2 * User-space Probes (UProbes) for x86
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 * Copyright (C) IBM Corporation, 2008-2011
23 #include <linux/kernel.h>
24 #include <linux/sched.h>
25 #include <linux/ptrace.h>
26 #include <linux/uprobes.h>
27 #include <linux/uaccess.h>
29 #include <linux/kdebug.h>
30 #include <asm/processor.h>
32 #include <asm/mmu_context.h>
34 /* Post-execution fixups. */
36 /* Adjust IP back to vicinity of actual insn */
37 #define UPROBE_FIX_IP 0x01
39 /* Adjust the return address of a call insn */
40 #define UPROBE_FIX_CALL 0x02
42 /* Instruction will modify TF, don't change it */
43 #define UPROBE_FIX_SETF 0x04
45 #define UPROBE_FIX_RIP_SI 0x08
46 #define UPROBE_FIX_RIP_DI 0x10
47 #define UPROBE_FIX_RIP_BX 0x20
48 #define UPROBE_FIX_RIP_MASK \
49 (UPROBE_FIX_RIP_SI | UPROBE_FIX_RIP_DI | UPROBE_FIX_RIP_BX)
51 #define UPROBE_TRAP_NR UINT_MAX
53 /* Adaptations for mhiramat x86 decoder v14. */
54 #define OPCODE1(insn) ((insn)->opcode.bytes[0])
55 #define OPCODE2(insn) ((insn)->opcode.bytes[1])
56 #define OPCODE3(insn) ((insn)->opcode.bytes[2])
57 #define MODRM_REG(insn) X86_MODRM_REG((insn)->modrm.value)
59 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
60 (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \
61 (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \
62 (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \
63 (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \
67 * Good-instruction tables for 32-bit apps. This is non-const and volatile
68 * to keep gcc from statically optimizing it out, as variable_test_bit makes
69 * some versions of gcc to think only *(unsigned long*) is used.
71 * Opcodes we'll probably never support:
72 * 6c-6f - ins,outs. SEGVs if used in userspace
73 * e4-e7 - in,out imm. SEGVs if used in userspace
74 * ec-ef - in,out acc. SEGVs if used in userspace
75 * cc - int3. SIGTRAP if used in userspace
76 * ce - into. Not used in userspace - no kernel support to make it useful. SEGVs
77 * (why we support bound (62) then? it's similar, and similarly unused...)
78 * f1 - int1. SIGTRAP if used in userspace
79 * f4 - hlt. SEGVs if used in userspace
80 * fa - cli. SEGVs if used in userspace
81 * fb - sti. SEGVs if used in userspace
83 * Opcodes which need some work to be supported:
84 * 07,17,1f - pop es/ss/ds
85 * Normally not used in userspace, but would execute if used.
86 * Can cause GP or stack exception if tries to load wrong segment descriptor.
87 * We hesitate to run them under single step since kernel's handling
88 * of userspace single-stepping (TF flag) is fragile.
89 * We can easily refuse to support push es/cs/ss/ds (06/0e/16/1e)
90 * on the same grounds that they are never used.
92 * Used by userspace for "int 80" syscall entry. (Other "int N"
93 * cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
94 * Not supported since kernel's handling of userspace single-stepping
95 * (TF flag) is fragile.
96 * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
98 #if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION)
99 static volatile u32 good_insns_32[256 / 32] = {
100 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
101 /* ---------------------------------------------- */
102 W(0x00, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* 00 */
103 W(0x10, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 10 */
104 W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
105 W(0x30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
106 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
107 W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
108 W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
109 W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
110 W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
111 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
112 W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
113 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
114 W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
115 W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
116 W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0) | /* e0 */
117 W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1) /* f0 */
118 /* ---------------------------------------------- */
119 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
122 #define good_insns_32 NULL
125 /* Good-instruction tables for 64-bit apps.
127 * Genuinely invalid opcodes:
128 * 06,07 - formerly push/pop es
129 * 0e - formerly push cs
130 * 16,17 - formerly push/pop ss
131 * 1e,1f - formerly push/pop ds
132 * 27,2f,37,3f - formerly daa/das/aaa/aas
133 * 60,61 - formerly pusha/popa
134 * 62 - formerly bound. EVEX prefix for AVX512 (not yet supported)
135 * 82 - formerly redundant encoding of Group1
136 * 9a - formerly call seg:ofs
138 * d4,d5 - formerly aam/aad
139 * d6 - formerly undocumented salc
140 * ea - formerly jmp seg:ofs
142 * Opcodes we'll probably never support:
143 * 6c-6f - ins,outs. SEGVs if used in userspace
144 * e4-e7 - in,out imm. SEGVs if used in userspace
145 * ec-ef - in,out acc. SEGVs if used in userspace
146 * cc - int3. SIGTRAP if used in userspace
147 * f1 - int1. SIGTRAP if used in userspace
148 * f4 - hlt. SEGVs if used in userspace
149 * fa - cli. SEGVs if used in userspace
150 * fb - sti. SEGVs if used in userspace
152 * Opcodes which need some work to be supported:
154 * Used by userspace for "int 80" syscall entry. (Other "int N"
155 * cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
156 * Not supported since kernel's handling of userspace single-stepping
157 * (TF flag) is fragile.
158 * cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
160 #if defined(CONFIG_X86_64)
161 static volatile u32 good_insns_64[256 / 32] = {
162 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
163 /* ---------------------------------------------- */
164 W(0x00, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1) | /* 00 */
165 W(0x10, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0) , /* 10 */
166 W(0x20, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) | /* 20 */
167 W(0x30, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 30 */
168 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
169 W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
170 W(0x60, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
171 W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
172 W(0x80, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
173 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1) , /* 90 */
174 W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
175 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
176 W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
177 W(0xd0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
178 W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0) | /* e0 */
179 W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1) /* f0 */
180 /* ---------------------------------------------- */
181 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
184 #define good_insns_64 NULL
187 /* Using this for both 64-bit and 32-bit apps.
188 * Opcodes we don't support:
189 * 0f 00 - SLDT/STR/LLDT/LTR/VERR/VERW/-/- group. System insns
190 * 0f 01 - SGDT/SIDT/LGDT/LIDT/SMSW/-/LMSW/INVLPG group.
191 * Also encodes tons of other system insns if mod=11.
192 * Some are in fact non-system: xend, xtest, rdtscp, maybe more
194 * 0f 06 - clts (CPL0 insn)
196 * 0f 08 - invd (CPL0 insn)
197 * 0f 09 - wbinvd (CPL0 insn)
199 * 0f 30 - wrmsr (CPL0 insn) (then why rdmsr is allowed, it's also CPL0 insn?)
203 * 0f 78 - vmread (Intel VMX. CPL0 insn)
204 * 0f 79 - vmwrite (Intel VMX. CPL0 insn)
205 * Note: with prefixes, these two opcodes are
206 * extrq/insertq/AVX512 convert vector ops.
207 * 0f ae - group15: [f]xsave,[f]xrstor,[v]{ld,st}mxcsr,clflush[opt],
208 * {rd,wr}{fs,gs}base,{s,l,m}fence.
209 * Why? They are all user-executable.
211 static volatile u32 good_2byte_insns[256 / 32] = {
212 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
213 /* ---------------------------------------------- */
214 W(0x00, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1) | /* 00 */
215 W(0x10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 10 */
216 W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
217 W(0x30, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
218 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
219 W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
220 W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 60 */
221 W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1) , /* 70 */
222 W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
223 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
224 W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1) | /* a0 */
225 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
226 W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
227 W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
228 W(0xe0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* e0 */
229 W(0xf0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) /* f0 */
230 /* ---------------------------------------------- */
231 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
236 * opcodes we may need to refine support for:
238 * 0f - 2-byte instructions: For many of these instructions, the validity
239 * depends on the prefix and/or the reg field. On such instructions, we
240 * just consider the opcode combination valid if it corresponds to any
243 * 8f - Group 1 - only reg = 0 is OK
244 * c6-c7 - Group 11 - only reg = 0 is OK
245 * d9-df - fpu insns with some illegal encodings
246 * f2, f3 - repnz, repz prefixes. These are also the first byte for
247 * certain floating-point instructions, such as addsd.
249 * fe - Group 4 - only reg = 0 or 1 is OK
250 * ff - Group 5 - only reg = 0-6 is OK
252 * others -- Do we need to support these?
254 * 0f - (floating-point?) prefetch instructions
255 * 07, 17, 1f - pop es, pop ss, pop ds
256 * 26, 2e, 36, 3e - es:, cs:, ss:, ds: segment prefixes --
257 * but 64 and 65 (fs: and gs:) seem to be used, so we support them
265 * - Where necessary, examine the modrm byte and allow only valid instructions
266 * in the different Groups and fpu instructions.
269 static bool is_prefix_bad(struct insn *insn)
274 for_each_insn_prefix(insn, i, p) {
277 attr = inat_get_opcode_attribute(p);
279 case INAT_MAKE_PREFIX(INAT_PFX_ES):
280 case INAT_MAKE_PREFIX(INAT_PFX_CS):
281 case INAT_MAKE_PREFIX(INAT_PFX_DS):
282 case INAT_MAKE_PREFIX(INAT_PFX_SS):
283 case INAT_MAKE_PREFIX(INAT_PFX_LOCK):
290 static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool x86_64)
292 u32 volatile *good_insns;
294 insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64);
295 /* has the side-effect of processing the entire instruction */
296 insn_get_length(insn);
297 if (!insn_complete(insn))
300 if (is_prefix_bad(insn))
303 /* We should not singlestep on the exception masking instructions */
304 if (insn_masking_exception(insn))
308 good_insns = good_insns_64;
310 good_insns = good_insns_32;
312 if (test_bit(OPCODE1(insn), (unsigned long *)good_insns))
315 if (insn->opcode.nbytes == 2) {
316 if (test_bit(OPCODE2(insn), (unsigned long *)good_2byte_insns))
325 * If arch_uprobe->insn doesn't use rip-relative addressing, return
326 * immediately. Otherwise, rewrite the instruction so that it accesses
327 * its memory operand indirectly through a scratch register. Set
328 * defparam->fixups accordingly. (The contents of the scratch register
329 * will be saved before we single-step the modified instruction,
330 * and restored afterward).
332 * We do this because a rip-relative instruction can access only a
333 * relatively small area (+/- 2 GB from the instruction), and the XOL
334 * area typically lies beyond that area. At least for instructions
335 * that store to memory, we can't execute the original instruction
336 * and "fix things up" later, because the misdirected store could be
339 * Some useful facts about rip-relative instructions:
341 * - There's always a modrm byte with bit layout "00 reg 101".
342 * - There's never a SIB byte.
343 * - The displacement is always 4 bytes.
344 * - REX.B=1 bit in REX prefix, which normally extends r/m field,
345 * has no effect on rip-relative mode. It doesn't make modrm byte
346 * with r/m=101 refer to register 1101 = R13.
348 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
354 if (!insn_rip_relative(insn))
358 * insn_rip_relative() would have decoded rex_prefix, vex_prefix, modrm.
359 * Clear REX.b bit (extension of MODRM.rm field):
360 * we want to encode low numbered reg, not r8+.
362 if (insn->rex_prefix.nbytes) {
363 cursor = auprobe->insn + insn_offset_rex_prefix(insn);
364 /* REX byte has 0100wrxb layout, clearing REX.b bit */
368 * Similar treatment for VEX3/EVEX prefix.
369 * TODO: add XOP treatment when insn decoder supports them
371 if (insn->vex_prefix.nbytes >= 3) {
373 * vex2: c5 rvvvvLpp (has no b bit)
374 * vex3/xop: c4/8f rxbmmmmm wvvvvLpp
375 * evex: 62 rxbR00mm wvvvv1pp zllBVaaa
376 * Setting VEX3.b (setting because it has inverted meaning).
377 * Setting EVEX.x since (in non-SIB encoding) EVEX.x
378 * is the 4th bit of MODRM.rm, and needs the same treatment.
379 * For VEX3-encoded insns, VEX3.x value has no effect in
380 * non-SIB encoding, the change is superfluous but harmless.
382 cursor = auprobe->insn + insn_offset_vex_prefix(insn) + 1;
387 * Convert from rip-relative addressing to register-relative addressing
388 * via a scratch register.
390 * This is tricky since there are insns with modrm byte
391 * which also use registers not encoded in modrm byte:
392 * [i]div/[i]mul: implicitly use dx:ax
393 * shift ops: implicitly use cx
394 * cmpxchg: implicitly uses ax
395 * cmpxchg8/16b: implicitly uses dx:ax and bx:cx
396 * Encoding: 0f c7/1 modrm
397 * The code below thinks that reg=1 (cx), chooses si as scratch.
398 * mulx: implicitly uses dx: mulx r/m,r1,r2 does r1:r2 = dx * r/m.
399 * First appeared in Haswell (BMI2 insn). It is vex-encoded.
400 * Example where none of bx,cx,dx can be used as scratch reg:
401 * c4 e2 63 f6 0d disp32 mulx disp32(%rip),%ebx,%ecx
402 * [v]pcmpistri: implicitly uses cx, xmm0
403 * [v]pcmpistrm: implicitly uses xmm0
404 * [v]pcmpestri: implicitly uses ax, dx, cx, xmm0
405 * [v]pcmpestrm: implicitly uses ax, dx, xmm0
406 * Evil SSE4.2 string comparison ops from hell.
407 * maskmovq/[v]maskmovdqu: implicitly uses (ds:rdi) as destination.
408 * Encoding: 0f f7 modrm, 66 0f f7 modrm, vex-encoded: c5 f9 f7 modrm.
409 * Store op1, byte-masked by op2 msb's in each byte, to (ds:rdi).
410 * AMD says it has no 3-operand form (vex.vvvv must be 1111)
411 * and that it can have only register operands, not mem
412 * (its modrm byte must have mode=11).
413 * If these restrictions will ever be lifted,
414 * we'll need code to prevent selection of di as scratch reg!
416 * Summary: I don't know any insns with modrm byte which
417 * use SI register implicitly. DI register is used only
418 * by one insn (maskmovq) and BX register is used
419 * only by one too (cmpxchg8b).
420 * BP is stack-segment based (may be a problem?).
421 * AX, DX, CX are off-limits (many implicit users).
422 * SP is unusable (it's stack pointer - think about "pop mem";
423 * also, rsp+disp32 needs sib encoding -> insn length change).
426 reg = MODRM_REG(insn); /* Fetch modrm.reg */
427 reg2 = 0xff; /* Fetch vex.vvvv */
428 if (insn->vex_prefix.nbytes)
429 reg2 = insn->vex_prefix.bytes[2];
431 * TODO: add XOP vvvv reading.
433 * vex.vvvv field is in bits 6-3, bits are inverted.
434 * But in 32-bit mode, high-order bit may be ignored.
435 * Therefore, let's consider only 3 low-order bits.
437 reg2 = ((reg2 >> 3) & 0x7) ^ 0x7;
439 * Register numbering is ax,cx,dx,bx, sp,bp,si,di, r8..r15.
441 * Choose scratch reg. Order is important: must not select bx
442 * if we can use si (cmpxchg8b case!)
444 if (reg != 6 && reg2 != 6) {
446 auprobe->defparam.fixups |= UPROBE_FIX_RIP_SI;
447 } else if (reg != 7 && reg2 != 7) {
449 auprobe->defparam.fixups |= UPROBE_FIX_RIP_DI;
450 /* TODO (paranoia): force maskmovq to not use di */
453 auprobe->defparam.fixups |= UPROBE_FIX_RIP_BX;
456 * Point cursor at the modrm byte. The next 4 bytes are the
457 * displacement. Beyond the displacement, for some instructions,
458 * is the immediate operand.
460 cursor = auprobe->insn + insn_offset_modrm(insn);
462 * Change modrm from "00 reg 101" to "10 reg reg2". Example:
463 * 89 05 disp32 mov %eax,disp32(%rip) becomes
464 * 89 86 disp32 mov %eax,disp32(%rsi)
466 *cursor = 0x80 | (reg << 3) | reg2;
469 static inline unsigned long *
470 scratch_reg(struct arch_uprobe *auprobe, struct pt_regs *regs)
472 if (auprobe->defparam.fixups & UPROBE_FIX_RIP_SI)
474 if (auprobe->defparam.fixups & UPROBE_FIX_RIP_DI)
480 * If we're emulating a rip-relative instruction, save the contents
481 * of the scratch register and store the target address in that register.
483 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
485 if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
486 struct uprobe_task *utask = current->utask;
487 unsigned long *sr = scratch_reg(auprobe, regs);
489 utask->autask.saved_scratch_register = *sr;
490 *sr = utask->vaddr + auprobe->defparam.ilen;
494 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
496 if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
497 struct uprobe_task *utask = current->utask;
498 unsigned long *sr = scratch_reg(auprobe, regs);
500 *sr = utask->autask.saved_scratch_register;
505 * No RIP-relative addressing on 32-bit
507 static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
510 static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
513 static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
516 #endif /* CONFIG_X86_64 */
518 struct uprobe_xol_ops {
519 bool (*emulate)(struct arch_uprobe *, struct pt_regs *);
520 int (*pre_xol)(struct arch_uprobe *, struct pt_regs *);
521 int (*post_xol)(struct arch_uprobe *, struct pt_regs *);
522 void (*abort)(struct arch_uprobe *, struct pt_regs *);
525 static inline int sizeof_long(struct pt_regs *regs)
528 * Check registers for mode as in_xxx_syscall() does not apply here.
530 return user_64bit_mode(regs) ? 8 : 4;
533 static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
535 riprel_pre_xol(auprobe, regs);
539 static int emulate_push_stack(struct pt_regs *regs, unsigned long val)
541 unsigned long new_sp = regs->sp - sizeof_long(regs);
543 if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs)))
551 * We have to fix things up as follows:
553 * Typically, the new ip is relative to the copied instruction. We need
554 * to make it relative to the original instruction (FIX_IP). Exceptions
555 * are return instructions and absolute or indirect jump or call instructions.
557 * If the single-stepped instruction was a call, the return address that
558 * is atop the stack is the address following the copied instruction. We
559 * need to make it the address following the original instruction (FIX_CALL).
561 * If the original instruction was a rip-relative instruction such as
562 * "movl %edx,0xnnnn(%rip)", we have instead executed an equivalent
563 * instruction using a scratch register -- e.g., "movl %edx,0xnnnn(%rsi)".
564 * We need to restore the contents of the scratch register
567 static int default_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
569 struct uprobe_task *utask = current->utask;
571 riprel_post_xol(auprobe, regs);
572 if (auprobe->defparam.fixups & UPROBE_FIX_IP) {
573 long correction = utask->vaddr - utask->xol_vaddr;
574 regs->ip += correction;
575 } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
576 regs->sp += sizeof_long(regs); /* Pop incorrect return address */
577 if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen))
580 /* popf; tell the caller to not touch TF */
581 if (auprobe->defparam.fixups & UPROBE_FIX_SETF)
582 utask->autask.saved_tf = true;
587 static void default_abort_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
589 riprel_post_xol(auprobe, regs);
592 static const struct uprobe_xol_ops default_xol_ops = {
593 .pre_xol = default_pre_xol_op,
594 .post_xol = default_post_xol_op,
595 .abort = default_abort_op,
598 static bool branch_is_call(struct arch_uprobe *auprobe)
600 return auprobe->branch.opc1 == 0xe8;
604 COND(70, 71, XF(OF)) \
605 COND(72, 73, XF(CF)) \
606 COND(74, 75, XF(ZF)) \
607 COND(78, 79, XF(SF)) \
608 COND(7a, 7b, XF(PF)) \
609 COND(76, 77, XF(CF) || XF(ZF)) \
610 COND(7c, 7d, XF(SF) != XF(OF)) \
611 COND(7e, 7f, XF(ZF) || XF(SF) != XF(OF))
613 #define COND(op_y, op_n, expr) \
614 case 0x ## op_y: DO((expr) != 0) \
615 case 0x ## op_n: DO((expr) == 0)
617 #define XF(xf) (!!(flags & X86_EFLAGS_ ## xf))
619 static bool is_cond_jmp_opcode(u8 opcode)
632 static bool check_jmp_cond(struct arch_uprobe *auprobe, struct pt_regs *regs)
634 unsigned long flags = regs->flags;
636 switch (auprobe->branch.opc1) {
642 default: /* not a conditional jmp */
651 static bool branch_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
653 unsigned long new_ip = regs->ip += auprobe->branch.ilen;
654 unsigned long offs = (long)auprobe->branch.offs;
656 if (branch_is_call(auprobe)) {
658 * If it fails we execute this (mangled, see the comment in
659 * branch_clear_offset) insn out-of-line. In the likely case
660 * this should trigger the trap, and the probed application
661 * should die or restart the same insn after it handles the
662 * signal, arch_uprobe_post_xol() won't be even called.
664 * But there is corner case, see the comment in ->post_xol().
666 if (emulate_push_stack(regs, new_ip))
668 } else if (!check_jmp_cond(auprobe, regs)) {
672 regs->ip = new_ip + offs;
676 static bool push_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
678 unsigned long *src_ptr = (void *)regs + auprobe->push.reg_offset;
680 if (emulate_push_stack(regs, *src_ptr))
682 regs->ip += auprobe->push.ilen;
686 static int branch_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
688 BUG_ON(!branch_is_call(auprobe));
690 * We can only get here if branch_emulate_op() failed to push the ret
691 * address _and_ another thread expanded our stack before the (mangled)
692 * "call" insn was executed out-of-line. Just restore ->sp and restart.
693 * We could also restore ->ip and try to call branch_emulate_op() again.
695 regs->sp += sizeof_long(regs);
699 static void branch_clear_offset(struct arch_uprobe *auprobe, struct insn *insn)
702 * Turn this insn into "call 1f; 1:", this is what we will execute
703 * out-of-line if ->emulate() fails. We only need this to generate
704 * a trap, so that the probed task receives the correct signal with
705 * the properly filled siginfo.
707 * But see the comment in ->post_xol(), in the unlikely case it can
708 * succeed. So we need to ensure that the new ->ip can not fall into
709 * the non-canonical area and trigger #GP.
711 * We could turn it into (say) "pushf", but then we would need to
712 * divorce ->insn[] and ->ixol[]. We need to preserve the 1st byte
713 * of ->insn[] for set_orig_insn().
715 memset(auprobe->insn + insn_offset_immediate(insn),
716 0, insn->immediate.nbytes);
719 static const struct uprobe_xol_ops branch_xol_ops = {
720 .emulate = branch_emulate_op,
721 .post_xol = branch_post_xol_op,
724 static const struct uprobe_xol_ops push_xol_ops = {
725 .emulate = push_emulate_op,
728 /* Returns -ENOSYS if branch_xol_ops doesn't handle this insn */
729 static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
731 u8 opc1 = OPCODE1(insn);
736 case 0xeb: /* jmp 8 */
737 case 0xe9: /* jmp 32 */
738 case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
741 case 0xe8: /* call relative */
742 branch_clear_offset(auprobe, insn);
746 if (insn->opcode.nbytes != 2)
749 * If it is a "near" conditional jmp, OPCODE2() - 0x10 matches
750 * OPCODE1() of the "short" jmp which checks the same condition.
752 opc1 = OPCODE2(insn) - 0x10;
754 if (!is_cond_jmp_opcode(opc1))
759 * 16-bit overrides such as CALLW (66 e8 nn nn) are not supported.
760 * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
761 * No one uses these insns, reject any branch insns with such prefix.
763 for_each_insn_prefix(insn, i, p) {
768 auprobe->branch.opc1 = opc1;
769 auprobe->branch.ilen = insn->length;
770 auprobe->branch.offs = insn->immediate.value;
772 auprobe->ops = &branch_xol_ops;
776 /* Returns -ENOSYS if push_xol_ops doesn't handle this insn */
777 static int push_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
779 u8 opc1 = OPCODE1(insn), reg_offset = 0;
781 if (opc1 < 0x50 || opc1 > 0x57)
784 if (insn->length > 2)
786 if (insn->length == 2) {
787 /* only support rex_prefix 0x41 (x64 only) */
789 if (insn->rex_prefix.nbytes != 1 ||
790 insn->rex_prefix.bytes[0] != 0x41)
795 reg_offset = offsetof(struct pt_regs, r8);
798 reg_offset = offsetof(struct pt_regs, r9);
801 reg_offset = offsetof(struct pt_regs, r10);
804 reg_offset = offsetof(struct pt_regs, r11);
807 reg_offset = offsetof(struct pt_regs, r12);
810 reg_offset = offsetof(struct pt_regs, r13);
813 reg_offset = offsetof(struct pt_regs, r14);
816 reg_offset = offsetof(struct pt_regs, r15);
825 reg_offset = offsetof(struct pt_regs, ax);
828 reg_offset = offsetof(struct pt_regs, cx);
831 reg_offset = offsetof(struct pt_regs, dx);
834 reg_offset = offsetof(struct pt_regs, bx);
837 reg_offset = offsetof(struct pt_regs, sp);
840 reg_offset = offsetof(struct pt_regs, bp);
843 reg_offset = offsetof(struct pt_regs, si);
846 reg_offset = offsetof(struct pt_regs, di);
851 auprobe->push.reg_offset = reg_offset;
852 auprobe->push.ilen = insn->length;
853 auprobe->ops = &push_xol_ops;
858 * arch_uprobe_analyze_insn - instruction analysis including validity and fixups.
859 * @mm: the probed address space.
860 * @arch_uprobe: the probepoint information.
861 * @addr: virtual address at which to install the probepoint
862 * Return 0 on success or a -ve number on error.
864 int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, unsigned long addr)
867 u8 fix_ip_or_call = UPROBE_FIX_IP;
870 ret = uprobe_init_insn(auprobe, &insn, is_64bit_mm(mm));
874 ret = branch_setup_xol_ops(auprobe, &insn);
878 ret = push_setup_xol_ops(auprobe, &insn);
883 * Figure out which fixups default_post_xol_op() will need to perform,
884 * and annotate defparam->fixups accordingly.
886 switch (OPCODE1(&insn)) {
887 case 0x9d: /* popf */
888 auprobe->defparam.fixups |= UPROBE_FIX_SETF;
890 case 0xc3: /* ret or lret -- ip is correct */
894 case 0xea: /* jmp absolute -- ip is correct */
897 case 0x9a: /* call absolute - Fix return addr, not ip */
898 fix_ip_or_call = UPROBE_FIX_CALL;
901 switch (MODRM_REG(&insn)) {
902 case 2: case 3: /* call or lcall, indirect */
903 fix_ip_or_call = UPROBE_FIX_CALL;
905 case 4: case 5: /* jmp or ljmp, indirect */
911 riprel_analyze(auprobe, &insn);
914 auprobe->defparam.ilen = insn.length;
915 auprobe->defparam.fixups |= fix_ip_or_call;
917 auprobe->ops = &default_xol_ops;
922 * arch_uprobe_pre_xol - prepare to execute out of line.
923 * @auprobe: the probepoint information.
924 * @regs: reflects the saved user state of current task.
926 int arch_uprobe_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
928 struct uprobe_task *utask = current->utask;
930 if (auprobe->ops->pre_xol) {
931 int err = auprobe->ops->pre_xol(auprobe, regs);
936 regs->ip = utask->xol_vaddr;
937 utask->autask.saved_trap_nr = current->thread.trap_nr;
938 current->thread.trap_nr = UPROBE_TRAP_NR;
940 utask->autask.saved_tf = !!(regs->flags & X86_EFLAGS_TF);
941 regs->flags |= X86_EFLAGS_TF;
942 if (test_tsk_thread_flag(current, TIF_BLOCKSTEP))
943 set_task_blockstep(current, false);
949 * If xol insn itself traps and generates a signal(Say,
950 * SIGILL/SIGSEGV/etc), then detect the case where a singlestepped
951 * instruction jumps back to its own address. It is assumed that anything
952 * like do_page_fault/do_trap/etc sets thread.trap_nr != -1.
954 * arch_uprobe_pre_xol/arch_uprobe_post_xol save/restore thread.trap_nr,
955 * arch_uprobe_xol_was_trapped() simply checks that ->trap_nr is not equal to
956 * UPROBE_TRAP_NR == -1 set by arch_uprobe_pre_xol().
958 bool arch_uprobe_xol_was_trapped(struct task_struct *t)
960 if (t->thread.trap_nr != UPROBE_TRAP_NR)
967 * Called after single-stepping. To avoid the SMP problems that can
968 * occur when we temporarily put back the original opcode to
969 * single-step, we single-stepped a copy of the instruction.
971 * This function prepares to resume execution after the single-step.
973 int arch_uprobe_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
975 struct uprobe_task *utask = current->utask;
976 bool send_sigtrap = utask->autask.saved_tf;
979 WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR);
980 current->thread.trap_nr = utask->autask.saved_trap_nr;
982 if (auprobe->ops->post_xol) {
983 err = auprobe->ops->post_xol(auprobe, regs);
986 * Restore ->ip for restart or post mortem analysis.
987 * ->post_xol() must not return -ERESTART unless this
988 * is really possible.
990 regs->ip = utask->vaddr;
991 if (err == -ERESTART)
993 send_sigtrap = false;
997 * arch_uprobe_pre_xol() doesn't save the state of TIF_BLOCKSTEP
998 * so we can get an extra SIGTRAP if we do not clear TF. We need
999 * to examine the opcode to make it right.
1002 send_sig(SIGTRAP, current, 0);
1004 if (!utask->autask.saved_tf)
1005 regs->flags &= ~X86_EFLAGS_TF;
1010 /* callback routine for handling exceptions. */
1011 int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data)
1013 struct die_args *args = data;
1014 struct pt_regs *regs = args->regs;
1015 int ret = NOTIFY_DONE;
1017 /* We are only interested in userspace traps */
1018 if (regs && !user_mode(regs))
1023 if (uprobe_pre_sstep_notifier(regs))
1029 if (uprobe_post_sstep_notifier(regs))
1040 * This function gets called when XOL instruction either gets trapped or
1041 * the thread has a fatal signal. Reset the instruction pointer to its
1042 * probed address for the potential restart or for post mortem analysis.
1044 void arch_uprobe_abort_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
1046 struct uprobe_task *utask = current->utask;
1048 if (auprobe->ops->abort)
1049 auprobe->ops->abort(auprobe, regs);
1051 current->thread.trap_nr = utask->autask.saved_trap_nr;
1052 regs->ip = utask->vaddr;
1053 /* clear TF if it was set by us in arch_uprobe_pre_xol() */
1054 if (!utask->autask.saved_tf)
1055 regs->flags &= ~X86_EFLAGS_TF;
1058 static bool __skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1060 if (auprobe->ops->emulate)
1061 return auprobe->ops->emulate(auprobe, regs);
1065 bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
1067 bool ret = __skip_sstep(auprobe, regs);
1068 if (ret && (regs->flags & X86_EFLAGS_TF))
1069 send_sig(SIGTRAP, current, 0);
1074 arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
1076 int rasize = sizeof_long(regs), nleft;
1077 unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
1079 if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
1082 /* check whether address has been already hijacked */
1083 if (orig_ret_vaddr == trampoline_vaddr)
1084 return orig_ret_vaddr;
1086 nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
1088 return orig_ret_vaddr;
1090 if (nleft != rasize) {
1091 pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n",
1092 current->pid, regs->sp, regs->ip);
1094 force_sig(SIGSEGV, current);
1100 bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
1101 struct pt_regs *regs)
1103 if (ctx == RP_CHECK_CALL) /* sp was just decremented by "call" insn */
1104 return regs->sp < ret->stack;
1106 return regs->sp <= ret->stack;