13 files changed, 448 insertions, 296 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index acb664397945..eef3bbb97075 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -128,6 +128,9 @@ config HAVE_DEFAULT_NO_SPIN_MUTEXES
 config HAVE_HW_BREAKPOINT
        bool
+        depends on HAVE_PERF_EVENTS
+        select ANON_INODES
+        select PERF_EVENTS
 source "kernel/gcov/Kconfig"
diff --git a/arch/x86/include/asm/Kbuild b/arch/x86/include/asm/Kbuild
index 4a8e80cdcfa5..9f828f87ca35 100644
--- a/arch/x86/include/asm/Kbuild
+++ b/arch/x86/include/asm/Kbuild
@@ -10,6 +10,7 @@ header-y += ptrace-abi.h
 header-y += sigcontext32.h
 header-y += ucontext.h
 header-y += processor-flags.h
+header-y += hw_breakpoint.h
 unifdef-y += e820.h
 unifdef-y += ist.h
diff --git a/arch/x86/include/asm/debugreg.h b/arch/x86/include/asm/debugreg.h
index 23439fbb1d0e..9a3333c91f9a 100644
--- a/arch/x86/include/asm/debugreg.h
+++ b/arch/x86/include/asm/debugreg.h
@@ -75,13 +75,8 @@
 */
 #ifdef __KERNEL__
-/* For process management */
+DECLARE_PER_CPU(unsigned long, dr7);
-extern void flush_thread_hw_breakpoint(struct task_struct *tsk);
-extern int copy_thread_hw_breakpoint(struct task_struct *tsk,
-                struct task_struct *child, unsigned long clone_flags);
-/* For CPU management */
-extern void load_debug_registers(void);
 static inline void hw_breakpoint_disable(void)
 {
        /* Zero the control register for HW Breakpoint */
@@ -94,6 +89,10 @@ static inline void hw_breakpoint_disable(void)
        set_debugreg(0UL, 3);
 }
+#ifdef CONFIG_KVM
+extern void hw_breakpoint_restore(void);
+#endif
 #endif  /* __KERNEL__ */
 #endif /* _ASM_X86_DEBUGREG_H */
diff --git a/arch/x86/include/asm/hw_breakpoint.h b/arch/x86/include/asm/hw_breakpoint.h
index 3cfca8e2b5f6..0675a7c4c20e 100644
--- a/arch/x86/include/asm/hw_breakpoint.h
+++ b/arch/x86/include/asm/hw_breakpoint.h
@@ -4,6 +4,11 @@
 #ifdef  __KERNEL__
 #define __ARCH_HW_BREAKPOINT_H
+/*
+ * The name should probably be something dealt in
+ * a higher level. While dealing with the user
+ * (display/resolving)
+ */
 struct arch_hw_breakpoint {
        char            *name; /* Contains name of the symbol to set bkpt */
        unsigned long   address;
@@ -12,44 +17,57 @@ struct arch_hw_breakpoint {
 };
 #include <linux/kdebug.h>
-#include <linux/hw_breakpoint.h>
+#include <linux/percpu.h>
+#include <linux/list.h>
 /* Available HW breakpoint length encodings */
-#define HW_BREAKPOINT_LEN_1             0x40
+#define X86_BREAKPOINT_LEN_1            0x40
-#define HW_BREAKPOINT_LEN_2             0x44
+#define X86_BREAKPOINT_LEN_2            0x44
-#define HW_BREAKPOINT_LEN_4             0x4c
+#define X86_BREAKPOINT_LEN_4            0x4c
-#define HW_BREAKPOINT_LEN_EXECUTE       0x40
+#define X86_BREAKPOINT_LEN_EXECUTE      0x40
 #ifdef CONFIG_X86_64
-#define HW_BREAKPOINT_LEN_8             0x48
+#define X86_BREAKPOINT_LEN_8            0x48
 #endif
 /* Available HW breakpoint type encodings */
 /* trigger on instruction execute */
-#define HW_BREAKPOINT_EXECUTE   0x80
+#define X86_BREAKPOINT_EXECUTE  0x80
 /* trigger on memory write */
-#define HW_BREAKPOINT_WRITE     0x81
+#define X86_BREAKPOINT_WRITE    0x81
 /* trigger on memory read or write */
-#define HW_BREAKPOINT_RW        0x83
+#define X86_BREAKPOINT_RW       0x83
 /* Total number of available HW breakpoint registers */
 #define HBP_NUM 4
-extern struct hw_breakpoint *hbp_kernel[HBP_NUM];
+struct perf_event;
-DECLARE_PER_CPU(struct hw_breakpoint*, this_hbp_kernel[HBP_NUM]);
+struct pmu;
-extern unsigned int hbp_user_refcount[HBP_NUM];
-extern void arch_install_thread_hw_breakpoint(struct task_struct *tsk);
-extern void arch_uninstall_thread_hw_breakpoint(void);
 extern int arch_check_va_in_userspace(unsigned long va, u8 hbp_len);
-extern int arch_validate_hwbkpt_settings(struct hw_breakpoint *bp,
+extern int arch_validate_hwbkpt_settings(struct perf_event *bp,
-                                                struct task_struct *tsk);
+                                         struct task_struct *tsk);
-extern void arch_update_user_hw_breakpoint(int pos, struct task_struct *tsk);
-extern void arch_flush_thread_hw_breakpoint(struct task_struct *tsk);
-extern void arch_update_kernel_hw_breakpoint(void *);
 extern int hw_breakpoint_exceptions_notify(struct notifier_block *unused,
-                                     unsigned long val, void *data);
+                                           unsigned long val, void *data);
+int arch_install_hw_breakpoint(struct perf_event *bp);
+void arch_uninstall_hw_breakpoint(struct perf_event *bp);
+void hw_breakpoint_pmu_read(struct perf_event *bp);
+void hw_breakpoint_pmu_unthrottle(struct perf_event *bp);
+extern void
+arch_fill_perf_breakpoint(struct perf_event *bp);
+unsigned long encode_dr7(int drnum, unsigned int len, unsigned int type);
+int decode_dr7(unsigned long dr7, int bpnum, unsigned *len, unsigned *type);
+extern int arch_bp_generic_fields(int x86_len, int x86_type,
+                                  int *gen_len, int *gen_type);
+extern struct pmu perf_ops_bp;
 #endif  /* __KERNEL__ */
 #endif  /* _I386_HW_BREAKPOINT_H */
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 61aafb71c7ef..820f3000f736 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -423,6 +423,8 @@ extern unsigned int xstate_size;
 extern void free_thread_xstate(struct task_struct *);
 extern struct kmem_cache *task_xstate_cachep;
+struct perf_event;
 struct thread_struct {
        /* Cached TLS descriptors: */
        struct desc_struct      tls_array[GDT_ENTRY_TLS_ENTRIES];
@@ -444,12 +446,10 @@ struct thread_struct {
        unsigned long           fs;
 #endif
        unsigned long           gs;
-        /* Hardware debugging registers: */
+        /* Save middle states of ptrace breakpoints */
-        unsigned long           debugreg[HBP_NUM];
+        struct perf_event       *ptrace_bps[HBP_NUM];
-        unsigned long           debugreg6;
+        /* Debug status used for traps, single steps, etc... */
-        unsigned long           debugreg7;
+        unsigned long           debugreg6;
-        /* Hardware breakpoint info */
-        struct hw_breakpoint    *hbp[HBP_NUM];
        /* Fault info: */
        unsigned long           cr2;
        unsigned long           trap_no;
diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index 9316a9de4de3..e622620790bd 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -15,6 +15,7 @@
 *
 * Copyright (C) 2007 Alan Stern
 * Copyright (C) 2009 IBM Corporation
+ * Copyright (C) 2009 Frederic Weisbecker <fweisbec@gmail.com>
 */
 /*
@@ -22,6 +23,8 @@
 * using the CPU's debug registers.
 */
+#include <linux/perf_event.h>
+#include <linux/hw_breakpoint.h>
 #include <linux/irqflags.h>
 #include <linux/notifier.h>
 #include <linux/kallsyms.h>
@@ -38,26 +41,24 @@
 #include <asm/processor.h>
 #include <asm/debugreg.h>
-/* Unmasked kernel DR7 value */
+/* Per cpu debug control register value */
-static unsigned long kdr7;
+DEFINE_PER_CPU(unsigned long, dr7);
+/* Per cpu debug address registers values */
+static DEFINE_PER_CPU(unsigned long, cpu_debugreg[HBP_NUM]);
 /*
- * Masks for the bits corresponding to registers DR0 - DR3 in DR7 register.
+ * Stores the breakpoints currently in use on each breakpoint address
- * Used to clear and verify the status of bits corresponding to DR0 - DR3
+ * register for each cpus
 */
-static const unsigned long      dr7_masks[HBP_NUM] = {
+static DEFINE_PER_CPU(struct perf_event *, bp_per_reg[HBP_NUM]);
-        0x000f0003,     /* LEN0, R/W0, G0, L0 */
-        0x00f0000c,     /* LEN1, R/W1, G1, L1 */
-        0x0f000030,     /* LEN2, R/W2, G2, L2 */
-        0xf00000c0      /* LEN3, R/W3, G3, L3 */
-};
 /*
 * Encode the length, type, Exact, and Enable bits for a particular breakpoint
 * as stored in debug register 7.
 */
-static unsigned long encode_dr7(int drnum, unsigned int len, unsigned int type)
+unsigned long encode_dr7(int drnum, unsigned int len, unsigned int type)
 {
        unsigned long bp_info;
@@ -68,64 +69,89 @@ static unsigned long encode_dr7(int drnum, unsigned int len, unsigned int type)
        return bp_info;
 }
-void arch_update_kernel_hw_breakpoint(void *unused)
+/*
+ * Decode the length and type bits for a particular breakpoint as
+ * stored in debug register 7.  Return the "enabled" status.
+ */
+int decode_dr7(unsigned long dr7, int bpnum, unsigned *len, unsigned *type)
 {
-        struct hw_breakpoint *bp;
+        int bp_info = dr7 >> (DR_CONTROL_SHIFT + bpnum * DR_CONTROL_SIZE);
-        int i, cpu = get_cpu();
-        unsigned long temp_kdr7 = 0;
-        /* Don't allow debug exceptions while we update the registers */
-        set_debugreg(0UL, 7);
-        for (i = hbp_kernel_pos; i < HBP_NUM; i++) {
+        *len = (bp_info & 0xc) | 0x40;
-                per_cpu(this_hbp_kernel[i], cpu) = bp = hbp_kernel[i];
+        *type = (bp_info & 0x3) | 0x80;
-                if (bp) {
-                        temp_kdr7 |= encode_dr7(i, bp->info.len, bp->info.type);
-                        set_debugreg(bp->info.address, i);
-                }
-        }
-        /* No need to set DR6. Update the debug registers with kernel-space
+        return (dr7 >> (bpnum * DR_ENABLE_SIZE)) & 0x3;
-         * breakpoint values from kdr7 and user-space requests from the
-         * current process
-         */
-        kdr7 = temp_kdr7;
-        set_debugreg(kdr7 | current->thread.debugreg7, 7);
-        put_cpu();
 }
 /*
- * Install the thread breakpoints in their debug registers.
+ * Install a perf counter breakpoint.
+ *
+ * We seek a free debug address register and use it for this
+ * breakpoint. Eventually we enable it in the debug control register.
+ *
+ * Atomic: we hold the counter->ctx->lock and we only handle variables
+ * and registers local to this cpu.
 */
-void arch_install_thread_hw_breakpoint(struct task_struct *tsk)
+int arch_install_hw_breakpoint(struct perf_event *bp)
 {
-        struct thread_struct *thread = &(tsk->thread);
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
+        unsigned long *dr7;
-        switch (hbp_kernel_pos) {
+        int i;
-        case 4:
-                set_debugreg(thread->debugreg[3], 3);
+        for (i = 0; i < HBP_NUM; i++) {
-        case 3:
+                struct perf_event **slot = &__get_cpu_var(bp_per_reg[i]);
-                set_debugreg(thread->debugreg[2], 2);
-        case 2:
+                if (!*slot) {
-                set_debugreg(thread->debugreg[1], 1);
+                        *slot = bp;
-        case 1:
+                        break;
-                set_debugreg(thread->debugreg[0], 0);
+                }
-        default:
-                break;
        }
-        /* No need to set DR6 */
+        if (WARN_ONCE(i == HBP_NUM, "Can't find any breakpoint slot"))
-        set_debugreg((kdr7 | thread->debugreg7), 7);
+                return -EBUSY;
+        set_debugreg(info->address, i);
+        __get_cpu_var(cpu_debugreg[i]) = info->address;
+        dr7 = &__get_cpu_var(dr7);
+        *dr7 |= encode_dr7(i, info->len, info->type);
+        set_debugreg(*dr7, 7);
+        return 0;
 }
 /*
- * Install the debug register values for just the kernel, no thread.
+ * Uninstall the breakpoint contained in the given counter.
+ *
+ * First we search the debug address register it uses and then we disable
+ * it.
+ *
+ * Atomic: we hold the counter->ctx->lock and we only handle variables
+ * and registers local to this cpu.
 */
-void arch_uninstall_thread_hw_breakpoint(void)
+void arch_uninstall_hw_breakpoint(struct perf_event *bp)
 {
-        /* Clear the user-space portion of debugreg7 by setting only kdr7 */
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
-        set_debugreg(kdr7, 7);
+        unsigned long *dr7;
+        int i;
+        for (i = 0; i < HBP_NUM; i++) {
+                struct perf_event **slot = &__get_cpu_var(bp_per_reg[i]);
+                if (*slot == bp) {
+                        *slot = NULL;
+                        break;
+                }
+        }
+        if (WARN_ONCE(i == HBP_NUM, "Can't find any breakpoint slot"))
+                return;
+        dr7 = &__get_cpu_var(dr7);
+        *dr7 &= ~encode_dr7(i, info->len, info->type);
+        set_debugreg(*dr7, 7);
 }
 static int get_hbp_len(u8 hbp_len)
@@ -133,17 +159,17 @@ static int get_hbp_len(u8 hbp_len)
        unsigned int len_in_bytes = 0;
        switch (hbp_len) {
-        case HW_BREAKPOINT_LEN_1:
+        case X86_BREAKPOINT_LEN_1:
                len_in_bytes = 1;
                break;
-        case HW_BREAKPOINT_LEN_2:
+        case X86_BREAKPOINT_LEN_2:
                len_in_bytes = 2;
                break;
-        case HW_BREAKPOINT_LEN_4:
+        case X86_BREAKPOINT_LEN_4:
                len_in_bytes = 4;
                break;
 #ifdef CONFIG_X86_64
-        case HW_BREAKPOINT_LEN_8:
+        case X86_BREAKPOINT_LEN_8:
                len_in_bytes = 8;
                break;
 #endif
@@ -178,67 +204,146 @@ static int arch_check_va_in_kernelspace(unsigned long va, u8 hbp_len)
 /*
 * Store a breakpoint's encoded address, length, and type.
 */
-static int arch_store_info(struct hw_breakpoint *bp, struct task_struct *tsk)
+static int arch_store_info(struct perf_event *bp)
 {
-        /*
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
-         * User-space requests will always have the address field populated
-         * Symbol names from user-space are rejected
-         */
-        if (tsk && bp->info.name)
-                return -EINVAL;
        /*
         * For kernel-addresses, either the address or symbol name can be
         * specified.
         */
-        if (bp->info.name)
+        if (info->name)
-                bp->info.address = (unsigned long)
+                info->address = (unsigned long)
-                                        kallsyms_lookup_name(bp->info.name);
+                                kallsyms_lookup_name(info->name);
-        if (bp->info.address)
+        if (info->address)
                return 0;
        return -EINVAL;
 }
-/*
+int arch_bp_generic_fields(int x86_len, int x86_type,
- * Validate the arch-specific HW Breakpoint register settings
+                           int *gen_len, int *gen_type)
- */
-int arch_validate_hwbkpt_settings(struct hw_breakpoint *bp,
-                                                struct task_struct *tsk)
 {
-        unsigned int align;
+        /* Len */
-        int ret = -EINVAL;
+        switch (x86_len) {
+        case X86_BREAKPOINT_LEN_1:
+                *gen_len = HW_BREAKPOINT_LEN_1;
+                break;
+        case X86_BREAKPOINT_LEN_2:
+                *gen_len = HW_BREAKPOINT_LEN_2;
+                break;
+        case X86_BREAKPOINT_LEN_4:
+                *gen_len = HW_BREAKPOINT_LEN_4;
+                break;
+#ifdef CONFIG_X86_64
+        case X86_BREAKPOINT_LEN_8:
+                *gen_len = HW_BREAKPOINT_LEN_8;
+                break;
+#endif
+        default:
+                return -EINVAL;
+        }
-        switch (bp->info.type) {
+        /* Type */
-        /*
+        switch (x86_type) {
-         * Ptrace-refactoring code
+        case X86_BREAKPOINT_EXECUTE:
-         * For now, we'll allow instruction breakpoint only for user-space
+                *gen_type = HW_BREAKPOINT_X;
-         * addresses
-         */
-        case HW_BREAKPOINT_EXECUTE:
-                if ((!arch_check_va_in_userspace(bp->info.address,
-                                                        bp->info.len)) &&
-                        bp->info.len != HW_BREAKPOINT_LEN_EXECUTE)
-                        return ret;
                break;
-        case HW_BREAKPOINT_WRITE:
+        case X86_BREAKPOINT_WRITE:
+                *gen_type = HW_BREAKPOINT_W;
                break;
-        case HW_BREAKPOINT_RW:
+        case X86_BREAKPOINT_RW:
+                *gen_type = HW_BREAKPOINT_W | HW_BREAKPOINT_R;
                break;
        default:
-                return ret;
+                return -EINVAL;
        }
-        switch (bp->info.len) {
+        return 0;
+}
+static int arch_build_bp_info(struct perf_event *bp)
+{
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
+        info->address = bp->attr.bp_addr;
+        /* Len */
+        switch (bp->attr.bp_len) {
        case HW_BREAKPOINT_LEN_1:
-                align = 0;
+                info->len = X86_BREAKPOINT_LEN_1;
                break;
        case HW_BREAKPOINT_LEN_2:
-                align = 1;
+                info->len = X86_BREAKPOINT_LEN_2;
                break;
        case HW_BREAKPOINT_LEN_4:
-                align = 3;
+                info->len = X86_BREAKPOINT_LEN_4;
                break;
 #ifdef CONFIG_X86_64
        case HW_BREAKPOINT_LEN_8:
+                info->len = X86_BREAKPOINT_LEN_8;
+                break;
+#endif
+        default:
+                return -EINVAL;
+        }
+        /* Type */
+        switch (bp->attr.bp_type) {
+        case HW_BREAKPOINT_W:
+                info->type = X86_BREAKPOINT_WRITE;
+                break;
+        case HW_BREAKPOINT_W | HW_BREAKPOINT_R:
+                info->type = X86_BREAKPOINT_RW;
+                break;
+        case HW_BREAKPOINT_X:
+                info->type = X86_BREAKPOINT_EXECUTE;
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+/*
+ * Validate the arch-specific HW Breakpoint register settings
+ */
+int arch_validate_hwbkpt_settings(struct perf_event *bp,
+                                  struct task_struct *tsk)
+{
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
+        unsigned int align;
+        int ret;
+        ret = arch_build_bp_info(bp);
+        if (ret)
+                return ret;
+        ret = -EINVAL;
+        if (info->type == X86_BREAKPOINT_EXECUTE)
+                /*
+                 * Ptrace-refactoring code
+                 * For now, we'll allow instruction breakpoint only for user-space
+                 * addresses
+                 */
+                if ((!arch_check_va_in_userspace(info->address, info->len)) &&
+                        info->len != X86_BREAKPOINT_EXECUTE)
+                        return ret;
+        switch (info->len) {
+        case X86_BREAKPOINT_LEN_1:
+                align = 0;
+                break;
+        case X86_BREAKPOINT_LEN_2:
+                align = 1;
+                break;
+        case X86_BREAKPOINT_LEN_4:
+                align = 3;
+                break;
+#ifdef CONFIG_X86_64
+        case X86_BREAKPOINT_LEN_8:
                align = 7;
                break;
 #endif
@@ -246,8 +351,8 @@ int arch_validate_hwbkpt_settings(struct hw_breakpoint *bp,
                return ret;
        }
-        if (bp->triggered)
+        if (bp->callback)
-                ret = arch_store_info(bp, tsk);
+                ret = arch_store_info(bp);
        if (ret < 0)
                return ret;
@@ -255,44 +360,47 @@ int arch_validate_hwbkpt_settings(struct hw_breakpoint *bp,
         * Check that the low-order bits of the address are appropriate
         * for the alignment implied by len.
         */
-        if (bp->info.address & align)
+        if (info->address & align)
                return -EINVAL;
        /* Check that the virtual address is in the proper range */
        if (tsk) {
-                if (!arch_check_va_in_userspace(bp->info.address, bp->info.len))
+                if (!arch_check_va_in_userspace(info->address, info->len))
                        return -EFAULT;
        } else {
-                if (!arch_check_va_in_kernelspace(bp->info.address,
+                if (!arch_check_va_in_kernelspace(info->address, info->len))
-                                                                bp->info.len))
                        return -EFAULT;
        }
        return 0;
 }
-void arch_update_user_hw_breakpoint(int pos, struct task_struct *tsk)
+/*
+ * Release the user breakpoints used by ptrace
+ */
+void flush_ptrace_hw_breakpoint(struct task_struct *tsk)
 {
-        struct thread_struct *thread = &(tsk->thread);
+        int i;
-        struct hw_breakpoint *bp = thread->hbp[pos];
+        struct thread_struct *t = &tsk->thread;
-        thread->debugreg7 &= ~dr7_masks[pos];
+        for (i = 0; i < HBP_NUM; i++) {
-        if (bp) {
+                unregister_hw_breakpoint(t->ptrace_bps[i]);
-                thread->debugreg[pos] = bp->info.address;
+                t->ptrace_bps[i] = NULL;
-                thread->debugreg7 |= encode_dr7(pos, bp->info.len,
+        }
-                                                        bp->info.type);
-        } else
-                thread->debugreg[pos] = 0;
 }
-void arch_flush_thread_hw_breakpoint(struct task_struct *tsk)
+#ifdef CONFIG_KVM
+void hw_breakpoint_restore(void)
 {
-        int i;
+        set_debugreg(__get_cpu_var(cpu_debugreg[0]), 0);
-        struct thread_struct *thread = &(tsk->thread);
+        set_debugreg(__get_cpu_var(cpu_debugreg[1]), 1);
+        set_debugreg(__get_cpu_var(cpu_debugreg[2]), 2);
-        thread->debugreg7 = 0;
+        set_debugreg(__get_cpu_var(cpu_debugreg[3]), 3);
-        for (i = 0; i < HBP_NUM; i++)
+        set_debugreg(current->thread.debugreg6, 6);
-                thread->debugreg[i] = 0;
+        set_debugreg(__get_cpu_var(dr7), 7);
 }
+EXPORT_SYMBOL_GPL(hw_breakpoint_restore);
+#endif
 /*
 * Handle debug exception notifications.
@@ -313,7 +421,7 @@ void arch_flush_thread_hw_breakpoint(struct task_struct *tsk)
 static int __kprobes hw_breakpoint_handler(struct die_args *args)
 {
        int i, cpu, rc = NOTIFY_STOP;
-        struct hw_breakpoint *bp;
+        struct perf_event *bp;
        unsigned long dr7, dr6;
        unsigned long *dr6_p;
@@ -325,10 +433,6 @@ static int __kprobes hw_breakpoint_handler(struct die_args *args)
        if ((dr6 & DR_TRAP_BITS) == 0)
                return NOTIFY_DONE;
-        /* Lazy debug register switching */
-        if (!test_tsk_thread_flag(current, TIF_DEBUG))
-                arch_uninstall_thread_hw_breakpoint();
        get_debugreg(dr7, 7);
        /* Disable breakpoints during exception handling */
        set_debugreg(0UL, 7);
@@ -344,17 +448,18 @@ static int __kprobes hw_breakpoint_handler(struct die_args *args)
        for (i = 0; i < HBP_NUM; ++i) {
                if (likely(!(dr6 & (DR_TRAP0 << i))))
                        continue;
                /*
-                 * Find the corresponding hw_breakpoint structure and
+                 * The counter may be concurrently released but that can only
-                 * invoke its triggered callback.
+                 * occur from a call_rcu() path. We can then safely fetch
+                 * the breakpoint, use its callback, touch its counter
+                 * while we are in an rcu_read_lock() path.
                 */
-                if (i >= hbp_kernel_pos)
+                rcu_read_lock();
-                        bp = per_cpu(this_hbp_kernel[i], cpu);
-                else {
+                bp = per_cpu(bp_per_reg[i], cpu);
-                        bp = current->thread.hbp[i];
+                if (bp)
-                        if (bp)
+                        rc = NOTIFY_DONE;
-                                rc = NOTIFY_DONE;
-                }
                /*
                 * Reset the 'i'th TRAP bit in dr6 to denote completion of
                 * exception handling
@@ -362,19 +467,23 @@ static int __kprobes hw_breakpoint_handler(struct die_args *args)
                (*dr6_p) &= ~(DR_TRAP0 << i);
                /*
                 * bp can be NULL due to lazy debug register switching
-                 * or due to the delay between updates of hbp_kernel_pos
+                 * or due to concurrent perf counter removing.
-                 * and this_hbp_kernel.
                 */
-                if (!bp)
+                if (!bp) {
-                        continue;
+                        rcu_read_unlock();
+                        break;
+                }
+                (bp->callback)(bp, args->regs);
-                (bp->triggered)(bp, args->regs);
+                rcu_read_unlock();
        }
        if (dr6 & (~DR_TRAP_BITS))
                rc = NOTIFY_DONE;
        set_debugreg(dr7, 7);
        put_cpu();
        return rc;
 }
@@ -389,3 +498,13 @@ int __kprobes hw_breakpoint_exceptions_notify(
        return hw_breakpoint_handler(data);
 }
+void hw_breakpoint_pmu_read(struct perf_event *bp)
+{
+        /* TODO */
+}
+void hw_breakpoint_pmu_unthrottle(struct perf_event *bp)
+{
+        /* TODO */
+}
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index cf8ee0016307..744508e7cfdd 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -10,6 +10,7 @@
 #include <linux/clockchips.h>
 #include <linux/random.h>
 #include <trace/events/power.h>
+#include <linux/hw_breakpoint.h>
 #include <asm/system.h>
 #include <asm/apic.h>
 #include <asm/syscalls.h>
@@ -18,7 +19,6 @@
 #include <asm/i387.h>
 #include <asm/ds.h>
 #include <asm/debugreg.h>
-#include <asm/hw_breakpoint.h>
 unsigned long idle_halt;
 EXPORT_SYMBOL(idle_halt);
@@ -47,8 +47,6 @@ void free_thread_xstate(struct task_struct *tsk)
                kmem_cache_free(task_xstate_cachep, tsk->thread.xstate);
                tsk->thread.xstate = NULL;
        }
-        if (unlikely(test_tsk_thread_flag(tsk, TIF_DEBUG)))
-                flush_thread_hw_breakpoint(tsk);
        WARN(tsk->thread.ds_ctx, "leaking DS context\n");
 }
@@ -107,8 +105,7 @@ void flush_thread(void)
        }
 #endif
-        if (unlikely(test_tsk_thread_flag(tsk, TIF_DEBUG)))
+        flush_ptrace_hw_breakpoint(tsk);
-                flush_thread_hw_breakpoint(tsk);
        memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
        /*
         * Forget coprocessor state..
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
index 209e74801763..d5bd3132ee70 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -59,7 +59,6 @@
 #include <asm/syscalls.h>
 #include <asm/ds.h>
 #include <asm/debugreg.h>
-#include <asm/hw_breakpoint.h>
 asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
@@ -264,9 +263,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
        p->thread.io_bitmap_ptr = NULL;
        tsk = current;
        err = -ENOMEM;
-        if (unlikely(test_tsk_thread_flag(tsk, TIF_DEBUG)))
-                if (copy_thread_hw_breakpoint(tsk, p, clone_flags))
+        memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
-                        goto out;
        if (unlikely(test_tsk_thread_flag(tsk, TIF_IO_BITMAP))) {
                p->thread.io_bitmap_ptr = kmemdup(tsk->thread.io_bitmap_ptr,
@@ -287,13 +285,10 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
                err = do_set_thread_area(p, -1,
                        (struct user_desc __user *)childregs->si, 0);
-out:
        if (err && p->thread.io_bitmap_ptr) {
                kfree(p->thread.io_bitmap_ptr);
                p->thread.io_bitmap_max = 0;
        }
-        if (err)
-                flush_thread_hw_breakpoint(p);
        clear_tsk_thread_flag(p, TIF_DS_AREA_MSR);
        p->thread.ds_ctx = NULL;
@@ -437,23 +432,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
                lazy_load_gs(next->gs);
        percpu_write(current_task, next_p);
-        /*
-         * There's a problem with moving the arch_install_thread_hw_breakpoint()
-         * call before current is updated.  Suppose a kernel breakpoint is
-         * triggered in between the two, the hw-breakpoint handler will see that
-         * the 'current' task does not have TIF_DEBUG flag set and will think it
-         * is leftover from an old task (lazy switching) and will erase it. Then
-         * until the next context switch, no user-breakpoints will be installed.
-         *
-         * The real problem is that it's impossible to update both current and
-         * physical debug registers at the same instant, so there will always be
-         * a window in which they disagree and a breakpoint might get triggered.
-         * Since we use lazy switching, we are forced to assume that a
-         * disagreement means that current is correct and the exception is due
-         * to lazy debug register switching.
-         */
-        if (unlikely(test_tsk_thread_flag(next_p, TIF_DEBUG)))
-                arch_install_thread_hw_breakpoint(next_p);
        return prev_p;
 }
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 72edac026a78..5bafdec34441 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -53,7 +53,6 @@
 #include <asm/syscalls.h>
 #include <asm/ds.h>
 #include <asm/debugreg.h>
-#include <asm/hw_breakpoint.h>
 asmlinkage extern void ret_from_fork(void);
@@ -244,8 +243,6 @@ void release_thread(struct task_struct *dead_task)
                        BUG();
                }
        }
-        if (unlikely(dead_task->thread.debugreg7))
-                flush_thread_hw_breakpoint(dead_task);
 }
 static inline void set_32bit_tls(struct task_struct *t, int tls, u32 addr)
@@ -309,9 +306,7 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
        savesegment(ds, p->thread.ds);
        err = -ENOMEM;
-        if (unlikely(test_tsk_thread_flag(me, TIF_DEBUG)))
+        memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
-                if (copy_thread_hw_breakpoint(me, p, clone_flags))
-                        goto out;
        if (unlikely(test_tsk_thread_flag(me, TIF_IO_BITMAP))) {
                p->thread.io_bitmap_ptr = kmalloc(IO_BITMAP_BYTES, GFP_KERNEL);
@@ -351,8 +346,6 @@ out:
                kfree(p->thread.io_bitmap_ptr);
                p->thread.io_bitmap_max = 0;
        }
-        if (err)
-                flush_thread_hw_breakpoint(p);
        return err;
 }
@@ -508,23 +501,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         */
        if (preload_fpu)
                __math_state_restore();
-        /*
-         * There's a problem with moving the arch_install_thread_hw_breakpoint()
-         * call before current is updated.  Suppose a kernel breakpoint is
-         * triggered in between the two, the hw-breakpoint handler will see that
-         * the 'current' task does not have TIF_DEBUG flag set and will think it
-         * is leftover from an old task (lazy switching) and will erase it. Then
-         * until the next context switch, no user-breakpoints will be installed.
-         *
-         * The real problem is that it's impossible to update both current and
-         * physical debug registers at the same instant, so there will always be
-         * a window in which they disagree and a breakpoint might get triggered.
-         * Since we use lazy switching, we are forced to assume that a
-         * disagreement means that current is correct and the exception is due
-         * to lazy debug register switching.
-         */
-        if (unlikely(test_tsk_thread_flag(next_p, TIF_DEBUG)))
-                arch_install_thread_hw_breakpoint(next_p);
        return prev_p;
 }
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 267cb85b479c..e79610d95971 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -22,6 +22,8 @@
 #include <linux/seccomp.h>
 #include <linux/signal.h>
 #include <linux/workqueue.h>
+#include <linux/perf_event.h>
+#include <linux/hw_breakpoint.h>
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -441,54 +443,59 @@ static int genregs_set(struct task_struct *target,
        return ret;
 }
-/*
+static void ptrace_triggered(struct perf_event *bp, void *data)
- * Decode the length and type bits for a particular breakpoint as
- * stored in debug register 7.  Return the "enabled" status.
- */
-static int decode_dr7(unsigned long dr7, int bpnum, unsigned *len,
-                unsigned *type)
-{
-        int bp_info = dr7 >> (DR_CONTROL_SHIFT + bpnum * DR_CONTROL_SIZE);
-        *len = (bp_info & 0xc) | 0x40;
-        *type = (bp_info & 0x3) | 0x80;
-        return (dr7 >> (bpnum * DR_ENABLE_SIZE)) & 0x3;
-}
-static void ptrace_triggered(struct hw_breakpoint *bp, struct pt_regs *regs)
 {
-        struct thread_struct *thread = &(current->thread);
        int i;
+        struct thread_struct *thread = &(current->thread);
        /*
         * Store in the virtual DR6 register the fact that the breakpoint
         * was hit so the thread's debugger will see it.
         */
-        for (i = 0; i < hbp_kernel_pos; i++)
+        for (i = 0; i < HBP_NUM; i++) {
-                /*
+                if (thread->ptrace_bps[i] == bp)
-                 * We will check bp->info.address against the address stored in
-                 * thread's hbp structure and not debugreg[i]. This is to ensure
-                 * that the corresponding bit for 'i' in DR7 register is enabled
-                 */
-                if (bp->info.address == thread->hbp[i]->info.address)
                        break;
+        }
        thread->debugreg6 |= (DR_TRAP0 << i);
 }
 /*
+ * Walk through every ptrace breakpoints for this thread and
+ * build the dr7 value on top of their attributes.
+ *
+ */
+static unsigned long ptrace_get_dr7(struct perf_event *bp[])
+{
+        int i;
+        int dr7 = 0;
+        struct arch_hw_breakpoint *info;
+        for (i = 0; i < HBP_NUM; i++) {
+                if (bp[i] && !bp[i]->attr.disabled) {
+                        info = counter_arch_bp(bp[i]);
+                        dr7 |= encode_dr7(i, info->len, info->type);
+                }
+        }
+        return dr7;
+}
+/*
 * Handle ptrace writes to debug register 7.
 */
 static int ptrace_write_dr7(struct task_struct *tsk, unsigned long data)
 {
        struct thread_struct *thread = &(tsk->thread);
-        unsigned long old_dr7 = thread->debugreg7;
+        unsigned long old_dr7;
        int i, orig_ret = 0, rc = 0;
        int enabled, second_pass = 0;
        unsigned len, type;
-        struct hw_breakpoint *bp;
+        int gen_len, gen_type;
+        struct perf_event *bp;
        data &= ~DR_CONTROL_RESERVED;
+        old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
 restore:
        /*
         * Loop through all the hardware breakpoints, making the
@@ -496,11 +503,12 @@ restore:
         */
        for (i = 0; i < HBP_NUM; i++) {
                enabled = decode_dr7(data, i, &len, &type);
-                bp = thread->hbp[i];
+                bp = thread->ptrace_bps[i];
                if (!enabled) {
                        if (bp) {
-                                /* Don't unregister the breakpoints right-away,
+                                /*
+                                 * Don't unregister the breakpoints right-away,
                                 * unless all register_user_hw_breakpoint()
                                 * requests have succeeded. This prevents
                                 * any window of opportunity for debug
@@ -508,27 +516,45 @@ restore:
                                 */
                                if (!second_pass)
                                        continue;
-                                unregister_user_hw_breakpoint(tsk, bp);
+                                thread->ptrace_bps[i] = NULL;
-                                kfree(bp);
+                                unregister_hw_breakpoint(bp);
                        }
                        continue;
                }
+                /*
+                 * We shoud have at least an inactive breakpoint at this
+                 * slot. It means the user is writing dr7 without having
+                 * written the address register first
+                 */
                if (!bp) {
-                        rc = -ENOMEM;
+                        rc = -EINVAL;
-                        bp = kzalloc(sizeof(struct hw_breakpoint), GFP_KERNEL);
+                        break;
-                        if (bp) {
+                }
-                                bp->info.address = thread->debugreg[i];
-                                bp->triggered = ptrace_triggered;
+                rc = arch_bp_generic_fields(len, type, &gen_len, &gen_type);
-                                bp->info.len = len;
-                                bp->info.type = type;
-                                rc = register_user_hw_breakpoint(tsk, bp);
-                                if (rc)
-                                        kfree(bp);
-                        }
-                } else
-                        rc = modify_user_hw_breakpoint(tsk, bp);
                if (rc)
                        break;
+                /*
+                 * This is a temporary thing as bp is unregistered/registered
+                 * to simulate modification
+                 */
+                bp = modify_user_hw_breakpoint(bp, bp->attr.bp_addr, gen_len,
+                                               gen_type, bp->callback,
+                                               tsk, true);
+                thread->ptrace_bps[i] = NULL;
+                if (!bp) { /* incorrect bp, or we have a bug in bp API */
+                        rc = -EINVAL;
+                        break;
+                }
+                if (IS_ERR(bp)) {
+                        rc = PTR_ERR(bp);
+                        bp = NULL;
+                        break;
+                }
+                thread->ptrace_bps[i] = bp;
        }
        /*
         * Make a second pass to free the remaining unused breakpoints
@@ -553,15 +579,63 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
        struct thread_struct *thread = &(tsk->thread);
        unsigned long val = 0;
-        if (n < HBP_NUM)
+        if (n < HBP_NUM) {
-                val = thread->debugreg[n];
+                struct perf_event *bp;
-        else if (n == 6)
+                bp = thread->ptrace_bps[n];
+                if (!bp)
+                        return 0;
+                val = bp->hw.info.address;
+        } else if (n == 6) {
                val = thread->debugreg6;
-        else if (n == 7)
+         } else if (n == 7) {
-                val = thread->debugreg7;
+                val = ptrace_get_dr7(thread->ptrace_bps);
+        }
        return val;
 }
+static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
+                                      unsigned long addr)
+{
+        struct perf_event *bp;
+        struct thread_struct *t = &tsk->thread;
+        if (!t->ptrace_bps[nr]) {
+                /*
+                 * Put stub len and type to register (reserve) an inactive but
+                 * correct bp
+                 */
+                bp = register_user_hw_breakpoint(addr, HW_BREAKPOINT_LEN_1,
+                                                 HW_BREAKPOINT_W,
+                                                 ptrace_triggered, tsk,
+                                                 false);
+        } else {
+                bp = t->ptrace_bps[nr];
+                t->ptrace_bps[nr] = NULL;
+                bp = modify_user_hw_breakpoint(bp, addr, bp->attr.bp_len,
+                                               bp->attr.bp_type,
+                                               bp->callback,
+                                               tsk,
+                                               bp->attr.disabled);
+        }
+        if (!bp)
+                return -EIO;
+        /*
+         * CHECKME: the previous code returned -EIO if the addr wasn't a
+         * valid task virtual addr. The new one will return -EINVAL in this
+         * case.
+         * -EINVAL may be what we want for in-kernel breakpoints users, but
+         * -EIO looks better for ptrace, since we refuse a register writing
+         * for the user. And anyway this is the previous behaviour.
+         */
+        if (IS_ERR(bp))
+                return PTR_ERR(bp);
+        t->ptrace_bps[nr] = bp;
+        return 0;
+}
 /*
 * Handle PTRACE_POKEUSR calls for the debug register area.
 */
@@ -575,19 +649,13 @@ int ptrace_set_debugreg(struct task_struct *tsk, int n, unsigned long val)
                return -EIO;
        if (n == 6) {
-                tsk->thread.debugreg6 = val;
+                thread->debugreg6 = val;
                goto ret_path;
        }
        if (n < HBP_NUM) {
-                if (thread->hbp[n]) {
+                rc = ptrace_set_breakpoint_addr(tsk, n, val);
-                        if (arch_check_va_in_userspace(val,
+                if (rc)
-                                        thread->hbp[n]->info.len) == 0) {
+                        return rc;
-                                rc = -EIO;
-                                goto ret_path;
-                        }
-                        thread->hbp[n]->info.address = val;
-                }
-                thread->debugreg[n] = val;
        }
        /* All that's left is DR7 */
        if (n == 7)
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index 213a7a3e4562..565ebc65920e 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -64,7 +64,6 @@
 #include <asm/apic.h>
 #include <asm/setup.h>
 #include <asm/uv/uv.h>
-#include <asm/debugreg.h>
 #include <linux/mc146818rtc.h>
 #include <asm/smpboot_hooks.h>
@@ -328,7 +327,6 @@ notrace static void __cpuinit start_secondary(void *unused)
        x86_cpuinit.setup_percpu_clockev();
        wmb();
-        load_debug_registers();
        cpu_idle();
 }
@@ -1269,7 +1267,6 @@ void cpu_disable_common(void)
        remove_cpu_from_maps(cpu);
        unlock_vector_lock();
        fixup_irqs();
-        hw_breakpoint_disable();
 }
 int native_cpu_disable(void)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fc2974adf9b6..22dee7aa7813 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -42,6 +42,7 @@
 #define CREATE_TRACE_POINTS
 #include "trace.h"
+#include <asm/debugreg.h>
 #include <asm/uaccess.h>
 #include <asm/msr.h>
 #include <asm/desc.h>
@@ -3643,14 +3644,15 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        trace_kvm_entry(vcpu->vcpu_id);
        kvm_x86_ops->run(vcpu, kvm_run);
-        if (unlikely(vcpu->arch.switch_db_regs || test_thread_flag(TIF_DEBUG))) {
+        /*
-                set_debugreg(current->thread.debugreg[0], 0);
+         * If the guest has used debug registers, at least dr7
-                set_debugreg(current->thread.debugreg[1], 1);
+         * will be disabled while returning to the host.
-                set_debugreg(current->thread.debugreg[2], 2);
+         * If we don't have active breakpoints in the host, we don't
-                set_debugreg(current->thread.debugreg[3], 3);
+         * care about the messed up debug address registers. But if
-                set_debugreg(current->thread.debugreg6, 6);
+         * we have some of them active, restore the old state.
-                set_debugreg(current->thread.debugreg7, 7);
+         */
-        }
+        if (__get_cpu_var(dr7) & DR_GLOBAL_ENABLE_MASK)
+                hw_breakpoint_restore();
        set_bit(KVM_REQ_KICK, &vcpu->requests);
        local_irq_enable();
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index e09a44fc4664..0a979f3e5b8a 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -105,7 +105,6 @@ static void __save_processor_state(struct saved_context *ctxt)
        ctxt->cr4 = read_cr4();
        ctxt->cr8 = read_cr8();
 #endif
-        hw_breakpoint_disable();
 }
 /* Needed by apm.c */
@@ -144,11 +143,6 @@ static void fix_processor_context(void)
 #endif
        load_TR_desc();                         /* This does ltr */
        load_LDT(&current->active_mm->context); /* This does lldt */
-        /*
-         * Now maybe reload the debug registers
-         */
-        load_debug_registers();
 }
 /**