aboutsummaryrefslogtreecommitdiffstats
path: root/arch
diff options
context:
space:
mode:
authorDavid S. Miller <davem@sunset.davemloft.net>2006-12-10 05:42:03 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-10 05:42:03 -0500
commitf0882589666440d573f657cb3a1d5f66f3caa157 (patch)
treeb2c7d133a0c6140950e928e592cf1f3cf867d4d2 /arch
parent2f149228bb30ea08bfde740178f832d5c9081005 (diff)
[SPARC64]: Fix several kprobes bugs.
- relbranch_fixup(), for non-branches, would end up setting regs->tnpc incorrectly, in fact it would set it equal to regs->tpc which would cause that instruction to execute twice Also, if this is not a PC-relative branch, we should just leave regs->tnpc as-is. This covers cases like 'jmpl' which branch to absolute values. - To be absolutely %100 safe, we need to flush the instruction cache for all assignments to kprobe->ainsn.insn[], including cases like add_aggr_kprobe() - prev_kprobe's status field needs to be 'unsigned long' to match the type of the value it is saving - jprobes were totally broken: = jprobe_return() can run in the stack frame of the jprobe handler, or in an even deeper stack frame, thus we'll be in the wrong register window than the one from the original probe state. So unwind using 'restore' instructions, if necessary, right before we do the jprobe_return() breakpoint trap. = There is no reason to save/restore the register window saved at %sp at jprobe trigger time. Those registers cannot be modified by the jprobe handler. Also, this code was saving and restoring "sizeof (struct sparc_stackf)" bytes. Depending upon the caller, this could clobber unrelated stack frame pieces if there is only a basic 128-byte register window stored on the stack, without the argument save area. So just saving and restoring struct pt_regs is sufficient. = Kill the "jprobe_saved_esp", totally unused. Also, delete "jprobe_saved_regs_location", with the stack frame unwind now done explicitly by jprobe_return(), this check is superfluous. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch')
-rw-r--r--arch/sparc64/kernel/kprobes.c91
1 files changed, 43 insertions, 48 deletions
diff --git a/arch/sparc64/kernel/kprobes.c b/arch/sparc64/kernel/kprobes.c
index 8e75ed762fd8..ae221f0d4a6f 100644
--- a/arch/sparc64/kernel/kprobes.c
+++ b/arch/sparc64/kernel/kprobes.c
@@ -45,7 +45,11 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
45int __kprobes arch_prepare_kprobe(struct kprobe *p) 45int __kprobes arch_prepare_kprobe(struct kprobe *p)
46{ 46{
47 p->ainsn.insn[0] = *p->addr; 47 p->ainsn.insn[0] = *p->addr;
48 flushi(&p->ainsn.insn[0]);
49
48 p->ainsn.insn[1] = BREAKPOINT_INSTRUCTION_2; 50 p->ainsn.insn[1] = BREAKPOINT_INSTRUCTION_2;
51 flushi(&p->ainsn.insn[1]);
52
49 p->opcode = *p->addr; 53 p->opcode = *p->addr;
50 return 0; 54 return 0;
51} 55}
@@ -185,16 +189,19 @@ no_kprobe:
185/* If INSN is a relative control transfer instruction, 189/* If INSN is a relative control transfer instruction,
186 * return the corrected branch destination value. 190 * return the corrected branch destination value.
187 * 191 *
188 * The original INSN location was REAL_PC, it actually 192 * regs->tpc and regs->tnpc still hold the values of the
189 * executed at PC and produced destination address NPC. 193 * program counters at the time of trap due to the execution
194 * of the BREAKPOINT_INSTRUCTION_2 at p->ainsn.insn[1]
195 *
190 */ 196 */
191static unsigned long __kprobes relbranch_fixup(u32 insn, unsigned long real_pc, 197static unsigned long __kprobes relbranch_fixup(u32 insn, struct kprobe *p,
192 unsigned long pc, 198 struct pt_regs *regs)
193 unsigned long npc)
194{ 199{
200 unsigned long real_pc = (unsigned long) p->addr;
201
195 /* Branch not taken, no mods necessary. */ 202 /* Branch not taken, no mods necessary. */
196 if (npc == pc + 0x4UL) 203 if (regs->tnpc == regs->tpc + 0x4UL)
197 return real_pc + 0x4UL; 204 return real_pc + 0x8UL;
198 205
199 /* The three cases are call, branch w/prediction, 206 /* The three cases are call, branch w/prediction,
200 * and traditional branch. 207 * and traditional branch.
@@ -202,14 +209,21 @@ static unsigned long __kprobes relbranch_fixup(u32 insn, unsigned long real_pc,
202 if ((insn & 0xc0000000) == 0x40000000 || 209 if ((insn & 0xc0000000) == 0x40000000 ||
203 (insn & 0xc1c00000) == 0x00400000 || 210 (insn & 0xc1c00000) == 0x00400000 ||
204 (insn & 0xc1c00000) == 0x00800000) { 211 (insn & 0xc1c00000) == 0x00800000) {
212 unsigned long ainsn_addr;
213
214 ainsn_addr = (unsigned long) &p->ainsn.insn[0];
215
205 /* The instruction did all the work for us 216 /* The instruction did all the work for us
206 * already, just apply the offset to the correct 217 * already, just apply the offset to the correct
207 * instruction location. 218 * instruction location.
208 */ 219 */
209 return (real_pc + (npc - pc)); 220 return (real_pc + (regs->tnpc - ainsn_addr));
210 } 221 }
211 222
212 return real_pc + 0x4UL; 223 /* It is jmpl or some other absolute PC modification instruction,
224 * leave NPC as-is.
225 */
226 return regs->tnpc;
213} 227}
214 228
215/* If INSN is an instruction which writes it's PC location 229/* If INSN is an instruction which writes it's PC location
@@ -220,12 +234,12 @@ static void __kprobes retpc_fixup(struct pt_regs *regs, u32 insn,
220{ 234{
221 unsigned long *slot = NULL; 235 unsigned long *slot = NULL;
222 236
223 /* Simplest cast is call, which always uses %o7 */ 237 /* Simplest case is 'call', which always uses %o7 */
224 if ((insn & 0xc0000000) == 0x40000000) { 238 if ((insn & 0xc0000000) == 0x40000000) {
225 slot = &regs->u_regs[UREG_I7]; 239 slot = &regs->u_regs[UREG_I7];
226 } 240 }
227 241
228 /* Jmpl encodes the register inside of the opcode */ 242 /* 'jmpl' encodes the register inside of the opcode */
229 if ((insn & 0xc1f80000) == 0x81c00000) { 243 if ((insn & 0xc1f80000) == 0x81c00000) {
230 unsigned long rd = ((insn >> 25) & 0x1f); 244 unsigned long rd = ((insn >> 25) & 0x1f);
231 245
@@ -247,11 +261,11 @@ static void __kprobes retpc_fixup(struct pt_regs *regs, u32 insn,
247 261
248/* 262/*
249 * Called after single-stepping. p->addr is the address of the 263 * Called after single-stepping. p->addr is the address of the
250 * instruction whose first byte has been replaced by the breakpoint 264 * instruction which has been replaced by the breakpoint
251 * instruction. To avoid the SMP problems that can occur when we 265 * instruction. To avoid the SMP problems that can occur when we
252 * temporarily put back the original opcode to single-step, we 266 * temporarily put back the original opcode to single-step, we
253 * single-stepped a copy of the instruction. The address of this 267 * single-stepped a copy of the instruction. The address of this
254 * copy is p->ainsn.insn. 268 * copy is &p->ainsn.insn[0].
255 * 269 *
256 * This function prepares to return from the post-single-step 270 * This function prepares to return from the post-single-step
257 * breakpoint trap. 271 * breakpoint trap.
@@ -261,11 +275,11 @@ static void __kprobes resume_execution(struct kprobe *p,
261{ 275{
262 u32 insn = p->ainsn.insn[0]; 276 u32 insn = p->ainsn.insn[0];
263 277
278 regs->tnpc = relbranch_fixup(insn, p, regs);
279
280 /* This assignment must occur after relbranch_fixup() */
264 regs->tpc = kcb->kprobe_orig_tnpc; 281 regs->tpc = kcb->kprobe_orig_tnpc;
265 regs->tnpc = relbranch_fixup(insn, 282
266 (unsigned long) p->addr,
267 (unsigned long) &p->ainsn.insn[0],
268 regs->tnpc);
269 retpc_fixup(regs, insn, (unsigned long) p->addr); 283 retpc_fixup(regs, insn, (unsigned long) p->addr);
270 284
271 regs->tstate = ((regs->tstate & ~TSTATE_PIL) | 285 regs->tstate = ((regs->tstate & ~TSTATE_PIL) |
@@ -430,17 +444,8 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
430 struct jprobe *jp = container_of(p, struct jprobe, kp); 444 struct jprobe *jp = container_of(p, struct jprobe, kp);
431 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 445 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
432 446
433 kcb->jprobe_saved_regs_location = regs;
434 memcpy(&(kcb->jprobe_saved_regs), regs, sizeof(*regs)); 447 memcpy(&(kcb->jprobe_saved_regs), regs, sizeof(*regs));
435 448
436 /* Save a whole stack frame, this gets arguments
437 * pushed onto the stack after using up all the
438 * arg registers.
439 */
440 memcpy(&(kcb->jprobe_saved_stack),
441 (char *) (regs->u_regs[UREG_FP] + STACK_BIAS),
442 sizeof(kcb->jprobe_saved_stack));
443
444 regs->tpc = (unsigned long) jp->entry; 449 regs->tpc = (unsigned long) jp->entry;
445 regs->tnpc = ((unsigned long) jp->entry) + 0x4UL; 450 regs->tnpc = ((unsigned long) jp->entry) + 0x4UL;
446 regs->tstate |= TSTATE_PIL; 451 regs->tstate |= TSTATE_PIL;
@@ -450,10 +455,19 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
450 455
451void __kprobes jprobe_return(void) 456void __kprobes jprobe_return(void)
452{ 457{
453 __asm__ __volatile__( 458 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
454 ".globl jprobe_return_trap_instruction\n" 459 register unsigned long orig_fp asm("g1");
460
461 orig_fp = kcb->jprobe_saved_regs.u_regs[UREG_FP];
462 __asm__ __volatile__("\n"
463"1: cmp %%sp, %0\n\t"
464 "blu,a,pt %%xcc, 1b\n\t"
465 " restore\n\t"
466 ".globl jprobe_return_trap_instruction\n"
455"jprobe_return_trap_instruction:\n\t" 467"jprobe_return_trap_instruction:\n\t"
456 "ta 0x70"); 468 "ta 0x70"
469 : /* no outputs */
470 : "r" (orig_fp));
457} 471}
458 472
459extern void jprobe_return_trap_instruction(void); 473extern void jprobe_return_trap_instruction(void);
@@ -466,26 +480,7 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
466 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); 480 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
467 481
468 if (addr == (u32 *) jprobe_return_trap_instruction) { 482 if (addr == (u32 *) jprobe_return_trap_instruction) {
469 if (kcb->jprobe_saved_regs_location != regs) {
470 printk("JPROBE: Current regs (%p) does not match "
471 "saved regs (%p).\n",
472 regs, kcb->jprobe_saved_regs_location);
473 printk("JPROBE: Saved registers\n");
474 __show_regs(kcb->jprobe_saved_regs_location);
475 printk("JPROBE: Current registers\n");
476 __show_regs(regs);
477 BUG();
478 }
479 /* Restore old register state. Do pt_regs
480 * first so that UREG_FP is the original one for
481 * the stack frame restore.
482 */
483 memcpy(regs, &(kcb->jprobe_saved_regs), sizeof(*regs)); 483 memcpy(regs, &(kcb->jprobe_saved_regs), sizeof(*regs));
484
485 memcpy((char *) (regs->u_regs[UREG_FP] + STACK_BIAS),
486 &(kcb->jprobe_saved_stack),
487 sizeof(kcb->jprobe_saved_stack));
488
489 preempt_enable_no_resched(); 484 preempt_enable_no_resched();
490 return 1; 485 return 1;
491 } 486 }