[deliverable/linux.git] / arch / arm / kernel / kprobes-common.c

/*
 * arch/arm/kernel/kprobes-common.c
 *
 * Copyright (C) 2011 Jon Medhurst <tixy@yxit.co.uk>.
 *
 * Some contents moved here from arch/arm/include/asm/kprobes-arm.c which is
 * Copyright (C) 2006, 2007 Motorola Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/kernel.h>
#include <linux/kprobes.h>

#include "kprobes.h"


#ifndef find_str_pc_offset

/*
 * For STR and STM instructions, an ARM core may choose to use either
 * a +8 or a +12 displacement from the current instruction's address.
 * Whichever value is chosen for a given core, it must be the same for
 * both instructions and may not change.  This function measures it.
 */

int str_pc_offset;

void __init find_str_pc_offset(void)
{
	int addr, scratch, ret;

	__asm__ (
		"sub	%[ret], pc, #4		\n\t"
		"str	pc, %[addr]		\n\t"
		"ldr	%[scr], %[addr]		\n\t"
		"sub	%[ret], %[scr], %[ret]	\n\t"
		: [ret] "=r" (ret), [scr] "=r" (scratch), [addr] "+m" (addr));

	str_pc_offset = ret;
}

#endif /* !find_str_pc_offset */


#ifndef test_load_write_pc_interworking

bool load_write_pc_interworks;

void __init test_load_write_pc_interworking(void)
{
	int arch = cpu_architecture();
	BUG_ON(arch == CPU_ARCH_UNKNOWN);
	load_write_pc_interworks = arch >= CPU_ARCH_ARMv5T;
}

#endif /* !test_load_write_pc_interworking */


void __init arm_kprobe_decode_init(void)
{
	find_str_pc_offset();
	test_load_write_pc_interworking();
}


static unsigned long __kprobes __check_eq(unsigned long cpsr)
{
	return cpsr & PSR_Z_BIT;
}

static unsigned long __kprobes __check_ne(unsigned long cpsr)
{
	return (~cpsr) & PSR_Z_BIT;
}

static unsigned long __kprobes __check_cs(unsigned long cpsr)
{
	return cpsr & PSR_C_BIT;
}

static unsigned long __kprobes __check_cc(unsigned long cpsr)
{
	return (~cpsr) & PSR_C_BIT;
}

static unsigned long __kprobes __check_mi(unsigned long cpsr)
{
	return cpsr & PSR_N_BIT;
}

static unsigned long __kprobes __check_pl(unsigned long cpsr)
{
	return (~cpsr) & PSR_N_BIT;
}

static unsigned long __kprobes __check_vs(unsigned long cpsr)
{
	return cpsr & PSR_V_BIT;
}

static unsigned long __kprobes __check_vc(unsigned long cpsr)
{
	return (~cpsr) & PSR_V_BIT;
}

static unsigned long __kprobes __check_hi(unsigned long cpsr)
{
	cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
	return cpsr & PSR_C_BIT;
}

static unsigned long __kprobes __check_ls(unsigned long cpsr)
{
	cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
	return (~cpsr) & PSR_C_BIT;
}

static unsigned long __kprobes __check_ge(unsigned long cpsr)
{
	cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	return (~cpsr) & PSR_N_BIT;
}

static unsigned long __kprobes __check_lt(unsigned long cpsr)
{
	cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	return cpsr & PSR_N_BIT;
}

static unsigned long __kprobes __check_gt(unsigned long cpsr)
{
	unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	temp |= (cpsr << 1);			 /* PSR_N_BIT |= PSR_Z_BIT */
	return (~temp) & PSR_N_BIT;
}

static unsigned long __kprobes __check_le(unsigned long cpsr)
{
	unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	temp |= (cpsr << 1);			 /* PSR_N_BIT |= PSR_Z_BIT */
	return temp & PSR_N_BIT;
}

static unsigned long __kprobes __check_al(unsigned long cpsr)
{
	return true;
}

kprobe_check_cc * const kprobe_condition_checks[16] = {
	&__check_eq, &__check_ne, &__check_cs, &__check_cc,
	&__check_mi, &__check_pl, &__check_vs, &__check_vc,
	&__check_hi, &__check_ls, &__check_ge, &__check_lt,
	&__check_gt, &__check_le, &__check_al, &__check_al
};


void __kprobes kprobe_simulate_nop(struct kprobe *p, struct pt_regs *regs)
{
}

void __kprobes kprobe_emulate_none(struct kprobe *p, struct pt_regs *regs)
{
	p->ainsn.insn_fn();
}

static void __kprobes simulate_ldm1stm1(struct kprobe *p, struct pt_regs *regs)
{
	kprobe_opcode_t insn = p->opcode;
	int rn = (insn >> 16) & 0xf;
	int lbit = insn & (1 << 20);
	int wbit = insn & (1 << 21);
	int ubit = insn & (1 << 23);
	int pbit = insn & (1 << 24);
	long *addr = (long *)regs->uregs[rn];
	int reg_bit_vector;
	int reg_count;

	reg_count = 0;
	reg_bit_vector = insn & 0xffff;
	while (reg_bit_vector) {
		reg_bit_vector &= (reg_bit_vector - 1);
		++reg_count;
	}

	if (!ubit)
		addr -= reg_count;
	addr += (!pbit == !ubit);

	reg_bit_vector = insn & 0xffff;
	while (reg_bit_vector) {
		int reg = __ffs(reg_bit_vector);
		reg_bit_vector &= (reg_bit_vector - 1);
		if (lbit)
			regs->uregs[reg] = *addr++;
		else
			*addr++ = regs->uregs[reg];
	}

	if (wbit) {
		if (!ubit)
			addr -= reg_count;
		addr -= (!pbit == !ubit);
		regs->uregs[rn] = (long)addr;
	}
}

static void __kprobes simulate_stm1_pc(struct kprobe *p, struct pt_regs *regs)
{
	regs->ARM_pc = (long)p->addr + str_pc_offset;
	simulate_ldm1stm1(p, regs);
	regs->ARM_pc = (long)p->addr + 4;
}

static void __kprobes simulate_ldm1_pc(struct kprobe *p, struct pt_regs *regs)
{
	simulate_ldm1stm1(p, regs);
	load_write_pc(regs->ARM_pc, regs);
}

static void __kprobes
emulate_generic_r0_12_noflags(struct kprobe *p, struct pt_regs *regs)
{
	register void *rregs asm("r1") = regs;
	register void *rfn asm("lr") = p->ainsn.insn_fn;

	__asm__ __volatile__ (
		"stmdb	sp!, {%[regs], r11}	\n\t"
		"ldmia	%[regs], {r0-r12}	\n\t"
#if __LINUX_ARM_ARCH__ >= 6
		"blx	%[fn]			\n\t"
#else
		"str	%[fn], [sp, #-4]!	\n\t"
		"adr	lr, 1f			\n\t"
		"ldr	pc, [sp], #4		\n\t"
		"1:				\n\t"
#endif
		"ldr	lr, [sp], #4		\n\t" /* lr = regs */
		"stmia	lr, {r0-r12}		\n\t"
		"ldr	r11, [sp], #4		\n\t"
		: [regs] "=r" (rregs), [fn] "=r" (rfn)
		: "0" (rregs), "1" (rfn)
		: "r0", "r2", "r3", "r4", "r5", "r6", "r7",
		  "r8", "r9", "r10", "r12", "memory", "cc"
		);
}

static void __kprobes
emulate_generic_r2_14_noflags(struct kprobe *p, struct pt_regs *regs)
{
	emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+2));
}

static void __kprobes
emulate_ldm_r3_15(struct kprobe *p, struct pt_regs *regs)
{
	emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+3));
	load_write_pc(regs->ARM_pc, regs);
}

enum kprobe_insn __kprobes
kprobe_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi)
{
	kprobe_insn_handler_t *handler = 0;
	unsigned reglist = insn & 0xffff;
	int is_ldm = insn & 0x100000;
	int rn = (insn >> 16) & 0xf;

	if (rn <= 12 && (reglist & 0xe000) == 0) {
		/* Instruction only uses registers in the range R0..R12 */
		handler = emulate_generic_r0_12_noflags;

	} else if (rn >= 2 && (reglist & 0x8003) == 0) {
		/* Instruction only uses registers in the range R2..R14 */
		rn -= 2;
		reglist >>= 2;
		handler = emulate_generic_r2_14_noflags;

	} else if (rn >= 3 && (reglist & 0x0007) == 0) {
		/* Instruction only uses registers in the range R3..R15 */
		if (is_ldm && (reglist & 0x8000)) {
			rn -= 3;
			reglist >>= 3;
			handler = emulate_ldm_r3_15;
		}
	}

	if (handler) {
		/* We can emulate the instruction in (possibly) modified form */
		asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist;
		asi->insn_handler = handler;
		return INSN_GOOD;
	}

	/* Fallback to slower simulation... */
	if (reglist & 0x8000)
		handler = is_ldm ? simulate_ldm1_pc : simulate_stm1_pc;
	else
		handler = simulate_ldm1stm1;
	asi->insn_handler = handler;
	return INSN_GOOD_NO_SLOT;
}


/*
 * Prepare an instruction slot to receive an instruction for emulating.
 * This is done by placing a subroutine return after the location where the
 * instruction will be placed. We also modify ARM instructions to be
 * unconditional as the condition code will already be checked before any
 * emulation handler is called.
 */
static kprobe_opcode_t __kprobes
prepare_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
								bool thumb)
{
#ifdef CONFIG_THUMB2_KERNEL
	if (thumb) {
		u16 *thumb_insn = (u16 *)asi->insn;
		thumb_insn[1] = 0x4770; /* Thumb bx lr */
		thumb_insn[2] = 0x4770; /* Thumb bx lr */
		return insn;
	}
	asi->insn[1] = 0xe12fff1e; /* ARM bx lr */
#else
	asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */
#endif
	/* Make an ARM instruction unconditional */
	if (insn < 0xe0000000)
		insn = (insn | 0xe0000000) & ~0x10000000;
	return insn;
}

/*
 * Write a (probably modified) instruction into the slot previously prepared by
 * prepare_emulated_insn
 */
static void  __kprobes
set_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
								bool thumb)
{
#ifdef CONFIG_THUMB2_KERNEL
	if (thumb) {
		u16 *ip = (u16 *)asi->insn;
		if (is_wide_instruction(insn))
			*ip++ = insn >> 16;
		*ip++ = insn;
		return;
	}
#endif
	asi->insn[0] = insn;
}

/*
 * When we modify the register numbers encoded in an instruction to be emulated,
 * the new values come from this define. For ARM and 32-bit Thumb instructions
 * this gives...
 *
 *	bit position	  16  12   8   4   0
 *	---------------+---+---+---+---+---+
 *	register	 r2  r0  r1  --  r3
 */
#define INSN_NEW_BITS		0x00020103

/* Each nibble has same value as that at INSN_NEW_BITS bit 16 */
#define INSN_SAMEAS16_BITS	0x22222222

/*
 * Validate and modify each of the registers encoded in an instruction.
 *
 * Each nibble in regs contains a value from enum decode_reg_type. For each
 * non-zero value, the corresponding nibble in pinsn is validated and modified
 * according to the type.
 */
static bool __kprobes decode_regs(kprobe_opcode_t* pinsn, u32 regs)
{
	kprobe_opcode_t insn = *pinsn;
	kprobe_opcode_t mask = 0xf; /* Start at least significant nibble */

	for (; regs != 0; regs >>= 4, mask <<= 4) {

		kprobe_opcode_t new_bits = INSN_NEW_BITS;

		switch (regs & 0xf) {

		case REG_TYPE_NONE:
			/* Nibble not a register, skip to next */
			continue;

		case REG_TYPE_ANY:
			/* Any register is allowed */
			break;

		case REG_TYPE_SAMEAS16:
			/* Replace register with same as at bit position 16 */
			new_bits = INSN_SAMEAS16_BITS;
			break;

		case REG_TYPE_SP:
			/* Only allow SP (R13) */
			if ((insn ^ 0xdddddddd) & mask)
				goto reject;
			break;

		case REG_TYPE_PC:
			/* Only allow PC (R15) */
			if ((insn ^ 0xffffffff) & mask)
				goto reject;
			break;

		case REG_TYPE_NOSP:
			/* Reject SP (R13) */
			if (((insn ^ 0xdddddddd) & mask) == 0)
				goto reject;
			break;

		case REG_TYPE_NOSPPC:
		case REG_TYPE_NOSPPCX:
			/* Reject SP and PC (R13 and R15) */
			if (((insn ^ 0xdddddddd) & 0xdddddddd & mask) == 0)
				goto reject;
			break;

		case REG_TYPE_NOPCWB:
			if (!is_writeback(insn))
				break; /* No writeback, so any register is OK */
			/* fall through... */
		case REG_TYPE_NOPC:
		case REG_TYPE_NOPCX:
			/* Reject PC (R15) */
			if (((insn ^ 0xffffffff) & mask) == 0)
				goto reject;
			break;
		}

		/* Replace value of nibble with new register number... */
		insn &= ~mask;
		insn |= new_bits & mask;
	}

	*pinsn = insn;
	return true;

reject:
	return false;
}

static const int decode_struct_sizes[NUM_DECODE_TYPES] = {
	[DECODE_TYPE_TABLE]	= sizeof(struct decode_table),
	[DECODE_TYPE_CUSTOM]	= sizeof(struct decode_custom),
	[DECODE_TYPE_SIMULATE]	= sizeof(struct decode_simulate),
	[DECODE_TYPE_EMULATE]	= sizeof(struct decode_emulate),
	[DECODE_TYPE_OR]	= sizeof(struct decode_or),
	[DECODE_TYPE_REJECT]	= sizeof(struct decode_reject)
};

/*
 * kprobe_decode_insn operates on data tables in order to decode an ARM
 * architecture instruction onto which a kprobe has been placed.
 *
 * These instruction decoding tables are a concatenation of entries each
 * of which consist of one of the following structs:
 *
 *	decode_table
 *	decode_custom
 *	decode_simulate
 *	decode_emulate
 *	decode_or
 *	decode_reject
 *
 * Each of these starts with a struct decode_header which has the following
 * fields:
 *
 *	type_regs
 *	mask
 *	value
 *
 * The least significant DECODE_TYPE_BITS of type_regs contains a value
 * from enum decode_type, this indicates which of the decode_* structs
 * the entry contains. The value DECODE_TYPE_END indicates the end of the
 * table.
 *
 * When the table is parsed, each entry is checked in turn to see if it
 * matches the instruction to be decoded using the test:
 *
 *	(insn & mask) == value
 *
 * If no match is found before the end of the table is reached then decoding
 * fails with INSN_REJECTED.
 *
 * When a match is found, decode_regs() is called to validate and modify each
 * of the registers encoded in the instruction; the data it uses to do this
 * is (type_regs >> DECODE_TYPE_BITS). A validation failure will cause decoding
 * to fail with INSN_REJECTED.
 *
 * Once the instruction has passed the above tests, further processing
 * depends on the type of the table entry's decode struct.
 *
 */
int __kprobes
kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
				const union decode_item *table, bool thumb)
{
	const struct decode_header *h = (struct decode_header *)table;
	const struct decode_header *next;
	bool matched = false;

	insn = prepare_emulated_insn(insn, asi, thumb);

	for (;; h = next) {
		enum decode_type type = h->type_regs.bits & DECODE_TYPE_MASK;
		u32 regs = h->type_regs.bits >> DECODE_TYPE_BITS;

		if (type == DECODE_TYPE_END)
			return INSN_REJECTED;

		next = (struct decode_header *)
				((uintptr_t)h + decode_struct_sizes[type]);

		if (!matched && (insn & h->mask.bits) != h->value.bits)
			continue;

		if (!decode_regs(&insn, regs))
			return INSN_REJECTED;

		switch (type) {

		case DECODE_TYPE_TABLE: {
			struct decode_table *d = (struct decode_table *)h;
			next = (struct decode_header *)d->table.table;
			break;
		}

		case DECODE_TYPE_CUSTOM: {
			struct decode_custom *d = (struct decode_custom *)h;
			return (*d->decoder.decoder)(insn, asi);
		}

		case DECODE_TYPE_SIMULATE: {
			struct decode_simulate *d = (struct decode_simulate *)h;
			asi->insn_handler = d->handler.handler;
			return INSN_GOOD_NO_SLOT;
		}

		case DECODE_TYPE_EMULATE: {
			struct decode_emulate *d = (struct decode_emulate *)h;
			asi->insn_handler = d->handler.handler;
			set_emulated_insn(insn, asi, thumb);
			return INSN_GOOD;
		}

		case DECODE_TYPE_OR:
			matched = true;
			break;

		case DECODE_TYPE_REJECT:
		default:
			return INSN_REJECTED;
		}
		}
	}
Commit	Line	Data
0ab4c02d JM	1	/*
	2	* arch/arm/kernel/kprobes-common.c
	3	*
	4	* Copyright (C) 2011 Jon Medhurst <tixy@yxit.co.uk>.
	5	*
6c8df330 JM	6	* Some contents moved here from arch/arm/include/asm/kprobes-arm.c which is
	7	* Copyright (C) 2006, 2007 Motorola Inc.
	8	*
0ab4c02d JM	9	* This program is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU General Public License version 2 as
	11	* published by the Free Software Foundation.
	12	*/
	13
	14	#include <linux/kernel.h>
	15	#include <linux/kprobes.h>
	16
	17	#include "kprobes.h"
	18
	19
aea49029 JM	20	#ifndef find_str_pc_offset
aea49029 JM	21
6c8df330 JM	22	/*
	23	* For STR and STM instructions, an ARM core may choose to use either
	24	* a +8 or a +12 displacement from the current instruction's address.
	25	* Whichever value is chosen for a given core, it must be the same for
	26	* both instructions and may not change. This function measures it.
	27	*/
	28
	29	int str_pc_offset;
	30
	31	void __init find_str_pc_offset(void)
	32	{
	33	int addr, scratch, ret;
	34
	35	__asm__ (
	36	"sub %[ret], pc, #4 \n\t"
	37	"str pc, %[addr] \n\t"
	38	"ldr %[scr], %[addr] \n\t"
	39	"sub %[ret], %[scr], %[ret] \n\t"
	40	: [ret] "=r" (ret), [scr] "=r" (scratch), [addr] "+m" (addr));
	41
	42	str_pc_offset = ret;
	43	}
	44
aea49029 JM	45	#endif /* !find_str_pc_offset */
aea49029 JM	46
6c8df330	47
263e368a JM	48	#ifndef test_load_write_pc_interworking
	49
	50	bool load_write_pc_interworks;
	51
	52	void __init test_load_write_pc_interworking(void)
	53	{
	54	int arch = cpu_architecture();
	55	BUG_ON(arch == CPU_ARCH_UNKNOWN);
	56	load_write_pc_interworks = arch >= CPU_ARCH_ARMv5T;
	57	}
	58
	59	#endif /* !test_load_write_pc_interworking */
	60
	61
6c8df330 JM	62	void __init arm_kprobe_decode_init(void)
	63	{
	64	find_str_pc_offset();
263e368a	65	test_load_write_pc_interworking();
6c8df330 JM	66	}
	67
	68
0ab4c02d JM	69	static unsigned long __kprobes __check_eq(unsigned long cpsr)
	70	{
	71	return cpsr & PSR_Z_BIT;
	72	}
	73
	74	static unsigned long __kprobes __check_ne(unsigned long cpsr)
	75	{
	76	return (~cpsr) & PSR_Z_BIT;
	77	}
	78
	79	static unsigned long __kprobes __check_cs(unsigned long cpsr)
	80	{
	81	return cpsr & PSR_C_BIT;
	82	}
	83
	84	static unsigned long __kprobes __check_cc(unsigned long cpsr)
	85	{
	86	return (~cpsr) & PSR_C_BIT;
	87	}
	88
	89	static unsigned long __kprobes __check_mi(unsigned long cpsr)
	90	{
	91	return cpsr & PSR_N_BIT;
	92	}
	93
	94	static unsigned long __kprobes __check_pl(unsigned long cpsr)
	95	{
	96	return (~cpsr) & PSR_N_BIT;
	97	}
	98
	99	static unsigned long __kprobes __check_vs(unsigned long cpsr)
	100	{
	101	return cpsr & PSR_V_BIT;
	102	}
	103
	104	static unsigned long __kprobes __check_vc(unsigned long cpsr)
	105	{
	106	return (~cpsr) & PSR_V_BIT;
	107	}
	108
	109	static unsigned long __kprobes __check_hi(unsigned long cpsr)
	110	{
	111	cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
	112	return cpsr & PSR_C_BIT;
	113	}
	114
	115	static unsigned long __kprobes __check_ls(unsigned long cpsr)
	116	{
	117	cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
	118	return (~cpsr) & PSR_C_BIT;
	119	}
	120
	121	static unsigned long __kprobes __check_ge(unsigned long cpsr)
	122	{
	123	cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	124	return (~cpsr) & PSR_N_BIT;
	125	}
	126
	127	static unsigned long __kprobes __check_lt(unsigned long cpsr)
	128	{
	129	cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
	130	return cpsr & PSR_N_BIT;
	131	}
	132
133	static unsigned long __kprobes __check_gt(unsigned long cpsr)
134	{
135	unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
136	temp \|= (cpsr << 1); /* PSR_N_BIT \|= PSR_Z_BIT */
137	return (~temp) & PSR_N_BIT;
138	}
139
140	static unsigned long __kprobes __check_le(unsigned long cpsr)
141	{
142	unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
143	temp \|= (cpsr << 1); /* PSR_N_BIT \|= PSR_Z_BIT */
144	return temp & PSR_N_BIT;
145	}
146
147	static unsigned long __kprobes __check_al(unsigned long cpsr)
148	{
149	return true;
150	}
151
152	kprobe_check_cc * const kprobe_condition_checks[16] = {
153	&__check_eq, &__check_ne, &__check_cs, &__check_cc,
154	&__check_mi, &__check_pl, &__check_vs, &__check_vc,
155	&__check_hi, &__check_ls, &__check_ge, &__check_lt,
156	&__check_gt, &__check_le, &__check_al, &__check_al
157	};
0d1a095a JM	158
0d1a095a JM	159
3f92dfed JM	160	void __kprobes kprobe_simulate_nop(struct kprobe p, struct pt_regs regs)
	161	{
	162	}
	163
	164	void __kprobes kprobe_emulate_none(struct kprobe p, struct pt_regs regs)
	165	{
	166	p->ainsn.insn_fn();
	167	}
	168
235a4ce7 JM	169	static void __kprobes simulate_ldm1stm1(struct kprobe p, struct pt_regs regs)
	170	{
	171	kprobe_opcode_t insn = p->opcode;
	172	int rn = (insn >> 16) & 0xf;
	173	int lbit = insn & (1 << 20);
	174	int wbit = insn & (1 << 21);
	175	int ubit = insn & (1 << 23);
	176	int pbit = insn & (1 << 24);
	177	long addr = (long )regs->uregs[rn];
	178	int reg_bit_vector;
	179	int reg_count;
	180
	181	reg_count = 0;
	182	reg_bit_vector = insn & 0xffff;
	183	while (reg_bit_vector) {
	184	reg_bit_vector &= (reg_bit_vector - 1);
	185	++reg_count;
	186	}
	187
	188	if (!ubit)
	189	addr -= reg_count;
	190	addr += (!pbit == !ubit);
	191
	192	reg_bit_vector = insn & 0xffff;
	193	while (reg_bit_vector) {
	194	int reg = __ffs(reg_bit_vector);
	195	reg_bit_vector &= (reg_bit_vector - 1);
	196	if (lbit)
	197	regs->uregs[reg] = *addr++;
	198	else
	199	*addr++ = regs->uregs[reg];
	200	}
	201
	202	if (wbit) {
	203	if (!ubit)
	204	addr -= reg_count;
	205	addr -= (!pbit == !ubit);
	206	regs->uregs[rn] = (long)addr;
	207	}
	208	}
	209
	210	static void __kprobes simulate_stm1_pc(struct kprobe p, struct pt_regs regs)
	211	{
	212	regs->ARM_pc = (long)p->addr + str_pc_offset;
	213	simulate_ldm1stm1(p, regs);
	214	regs->ARM_pc = (long)p->addr + 4;
	215	}
	216
	217	static void __kprobes simulate_ldm1_pc(struct kprobe p, struct pt_regs regs)
	218	{
	219	simulate_ldm1stm1(p, regs);
	220	load_write_pc(regs->ARM_pc, regs);
	221	}
	222
3d4a9978 JM	223	static void __kprobes
	224	emulate_generic_r0_12_noflags(struct kprobe p, struct pt_regs regs)
	225	{
	226	register void *rregs asm("r1") = regs;
	227	register void *rfn asm("lr") = p->ainsn.insn_fn;
	228
	229	__asm__ __volatile__ (
	230	"stmdb sp!, {%[regs], r11} \n\t"
	231	"ldmia %[regs], {r0-r12} \n\t"
	232	#if __LINUX_ARM_ARCH__ >= 6
	233	"blx %[fn] \n\t"
	234	#else
	235	"str %[fn], [sp, #-4]! \n\t"
	236	"adr lr, 1f \n\t"
	237	"ldr pc, [sp], #4 \n\t"
	238	"1: \n\t"
	239	#endif
	240	"ldr lr, [sp], #4 \n\t" /* lr = regs */
	241	"stmia lr, {r0-r12} \n\t"
	242	"ldr r11, [sp], #4 \n\t"
	243	: [regs] "=r" (rregs), [fn] "=r" (rfn)
	244	: "0" (rregs), "1" (rfn)
	245	: "r0", "r2", "r3", "r4", "r5", "r6", "r7",
	246	"r8", "r9", "r10", "r12", "memory", "cc"
	247	);
	248	}
	249
	250	static void __kprobes
	251	emulate_generic_r2_14_noflags(struct kprobe p, struct pt_regs regs)
	252	{
	253	emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+2));
	254	}
	255
	256	static void __kprobes
	257	emulate_ldm_r3_15(struct kprobe p, struct pt_regs regs)
	258	{
	259	emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+3));
	260	load_write_pc(regs->ARM_pc, regs);
	261	}
	262
235a4ce7 JM	263	enum kprobe_insn __kprobes
	264	kprobe_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi)
	265	{
	266	kprobe_insn_handler_t *handler = 0;
	267	unsigned reglist = insn & 0xffff;
	268	int is_ldm = insn & 0x100000;
3d4a9978 JM	269	int rn = (insn >> 16) & 0xf;
	270
	271	if (rn <= 12 && (reglist & 0xe000) == 0) {
	272	/* Instruction only uses registers in the range R0..R12 */
	273	handler = emulate_generic_r0_12_noflags;
	274
	275	} else if (rn >= 2 && (reglist & 0x8003) == 0) {
	276	/* Instruction only uses registers in the range R2..R14 */
	277	rn -= 2;
	278	reglist >>= 2;
	279	handler = emulate_generic_r2_14_noflags;
	280
	281	} else if (rn >= 3 && (reglist & 0x0007) == 0) {
	282	/* Instruction only uses registers in the range R3..R15 */
	283	if (is_ldm && (reglist & 0x8000)) {
	284	rn -= 3;
	285	reglist >>= 3;
	286	handler = emulate_ldm_r3_15;
	287	}
	288	}
	289
	290	if (handler) {
	291	/* We can emulate the instruction in (possibly) modified form */
	292	asi->insn[0] = (insn & 0xfff00000) \| (rn << 16) \| reglist;
	293	asi->insn_handler = handler;
	294	return INSN_GOOD;
	295	}
235a4ce7	296
3d4a9978	297	/* Fallback to slower simulation... */
235a4ce7 JM	298	if (reglist & 0x8000)
	299	handler = is_ldm ? simulate_ldm1_pc : simulate_stm1_pc;
	300	else
	301	handler = simulate_ldm1stm1;
	302	asi->insn_handler = handler;
	303	return INSN_GOOD_NO_SLOT;
	304	}
	305
	306
0d1a095a JM	307	/*
	308	* Prepare an instruction slot to receive an instruction for emulating.
	309	* This is done by placing a subroutine return after the location where the
	310	* instruction will be placed. We also modify ARM instructions to be
	311	* unconditional as the condition code will already be checked before any
	312	* emulation handler is called.
	313	*/
	314	static kprobe_opcode_t __kprobes
	315	prepare_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
	316	bool thumb)
	317	{
	318	#ifdef CONFIG_THUMB2_KERNEL
	319	if (thumb) {
	320	u16 thumb_insn = (u16 )asi->insn;
	321	thumb_insn[1] = 0x4770; /* Thumb bx lr */
	322	thumb_insn[2] = 0x4770; /* Thumb bx lr */
	323	return insn;
	324	}
	325	asi->insn[1] = 0xe12fff1e; /* ARM bx lr */
	326	#else
	327	asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */
	328	#endif
	329	/* Make an ARM instruction unconditional */
	330	if (insn < 0xe0000000)
	331	insn = (insn \| 0xe0000000) & ~0x10000000;
	332	return insn;
	333	}
	334
	335	/*
	336	* Write a (probably modified) instruction into the slot previously prepared by
	337	* prepare_emulated_insn
	338	*/
	339	static void __kprobes
	340	set_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
	341	bool thumb)
	342	{
	343	#ifdef CONFIG_THUMB2_KERNEL
	344	if (thumb) {
	345	u16 ip = (u16 )asi->insn;
	346	if (is_wide_instruction(insn))
	347	*ip++ = insn >> 16;
	348	*ip++ = insn;
	349	return;
	350	}
	351	#endif
	352	asi->insn[0] = insn;
	353	}
	354
	355	/*
	356	* When we modify the register numbers encoded in an instruction to be emulated,
	357	* the new values come from this define. For ARM and 32-bit Thumb instructions
	358	* this gives...
	359	*
	360	* bit position 16 12 8 4 0
	361	* ---------------+---+---+---+---+---+
	362	* register r2 r0 r1 -- r3
	363	*/
	364	#define INSN_NEW_BITS 0x00020103
	365
	366	/* Each nibble has same value as that at INSN_NEW_BITS bit 16 */
	367	#define INSN_SAMEAS16_BITS 0x22222222
	368
	369	/*
	370	* Validate and modify each of the registers encoded in an instruction.
371	*
372	* Each nibble in regs contains a value from enum decode_reg_type. For each
373	* non-zero value, the corresponding nibble in pinsn is validated and modified
374	* according to the type.
375	*/
376	static bool __kprobes decode_regs(kprobe_opcode_t* pinsn, u32 regs)
377	{
378	kprobe_opcode_t insn = *pinsn;
379	kprobe_opcode_t mask = 0xf; /* Start at least significant nibble */
380
381	for (; regs != 0; regs >>= 4, mask <<= 4) {
382
383	kprobe_opcode_t new_bits = INSN_NEW_BITS;
384
385	switch (regs & 0xf) {
386
387	case REG_TYPE_NONE:
388	/* Nibble not a register, skip to next */
389	continue;
390
391	case REG_TYPE_ANY:
392	/* Any register is allowed */
393	break;
394
395	case REG_TYPE_SAMEAS16:
396	/* Replace register with same as at bit position 16 */
397	new_bits = INSN_SAMEAS16_BITS;
398	break;
399
400	case REG_TYPE_SP:
401	/* Only allow SP (R13) */
402	if ((insn ^ 0xdddddddd) & mask)
403	goto reject;
404	break;
405
406	case REG_TYPE_PC:
407	/* Only allow PC (R15) */
408	if ((insn ^ 0xffffffff) & mask)
409	goto reject;
410	break;
411
412	case REG_TYPE_NOSP:
413	/* Reject SP (R13) */
414	if (((insn ^ 0xdddddddd) & mask) == 0)
415	goto reject;
416	break;
417
418	case REG_TYPE_NOSPPC:
419	case REG_TYPE_NOSPPCX:
420	/* Reject SP and PC (R13 and R15) */
421	if (((insn ^ 0xdddddddd) & 0xdddddddd & mask) == 0)
422	goto reject;
423	break;
424
425	case REG_TYPE_NOPCWB:
426	if (!is_writeback(insn))
427	break; /* No writeback, so any register is OK */
428	/* fall through... */
429	case REG_TYPE_NOPC:
430	case REG_TYPE_NOPCX:
431	/* Reject PC (R15) */
432	if (((insn ^ 0xffffffff) & mask) == 0)
433	goto reject;
434	break;
435	}
436
437	/* Replace value of nibble with new register number... */
438	insn &= ~mask;
439	insn \|= new_bits & mask;
440	}
441
442	*pinsn = insn;
443	return true;
444
445	reject:
446	return false;
447	}
448
449	static const int decode_struct_sizes[NUM_DECODE_TYPES] = {
450	[DECODE_TYPE_TABLE] = sizeof(struct decode_table),
451	[DECODE_TYPE_CUSTOM] = sizeof(struct decode_custom),
452	[DECODE_TYPE_SIMULATE] = sizeof(struct decode_simulate),
453	[DECODE_TYPE_EMULATE] = sizeof(struct decode_emulate),
454	[DECODE_TYPE_OR] = sizeof(struct decode_or),
455	[DECODE_TYPE_REJECT] = sizeof(struct decode_reject)
456	};
457
458	/*
459	* kprobe_decode_insn operates on data tables in order to decode an ARM
460	* architecture instruction onto which a kprobe has been placed.
461	*
462	* These instruction decoding tables are a concatenation of entries each
463	* of which consist of one of the following structs:
464	*
465	* decode_table
466	* decode_custom
467	* decode_simulate
468	* decode_emulate
469	* decode_or
470	* decode_reject
471	*
472	* Each of these starts with a struct decode_header which has the following
473	* fields:
474	*
475	* type_regs
476	* mask
477	* value
478	*
479	* The least significant DECODE_TYPE_BITS of type_regs contains a value
480	* from enum decode_type, this indicates which of the decode_* structs
481	* the entry contains. The value DECODE_TYPE_END indicates the end of the
482	* table.
483	*
484	* When the table is parsed, each entry is checked in turn to see if it
485	* matches the instruction to be decoded using the test:
486	*
487	* (insn & mask) == value
488	*
489	* If no match is found before the end of the table is reached then decoding
490	* fails with INSN_REJECTED.
491	*
492	* When a match is found, decode_regs() is called to validate and modify each
493	* of the registers encoded in the instruction; the data it uses to do this
494	* is (type_regs >> DECODE_TYPE_BITS). A validation failure will cause decoding
495	* to fail with INSN_REJECTED.
496	*
497	* Once the instruction has passed the above tests, further processing
498	* depends on the type of the table entry's decode struct.
499	*
500	*/
501	int __kprobes
502	kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
503	const union decode_item *table, bool thumb)
504	{
505	const struct decode_header h = (struct decode_header )table;
506	const struct decode_header *next;
507	bool matched = false;
508
509	insn = prepare_emulated_insn(insn, asi, thumb);
510
511	for (;; h = next) {
512	enum decode_type type = h->type_regs.bits & DECODE_TYPE_MASK;
513	u32 regs = h->type_regs.bits >> DECODE_TYPE_BITS;
514
515	if (type == DECODE_TYPE_END)
516	return INSN_REJECTED;
517
518	next = (struct decode_header *)
519	((uintptr_t)h + decode_struct_sizes[type]);
520
521	if (!matched && (insn & h->mask.bits) != h->value.bits)
522	continue;
523
524	if (!decode_regs(&insn, regs))
525	return INSN_REJECTED;
526
527	switch (type) {
528
529	case DECODE_TYPE_TABLE: {
530	struct decode_table d = (struct decode_table )h;
531	next = (struct decode_header *)d->table.table;
532	break;
533	}
534
535	case DECODE_TYPE_CUSTOM: {
536	struct decode_custom d = (struct decode_custom )h;
537	return (*d->decoder.decoder)(insn, asi);
538	}
539
540	case DECODE_TYPE_SIMULATE: {
541	struct decode_simulate d = (struct decode_simulate )h;
542	asi->insn_handler = d->handler.handler;
543	return INSN_GOOD_NO_SLOT;
544	}
545
546	case DECODE_TYPE_EMULATE: {
547	struct decode_emulate d = (struct decode_emulate )h;
548	asi->insn_handler = d->handler.handler;
549	set_emulated_insn(insn, asi, thumb);
550	return INSN_GOOD;
551	}
552
553	case DECODE_TYPE_OR:
554	matched = true;
555	break;
556
557	case DECODE_TYPE_REJECT:
558	default:
559	return INSN_REJECTED;
560	}
561	}
562	}