2 * Copyright (C) 1995 Linus Torvalds
3 * Copyright (C) 2001, 2002 Andi Kleen, SuSE Labs.
4 * Copyright (C) 2008-2009, Red Hat Inc., Ingo Molnar
6 #include <linux/sched.h> /* test_thread_flag(), ... */
7 #include <linux/kdebug.h> /* oops_begin/end, ... */
8 #include <linux/extable.h> /* search_exception_tables */
9 #include <linux/bootmem.h> /* max_low_pfn */
10 #include <linux/kprobes.h> /* NOKPROBE_SYMBOL, ... */
11 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
12 #include <linux/perf_event.h> /* perf_sw_event */
13 #include <linux/hugetlb.h> /* hstate_index_to_shift */
14 #include <linux/prefetch.h> /* prefetchw */
15 #include <linux/context_tracking.h> /* exception_enter(), ... */
16 #include <linux/uaccess.h> /* faulthandler_disabled() */
18 #include <asm/cpufeature.h> /* boot_cpu_has, ... */
19 #include <asm/traps.h> /* dotraplinkage, ... */
20 #include <asm/pgalloc.h> /* pgd_*(), ... */
21 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
22 #include <asm/fixmap.h> /* VSYSCALL_ADDR */
23 #include <asm/vsyscall.h> /* emulate_vsyscall */
24 #include <asm/vm86.h> /* struct vm86 */
25 #include <asm/mmu_context.h> /* vma_pkey() */
26 #include <asm/sections.h>
28 #define CREATE_TRACE_POINTS
29 #include <asm/trace/exceptions.h>
32 * Page fault error code bits:
34 * bit 0 == 0: no page found 1: protection fault
35 * bit 1 == 0: read access 1: write access
36 * bit 2 == 0: kernel-mode access 1: user-mode access
37 * bit 3 == 1: use of reserved bit detected
38 * bit 4 == 1: fault was an instruction fetch
39 * bit 5 == 1: protection keys block access
41 enum x86_pf_error_code {
52 * Returns 0 if mmiotrace is disabled, or if the fault is not
53 * handled by mmiotrace:
55 static nokprobe_inline int
56 kmmio_fault(struct pt_regs *regs, unsigned long addr)
58 if (unlikely(is_kmmio_active()))
59 if (kmmio_handler(regs, addr) == 1)
64 static nokprobe_inline int kprobes_fault(struct pt_regs *regs)
68 /* kprobe_running() needs smp_processor_id() */
69 if (kprobes_built_in() && !user_mode(regs)) {
71 if (kprobe_running() && kprobe_fault_handler(regs, 14))
84 * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
85 * Check that here and ignore it.
89 * Sometimes the CPU reports invalid exceptions on prefetch.
90 * Check that here and ignore it.
92 * Opcode checker based on code by Richard Brunner.
95 check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
96 unsigned char opcode, int *prefetch)
98 unsigned char instr_hi = opcode & 0xf0;
99 unsigned char instr_lo = opcode & 0x0f;
105 * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes.
106 * In X86_64 long mode, the CPU will signal invalid
107 * opcode if some of these prefixes are present so
108 * X86_64 will never get here anyway
110 return ((instr_lo & 7) == 0x6);
114 * In AMD64 long mode 0x40..0x4F are valid REX prefixes
115 * Need to figure out under what instruction mode the
116 * instruction was issued. Could check the LDT for lm,
117 * but for now it's good enough to assume that long
118 * mode only uses well known segments or kernel.
120 return (!user_mode(regs) || user_64bit_mode(regs));
123 /* 0x64 thru 0x67 are valid prefixes in all modes. */
124 return (instr_lo & 0xC) == 0x4;
126 /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */
127 return !instr_lo || (instr_lo>>1) == 1;
129 /* Prefetch instruction is 0x0F0D or 0x0F18 */
130 if (probe_kernel_address(instr, opcode))
133 *prefetch = (instr_lo == 0xF) &&
134 (opcode == 0x0D || opcode == 0x18);
142 is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
144 unsigned char *max_instr;
145 unsigned char *instr;
149 * If it was a exec (instruction fetch) fault on NX page, then
150 * do not ignore the fault:
152 if (error_code & PF_INSTR)
155 instr = (void *)convert_ip_to_linear(current, regs);
156 max_instr = instr + 15;
158 if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE_MAX)
161 while (instr < max_instr) {
162 unsigned char opcode;
164 if (probe_kernel_address(instr, opcode))
169 if (!check_prefetch_opcode(regs, instr, opcode, &prefetch))
176 * A protection key fault means that the PKRU value did not allow
177 * access to some PTE. Userspace can figure out what PKRU was
178 * from the XSAVE state, and this function fills out a field in
179 * siginfo so userspace can discover which protection key was set
182 * If we get here, we know that the hardware signaled a PF_PK
183 * fault and that there was a VMA once we got in the fault
184 * handler. It does *not* guarantee that the VMA we find here
185 * was the one that we faulted on.
187 * 1. T1 : mprotect_key(foo, PAGE_SIZE, pkey=4);
188 * 2. T1 : set PKRU to deny access to pkey=4, touches page
190 * 4. T2: mprotect_key(foo, PAGE_SIZE, pkey=5);
191 * 5. T1 : enters fault handler, takes mmap_sem, etc...
192 * 6. T1 : reaches here, sees vma_pkey(vma)=5, when we really
193 * faulted on a pte with its pkey=4.
195 static void fill_sig_info_pkey(int si_signo, int si_code, siginfo_t *info,
198 /* This is effectively an #ifdef */
199 if (!boot_cpu_has(X86_FEATURE_OSPKE))
202 /* Fault not from Protection Keys: nothing to do */
203 if ((si_code != SEGV_PKUERR) || (si_signo != SIGSEGV))
206 * force_sig_info_fault() is called from a number of
207 * contexts, some of which have a VMA and some of which
208 * do not. The PF_PK handing happens after we have a
209 * valid VMA, so we should never reach this without a
213 WARN_ONCE(1, "PKU fault with no VMA passed in");
218 * si_pkey should be thought of as a strong hint, but not
219 * absolutely guranteed to be 100% accurate because of
220 * the race explained above.
222 info->si_pkey = *pkey;
226 force_sig_info_fault(int si_signo, int si_code, unsigned long address,
227 struct task_struct *tsk, u32 *pkey, int fault)
232 info.si_signo = si_signo;
234 info.si_code = si_code;
235 info.si_addr = (void __user *)address;
236 if (fault & VM_FAULT_HWPOISON_LARGE)
237 lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
238 if (fault & VM_FAULT_HWPOISON)
240 info.si_addr_lsb = lsb;
242 fill_sig_info_pkey(si_signo, si_code, &info, pkey);
244 force_sig_info(si_signo, &info, tsk);
247 DEFINE_SPINLOCK(pgd_lock);
251 static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
253 unsigned index = pgd_index(address);
259 pgd_k = init_mm.pgd + index;
261 if (!pgd_present(*pgd_k))
265 * set_pgd(pgd, *pgd_k); here would be useless on PAE
266 * and redundant with the set_pmd() on non-PAE. As would
269 pud = pud_offset(pgd, address);
270 pud_k = pud_offset(pgd_k, address);
271 if (!pud_present(*pud_k))
274 pmd = pmd_offset(pud, address);
275 pmd_k = pmd_offset(pud_k, address);
277 if (pmd_present(*pmd) != pmd_present(*pmd_k))
278 set_pmd(pmd, *pmd_k);
280 if (!pmd_present(*pmd_k))
283 BUG_ON(pmd_pfn(*pmd) != pmd_pfn(*pmd_k));
288 static void vmalloc_sync(void)
290 unsigned long address;
292 if (SHARED_KERNEL_PMD)
295 for (address = VMALLOC_START & PMD_MASK;
296 address >= TASK_SIZE_MAX && address < FIXADDR_TOP;
297 address += PMD_SIZE) {
300 spin_lock(&pgd_lock);
301 list_for_each_entry(page, &pgd_list, lru) {
302 spinlock_t *pgt_lock;
304 /* the pgt_lock only for Xen */
305 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
308 vmalloc_sync_one(page_address(page), address);
309 spin_unlock(pgt_lock);
311 spin_unlock(&pgd_lock);
315 void vmalloc_sync_mappings(void)
320 void vmalloc_sync_unmappings(void)
328 * Handle a fault on the vmalloc or module mapping area
330 static noinline int vmalloc_fault(unsigned long address)
332 unsigned long pgd_paddr;
336 /* Make sure we are in vmalloc area: */
337 if (!(address >= VMALLOC_START && address < VMALLOC_END))
341 * Synchronize this task's top level page-table
342 * with the 'reference' page table.
344 * Do _not_ use "current" here. We might be inside
345 * an interrupt in the middle of a task switch..
347 pgd_paddr = read_cr3();
348 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
352 if (pmd_large(*pmd_k))
355 pte_k = pte_offset_kernel(pmd_k, address);
356 if (!pte_present(*pte_k))
361 NOKPROBE_SYMBOL(vmalloc_fault);
364 * Did it hit the DOS screen memory VA from vm86 mode?
367 check_v8086_mode(struct pt_regs *regs, unsigned long address,
368 struct task_struct *tsk)
373 if (!v8086_mode(regs) || !tsk->thread.vm86)
376 bit = (address - 0xA0000) >> PAGE_SHIFT;
378 tsk->thread.vm86->screen_bitmap |= 1 << bit;
382 static bool low_pfn(unsigned long pfn)
384 return pfn < max_low_pfn;
387 static void dump_pagetable(unsigned long address)
389 pgd_t *base = __va(read_cr3());
390 pgd_t *pgd = &base[pgd_index(address)];
394 #ifdef CONFIG_X86_PAE
395 printk("*pdpt = %016Lx ", pgd_val(*pgd));
396 if (!low_pfn(pgd_val(*pgd) >> PAGE_SHIFT) || !pgd_present(*pgd))
399 pmd = pmd_offset(pud_offset(pgd, address), address);
400 printk(KERN_CONT "*pde = %0*Lx ", sizeof(*pmd) * 2, (u64)pmd_val(*pmd));
403 * We must not directly access the pte in the highpte
404 * case if the page table is located in highmem.
405 * And let's rather not kmap-atomic the pte, just in case
406 * it's allocated already:
408 if (!low_pfn(pmd_pfn(*pmd)) || !pmd_present(*pmd) || pmd_large(*pmd))
411 pte = pte_offset_kernel(pmd, address);
412 printk("*pte = %0*Lx ", sizeof(*pte) * 2, (u64)pte_val(*pte));
417 #else /* CONFIG_X86_64: */
419 void vmalloc_sync_mappings(void)
422 * 64-bit mappings might allocate new p4d/pud pages
423 * that need to be propagated to all tasks' PGDs.
425 sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END, 0);
428 void vmalloc_sync_unmappings(void)
431 * Unmappings never allocate or free p4d/pud pages.
432 * No work is required here.
439 * Handle a fault on the vmalloc area
441 static noinline int vmalloc_fault(unsigned long address)
443 pgd_t *pgd, *pgd_ref;
444 pud_t *pud, *pud_ref;
445 pmd_t *pmd, *pmd_ref;
446 pte_t *pte, *pte_ref;
448 /* Make sure we are in vmalloc area: */
449 if (!(address >= VMALLOC_START && address < VMALLOC_END))
453 * Copy kernel mappings over when needed. This can also
454 * happen within a race in page table update. In the later
457 pgd = (pgd_t *)__va(read_cr3()) + pgd_index(address);
458 pgd_ref = pgd_offset_k(address);
459 if (pgd_none(*pgd_ref))
462 if (pgd_none(*pgd)) {
463 set_pgd(pgd, *pgd_ref);
464 arch_flush_lazy_mmu_mode();
466 BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
470 * Below here mismatches are bugs because these lower tables
474 pud = pud_offset(pgd, address);
475 pud_ref = pud_offset(pgd_ref, address);
476 if (pud_none(*pud_ref))
479 if (pud_none(*pud) || pud_pfn(*pud) != pud_pfn(*pud_ref))
485 pmd = pmd_offset(pud, address);
486 pmd_ref = pmd_offset(pud_ref, address);
487 if (pmd_none(*pmd_ref))
490 if (pmd_none(*pmd) || pmd_pfn(*pmd) != pmd_pfn(*pmd_ref))
496 pte_ref = pte_offset_kernel(pmd_ref, address);
497 if (!pte_present(*pte_ref))
500 pte = pte_offset_kernel(pmd, address);
503 * Don't use pte_page here, because the mappings can point
504 * outside mem_map, and the NUMA hash lookup cannot handle
507 if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
512 NOKPROBE_SYMBOL(vmalloc_fault);
514 #ifdef CONFIG_CPU_SUP_AMD
515 static const char errata93_warning[] =
517 "******* Your BIOS seems to not contain a fix for K8 errata #93\n"
518 "******* Working around it, but it may cause SEGVs or burn power.\n"
519 "******* Please consider a BIOS update.\n"
520 "******* Disabling USB legacy in the BIOS may also help.\n";
524 * No vm86 mode in 64-bit mode:
527 check_v8086_mode(struct pt_regs *regs, unsigned long address,
528 struct task_struct *tsk)
532 static int bad_address(void *p)
536 return probe_kernel_address((unsigned long *)p, dummy);
539 static void dump_pagetable(unsigned long address)
541 pgd_t *base = __va(read_cr3() & PHYSICAL_PAGE_MASK);
542 pgd_t *pgd = base + pgd_index(address);
547 if (bad_address(pgd))
550 printk("PGD %lx ", pgd_val(*pgd));
552 if (!pgd_present(*pgd))
555 pud = pud_offset(pgd, address);
556 if (bad_address(pud))
559 printk("PUD %lx ", pud_val(*pud));
560 if (!pud_present(*pud) || pud_large(*pud))
563 pmd = pmd_offset(pud, address);
564 if (bad_address(pmd))
567 printk("PMD %lx ", pmd_val(*pmd));
568 if (!pmd_present(*pmd) || pmd_large(*pmd))
571 pte = pte_offset_kernel(pmd, address);
572 if (bad_address(pte))
575 printk("PTE %lx", pte_val(*pte));
583 #endif /* CONFIG_X86_64 */
586 * Workaround for K8 erratum #93 & buggy BIOS.
588 * BIOS SMM functions are required to use a specific workaround
589 * to avoid corruption of the 64bit RIP register on C stepping K8.
591 * A lot of BIOS that didn't get tested properly miss this.
593 * The OS sees this as a page fault with the upper 32bits of RIP cleared.
594 * Try to work around it here.
596 * Note we only handle faults in kernel here.
597 * Does nothing on 32-bit.
599 static int is_errata93(struct pt_regs *regs, unsigned long address)
601 #if defined(CONFIG_X86_64) && defined(CONFIG_CPU_SUP_AMD)
602 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD
603 || boot_cpu_data.x86 != 0xf)
606 if (address != regs->ip)
609 if ((address >> 32) != 0)
612 address |= 0xffffffffUL << 32;
613 if ((address >= (u64)_stext && address <= (u64)_etext) ||
614 (address >= MODULES_VADDR && address <= MODULES_END)) {
615 printk_once(errata93_warning);
624 * Work around K8 erratum #100 K8 in compat mode occasionally jumps
625 * to illegal addresses >4GB.
627 * We catch this in the page fault handler because these addresses
628 * are not reachable. Just detect this case and return. Any code
629 * segment in LDT is compatibility mode.
631 static int is_errata100(struct pt_regs *regs, unsigned long address)
634 if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
640 static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
642 #ifdef CONFIG_X86_F00F_BUG
646 * Pentium F0 0F C7 C8 bug workaround:
648 if (boot_cpu_has_bug(X86_BUG_F00F)) {
649 nr = (address - idt_descr.address) >> 3;
652 do_invalid_op(regs, 0);
660 static const char nx_warning[] = KERN_CRIT
661 "kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
662 static const char smep_warning[] = KERN_CRIT
663 "unable to execute userspace code (SMEP?) (uid: %d)\n";
666 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
667 unsigned long address)
669 if (!oops_may_print())
672 if (error_code & PF_INSTR) {
677 pgd = __va(read_cr3() & PHYSICAL_PAGE_MASK);
678 pgd += pgd_index(address);
680 pte = lookup_address_in_pgd(pgd, address, &level);
682 if (pte && pte_present(*pte) && !pte_exec(*pte))
683 printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
684 if (pte && pte_present(*pte) && pte_exec(*pte) &&
685 (pgd_flags(*pgd) & _PAGE_USER) &&
686 (__read_cr4() & X86_CR4_SMEP))
687 printk(smep_warning, from_kuid(&init_user_ns, current_uid()));
690 printk(KERN_ALERT "BUG: unable to handle kernel ");
691 if (address < PAGE_SIZE)
692 printk(KERN_CONT "NULL pointer dereference");
694 printk(KERN_CONT "paging request");
696 printk(KERN_CONT " at %p\n", (void *) address);
697 printk(KERN_ALERT "IP:");
698 printk_address(regs->ip);
700 dump_pagetable(address);
704 pgtable_bad(struct pt_regs *regs, unsigned long error_code,
705 unsigned long address)
707 struct task_struct *tsk;
711 flags = oops_begin();
715 printk(KERN_ALERT "%s: Corrupted page table at address %lx\n",
717 dump_pagetable(address);
719 tsk->thread.cr2 = address;
720 tsk->thread.trap_nr = X86_TRAP_PF;
721 tsk->thread.error_code = error_code;
723 if (__die("Bad pagetable", regs, error_code))
726 oops_end(flags, regs, sig);
730 no_context(struct pt_regs *regs, unsigned long error_code,
731 unsigned long address, int signal, int si_code)
733 struct task_struct *tsk = current;
737 /* Are we prepared to handle this kernel fault? */
738 if (fixup_exception(regs, X86_TRAP_PF)) {
740 * Any interrupt that takes a fault gets the fixup. This makes
741 * the below recursive fault logic only apply to a faults from
748 * Per the above we're !in_interrupt(), aka. task context.
750 * In this case we need to make sure we're not recursively
751 * faulting through the emulate_vsyscall() logic.
753 if (current->thread.sig_on_uaccess_err && signal) {
754 tsk->thread.trap_nr = X86_TRAP_PF;
755 tsk->thread.error_code = error_code | PF_USER;
756 tsk->thread.cr2 = address;
758 /* XXX: hwpoison faults will set the wrong code. */
759 force_sig_info_fault(signal, si_code, address,
764 * Barring that, we can do the fixup and be happy.
769 #ifdef CONFIG_VMAP_STACK
771 * Stack overflow? During boot, we can fault near the initial
772 * stack in the direct map, but that's not an overflow -- check
773 * that we're in vmalloc space to avoid this.
775 if (is_vmalloc_addr((void *)address) &&
776 (((unsigned long)tsk->stack - 1 - address < PAGE_SIZE) ||
777 address - ((unsigned long)tsk->stack + THREAD_SIZE) < PAGE_SIZE)) {
778 register void *__sp asm("rsp");
779 unsigned long stack = this_cpu_read(orig_ist.ist[DOUBLEFAULT_STACK]) - sizeof(void *);
781 * We're likely to be running with very little stack space
782 * left. It's plausible that we'd hit this condition but
783 * double-fault even before we get this far, in which case
784 * we're fine: the double-fault handler will deal with it.
786 * We don't want to make it all the way into the oops code
787 * and then double-fault, though, because we're likely to
788 * break the console driver and lose most of the stack dump.
790 asm volatile ("movq %[stack], %%rsp\n\t"
791 "call handle_stack_overflow\n\t"
794 : "D" ("kernel stack overflow (page fault)"),
795 "S" (regs), "d" (address),
796 [stack] "rm" (stack));
804 * Valid to do another page fault here, because if this fault
805 * had been triggered by is_prefetch fixup_exception would have
810 * Hall of shame of CPU/BIOS bugs.
812 if (is_prefetch(regs, error_code, address))
815 if (is_errata93(regs, address))
819 * Oops. The kernel tried to access some bad page. We'll have to
820 * terminate things with extreme prejudice:
822 flags = oops_begin();
824 show_fault_oops(regs, error_code, address);
826 if (task_stack_end_corrupted(tsk))
827 printk(KERN_EMERG "Thread overran stack, or stack corrupted\n");
829 tsk->thread.cr2 = address;
830 tsk->thread.trap_nr = X86_TRAP_PF;
831 tsk->thread.error_code = error_code;
834 if (__die("Oops", regs, error_code))
837 /* Executive summary in case the body of the oops scrolled away */
838 printk(KERN_DEFAULT "CR2: %016lx\n", address);
840 oops_end(flags, regs, sig);
844 * Print out info about fatal segfaults, if the show_unhandled_signals
848 show_signal_msg(struct pt_regs *regs, unsigned long error_code,
849 unsigned long address, struct task_struct *tsk)
851 if (!unhandled_signal(tsk, SIGSEGV))
854 if (!printk_ratelimit())
857 printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
858 task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
859 tsk->comm, task_pid_nr(tsk), address,
860 (void *)regs->ip, (void *)regs->sp, error_code);
862 print_vma_addr(KERN_CONT " in ", regs->ip);
864 printk(KERN_CONT "\n");
868 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
869 unsigned long address, u32 *pkey, int si_code)
871 struct task_struct *tsk = current;
873 /* User mode accesses just cause a SIGSEGV */
874 if (error_code & PF_USER) {
876 * It's possible to have interrupts off here:
881 * Valid to do another page fault here because this one came
884 if (is_prefetch(regs, error_code, address))
887 if (is_errata100(regs, address))
892 * Instruction fetch faults in the vsyscall page might need
895 if (unlikely((error_code & PF_INSTR) &&
896 ((address & ~0xfff) == VSYSCALL_ADDR))) {
897 if (emulate_vsyscall(regs, address))
903 * To avoid leaking information about the kernel page table
904 * layout, pretend that user-mode accesses to kernel addresses
905 * are always protection faults.
907 if (address >= TASK_SIZE_MAX)
908 error_code |= PF_PROT;
910 if (likely(show_unhandled_signals))
911 show_signal_msg(regs, error_code, address, tsk);
913 tsk->thread.cr2 = address;
914 tsk->thread.error_code = error_code;
915 tsk->thread.trap_nr = X86_TRAP_PF;
917 force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
922 if (is_f00f_bug(regs, address))
925 no_context(regs, error_code, address, SIGSEGV, si_code);
929 bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
930 unsigned long address, u32 *pkey)
932 __bad_area_nosemaphore(regs, error_code, address, pkey, SEGV_MAPERR);
936 __bad_area(struct pt_regs *regs, unsigned long error_code,
937 unsigned long address, struct vm_area_struct *vma, int si_code)
939 struct mm_struct *mm = current->mm;
943 pkey = vma_pkey(vma);
946 * Something tried to access memory that isn't in our memory map..
947 * Fix it, but check if it's kernel or user first..
949 up_read(&mm->mmap_sem);
951 __bad_area_nosemaphore(regs, error_code, address,
952 (vma) ? &pkey : NULL, si_code);
956 bad_area(struct pt_regs *regs, unsigned long error_code, unsigned long address)
958 __bad_area(regs, error_code, address, NULL, SEGV_MAPERR);
961 static inline bool bad_area_access_from_pkeys(unsigned long error_code,
962 struct vm_area_struct *vma)
964 /* This code is always called on the current mm */
965 bool foreign = false;
967 if (!boot_cpu_has(X86_FEATURE_OSPKE))
969 if (error_code & PF_PK)
971 /* this checks permission keys on the VMA: */
972 if (!arch_vma_access_permitted(vma, (error_code & PF_WRITE),
973 (error_code & PF_INSTR), foreign))
979 bad_area_access_error(struct pt_regs *regs, unsigned long error_code,
980 unsigned long address, struct vm_area_struct *vma)
983 * This OSPKE check is not strictly necessary at runtime.
984 * But, doing it this way allows compiler optimizations
985 * if pkeys are compiled out.
987 if (bad_area_access_from_pkeys(error_code, vma))
988 __bad_area(regs, error_code, address, vma, SEGV_PKUERR);
990 __bad_area(regs, error_code, address, vma, SEGV_ACCERR);
994 do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
995 u32 *pkey, unsigned int fault)
997 struct task_struct *tsk = current;
998 int code = BUS_ADRERR;
1000 /* Kernel mode? Handle exceptions or die: */
1001 if (!(error_code & PF_USER)) {
1002 no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
1006 /* User-space => ok to do another page fault: */
1007 if (is_prefetch(regs, error_code, address))
1010 tsk->thread.cr2 = address;
1011 tsk->thread.error_code = error_code;
1012 tsk->thread.trap_nr = X86_TRAP_PF;
1014 #ifdef CONFIG_MEMORY_FAILURE
1015 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
1017 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
1018 tsk->comm, tsk->pid, address);
1019 code = BUS_MCEERR_AR;
1022 force_sig_info_fault(SIGBUS, code, address, tsk, pkey, fault);
1025 static noinline void
1026 mm_fault_error(struct pt_regs *regs, unsigned long error_code,
1027 unsigned long address, u32 *pkey, unsigned int fault)
1029 if (fatal_signal_pending(current) && !(error_code & PF_USER)) {
1030 no_context(regs, error_code, address, 0, 0);
1034 if (fault & VM_FAULT_OOM) {
1035 /* Kernel mode? Handle exceptions or die: */
1036 if (!(error_code & PF_USER)) {
1037 no_context(regs, error_code, address,
1038 SIGSEGV, SEGV_MAPERR);
1043 * We ran out of memory, call the OOM killer, and return the
1044 * userspace (which will retry the fault, or kill us if we got
1047 pagefault_out_of_memory();
1049 if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
1050 VM_FAULT_HWPOISON_LARGE))
1051 do_sigbus(regs, error_code, address, pkey, fault);
1052 else if (fault & VM_FAULT_SIGSEGV)
1053 bad_area_nosemaphore(regs, error_code, address, pkey);
1059 static int spurious_fault_check(unsigned long error_code, pte_t *pte)
1061 if ((error_code & PF_WRITE) && !pte_write(*pte))
1064 if ((error_code & PF_INSTR) && !pte_exec(*pte))
1067 * Note: We do not do lazy flushing on protection key
1068 * changes, so no spurious fault will ever set PF_PK.
1070 if ((error_code & PF_PK))
1077 * Handle a spurious fault caused by a stale TLB entry.
1079 * This allows us to lazily refresh the TLB when increasing the
1080 * permissions of a kernel page (RO -> RW or NX -> X). Doing it
1081 * eagerly is very expensive since that implies doing a full
1082 * cross-processor TLB flush, even if no stale TLB entries exist
1083 * on other processors.
1085 * Spurious faults may only occur if the TLB contains an entry with
1086 * fewer permission than the page table entry. Non-present (P = 0)
1087 * and reserved bit (R = 1) faults are never spurious.
1089 * There are no security implications to leaving a stale TLB when
1090 * increasing the permissions on a page.
1092 * Returns non-zero if a spurious fault was handled, zero otherwise.
1094 * See Intel Developer's Manual Vol 3 Section 4.10.4.3, bullet 3
1095 * (Optional Invalidation).
1098 spurious_fault(unsigned long error_code, unsigned long address)
1107 * Only writes to RO or instruction fetches from NX may cause
1110 * These could be from user or supervisor accesses but the TLB
1111 * is only lazily flushed after a kernel mapping protection
1112 * change, so user accesses are not expected to cause spurious
1115 if (error_code != (PF_WRITE | PF_PROT)
1116 && error_code != (PF_INSTR | PF_PROT))
1119 pgd = init_mm.pgd + pgd_index(address);
1120 if (!pgd_present(*pgd))
1123 pud = pud_offset(pgd, address);
1124 if (!pud_present(*pud))
1127 if (pud_large(*pud))
1128 return spurious_fault_check(error_code, (pte_t *) pud);
1130 pmd = pmd_offset(pud, address);
1131 if (!pmd_present(*pmd))
1134 if (pmd_large(*pmd))
1135 return spurious_fault_check(error_code, (pte_t *) pmd);
1137 pte = pte_offset_kernel(pmd, address);
1138 if (!pte_present(*pte))
1141 ret = spurious_fault_check(error_code, pte);
1146 * Make sure we have permissions in PMD.
1147 * If not, then there's a bug in the page tables:
1149 ret = spurious_fault_check(error_code, (pte_t *) pmd);
1150 WARN_ONCE(!ret, "PMD has incorrect permission bits\n");
1154 NOKPROBE_SYMBOL(spurious_fault);
1156 int show_unhandled_signals = 1;
1159 access_error(unsigned long error_code, struct vm_area_struct *vma)
1161 /* This is only called for the current mm, so: */
1162 bool foreign = false;
1165 * Read or write was blocked by protection keys. This is
1166 * always an unconditional error and can never result in
1167 * a follow-up action to resolve the fault, like a COW.
1169 if (error_code & PF_PK)
1173 * Make sure to check the VMA so that we do not perform
1174 * faults just to hit a PF_PK as soon as we fill in a
1177 if (!arch_vma_access_permitted(vma, (error_code & PF_WRITE),
1178 (error_code & PF_INSTR), foreign))
1181 if (error_code & PF_WRITE) {
1182 /* write, present and write, not present: */
1183 if (unlikely(!(vma->vm_flags & VM_WRITE)))
1188 /* read, present: */
1189 if (unlikely(error_code & PF_PROT))
1192 /* read, not present: */
1193 if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
1199 static int fault_in_kernel_space(unsigned long address)
1201 return address >= TASK_SIZE_MAX;
1204 static inline bool smap_violation(int error_code, struct pt_regs *regs)
1206 if (!IS_ENABLED(CONFIG_X86_SMAP))
1209 if (!static_cpu_has(X86_FEATURE_SMAP))
1212 if (error_code & PF_USER)
1215 if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC))
1222 * This routine handles page faults. It determines the address,
1223 * and the problem, and then passes it off to one of the appropriate
1226 * This function must have noinline because both callers
1227 * {,trace_}do_page_fault() have notrace on. Having this an actual function
1228 * guarantees there's a function trace entry.
1230 static noinline void
1231 __do_page_fault(struct pt_regs *regs, unsigned long error_code,
1232 unsigned long address)
1234 struct vm_area_struct *vma;
1235 struct task_struct *tsk;
1236 struct mm_struct *mm;
1237 int fault, major = 0;
1238 unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
1245 * Detect and handle instructions that would cause a page fault for
1246 * both a tracked kernel page and a userspace page.
1248 if (kmemcheck_active(regs))
1249 kmemcheck_hide(regs);
1250 prefetchw(&mm->mmap_sem);
1252 if (unlikely(kmmio_fault(regs, address)))
1256 * We fault-in kernel-space virtual memory on-demand. The
1257 * 'reference' page table is init_mm.pgd.
1259 * NOTE! We MUST NOT take any locks for this case. We may
1260 * be in an interrupt or a critical region, and should
1261 * only copy the information from the master page table,
1264 * This verifies that the fault happens in kernel space
1265 * (error_code & 4) == 0, and that the fault was not a
1266 * protection error (error_code & 9) == 0.
1268 if (unlikely(fault_in_kernel_space(address))) {
1269 if (!(error_code & (PF_RSVD | PF_USER | PF_PROT))) {
1270 if (vmalloc_fault(address) >= 0)
1273 if (kmemcheck_fault(regs, address, error_code))
1277 /* Can handle a stale RO->RW TLB: */
1278 if (spurious_fault(error_code, address))
1281 /* kprobes don't want to hook the spurious faults: */
1282 if (kprobes_fault(regs))
1285 * Don't take the mm semaphore here. If we fixup a prefetch
1286 * fault we could otherwise deadlock:
1288 bad_area_nosemaphore(regs, error_code, address, NULL);
1293 /* kprobes don't want to hook the spurious faults: */
1294 if (unlikely(kprobes_fault(regs)))
1297 if (unlikely(error_code & PF_RSVD))
1298 pgtable_bad(regs, error_code, address);
1300 if (unlikely(smap_violation(error_code, regs))) {
1301 bad_area_nosemaphore(regs, error_code, address, NULL);
1306 * If we're in an interrupt, have no user context or are running
1307 * in a region with pagefaults disabled then we must not take the fault
1309 if (unlikely(faulthandler_disabled() || !mm)) {
1310 bad_area_nosemaphore(regs, error_code, address, NULL);
1315 * It's safe to allow irq's after cr2 has been saved and the
1316 * vmalloc fault has been handled.
1318 * User-mode registers count as a user access even for any
1319 * potential system fault or CPU buglet:
1321 if (user_mode(regs)) {
1323 error_code |= PF_USER;
1324 flags |= FAULT_FLAG_USER;
1326 if (regs->flags & X86_EFLAGS_IF)
1330 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
1332 if (error_code & PF_WRITE)
1333 flags |= FAULT_FLAG_WRITE;
1334 if (error_code & PF_INSTR)
1335 flags |= FAULT_FLAG_INSTRUCTION;
1338 * When running in the kernel we expect faults to occur only to
1339 * addresses in user space. All other faults represent errors in
1340 * the kernel and should generate an OOPS. Unfortunately, in the
1341 * case of an erroneous fault occurring in a code path which already
1342 * holds mmap_sem we will deadlock attempting to validate the fault
1343 * against the address space. Luckily the kernel only validly
1344 * references user space from well defined areas of code, which are
1345 * listed in the exceptions table.
1347 * As the vast majority of faults will be valid we will only perform
1348 * the source reference check when there is a possibility of a
1349 * deadlock. Attempt to lock the address space, if we cannot we then
1350 * validate the source. If this is invalid we can skip the address
1351 * space check, thus avoiding the deadlock:
1353 if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
1354 if ((error_code & PF_USER) == 0 &&
1355 !search_exception_tables(regs->ip)) {
1356 bad_area_nosemaphore(regs, error_code, address, NULL);
1360 down_read(&mm->mmap_sem);
1363 * The above down_read_trylock() might have succeeded in
1364 * which case we'll have missed the might_sleep() from
1370 vma = find_vma(mm, address);
1371 if (unlikely(!vma)) {
1372 bad_area(regs, error_code, address);
1375 if (likely(vma->vm_start <= address))
1377 if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {
1378 bad_area(regs, error_code, address);
1381 if (error_code & PF_USER) {
1383 * Accessing the stack below %sp is always a bug.
1384 * The large cushion allows instructions like enter
1385 * and pusha to work. ("enter $65535, $31" pushes
1386 * 32 pointers and then decrements %sp by 65535.)
1388 if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
1389 bad_area(regs, error_code, address);
1393 if (unlikely(expand_stack(vma, address))) {
1394 bad_area(regs, error_code, address);
1399 * Ok, we have a good vm_area for this memory access, so
1400 * we can handle it..
1403 if (unlikely(access_error(error_code, vma))) {
1404 bad_area_access_error(regs, error_code, address, vma);
1409 * If for any reason at all we couldn't handle the fault,
1410 * make sure we exit gracefully rather than endlessly redo
1411 * the fault. Since we never set FAULT_FLAG_RETRY_NOWAIT, if
1412 * we get VM_FAULT_RETRY back, the mmap_sem has been unlocked.
1414 * Note that handle_userfault() may also release and reacquire mmap_sem
1415 * (and not return with VM_FAULT_RETRY), when returning to userland to
1416 * repeat the page fault later with a VM_FAULT_NOPAGE retval
1417 * (potentially after handling any pending signal during the return to
1418 * userland). The return to userland is identified whenever
1419 * FAULT_FLAG_USER|FAULT_FLAG_KILLABLE are both set in flags.
1420 * Thus we have to be careful about not touching vma after handling the
1421 * fault, so we read the pkey beforehand.
1423 pkey = vma_pkey(vma);
1424 fault = handle_mm_fault(vma, address, flags);
1425 major |= fault & VM_FAULT_MAJOR;
1428 * If we need to retry the mmap_sem has already been released,
1429 * and if there is a fatal signal pending there is no guarantee
1430 * that we made any progress. Handle this case first.
1432 if (unlikely(fault & VM_FAULT_RETRY)) {
1433 /* Retry at most once */
1434 if (flags & FAULT_FLAG_ALLOW_RETRY) {
1435 flags &= ~FAULT_FLAG_ALLOW_RETRY;
1436 flags |= FAULT_FLAG_TRIED;
1437 if (!fatal_signal_pending(tsk))
1441 /* User mode? Just return to handle the fatal exception */
1442 if (flags & FAULT_FLAG_USER)
1445 /* Not returning to user mode? Handle exceptions or die: */
1446 no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
1450 up_read(&mm->mmap_sem);
1451 if (unlikely(fault & VM_FAULT_ERROR)) {
1452 mm_fault_error(regs, error_code, address, &pkey, fault);
1457 * Major/minor page fault accounting. If any of the events
1458 * returned VM_FAULT_MAJOR, we account it as a major fault.
1462 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address);
1465 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address);
1468 check_v8086_mode(regs, address, tsk);
1470 NOKPROBE_SYMBOL(__do_page_fault);
1472 dotraplinkage void notrace
1473 do_page_fault(struct pt_regs *regs, unsigned long error_code)
1475 unsigned long address = read_cr2(); /* Get the faulting address */
1476 enum ctx_state prev_state;
1479 * We must have this function tagged with __kprobes, notrace and call
1480 * read_cr2() before calling anything else. To avoid calling any kind
1481 * of tracing machinery before we've observed the CR2 value.
1483 * exception_{enter,exit}() contain all sorts of tracepoints.
1486 prev_state = exception_enter();
1487 __do_page_fault(regs, error_code, address);
1488 exception_exit(prev_state);
1490 NOKPROBE_SYMBOL(do_page_fault);
1492 #ifdef CONFIG_TRACING
1493 static nokprobe_inline void
1494 trace_page_fault_entries(unsigned long address, struct pt_regs *regs,
1495 unsigned long error_code)
1497 if (user_mode(regs))
1498 trace_page_fault_user(address, regs, error_code);
1500 trace_page_fault_kernel(address, regs, error_code);
1503 dotraplinkage void notrace
1504 trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
1507 * The exception_enter and tracepoint processing could
1508 * trigger another page faults (user space callchain
1509 * reading) and destroy the original cr2 value, so read
1510 * the faulting address now.
1512 unsigned long address = read_cr2();
1513 enum ctx_state prev_state;
1515 prev_state = exception_enter();
1516 trace_page_fault_entries(address, regs, error_code);
1517 __do_page_fault(regs, error_code, address);
1518 exception_exit(prev_state);
1520 NOKPROBE_SYMBOL(trace_do_page_fault);
1521 #endif /* CONFIG_TRACING */
projects / releases.git / blob