The decoding of these instructions got the register indexed and
immediate indexed forms the wrong way around, causing incorrect
emulation.

Instructions like "LDRD Rx, [Rx]" were corrupting Rx because the base
register writeback was being performed unconditionally, overwriting the
value just loaded from memory. The fix is to only writeback the base
register when that form of the instruction is used. Note, now that we
reject probing writeback with PC the emulation code doesn't need the
check rn!=15.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Using PC as an base register with writeback is UNPREDICTABLE, as is non
word-sized loads or stores of PC. (We only really care about preventing
loads to PC but it keeps the code simpler if we also exclude stores.)
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

The decoding of these instructions got the register indexed and
immediate indexed forms the wrong way around, causing incorrect
emulation.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

The emulation code for STREX and LDREX instructions is faulty, however,
rather than attempting to fix this we reject probes of these
instructions. We do this because they can never succeed in gaining
exclusive access as the exception framework clears the exclusivity
monitor when a probes breakpoint is hit. (This is a general problem
when probing all instructions executing between a LDREX and its
corresponding STREX and can lead to infinite retry loops.)
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

The instructions space for 'Multiply and multiply-accumulate'
instructions contains some undefined patterns. We need to reject
probing of these because they may in future become defined and the
kprobes code may then emulate them faultily.

This has already happened with the new MLS instruction which this patch
also adds correct decoding for as well as tightening up other decoding
tests. (Before this patch the wrong emulation routine was being called
for MLS though it still produced correct results.)
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

The MRS instruction should set mode and interrupt bits in the read value
so it is simpler to use a new simulation routine (simulate_mrs) rather
than some modified emulation.

prep_emulate_rd12 is now unused and removed.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

We need to reject probing of instructions which read SPSR because
we can't handle this as the value in SPSR is lost when the exception
handler for the probe breakpoint first runs.

This patch also fixes the bitmask for MRS instructions decoding to
include checking bits 5-7.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Emulation of instructions like "ADD rd, rn, #<const>" would result in a
corrupted value for rd.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Probing these instructions was corrupting R0 because the emulation code
didn't account for the fact that they don't write a result to a
register.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Now we have the framework code handling conditionally executed
instructions we can remove redundant checks in individual simulation
routines.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

When a kprobe is placed onto conditionally executed ARM instructions,
many of the emulation routines used to single step them produce corrupt
register results. Rather than fix all of these cases we modify the
framework which calls them to test the relevant condition flags and, if
the test fails, skip calling the emulation code.
Signed-off-by: NJon Medhurst <tixy@yxit.co.uk>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

Currently emulate_ldrd and emulate_strd don't even have the adjustment
of the PC value, so in case of Rn == PC, it will not update the PC
incorrectly but instead load/store from the wrong address.  Let's add
both the adjustment of the PC value and the check for PC == PC.
Signed-off-by: NViktor Rosendahl <viktor.rosendahl@nokia.com>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>

The Rn value from the emulation is unconditionally written back;
this is fine as long as Rn != PC because in that case, even if the
instruction isn't a write back instruction, it will only result in the
same value being written back.

In case Rn == PC, then the emulated instruction doesn't have the
actual PC value in Rn but an adjusted value; when this is written
back, it will result in the PC being incorrectly updated.

An altenative solution would be to check bits 24 and 22 to see whether
the instruction actually is a write back instruction or not. I think
it's enough to check whether Rn != PC,  because:
- it's looks cheaper than the alternative
- to my understaning it's not permitted to update the PC with a write
back instruction, so we don't lose any ability to emulate legal
instructions.
- in case of writing back for non write back instructions where Rn != PC, it doesn't matter because the values are the same.

Regarding the second point above, it would possibly be prudent to add
some checking to prep_emulate_ldr_str(), so that instructions with
both write back and Rn == PC would be rejected.
Signed-off-by: NViktor Rosendahl <viktor.rosendahl@nokia.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Marcin Slusarz says:

> In arch/arm/kernel/kprobes-decode.c there's a function
> arm_kprobe_decode_insn which does:
>
> } else if ((insn & 0x0e000000) == 0x0c400000) {
> ...
>
> This is always false, so code below is dead.
> I found this bug by coccinelle (http://coccinelle.lip6.fr/).
Reported-by: NMarcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

The MOVW instruction moves a 16-bit immediate into the bottom halfword
of the destination register.

This patch ensures that kprobes leaves the 16-bit immediate intact, rather
than assume a 12-bit immediate and mask out the upper 4 bits.
Acked-by: NNicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: NWill Deacon <will.deacon@arm.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

From: Bin Yang <bin.yang@marvell.com>

Cc: stable@kernel.org
Signed-off-by: NBin Yang <bin.yang@marvell.com>
Signed-off-by: NNicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Logic for the p bit was reversed.
Signed-off-by: NNicolas Pitre <nico@marvell.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

The ARM kprobes arithmetic immediate instruction decoder
(space_cccc_001x()) was accidentally zero'ing out not only the Rn and
Rd arguments, but the lower nibble of the immediate argument as well
-- this patch fixes this.
Signed-off-by: NLennert Buytenhek <buytenh@marvell.com>
Acked-by: NNicolas Pitre <nico@marvell.com>

This is the code implementing instruction single-stepping for kprobes
on ARM.

To get around the limitation of no Next-PC and no hardware single-
stepping, all kprobe'd instructions are split into three camps:
simulation, emulation, and rejected. "Simulated" instructions are
those instructions which behavior is reproduced by straight C code.
"Emulated" instructions are ones that are copied, slightly altered
and executed directly in the instruction slot to reproduce their
behavior.  "Rejected" instructions are ones that could be simulated,
but work hasn't been put into simulating them. These instructions
should be very rare, if not unencountered, in the kernel. If ever
needed, code could be added to simulate them.

One might wonder why this and the ptrace singlestep facility are not
sharing some code.  Both approaches are fundamentally different because
the ptrace code regains control after the stepped instruction by installing
a breakpoint after the instruction itself, and possibly at the location
where the instruction might be branching to, instead of simulating or
emulating the target instruction.

The ptrace approach isn't suitable for kprobes because the breakpoints
would have to be moved back, and the icache flushed, everytime the
probe is hit to let normal code execution resume, which would have a
significant performance impact. It is also racy on SMP since another
CPU could, with the right timing, sail through the probe point without
being caught.  Because ptrace single-stepping always result in a
different process to be scheduled, the concern for performance is much
less significant.

On the other hand, the kprobes approach isn't (currently) suitable for
ptrace because it has no provision for proper user space memory
protection and translation, and even if that was implemented, the gain
wouldn't be worth the added complexity in the ptrace path compared to
the current approach.

So, until kprobes does support user space, both kprobes and ptrace are
best kept independent and separate.
Signed-off-by: NQuentin Barnes <qbarnes@gmail.com>
Signed-off-by: NAbhishek Sagar <sagar.abhishek@gmail.com>
Signed-off-by: NNicolas Pitre <nico@marvell.com>