linux/arch/x86/mm/fault.c
<<
>>
Prefs
   1/*
   2 *  Copyright (C) 1995  Linus Torvalds
   3 *  Copyright (C) 2001, 2002 Andi Kleen, SuSE Labs.
   4 *  Copyright (C) 2008-2009, Red Hat Inc., Ingo Molnar
   5 */
   6#include <linux/sched.h>                /* test_thread_flag(), ...      */
   7#include <linux/kdebug.h>               /* oops_begin/end, ...          */
   8#include <linux/module.h>               /* search_exception_table       */
   9#include <linux/bootmem.h>              /* max_low_pfn                  */
  10#include <linux/kprobes.h>              /* NOKPROBE_SYMBOL, ...         */
  11#include <linux/mmiotrace.h>            /* kmmio_handler, ...           */
  12#include <linux/perf_event.h>           /* perf_sw_event                */
  13#include <linux/hugetlb.h>              /* hstate_index_to_shift        */
  14#include <linux/prefetch.h>             /* prefetchw                    */
  15#include <linux/context_tracking.h>     /* exception_enter(), ...       */
  16#include <linux/uaccess.h>              /* faulthandler_disabled()      */
  17
  18#include <asm/traps.h>                  /* dotraplinkage, ...           */
  19#include <asm/pgalloc.h>                /* pgd_*(), ...                 */
  20#include <asm/kmemcheck.h>              /* kmemcheck_*(), ...           */
  21#include <asm/fixmap.h>                 /* VSYSCALL_ADDR                */
  22#include <asm/vsyscall.h>               /* emulate_vsyscall             */
  23#include <asm/vm86.h>                   /* struct vm86                  */
  24
  25#define CREATE_TRACE_POINTS
  26#include <asm/trace/exceptions.h>
  27
  28/*
  29 * Page fault error code bits:
  30 *
  31 *   bit 0 ==    0: no page found       1: protection fault
  32 *   bit 1 ==    0: read access         1: write access
  33 *   bit 2 ==    0: kernel-mode access  1: user-mode access
  34 *   bit 3 ==                           1: use of reserved bit detected
  35 *   bit 4 ==                           1: fault was an instruction fetch
  36 */
  37enum x86_pf_error_code {
  38
  39        PF_PROT         =               1 << 0,
  40        PF_WRITE        =               1 << 1,
  41        PF_USER         =               1 << 2,
  42        PF_RSVD         =               1 << 3,
  43        PF_INSTR        =               1 << 4,
  44};
  45
  46/*
  47 * Returns 0 if mmiotrace is disabled, or if the fault is not
  48 * handled by mmiotrace:
  49 */
  50static nokprobe_inline int
  51kmmio_fault(struct pt_regs *regs, unsigned long addr)
  52{
  53        if (unlikely(is_kmmio_active()))
  54                if (kmmio_handler(regs, addr) == 1)
  55                        return -1;
  56        return 0;
  57}
  58
  59static nokprobe_inline int kprobes_fault(struct pt_regs *regs)
  60{
  61        int ret = 0;
  62
  63        /* kprobe_running() needs smp_processor_id() */
  64        if (kprobes_built_in() && !user_mode(regs)) {
  65                preempt_disable();
  66                if (kprobe_running() && kprobe_fault_handler(regs, 14))
  67                        ret = 1;
  68                preempt_enable();
  69        }
  70
  71        return ret;
  72}
  73
  74/*
  75 * Prefetch quirks:
  76 *
  77 * 32-bit mode:
  78 *
  79 *   Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
  80 *   Check that here and ignore it.
  81 *
  82 * 64-bit mode:
  83 *
  84 *   Sometimes the CPU reports invalid exceptions on prefetch.
  85 *   Check that here and ignore it.
  86 *
  87 * Opcode checker based on code by Richard Brunner.
  88 */
  89static inline int
  90check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
  91                      unsigned char opcode, int *prefetch)
  92{
  93        unsigned char instr_hi = opcode & 0xf0;
  94        unsigned char instr_lo = opcode & 0x0f;
  95
  96        switch (instr_hi) {
  97        case 0x20:
  98        case 0x30:
  99                /*
 100                 * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes.
 101                 * In X86_64 long mode, the CPU will signal invalid
 102                 * opcode if some of these prefixes are present so
 103                 * X86_64 will never get here anyway
 104                 */
 105                return ((instr_lo & 7) == 0x6);
 106#ifdef CONFIG_X86_64
 107        case 0x40:
 108                /*
 109                 * In AMD64 long mode 0x40..0x4F are valid REX prefixes
 110                 * Need to figure out under what instruction mode the
 111                 * instruction was issued. Could check the LDT for lm,
 112                 * but for now it's good enough to assume that long
 113                 * mode only uses well known segments or kernel.
 114                 */
 115                return (!user_mode(regs) || user_64bit_mode(regs));
 116#endif
 117        case 0x60:
 118                /* 0x64 thru 0x67 are valid prefixes in all modes. */
 119                return (instr_lo & 0xC) == 0x4;
 120        case 0xF0:
 121                /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */
 122                return !instr_lo || (instr_lo>>1) == 1;
 123        case 0x00:
 124                /* Prefetch instruction is 0x0F0D or 0x0F18 */
 125                if (probe_kernel_address(instr, opcode))
 126                        return 0;
 127
 128                *prefetch = (instr_lo == 0xF) &&
 129                        (opcode == 0x0D || opcode == 0x18);
 130                return 0;
 131        default:
 132                return 0;
 133        }
 134}
 135
 136static int
 137is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
 138{
 139        unsigned char *max_instr;
 140        unsigned char *instr;
 141        int prefetch = 0;
 142
 143        /*
 144         * If it was a exec (instruction fetch) fault on NX page, then
 145         * do not ignore the fault:
 146         */
 147        if (error_code & PF_INSTR)
 148                return 0;
 149
 150        instr = (void *)convert_ip_to_linear(current, regs);
 151        max_instr = instr + 15;
 152
 153        if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE_MAX)
 154                return 0;
 155
 156        while (instr < max_instr) {
 157                unsigned char opcode;
 158
 159                if (probe_kernel_address(instr, opcode))
 160                        break;
 161
 162                instr++;
 163
 164                if (!check_prefetch_opcode(regs, instr, opcode, &prefetch))
 165                        break;
 166        }
 167        return prefetch;
 168}
 169
 170static void
 171force_sig_info_fault(int si_signo, int si_code, unsigned long address,
 172                     struct task_struct *tsk, int fault)
 173{
 174        unsigned lsb = 0;
 175        siginfo_t info;
 176
 177        info.si_signo   = si_signo;
 178        info.si_errno   = 0;
 179        info.si_code    = si_code;
 180        info.si_addr    = (void __user *)address;
 181        if (fault & VM_FAULT_HWPOISON_LARGE)
 182                lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault)); 
 183        if (fault & VM_FAULT_HWPOISON)
 184                lsb = PAGE_SHIFT;
 185        info.si_addr_lsb = lsb;
 186
 187        force_sig_info(si_signo, &info, tsk);
 188}
 189
 190DEFINE_SPINLOCK(pgd_lock);
 191LIST_HEAD(pgd_list);
 192
 193#ifdef CONFIG_X86_32
 194static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
 195{
 196        unsigned index = pgd_index(address);
 197        pgd_t *pgd_k;
 198        pud_t *pud, *pud_k;
 199        pmd_t *pmd, *pmd_k;
 200
 201        pgd += index;
 202        pgd_k = init_mm.pgd + index;
 203
 204        if (!pgd_present(*pgd_k))
 205                return NULL;
 206
 207        /*
 208         * set_pgd(pgd, *pgd_k); here would be useless on PAE
 209         * and redundant with the set_pmd() on non-PAE. As would
 210         * set_pud.
 211         */
 212        pud = pud_offset(pgd, address);
 213        pud_k = pud_offset(pgd_k, address);
 214        if (!pud_present(*pud_k))
 215                return NULL;
 216
 217        pmd = pmd_offset(pud, address);
 218        pmd_k = pmd_offset(pud_k, address);
 219        if (!pmd_present(*pmd_k))
 220                return NULL;
 221
 222        if (!pmd_present(*pmd))
 223                set_pmd(pmd, *pmd_k);
 224        else
 225                BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
 226
 227        return pmd_k;
 228}
 229
 230void vmalloc_sync_all(void)
 231{
 232        unsigned long address;
 233
 234        if (SHARED_KERNEL_PMD)
 235                return;
 236
 237        for (address = VMALLOC_START & PMD_MASK;
 238             address >= TASK_SIZE && address < FIXADDR_TOP;
 239             address += PMD_SIZE) {
 240                struct page *page;
 241
 242                spin_lock(&pgd_lock);
 243                list_for_each_entry(page, &pgd_list, lru) {
 244                        spinlock_t *pgt_lock;
 245                        pmd_t *ret;
 246
 247                        /* the pgt_lock only for Xen */
 248                        pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
 249
 250                        spin_lock(pgt_lock);
 251                        ret = vmalloc_sync_one(page_address(page), address);
 252                        spin_unlock(pgt_lock);
 253
 254                        if (!ret)
 255                                break;
 256                }
 257                spin_unlock(&pgd_lock);
 258        }
 259}
 260
 261/*
 262 * 32-bit:
 263 *
 264 *   Handle a fault on the vmalloc or module mapping area
 265 */
 266static noinline int vmalloc_fault(unsigned long address)
 267{
 268        unsigned long pgd_paddr;
 269        pmd_t *pmd_k;
 270        pte_t *pte_k;
 271
 272        /* Make sure we are in vmalloc area: */
 273        if (!(address >= VMALLOC_START && address < VMALLOC_END))
 274                return -1;
 275
 276        WARN_ON_ONCE(in_nmi());
 277
 278        /*
 279         * Synchronize this task's top level page-table
 280         * with the 'reference' page table.
 281         *
 282         * Do _not_ use "current" here. We might be inside
 283         * an interrupt in the middle of a task switch..
 284         */
 285        pgd_paddr = read_cr3();
 286        pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
 287        if (!pmd_k)
 288                return -1;
 289
 290        pte_k = pte_offset_kernel(pmd_k, address);
 291        if (!pte_present(*pte_k))
 292                return -1;
 293
 294        return 0;
 295}
 296NOKPROBE_SYMBOL(vmalloc_fault);
 297
 298/*
 299 * Did it hit the DOS screen memory VA from vm86 mode?
 300 */
 301static inline void
 302check_v8086_mode(struct pt_regs *regs, unsigned long address,
 303                 struct task_struct *tsk)
 304{
 305#ifdef CONFIG_VM86
 306        unsigned long bit;
 307
 308        if (!v8086_mode(regs) || !tsk->thread.vm86)
 309                return;
 310
 311        bit = (address - 0xA0000) >> PAGE_SHIFT;
 312        if (bit < 32)
 313                tsk->thread.vm86->screen_bitmap |= 1 << bit;
 314#endif
 315}
 316
 317static bool low_pfn(unsigned long pfn)
 318{
 319        return pfn < max_low_pfn;
 320}
 321
 322static void dump_pagetable(unsigned long address)
 323{
 324        pgd_t *base = __va(read_cr3());
 325        pgd_t *pgd = &base[pgd_index(address)];
 326        pmd_t *pmd;
 327        pte_t *pte;
 328
 329#ifdef CONFIG_X86_PAE
 330        printk("*pdpt = %016Lx ", pgd_val(*pgd));
 331        if (!low_pfn(pgd_val(*pgd) >> PAGE_SHIFT) || !pgd_present(*pgd))
 332                goto out;
 333#endif
 334        pmd = pmd_offset(pud_offset(pgd, address), address);
 335        printk(KERN_CONT "*pde = %0*Lx ", sizeof(*pmd) * 2, (u64)pmd_val(*pmd));
 336
 337        /*
 338         * We must not directly access the pte in the highpte
 339         * case if the page table is located in highmem.
 340         * And let's rather not kmap-atomic the pte, just in case
 341         * it's allocated already:
 342         */
 343        if (!low_pfn(pmd_pfn(*pmd)) || !pmd_present(*pmd) || pmd_large(*pmd))
 344                goto out;
 345
 346        pte = pte_offset_kernel(pmd, address);
 347        printk("*pte = %0*Lx ", sizeof(*pte) * 2, (u64)pte_val(*pte));
 348out:
 349        printk("\n");
 350}
 351
 352#else /* CONFIG_X86_64: */
 353
 354void vmalloc_sync_all(void)
 355{
 356        sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END, 0);
 357}
 358
 359/*
 360 * 64-bit:
 361 *
 362 *   Handle a fault on the vmalloc area
 363 *
 364 * This assumes no large pages in there.
 365 */
 366static noinline int vmalloc_fault(unsigned long address)
 367{
 368        pgd_t *pgd, *pgd_ref;
 369        pud_t *pud, *pud_ref;
 370        pmd_t *pmd, *pmd_ref;
 371        pte_t *pte, *pte_ref;
 372
 373        /* Make sure we are in vmalloc area: */
 374        if (!(address >= VMALLOC_START && address < VMALLOC_END))
 375                return -1;
 376
 377        WARN_ON_ONCE(in_nmi());
 378
 379        /*
 380         * Copy kernel mappings over when needed. This can also
 381         * happen within a race in page table update. In the later
 382         * case just flush:
 383         */
 384        pgd = pgd_offset(current->active_mm, address);
 385        pgd_ref = pgd_offset_k(address);
 386        if (pgd_none(*pgd_ref))
 387                return -1;
 388
 389        if (pgd_none(*pgd)) {
 390                set_pgd(pgd, *pgd_ref);
 391                arch_flush_lazy_mmu_mode();
 392        } else {
 393                BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
 394        }
 395
 396        /*
 397         * Below here mismatches are bugs because these lower tables
 398         * are shared:
 399         */
 400
 401        pud = pud_offset(pgd, address);
 402        pud_ref = pud_offset(pgd_ref, address);
 403        if (pud_none(*pud_ref))
 404                return -1;
 405
 406        if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref))
 407                BUG();
 408
 409        pmd = pmd_offset(pud, address);
 410        pmd_ref = pmd_offset(pud_ref, address);
 411        if (pmd_none(*pmd_ref))
 412                return -1;
 413
 414        if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref))
 415                BUG();
 416
 417        pte_ref = pte_offset_kernel(pmd_ref, address);
 418        if (!pte_present(*pte_ref))
 419                return -1;
 420
 421        pte = pte_offset_kernel(pmd, address);
 422
 423        /*
 424         * Don't use pte_page here, because the mappings can point
 425         * outside mem_map, and the NUMA hash lookup cannot handle
 426         * that:
 427         */
 428        if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
 429                BUG();
 430
 431        return 0;
 432}
 433NOKPROBE_SYMBOL(vmalloc_fault);
 434
 435#ifdef CONFIG_CPU_SUP_AMD
 436static const char errata93_warning[] =
 437KERN_ERR 
 438"******* Your BIOS seems to not contain a fix for K8 errata #93\n"
 439"******* Working around it, but it may cause SEGVs or burn power.\n"
 440"******* Please consider a BIOS update.\n"
 441"******* Disabling USB legacy in the BIOS may also help.\n";
 442#endif
 443
 444/*
 445 * No vm86 mode in 64-bit mode:
 446 */
 447static inline void
 448check_v8086_mode(struct pt_regs *regs, unsigned long address,
 449                 struct task_struct *tsk)
 450{
 451}
 452
 453static int bad_address(void *p)
 454{
 455        unsigned long dummy;
 456
 457        return probe_kernel_address((unsigned long *)p, dummy);
 458}
 459
 460static void dump_pagetable(unsigned long address)
 461{
 462        pgd_t *base = __va(read_cr3() & PHYSICAL_PAGE_MASK);
 463        pgd_t *pgd = base + pgd_index(address);
 464        pud_t *pud;
 465        pmd_t *pmd;
 466        pte_t *pte;
 467
 468        if (bad_address(pgd))
 469                goto bad;
 470
 471        printk("PGD %lx ", pgd_val(*pgd));
 472
 473        if (!pgd_present(*pgd))
 474                goto out;
 475
 476        pud = pud_offset(pgd, address);
 477        if (bad_address(pud))
 478                goto bad;
 479
 480        printk("PUD %lx ", pud_val(*pud));
 481        if (!pud_present(*pud) || pud_large(*pud))
 482                goto out;
 483
 484        pmd = pmd_offset(pud, address);
 485        if (bad_address(pmd))
 486                goto bad;
 487
 488        printk("PMD %lx ", pmd_val(*pmd));
 489        if (!pmd_present(*pmd) || pmd_large(*pmd))
 490                goto out;
 491
 492        pte = pte_offset_kernel(pmd, address);
 493        if (bad_address(pte))
 494                goto bad;
 495
 496        printk("PTE %lx", pte_val(*pte));
 497out:
 498        printk("\n");
 499        return;
 500bad:
 501        printk("BAD\n");
 502}
 503
 504#endif /* CONFIG_X86_64 */
 505
 506/*
 507 * Workaround for K8 erratum #93 & buggy BIOS.
 508 *
 509 * BIOS SMM functions are required to use a specific workaround
 510 * to avoid corruption of the 64bit RIP register on C stepping K8.
 511 *
 512 * A lot of BIOS that didn't get tested properly miss this.
 513 *
 514 * The OS sees this as a page fault with the upper 32bits of RIP cleared.
 515 * Try to work around it here.
 516 *
 517 * Note we only handle faults in kernel here.
 518 * Does nothing on 32-bit.
 519 */
 520static int is_errata93(struct pt_regs *regs, unsigned long address)
 521{
 522#if defined(CONFIG_X86_64) && defined(CONFIG_CPU_SUP_AMD)
 523        if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD
 524            || boot_cpu_data.x86 != 0xf)
 525                return 0;
 526
 527        if (address != regs->ip)
 528                return 0;
 529
 530        if ((address >> 32) != 0)
 531                return 0;
 532
 533        address |= 0xffffffffUL << 32;
 534        if ((address >= (u64)_stext && address <= (u64)_etext) ||
 535            (address >= MODULES_VADDR && address <= MODULES_END)) {
 536                printk_once(errata93_warning);
 537                regs->ip = address;
 538                return 1;
 539        }
 540#endif
 541        return 0;
 542}
 543
 544/*
 545 * Work around K8 erratum #100 K8 in compat mode occasionally jumps
 546 * to illegal addresses >4GB.
 547 *
 548 * We catch this in the page fault handler because these addresses
 549 * are not reachable. Just detect this case and return.  Any code
 550 * segment in LDT is compatibility mode.
 551 */
 552static int is_errata100(struct pt_regs *regs, unsigned long address)
 553{
 554#ifdef CONFIG_X86_64
 555        if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
 556                return 1;
 557#endif
 558        return 0;
 559}
 560
 561static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
 562{
 563#ifdef CONFIG_X86_F00F_BUG
 564        unsigned long nr;
 565
 566        /*
 567         * Pentium F0 0F C7 C8 bug workaround:
 568         */
 569        if (boot_cpu_has_bug(X86_BUG_F00F)) {
 570                nr = (address - idt_descr.address) >> 3;
 571
 572                if (nr == 6) {
 573                        do_invalid_op(regs, 0);
 574                        return 1;
 575                }
 576        }
 577#endif
 578        return 0;
 579}
 580
 581static const char nx_warning[] = KERN_CRIT
 582"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
 583static const char smep_warning[] = KERN_CRIT
 584"unable to execute userspace code (SMEP?) (uid: %d)\n";
 585
 586static void
 587show_fault_oops(struct pt_regs *regs, unsigned long error_code,
 588                unsigned long address)
 589{
 590        if (!oops_may_print())
 591                return;
 592
 593        if (error_code & PF_INSTR) {
 594                unsigned int level;
 595                pgd_t *pgd;
 596                pte_t *pte;
 597
 598                pgd = __va(read_cr3() & PHYSICAL_PAGE_MASK);
 599                pgd += pgd_index(address);
 600
 601                pte = lookup_address_in_pgd(pgd, address, &level);
 602
 603                if (pte && pte_present(*pte) && !pte_exec(*pte))
 604                        printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
 605                if (pte && pte_present(*pte) && pte_exec(*pte) &&
 606                                (pgd_flags(*pgd) & _PAGE_USER) &&
 607                                (__read_cr4() & X86_CR4_SMEP))
 608                        printk(smep_warning, from_kuid(&init_user_ns, current_uid()));
 609        }
 610
 611        printk(KERN_ALERT "BUG: unable to handle kernel ");
 612        if (address < PAGE_SIZE)
 613                printk(KERN_CONT "NULL pointer dereference");
 614        else
 615                printk(KERN_CONT "paging request");
 616
 617        printk(KERN_CONT " at %p\n", (void *) address);
 618        printk(KERN_ALERT "IP:");
 619        printk_address(regs->ip);
 620
 621        dump_pagetable(address);
 622}
 623
 624static noinline void
 625pgtable_bad(struct pt_regs *regs, unsigned long error_code,
 626            unsigned long address)
 627{
 628        struct task_struct *tsk;
 629        unsigned long flags;
 630        int sig;
 631
 632        flags = oops_begin();
 633        tsk = current;
 634        sig = SIGKILL;
 635
 636        printk(KERN_ALERT "%s: Corrupted page table at address %lx\n",
 637               tsk->comm, address);
 638        dump_pagetable(address);
 639
 640        tsk->thread.cr2         = address;
 641        tsk->thread.trap_nr     = X86_TRAP_PF;
 642        tsk->thread.error_code  = error_code;
 643
 644        if (__die("Bad pagetable", regs, error_code))
 645                sig = 0;
 646
 647        oops_end(flags, regs, sig);
 648}
 649
 650static noinline void
 651no_context(struct pt_regs *regs, unsigned long error_code,
 652           unsigned long address, int signal, int si_code)
 653{
 654        struct task_struct *tsk = current;
 655        unsigned long flags;
 656        int sig;
 657
 658        /* Are we prepared to handle this kernel fault? */
 659        if (fixup_exception(regs)) {
 660                /*
 661                 * Any interrupt that takes a fault gets the fixup. This makes
 662                 * the below recursive fault logic only apply to a faults from
 663                 * task context.
 664                 */
 665                if (in_interrupt())
 666                        return;
 667
 668                /*
 669                 * Per the above we're !in_interrupt(), aka. task context.
 670                 *
 671                 * In this case we need to make sure we're not recursively
 672                 * faulting through the emulate_vsyscall() logic.
 673                 */
 674                if (current_thread_info()->sig_on_uaccess_error && signal) {
 675                        tsk->thread.trap_nr = X86_TRAP_PF;
 676                        tsk->thread.error_code = error_code | PF_USER;
 677                        tsk->thread.cr2 = address;
 678
 679                        /* XXX: hwpoison faults will set the wrong code. */
 680                        force_sig_info_fault(signal, si_code, address, tsk, 0);
 681                }
 682
 683                /*
 684                 * Barring that, we can do the fixup and be happy.
 685                 */
 686                return;
 687        }
 688
 689        /*
 690         * 32-bit:
 691         *
 692         *   Valid to do another page fault here, because if this fault
 693         *   had been triggered by is_prefetch fixup_exception would have
 694         *   handled it.
 695         *
 696         * 64-bit:
 697         *
 698         *   Hall of shame of CPU/BIOS bugs.
 699         */
 700        if (is_prefetch(regs, error_code, address))
 701                return;
 702
 703        if (is_errata93(regs, address))
 704                return;
 705
 706        /*
 707         * Oops. The kernel tried to access some bad page. We'll have to
 708         * terminate things with extreme prejudice:
 709         */
 710        flags = oops_begin();
 711
 712        show_fault_oops(regs, error_code, address);
 713
 714        if (task_stack_end_corrupted(tsk))
 715                printk(KERN_EMERG "Thread overran stack, or stack corrupted\n");
 716
 717        tsk->thread.cr2         = address;
 718        tsk->thread.trap_nr     = X86_TRAP_PF;
 719        tsk->thread.error_code  = error_code;
 720
 721        sig = SIGKILL;
 722        if (__die("Oops", regs, error_code))
 723                sig = 0;
 724
 725        /* Executive summary in case the body of the oops scrolled away */
 726        printk(KERN_DEFAULT "CR2: %016lx\n", address);
 727
 728        oops_end(flags, regs, sig);
 729}
 730
 731/*
 732 * Print out info about fatal segfaults, if the show_unhandled_signals
 733 * sysctl is set:
 734 */
 735static inline void
 736show_signal_msg(struct pt_regs *regs, unsigned long error_code,
 737                unsigned long address, struct task_struct *tsk)
 738{
 739        if (!unhandled_signal(tsk, SIGSEGV))
 740                return;
 741
 742        if (!printk_ratelimit())
 743                return;
 744
 745        printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
 746                task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
 747                tsk->comm, task_pid_nr(tsk), address,
 748                (void *)regs->ip, (void *)regs->sp, error_code);
 749
 750        print_vma_addr(KERN_CONT " in ", regs->ip);
 751
 752        printk(KERN_CONT "\n");
 753}
 754
 755static void
 756__bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 757                       unsigned long address, int si_code)
 758{
 759        struct task_struct *tsk = current;
 760
 761        /* User mode accesses just cause a SIGSEGV */
 762        if (error_code & PF_USER) {
 763                /*
 764                 * It's possible to have interrupts off here:
 765                 */
 766                local_irq_enable();
 767
 768                /*
 769                 * Valid to do another page fault here because this one came
 770                 * from user space:
 771                 */
 772                if (is_prefetch(regs, error_code, address))
 773                        return;
 774
 775                if (is_errata100(regs, address))
 776                        return;
 777
 778#ifdef CONFIG_X86_64
 779                /*
 780                 * Instruction fetch faults in the vsyscall page might need
 781                 * emulation.
 782                 */
 783                if (unlikely((error_code & PF_INSTR) &&
 784                             ((address & ~0xfff) == VSYSCALL_ADDR))) {
 785                        if (emulate_vsyscall(regs, address))
 786                                return;
 787                }
 788#endif
 789                /* Kernel addresses are always protection faults: */
 790                if (address >= TASK_SIZE)
 791                        error_code |= PF_PROT;
 792
 793                if (likely(show_unhandled_signals))
 794                        show_signal_msg(regs, error_code, address, tsk);
 795
 796                tsk->thread.cr2         = address;
 797                tsk->thread.error_code  = error_code;
 798                tsk->thread.trap_nr     = X86_TRAP_PF;
 799
 800                force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0);
 801
 802                return;
 803        }
 804
 805        if (is_f00f_bug(regs, address))
 806                return;
 807
 808        no_context(regs, error_code, address, SIGSEGV, si_code);
 809}
 810
 811static noinline void
 812bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 813                     unsigned long address)
 814{
 815        __bad_area_nosemaphore(regs, error_code, address, SEGV_MAPERR);
 816}
 817
 818static void
 819__bad_area(struct pt_regs *regs, unsigned long error_code,
 820           unsigned long address, int si_code)
 821{
 822        struct mm_struct *mm = current->mm;
 823
 824        /*
 825         * Something tried to access memory that isn't in our memory map..
 826         * Fix it, but check if it's kernel or user first..
 827         */
 828        up_read(&mm->mmap_sem);
 829
 830        __bad_area_nosemaphore(regs, error_code, address, si_code);
 831}
 832
 833static noinline void
 834bad_area(struct pt_regs *regs, unsigned long error_code, unsigned long address)
 835{
 836        __bad_area(regs, error_code, address, SEGV_MAPERR);
 837}
 838
 839static noinline void
 840bad_area_access_error(struct pt_regs *regs, unsigned long error_code,
 841                      unsigned long address)
 842{
 843        __bad_area(regs, error_code, address, SEGV_ACCERR);
 844}
 845
 846static void
 847do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
 848          unsigned int fault)
 849{
 850        struct task_struct *tsk = current;
 851        int code = BUS_ADRERR;
 852
 853        /* Kernel mode? Handle exceptions or die: */
 854        if (!(error_code & PF_USER)) {
 855                no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
 856                return;
 857        }
 858
 859        /* User-space => ok to do another page fault: */
 860        if (is_prefetch(regs, error_code, address))
 861                return;
 862
 863        tsk->thread.cr2         = address;
 864        tsk->thread.error_code  = error_code;
 865        tsk->thread.trap_nr     = X86_TRAP_PF;
 866
 867#ifdef CONFIG_MEMORY_FAILURE
 868        if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
 869                printk(KERN_ERR
 870        "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
 871                        tsk->comm, tsk->pid, address);
 872                code = BUS_MCEERR_AR;
 873        }
 874#endif
 875        force_sig_info_fault(SIGBUS, code, address, tsk, fault);
 876}
 877
 878static noinline void
 879mm_fault_error(struct pt_regs *regs, unsigned long error_code,
 880               unsigned long address, unsigned int fault)
 881{
 882        if (fatal_signal_pending(current) && !(error_code & PF_USER)) {
 883                no_context(regs, error_code, address, 0, 0);
 884                return;
 885        }
 886
 887        if (fault & VM_FAULT_OOM) {
 888                /* Kernel mode? Handle exceptions or die: */
 889                if (!(error_code & PF_USER)) {
 890                        no_context(regs, error_code, address,
 891                                   SIGSEGV, SEGV_MAPERR);
 892                        return;
 893                }
 894
 895                /*
 896                 * We ran out of memory, call the OOM killer, and return the
 897                 * userspace (which will retry the fault, or kill us if we got
 898                 * oom-killed):
 899                 */
 900                pagefault_out_of_memory();
 901        } else {
 902                if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
 903                             VM_FAULT_HWPOISON_LARGE))
 904                        do_sigbus(regs, error_code, address, fault);
 905                else if (fault & VM_FAULT_SIGSEGV)
 906                        bad_area_nosemaphore(regs, error_code, address);
 907                else
 908                        BUG();
 909        }
 910}
 911
 912static int spurious_fault_check(unsigned long error_code, pte_t *pte)
 913{
 914        if ((error_code & PF_WRITE) && !pte_write(*pte))
 915                return 0;
 916
 917        if ((error_code & PF_INSTR) && !pte_exec(*pte))
 918                return 0;
 919
 920        return 1;
 921}
 922
 923/*
 924 * Handle a spurious fault caused by a stale TLB entry.
 925 *
 926 * This allows us to lazily refresh the TLB when increasing the
 927 * permissions of a kernel page (RO -> RW or NX -> X).  Doing it
 928 * eagerly is very expensive since that implies doing a full
 929 * cross-processor TLB flush, even if no stale TLB entries exist
 930 * on other processors.
 931 *
 932 * Spurious faults may only occur if the TLB contains an entry with
 933 * fewer permission than the page table entry.  Non-present (P = 0)
 934 * and reserved bit (R = 1) faults are never spurious.
 935 *
 936 * There are no security implications to leaving a stale TLB when
 937 * increasing the permissions on a page.
 938 *
 939 * Returns non-zero if a spurious fault was handled, zero otherwise.
 940 *
 941 * See Intel Developer's Manual Vol 3 Section 4.10.4.3, bullet 3
 942 * (Optional Invalidation).
 943 */
 944static noinline int
 945spurious_fault(unsigned long error_code, unsigned long address)
 946{
 947        pgd_t *pgd;
 948        pud_t *pud;
 949        pmd_t *pmd;
 950        pte_t *pte;
 951        int ret;
 952
 953        /*
 954         * Only writes to RO or instruction fetches from NX may cause
 955         * spurious faults.
 956         *
 957         * These could be from user or supervisor accesses but the TLB
 958         * is only lazily flushed after a kernel mapping protection
 959         * change, so user accesses are not expected to cause spurious
 960         * faults.
 961         */
 962        if (error_code != (PF_WRITE | PF_PROT)
 963            && error_code != (PF_INSTR | PF_PROT))
 964                return 0;
 965
 966        pgd = init_mm.pgd + pgd_index(address);
 967        if (!pgd_present(*pgd))
 968                return 0;
 969
 970        pud = pud_offset(pgd, address);
 971        if (!pud_present(*pud))
 972                return 0;
 973
 974        if (pud_large(*pud))
 975                return spurious_fault_check(error_code, (pte_t *) pud);
 976
 977        pmd = pmd_offset(pud, address);
 978        if (!pmd_present(*pmd))
 979                return 0;
 980
 981        if (pmd_large(*pmd))
 982                return spurious_fault_check(error_code, (pte_t *) pmd);
 983
 984        pte = pte_offset_kernel(pmd, address);
 985        if (!pte_present(*pte))
 986                return 0;
 987
 988        ret = spurious_fault_check(error_code, pte);
 989        if (!ret)
 990                return 0;
 991
 992        /*
 993         * Make sure we have permissions in PMD.
 994         * If not, then there's a bug in the page tables:
 995         */
 996        ret = spurious_fault_check(error_code, (pte_t *) pmd);
 997        WARN_ONCE(!ret, "PMD has incorrect permission bits\n");
 998
 999        return ret;
1000}
1001NOKPROBE_SYMBOL(spurious_fault);
1002
1003int show_unhandled_signals = 1;
1004
1005static inline int
1006access_error(unsigned long error_code, struct vm_area_struct *vma)
1007{
1008        if (error_code & PF_WRITE) {
1009                /* write, present and write, not present: */
1010                if (unlikely(!(vma->vm_flags & VM_WRITE)))
1011                        return 1;
1012                return 0;
1013        }
1014
1015        /* read, present: */
1016        if (unlikely(error_code & PF_PROT))
1017                return 1;
1018
1019        /* read, not present: */
1020        if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
1021                return 1;
1022
1023        return 0;
1024}
1025
1026static int fault_in_kernel_space(unsigned long address)
1027{
1028        return address >= TASK_SIZE_MAX;
1029}
1030
1031static inline bool smap_violation(int error_code, struct pt_regs *regs)
1032{
1033        if (!IS_ENABLED(CONFIG_X86_SMAP))
1034                return false;
1035
1036        if (!static_cpu_has(X86_FEATURE_SMAP))
1037                return false;
1038
1039        if (error_code & PF_USER)
1040                return false;
1041
1042        if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC))
1043                return false;
1044
1045        return true;
1046}
1047
1048/*
1049 * This routine handles page faults.  It determines the address,
1050 * and the problem, and then passes it off to one of the appropriate
1051 * routines.
1052 *
1053 * This function must have noinline because both callers
1054 * {,trace_}do_page_fault() have notrace on. Having this an actual function
1055 * guarantees there's a function trace entry.
1056 */
1057static noinline void
1058__do_page_fault(struct pt_regs *regs, unsigned long error_code,
1059                unsigned long address)
1060{
1061        struct vm_area_struct *vma;
1062        struct task_struct *tsk;
1063        struct mm_struct *mm;
1064        int fault, major = 0;
1065        unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
1066
1067        tsk = current;
1068        mm = tsk->mm;
1069
1070        /*
1071         * Detect and handle instructions that would cause a page fault for
1072         * both a tracked kernel page and a userspace page.
1073         */
1074        if (kmemcheck_active(regs))
1075                kmemcheck_hide(regs);
1076        prefetchw(&mm->mmap_sem);
1077
1078        if (unlikely(kmmio_fault(regs, address)))
1079                return;
1080
1081        /*
1082         * We fault-in kernel-space virtual memory on-demand. The
1083         * 'reference' page table is init_mm.pgd.
1084         *
1085         * NOTE! We MUST NOT take any locks for this case. We may
1086         * be in an interrupt or a critical region, and should
1087         * only copy the information from the master page table,
1088         * nothing more.
1089         *
1090         * This verifies that the fault happens in kernel space
1091         * (error_code & 4) == 0, and that the fault was not a
1092         * protection error (error_code & 9) == 0.
1093         */
1094        if (unlikely(fault_in_kernel_space(address))) {
1095                if (!(error_code & (PF_RSVD | PF_USER | PF_PROT))) {
1096                        if (vmalloc_fault(address) >= 0)
1097                                return;
1098
1099                        if (kmemcheck_fault(regs, address, error_code))
1100                                return;
1101                }
1102
1103                /* Can handle a stale RO->RW TLB: */
1104                if (spurious_fault(error_code, address))
1105                        return;
1106
1107                /* kprobes don't want to hook the spurious faults: */
1108                if (kprobes_fault(regs))
1109                        return;
1110                /*
1111                 * Don't take the mm semaphore here. If we fixup a prefetch
1112                 * fault we could otherwise deadlock:
1113                 */
1114                bad_area_nosemaphore(regs, error_code, address);
1115
1116                return;
1117        }
1118
1119        /* kprobes don't want to hook the spurious faults: */
1120        if (unlikely(kprobes_fault(regs)))
1121                return;
1122
1123        if (unlikely(error_code & PF_RSVD))
1124                pgtable_bad(regs, error_code, address);
1125
1126        if (unlikely(smap_violation(error_code, regs))) {
1127                bad_area_nosemaphore(regs, error_code, address);
1128                return;
1129        }
1130
1131        /*
1132         * If we're in an interrupt, have no user context or are running
1133         * in a region with pagefaults disabled then we must not take the fault
1134         */
1135        if (unlikely(faulthandler_disabled() || !mm)) {
1136                bad_area_nosemaphore(regs, error_code, address);
1137                return;
1138        }
1139
1140        /*
1141         * It's safe to allow irq's after cr2 has been saved and the
1142         * vmalloc fault has been handled.
1143         *
1144         * User-mode registers count as a user access even for any
1145         * potential system fault or CPU buglet:
1146         */
1147        if (user_mode(regs)) {
1148                local_irq_enable();
1149                error_code |= PF_USER;
1150                flags |= FAULT_FLAG_USER;
1151        } else {
1152                if (regs->flags & X86_EFLAGS_IF)
1153                        local_irq_enable();
1154        }
1155
1156        perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
1157
1158        if (error_code & PF_WRITE)
1159                flags |= FAULT_FLAG_WRITE;
1160
1161        /*
1162         * When running in the kernel we expect faults to occur only to
1163         * addresses in user space.  All other faults represent errors in
1164         * the kernel and should generate an OOPS.  Unfortunately, in the
1165         * case of an erroneous fault occurring in a code path which already
1166         * holds mmap_sem we will deadlock attempting to validate the fault
1167         * against the address space.  Luckily the kernel only validly
1168         * references user space from well defined areas of code, which are
1169         * listed in the exceptions table.
1170         *
1171         * As the vast majority of faults will be valid we will only perform
1172         * the source reference check when there is a possibility of a
1173         * deadlock. Attempt to lock the address space, if we cannot we then
1174         * validate the source. If this is invalid we can skip the address
1175         * space check, thus avoiding the deadlock:
1176         */
1177        if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
1178                if ((error_code & PF_USER) == 0 &&
1179                    !search_exception_tables(regs->ip)) {
1180                        bad_area_nosemaphore(regs, error_code, address);
1181                        return;
1182                }
1183retry:
1184                down_read(&mm->mmap_sem);
1185        } else {
1186                /*
1187                 * The above down_read_trylock() might have succeeded in
1188                 * which case we'll have missed the might_sleep() from
1189                 * down_read():
1190                 */
1191                might_sleep();
1192        }
1193
1194        vma = find_vma(mm, address);
1195        if (unlikely(!vma)) {
1196                bad_area(regs, error_code, address);
1197                return;
1198        }
1199        if (likely(vma->vm_start <= address))
1200                goto good_area;
1201        if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {
1202                bad_area(regs, error_code, address);
1203                return;
1204        }
1205        if (error_code & PF_USER) {
1206                /*
1207                 * Accessing the stack below %sp is always a bug.
1208                 * The large cushion allows instructions like enter
1209                 * and pusha to work. ("enter $65535, $31" pushes
1210                 * 32 pointers and then decrements %sp by 65535.)
1211                 */
1212                if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
1213                        bad_area(regs, error_code, address);
1214                        return;
1215                }
1216        }
1217        if (unlikely(expand_stack(vma, address))) {
1218                bad_area(regs, error_code, address);
1219                return;
1220        }
1221
1222        /*
1223         * Ok, we have a good vm_area for this memory access, so
1224         * we can handle it..
1225         */
1226good_area:
1227        if (unlikely(access_error(error_code, vma))) {
1228                bad_area_access_error(regs, error_code, address);
1229                return;
1230        }
1231
1232        /*
1233         * If for any reason at all we couldn't handle the fault,
1234         * make sure we exit gracefully rather than endlessly redo
1235         * the fault.  Since we never set FAULT_FLAG_RETRY_NOWAIT, if
1236         * we get VM_FAULT_RETRY back, the mmap_sem has been unlocked.
1237         */
1238        fault = handle_mm_fault(mm, vma, address, flags);
1239        major |= fault & VM_FAULT_MAJOR;
1240
1241        /*
1242         * If we need to retry the mmap_sem has already been released,
1243         * and if there is a fatal signal pending there is no guarantee
1244         * that we made any progress. Handle this case first.
1245         */
1246        if (unlikely(fault & VM_FAULT_RETRY)) {
1247                /* Retry at most once */
1248                if (flags & FAULT_FLAG_ALLOW_RETRY) {
1249                        flags &= ~FAULT_FLAG_ALLOW_RETRY;
1250                        flags |= FAULT_FLAG_TRIED;
1251                        if (!fatal_signal_pending(tsk))
1252                                goto retry;
1253                }
1254
1255                /* User mode? Just return to handle the fatal exception */
1256                if (flags & FAULT_FLAG_USER)
1257                        return;
1258
1259                /* Not returning to user mode? Handle exceptions or die: */
1260                no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
1261                return;
1262        }
1263
1264        up_read(&mm->mmap_sem);
1265        if (unlikely(fault & VM_FAULT_ERROR)) {
1266                mm_fault_error(regs, error_code, address, fault);
1267                return;
1268        }
1269
1270        /*
1271         * Major/minor page fault accounting. If any of the events
1272         * returned VM_FAULT_MAJOR, we account it as a major fault.
1273         */
1274        if (major) {
1275                tsk->maj_flt++;
1276                perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address);
1277        } else {
1278                tsk->min_flt++;
1279                perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address);
1280        }
1281
1282        check_v8086_mode(regs, address, tsk);
1283}
1284NOKPROBE_SYMBOL(__do_page_fault);
1285
1286dotraplinkage void notrace
1287do_page_fault(struct pt_regs *regs, unsigned long error_code)
1288{
1289        unsigned long address = read_cr2(); /* Get the faulting address */
1290        enum ctx_state prev_state;
1291
1292        /*
1293         * We must have this function tagged with __kprobes, notrace and call
1294         * read_cr2() before calling anything else. To avoid calling any kind
1295         * of tracing machinery before we've observed the CR2 value.
1296         *
1297         * exception_{enter,exit}() contain all sorts of tracepoints.
1298         */
1299
1300        prev_state = exception_enter();
1301        __do_page_fault(regs, error_code, address);
1302        exception_exit(prev_state);
1303}
1304NOKPROBE_SYMBOL(do_page_fault);
1305
1306#ifdef CONFIG_TRACING
1307static nokprobe_inline void
1308trace_page_fault_entries(unsigned long address, struct pt_regs *regs,
1309                         unsigned long error_code)
1310{
1311        if (user_mode(regs))
1312                trace_page_fault_user(address, regs, error_code);
1313        else
1314                trace_page_fault_kernel(address, regs, error_code);
1315}
1316
1317dotraplinkage void notrace
1318trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
1319{
1320        /*
1321         * The exception_enter and tracepoint processing could
1322         * trigger another page faults (user space callchain
1323         * reading) and destroy the original cr2 value, so read
1324         * the faulting address now.
1325         */
1326        unsigned long address = read_cr2();
1327        enum ctx_state prev_state;
1328
1329        prev_state = exception_enter();
1330        trace_page_fault_entries(address, regs, error_code);
1331        __do_page_fault(regs, error_code, address);
1332        exception_exit(prev_state);
1333}
1334NOKPROBE_SYMBOL(trace_do_page_fault);
1335#endif /* CONFIG_TRACING */
1336