ARM: 6005/1: arm: kprobes: fix register corruption with jprobes

[safe/jmp/linux-2.6] / arch / arm / kernel / kprobes.c

diff --git a/arch/arm/kernel/kprobes.c b/arch/arm/kernel/kprobes.c
index 450ee2c..610e0f5 100644 (file)
--- a/arch/arm/kernel/kprobes.c
+++ b/arch/arm/kernel/kprobes.c
@@ -22,16 +22,11 @@
 #include <linux/kernel.h>
 #include <linux/kprobes.h>
 #include <linux/module.h>
+#include <linux/stop_machine.h>
 #include <linux/stringify.h>
 #include <asm/traps.h>
 #include <asm/cacheflush.h>
 
-/*
- * This undefined instruction must be unique and
- * reserved solely for kprobes' use.
- */
-#define KPROBE_BREAKPOINT_INSTRUCTION  0xe7f001f8
-
 #define MIN_STACK_SIZE(addr)                           \
        min((unsigned long)MAX_STACK_SIZE,              \
            (unsigned long)current_thread_info() + THREAD_START_SP - (addr))
@@ -72,7 +67,7 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
                        return -ENOMEM;
                for (is = 0; is < MAX_INSN_SIZE; ++is)
                        p->ainsn.insn[is] = tmp_insn[is];
-               flush_insns(&p->ainsn.insn, MAX_INSN_SIZE);
+               flush_insns(p->ainsn.insn, MAX_INSN_SIZE);
                break;
 
        case INSN_GOOD_NO_SLOT: /* instruction doesn't need insn slot */
@@ -89,18 +84,30 @@ void __kprobes arch_arm_kprobe(struct kprobe *p)
        flush_insns(p->addr, 1);
 }
 
+/*
+ * The actual disarming is done here on each CPU and synchronized using
+ * stop_machine. This synchronization is necessary on SMP to avoid removing
+ * a probe between the moment the 'Undefined Instruction' exception is raised
+ * and the moment the exception handler reads the faulting instruction from
+ * memory.
+ */
+int __kprobes __arch_disarm_kprobe(void *p)
+{
+       struct kprobe *kp = p;
+       *kp->addr = kp->opcode;
+       flush_insns(kp->addr, 1);
+       return 0;
+}
+
 void __kprobes arch_disarm_kprobe(struct kprobe *p)
 {
-       *p->addr = p->opcode;
-       flush_insns(p->addr, 1);
+       stop_machine(__arch_disarm_kprobe, p, &cpu_online_map);
 }
 
 void __kprobes arch_remove_kprobe(struct kprobe *p)
 {
        if (p->ainsn.insn) {
-               mutex_lock(&kprobe_mutex);
                free_insn_slot(p->ainsn.insn, 0);
-               mutex_unlock(&kprobe_mutex);
                p->ainsn.insn = NULL;
        }
 }
@@ -206,9 +213,12 @@ void __kprobes kprobe_handler(struct pt_regs *regs)
        }
 }
 
-static int kprobe_trap_handler(struct pt_regs *regs, unsigned int instr)
+static int __kprobes kprobe_trap_handler(struct pt_regs *regs, unsigned int instr)
 {
+       unsigned long flags;
+       local_irq_save(flags);
        kprobe_handler(regs);
+       local_irq_restore(flags);
        return 0;
 }
 
@@ -280,7 +290,7 @@ int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
  * for kretprobe handlers which should normally be interested in r0 only
  * anyway.
  */
-static void __attribute__((naked)) __kprobes kretprobe_trampoline(void)
+void __naked __kprobes kretprobe_trampoline(void)
 {
        __asm__ __volatile__ (
                "stmdb  sp!, {r0 - r11}         \n\t"
@@ -302,8 +312,7 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
        unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
 
        INIT_HLIST_HEAD(&empty_rp);
-       spin_lock_irqsave(&kretprobe_lock, flags);
-       head = kretprobe_inst_table_head(current);
+       kretprobe_hash_lock(current, &head, &flags);
 
        /*
         * It is possible to have multiple instances associated with a given
@@ -343,7 +352,7 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
        }
 
        kretprobe_assert(ri, orig_ret_address, trampoline_address);
-       spin_unlock_irqrestore(&kretprobe_lock, flags);
+       kretprobe_hash_unlock(current, &flags);
 
        hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
                hlist_del(&ri->hlist);
@@ -353,7 +362,6 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
        return (void *)orig_ret_address;
 }
 
-/* Called with kretprobe_lock held. */
 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
                                      struct pt_regs *regs)
 {
@@ -385,6 +393,14 @@ void __kprobes jprobe_return(void)
                /*
                 * Setup an empty pt_regs. Fill SP and PC fields as
                 * they're needed by longjmp_break_handler.
+                *
+                * We allocate some slack between the original SP and start of
+                * our fabricated regs. To be precise we want to have worst case
+                * covered which is STMFD with all 16 regs so we allocate 2 *
+                * sizeof(struct_pt_regs)).
+                *
+                * This is to prevent any simulated instruction from writing
+                * over the regs when they are accessing the stack.
                 */
                "sub    sp, %0, %1              \n\t"
                "ldr    r0, ="__stringify(JPROBE_MAGIC_ADDR)"\n\t"
@@ -402,7 +418,7 @@ void __kprobes jprobe_return(void)
                "ldmia  sp, {r0 - pc}           \n\t"
                :
                : "r" (kcb->jprobe_saved_regs.ARM_sp),
-                 "I" (sizeof(struct pt_regs)),
+                 "I" (sizeof(struct pt_regs) * 2),
                  "J" (offsetof(struct pt_regs, ARM_sp)),
                  "J" (offsetof(struct pt_regs, ARM_pc)),
                  "J" (offsetof(struct pt_regs, ARM_cpsr))
@@ -437,6 +453,11 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
        return 0;
 }
 
+int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+{
+       return 0;
+}
+
 static struct undef_hook kprobes_break_hook = {
        .instr_mask     = 0xffffffff,
        .instr_val      = KPROBE_BREAKPOINT_INSTRUCTION,