[GIT PULL] x86 breakpoint regression fix

[GIT PULL] x86 breakpoint regression fix

[Frederic Weisbecker]

Ingo,

Please pull the perf/urgent branch that can be found at:

git://git.kernel.org/pub/scm/linux/kernel/git/frederic/random-tracing.git
	perf/urgent

Thanks,
	Frederic
---

Frederic Weisbecker (1):
      x86: Send a SIGTRAP for user icebp traps


 arch/x86/kernel/traps.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

---
commit 0ba3546b92759463d30fb9ea014c7f42e1c551c2
Author: Frederic Weisbecker <fweisbec@gmail.com>
Date:   Wed Jun 30 15:09:06 2010 +0200

    x86: Send a SIGTRAP for user icebp traps
    
    Before we had a generic breakpoint layer, x86 used to send a
    sigtrap for any debug event that happened in userspace,
    except if it was caused by lazy dr7 switches.
    
    Currently we only send such signal for single step or breakpoint
    events.
    
    However, there are three other kind of debug exceptions:
    
    - debug register access detected: trigger an exception if the
      next instruction touches the debug registers. We don't use
      it.
    - task switch, but we don't use tss.
    - icebp/int01 trap. This instruction (0xf1) is undocumented and
      generates an int 1 exception. Unlike single step through TF
      flag, it doesn't set the single step origin of the exception
      in dr6.
    
    icebp then used to be reported in userspace using trap signals
    but this have been incidentally broken with the new breakpoint
    code. Reenable this. Since this is the only debug event that
    doesn't set anything in dr6, this is all we have to check.
    
    This fixes a regression in Wine where World Of Warcraft got broken
    as it uses this for software protection checks purposes. And
    probably other apps do.
    
    Reported-by: Alexandre Julliard <julliard@winehq.org>
    Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Prasad <prasad@linux.vnet.ibm.com>
    Cc: 2.6.33.x 2.6.34.x <stable@kernel.org>

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 142d70c..725ef4d 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -526,6 +526,7 @@ asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
 dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
 {
 	struct task_struct *tsk = current;
+	int user_icebp = 0;
 	unsigned long dr6;
 	int si_code;
 
@@ -534,6 +535,14 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
 	/* Filter out all the reserved bits which are preset to 1 */
 	dr6 &= ~DR6_RESERVED;
 
+	/*
+	 * If dr6 has no reason to give us about the origin of this trap,
+	 * then it's very likely the result of an icebp/int01 trap.
+	 * User wants a sigtrap for that.
+	 */
+	if (!dr6 && user_mode(regs))
+		user_icebp = 1;
+
 	/* Catch kmemcheck conditions first of all! */
 	if ((dr6 & DR_STEP) && kmemcheck_trap(regs))
 		return;
@@ -575,7 +584,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
 		regs->flags &= ~X86_EFLAGS_TF;
 	}
 	si_code = get_si_code(tsk->thread.debugreg6);
-	if (tsk->thread.debugreg6 & (DR_STEP | DR_TRAP_BITS))
+	if (tsk->thread.debugreg6 & (DR_STEP | DR_TRAP_BITS) || user_icebp)
 		send_sigtrap(tsk, regs, error_code, si_code);
 	preempt_conditional_cli(regs);
 

Re: [GIT PULL] x86 breakpoint regression fix

[Frederic Weisbecker]

On Wed, Jun 30, 2010 at 04:02:39PM +0200, Frederic Weisbecker wrote:
> Ingo,
> 
> Please pull the perf/urgent branch that can be found at:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/frederic/random-tracing.git
> 	perf/urgent


Please actually pull my perf/urgent-2 branch, it has the appropriate
Tested-by tag.

Thanks.

Re: [GIT PULL] x86 breakpoint regression fix

[Maciej W. Rozycki]

On Wed, 30 Jun 2010, Frederic Weisbecker wrote:

>     - icebp/int01 trap. This instruction (0xf1) is undocumented and
>       generates an int 1 exception. Unlike single step through TF
>       flag, it doesn't set the single step origin of the exception
>       in dr6.

 Not quite completely undocumented, but a bit obscure indeed.  GDB calls 
this instruction ICEBP and some Intel sources -- INT1.  It's been around 
for a while (at least since 80286) and is mostly used by in-circuit 
emulators (hence the name GDB uses).

  Maciej

Re: [GIT PULL] x86 breakpoint regression fix

[Ingo Molnar]

* Frederic Weisbecker <fweisbec@gmail.com> wrote:

> On Wed, Jun 30, 2010 at 04:02:39PM +0200, Frederic Weisbecker wrote:
> > Ingo,
> > 
> > Please pull the perf/urgent branch that can be found at:
> > 
> > git://git.kernel.org/pub/scm/linux/kernel/git/frederic/random-tracing.git
> > 	perf/urgent
> 
> 
> Please actually pull my perf/urgent-2 branch, it has the appropriate
> Tested-by tag.

Pulled, thanks Frederic!

	Ingo

Re: [GIT PULL] x86 breakpoint regression fix

[Frederic Weisbecker]

On Wed, Jun 30, 2010 at 03:40:51PM +0100, Maciej W. Rozycki wrote:
> On Wed, 30 Jun 2010, Frederic Weisbecker wrote:
> 
> >     - icebp/int01 trap. This instruction (0xf1) is undocumented and
> >       generates an int 1 exception. Unlike single step through TF
> >       flag, it doesn't set the single step origin of the exception
> >       in dr6.
> 
>  Not quite completely undocumented, but a bit obscure indeed.  GDB calls 
> this instruction ICEBP and some Intel sources -- INT1.  It's been around 
> for a while (at least since 80286) and is mostly used by in-circuit 
> emulators (hence the name GDB uses).


Right, in fact it was quite easy to find any documentation about it, it's
just officially undocumented.

[PATCH -stable 2.6.33.x] x86: Send a SIGTRAP for user icebp traps

[Frederic Weisbecker]

Before we had a generic breakpoint layer, x86 used to send a
sigtrap for any debug event that happened in userspace,
except if it was caused by lazy dr7 switches.

Currently we only send such signal for single step or breakpoint
events.

However, there are three other kind of debug exceptions:

- debug register access detected: trigger an exception if the
  next instruction touches the debug registers. We don't use
  it.
- task switch, but we don't use tss.
- icebp/int01 trap. This instruction (0xf1) is undocumented and
  generates an int 1 exception. Unlike single step through TF
  flag, it doesn't set the single step origin of the exception
  in dr6.

icebp then used to be reported in userspace using trap signals
but this have been incidentally broken with the new breakpoint
code. Reenable this. Since this is the only debug event that
doesn't set anything in dr6, this is all we have to check.

This fixes a regression in Wine where World Of Warcraft got broken
as it uses this for software protection checks purposes. And
probably other apps do.

Reported-and-tested-by: Alexandre Julliard <julliard@winehq.org>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Prasad <prasad@linux.vnet.ibm.com>
---
 arch/x86/kernel/traps.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 3339917..b1e85b0 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -529,11 +529,20 @@ asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
 dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
 {
 	struct task_struct *tsk = current;
+	int user_icebp = 0;
 	unsigned long dr6;
 	int si_code;
 
 	get_debugreg(dr6, 6);
 
+	/*
+	 * If dr6 has no reason to give us about the origin of this trap,
+	 * then it's very likely the result of an icebp/int01 trap.
+	 * User wants a sigtrap for that.
+	 */
+	if (!(dr6 & ~0xffff0ff0) && user_mode(regs))
+		user_icebp = 1;
+
 	/* Catch kmemcheck conditions first of all! */
 	if ((dr6 & DR_STEP) && kmemcheck_trap(regs))
 		return;
@@ -575,7 +584,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
 		regs->flags &= ~X86_EFLAGS_TF;
 	}
 	si_code = get_si_code(tsk->thread.debugreg6);
-	if (tsk->thread.debugreg6 & (DR_STEP | DR_TRAP_BITS))
+	if (tsk->thread.debugreg6 & (DR_STEP | DR_TRAP_BITS) || user_icebp)
 		send_sigtrap(tsk, regs, error_code, si_code);
 	preempt_conditional_cli(regs);
 
-- 
1.6.2.3

Re: [GIT PULL] x86 breakpoint regression fix

[Maciej W. Rozycki]

On Wed, 30 Jun 2010, Frederic Weisbecker wrote:

> Right, in fact it was quite easy to find any documentation about it, it's
> just officially undocumented.

 I think it's simply not a part of the architecture.  IOW they are free to 
remove it at any time, though most likely it will be kept forever.  It's 
not like rocket science or whatever else to be kept hidden -- "everybody" 
knows this instruction (myself for at least 15 years).  That's stuff like 
FFREEP, etc. ;)

  Maciej