I would like to use register_wide_hw_breakpoint in my kernel module to observe changes to the page structs of the memory pages I am working with (for debugging purposes).
However, it seems like I can only register breakpoints in the module init function. The function returns -1 (EPERM?) if I use it from the ioctl-handler. This blogpost had me assume it should be possible.
I am running a 5.1.0 kernel on a Intel(R) Xeon(R) Silver 4215.
Example code:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/fs.h>
#include <linux/miscdevice.h>
#include <linux/uaccess.h>
#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>
#include <linux/kallsyms.h>
static uint32_t val = 0;
void inc_val(void)
{
val++;
}
struct perf_event * __percpu *sample_hbp;
static void sample_hbp_handler(struct perf_event *bp, struct perf_sample_data *data, struct pt_regs *regs)
{
pr_info("My module: val changed!");
}
int test_hw_breakpoint(void)
{
struct perf_event_attr attr;
hw_breakpoint_init(&attr);
attr.bp_addr = (unsigned long)&val;
attr.bp_len = HW_BREAKPOINT_LEN_4;
attr.bp_type = HW_BREAKPOINT_W;
pr_info("My module: HW breakpoint at 0x%llx\n", attr.bp_addr);
sample_hbp = register_wide_hw_breakpoint(&attr, sample_hbp_handler, NULL);
if (IS_ERR((void __force *)sample_hbp))
{
int ret = PTR_ERR((void __force *)sample_hbp);
pr_info("My module: Breakpoint registration failed: %d\n", ret);
return ret;
}
inc_val();
pr_info("My module: val: %d", val);
inc_val();
pr_info("My module: val: %d", val);
unregister_wide_hw_breakpoint(sample_hbp);
return 0;
}
static int mod_open(struct inode *inode, struct file *file)
{
(void)inode;
(void)file;
pr_info("My module: Opening...\n");
return 0;
}
static int mod_release(struct inode *inode, struct file *file)
{
(void)inode;
(void)file;
pr_info("My module: Releasing...\n");
return 0;
}
static long mod_ioctl(struct file *file, unsigned num, uintptr_t param)
{
(void)file;
(void)num;
(void)param;
pr_info("My module: Ioctl...\n");
test_hw_breakpoint();
return 0;
}
static struct file_operations fops = {
.open = mod_open,
.release = mod_release,
.unlocked_ioctl = mod_ioctl,
};
static struct miscdevice mod_dev = {
.minor = MISC_DYNAMIC_MINOR,
.name = "mymod!io",
.fops = &fops,
.mode = 0666,
};
int mod_init(void)
{
int ret;
ret = misc_register(&mod_dev);
if (ret != 0)
return ret;
test_hw_breakpoint();
return 0;
}
void mod_exit(void)
{
misc_deregister(&mod_dev);
}
static int __init od_init(void)
{
int ret;
pr_info("My module: Initializing...\n");
ret = mod_init();
if (ret != 0)
return -1;
return 0;
}
static void __exit od_exit(void)
{
pr_info("My module: Terminating...\n");
mod_exit();
}
module_init(od_init)
module_exit(od_exit)
MODULE_LICENSE("GPL");
Produces the following output in dmesg:
[ +0.031269] My module: Initializing...
[ +0.000086] My module: HW breakpoint at 0xffffffffc04ae4c8
[ +0.000191] My module: val changed!
[ +0.000002] My module: val: 1
[ +0.000003] My module: val changed!
[ +0.000001] My module: val: 2
[ +0.002405] My module: Opening...
[ +0.000003] My module: Ioctl...
[ +0.000003] My module: HW breakpoint at 0xffffffffc04ae4c8
[ +0.000019] My module: Breakpoint registration failed: -1
[ +0.000003] My module: Releasing...
I don't know the memory address to observe at module initialization. Is there any way I can add a data breakpoint at runtime?
When a process issues a system call, it switches to kernel mode, but the kernel code is running in "process context". The process could, in theory, do anything while running in kernel mode. However, typical kernel code will check that the calling process has the capability to do what it is trying to do. A process has a list of capabilities of things it is allowed to do: see capabilities(7).
In OP's particular case, the unprivileged process that is issuing the ioctl call that results in the call to register_wide_hw_breakpoint is probably failing when it fails the check in the hw_breakpoint_parse function in "kernel/events/hw_breakpoint.c":
if (arch_check_bp_in_kernelspace(hw)) {
if (attr->exclude_kernel)
return -EINVAL;
/*
* Don't let unprivileged users set a breakpoint in the trap
* path to avoid trap recursion attacks.
*/
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
}
Related
Just do some research of ftrace.
TCP echo program is running between two host.
When I shutdown the big switch(echo 0 > /proc/sys/kernel/ftrace_enabled ), my own kprobe module cannot work also. The printk message cannot be seen in the kernel log file. Also, The pkt modify operation failed and the pkt can be received successfully.
It really confused me a lot.
My test kprobe module is here:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/skbuff.h>
#include <linux/inet.h>
/* For each probe you need to allocate a kprobe structure */
static struct kprobe kp = {
.symbol_name = "ip_rcv",
};
/* kprobe pre_handler: called just before the probed instruction is executed */
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
struct sk_buff * skb = (struct sk_buff *)(regs->di);
u16 dst_port;
dst_port = ntohs(*((u16*)(skb->head + skb->transport_header + 2)));
if(dst_port == 50000){ //50000 is the TCP port
printk(KERN_INFO "post handler addr 0x%p skb is 0x%d\n",p->addr, regs->di);
// modify one byte to make TCP checksum wrong and drop the pkt.
*((u8*)(skb->head + skb->network_header +7))=0xab;
}
return 0;
}
/* kprobe post_handler: called after the probed instruction is executed */
static void handler_post(struct kprobe *p, struct pt_regs *regs,
unsigned long flags)
{
//printk(KERN_INFO "post handler addr 0x%p skb is 0x%d\n",p->addr, regs->di);
}
/*
* fault_handler: this is called if an exception is generated for any
* instruction within the pre- or post-handler, or when Kprobes
* single-steps the probed instruction.
*/
static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr)
{
printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%dn",
p->addr, trapnr);
/* Return 0 because we don't handle the fault. */
return 0;
}
static int __init kprobe_init(void)
{
int ret;
kp.pre_handler = handler_pre;
kp.post_handler = handler_post;
kp.fault_handler = handler_fault;
ret = register_kprobe(&kp);
if (ret < 0) {
printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
return ret;
}
printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
return 0;
}
static void __exit kprobe_exit(void)
{
unregister_kprobe(&kp);
printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}
module_init(kprobe_init)
module_exit(kprobe_exit)
MODULE_LICENSE("GPL");
Question Closed.
Actually in sys/kernel/debug/kprobes/list we can get the list of registered kprobe. And I get this xxxxxxxxxxx k ip_rcv+0x0 [FTRACE], it means that the this kprobe is ftrace-based. ftrace-based kprobe cannot work if disable the ftrace.
The call to request_mem_region is failing (returns null).
I would say that the memory region I'm trying to access (GPIO starting at 0x3f20000) is being used.
I removed (rmmod) the module bcm28795_gpio but the request is still failing.
The modules I have loaded are (lsmod):
Module Size Used by
cfg80211 427817 0
rfkill 16018 1 cfg80211
snd_bcm2835 20511 0
snd_pcm 75890 1 snd_bcm2835
snd_timer 19160 1 snd_pcm
snd 51908 3 snd_bcm2835,snd_timer,snd_pcm
bcm2835_wdt 3225 0
uio_pdrv_genirq 3164 0
uio 8000 1 uio_pdrv_genirq
i2c_dev 5859 0
ipv6 347473 30`
cat /proc/iomem is returning the following:
00000000-3affffff : System RAM
00008000-007e7483 : Kernel code
00860000-0098e1ab : Kernel data
3f006000-3f006fff : dwc_otg
3f007000-3f007eff : /soc/dma#7e007000
3f00b840-3f00b84e : /soc/vchiq
3f00b880-3f00b8bf : /soc/mailbox#7e00b800
3f200000-3f2000b3 : /soc/gpio#7e200000
3f201000-3f201fff : /soc/uart#7e201000
3f201000-3f201fff : /soc/uart#7e201000
3f202000-3f2020ff : /soc/sdhost#7e202000
3f980000-3f98ffff : dwc_otg`
I think this issue is related to the Device Tree, but I'm not sure what do next.
The driver code:
#include <linux/module.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/errno.h>
#include <linux/io.h>
#include <linux/platform_device.h>
#include <linux/miscdevice.h>
#include <linux/of.h>
#include <linux/of_address.h>
#define DRIVER_NAME "tsgpio"
struct tsgpio_dev {
struct resource res;
void __iomem *virtbase;
} dev;
static const struct file_operations tsgpio_fops = {
.owner = THIS_MODULE,
};
static struct miscdevice tsgpio_misc_device = {
.minor = MISC_DYNAMIC_MINOR,
.name = DRIVER_NAME,
.fops = &tsgpio_fops,
};
static const struct of_device_id tsgpio_of_match[] = {
{ .compatible = "brcm,bcm2835-gpiomem" },
{},
};
MODULE_DEVICE_TABLE(of, tsgpio_of_match);
int __init tsgpio_probe(struct platform_device *pdev)
{
int ret;
ret = misc_register(&tsgpio_misc_device);
if (ret)
return ENODEV;
// Find address range in device tree
ret = of_address_to_resource(pdev->dev.of_node, 0, &dev.res);
if (ret) {
ret = ENOENT;
goto out_deregister;
}
// Request access to memory
if (request_mem_region(dev.res.start, resource_size(&dev.res),
DRIVER_NAME) == NULL) {
ret = EBUSY;
goto out_deregister;
}
/* Arrange access to our registers (calls ioremap) */
dev.virtbase = of_iomap(pdev->dev.of_node, 0);
if (dev.virtbase == NULL) {
ret = ENOMEM;
goto out_release_mem_region;
}
return 0;
out_release_mem_region:
release_mem_region(dev.res.start, resource_size(&dev.res));
out_deregister:
misc_deregister(&tsgpio_misc_device);
return ret;
}
int tsgpio_remove(struct platform_device *pdev)
{
iounmap(dev.virtbase);
release_mem_region(dev.res.start, resource_size(&dev.res));
misc_deregister(&tsgpio_misc_device);
return 0;
}
static struct platform_driver tsgpio_driver = {
.driver = {
.name = DRIVER_NAME,
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(tsgpio_of_match),
},
.remove = __exit_p(tsgpio_remove),
};
static int __init tsgpio_init(void)
{
return platform_driver_probe(&tsgpio_driver, tsgpio_probe);
}
static void __exit tsgpio_exit(void)
{
platform_driver_unregister(&tsgpio_driver);
}
module_init(tsgpio_init);
module_exit(tsgpio_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Emanuel Oliveira");
Output from dmesg:
[ 1745.126636] tsgpio: init
[ 1745.130025] tsgpio: probe of 3f200000.gpiomem failed with error 16
Thank you!
I have written a kretprobe to hook on to the randomize_stack_top() function mentioned in fs/binfmt_elf.c file. On loading the LKM with insmod the register_kretprobe() call fails with a return value of -2. How do I go about debugging/rectifying that in order to get my module started ?
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/binfmts.h>
#include <linux/elf.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/current.h>
#include <asm/param.h>
/* Global variables */
int randomize_stack_retval;
// randomize_stack_top() kretprobe specific declarations
static char stack_name[NAME_MAX] = "randomize_stack_top";
static int randomize_stack_top_entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
return 0;
}
static int randomize_stack_top_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
randomize_stack_retval = regs_return_value(regs); //store in global variable
printk(KERN_INFO "%d\n",randomize_stack_retval);
return 0;
}
//randomize_stack_top return probe
static struct kretprobe randomize_kretprobe = {
.handler = randomize_stack_top_ret_handler,
.entry_handler = randomize_stack_top_entry_handler,
.maxactive = NR_CPUS,
};
/* Register kretprobe */
static int __init kretprobe_init(void)
{
int ret;
randomize_kretprobe.kp.symbol_name = stack_name;
ret = register_kretprobe(&randomize_kretprobe);
if (ret < 0) {
printk(KERN_INFO "register_kretprobe failed, returned %d\n",
ret);
return -1;
}
printk(KERN_INFO "Planted return probe at %s: %p\n",
randomize_kretprobe.kp.symbol_name, randomize_kretprobe.kp.addr);
return 0;
}
/* Unregister kretprobe */
static void __exit kretprobe_exit(void)
{
unregister_kretprobe(&randomize_kretprobe);
printk(KERN_INFO "kretprobe at %p unregistered\n",
randomize_kretprobe.kp.addr);
// nmissed > 0 suggests that maxactive was set too low.
printk(KERN_INFO "Missed probing %d instances of %s\n",
randomize_kretprobe.nmissed, randomize_kretprobe.kp.symbol_name);
}
module_init(kretprobe_init);
module_exit(kretprobe_exit);
MODULE_LICENSE("GPL");
-2 corresponds to -ENOENT (you can check that in include/uapi/asm-generic/errno-base.h). Probably, it means that kprobe cannot find symbol with given name.
Note, that randomize_stack_top is static function with a short implementation and it is used only once. So it can be inlined by the gcc.
I have been following the Linux 2.6 Kernel Module Programming Guide, when I ran into the first example from Chapter 5, called procfs1.c.
It would not compile out of the box, and after checking various related questions, it still took me quite some time to figure out the correct changes to make it compile and work as intended.
Therefore, I am posting my updated code for people in the future. I am running kernel 2.6.32-279.el6.x86_64.
Here is an updated version of the example that works with kernel version 2.6.32-279.el6.x86_64.
/*
* procfs1.c - create a "file" in /proc
*
*/
#include <linux/module.h> /* Specifically, a module */
#include <linux/kernel.h> /* We're doing kernel work */
#include <linux/proc_fs.h> /* Necessary because we use the proc fs */
#define procfs_name "helloworld"
/**
* This structure hold information about the /proc file
*
*/
struct proc_dir_entry *Our_Proc_File;
static ssize_t procfile_read(struct file *filp,
char *buffer,
size_t length,
loff_t * offset)
{
int ret;
printk(KERN_INFO "procfile_read (/proc/%s) called\n", procfs_name);
if (*offset > 0) {
/* we have finished to read, return 0 */
ret = 0;
} else {
/* fill the buffer, return the buffer size */
ret = sprintf(buffer, "HelloWorld!\n");
*offset = ret;
}
return ret;
}
static struct file_operations fops = {
.owner = THIS_MODULE,
.read = procfile_read,
};
int init_module()
{
Our_Proc_File = proc_create(procfs_name, S_IFREG | S_IRUGO, NULL, &fops);
if (Our_Proc_File == NULL) {
remove_proc_entry(procfs_name, NULL);
printk(KERN_ALERT "Error: Could not initialize /proc/%s\n",
procfs_name);
return -ENOMEM;
}
Our_Proc_File->uid = 0;
Our_Proc_File->gid = 0;
Our_Proc_File->size = 37;
printk(KERN_INFO "/proc/%s created\n", procfs_name);
return 0; /* everything is ok */
}
void cleanup_module()
{
remove_proc_entry(procfs_name, NULL);
printk(KERN_INFO "/proc/%s removed\n", procfs_name);
}
After performing the command "insmod demo_device" the modules listed in /proc/modules
**demo_device 2528 0 - Live 0xe02da000**
fp_indicators 5072 1 - Live 0xe02d2000 (P)
screader 22672 1 - Live 0xe02c5000 (P)
icamdescrambler 12912 0 - Live 0xe02b2000 (P)
icamemmfilter 16208 0 - Live 0xe02a4000 (P)
icamecmfilter 14992 0 - Live 0xe0294000 (P)
but "(P)" is not avail after that.
After firing the command cat /proc/devices the device "demo_device" is not listed there.
So my question is that: what (P) stands in (cat /proc/modules) and what could be the reason that the device is not listed in (cat /proc/devices).
Thanks in Advance !!
The source code is as:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/fs.h>
#include <linux/cdev.h>
#include <linux/device.h>
#include <linux/errno.h>
#include <asm/uaccess.h>
#include "query_ioctl.h"
#define FIRST_MINOR 0
#define MINOR_CNT 1
static dev_t dev;
static struct cdev c_dev;
static struct class *cl;
static int status = 1, dignity = 3, ego = 5;
static int my_open(struct inode *i, struct file *f)
{
return 0;
}
static int my_close(struct inode *i, struct file *f)
{
return 0;
}
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35))
static int my_ioctl(struct inode *i, struct file *f, unsigned int cmd, unsigned long arg)
#else
static long my_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
#endif
{
query_arg_t q;
switch (cmd)
{
case QUERY_GET_VARIABLES:
q.status = status;
q.dignity = dignity;
q.ego = ego;
if (copy_to_user((query_arg_t *)arg, &q, sizeof(query_arg_t)))
{
return -EACCES;
}
break;
case QUERY_CLR_VARIABLES:
status = 0;
dignity = 0;
ego = 0;
break;
case QUERY_SET_VARIABLES:
if (copy_from_user(&q, (query_arg_t *)arg, sizeof(query_arg_t)))
{
return -EACCES;
}
status = q.status;
dignity = q.dignity;
ego = q.ego;
break;
default:
return -EINVAL;
}
return 0;
}
static struct file_operations query_fops =
{
.owner = THIS_MODULE,
.open = my_open,
.release = my_close,
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35))
.ioctl = my_ioctl
#else
.unlocked_ioctl = my_ioctl
#endif
};
static int __init query_ioctl_init(void)
{
int ret;
struct device *dev_ret;
printk("Before calling alloc\n");
dev=150;
if ((ret = register_chrdev_region(dev, MINOR_CNT, "demo_device")))
{
return ret;
}
else if((ret = alloc_chrdev_region(&dev,0,MINOR_CNT,"demo_device")))
{
return ret;
}
printk("After alloc %d %d\n",ret,dev);
cdev_init(&c_dev, &query_fops);
if ((ret = cdev_add(&c_dev, dev, MINOR_CNT)) < 0)
{
return ret;
}
printk("After cdev_add\n");
if (IS_ERR(cl = class_create(THIS_MODULE, "char")))
{
cdev_del(&c_dev);
unregister_chrdev_region(dev, MINOR_CNT);
return PTR_ERR(cl);
}
printk("After class_create\n");
if (IS_ERR(dev_ret = device_create(cl, NULL, dev, NULL, "demo")))
{
class_destroy(cl);
cdev_del(&c_dev);
unregister_chrdev_region(dev, MINOR_CNT);
return PTR_ERR(dev_ret);
}
printk("After device_create\n");
return 0;
}
static void __exit query_ioctl_exit(void)
{
device_destroy(cl, dev);
class_destroy(cl);
cdev_del(&c_dev);
unregister_chrdev_region(dev, MINOR_CNT);
}
module_init(query_ioctl_init);
module_exit(query_ioctl_exit);
MODULE_LICENSE("GPL");
And after inserting the module I am able to see these messages:
$insmod demo_device.ko
Before calling alloc
After alloc 0 217055232
After cdev_add
After class_create
After device_create
$
Make sure that Major Number of the device is not preoccupied by some other device file. use the following command to check the occupied Major Numbers
cat /proc/devices
Use the following code to capture initialization error in init function
int t=register_chrdev(majorNumber,"mydev",&fops);
if(t<0)
printk(KERN_ALERT "device registration failed.");
Use dmesg to look into kernel logs
Look at module_flags_taint() in kernel/module.c.
The 'P' flag merely indicated the other modules are proprietary. The reason your device doesn't show up in /proc/devices is probably because something is wrong with the initialisation, but we can't help you with that unless you show us code.
After perfroming make clean to the linux/application source code and rebuilding it again...make it works. Now after inserting the module the corresponding entry is visibe in the /proc/devcies file :)