Re: [PATCH v13 bpf-next 1/1] rethook: x86: Add rethook x86 implementation

[Peter Zijlstra <peterz@infradead.org>]

On Wed, Mar 23, 2022 at 11:34:59AM +0900, Masami Hiramatsu wrote:
> Add rethook for x86 implementation. Most of the code has been copied from
> kretprobes on x86.

Right; as said, I'm really unhappy with growing a carbon copy of this
stuff instead of sharing. Can we *please* keep it a single instance?
Them being basically indentical, it should be trivial to have
CONFIG_KPROBE_ON_RETHOOK (or somesuch) and just share this.

Also, what's rethook for anyway?

> diff --git a/arch/x86/kernel/kprobes/common.h b/arch/x86/kernel/kprobes/common.h
> index 7d3a2e2daf01..c993521d4933 100644
> --- a/arch/x86/kernel/kprobes/common.h
> +++ b/arch/x86/kernel/kprobes/common.h
> @@ -6,6 +6,7 @@
>  
>  #include <asm/asm.h>
>  #include <asm/frame.h>
> +#include <asm/insn.h>
>  
>  #ifdef CONFIG_X86_64
>  
> diff --git a/arch/x86/kernel/rethook.c b/arch/x86/kernel/rethook.c
> new file mode 100644
> index 000000000000..3e916361c33b
> --- /dev/null
> +++ b/arch/x86/kernel/rethook.c
> @@ -0,0 +1,121 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * x86 implementation of rethook. Mostly copied from arch/x86/kernel/kprobes/core.c.
> + */
> +#include <linux/bug.h>
> +#include <linux/rethook.h>
> +#include <linux/kprobes.h>
> +#include <linux/objtool.h>
> +
> +#include "kprobes/common.h"
> +
> +__visible void arch_rethook_trampoline_callback(struct pt_regs *regs);
> +
> +/*
> + * When a target function returns, this code saves registers and calls
> + * arch_rethook_trampoline_callback(), which calls the rethook handler.
> + */
> +asm(
> +	".text\n"
> +	".global arch_rethook_trampoline\n"
> +	".type arch_rethook_trampoline, @function\n"
> +	"arch_rethook_trampoline:\n"
> +#ifdef CONFIG_X86_64
> +	ANNOTATE_NOENDBR	/* This is only jumped from ret instruction */
> +	/* Push a fake return address to tell the unwinder it's a kretprobe. */
> +	"	pushq $arch_rethook_trampoline\n"
> +	UNWIND_HINT_FUNC
	"	pushq $" __stringify(__KERNEL_DS) "\n" /* %ss */
	/* Save the 'sp - 16', this will be fixed later. */
> +	"	pushq %rsp\n"
> +	"	pushfq\n"
> +	SAVE_REGS_STRING
> +	"	movq %rsp, %rdi\n"
> +	"	call arch_rethook_trampoline_callback\n"
> +	RESTORE_REGS_STRING
	/* In the callback function, 'regs->flags' is copied to 'regs->ss'. */

	this comment could do with a 'why' though... Because neither
	this nor the one in the handler really explains why it is
	important to have popf last

	"	addq $16, %rsp\n"
> +	"	popfq\n"
> +#else

same for i386:

> +	/* Push a fake return address to tell the unwinder it's a kretprobe. */
> +	"	pushl $arch_rethook_trampoline\n"
> +	UNWIND_HINT_FUNC
	/* Save the 'sp - 8', this will be fixed later. */
	"	pushl %ss\n"
> +	"	pushl %esp\n"
> +	"	pushfl\n"
> +	SAVE_REGS_STRING
> +	"	movl %esp, %eax\n"
> +	"	call arch_rethook_trampoline_callback\n"
> +	RESTORE_REGS_STRING
	/* In the callback function, 'regs->flags' is copied to 'regs->ss'. */
	"	addl $8, %esp\n"
> +	"	popfl\n"
> +#endif
> +	ASM_RET
> +	".size arch_rethook_trampoline, .-arch_rethook_trampoline\n"
> +);
> +NOKPROBE_SYMBOL(arch_rethook_trampoline);
> +
> +/*
> + * Called from arch_rethook_trampoline
> + */
> +__used __visible void arch_rethook_trampoline_callback(struct pt_regs *regs)
> +{
> +	unsigned long *frame_pointer;
> +
> +	/* fixup registers */
> +	regs->cs = __KERNEL_CS;
> +#ifdef CONFIG_X86_32
> +	regs->gs = 0;
> +#endif
> +	regs->ip = (unsigned long)&arch_rethook_trampoline;
> +	regs->orig_ax = ~0UL;
	regs->sp += 2*sizeof(long);
> +	frame_pointer = &regs->sp + 1;
> +
> +	/*
> +	 * The return address at 'frame_pointer' is recovered by the
> +	 * arch_rethook_fixup_return() which called from this
> +	 * rethook_trampoline_handler().
> +	 */
> +	rethook_trampoline_handler(regs, (unsigned long)frame_pointer);
> +
> +	/*
> +	 * Copy FLAGS to 'pt_regs::sp' so that arch_rethook_trapmoline()
> +	 * can do RET right after POPF.
> +	 */
	regs->ss = regs->flags;
> +}
> +NOKPROBE_SYMBOL(arch_rethook_trampoline_callback);