a
>> kprobe on memcpy (and the trace_event_buffer_lock_reserve + memcpy
>> test) without any issues on a Juno platform.
>>
>> I may have been somewhat over-zealous with the chainsaw, so please do
>> put this fix through its paces.
>>
>> Cheers,
>> --
>> Steve
>>
>>
>> From d3f4d80ce19bec71bd03209beb2fbfd8084d6543 Mon Sep 17 00:00:00 2001
>> From: Steve Capper <[email protected]>
>> Date: Mon, 1 Dec 2014 11:30:10 +0000
>> Subject: [PATCH] Fix the interrupt handling for kprobes
>>
>> ---
>> arch/arm64/kernel/kprobes.c | 16 ++--------------
>> 1 file changed, 2 insertions(+), 14 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
>> index be7c330..d39d826 100644
>> --- a/arch/arm64/kernel/kprobes.c
>> +++ b/arch/arm64/kernel/kprobes.c
>> @@ -229,10 +229,6 @@ skip_singlestep_missed(struct kprobe_ctlblk *kcb,
>> struct pt_regs *regs)
>> {
>> /* set return addr to next pc to continue */
>> instruction_pointer(regs) += sizeof(kprobe_opcode_t);
>> -
>> - if (kcb->kprobe_status != KPROBE_REENTER)
>> - kprobes_restore_local_irqflag(regs);
>> -
>> }
>>
>> static void __kprobes setup_singlestep(struct kprobe *p,
>> @@ -259,7 +255,7 @@ static void __kprobes setup_singlestep(struct kprobe
>> *p,
>> spsr_set_debug_flag(regs, 0);
>>
>> /* IRQs and single stepping do not mix well. */
>> - local_irq_disable();
>> + kprobes_save_local_irqflag(regs);
>> kernel_enable_single_step(regs);
>> instruction_pointer(regs) = slot;
>> } else {
>> @@ -326,7 +322,6 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct
>> pt_regs *regs)
>> }
>>
>> reset_current_kprobe();
>> - kprobes_restore_local_irqflag(regs);
>> }
>>
>> int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int
>> fsr)
>> @@ -380,8 +375,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs
>> *regs, unsigned int fsr)
>> return 1;
>>
>> break;
>> - default:
>> - break;
>> }
>> return 0;
>> }
>> @@ -446,7 +439,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>> * handling of this interrupt is appropriate.
>> * Return back to original instruction, and continue.
>> */
>> - kprobes_restore_local_irqflag(regs);
>> return;
>> } else if (cur) {
>> /* We probably hit a jprobe. Call its break handler. */
>> @@ -459,7 +451,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>> /* breakpoint is removed, now in a race
>> * Return back to original instruction & continue.
>> */
>> - kprobes_restore_local_irqflag(regs);
>> }
>> }
>>
>> @@ -485,6 +476,7 @@ kprobe_single_step_handler(struct pt_regs *regs,
>> unsigned int esr)
>> retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
>>
>> if (retval == DBG_HOOK_HANDLED) {
>> + kprobes_restore_local_irqflag(regs);
>> kernel_disable_single_step();
>>
>> if (kcb->kprobe_status == KPROBE_REENTER)
>> @@ -499,7 +491,6 @@ kprobe_single_step_handler(struct pt_regs *regs,
>> unsigned int esr)
>> static int __kprobes
>> kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
>> {
>> - kprobes_save_local_irqflag(regs);
>> kprobe_handler(regs);
>> return DBG_HOOK_HANDLED;
>> }
>> @@ -563,7 +554,6 @@ int __kprobes longjmp_break_handler(struct kprobe *p,
>> struct pt_regs *regs)
>> memcpy((void *)stack_addr, kcb->jprobes_stack,
>> MIN_STACK_SIZE(stack_addr));
>> preempt_enable_no_resched();
>> - kprobes_restore_local_irqflag(regs);
>> return 1;
>> }
>> return 0;
>> @@ -655,8 +645,6 @@ trampoline_probe_handler(struct kprobe *p, struct
>> pt_regs *regs)
>> kfree(ri);
>> }
>>
>> - kprobes_restore_local_irqflag(regs);
>> -
>> /* return 1 so that post handlers not called */
>> return 1;
>> }
>>
>
> Sorry for the delay in responding. The assumption with the existing code is
> that you can't enable single-stepping in MDSCR until you disable interrupts.
> But since we get to that point (in this case) with debug exceptions masked
> in daif I suppose this is an unnecessary constraint, as you have
> demonstrated. I do actually wonder if we need to set the bit in MDSCR_EL1
> at all since we're also setting it in the spsr in the regs structure that
> will be restored when the eret is done, but it looks like
> kernel_enable_single_step() sets both.
>

I do think we need to disable interrupts, but only when we're about to
single-step.
(My explanation before was imprecise, apologies).
The change I posted disables interrupts in __kprobes_single_step, and
restores them in kprobe_single_step_handler.
I did try removing the interrupt logic completely, but this then
resulted in a system hang after a few seconds.

I will think about MDSCR_EL1, when I'm awake :-).

Cheers,
--
Steve

Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

(2014/12/13 8:10), Steve Capper wrote:
> On 12 December 2014 at 22:42, David Long <[email protected]> wrote:
>> On 12/10/14 11:38, Steve Capper wrote:
>>>
>>> On Tue, Dec 09, 2014 at 09:27:18AM -0500, David Long wrote:
>>>>
>>>> On 12/09/14 08:33, Steve Capper wrote:
>>>>>
>>>>> On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
>>>
>>>
>>> [...]
>>>
>>>>>
>>>>> Not sure if this is helpful, but the following also caused a crash for
>>>>> me:
>>>>>
>>>>> echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve"
>>>>>> /sys/kernel/debug/tracing/kprobe_events
>>>>> echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
>>>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>>>
>>>>> [immediate crash]
>>>>>
>>>>> The crash point for me is in the arm64 ASID allocator, it again looks
>>>>> like the interrupts are in an unexpected state.
>>>>> (check_and_switch_context goes down the irqs disabled code path, I
>>>>> think incorrectly).
>>>>>
>>>>> This occurred for me both with and without the proposed irq saving fix.
>>>>>
>>>>> I will do some more digging.
>>>>>
>>>>
>>>> Thanks, more information is good.
>>>>
>>>
>>> Hi,
>>>
>>> Some good news, I think I've fixed the problem I've been experiencing.
>>>
>>> Basically, I've torn out all the interrupt save/restore and have
>>> narrowed the scope to just sandwich the instruction single-step. This
>>> simplifies a lot of logic, and I've now been able to perf record a
>>> kprobe on memcpy (and the trace_event_buffer_lock_reserve + memcpy
>>> test) without any issues on a Juno platform.
>>>
>>> I may have been somewhat over-zealous with the chainsaw, so please do
>>> put this fix through its paces.
>>>
>>> Cheers,
>>> --
>>> Steve
>>>
>>>
>>> From d3f4d80ce19bec71bd03209beb2fbfd8084d6543 Mon Sep 17 00:00:00 2001
>>> From: Steve Capper <[email protected]>
>>> Date: Mon, 1 Dec 2014 11:30:10 +0000
>>> Subject: [PATCH] Fix the interrupt handling for kprobes
>>>
>>> ---
>>> arch/arm64/kernel/kprobes.c | 16 ++--------------
>>> 1 file changed, 2 insertions(+), 14 deletions(-)
>>>
>>> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
>>> index be7c330..d39d826 100644
>>> --- a/arch/arm64/kernel/kprobes.c
>>> +++ b/arch/arm64/kernel/kprobes.c
>>> @@ -229,10 +229,6 @@ skip_singlestep_missed(struct kprobe_ctlblk *kcb,
>>> struct pt_regs *regs)
>>> {
>>> /* set return addr to next pc to continue */
>>> instruction_pointer(regs) += sizeof(kprobe_opcode_t);
>>> -
>>> - if (kcb->kprobe_status != KPROBE_REENTER)
>>> - kprobes_restore_local_irqflag(regs);
>>> -
>>> }
>>>
>>> static void __kprobes setup_singlestep(struct kprobe *p,
>>> @@ -259,7 +255,7 @@ static void __kprobes setup_singlestep(struct kprobe
>>> *p,
>>> spsr_set_debug_flag(regs, 0);
>>>
>>> /* IRQs and single stepping do not mix well. */
>>> - local_irq_disable();
>>> + kprobes_save_local_irqflag(regs);
>>> kernel_enable_single_step(regs);
>>> instruction_pointer(regs) = slot;
>>> } else {
>>> @@ -326,7 +322,6 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct
>>> pt_regs *regs)
>>> }
>>>
>>> reset_current_kprobe();
>>> - kprobes_restore_local_irqflag(regs);
>>> }
>>>
>>> int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int
>>> fsr)
>>> @@ -380,8 +375,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs
>>> *regs, unsigned int fsr)
>>> return 1;
>>>
>>> break;
>>> - default:
>>> - break;
>>> }
>>> return 0;
>>> }
>>> @@ -446,7 +439,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>>> * handling of this interrupt is appropriate.
>>> * Return back to original instruction, and continue.
>>> */
>>> - kprobes_restore_local_irqflag(regs);
>>> return;
>>> } else if (cur) {
>>> /* We probably hit a jprobe. Call its break handler. */
>>> @@ -459,7 +451,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>>> /* breakpoint is removed, now in a race
>>> * Return back to original instruction & continue.
>>> */
>>> - kprobes_restore_local_irqflag(regs);
>>> }
>>> }
>>>
>>> @@ -485,6 +476,7 @@ kprobe_single_step_handler(struct pt_regs *regs,
>>> unsigned int esr)
>>> retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
>>>
>>> if (retval == DBG_HOOK_HANDLED) {
>>> + kprobes_restore_local_irqflag(regs);
>>> kernel_disable_single_step();
>>>
>>> if (kcb->kprobe_status == KPROBE_REENTER)
>>> @@ -499,7 +491,6 @@ kprobe_single_step_handler(struct pt_regs *regs,
>>> unsigned int esr)
>>> static int __kprobes
>>> kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
>>> {
>>> - kprobes_save_local_irqflag(regs);
>>> kprobe_handler(regs);
>>> return DBG_HOOK_HANDLED;
>>> }
>>> @@ -563,7 +554,6 @@ int __kprobes longjmp_break_handler(struct kprobe *p,
>>> struct pt_regs *regs)
>>> memcpy((void *)stack_addr, kcb->jprobes_stack,
>>> MIN_STACK_SIZE(stack_addr));
>>> preempt_enable_no_resched();
>>> - kprobes_restore_local_irqflag(regs);
>>> return 1;
>>> }
>>> return 0;
>>> @@ -655,8 +645,6 @@ trampoline_probe_handler(struct kprobe *p, struct
>>> pt_regs *regs)
>>> kfree(ri);
>>> }
>>>
>>> - kprobes_restore_local_irqflag(regs);
>>> -
>>> /* return 1 so that post handlers not called */
>>> return 1;
>>> }
>>>
>>
>> Sorry for the delay in responding. The assumption with the existing code is
>> that you can't enable single-stepping in MDSCR until you disable interrupts.
>> But since we get to that point (in this case) with debug exceptions masked
>> in daif I suppose this is an unnecessary constraint, as you have
>> demonstrated. I do actually wonder if we need to set the bit in MDSCR_EL1
>> at all since we're also setting it in the spsr in the regs structure that
>> will be restored when the eret is done, but it looks like
>> kernel_enable_single_step() sets both.
>>
>
> I do think we need to disable interrupts, but only when we're about to
> single-step.
> (My explanation before was imprecise, apologies).
> The change I posted disables interrupts in __kprobes_single_step, and
> restores them in kprobe_single_step_handler.
> I did try removing the interrupt logic completely, but this then
> resulted in a system hang after a few seconds.

By the way, on ARM64, kprobe handler runs under (normal) interrupts enabled?
On x86, the sw breakpoint interrupt automatically disables interrupts, so
original kprobes is designed as run under local-irq-disabled environment.
Maybe we should consider disabling irq at early stage of kprobe handler if
it is correct.

Thank you,

--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]

2014-12-15 06:29:29

by David Long

[permalink] [raw]
Subject: Re: [PATCH v3 0/5] ARM64: Add kernel probes(Kprobes) support

On 12/12/14 18:10, Steve Capper wrote:
> On 12 December 2014 at 22:42, David Long <[email protected]> wrote:
>> On 12/10/14 11:38, Steve Capper wrote:
>>>
>>> On Tue, Dec 09, 2014 at 09:27:18AM -0500, David Long wrote:
>>>>
>>>> On 12/09/14 08:33, Steve Capper wrote:
>>>>>
>>>>> On Thu, Dec 04, 2014 at 08:53:03PM +0900, Masami Hiramatsu wrote:
>>>
>>>
>>> [...]
>>>
>>>>>
>>>>> Not sure if this is helpful, but the following also caused a crash for
>>>>> me:
>>>>>
>>>>> echo "p:trace_event_buffer_lock_reserve trace_event_buffer_lock_reserve"
>>>>>> /sys/kernel/debug/tracing/kprobe_events
>>>>> echo "p:memcpy memcpy" >> /sys/kernel/debug/tracing/kprobe_events
>>>>> echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
>>>>>
>>>>> [immediate crash]
>>>>>
>>>>> The crash point for me is in the arm64 ASID allocator, it again looks
>>>>> like the interrupts are in an unexpected state.
>>>>> (check_and_switch_context goes down the irqs disabled code path, I
>>>>> think incorrectly).
>>>>>
>>>>> This occurred for me both with and without the proposed irq saving fix.
>>>>>
>>>>> I will do some more digging.
>>>>>
>>>>
>>>> Thanks, more information is good.
>>>>
>>>
>>> Hi,
>>>
>>> Some good news, I think I've fixed the problem I've been experiencing.
>>>
>>> Basically, I've torn out all the interrupt save/restore and have
>>> narrowed the scope to just sandwich the instruction single-step. This
>>> simplifies a lot of logic, and I've now been able to perf record a
>>> kprobe on memcpy (and the trace_event_buffer_lock_reserve + memcpy
>>> test) without any issues on a Juno platform.
>>>
>>> I may have been somewhat over-zealous with the chainsaw, so please do
>>> put this fix through its paces.
>>>
>>> Cheers,
>>> --
>>> Steve
>>>
>>>
>>> From d3f4d80ce19bec71bd03209beb2fbfd8084d6543 Mon Sep 17 00:00:00 2001
>>> From: Steve Capper <[email protected]>
>>> Date: Mon, 1 Dec 2014 11:30:10 +0000
>>> Subject: [PATCH] Fix the interrupt handling for kprobes
>>>
>>> ---
>>> arch/arm64/kernel/kprobes.c | 16 ++--------------
>>> 1 file changed, 2 insertions(+), 14 deletions(-)
>>>
>>> diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
>>> index be7c330..d39d826 100644
>>> --- a/arch/arm64/kernel/kprobes.c
>>> +++ b/arch/arm64/kernel/kprobes.c
>>> @@ -229,10 +229,6 @@ skip_singlestep_missed(struct kprobe_ctlblk *kcb,
>>> struct pt_regs *regs)
>>> {
>>> /* set return addr to next pc to continue */
>>> instruction_pointer(regs) += sizeof(kprobe_opcode_t);
>>> -
>>> - if (kcb->kprobe_status != KPROBE_REENTER)
>>> - kprobes_restore_local_irqflag(regs);
>>> -
>>> }
>>>
>>> static void __kprobes setup_singlestep(struct kprobe *p,
>>> @@ -259,7 +255,7 @@ static void __kprobes setup_singlestep(struct kprobe
>>> *p,
>>> spsr_set_debug_flag(regs, 0);
>>>
>>> /* IRQs and single stepping do not mix well. */
>>> - local_irq_disable();
>>> + kprobes_save_local_irqflag(regs);
>>> kernel_enable_single_step(regs);
>>> instruction_pointer(regs) = slot;
>>> } else {
>>> @@ -326,7 +322,6 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct
>>> pt_regs *regs)
>>> }
>>>
>>> reset_current_kprobe();
>>> - kprobes_restore_local_irqflag(regs);
>>> }
>>>
>>> int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int
>>> fsr)
>>> @@ -380,8 +375,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs
>>> *regs, unsigned int fsr)
>>> return 1;
>>>
>>> break;
>>> - default:
>>> - break;
>>> }
>>> return 0;
>>> }
>>> @@ -446,7 +439,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>>> * handling of this interrupt is appropriate.
>>> * Return back to original instruction, and continue.
>>> */
>>> - kprobes_restore_local_irqflag(regs);
>>> return;
>>> } else if (cur) {
>>> /* We probably hit a jprobe. Call its break handler. */
>>> @@ -459,7 +451,6 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
>>> /* breakpoint is removed, now in a race
>>> * Return back to original instruction & continue.
>>> */
>>> - kprobes_restore_local_irqflag(regs);
>>> }
>>> }
>>>
>>> @@ -485,6 +476,7 @@ kprobe_single_step_handler(struct pt_regs *regs,
>>> unsigned int esr)
>>> retval = kprobe_ss_hit(kcb, instruction_pointer(regs));
>>>
>>> if (retval == DBG_HOOK_HANDLED) {
>>> + kprobes_restore_local_irqflag(regs);
>>> kernel_disable_single_step();
>>>
>>> if (kcb->kprobe_status == KPROBE_REENTER)
>>> @@ -499,7 +491,6 @@ kprobe_single_step_handler(struct pt_regs *regs,
>>> unsigned int esr)
>>> static int __kprobes
>>> kprobe_breakpoint_handler(struct pt_regs *regs, unsigned int esr)
>>> {
>>> - kprobes_save_local_irqflag(regs);
>>> kprobe_handler(regs);
>>> return DBG_HOOK_HANDLED;
>>> }
>>> @@ -563,7 +554,6 @@ int __kprobes longjmp_break_handler(struct kprobe *p,
>>> struct pt_regs *regs)
>>> memcpy((void *)stack_addr, kcb->jprobes_stack,
>>> MIN_STACK_SIZE(stack_addr));
>>> preempt_enable_no_resched();
>>> - kprobes_restore_local_irqflag(regs);
>>> return 1;
>>> }
>>> return 0;
>>> @@ -655,8 +645,6 @@ trampoline_probe_handler(struct kprobe *p, struct
>>> pt_regs *regs)
>>> kfree(ri);
>>> }
>>>
>>> - kprobes_restore_local_irqflag(regs);
>>> -
>>> /* return 1 so that post handlers not called */
>>> return 1;
>>> }
>>>
>>
>> Sorry for the delay in responding. The assumption with the existing code is
>> that you can't enable single-stepping in MDSCR until you disable interrupts.
>> But since we get to that point (in this case) with debug exceptions masked
>> in daif I suppose this is an unnecessary constraint, as you have
>> demonstrated. I do actually wonder if we need to set the bit in MDSCR_EL1
>> at all since we're also setting it in the spsr in the regs structure that
>> will be restored when the eret is done, but it looks like
>> kernel_enable_single_step() sets both.
>>
>
> I do think we need to disable interrupts, but only when we're about to
> single-step.
> (My explanation before was imprecise, apologies).
> The change I posted disables interrupts in __kprobes_single_step, and
> restores them in kprobe_single_step_handler.
> I did try removing the interrupt logic completely, but this then
> resulted in a system hang after a few seconds.
>

I worded that badly. You still have to disable interrupts but I had
thought we needed to do that before setting SS in MDSCR. You've shown
we can do it anytime before we unmask debug exceptions.

> I will think about MDSCR_EL1, when I'm awake :-).
>
> Cheers,
> --
> Steve
>

2014-12-22 10:10:50

by Pratyush Anand

[permalink] [raw]
Subject: Re: [PATCH v3 1/5] arm64: Kprobes with single stepping support

Hi Dave,

On Tue, Nov 18, 2014 at 12:02 PM, David Long <[email protected]> wrote:
> From: Sandeepa Prabhu <[email protected]>
>
> Add support for basic kernel probes(kprobes) and jump probes
> (jprobes) for ARM64.

Some part of the code can be reused for uprobes as well. I think,
there would still be next
revision. So, if you can re-factor those parts in v4.

[...]


> +++ b/arch/arm64/include/asm/probes.h
> @@ -0,0 +1,50 @@
> +/*
> + * arch/arm64/include/asm/probes.h
> + *
> + * Copyright (C) 2013 Linaro Limited
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +#ifndef _ARM_PROBES_H
> +#define _ARM_PROBES_H
> +
> +struct kprobe;
> +struct arch_specific_insn;
> +
> +typedef u32 kprobe_opcode_t;
> +typedef unsigned long (kprobes_pstate_check_t)(unsigned long);
> +typedef unsigned long
> +(kprobes_condition_check_t)(struct kprobe *p, struct pt_regs *);

To be used for uprobe:
p->opcode and p->ainsn can be passed in stead of p.

> +typedef void
> +(kprobes_prepare_t)(struct kprobe *, struct arch_specific_insn *);

ditto.. can pass p->opcode in stead of p.

> +typedef void (kprobes_handler_t) (u32 opcode, long addr, struct pt_regs *);
> +
> +enum pc_restore_type {
> + NO_RESTORE,
> + RESTORE_PC,
> +};
> +
> +struct kprobe_pc_restore {
> + enum pc_restore_type type;
> + unsigned long addr;
> +};
> +
> +/* architecture specific copy of original instruction */
> +struct arch_specific_insn {
> + kprobe_opcode_t *insn;
> + kprobes_pstate_check_t *pstate_cc;
> + kprobes_condition_check_t *check_condn;
> + kprobes_prepare_t *prepare;
> + kprobes_handler_t *handler;
> + /* restore address after step xol */
> + struct kprobe_pc_restore restore;
> +};

Probably it would be better to keep name as probe_xxxx in stead of kprobe_xxxx.

> +
> +#endif

[...]

> diff --git a/arch/arm64/kernel/kprobes-arm64.c b/arch/arm64/kernel/kprobes-arm64.c

I think most of the stuff of this file can be used for uprobe. So what
about keeping
name as probes-arm64.c


> new file mode 100644
> index 0000000..30d1c14

[...]

[...]

> +enum kprobe_insn __kprobes
> +arm_kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi)
> +{
> + return kprobe_decode_insn(insn, asi, aarch64_decode_table);
> +}

may be we can replace kprobe to probe for the above function as well.


[...]



> +/*
> + * arch/arm64/kernel/kprobes.h
> + *
> + * Copyright (C) 2013 Linaro Limited.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef _ARM_KERNEL_KPROBES_H
> +#define _ARM_KERNEL_KPROBES_H
> +
> +/* BRK opcodes with ESR encoding */
> +#define BRK64_ESR_MASK 0xFFFF
> +#define BRK64_ESR_KPROBES 0x0004
> +#define BRK64_OPCODE_KPROBES 0xD4200080 /* "brk 0x4" */
> +#define ARCH64_NOP_OPCODE 0xD503201F

Probably these definitions can be kept in asm/insn.h. There we can add another
BRK64_OPCODE_UPROBES with different brk code.


~Pratyush