2020-12-17 16:01:42 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0+
|
|
|
|
|
|
2021-09-14 23:39:25 +09:00
|
|
|
#define pr_fmt(fmt) "kprobes: " fmt
|
|
|
|
|
|
2020-12-17 16:01:42 +00:00
|
|
|
#include <linux/kprobes.h>
|
|
|
|
|
#include <linux/extable.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/stop_machine.h>
|
2024-03-21 09:36:23 -07:00
|
|
|
#include <linux/vmalloc.h>
|
2020-12-17 16:01:42 +00:00
|
|
|
#include <asm/ptrace.h>
|
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
|
#include <asm/sections.h>
|
|
|
|
|
#include <asm/cacheflush.h>
|
|
|
|
|
#include <asm/bug.h>
|
2024-10-23 19:27:06 +03:00
|
|
|
#include <asm/text-patching.h>
|
2020-12-17 16:01:42 +00:00
|
|
|
|
|
|
|
|
#include "decode-insn.h"
|
|
|
|
|
|
|
|
|
|
DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
|
|
|
|
|
DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
|
|
|
|
|
|
|
|
|
|
static void __kprobes
|
2021-04-19 00:29:19 +08:00
|
|
|
post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
|
2020-12-17 16:01:42 +00:00
|
|
|
|
|
|
|
|
static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
|
|
|
|
|
{
|
2024-03-27 09:04:44 -07:00
|
|
|
size_t len = GET_INSN_LENGTH(p->opcode);
|
2023-02-15 21:52:02 +08:00
|
|
|
u32 insn = __BUG_INSN_32;
|
2020-12-17 16:01:42 +00:00
|
|
|
|
2024-03-27 09:04:44 -07:00
|
|
|
p->ainsn.api.restore = (unsigned long)p->addr + len;
|
2020-12-17 16:01:42 +00:00
|
|
|
|
2024-03-27 09:04:44 -07:00
|
|
|
patch_text_nosync(p->ainsn.api.insn, &p->opcode, len);
|
2024-11-19 12:10:56 +01:00
|
|
|
patch_text_nosync((void *)p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn));
|
2020-12-17 16:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes arch_prepare_simulate(struct kprobe *p)
|
|
|
|
|
{
|
|
|
|
|
p->ainsn.api.restore = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
|
|
|
|
|
|
|
|
|
|
if (p->ainsn.api.handler)
|
|
|
|
|
p->ainsn.api.handler((u32)p->opcode,
|
|
|
|
|
(unsigned long)p->addr, regs);
|
|
|
|
|
|
2021-04-19 00:29:19 +08:00
|
|
|
post_kprobe_handler(p, kcb, regs);
|
2020-12-17 16:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
2023-01-31 23:06:04 -05:00
|
|
|
static bool __kprobes arch_check_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
|
|
|
|
unsigned long tmp = (unsigned long)p->addr - p->offset;
|
|
|
|
|
unsigned long addr = (unsigned long)p->addr;
|
|
|
|
|
|
|
|
|
|
while (tmp <= addr) {
|
|
|
|
|
if (tmp == addr)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
tmp += GET_INSN_LENGTH(*(u16 *)tmp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 16:01:42 +00:00
|
|
|
int __kprobes arch_prepare_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
2023-02-04 01:35:31 -05:00
|
|
|
u16 *insn = (u16 *)p->addr;
|
2020-12-17 16:01:42 +00:00
|
|
|
|
2023-02-04 01:35:31 -05:00
|
|
|
if ((unsigned long)insn & 0x1)
|
2021-09-14 23:39:25 +09:00
|
|
|
return -EILSEQ;
|
2020-12-17 16:01:42 +00:00
|
|
|
|
2023-01-31 23:06:04 -05:00
|
|
|
if (!arch_check_kprobe(p))
|
|
|
|
|
return -EILSEQ;
|
|
|
|
|
|
2020-12-17 16:01:42 +00:00
|
|
|
/* copy instruction */
|
2023-02-04 01:35:31 -05:00
|
|
|
p->opcode = (kprobe_opcode_t)(*insn++);
|
|
|
|
|
if (GET_INSN_LENGTH(p->opcode) == 4)
|
|
|
|
|
p->opcode |= (kprobe_opcode_t)(*insn) << 16;
|
2020-12-17 16:01:42 +00:00
|
|
|
|
|
|
|
|
/* decode instruction */
|
|
|
|
|
switch (riscv_probe_decode_insn(p->addr, &p->ainsn.api)) {
|
|
|
|
|
case INSN_REJECTED: /* insn not supported */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
case INSN_GOOD_NO_SLOT: /* insn need simulation */
|
|
|
|
|
p->ainsn.api.insn = NULL;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case INSN_GOOD: /* instruction uses slot */
|
|
|
|
|
p->ainsn.api.insn = get_insn_slot();
|
|
|
|
|
if (!p->ainsn.api.insn)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* prepare the instruction */
|
|
|
|
|
if (p->ainsn.api.insn)
|
|
|
|
|
arch_prepare_ss_slot(p);
|
|
|
|
|
else
|
|
|
|
|
arch_prepare_simulate(p);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* install breakpoint in text */
|
|
|
|
|
void __kprobes arch_arm_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
2024-03-27 09:04:44 -07:00
|
|
|
size_t len = GET_INSN_LENGTH(p->opcode);
|
|
|
|
|
u32 insn = len == 4 ? __BUG_INSN_32 : __BUG_INSN_16;
|
2023-02-15 21:52:02 +08:00
|
|
|
|
2024-03-27 09:04:44 -07:00
|
|
|
patch_text(p->addr, &insn, len);
|
2020-12-17 16:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* remove breakpoint from text */
|
|
|
|
|
void __kprobes arch_disarm_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
2024-03-27 09:04:44 -07:00
|
|
|
size_t len = GET_INSN_LENGTH(p->opcode);
|
|
|
|
|
|
|
|
|
|
patch_text(p->addr, &p->opcode, len);
|
2020-12-17 16:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void __kprobes arch_remove_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes save_previous_kprobe(struct kprobe_ctlblk *kcb)
|
|
|
|
|
{
|
|
|
|
|
kcb->prev_kprobe.kp = kprobe_running();
|
|
|
|
|
kcb->prev_kprobe.status = kcb->kprobe_status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes restore_previous_kprobe(struct kprobe_ctlblk *kcb)
|
|
|
|
|
{
|
|
|
|
|
__this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
|
|
|
|
|
kcb->kprobe_status = kcb->prev_kprobe.status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes set_current_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
|
|
|
|
__this_cpu_write(current_kprobe, p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Interrupts need to be disabled before single-step mode is set, and not
|
|
|
|
|
* reenabled until after single-step mode ends.
|
|
|
|
|
* Without disabling interrupt on local CPU, there is a chance of
|
|
|
|
|
* interrupt occurrence in the period of exception return and start of
|
|
|
|
|
* out-of-line single-step, that result in wrongly single stepping
|
|
|
|
|
* into the interrupt handler.
|
|
|
|
|
*/
|
|
|
|
|
static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb,
|
|
|
|
|
struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
kcb->saved_status = regs->status;
|
|
|
|
|
regs->status &= ~SR_SPIE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb,
|
|
|
|
|
struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
regs->status = kcb->saved_status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes setup_singlestep(struct kprobe *p,
|
|
|
|
|
struct pt_regs *regs,
|
|
|
|
|
struct kprobe_ctlblk *kcb, int reenter)
|
|
|
|
|
{
|
|
|
|
|
unsigned long slot;
|
|
|
|
|
|
|
|
|
|
if (reenter) {
|
|
|
|
|
save_previous_kprobe(kcb);
|
|
|
|
|
set_current_kprobe(p);
|
|
|
|
|
kcb->kprobe_status = KPROBE_REENTER;
|
|
|
|
|
} else {
|
|
|
|
|
kcb->kprobe_status = KPROBE_HIT_SS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p->ainsn.api.insn) {
|
|
|
|
|
/* prepare for single stepping */
|
|
|
|
|
slot = (unsigned long)p->ainsn.api.insn;
|
|
|
|
|
|
|
|
|
|
/* IRQs and single stepping do not mix well. */
|
|
|
|
|
kprobes_save_local_irqflag(kcb, regs);
|
|
|
|
|
|
|
|
|
|
instruction_pointer_set(regs, slot);
|
|
|
|
|
} else {
|
|
|
|
|
/* insn simulation */
|
|
|
|
|
arch_simulate_insn(p, regs);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int __kprobes reenter_kprobe(struct kprobe *p,
|
|
|
|
|
struct pt_regs *regs,
|
|
|
|
|
struct kprobe_ctlblk *kcb)
|
|
|
|
|
{
|
|
|
|
|
switch (kcb->kprobe_status) {
|
|
|
|
|
case KPROBE_HIT_SSDONE:
|
|
|
|
|
case KPROBE_HIT_ACTIVE:
|
|
|
|
|
kprobes_inc_nmissed_count(p);
|
|
|
|
|
setup_singlestep(p, regs, kcb, 1);
|
|
|
|
|
break;
|
|
|
|
|
case KPROBE_HIT_SS:
|
|
|
|
|
case KPROBE_REENTER:
|
2021-09-14 23:39:25 +09:00
|
|
|
pr_warn("Failed to recover from reentered kprobes.\n");
|
2020-12-17 16:01:42 +00:00
|
|
|
dump_kprobe(p);
|
|
|
|
|
BUG();
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
WARN_ON(1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __kprobes
|
2021-04-19 00:29:19 +08:00
|
|
|
post_kprobe_handler(struct kprobe *cur, struct kprobe_ctlblk *kcb, struct pt_regs *regs)
|
2020-12-17 16:01:42 +00:00
|
|
|
{
|
|
|
|
|
/* return addr restore if non-branching insn */
|
|
|
|
|
if (cur->ainsn.api.restore != 0)
|
|
|
|
|
regs->epc = cur->ainsn.api.restore;
|
|
|
|
|
|
|
|
|
|
/* restore back original saved kprobe variables and continue */
|
|
|
|
|
if (kcb->kprobe_status == KPROBE_REENTER) {
|
|
|
|
|
restore_previous_kprobe(kcb);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* call post handler */
|
|
|
|
|
kcb->kprobe_status = KPROBE_HIT_SSDONE;
|
|
|
|
|
if (cur->post_handler) {
|
|
|
|
|
/* post_handler can hit breakpoint and single step
|
|
|
|
|
* again, so we enable D-flag for recursive exception.
|
|
|
|
|
*/
|
|
|
|
|
cur->post_handler(cur, regs, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
reset_current_kprobe();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int trapnr)
|
|
|
|
|
{
|
|
|
|
|
struct kprobe *cur = kprobe_running();
|
|
|
|
|
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
|
|
|
|
|
|
|
|
|
|
switch (kcb->kprobe_status) {
|
|
|
|
|
case KPROBE_HIT_SS:
|
|
|
|
|
case KPROBE_REENTER:
|
|
|
|
|
/*
|
|
|
|
|
* We are here because the instruction being single
|
|
|
|
|
* stepped caused a page fault. We reset the current
|
|
|
|
|
* kprobe and the ip points back to the probe address
|
|
|
|
|
* and allow the page fault handler to continue as a
|
|
|
|
|
* normal page fault.
|
|
|
|
|
*/
|
|
|
|
|
regs->epc = (unsigned long) cur->addr;
|
2021-02-28 12:10:22 +01:00
|
|
|
BUG_ON(!instruction_pointer(regs));
|
2020-12-17 16:01:42 +00:00
|
|
|
|
|
|
|
|
if (kcb->kprobe_status == KPROBE_REENTER)
|
|
|
|
|
restore_previous_kprobe(kcb);
|
riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe
The execution of sys_read end up hitting a BUG_ON() in __find_get_block
after installing kprobe at sys_read, the BUG message like the following:
[ 65.708663] ------------[ cut here ]------------
[ 65.709987] kernel BUG at fs/buffer.c:1251!
[ 65.711283] Kernel BUG [#1]
[ 65.712032] Modules linked in:
[ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1
[ 65.714407] Hardware name: riscv-virtio,qemu (DT)
[ 65.715696] epc : __find_get_block+0x218/0x2c8
[ 65.716835] ra : __getblk_gfp+0x1c/0x4a
[ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930
[ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038
[ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960
[ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a
[ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040
[ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000
[ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008
[ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8
[ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008
[ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f
[ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000
[ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 65.734901] Call Trace:
[ 65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8
[ 65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6
[ 65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a
[ 65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c
[ 65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e
[ 65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66
[ 65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da
[ 65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150
[ 65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246
[ 65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114
[ 65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea
[ 65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a
[ 65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2
[ 65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8
[ 65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16
[ 65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2
[ 65.738858] ---[ end trace fe93f985456c935d ]---
A simple reproducer looks like:
echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events
echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
cat /sys/kernel/debug/tracing/trace
Here's what happens to hit that BUG_ON():
1) After installing kprobe at entry of sys_read, the first instruction
is replaced by 'ebreak' instruction on riscv64 platform.
2) Once kernel reach the 'ebreak' instruction at the entry of sys_read,
it trap into the riscv breakpoint handler, where it do something to
setup for coming single-step of origin instruction, including backup
the 'sstatus' in pt_regs, followed by disable interrupt during single
stepping via clear 'SIE' bit of 'sstatus' in pt_regs.
3) Then kernel restore to the instruction slot contains two instructions,
one is original instruction at entry of sys_read, the other is 'ebreak'.
Here it trigger a 'Instruction page fault' exception (value at 'scause'
is '0xc'), if PF is not filled into PageTabe for that slot yet.
4) Again kernel trap into page fault exception handler, where it choose
different policy according to the state of running kprobe. Because
afte 2) the state is KPROBE_HIT_SS, so kernel reset the current kprobe
and 'pc' points back to the probe address.
5) Because 'epc' point back to 'ebreak' instrution at sys_read probe,
kernel trap into breakpoint handler again, and repeat the operations
at 2), however 'sstatus' without 'SIE' is keep at 4), it cause the
real 'sstatus' saved at 2) is overwritten by the one withou 'SIE'.
6) When kernel cross the probe the 'sstatus' CSR restore with value
without 'SIE', and reach __find_get_block where it requires the
interrupt must be enabled.
Fix this is very trivial, just restore the value of 'sstatus' in pt_regs
with backup one at 2) when the instruction being single stepped cause a
page fault.
Fixes: c22b0bcb1dd02 ("riscv: Add kprobes supported")
Signed-off-by: Liao Chang <liaochang1@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
2021-03-30 16:18:48 +08:00
|
|
|
else {
|
|
|
|
|
kprobes_restore_local_irqflag(kcb, regs);
|
2020-12-17 16:01:42 +00:00
|
|
|
reset_current_kprobe();
|
riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe
The execution of sys_read end up hitting a BUG_ON() in __find_get_block
after installing kprobe at sys_read, the BUG message like the following:
[ 65.708663] ------------[ cut here ]------------
[ 65.709987] kernel BUG at fs/buffer.c:1251!
[ 65.711283] Kernel BUG [#1]
[ 65.712032] Modules linked in:
[ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1
[ 65.714407] Hardware name: riscv-virtio,qemu (DT)
[ 65.715696] epc : __find_get_block+0x218/0x2c8
[ 65.716835] ra : __getblk_gfp+0x1c/0x4a
[ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930
[ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038
[ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960
[ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a
[ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040
[ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000
[ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008
[ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8
[ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008
[ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f
[ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000
[ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 65.734901] Call Trace:
[ 65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8
[ 65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6
[ 65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a
[ 65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c
[ 65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e
[ 65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66
[ 65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da
[ 65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150
[ 65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246
[ 65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114
[ 65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea
[ 65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a
[ 65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2
[ 65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8
[ 65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16
[ 65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2
[ 65.738858] ---[ end trace fe93f985456c935d ]---
A simple reproducer looks like:
echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events
echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
cat /sys/kernel/debug/tracing/trace
Here's what happens to hit that BUG_ON():
1) After installing kprobe at entry of sys_read, the first instruction
is replaced by 'ebreak' instruction on riscv64 platform.
2) Once kernel reach the 'ebreak' instruction at the entry of sys_read,
it trap into the riscv breakpoint handler, where it do something to
setup for coming single-step of origin instruction, including backup
the 'sstatus' in pt_regs, followed by disable interrupt during single
stepping via clear 'SIE' bit of 'sstatus' in pt_regs.
3) Then kernel restore to the instruction slot contains two instructions,
one is original instruction at entry of sys_read, the other is 'ebreak'.
Here it trigger a 'Instruction page fault' exception (value at 'scause'
is '0xc'), if PF is not filled into PageTabe for that slot yet.
4) Again kernel trap into page fault exception handler, where it choose
different policy according to the state of running kprobe. Because
afte 2) the state is KPROBE_HIT_SS, so kernel reset the current kprobe
and 'pc' points back to the probe address.
5) Because 'epc' point back to 'ebreak' instrution at sys_read probe,
kernel trap into breakpoint handler again, and repeat the operations
at 2), however 'sstatus' without 'SIE' is keep at 4), it cause the
real 'sstatus' saved at 2) is overwritten by the one withou 'SIE'.
6) When kernel cross the probe the 'sstatus' CSR restore with value
without 'SIE', and reach __find_get_block where it requires the
interrupt must be enabled.
Fix this is very trivial, just restore the value of 'sstatus' in pt_regs
with backup one at 2) when the instruction being single stepped cause a
page fault.
Fixes: c22b0bcb1dd02 ("riscv: Add kprobes supported")
Signed-off-by: Liao Chang <liaochang1@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
2021-03-30 16:18:48 +08:00
|
|
|
}
|
2020-12-17 16:01:42 +00:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
case KPROBE_HIT_ACTIVE:
|
|
|
|
|
case KPROBE_HIT_SSDONE:
|
|
|
|
|
/*
|
|
|
|
|
* In case the user-specified fault handler returned
|
|
|
|
|
* zero, try to fix up.
|
|
|
|
|
*/
|
|
|
|
|
if (fixup_exception(regs))
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool __kprobes
|
|
|
|
|
kprobe_breakpoint_handler(struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
struct kprobe *p, *cur_kprobe;
|
|
|
|
|
struct kprobe_ctlblk *kcb;
|
|
|
|
|
unsigned long addr = instruction_pointer(regs);
|
|
|
|
|
|
|
|
|
|
kcb = get_kprobe_ctlblk();
|
|
|
|
|
cur_kprobe = kprobe_running();
|
|
|
|
|
|
|
|
|
|
p = get_kprobe((kprobe_opcode_t *) addr);
|
|
|
|
|
|
|
|
|
|
if (p) {
|
|
|
|
|
if (cur_kprobe) {
|
|
|
|
|
if (reenter_kprobe(p, regs, kcb))
|
|
|
|
|
return true;
|
|
|
|
|
} else {
|
|
|
|
|
/* Probe hit */
|
|
|
|
|
set_current_kprobe(p);
|
|
|
|
|
kcb->kprobe_status = KPROBE_HIT_ACTIVE;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we have no pre-handler or it returned 0, we
|
|
|
|
|
* continue with normal processing. If we have a
|
|
|
|
|
* pre-handler and it returned non-zero, it will
|
|
|
|
|
* modify the execution path and no need to single
|
|
|
|
|
* stepping. Let's just reset current kprobe and exit.
|
|
|
|
|
*
|
|
|
|
|
* pre_handler can hit a breakpoint and can step thru
|
|
|
|
|
* before return.
|
|
|
|
|
*/
|
|
|
|
|
if (!p->pre_handler || !p->pre_handler(p, regs))
|
|
|
|
|
setup_singlestep(p, regs, kcb, 0);
|
|
|
|
|
else
|
|
|
|
|
reset_current_kprobe();
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The breakpoint instruction was removed right
|
|
|
|
|
* after we hit it. Another cpu has removed
|
|
|
|
|
* either a probepoint or a debugger breakpoint
|
|
|
|
|
* at this address. In either case, no further
|
|
|
|
|
* handling of this interrupt is appropriate.
|
|
|
|
|
* Return back to original instruction, and continue.
|
|
|
|
|
*/
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool __kprobes
|
|
|
|
|
kprobe_single_step_handler(struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
|
2021-04-19 00:29:19 +08:00
|
|
|
unsigned long addr = instruction_pointer(regs);
|
|
|
|
|
struct kprobe *cur = kprobe_running();
|
2020-12-17 16:01:42 +00:00
|
|
|
|
2021-04-19 00:29:19 +08:00
|
|
|
if (cur && (kcb->kprobe_status & (KPROBE_HIT_SS | KPROBE_REENTER)) &&
|
|
|
|
|
((unsigned long)&cur->ainsn.api.insn[0] + GET_INSN_LENGTH(cur->opcode) == addr)) {
|
2020-12-17 16:01:42 +00:00
|
|
|
kprobes_restore_local_irqflag(kcb, regs);
|
2021-04-19 00:29:19 +08:00
|
|
|
post_kprobe_handler(cur, kcb, regs);
|
2020-12-17 16:01:42 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
2021-04-19 00:29:19 +08:00
|
|
|
/* not ours, kprobes should ignore it */
|
2020-12-17 16:01:42 +00:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Provide a blacklist of symbols identifying ranges which cannot be kprobed.
|
|
|
|
|
* This blacklist is exposed to userspace via debugfs (kprobes/blacklist).
|
|
|
|
|
*/
|
|
|
|
|
int __init arch_populate_kprobe_blacklist(void)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
ret = kprobe_add_area_blacklist((unsigned long)__irqentry_text_start,
|
|
|
|
|
(unsigned long)__irqentry_text_end);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int __kprobes arch_trampoline_kprobe(struct kprobe *p)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int __init arch_init_kprobes(void)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|