Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
fault.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1995 Linus Torvalds
3  * Copyright (C) 2001, 2002 Andi Kleen, SuSE Labs.
4  * Copyright (C) 2008-2009, Red Hat Inc., Ingo Molnar
5  */
6 #include <linux/magic.h> /* STACK_END_MAGIC */
7 #include <linux/sched.h> /* test_thread_flag(), ... */
8 #include <linux/kdebug.h> /* oops_begin/end, ... */
9 #include <linux/module.h> /* search_exception_table */
10 #include <linux/bootmem.h> /* max_low_pfn */
11 #include <linux/kprobes.h> /* __kprobes, ... */
12 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
13 #include <linux/perf_event.h> /* perf_sw_event */
14 #include <linux/hugetlb.h> /* hstate_index_to_shift */
15 #include <linux/prefetch.h> /* prefetchw */
16 
17 #include <asm/traps.h> /* dotraplinkage, ... */
18 #include <asm/pgalloc.h> /* pgd_*(), ... */
19 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
20 #include <asm/fixmap.h> /* VSYSCALL_START */
21 #include <asm/rcu.h> /* exception_enter(), ... */
22 
23 /*
24  * Page fault error code bits:
25  *
26  * bit 0 == 0: no page found 1: protection fault
27  * bit 1 == 0: read access 1: write access
28  * bit 2 == 0: kernel-mode access 1: user-mode access
29  * bit 3 == 1: use of reserved bit detected
30  * bit 4 == 1: fault was an instruction fetch
31  */
32 enum x86_pf_error_code {
33 
34  PF_PROT = 1 << 0,
35  PF_WRITE = 1 << 1,
36  PF_USER = 1 << 2,
37  PF_RSVD = 1 << 3,
38  PF_INSTR = 1 << 4,
39 };
40 
41 /*
42  * Returns 0 if mmiotrace is disabled, or if the fault is not
43  * handled by mmiotrace:
44  */
45 static inline int __kprobes
46 kmmio_fault(struct pt_regs *regs, unsigned long addr)
47 {
48  if (unlikely(is_kmmio_active()))
49  if (kmmio_handler(regs, addr) == 1)
50  return -1;
51  return 0;
52 }
53 
54 static inline int __kprobes notify_page_fault(struct pt_regs *regs)
55 {
56  int ret = 0;
57 
58  /* kprobe_running() needs smp_processor_id() */
59  if (kprobes_built_in() && !user_mode_vm(regs)) {
60  preempt_disable();
61  if (kprobe_running() && kprobe_fault_handler(regs, 14))
62  ret = 1;
63  preempt_enable();
64  }
65 
66  return ret;
67 }
68 
69 /*
70  * Prefetch quirks:
71  *
72  * 32-bit mode:
73  *
74  * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
75  * Check that here and ignore it.
76  *
77  * 64-bit mode:
78  *
79  * Sometimes the CPU reports invalid exceptions on prefetch.
80  * Check that here and ignore it.
81  *
82  * Opcode checker based on code by Richard Brunner.
83  */
84 static inline int
85 check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
86  unsigned char opcode, int *prefetch)
87 {
88  unsigned char instr_hi = opcode & 0xf0;
89  unsigned char instr_lo = opcode & 0x0f;
90 
91  switch (instr_hi) {
92  case 0x20:
93  case 0x30:
94  /*
95  * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes.
96  * In X86_64 long mode, the CPU will signal invalid
97  * opcode if some of these prefixes are present so
98  * X86_64 will never get here anyway
99  */
100  return ((instr_lo & 7) == 0x6);
101 #ifdef CONFIG_X86_64
102  case 0x40:
103  /*
104  * In AMD64 long mode 0x40..0x4F are valid REX prefixes
105  * Need to figure out under what instruction mode the
106  * instruction was issued. Could check the LDT for lm,
107  * but for now it's good enough to assume that long
108  * mode only uses well known segments or kernel.
109  */
110  return (!user_mode(regs) || user_64bit_mode(regs));
111 #endif
112  case 0x60:
113  /* 0x64 thru 0x67 are valid prefixes in all modes. */
114  return (instr_lo & 0xC) == 0x4;
115  case 0xF0:
116  /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */
117  return !instr_lo || (instr_lo>>1) == 1;
118  case 0x00:
119  /* Prefetch instruction is 0x0F0D or 0x0F18 */
120  if (probe_kernel_address(instr, opcode))
121  return 0;
122 
123  *prefetch = (instr_lo == 0xF) &&
124  (opcode == 0x0D || opcode == 0x18);
125  return 0;
126  default:
127  return 0;
128  }
129 }
130 
131 static int
132 is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
133 {
134  unsigned char *max_instr;
135  unsigned char *instr;
136  int prefetch = 0;
137 
138  /*
139  * If it was a exec (instruction fetch) fault on NX page, then
140  * do not ignore the fault:
141  */
142  if (error_code & PF_INSTR)
143  return 0;
144 
145  instr = (void *)convert_ip_to_linear(current, regs);
146  max_instr = instr + 15;
147 
148  if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE)
149  return 0;
150 
151  while (instr < max_instr) {
152  unsigned char opcode;
153 
154  if (probe_kernel_address(instr, opcode))
155  break;
156 
157  instr++;
158 
159  if (!check_prefetch_opcode(regs, instr, opcode, &prefetch))
160  break;
161  }
162  return prefetch;
163 }
164 
165 static void
166 force_sig_info_fault(int si_signo, int si_code, unsigned long address,
167  struct task_struct *tsk, int fault)
168 {
169  unsigned lsb = 0;
170  siginfo_t info;
171 
172  info.si_signo = si_signo;
173  info.si_errno = 0;
174  info.si_code = si_code;
175  info.si_addr = (void __user *)address;
176  if (fault & VM_FAULT_HWPOISON_LARGE)
177  lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
178  if (fault & VM_FAULT_HWPOISON)
179  lsb = PAGE_SHIFT;
180  info.si_addr_lsb = lsb;
181 
182  force_sig_info(si_signo, &info, tsk);
183 }
184 
185 DEFINE_SPINLOCK(pgd_lock);
186 LIST_HEAD(pgd_list);
187 
188 #ifdef CONFIG_X86_32
189 static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
190 {
191  unsigned index = pgd_index(address);
192  pgd_t *pgd_k;
193  pud_t *pud, *pud_k;
194  pmd_t *pmd, *pmd_k;
195 
196  pgd += index;
197  pgd_k = init_mm.pgd + index;
198 
199  if (!pgd_present(*pgd_k))
200  return NULL;
201 
202  /*
203  * set_pgd(pgd, *pgd_k); here would be useless on PAE
204  * and redundant with the set_pmd() on non-PAE. As would
205  * set_pud.
206  */
207  pud = pud_offset(pgd, address);
208  pud_k = pud_offset(pgd_k, address);
209  if (!pud_present(*pud_k))
210  return NULL;
211 
212  pmd = pmd_offset(pud, address);
213  pmd_k = pmd_offset(pud_k, address);
214  if (!pmd_present(*pmd_k))
215  return NULL;
216 
217  if (!pmd_present(*pmd))
218  set_pmd(pmd, *pmd_k);
219  else
220  BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
221 
222  return pmd_k;
223 }
224 
225 void vmalloc_sync_all(void)
226 {
227  unsigned long address;
228 
229  if (SHARED_KERNEL_PMD)
230  return;
231 
232  for (address = VMALLOC_START & PMD_MASK;
233  address >= TASK_SIZE && address < FIXADDR_TOP;
234  address += PMD_SIZE) {
235  struct page *page;
236 
237  spin_lock(&pgd_lock);
238  list_for_each_entry(page, &pgd_list, lru) {
239  spinlock_t *pgt_lock;
240  pmd_t *ret;
241 
242  /* the pgt_lock only for Xen */
243  pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
244 
245  spin_lock(pgt_lock);
246  ret = vmalloc_sync_one(page_address(page), address);
247  spin_unlock(pgt_lock);
248 
249  if (!ret)
250  break;
251  }
252  spin_unlock(&pgd_lock);
253  }
254 }
255 
256 /*
257  * 32-bit:
258  *
259  * Handle a fault on the vmalloc or module mapping area
260  */
261 static noinline __kprobes int vmalloc_fault(unsigned long address)
262 {
263  unsigned long pgd_paddr;
264  pmd_t *pmd_k;
265  pte_t *pte_k;
266 
267  /* Make sure we are in vmalloc area: */
268  if (!(address >= VMALLOC_START && address < VMALLOC_END))
269  return -1;
270 
271  WARN_ON_ONCE(in_nmi());
272 
273  /*
274  * Synchronize this task's top level page-table
275  * with the 'reference' page table.
276  *
277  * Do _not_ use "current" here. We might be inside
278  * an interrupt in the middle of a task switch..
279  */
280  pgd_paddr = read_cr3();
281  pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
282  if (!pmd_k)
283  return -1;
284 
285  pte_k = pte_offset_kernel(pmd_k, address);
286  if (!pte_present(*pte_k))
287  return -1;
288 
289  return 0;
290 }
291 
292 /*
293  * Did it hit the DOS screen memory VA from vm86 mode?
294  */
295 static inline void
296 check_v8086_mode(struct pt_regs *regs, unsigned long address,
297  struct task_struct *tsk)
298 {
299  unsigned long bit;
300 
301  if (!v8086_mode(regs))
302  return;
303 
304  bit = (address - 0xA0000) >> PAGE_SHIFT;
305  if (bit < 32)
306  tsk->thread.screen_bitmap |= 1 << bit;
307 }
308 
309 static bool low_pfn(unsigned long pfn)
310 {
311  return pfn < max_low_pfn;
312 }
313 
314 static void dump_pagetable(unsigned long address)
315 {
316  pgd_t *base = __va(read_cr3());
317  pgd_t *pgd = &base[pgd_index(address)];
318  pmd_t *pmd;
319  pte_t *pte;
320 
321 #ifdef CONFIG_X86_PAE
322  printk("*pdpt = %016Lx ", pgd_val(*pgd));
323  if (!low_pfn(pgd_val(*pgd) >> PAGE_SHIFT) || !pgd_present(*pgd))
324  goto out;
325 #endif
326  pmd = pmd_offset(pud_offset(pgd, address), address);
327  printk(KERN_CONT "*pde = %0*Lx ", sizeof(*pmd) * 2, (u64)pmd_val(*pmd));
328 
329  /*
330  * We must not directly access the pte in the highpte
331  * case if the page table is located in highmem.
332  * And let's rather not kmap-atomic the pte, just in case
333  * it's allocated already:
334  */
335  if (!low_pfn(pmd_pfn(*pmd)) || !pmd_present(*pmd) || pmd_large(*pmd))
336  goto out;
337 
338  pte = pte_offset_kernel(pmd, address);
339  printk("*pte = %0*Lx ", sizeof(*pte) * 2, (u64)pte_val(*pte));
340 out:
341  printk("\n");
342 }
343 
344 #else /* CONFIG_X86_64: */
345 
346 void vmalloc_sync_all(void)
347 {
348  sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END);
349 }
350 
351 /*
352  * 64-bit:
353  *
354  * Handle a fault on the vmalloc area
355  *
356  * This assumes no large pages in there.
357  */
358 static noinline __kprobes int vmalloc_fault(unsigned long address)
359 {
360  pgd_t *pgd, *pgd_ref;
361  pud_t *pud, *pud_ref;
362  pmd_t *pmd, *pmd_ref;
363  pte_t *pte, *pte_ref;
364 
365  /* Make sure we are in vmalloc area: */
366  if (!(address >= VMALLOC_START && address < VMALLOC_END))
367  return -1;
368 
369  WARN_ON_ONCE(in_nmi());
370 
371  /*
372  * Copy kernel mappings over when needed. This can also
373  * happen within a race in page table update. In the later
374  * case just flush:
375  */
376  pgd = pgd_offset(current->active_mm, address);
377  pgd_ref = pgd_offset_k(address);
378  if (pgd_none(*pgd_ref))
379  return -1;
380 
381  if (pgd_none(*pgd))
382  set_pgd(pgd, *pgd_ref);
383  else
384  BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
385 
386  /*
387  * Below here mismatches are bugs because these lower tables
388  * are shared:
389  */
390 
391  pud = pud_offset(pgd, address);
392  pud_ref = pud_offset(pgd_ref, address);
393  if (pud_none(*pud_ref))
394  return -1;
395 
396  if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref))
397  BUG();
398 
399  pmd = pmd_offset(pud, address);
400  pmd_ref = pmd_offset(pud_ref, address);
401  if (pmd_none(*pmd_ref))
402  return -1;
403 
404  if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref))
405  BUG();
406 
407  pte_ref = pte_offset_kernel(pmd_ref, address);
408  if (!pte_present(*pte_ref))
409  return -1;
410 
411  pte = pte_offset_kernel(pmd, address);
412 
413  /*
414  * Don't use pte_page here, because the mappings can point
415  * outside mem_map, and the NUMA hash lookup cannot handle
416  * that:
417  */
418  if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
419  BUG();
420 
421  return 0;
422 }
423 
424 #ifdef CONFIG_CPU_SUP_AMD
425 static const char errata93_warning[] =
426 KERN_ERR
427 "******* Your BIOS seems to not contain a fix for K8 errata #93\n"
428 "******* Working around it, but it may cause SEGVs or burn power.\n"
429 "******* Please consider a BIOS update.\n"
430 "******* Disabling USB legacy in the BIOS may also help.\n";
431 #endif
432 
433 /*
434  * No vm86 mode in 64-bit mode:
435  */
436 static inline void
437 check_v8086_mode(struct pt_regs *regs, unsigned long address,
438  struct task_struct *tsk)
439 {
440 }
441 
442 static int bad_address(void *p)
443 {
444  unsigned long dummy;
445 
446  return probe_kernel_address((unsigned long *)p, dummy);
447 }
448 
449 static void dump_pagetable(unsigned long address)
450 {
451  pgd_t *base = __va(read_cr3() & PHYSICAL_PAGE_MASK);
452  pgd_t *pgd = base + pgd_index(address);
453  pud_t *pud;
454  pmd_t *pmd;
455  pte_t *pte;
456 
457  if (bad_address(pgd))
458  goto bad;
459 
460  printk("PGD %lx ", pgd_val(*pgd));
461 
462  if (!pgd_present(*pgd))
463  goto out;
464 
465  pud = pud_offset(pgd, address);
466  if (bad_address(pud))
467  goto bad;
468 
469  printk("PUD %lx ", pud_val(*pud));
470  if (!pud_present(*pud) || pud_large(*pud))
471  goto out;
472 
473  pmd = pmd_offset(pud, address);
474  if (bad_address(pmd))
475  goto bad;
476 
477  printk("PMD %lx ", pmd_val(*pmd));
478  if (!pmd_present(*pmd) || pmd_large(*pmd))
479  goto out;
480 
481  pte = pte_offset_kernel(pmd, address);
482  if (bad_address(pte))
483  goto bad;
484 
485  printk("PTE %lx", pte_val(*pte));
486 out:
487  printk("\n");
488  return;
489 bad:
490  printk("BAD\n");
491 }
492 
493 #endif /* CONFIG_X86_64 */
494 
495 /*
496  * Workaround for K8 erratum #93 & buggy BIOS.
497  *
498  * BIOS SMM functions are required to use a specific workaround
499  * to avoid corruption of the 64bit RIP register on C stepping K8.
500  *
501  * A lot of BIOS that didn't get tested properly miss this.
502  *
503  * The OS sees this as a page fault with the upper 32bits of RIP cleared.
504  * Try to work around it here.
505  *
506  * Note we only handle faults in kernel here.
507  * Does nothing on 32-bit.
508  */
509 static int is_errata93(struct pt_regs *regs, unsigned long address)
510 {
511 #if defined(CONFIG_X86_64) && defined(CONFIG_CPU_SUP_AMD)
512  if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD
513  || boot_cpu_data.x86 != 0xf)
514  return 0;
515 
516  if (address != regs->ip)
517  return 0;
518 
519  if ((address >> 32) != 0)
520  return 0;
521 
522  address |= 0xffffffffUL << 32;
523  if ((address >= (u64)_stext && address <= (u64)_etext) ||
524  (address >= MODULES_VADDR && address <= MODULES_END)) {
525  printk_once(errata93_warning);
526  regs->ip = address;
527  return 1;
528  }
529 #endif
530  return 0;
531 }
532 
533 /*
534  * Work around K8 erratum #100 K8 in compat mode occasionally jumps
535  * to illegal addresses >4GB.
536  *
537  * We catch this in the page fault handler because these addresses
538  * are not reachable. Just detect this case and return. Any code
539  * segment in LDT is compatibility mode.
540  */
541 static int is_errata100(struct pt_regs *regs, unsigned long address)
542 {
543 #ifdef CONFIG_X86_64
544  if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
545  return 1;
546 #endif
547  return 0;
548 }
549 
550 static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
551 {
552 #ifdef CONFIG_X86_F00F_BUG
553  unsigned long nr;
554 
555  /*
556  * Pentium F0 0F C7 C8 bug workaround:
557  */
558  if (boot_cpu_data.f00f_bug) {
559  nr = (address - idt_descr.address) >> 3;
560 
561  if (nr == 6) {
562  do_invalid_op(regs, 0);
563  return 1;
564  }
565  }
566 #endif
567  return 0;
568 }
569 
570 static const char nx_warning[] = KERN_CRIT
571 "kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
572 
573 static void
574 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
575  unsigned long address)
576 {
577  if (!oops_may_print())
578  return;
579 
580  if (error_code & PF_INSTR) {
581  unsigned int level;
582 
583  pte_t *pte = lookup_address(address, &level);
584 
585  if (pte && pte_present(*pte) && !pte_exec(*pte))
586  printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
587  }
588 
589  printk(KERN_ALERT "BUG: unable to handle kernel ");
590  if (address < PAGE_SIZE)
591  printk(KERN_CONT "NULL pointer dereference");
592  else
593  printk(KERN_CONT "paging request");
594 
595  printk(KERN_CONT " at %p\n", (void *) address);
596  printk(KERN_ALERT "IP:");
597  printk_address(regs->ip, 1);
598 
599  dump_pagetable(address);
600 }
601 
602 static noinline void
603 pgtable_bad(struct pt_regs *regs, unsigned long error_code,
604  unsigned long address)
605 {
606  struct task_struct *tsk;
607  unsigned long flags;
608  int sig;
609 
610  flags = oops_begin();
611  tsk = current;
612  sig = SIGKILL;
613 
614  printk(KERN_ALERT "%s: Corrupted page table at address %lx\n",
615  tsk->comm, address);
616  dump_pagetable(address);
617 
618  tsk->thread.cr2 = address;
619  tsk->thread.trap_nr = X86_TRAP_PF;
620  tsk->thread.error_code = error_code;
621 
622  if (__die("Bad pagetable", regs, error_code))
623  sig = 0;
624 
625  oops_end(flags, regs, sig);
626 }
627 
628 static noinline void
629 no_context(struct pt_regs *regs, unsigned long error_code,
630  unsigned long address, int signal, int si_code)
631 {
632  struct task_struct *tsk = current;
633  unsigned long *stackend;
634  unsigned long flags;
635  int sig;
636 
637  /* Are we prepared to handle this kernel fault? */
638  if (fixup_exception(regs)) {
639  if (current_thread_info()->sig_on_uaccess_error && signal) {
640  tsk->thread.trap_nr = X86_TRAP_PF;
641  tsk->thread.error_code = error_code | PF_USER;
642  tsk->thread.cr2 = address;
643 
644  /* XXX: hwpoison faults will set the wrong code. */
645  force_sig_info_fault(signal, si_code, address, tsk, 0);
646  }
647  return;
648  }
649 
650  /*
651  * 32-bit:
652  *
653  * Valid to do another page fault here, because if this fault
654  * had been triggered by is_prefetch fixup_exception would have
655  * handled it.
656  *
657  * 64-bit:
658  *
659  * Hall of shame of CPU/BIOS bugs.
660  */
661  if (is_prefetch(regs, error_code, address))
662  return;
663 
664  if (is_errata93(regs, address))
665  return;
666 
667  /*
668  * Oops. The kernel tried to access some bad page. We'll have to
669  * terminate things with extreme prejudice:
670  */
671  flags = oops_begin();
672 
673  show_fault_oops(regs, error_code, address);
674 
675  stackend = end_of_stack(tsk);
676  if (tsk != &init_task && *stackend != STACK_END_MAGIC)
677  printk(KERN_EMERG "Thread overran stack, or stack corrupted\n");
678 
679  tsk->thread.cr2 = address;
680  tsk->thread.trap_nr = X86_TRAP_PF;
681  tsk->thread.error_code = error_code;
682 
683  sig = SIGKILL;
684  if (__die("Oops", regs, error_code))
685  sig = 0;
686 
687  /* Executive summary in case the body of the oops scrolled away */
688  printk(KERN_DEFAULT "CR2: %016lx\n", address);
689 
690  oops_end(flags, regs, sig);
691 }
692 
693 /*
694  * Print out info about fatal segfaults, if the show_unhandled_signals
695  * sysctl is set:
696  */
697 static inline void
698 show_signal_msg(struct pt_regs *regs, unsigned long error_code,
699  unsigned long address, struct task_struct *tsk)
700 {
701  if (!unhandled_signal(tsk, SIGSEGV))
702  return;
703 
704  if (!printk_ratelimit())
705  return;
706 
707  printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
708  task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
709  tsk->comm, task_pid_nr(tsk), address,
710  (void *)regs->ip, (void *)regs->sp, error_code);
711 
712  print_vma_addr(KERN_CONT " in ", regs->ip);
713 
714  printk(KERN_CONT "\n");
715 }
716 
717 static void
718 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
719  unsigned long address, int si_code)
720 {
721  struct task_struct *tsk = current;
722 
723  /* User mode accesses just cause a SIGSEGV */
724  if (error_code & PF_USER) {
725  /*
726  * It's possible to have interrupts off here:
727  */
728  local_irq_enable();
729 
730  /*
731  * Valid to do another page fault here because this one came
732  * from user space:
733  */
734  if (is_prefetch(regs, error_code, address))
735  return;
736 
737  if (is_errata100(regs, address))
738  return;
739 
740 #ifdef CONFIG_X86_64
741  /*
742  * Instruction fetch faults in the vsyscall page might need
743  * emulation.
744  */
745  if (unlikely((error_code & PF_INSTR) &&
746  ((address & ~0xfff) == VSYSCALL_START))) {
747  if (emulate_vsyscall(regs, address))
748  return;
749  }
750 #endif
751 
752  if (unlikely(show_unhandled_signals))
753  show_signal_msg(regs, error_code, address, tsk);
754 
755  /* Kernel addresses are always protection faults: */
756  tsk->thread.cr2 = address;
757  tsk->thread.error_code = error_code | (address >= TASK_SIZE);
758  tsk->thread.trap_nr = X86_TRAP_PF;
759 
760  force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0);
761 
762  return;
763  }
764 
765  if (is_f00f_bug(regs, address))
766  return;
767 
768  no_context(regs, error_code, address, SIGSEGV, si_code);
769 }
770 
771 static noinline void
772 bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
773  unsigned long address)
774 {
775  __bad_area_nosemaphore(regs, error_code, address, SEGV_MAPERR);
776 }
777 
778 static void
779 __bad_area(struct pt_regs *regs, unsigned long error_code,
780  unsigned long address, int si_code)
781 {
782  struct mm_struct *mm = current->mm;
783 
784  /*
785  * Something tried to access memory that isn't in our memory map..
786  * Fix it, but check if it's kernel or user first..
787  */
788  up_read(&mm->mmap_sem);
789 
790  __bad_area_nosemaphore(regs, error_code, address, si_code);
791 }
792 
793 static noinline void
794 bad_area(struct pt_regs *regs, unsigned long error_code, unsigned long address)
795 {
796  __bad_area(regs, error_code, address, SEGV_MAPERR);
797 }
798 
799 static noinline void
800 bad_area_access_error(struct pt_regs *regs, unsigned long error_code,
801  unsigned long address)
802 {
803  __bad_area(regs, error_code, address, SEGV_ACCERR);
804 }
805 
806 /* TODO: fixup for "mm-invoke-oom-killer-from-page-fault.patch" */
807 static void
808 out_of_memory(struct pt_regs *regs, unsigned long error_code,
809  unsigned long address)
810 {
811  /*
812  * We ran out of memory, call the OOM killer, and return the userspace
813  * (which will retry the fault, or kill us if we got oom-killed):
814  */
815  up_read(&current->mm->mmap_sem);
816 
817  pagefault_out_of_memory();
818 }
819 
820 static void
821 do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
822  unsigned int fault)
823 {
824  struct task_struct *tsk = current;
825  struct mm_struct *mm = tsk->mm;
826  int code = BUS_ADRERR;
827 
828  up_read(&mm->mmap_sem);
829 
830  /* Kernel mode? Handle exceptions or die: */
831  if (!(error_code & PF_USER)) {
832  no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
833  return;
834  }
835 
836  /* User-space => ok to do another page fault: */
837  if (is_prefetch(regs, error_code, address))
838  return;
839 
840  tsk->thread.cr2 = address;
841  tsk->thread.error_code = error_code;
842  tsk->thread.trap_nr = X86_TRAP_PF;
843 
844 #ifdef CONFIG_MEMORY_FAILURE
845  if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
846  printk(KERN_ERR
847  "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
848  tsk->comm, tsk->pid, address);
849  code = BUS_MCEERR_AR;
850  }
851 #endif
852  force_sig_info_fault(SIGBUS, code, address, tsk, fault);
853 }
854 
855 static noinline int
856 mm_fault_error(struct pt_regs *regs, unsigned long error_code,
857  unsigned long address, unsigned int fault)
858 {
859  /*
860  * Pagefault was interrupted by SIGKILL. We have no reason to
861  * continue pagefault.
862  */
863  if (fatal_signal_pending(current)) {
864  if (!(fault & VM_FAULT_RETRY))
865  up_read(&current->mm->mmap_sem);
866  if (!(error_code & PF_USER))
867  no_context(regs, error_code, address, 0, 0);
868  return 1;
869  }
870  if (!(fault & VM_FAULT_ERROR))
871  return 0;
872 
873  if (fault & VM_FAULT_OOM) {
874  /* Kernel mode? Handle exceptions or die: */
875  if (!(error_code & PF_USER)) {
876  up_read(&current->mm->mmap_sem);
877  no_context(regs, error_code, address,
878  SIGSEGV, SEGV_MAPERR);
879  return 1;
880  }
881 
882  out_of_memory(regs, error_code, address);
883  } else {
884  if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
885  VM_FAULT_HWPOISON_LARGE))
886  do_sigbus(regs, error_code, address, fault);
887  else
888  BUG();
889  }
890  return 1;
891 }
892 
893 static int spurious_fault_check(unsigned long error_code, pte_t *pte)
894 {
895  if ((error_code & PF_WRITE) && !pte_write(*pte))
896  return 0;
897 
898  if ((error_code & PF_INSTR) && !pte_exec(*pte))
899  return 0;
900 
901  return 1;
902 }
903 
904 /*
905  * Handle a spurious fault caused by a stale TLB entry.
906  *
907  * This allows us to lazily refresh the TLB when increasing the
908  * permissions of a kernel page (RO -> RW or NX -> X). Doing it
909  * eagerly is very expensive since that implies doing a full
910  * cross-processor TLB flush, even if no stale TLB entries exist
911  * on other processors.
912  *
913  * There are no security implications to leaving a stale TLB when
914  * increasing the permissions on a page.
915  */
916 static noinline __kprobes int
917 spurious_fault(unsigned long error_code, unsigned long address)
918 {
919  pgd_t *pgd;
920  pud_t *pud;
921  pmd_t *pmd;
922  pte_t *pte;
923  int ret;
924 
925  /* Reserved-bit violation or user access to kernel space? */
926  if (error_code & (PF_USER | PF_RSVD))
927  return 0;
928 
929  pgd = init_mm.pgd + pgd_index(address);
930  if (!pgd_present(*pgd))
931  return 0;
932 
933  pud = pud_offset(pgd, address);
934  if (!pud_present(*pud))
935  return 0;
936 
937  if (pud_large(*pud))
938  return spurious_fault_check(error_code, (pte_t *) pud);
939 
940  pmd = pmd_offset(pud, address);
941  if (!pmd_present(*pmd))
942  return 0;
943 
944  if (pmd_large(*pmd))
945  return spurious_fault_check(error_code, (pte_t *) pmd);
946 
947  /*
948  * Note: don't use pte_present() here, since it returns true
949  * if the _PAGE_PROTNONE bit is set. However, this aliases the
950  * _PAGE_GLOBAL bit, which for kernel pages give false positives
951  * when CONFIG_DEBUG_PAGEALLOC is used.
952  */
953  pte = pte_offset_kernel(pmd, address);
954  if (!(pte_flags(*pte) & _PAGE_PRESENT))
955  return 0;
956 
957  ret = spurious_fault_check(error_code, pte);
958  if (!ret)
959  return 0;
960 
961  /*
962  * Make sure we have permissions in PMD.
963  * If not, then there's a bug in the page tables:
964  */
965  ret = spurious_fault_check(error_code, (pte_t *) pmd);
966  WARN_ONCE(!ret, "PMD has incorrect permission bits\n");
967 
968  return ret;
969 }
970 
971 int show_unhandled_signals = 1;
972 
973 static inline int
974 access_error(unsigned long error_code, struct vm_area_struct *vma)
975 {
976  if (error_code & PF_WRITE) {
977  /* write, present and write, not present: */
978  if (unlikely(!(vma->vm_flags & VM_WRITE)))
979  return 1;
980  return 0;
981  }
982 
983  /* read, present: */
984  if (unlikely(error_code & PF_PROT))
985  return 1;
986 
987  /* read, not present: */
988  if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
989  return 1;
990 
991  return 0;
992 }
993 
994 static int fault_in_kernel_space(unsigned long address)
995 {
996  return address >= TASK_SIZE_MAX;
997 }
998 
999 static inline bool smap_violation(int error_code, struct pt_regs *regs)
1000 {
1001  if (error_code & PF_USER)
1002  return false;
1003 
1004  if (!user_mode_vm(regs) && (regs->flags & X86_EFLAGS_AC))
1005  return false;
1006 
1007  return true;
1008 }
1009 
1010 /*
1011  * This routine handles page faults. It determines the address,
1012  * and the problem, and then passes it off to one of the appropriate
1013  * routines.
1014  */
1015 static void __kprobes
1016 __do_page_fault(struct pt_regs *regs, unsigned long error_code)
1017 {
1018  struct vm_area_struct *vma;
1019  struct task_struct *tsk;
1020  unsigned long address;
1021  struct mm_struct *mm;
1022  int fault;
1023  int write = error_code & PF_WRITE;
1024  unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
1025  (write ? FAULT_FLAG_WRITE : 0);
1026 
1027  tsk = current;
1028  mm = tsk->mm;
1029 
1030  /* Get the faulting address: */
1031  address = read_cr2();
1032 
1033  /*
1034  * Detect and handle instructions that would cause a page fault for
1035  * both a tracked kernel page and a userspace page.
1036  */
1037  if (kmemcheck_active(regs))
1038  kmemcheck_hide(regs);
1039  prefetchw(&mm->mmap_sem);
1040 
1041  if (unlikely(kmmio_fault(regs, address)))
1042  return;
1043 
1044  /*
1045  * We fault-in kernel-space virtual memory on-demand. The
1046  * 'reference' page table is init_mm.pgd.
1047  *
1048  * NOTE! We MUST NOT take any locks for this case. We may
1049  * be in an interrupt or a critical region, and should
1050  * only copy the information from the master page table,
1051  * nothing more.
1052  *
1053  * This verifies that the fault happens in kernel space
1054  * (error_code & 4) == 0, and that the fault was not a
1055  * protection error (error_code & 9) == 0.
1056  */
1057  if (unlikely(fault_in_kernel_space(address))) {
1058  if (!(error_code & (PF_RSVD | PF_USER | PF_PROT))) {
1059  if (vmalloc_fault(address) >= 0)
1060  return;
1061 
1062  if (kmemcheck_fault(regs, address, error_code))
1063  return;
1064  }
1065 
1066  /* Can handle a stale RO->RW TLB: */
1067  if (spurious_fault(error_code, address))
1068  return;
1069 
1070  /* kprobes don't want to hook the spurious faults: */
1071  if (notify_page_fault(regs))
1072  return;
1073  /*
1074  * Don't take the mm semaphore here. If we fixup a prefetch
1075  * fault we could otherwise deadlock:
1076  */
1077  bad_area_nosemaphore(regs, error_code, address);
1078 
1079  return;
1080  }
1081 
1082  /* kprobes don't want to hook the spurious faults: */
1083  if (unlikely(notify_page_fault(regs)))
1084  return;
1085  /*
1086  * It's safe to allow irq's after cr2 has been saved and the
1087  * vmalloc fault has been handled.
1088  *
1089  * User-mode registers count as a user access even for any
1090  * potential system fault or CPU buglet:
1091  */
1092  if (user_mode_vm(regs)) {
1093  local_irq_enable();
1094  error_code |= PF_USER;
1095  } else {
1096  if (regs->flags & X86_EFLAGS_IF)
1097  local_irq_enable();
1098  }
1099 
1100  if (unlikely(error_code & PF_RSVD))
1101  pgtable_bad(regs, error_code, address);
1102 
1103  if (static_cpu_has(X86_FEATURE_SMAP)) {
1104  if (unlikely(smap_violation(error_code, regs))) {
1105  bad_area_nosemaphore(regs, error_code, address);
1106  return;
1107  }
1108  }
1109 
1110  perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
1111 
1112  /*
1113  * If we're in an interrupt, have no user context or are running
1114  * in an atomic region then we must not take the fault:
1115  */
1116  if (unlikely(in_atomic() || !mm)) {
1117  bad_area_nosemaphore(regs, error_code, address);
1118  return;
1119  }
1120 
1121  /*
1122  * When running in the kernel we expect faults to occur only to
1123  * addresses in user space. All other faults represent errors in
1124  * the kernel and should generate an OOPS. Unfortunately, in the
1125  * case of an erroneous fault occurring in a code path which already
1126  * holds mmap_sem we will deadlock attempting to validate the fault
1127  * against the address space. Luckily the kernel only validly
1128  * references user space from well defined areas of code, which are
1129  * listed in the exceptions table.
1130  *
1131  * As the vast majority of faults will be valid we will only perform
1132  * the source reference check when there is a possibility of a
1133  * deadlock. Attempt to lock the address space, if we cannot we then
1134  * validate the source. If this is invalid we can skip the address
1135  * space check, thus avoiding the deadlock:
1136  */
1137  if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
1138  if ((error_code & PF_USER) == 0 &&
1139  !search_exception_tables(regs->ip)) {
1140  bad_area_nosemaphore(regs, error_code, address);
1141  return;
1142  }
1143 retry:
1144  down_read(&mm->mmap_sem);
1145  } else {
1146  /*
1147  * The above down_read_trylock() might have succeeded in
1148  * which case we'll have missed the might_sleep() from
1149  * down_read():
1150  */
1151  might_sleep();
1152  }
1153 
1154  vma = find_vma(mm, address);
1155  if (unlikely(!vma)) {
1156  bad_area(regs, error_code, address);
1157  return;
1158  }
1159  if (likely(vma->vm_start <= address))
1160  goto good_area;
1161  if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {
1162  bad_area(regs, error_code, address);
1163  return;
1164  }
1165  if (error_code & PF_USER) {
1166  /*
1167  * Accessing the stack below %sp is always a bug.
1168  * The large cushion allows instructions like enter
1169  * and pusha to work. ("enter $65535, $31" pushes
1170  * 32 pointers and then decrements %sp by 65535.)
1171  */
1172  if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
1173  bad_area(regs, error_code, address);
1174  return;
1175  }
1176  }
1177  if (unlikely(expand_stack(vma, address))) {
1178  bad_area(regs, error_code, address);
1179  return;
1180  }
1181 
1182  /*
1183  * Ok, we have a good vm_area for this memory access, so
1184  * we can handle it..
1185  */
1186 good_area:
1187  if (unlikely(access_error(error_code, vma))) {
1188  bad_area_access_error(regs, error_code, address);
1189  return;
1190  }
1191 
1192  /*
1193  * If for any reason at all we couldn't handle the fault,
1194  * make sure we exit gracefully rather than endlessly redo
1195  * the fault:
1196  */
1197  fault = handle_mm_fault(mm, vma, address, flags);
1198 
1199  if (unlikely(fault & (VM_FAULT_RETRY|VM_FAULT_ERROR))) {
1200  if (mm_fault_error(regs, error_code, address, fault))
1201  return;
1202  }
1203 
1204  /*
1205  * Major/minor page fault accounting is only done on the
1206  * initial attempt. If we go through a retry, it is extremely
1207  * likely that the page will be found in page cache at that point.
1208  */
1209  if (flags & FAULT_FLAG_ALLOW_RETRY) {
1210  if (fault & VM_FAULT_MAJOR) {
1211  tsk->maj_flt++;
1212  perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
1213  regs, address);
1214  } else {
1215  tsk->min_flt++;
1216  perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
1217  regs, address);
1218  }
1219  if (fault & VM_FAULT_RETRY) {
1220  /* Clear FAULT_FLAG_ALLOW_RETRY to avoid any risk
1221  * of starvation. */
1222  flags &= ~FAULT_FLAG_ALLOW_RETRY;
1223  flags |= FAULT_FLAG_TRIED;
1224  goto retry;
1225  }
1226  }
1227 
1228  check_v8086_mode(regs, address, tsk);
1229 
1230  up_read(&mm->mmap_sem);
1231 }
1232 
1233 dotraplinkage void __kprobes
1234 do_page_fault(struct pt_regs *regs, unsigned long error_code)
1235 {
1236  exception_enter(regs);
1237  __do_page_fault(regs, error_code);
1238  exception_exit(regs);
1239 }
Generated on Thu Jan 10 2013 12:53:56 for Linux Kernel by   doxygen 1.8.2