]>
Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1da177e4 | 2 | /* |
1da177e4 | 3 | * Copyright (C) 1995 Linus Torvalds |
2d4a7167 | 4 | * Copyright (C) 2001, 2002 Andi Kleen, SuSE Labs. |
f8eeb2e6 | 5 | * Copyright (C) 2008-2009, Red Hat Inc., Ingo Molnar |
1da177e4 | 6 | */ |
a2bcd473 | 7 | #include <linux/sched.h> /* test_thread_flag(), ... */ |
68db0cf1 | 8 | #include <linux/sched/task_stack.h> /* task_stack_*(), ... */ |
a2bcd473 | 9 | #include <linux/kdebug.h> /* oops_begin/end, ... */ |
4cdf8dbe | 10 | #include <linux/extable.h> /* search_exception_tables */ |
a2bcd473 | 11 | #include <linux/bootmem.h> /* max_low_pfn */ |
9326638c | 12 | #include <linux/kprobes.h> /* NOKPROBE_SYMBOL, ... */ |
a2bcd473 | 13 | #include <linux/mmiotrace.h> /* kmmio_handler, ... */ |
cdd6c482 | 14 | #include <linux/perf_event.h> /* perf_sw_event */ |
f672b49b | 15 | #include <linux/hugetlb.h> /* hstate_index_to_shift */ |
268bb0ce | 16 | #include <linux/prefetch.h> /* prefetchw */ |
56dd9470 | 17 | #include <linux/context_tracking.h> /* exception_enter(), ... */ |
70ffdb93 | 18 | #include <linux/uaccess.h> /* faulthandler_disabled() */ |
50a7ca3c | 19 | #include <linux/mm_types.h> |
2d4a7167 | 20 | |
019132ff | 21 | #include <asm/cpufeature.h> /* boot_cpu_has, ... */ |
a2bcd473 IM |
22 | #include <asm/traps.h> /* dotraplinkage, ... */ |
23 | #include <asm/pgalloc.h> /* pgd_*(), ... */ | |
f40c3300 AL |
24 | #include <asm/fixmap.h> /* VSYSCALL_ADDR */ |
25 | #include <asm/vsyscall.h> /* emulate_vsyscall */ | |
ba3e127e | 26 | #include <asm/vm86.h> /* struct vm86 */ |
019132ff | 27 | #include <asm/mmu_context.h> /* vma_pkey() */ |
1da177e4 | 28 | |
d34603b0 SA |
29 | #define CREATE_TRACE_POINTS |
30 | #include <asm/trace/exceptions.h> | |
31 | ||
b814d41f | 32 | /* |
b319eed0 IM |
33 | * Returns 0 if mmiotrace is disabled, or if the fault is not |
34 | * handled by mmiotrace: | |
b814d41f | 35 | */ |
9326638c | 36 | static nokprobe_inline int |
62c9295f | 37 | kmmio_fault(struct pt_regs *regs, unsigned long addr) |
86069782 | 38 | { |
0fd0e3da PP |
39 | if (unlikely(is_kmmio_active())) |
40 | if (kmmio_handler(regs, addr) == 1) | |
41 | return -1; | |
0fd0e3da | 42 | return 0; |
86069782 PP |
43 | } |
44 | ||
9326638c | 45 | static nokprobe_inline int kprobes_fault(struct pt_regs *regs) |
1bd858a5 | 46 | { |
a980c0ef JH |
47 | if (!kprobes_built_in()) |
48 | return 0; | |
49 | if (user_mode(regs)) | |
50 | return 0; | |
51 | /* | |
52 | * To be potentially processing a kprobe fault and to be allowed to call | |
53 | * kprobe_running(), we have to be non-preemptible. | |
54 | */ | |
55 | if (preemptible()) | |
56 | return 0; | |
57 | if (!kprobe_running()) | |
58 | return 0; | |
59 | return kprobe_fault_handler(regs, X86_TRAP_PF); | |
33cb5243 | 60 | } |
1bd858a5 | 61 | |
1dc85be0 | 62 | /* |
2d4a7167 IM |
63 | * Prefetch quirks: |
64 | * | |
65 | * 32-bit mode: | |
66 | * | |
67 | * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch. | |
68 | * Check that here and ignore it. | |
1dc85be0 | 69 | * |
2d4a7167 | 70 | * 64-bit mode: |
1dc85be0 | 71 | * |
2d4a7167 IM |
72 | * Sometimes the CPU reports invalid exceptions on prefetch. |
73 | * Check that here and ignore it. | |
74 | * | |
75 | * Opcode checker based on code by Richard Brunner. | |
1dc85be0 | 76 | */ |
107a0367 IM |
77 | static inline int |
78 | check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr, | |
79 | unsigned char opcode, int *prefetch) | |
80 | { | |
81 | unsigned char instr_hi = opcode & 0xf0; | |
82 | unsigned char instr_lo = opcode & 0x0f; | |
83 | ||
84 | switch (instr_hi) { | |
85 | case 0x20: | |
86 | case 0x30: | |
87 | /* | |
88 | * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. | |
89 | * In X86_64 long mode, the CPU will signal invalid | |
90 | * opcode if some of these prefixes are present so | |
91 | * X86_64 will never get here anyway | |
92 | */ | |
93 | return ((instr_lo & 7) == 0x6); | |
94 | #ifdef CONFIG_X86_64 | |
95 | case 0x40: | |
96 | /* | |
97 | * In AMD64 long mode 0x40..0x4F are valid REX prefixes | |
98 | * Need to figure out under what instruction mode the | |
99 | * instruction was issued. Could check the LDT for lm, | |
100 | * but for now it's good enough to assume that long | |
101 | * mode only uses well known segments or kernel. | |
102 | */ | |
318f5a2a | 103 | return (!user_mode(regs) || user_64bit_mode(regs)); |
107a0367 IM |
104 | #endif |
105 | case 0x60: | |
106 | /* 0x64 thru 0x67 are valid prefixes in all modes. */ | |
107 | return (instr_lo & 0xC) == 0x4; | |
108 | case 0xF0: | |
109 | /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */ | |
110 | return !instr_lo || (instr_lo>>1) == 1; | |
111 | case 0x00: | |
112 | /* Prefetch instruction is 0x0F0D or 0x0F18 */ | |
113 | if (probe_kernel_address(instr, opcode)) | |
114 | return 0; | |
115 | ||
116 | *prefetch = (instr_lo == 0xF) && | |
117 | (opcode == 0x0D || opcode == 0x18); | |
118 | return 0; | |
119 | default: | |
120 | return 0; | |
121 | } | |
122 | } | |
123 | ||
2d4a7167 IM |
124 | static int |
125 | is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr) | |
33cb5243 | 126 | { |
2d4a7167 | 127 | unsigned char *max_instr; |
ab2bf0c1 | 128 | unsigned char *instr; |
33cb5243 | 129 | int prefetch = 0; |
1da177e4 | 130 | |
3085354d IM |
131 | /* |
132 | * If it was a exec (instruction fetch) fault on NX page, then | |
133 | * do not ignore the fault: | |
134 | */ | |
1067f030 | 135 | if (error_code & X86_PF_INSTR) |
1da177e4 | 136 | return 0; |
1dc85be0 | 137 | |
107a0367 | 138 | instr = (void *)convert_ip_to_linear(current, regs); |
f1290ec9 | 139 | max_instr = instr + 15; |
1da177e4 | 140 | |
d31bf07f | 141 | if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE_MAX) |
1da177e4 LT |
142 | return 0; |
143 | ||
107a0367 | 144 | while (instr < max_instr) { |
2d4a7167 | 145 | unsigned char opcode; |
1da177e4 | 146 | |
ab2bf0c1 | 147 | if (probe_kernel_address(instr, opcode)) |
33cb5243 | 148 | break; |
1da177e4 | 149 | |
1da177e4 LT |
150 | instr++; |
151 | ||
107a0367 | 152 | if (!check_prefetch_opcode(regs, instr, opcode, &prefetch)) |
1da177e4 | 153 | break; |
1da177e4 LT |
154 | } |
155 | return prefetch; | |
156 | } | |
157 | ||
019132ff DH |
158 | /* |
159 | * A protection key fault means that the PKRU value did not allow | |
160 | * access to some PTE. Userspace can figure out what PKRU was | |
161 | * from the XSAVE state, and this function fills out a field in | |
162 | * siginfo so userspace can discover which protection key was set | |
163 | * on the PTE. | |
164 | * | |
1067f030 | 165 | * If we get here, we know that the hardware signaled a X86_PF_PK |
019132ff DH |
166 | * fault and that there was a VMA once we got in the fault |
167 | * handler. It does *not* guarantee that the VMA we find here | |
168 | * was the one that we faulted on. | |
169 | * | |
170 | * 1. T1 : mprotect_key(foo, PAGE_SIZE, pkey=4); | |
171 | * 2. T1 : set PKRU to deny access to pkey=4, touches page | |
172 | * 3. T1 : faults... | |
173 | * 4. T2: mprotect_key(foo, PAGE_SIZE, pkey=5); | |
174 | * 5. T1 : enters fault handler, takes mmap_sem, etc... | |
175 | * 6. T1 : reaches here, sees vma_pkey(vma)=5, when we really | |
176 | * faulted on a pte with its pkey=4. | |
177 | */ | |
beacd6f7 EB |
178 | static void fill_sig_info_pkey(int si_signo, int si_code, siginfo_t *info, |
179 | u32 *pkey) | |
019132ff DH |
180 | { |
181 | /* This is effectively an #ifdef */ | |
182 | if (!boot_cpu_has(X86_FEATURE_OSPKE)) | |
183 | return; | |
184 | ||
185 | /* Fault not from Protection Keys: nothing to do */ | |
beacd6f7 | 186 | if ((si_code != SEGV_PKUERR) || (si_signo != SIGSEGV)) |
019132ff DH |
187 | return; |
188 | /* | |
189 | * force_sig_info_fault() is called from a number of | |
190 | * contexts, some of which have a VMA and some of which | |
1067f030 | 191 | * do not. The X86_PF_PK handing happens after we have a |
019132ff DH |
192 | * valid VMA, so we should never reach this without a |
193 | * valid VMA. | |
194 | */ | |
a3c4fb7c | 195 | if (!pkey) { |
019132ff DH |
196 | WARN_ONCE(1, "PKU fault with no VMA passed in"); |
197 | info->si_pkey = 0; | |
198 | return; | |
199 | } | |
200 | /* | |
201 | * si_pkey should be thought of as a strong hint, but not | |
202 | * absolutely guranteed to be 100% accurate because of | |
203 | * the race explained above. | |
204 | */ | |
a3c4fb7c | 205 | info->si_pkey = *pkey; |
019132ff DH |
206 | } |
207 | ||
2d4a7167 IM |
208 | static void |
209 | force_sig_info_fault(int si_signo, int si_code, unsigned long address, | |
a3c4fb7c | 210 | struct task_struct *tsk, u32 *pkey, int fault) |
c4aba4a8 | 211 | { |
f672b49b | 212 | unsigned lsb = 0; |
c4aba4a8 HH |
213 | siginfo_t info; |
214 | ||
3eb0f519 | 215 | clear_siginfo(&info); |
2d4a7167 IM |
216 | info.si_signo = si_signo; |
217 | info.si_errno = 0; | |
218 | info.si_code = si_code; | |
219 | info.si_addr = (void __user *)address; | |
f672b49b AK |
220 | if (fault & VM_FAULT_HWPOISON_LARGE) |
221 | lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault)); | |
222 | if (fault & VM_FAULT_HWPOISON) | |
223 | lsb = PAGE_SHIFT; | |
224 | info.si_addr_lsb = lsb; | |
2d4a7167 | 225 | |
beacd6f7 | 226 | fill_sig_info_pkey(si_signo, si_code, &info, pkey); |
019132ff | 227 | |
c4aba4a8 HH |
228 | force_sig_info(si_signo, &info, tsk); |
229 | } | |
230 | ||
f2f13a85 IM |
231 | DEFINE_SPINLOCK(pgd_lock); |
232 | LIST_HEAD(pgd_list); | |
233 | ||
234 | #ifdef CONFIG_X86_32 | |
235 | static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address) | |
33cb5243 | 236 | { |
f2f13a85 IM |
237 | unsigned index = pgd_index(address); |
238 | pgd_t *pgd_k; | |
e0c4f675 | 239 | p4d_t *p4d, *p4d_k; |
f2f13a85 IM |
240 | pud_t *pud, *pud_k; |
241 | pmd_t *pmd, *pmd_k; | |
2d4a7167 | 242 | |
f2f13a85 IM |
243 | pgd += index; |
244 | pgd_k = init_mm.pgd + index; | |
245 | ||
246 | if (!pgd_present(*pgd_k)) | |
247 | return NULL; | |
248 | ||
249 | /* | |
250 | * set_pgd(pgd, *pgd_k); here would be useless on PAE | |
251 | * and redundant with the set_pmd() on non-PAE. As would | |
e0c4f675 | 252 | * set_p4d/set_pud. |
f2f13a85 | 253 | */ |
e0c4f675 KS |
254 | p4d = p4d_offset(pgd, address); |
255 | p4d_k = p4d_offset(pgd_k, address); | |
256 | if (!p4d_present(*p4d_k)) | |
257 | return NULL; | |
258 | ||
259 | pud = pud_offset(p4d, address); | |
260 | pud_k = pud_offset(p4d_k, address); | |
f2f13a85 IM |
261 | if (!pud_present(*pud_k)) |
262 | return NULL; | |
263 | ||
264 | pmd = pmd_offset(pud, address); | |
265 | pmd_k = pmd_offset(pud_k, address); | |
266 | if (!pmd_present(*pmd_k)) | |
267 | return NULL; | |
268 | ||
b8bcfe99 | 269 | if (!pmd_present(*pmd)) |
f2f13a85 | 270 | set_pmd(pmd, *pmd_k); |
b8bcfe99 | 271 | else |
f2f13a85 | 272 | BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k)); |
f2f13a85 IM |
273 | |
274 | return pmd_k; | |
275 | } | |
276 | ||
277 | void vmalloc_sync_all(void) | |
278 | { | |
279 | unsigned long address; | |
280 | ||
281 | if (SHARED_KERNEL_PMD) | |
282 | return; | |
283 | ||
284 | for (address = VMALLOC_START & PMD_MASK; | |
dc4fac84 | 285 | address >= TASK_SIZE_MAX && address < FIXADDR_TOP; |
f2f13a85 | 286 | address += PMD_SIZE) { |
f2f13a85 IM |
287 | struct page *page; |
288 | ||
a79e53d8 | 289 | spin_lock(&pgd_lock); |
f2f13a85 | 290 | list_for_each_entry(page, &pgd_list, lru) { |
617d34d9 | 291 | spinlock_t *pgt_lock; |
f01f7c56 | 292 | pmd_t *ret; |
617d34d9 | 293 | |
a79e53d8 | 294 | /* the pgt_lock only for Xen */ |
617d34d9 JF |
295 | pgt_lock = &pgd_page_get_mm(page)->page_table_lock; |
296 | ||
297 | spin_lock(pgt_lock); | |
298 | ret = vmalloc_sync_one(page_address(page), address); | |
299 | spin_unlock(pgt_lock); | |
300 | ||
301 | if (!ret) | |
f2f13a85 IM |
302 | break; |
303 | } | |
a79e53d8 | 304 | spin_unlock(&pgd_lock); |
f2f13a85 IM |
305 | } |
306 | } | |
307 | ||
308 | /* | |
309 | * 32-bit: | |
310 | * | |
311 | * Handle a fault on the vmalloc or module mapping area | |
312 | */ | |
9326638c | 313 | static noinline int vmalloc_fault(unsigned long address) |
f2f13a85 IM |
314 | { |
315 | unsigned long pgd_paddr; | |
316 | pmd_t *pmd_k; | |
317 | pte_t *pte_k; | |
318 | ||
319 | /* Make sure we are in vmalloc area: */ | |
320 | if (!(address >= VMALLOC_START && address < VMALLOC_END)) | |
321 | return -1; | |
322 | ||
323 | /* | |
324 | * Synchronize this task's top level page-table | |
325 | * with the 'reference' page table. | |
326 | * | |
327 | * Do _not_ use "current" here. We might be inside | |
328 | * an interrupt in the middle of a task switch.. | |
329 | */ | |
6c690ee1 | 330 | pgd_paddr = read_cr3_pa(); |
f2f13a85 IM |
331 | pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); |
332 | if (!pmd_k) | |
333 | return -1; | |
334 | ||
18a95521 | 335 | if (pmd_large(*pmd_k)) |
f4eafd8b TK |
336 | return 0; |
337 | ||
f2f13a85 IM |
338 | pte_k = pte_offset_kernel(pmd_k, address); |
339 | if (!pte_present(*pte_k)) | |
340 | return -1; | |
341 | ||
342 | return 0; | |
343 | } | |
9326638c | 344 | NOKPROBE_SYMBOL(vmalloc_fault); |
f2f13a85 IM |
345 | |
346 | /* | |
347 | * Did it hit the DOS screen memory VA from vm86 mode? | |
348 | */ | |
349 | static inline void | |
350 | check_v8086_mode(struct pt_regs *regs, unsigned long address, | |
351 | struct task_struct *tsk) | |
352 | { | |
9fda6a06 | 353 | #ifdef CONFIG_VM86 |
f2f13a85 IM |
354 | unsigned long bit; |
355 | ||
9fda6a06 | 356 | if (!v8086_mode(regs) || !tsk->thread.vm86) |
f2f13a85 IM |
357 | return; |
358 | ||
359 | bit = (address - 0xA0000) >> PAGE_SHIFT; | |
360 | if (bit < 32) | |
9fda6a06 BG |
361 | tsk->thread.vm86->screen_bitmap |= 1 << bit; |
362 | #endif | |
33cb5243 | 363 | } |
1da177e4 | 364 | |
087975b0 | 365 | static bool low_pfn(unsigned long pfn) |
1da177e4 | 366 | { |
087975b0 AM |
367 | return pfn < max_low_pfn; |
368 | } | |
1156e098 | 369 | |
087975b0 AM |
370 | static void dump_pagetable(unsigned long address) |
371 | { | |
6c690ee1 | 372 | pgd_t *base = __va(read_cr3_pa()); |
087975b0 | 373 | pgd_t *pgd = &base[pgd_index(address)]; |
e0c4f675 KS |
374 | p4d_t *p4d; |
375 | pud_t *pud; | |
087975b0 AM |
376 | pmd_t *pmd; |
377 | pte_t *pte; | |
2d4a7167 | 378 | |
1156e098 | 379 | #ifdef CONFIG_X86_PAE |
39e48d9b | 380 | pr_info("*pdpt = %016Lx ", pgd_val(*pgd)); |
087975b0 AM |
381 | if (!low_pfn(pgd_val(*pgd) >> PAGE_SHIFT) || !pgd_present(*pgd)) |
382 | goto out; | |
39e48d9b JB |
383 | #define pr_pde pr_cont |
384 | #else | |
385 | #define pr_pde pr_info | |
1156e098 | 386 | #endif |
e0c4f675 KS |
387 | p4d = p4d_offset(pgd, address); |
388 | pud = pud_offset(p4d, address); | |
389 | pmd = pmd_offset(pud, address); | |
39e48d9b JB |
390 | pr_pde("*pde = %0*Lx ", sizeof(*pmd) * 2, (u64)pmd_val(*pmd)); |
391 | #undef pr_pde | |
1156e098 HH |
392 | |
393 | /* | |
394 | * We must not directly access the pte in the highpte | |
395 | * case if the page table is located in highmem. | |
396 | * And let's rather not kmap-atomic the pte, just in case | |
2d4a7167 | 397 | * it's allocated already: |
1156e098 | 398 | */ |
087975b0 AM |
399 | if (!low_pfn(pmd_pfn(*pmd)) || !pmd_present(*pmd) || pmd_large(*pmd)) |
400 | goto out; | |
1156e098 | 401 | |
087975b0 | 402 | pte = pte_offset_kernel(pmd, address); |
39e48d9b | 403 | pr_cont("*pte = %0*Lx ", sizeof(*pte) * 2, (u64)pte_val(*pte)); |
087975b0 | 404 | out: |
39e48d9b | 405 | pr_cont("\n"); |
f2f13a85 IM |
406 | } |
407 | ||
408 | #else /* CONFIG_X86_64: */ | |
409 | ||
410 | void vmalloc_sync_all(void) | |
411 | { | |
5372e155 | 412 | sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END); |
f2f13a85 IM |
413 | } |
414 | ||
415 | /* | |
416 | * 64-bit: | |
417 | * | |
418 | * Handle a fault on the vmalloc area | |
f2f13a85 | 419 | */ |
9326638c | 420 | static noinline int vmalloc_fault(unsigned long address) |
f2f13a85 | 421 | { |
565977a3 TK |
422 | pgd_t *pgd, *pgd_k; |
423 | p4d_t *p4d, *p4d_k; | |
424 | pud_t *pud; | |
425 | pmd_t *pmd; | |
426 | pte_t *pte; | |
f2f13a85 IM |
427 | |
428 | /* Make sure we are in vmalloc area: */ | |
429 | if (!(address >= VMALLOC_START && address < VMALLOC_END)) | |
430 | return -1; | |
431 | ||
ebc8827f FW |
432 | WARN_ON_ONCE(in_nmi()); |
433 | ||
f2f13a85 IM |
434 | /* |
435 | * Copy kernel mappings over when needed. This can also | |
436 | * happen within a race in page table update. In the later | |
437 | * case just flush: | |
438 | */ | |
6c690ee1 | 439 | pgd = (pgd_t *)__va(read_cr3_pa()) + pgd_index(address); |
565977a3 TK |
440 | pgd_k = pgd_offset_k(address); |
441 | if (pgd_none(*pgd_k)) | |
f2f13a85 IM |
442 | return -1; |
443 | ||
ed7588d5 | 444 | if (pgtable_l5_enabled()) { |
36b3a772 | 445 | if (pgd_none(*pgd)) { |
565977a3 | 446 | set_pgd(pgd, *pgd_k); |
36b3a772 AL |
447 | arch_flush_lazy_mmu_mode(); |
448 | } else { | |
565977a3 | 449 | BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_k)); |
36b3a772 | 450 | } |
1160c277 | 451 | } |
f2f13a85 | 452 | |
b50858ce KS |
453 | /* With 4-level paging, copying happens on the p4d level. */ |
454 | p4d = p4d_offset(pgd, address); | |
565977a3 TK |
455 | p4d_k = p4d_offset(pgd_k, address); |
456 | if (p4d_none(*p4d_k)) | |
b50858ce KS |
457 | return -1; |
458 | ||
ed7588d5 | 459 | if (p4d_none(*p4d) && !pgtable_l5_enabled()) { |
565977a3 | 460 | set_p4d(p4d, *p4d_k); |
b50858ce KS |
461 | arch_flush_lazy_mmu_mode(); |
462 | } else { | |
565977a3 | 463 | BUG_ON(p4d_pfn(*p4d) != p4d_pfn(*p4d_k)); |
b50858ce KS |
464 | } |
465 | ||
36b3a772 | 466 | BUILD_BUG_ON(CONFIG_PGTABLE_LEVELS < 4); |
f2f13a85 | 467 | |
b50858ce | 468 | pud = pud_offset(p4d, address); |
565977a3 | 469 | if (pud_none(*pud)) |
f2f13a85 IM |
470 | return -1; |
471 | ||
18a95521 | 472 | if (pud_large(*pud)) |
f4eafd8b TK |
473 | return 0; |
474 | ||
f2f13a85 | 475 | pmd = pmd_offset(pud, address); |
565977a3 | 476 | if (pmd_none(*pmd)) |
f2f13a85 IM |
477 | return -1; |
478 | ||
18a95521 | 479 | if (pmd_large(*pmd)) |
f4eafd8b TK |
480 | return 0; |
481 | ||
f2f13a85 | 482 | pte = pte_offset_kernel(pmd, address); |
565977a3 TK |
483 | if (!pte_present(*pte)) |
484 | return -1; | |
f2f13a85 IM |
485 | |
486 | return 0; | |
487 | } | |
9326638c | 488 | NOKPROBE_SYMBOL(vmalloc_fault); |
f2f13a85 | 489 | |
e05139f2 | 490 | #ifdef CONFIG_CPU_SUP_AMD |
f2f13a85 | 491 | static const char errata93_warning[] = |
ad361c98 JP |
492 | KERN_ERR |
493 | "******* Your BIOS seems to not contain a fix for K8 errata #93\n" | |
494 | "******* Working around it, but it may cause SEGVs or burn power.\n" | |
495 | "******* Please consider a BIOS update.\n" | |
496 | "******* Disabling USB legacy in the BIOS may also help.\n"; | |
e05139f2 | 497 | #endif |
f2f13a85 IM |
498 | |
499 | /* | |
500 | * No vm86 mode in 64-bit mode: | |
501 | */ | |
502 | static inline void | |
503 | check_v8086_mode(struct pt_regs *regs, unsigned long address, | |
504 | struct task_struct *tsk) | |
505 | { | |
506 | } | |
507 | ||
508 | static int bad_address(void *p) | |
509 | { | |
510 | unsigned long dummy; | |
511 | ||
512 | return probe_kernel_address((unsigned long *)p, dummy); | |
513 | } | |
514 | ||
515 | static void dump_pagetable(unsigned long address) | |
516 | { | |
6c690ee1 | 517 | pgd_t *base = __va(read_cr3_pa()); |
087975b0 | 518 | pgd_t *pgd = base + pgd_index(address); |
e0c4f675 | 519 | p4d_t *p4d; |
1da177e4 LT |
520 | pud_t *pud; |
521 | pmd_t *pmd; | |
522 | pte_t *pte; | |
523 | ||
2d4a7167 IM |
524 | if (bad_address(pgd)) |
525 | goto bad; | |
526 | ||
39e48d9b | 527 | pr_info("PGD %lx ", pgd_val(*pgd)); |
2d4a7167 IM |
528 | |
529 | if (!pgd_present(*pgd)) | |
530 | goto out; | |
1da177e4 | 531 | |
e0c4f675 KS |
532 | p4d = p4d_offset(pgd, address); |
533 | if (bad_address(p4d)) | |
534 | goto bad; | |
535 | ||
39e48d9b | 536 | pr_cont("P4D %lx ", p4d_val(*p4d)); |
e0c4f675 KS |
537 | if (!p4d_present(*p4d) || p4d_large(*p4d)) |
538 | goto out; | |
539 | ||
540 | pud = pud_offset(p4d, address); | |
2d4a7167 IM |
541 | if (bad_address(pud)) |
542 | goto bad; | |
543 | ||
39e48d9b | 544 | pr_cont("PUD %lx ", pud_val(*pud)); |
b5360222 | 545 | if (!pud_present(*pud) || pud_large(*pud)) |
2d4a7167 | 546 | goto out; |
1da177e4 LT |
547 | |
548 | pmd = pmd_offset(pud, address); | |
2d4a7167 IM |
549 | if (bad_address(pmd)) |
550 | goto bad; | |
551 | ||
39e48d9b | 552 | pr_cont("PMD %lx ", pmd_val(*pmd)); |
2d4a7167 IM |
553 | if (!pmd_present(*pmd) || pmd_large(*pmd)) |
554 | goto out; | |
1da177e4 LT |
555 | |
556 | pte = pte_offset_kernel(pmd, address); | |
2d4a7167 IM |
557 | if (bad_address(pte)) |
558 | goto bad; | |
559 | ||
39e48d9b | 560 | pr_cont("PTE %lx", pte_val(*pte)); |
2d4a7167 | 561 | out: |
39e48d9b | 562 | pr_cont("\n"); |
1da177e4 LT |
563 | return; |
564 | bad: | |
39e48d9b | 565 | pr_info("BAD\n"); |
8c938f9f IM |
566 | } |
567 | ||
f2f13a85 | 568 | #endif /* CONFIG_X86_64 */ |
1da177e4 | 569 | |
2d4a7167 IM |
570 | /* |
571 | * Workaround for K8 erratum #93 & buggy BIOS. | |
572 | * | |
573 | * BIOS SMM functions are required to use a specific workaround | |
574 | * to avoid corruption of the 64bit RIP register on C stepping K8. | |
575 | * | |
576 | * A lot of BIOS that didn't get tested properly miss this. | |
577 | * | |
578 | * The OS sees this as a page fault with the upper 32bits of RIP cleared. | |
579 | * Try to work around it here. | |
580 | * | |
581 | * Note we only handle faults in kernel here. | |
582 | * Does nothing on 32-bit. | |
fdfe8aa8 | 583 | */ |
33cb5243 | 584 | static int is_errata93(struct pt_regs *regs, unsigned long address) |
1da177e4 | 585 | { |
e05139f2 JB |
586 | #if defined(CONFIG_X86_64) && defined(CONFIG_CPU_SUP_AMD) |
587 | if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD | |
588 | || boot_cpu_data.x86 != 0xf) | |
589 | return 0; | |
590 | ||
65ea5b03 | 591 | if (address != regs->ip) |
1da177e4 | 592 | return 0; |
2d4a7167 | 593 | |
33cb5243 | 594 | if ((address >> 32) != 0) |
1da177e4 | 595 | return 0; |
2d4a7167 | 596 | |
1da177e4 | 597 | address |= 0xffffffffUL << 32; |
33cb5243 HH |
598 | if ((address >= (u64)_stext && address <= (u64)_etext) || |
599 | (address >= MODULES_VADDR && address <= MODULES_END)) { | |
a454ab31 | 600 | printk_once(errata93_warning); |
65ea5b03 | 601 | regs->ip = address; |
1da177e4 LT |
602 | return 1; |
603 | } | |
fdfe8aa8 | 604 | #endif |
1da177e4 | 605 | return 0; |
33cb5243 | 606 | } |
1da177e4 | 607 | |
35f3266f | 608 | /* |
2d4a7167 IM |
609 | * Work around K8 erratum #100 K8 in compat mode occasionally jumps |
610 | * to illegal addresses >4GB. | |
611 | * | |
612 | * We catch this in the page fault handler because these addresses | |
613 | * are not reachable. Just detect this case and return. Any code | |
35f3266f HH |
614 | * segment in LDT is compatibility mode. |
615 | */ | |
616 | static int is_errata100(struct pt_regs *regs, unsigned long address) | |
617 | { | |
618 | #ifdef CONFIG_X86_64 | |
2d4a7167 | 619 | if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32)) |
35f3266f HH |
620 | return 1; |
621 | #endif | |
622 | return 0; | |
623 | } | |
624 | ||
29caf2f9 HH |
625 | static int is_f00f_bug(struct pt_regs *regs, unsigned long address) |
626 | { | |
627 | #ifdef CONFIG_X86_F00F_BUG | |
628 | unsigned long nr; | |
2d4a7167 | 629 | |
29caf2f9 | 630 | /* |
2d4a7167 | 631 | * Pentium F0 0F C7 C8 bug workaround: |
29caf2f9 | 632 | */ |
e2604b49 | 633 | if (boot_cpu_has_bug(X86_BUG_F00F)) { |
29caf2f9 HH |
634 | nr = (address - idt_descr.address) >> 3; |
635 | ||
636 | if (nr == 6) { | |
637 | do_invalid_op(regs, 0); | |
638 | return 1; | |
639 | } | |
640 | } | |
641 | #endif | |
642 | return 0; | |
643 | } | |
644 | ||
2d4a7167 IM |
645 | static void |
646 | show_fault_oops(struct pt_regs *regs, unsigned long error_code, | |
647 | unsigned long address) | |
b3279c7f | 648 | { |
1156e098 HH |
649 | if (!oops_may_print()) |
650 | return; | |
651 | ||
1067f030 | 652 | if (error_code & X86_PF_INSTR) { |
93809be8 | 653 | unsigned int level; |
426e34cc MF |
654 | pgd_t *pgd; |
655 | pte_t *pte; | |
2d4a7167 | 656 | |
6c690ee1 | 657 | pgd = __va(read_cr3_pa()); |
426e34cc MF |
658 | pgd += pgd_index(address); |
659 | ||
660 | pte = lookup_address_in_pgd(pgd, address, &level); | |
1156e098 | 661 | |
8f766149 | 662 | if (pte && pte_present(*pte) && !pte_exec(*pte)) |
d79d0d8a DV |
663 | pr_crit("kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n", |
664 | from_kuid(&init_user_ns, current_uid())); | |
eff50c34 JK |
665 | if (pte && pte_present(*pte) && pte_exec(*pte) && |
666 | (pgd_flags(*pgd) & _PAGE_USER) && | |
1e02ce4c | 667 | (__read_cr4() & X86_CR4_SMEP)) |
d79d0d8a DV |
668 | pr_crit("unable to execute userspace code (SMEP?) (uid: %d)\n", |
669 | from_kuid(&init_user_ns, current_uid())); | |
1156e098 | 670 | } |
1156e098 | 671 | |
4188f063 DV |
672 | pr_alert("BUG: unable to handle kernel %s at %px\n", |
673 | address < PAGE_SIZE ? "NULL pointer dereference" : "paging request", | |
674 | (void *)address); | |
2d4a7167 | 675 | |
b3279c7f HH |
676 | dump_pagetable(address); |
677 | } | |
678 | ||
2d4a7167 IM |
679 | static noinline void |
680 | pgtable_bad(struct pt_regs *regs, unsigned long error_code, | |
681 | unsigned long address) | |
1da177e4 | 682 | { |
2d4a7167 IM |
683 | struct task_struct *tsk; |
684 | unsigned long flags; | |
685 | int sig; | |
686 | ||
687 | flags = oops_begin(); | |
688 | tsk = current; | |
689 | sig = SIGKILL; | |
1209140c | 690 | |
1da177e4 | 691 | printk(KERN_ALERT "%s: Corrupted page table at address %lx\n", |
92181f19 | 692 | tsk->comm, address); |
1da177e4 | 693 | dump_pagetable(address); |
2d4a7167 IM |
694 | |
695 | tsk->thread.cr2 = address; | |
51e7dc70 | 696 | tsk->thread.trap_nr = X86_TRAP_PF; |
2d4a7167 IM |
697 | tsk->thread.error_code = error_code; |
698 | ||
22f5991c | 699 | if (__die("Bad pagetable", regs, error_code)) |
874d93d1 | 700 | sig = 0; |
2d4a7167 | 701 | |
874d93d1 | 702 | oops_end(flags, regs, sig); |
1da177e4 LT |
703 | } |
704 | ||
2d4a7167 IM |
705 | static noinline void |
706 | no_context(struct pt_regs *regs, unsigned long error_code, | |
4fc34901 | 707 | unsigned long address, int signal, int si_code) |
92181f19 NP |
708 | { |
709 | struct task_struct *tsk = current; | |
92181f19 NP |
710 | unsigned long flags; |
711 | int sig; | |
92181f19 | 712 | |
2d4a7167 | 713 | /* Are we prepared to handle this kernel fault? */ |
548acf19 | 714 | if (fixup_exception(regs, X86_TRAP_PF)) { |
c026b359 PZ |
715 | /* |
716 | * Any interrupt that takes a fault gets the fixup. This makes | |
717 | * the below recursive fault logic only apply to a faults from | |
718 | * task context. | |
719 | */ | |
720 | if (in_interrupt()) | |
721 | return; | |
722 | ||
723 | /* | |
724 | * Per the above we're !in_interrupt(), aka. task context. | |
725 | * | |
726 | * In this case we need to make sure we're not recursively | |
727 | * faulting through the emulate_vsyscall() logic. | |
728 | */ | |
2a53ccbc | 729 | if (current->thread.sig_on_uaccess_err && signal) { |
51e7dc70 | 730 | tsk->thread.trap_nr = X86_TRAP_PF; |
1067f030 | 731 | tsk->thread.error_code = error_code | X86_PF_USER; |
4fc34901 AL |
732 | tsk->thread.cr2 = address; |
733 | ||
734 | /* XXX: hwpoison faults will set the wrong code. */ | |
7b2d0dba | 735 | force_sig_info_fault(signal, si_code, address, |
a3c4fb7c | 736 | tsk, NULL, 0); |
4fc34901 | 737 | } |
c026b359 PZ |
738 | |
739 | /* | |
740 | * Barring that, we can do the fixup and be happy. | |
741 | */ | |
92181f19 | 742 | return; |
4fc34901 | 743 | } |
92181f19 | 744 | |
6271cfdf AL |
745 | #ifdef CONFIG_VMAP_STACK |
746 | /* | |
747 | * Stack overflow? During boot, we can fault near the initial | |
748 | * stack in the direct map, but that's not an overflow -- check | |
749 | * that we're in vmalloc space to avoid this. | |
750 | */ | |
751 | if (is_vmalloc_addr((void *)address) && | |
752 | (((unsigned long)tsk->stack - 1 - address < PAGE_SIZE) || | |
753 | address - ((unsigned long)tsk->stack + THREAD_SIZE) < PAGE_SIZE)) { | |
6271cfdf AL |
754 | unsigned long stack = this_cpu_read(orig_ist.ist[DOUBLEFAULT_STACK]) - sizeof(void *); |
755 | /* | |
756 | * We're likely to be running with very little stack space | |
757 | * left. It's plausible that we'd hit this condition but | |
758 | * double-fault even before we get this far, in which case | |
759 | * we're fine: the double-fault handler will deal with it. | |
760 | * | |
761 | * We don't want to make it all the way into the oops code | |
762 | * and then double-fault, though, because we're likely to | |
763 | * break the console driver and lose most of the stack dump. | |
764 | */ | |
765 | asm volatile ("movq %[stack], %%rsp\n\t" | |
766 | "call handle_stack_overflow\n\t" | |
767 | "1: jmp 1b" | |
f5caf621 | 768 | : ASM_CALL_CONSTRAINT |
6271cfdf AL |
769 | : "D" ("kernel stack overflow (page fault)"), |
770 | "S" (regs), "d" (address), | |
771 | [stack] "rm" (stack)); | |
772 | unreachable(); | |
773 | } | |
774 | #endif | |
775 | ||
92181f19 | 776 | /* |
2d4a7167 IM |
777 | * 32-bit: |
778 | * | |
779 | * Valid to do another page fault here, because if this fault | |
780 | * had been triggered by is_prefetch fixup_exception would have | |
781 | * handled it. | |
782 | * | |
783 | * 64-bit: | |
92181f19 | 784 | * |
2d4a7167 | 785 | * Hall of shame of CPU/BIOS bugs. |
92181f19 NP |
786 | */ |
787 | if (is_prefetch(regs, error_code, address)) | |
788 | return; | |
789 | ||
790 | if (is_errata93(regs, address)) | |
791 | return; | |
792 | ||
793 | /* | |
794 | * Oops. The kernel tried to access some bad page. We'll have to | |
2d4a7167 | 795 | * terminate things with extreme prejudice: |
92181f19 | 796 | */ |
92181f19 | 797 | flags = oops_begin(); |
92181f19 NP |
798 | |
799 | show_fault_oops(regs, error_code, address); | |
800 | ||
a70857e4 | 801 | if (task_stack_end_corrupted(tsk)) |
b0f4c4b3 | 802 | printk(KERN_EMERG "Thread overran stack, or stack corrupted\n"); |
19803078 | 803 | |
1cc99544 | 804 | tsk->thread.cr2 = address; |
51e7dc70 | 805 | tsk->thread.trap_nr = X86_TRAP_PF; |
1cc99544 | 806 | tsk->thread.error_code = error_code; |
92181f19 | 807 | |
92181f19 NP |
808 | sig = SIGKILL; |
809 | if (__die("Oops", regs, error_code)) | |
810 | sig = 0; | |
2d4a7167 | 811 | |
92181f19 | 812 | /* Executive summary in case the body of the oops scrolled away */ |
b0f4c4b3 | 813 | printk(KERN_DEFAULT "CR2: %016lx\n", address); |
2d4a7167 | 814 | |
92181f19 | 815 | oops_end(flags, regs, sig); |
92181f19 NP |
816 | } |
817 | ||
2d4a7167 IM |
818 | /* |
819 | * Print out info about fatal segfaults, if the show_unhandled_signals | |
820 | * sysctl is set: | |
821 | */ | |
822 | static inline void | |
823 | show_signal_msg(struct pt_regs *regs, unsigned long error_code, | |
824 | unsigned long address, struct task_struct *tsk) | |
825 | { | |
ba54d856 BP |
826 | const char *loglvl = task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG; |
827 | ||
2d4a7167 IM |
828 | if (!unhandled_signal(tsk, SIGSEGV)) |
829 | return; | |
830 | ||
831 | if (!printk_ratelimit()) | |
832 | return; | |
833 | ||
10a7e9d8 | 834 | printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx", |
ba54d856 | 835 | loglvl, tsk->comm, task_pid_nr(tsk), address, |
2d4a7167 IM |
836 | (void *)regs->ip, (void *)regs->sp, error_code); |
837 | ||
838 | print_vma_addr(KERN_CONT " in ", regs->ip); | |
839 | ||
840 | printk(KERN_CONT "\n"); | |
ba54d856 | 841 | |
342db04a | 842 | show_opcodes(regs, loglvl); |
2d4a7167 IM |
843 | } |
844 | ||
845 | static void | |
846 | __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, | |
a3c4fb7c | 847 | unsigned long address, u32 *pkey, int si_code) |
92181f19 NP |
848 | { |
849 | struct task_struct *tsk = current; | |
850 | ||
851 | /* User mode accesses just cause a SIGSEGV */ | |
1067f030 | 852 | if (error_code & X86_PF_USER) { |
92181f19 | 853 | /* |
2d4a7167 | 854 | * It's possible to have interrupts off here: |
92181f19 NP |
855 | */ |
856 | local_irq_enable(); | |
857 | ||
858 | /* | |
859 | * Valid to do another page fault here because this one came | |
2d4a7167 | 860 | * from user space: |
92181f19 NP |
861 | */ |
862 | if (is_prefetch(regs, error_code, address)) | |
863 | return; | |
864 | ||
865 | if (is_errata100(regs, address)) | |
866 | return; | |
867 | ||
3ae36655 AL |
868 | #ifdef CONFIG_X86_64 |
869 | /* | |
870 | * Instruction fetch faults in the vsyscall page might need | |
871 | * emulation. | |
872 | */ | |
1067f030 | 873 | if (unlikely((error_code & X86_PF_INSTR) && |
f40c3300 | 874 | ((address & ~0xfff) == VSYSCALL_ADDR))) { |
3ae36655 AL |
875 | if (emulate_vsyscall(regs, address)) |
876 | return; | |
877 | } | |
878 | #endif | |
dc4fac84 AL |
879 | |
880 | /* | |
881 | * To avoid leaking information about the kernel page table | |
882 | * layout, pretend that user-mode accesses to kernel addresses | |
883 | * are always protection faults. | |
884 | */ | |
885 | if (address >= TASK_SIZE_MAX) | |
1067f030 | 886 | error_code |= X86_PF_PROT; |
3ae36655 | 887 | |
e575a86f | 888 | if (likely(show_unhandled_signals)) |
2d4a7167 IM |
889 | show_signal_msg(regs, error_code, address, tsk); |
890 | ||
2d4a7167 | 891 | tsk->thread.cr2 = address; |
e575a86f | 892 | tsk->thread.error_code = error_code; |
51e7dc70 | 893 | tsk->thread.trap_nr = X86_TRAP_PF; |
92181f19 | 894 | |
a3c4fb7c | 895 | force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0); |
2d4a7167 | 896 | |
92181f19 NP |
897 | return; |
898 | } | |
899 | ||
900 | if (is_f00f_bug(regs, address)) | |
901 | return; | |
902 | ||
4fc34901 | 903 | no_context(regs, error_code, address, SIGSEGV, si_code); |
92181f19 NP |
904 | } |
905 | ||
2d4a7167 IM |
906 | static noinline void |
907 | bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, | |
a3c4fb7c | 908 | unsigned long address, u32 *pkey) |
92181f19 | 909 | { |
a3c4fb7c | 910 | __bad_area_nosemaphore(regs, error_code, address, pkey, SEGV_MAPERR); |
92181f19 NP |
911 | } |
912 | ||
2d4a7167 IM |
913 | static void |
914 | __bad_area(struct pt_regs *regs, unsigned long error_code, | |
7b2d0dba | 915 | unsigned long address, struct vm_area_struct *vma, int si_code) |
92181f19 NP |
916 | { |
917 | struct mm_struct *mm = current->mm; | |
a3c4fb7c LD |
918 | u32 pkey; |
919 | ||
920 | if (vma) | |
921 | pkey = vma_pkey(vma); | |
92181f19 NP |
922 | |
923 | /* | |
924 | * Something tried to access memory that isn't in our memory map.. | |
925 | * Fix it, but check if it's kernel or user first.. | |
926 | */ | |
927 | up_read(&mm->mmap_sem); | |
928 | ||
a3c4fb7c LD |
929 | __bad_area_nosemaphore(regs, error_code, address, |
930 | (vma) ? &pkey : NULL, si_code); | |
92181f19 NP |
931 | } |
932 | ||
2d4a7167 IM |
933 | static noinline void |
934 | bad_area(struct pt_regs *regs, unsigned long error_code, unsigned long address) | |
92181f19 | 935 | { |
7b2d0dba | 936 | __bad_area(regs, error_code, address, NULL, SEGV_MAPERR); |
92181f19 NP |
937 | } |
938 | ||
33a709b2 DH |
939 | static inline bool bad_area_access_from_pkeys(unsigned long error_code, |
940 | struct vm_area_struct *vma) | |
941 | { | |
07f146f5 DH |
942 | /* This code is always called on the current mm */ |
943 | bool foreign = false; | |
944 | ||
33a709b2 DH |
945 | if (!boot_cpu_has(X86_FEATURE_OSPKE)) |
946 | return false; | |
1067f030 | 947 | if (error_code & X86_PF_PK) |
33a709b2 | 948 | return true; |
07f146f5 | 949 | /* this checks permission keys on the VMA: */ |
1067f030 RN |
950 | if (!arch_vma_access_permitted(vma, (error_code & X86_PF_WRITE), |
951 | (error_code & X86_PF_INSTR), foreign)) | |
07f146f5 | 952 | return true; |
33a709b2 | 953 | return false; |
92181f19 NP |
954 | } |
955 | ||
2d4a7167 IM |
956 | static noinline void |
957 | bad_area_access_error(struct pt_regs *regs, unsigned long error_code, | |
7b2d0dba | 958 | unsigned long address, struct vm_area_struct *vma) |
92181f19 | 959 | { |
019132ff DH |
960 | /* |
961 | * This OSPKE check is not strictly necessary at runtime. | |
962 | * But, doing it this way allows compiler optimizations | |
963 | * if pkeys are compiled out. | |
964 | */ | |
33a709b2 | 965 | if (bad_area_access_from_pkeys(error_code, vma)) |
019132ff DH |
966 | __bad_area(regs, error_code, address, vma, SEGV_PKUERR); |
967 | else | |
968 | __bad_area(regs, error_code, address, vma, SEGV_ACCERR); | |
92181f19 NP |
969 | } |
970 | ||
2d4a7167 | 971 | static void |
a6e04aa9 | 972 | do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, |
a3c4fb7c | 973 | u32 *pkey, unsigned int fault) |
92181f19 NP |
974 | { |
975 | struct task_struct *tsk = current; | |
a6e04aa9 | 976 | int code = BUS_ADRERR; |
92181f19 | 977 | |
2d4a7167 | 978 | /* Kernel mode? Handle exceptions or die: */ |
1067f030 | 979 | if (!(error_code & X86_PF_USER)) { |
4fc34901 | 980 | no_context(regs, error_code, address, SIGBUS, BUS_ADRERR); |
96054569 LT |
981 | return; |
982 | } | |
2d4a7167 | 983 | |
cd1b68f0 | 984 | /* User-space => ok to do another page fault: */ |
92181f19 NP |
985 | if (is_prefetch(regs, error_code, address)) |
986 | return; | |
2d4a7167 IM |
987 | |
988 | tsk->thread.cr2 = address; | |
989 | tsk->thread.error_code = error_code; | |
51e7dc70 | 990 | tsk->thread.trap_nr = X86_TRAP_PF; |
2d4a7167 | 991 | |
a6e04aa9 | 992 | #ifdef CONFIG_MEMORY_FAILURE |
f672b49b | 993 | if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { |
a6e04aa9 AK |
994 | printk(KERN_ERR |
995 | "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", | |
996 | tsk->comm, tsk->pid, address); | |
997 | code = BUS_MCEERR_AR; | |
998 | } | |
999 | #endif | |
a3c4fb7c | 1000 | force_sig_info_fault(SIGBUS, code, address, tsk, pkey, fault); |
92181f19 NP |
1001 | } |
1002 | ||
3a13c4d7 | 1003 | static noinline void |
2d4a7167 | 1004 | mm_fault_error(struct pt_regs *regs, unsigned long error_code, |
50a7ca3c | 1005 | unsigned long address, u32 *pkey, vm_fault_t fault) |
92181f19 | 1006 | { |
1067f030 | 1007 | if (fatal_signal_pending(current) && !(error_code & X86_PF_USER)) { |
3a13c4d7 JW |
1008 | no_context(regs, error_code, address, 0, 0); |
1009 | return; | |
b80ef10e | 1010 | } |
b80ef10e | 1011 | |
2d4a7167 | 1012 | if (fault & VM_FAULT_OOM) { |
f8626854 | 1013 | /* Kernel mode? Handle exceptions or die: */ |
1067f030 | 1014 | if (!(error_code & X86_PF_USER)) { |
4fc34901 AL |
1015 | no_context(regs, error_code, address, |
1016 | SIGSEGV, SEGV_MAPERR); | |
3a13c4d7 | 1017 | return; |
f8626854 AV |
1018 | } |
1019 | ||
c2d23f91 DR |
1020 | /* |
1021 | * We ran out of memory, call the OOM killer, and return the | |
1022 | * userspace (which will retry the fault, or kill us if we got | |
1023 | * oom-killed): | |
1024 | */ | |
1025 | pagefault_out_of_memory(); | |
2d4a7167 | 1026 | } else { |
f672b49b AK |
1027 | if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON| |
1028 | VM_FAULT_HWPOISON_LARGE)) | |
a3c4fb7c | 1029 | do_sigbus(regs, error_code, address, pkey, fault); |
33692f27 | 1030 | else if (fault & VM_FAULT_SIGSEGV) |
a3c4fb7c | 1031 | bad_area_nosemaphore(regs, error_code, address, pkey); |
2d4a7167 IM |
1032 | else |
1033 | BUG(); | |
1034 | } | |
92181f19 NP |
1035 | } |
1036 | ||
d8b57bb7 TG |
1037 | static int spurious_fault_check(unsigned long error_code, pte_t *pte) |
1038 | { | |
1067f030 | 1039 | if ((error_code & X86_PF_WRITE) && !pte_write(*pte)) |
d8b57bb7 | 1040 | return 0; |
2d4a7167 | 1041 | |
1067f030 | 1042 | if ((error_code & X86_PF_INSTR) && !pte_exec(*pte)) |
d8b57bb7 | 1043 | return 0; |
b3ecd515 DH |
1044 | /* |
1045 | * Note: We do not do lazy flushing on protection key | |
1067f030 | 1046 | * changes, so no spurious fault will ever set X86_PF_PK. |
b3ecd515 | 1047 | */ |
1067f030 | 1048 | if ((error_code & X86_PF_PK)) |
b3ecd515 | 1049 | return 1; |
d8b57bb7 TG |
1050 | |
1051 | return 1; | |
1052 | } | |
1053 | ||
5b727a3b | 1054 | /* |
2d4a7167 IM |
1055 | * Handle a spurious fault caused by a stale TLB entry. |
1056 | * | |
1057 | * This allows us to lazily refresh the TLB when increasing the | |
1058 | * permissions of a kernel page (RO -> RW or NX -> X). Doing it | |
1059 | * eagerly is very expensive since that implies doing a full | |
1060 | * cross-processor TLB flush, even if no stale TLB entries exist | |
1061 | * on other processors. | |
1062 | * | |
31668511 DV |
1063 | * Spurious faults may only occur if the TLB contains an entry with |
1064 | * fewer permission than the page table entry. Non-present (P = 0) | |
1065 | * and reserved bit (R = 1) faults are never spurious. | |
1066 | * | |
5b727a3b JF |
1067 | * There are no security implications to leaving a stale TLB when |
1068 | * increasing the permissions on a page. | |
31668511 DV |
1069 | * |
1070 | * Returns non-zero if a spurious fault was handled, zero otherwise. | |
1071 | * | |
1072 | * See Intel Developer's Manual Vol 3 Section 4.10.4.3, bullet 3 | |
1073 | * (Optional Invalidation). | |
5b727a3b | 1074 | */ |
9326638c | 1075 | static noinline int |
2d4a7167 | 1076 | spurious_fault(unsigned long error_code, unsigned long address) |
5b727a3b JF |
1077 | { |
1078 | pgd_t *pgd; | |
e0c4f675 | 1079 | p4d_t *p4d; |
5b727a3b JF |
1080 | pud_t *pud; |
1081 | pmd_t *pmd; | |
1082 | pte_t *pte; | |
3c3e5694 | 1083 | int ret; |
5b727a3b | 1084 | |
31668511 DV |
1085 | /* |
1086 | * Only writes to RO or instruction fetches from NX may cause | |
1087 | * spurious faults. | |
1088 | * | |
1089 | * These could be from user or supervisor accesses but the TLB | |
1090 | * is only lazily flushed after a kernel mapping protection | |
1091 | * change, so user accesses are not expected to cause spurious | |
1092 | * faults. | |
1093 | */ | |
1067f030 RN |
1094 | if (error_code != (X86_PF_WRITE | X86_PF_PROT) && |
1095 | error_code != (X86_PF_INSTR | X86_PF_PROT)) | |
5b727a3b JF |
1096 | return 0; |
1097 | ||
1098 | pgd = init_mm.pgd + pgd_index(address); | |
1099 | if (!pgd_present(*pgd)) | |
1100 | return 0; | |
1101 | ||
e0c4f675 KS |
1102 | p4d = p4d_offset(pgd, address); |
1103 | if (!p4d_present(*p4d)) | |
1104 | return 0; | |
1105 | ||
1106 | if (p4d_large(*p4d)) | |
1107 | return spurious_fault_check(error_code, (pte_t *) p4d); | |
1108 | ||
1109 | pud = pud_offset(p4d, address); | |
5b727a3b JF |
1110 | if (!pud_present(*pud)) |
1111 | return 0; | |
1112 | ||
d8b57bb7 TG |
1113 | if (pud_large(*pud)) |
1114 | return spurious_fault_check(error_code, (pte_t *) pud); | |
1115 | ||
5b727a3b JF |
1116 | pmd = pmd_offset(pud, address); |
1117 | if (!pmd_present(*pmd)) | |
1118 | return 0; | |
1119 | ||
d8b57bb7 TG |
1120 | if (pmd_large(*pmd)) |
1121 | return spurious_fault_check(error_code, (pte_t *) pmd); | |
1122 | ||
5b727a3b | 1123 | pte = pte_offset_kernel(pmd, address); |
954f8571 | 1124 | if (!pte_present(*pte)) |
5b727a3b JF |
1125 | return 0; |
1126 | ||
3c3e5694 SR |
1127 | ret = spurious_fault_check(error_code, pte); |
1128 | if (!ret) | |
1129 | return 0; | |
1130 | ||
1131 | /* | |
2d4a7167 IM |
1132 | * Make sure we have permissions in PMD. |
1133 | * If not, then there's a bug in the page tables: | |
3c3e5694 SR |
1134 | */ |
1135 | ret = spurious_fault_check(error_code, (pte_t *) pmd); | |
1136 | WARN_ONCE(!ret, "PMD has incorrect permission bits\n"); | |
2d4a7167 | 1137 | |
3c3e5694 | 1138 | return ret; |
5b727a3b | 1139 | } |
9326638c | 1140 | NOKPROBE_SYMBOL(spurious_fault); |
5b727a3b | 1141 | |
abd4f750 | 1142 | int show_unhandled_signals = 1; |
1da177e4 | 1143 | |
2d4a7167 | 1144 | static inline int |
68da336a | 1145 | access_error(unsigned long error_code, struct vm_area_struct *vma) |
92181f19 | 1146 | { |
07f146f5 DH |
1147 | /* This is only called for the current mm, so: */ |
1148 | bool foreign = false; | |
e8c6226d DH |
1149 | |
1150 | /* | |
1151 | * Read or write was blocked by protection keys. This is | |
1152 | * always an unconditional error and can never result in | |
1153 | * a follow-up action to resolve the fault, like a COW. | |
1154 | */ | |
1067f030 | 1155 | if (error_code & X86_PF_PK) |
e8c6226d DH |
1156 | return 1; |
1157 | ||
07f146f5 DH |
1158 | /* |
1159 | * Make sure to check the VMA so that we do not perform | |
1067f030 | 1160 | * faults just to hit a X86_PF_PK as soon as we fill in a |
07f146f5 DH |
1161 | * page. |
1162 | */ | |
1067f030 RN |
1163 | if (!arch_vma_access_permitted(vma, (error_code & X86_PF_WRITE), |
1164 | (error_code & X86_PF_INSTR), foreign)) | |
07f146f5 | 1165 | return 1; |
33a709b2 | 1166 | |
1067f030 | 1167 | if (error_code & X86_PF_WRITE) { |
2d4a7167 | 1168 | /* write, present and write, not present: */ |
92181f19 NP |
1169 | if (unlikely(!(vma->vm_flags & VM_WRITE))) |
1170 | return 1; | |
2d4a7167 | 1171 | return 0; |
92181f19 NP |
1172 | } |
1173 | ||
2d4a7167 | 1174 | /* read, present: */ |
1067f030 | 1175 | if (unlikely(error_code & X86_PF_PROT)) |
2d4a7167 IM |
1176 | return 1; |
1177 | ||
1178 | /* read, not present: */ | |
1179 | if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE)))) | |
1180 | return 1; | |
1181 | ||
92181f19 NP |
1182 | return 0; |
1183 | } | |
1184 | ||
0973a06c HS |
1185 | static int fault_in_kernel_space(unsigned long address) |
1186 | { | |
d9517346 | 1187 | return address >= TASK_SIZE_MAX; |
0973a06c HS |
1188 | } |
1189 | ||
40d3cd66 PA |
1190 | static inline bool smap_violation(int error_code, struct pt_regs *regs) |
1191 | { | |
4640c7ee PA |
1192 | if (!IS_ENABLED(CONFIG_X86_SMAP)) |
1193 | return false; | |
1194 | ||
1195 | if (!static_cpu_has(X86_FEATURE_SMAP)) | |
1196 | return false; | |
1197 | ||
1067f030 | 1198 | if (error_code & X86_PF_USER) |
40d3cd66 PA |
1199 | return false; |
1200 | ||
f39b6f0e | 1201 | if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC)) |
40d3cd66 PA |
1202 | return false; |
1203 | ||
1204 | return true; | |
1205 | } | |
1206 | ||
1da177e4 LT |
1207 | /* |
1208 | * This routine handles page faults. It determines the address, | |
1209 | * and the problem, and then passes it off to one of the appropriate | |
1210 | * routines. | |
1da177e4 | 1211 | */ |
9326638c | 1212 | static noinline void |
0ac09f9f JO |
1213 | __do_page_fault(struct pt_regs *regs, unsigned long error_code, |
1214 | unsigned long address) | |
1da177e4 | 1215 | { |
2d4a7167 | 1216 | struct vm_area_struct *vma; |
1da177e4 LT |
1217 | struct task_struct *tsk; |
1218 | struct mm_struct *mm; | |
50a7ca3c | 1219 | vm_fault_t fault, major = 0; |
759496ba | 1220 | unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; |
a3c4fb7c | 1221 | u32 pkey; |
1da177e4 | 1222 | |
a9ba9a3b AV |
1223 | tsk = current; |
1224 | mm = tsk->mm; | |
2d4a7167 | 1225 | |
5dfaf90f | 1226 | prefetchw(&mm->mmap_sem); |
f8561296 | 1227 | |
0fd0e3da | 1228 | if (unlikely(kmmio_fault(regs, address))) |
86069782 | 1229 | return; |
1da177e4 LT |
1230 | |
1231 | /* | |
1232 | * We fault-in kernel-space virtual memory on-demand. The | |
1233 | * 'reference' page table is init_mm.pgd. | |
1234 | * | |
1235 | * NOTE! We MUST NOT take any locks for this case. We may | |
1236 | * be in an interrupt or a critical region, and should | |
1237 | * only copy the information from the master page table, | |
1238 | * nothing more. | |
1239 | * | |
1240 | * This verifies that the fault happens in kernel space | |
1241 | * (error_code & 4) == 0, and that the fault was not a | |
8b1bde93 | 1242 | * protection error (error_code & 9) == 0. |
1da177e4 | 1243 | */ |
0973a06c | 1244 | if (unlikely(fault_in_kernel_space(address))) { |
1067f030 | 1245 | if (!(error_code & (X86_PF_RSVD | X86_PF_USER | X86_PF_PROT))) { |
f8561296 VN |
1246 | if (vmalloc_fault(address) >= 0) |
1247 | return; | |
f8561296 | 1248 | } |
5b727a3b | 1249 | |
2d4a7167 | 1250 | /* Can handle a stale RO->RW TLB: */ |
92181f19 | 1251 | if (spurious_fault(error_code, address)) |
5b727a3b JF |
1252 | return; |
1253 | ||
2d4a7167 | 1254 | /* kprobes don't want to hook the spurious faults: */ |
e00b12e6 | 1255 | if (kprobes_fault(regs)) |
9be260a6 | 1256 | return; |
f8c2ee22 HH |
1257 | /* |
1258 | * Don't take the mm semaphore here. If we fixup a prefetch | |
2d4a7167 | 1259 | * fault we could otherwise deadlock: |
f8c2ee22 | 1260 | */ |
7b2d0dba | 1261 | bad_area_nosemaphore(regs, error_code, address, NULL); |
2d4a7167 | 1262 | |
92181f19 | 1263 | return; |
f8c2ee22 HH |
1264 | } |
1265 | ||
2d4a7167 | 1266 | /* kprobes don't want to hook the spurious faults: */ |
e00b12e6 | 1267 | if (unlikely(kprobes_fault(regs))) |
9be260a6 | 1268 | return; |
8c914cb7 | 1269 | |
1067f030 | 1270 | if (unlikely(error_code & X86_PF_RSVD)) |
92181f19 | 1271 | pgtable_bad(regs, error_code, address); |
1da177e4 | 1272 | |
4640c7ee | 1273 | if (unlikely(smap_violation(error_code, regs))) { |
7b2d0dba | 1274 | bad_area_nosemaphore(regs, error_code, address, NULL); |
4640c7ee | 1275 | return; |
40d3cd66 PA |
1276 | } |
1277 | ||
1da177e4 | 1278 | /* |
2d4a7167 | 1279 | * If we're in an interrupt, have no user context or are running |
70ffdb93 | 1280 | * in a region with pagefaults disabled then we must not take the fault |
1da177e4 | 1281 | */ |
70ffdb93 | 1282 | if (unlikely(faulthandler_disabled() || !mm)) { |
7b2d0dba | 1283 | bad_area_nosemaphore(regs, error_code, address, NULL); |
92181f19 NP |
1284 | return; |
1285 | } | |
1da177e4 | 1286 | |
e00b12e6 PZ |
1287 | /* |
1288 | * It's safe to allow irq's after cr2 has been saved and the | |
1289 | * vmalloc fault has been handled. | |
1290 | * | |
1291 | * User-mode registers count as a user access even for any | |
1292 | * potential system fault or CPU buglet: | |
1293 | */ | |
f39b6f0e | 1294 | if (user_mode(regs)) { |
e00b12e6 | 1295 | local_irq_enable(); |
1067f030 | 1296 | error_code |= X86_PF_USER; |
e00b12e6 PZ |
1297 | flags |= FAULT_FLAG_USER; |
1298 | } else { | |
1299 | if (regs->flags & X86_EFLAGS_IF) | |
1300 | local_irq_enable(); | |
1301 | } | |
1302 | ||
1303 | perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address); | |
1304 | ||
1067f030 | 1305 | if (error_code & X86_PF_WRITE) |
759496ba | 1306 | flags |= FAULT_FLAG_WRITE; |
1067f030 | 1307 | if (error_code & X86_PF_INSTR) |
d61172b4 | 1308 | flags |= FAULT_FLAG_INSTRUCTION; |
759496ba | 1309 | |
3a1dfe6e IM |
1310 | /* |
1311 | * When running in the kernel we expect faults to occur only to | |
2d4a7167 IM |
1312 | * addresses in user space. All other faults represent errors in |
1313 | * the kernel and should generate an OOPS. Unfortunately, in the | |
1314 | * case of an erroneous fault occurring in a code path which already | |
1315 | * holds mmap_sem we will deadlock attempting to validate the fault | |
1316 | * against the address space. Luckily the kernel only validly | |
1317 | * references user space from well defined areas of code, which are | |
1318 | * listed in the exceptions table. | |
1da177e4 LT |
1319 | * |
1320 | * As the vast majority of faults will be valid we will only perform | |
2d4a7167 IM |
1321 | * the source reference check when there is a possibility of a |
1322 | * deadlock. Attempt to lock the address space, if we cannot we then | |
1323 | * validate the source. If this is invalid we can skip the address | |
1324 | * space check, thus avoiding the deadlock: | |
1da177e4 | 1325 | */ |
92181f19 | 1326 | if (unlikely(!down_read_trylock(&mm->mmap_sem))) { |
1067f030 | 1327 | if (!(error_code & X86_PF_USER) && |
92181f19 | 1328 | !search_exception_tables(regs->ip)) { |
7b2d0dba | 1329 | bad_area_nosemaphore(regs, error_code, address, NULL); |
92181f19 NP |
1330 | return; |
1331 | } | |
d065bd81 | 1332 | retry: |
1da177e4 | 1333 | down_read(&mm->mmap_sem); |
01006074 PZ |
1334 | } else { |
1335 | /* | |
2d4a7167 IM |
1336 | * The above down_read_trylock() might have succeeded in |
1337 | * which case we'll have missed the might_sleep() from | |
1338 | * down_read(): | |
01006074 PZ |
1339 | */ |
1340 | might_sleep(); | |
1da177e4 LT |
1341 | } |
1342 | ||
1343 | vma = find_vma(mm, address); | |
92181f19 NP |
1344 | if (unlikely(!vma)) { |
1345 | bad_area(regs, error_code, address); | |
1346 | return; | |
1347 | } | |
1348 | if (likely(vma->vm_start <= address)) | |
1da177e4 | 1349 | goto good_area; |
92181f19 NP |
1350 | if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) { |
1351 | bad_area(regs, error_code, address); | |
1352 | return; | |
1353 | } | |
1067f030 | 1354 | if (error_code & X86_PF_USER) { |
6f4d368e HH |
1355 | /* |
1356 | * Accessing the stack below %sp is always a bug. | |
1357 | * The large cushion allows instructions like enter | |
2d4a7167 | 1358 | * and pusha to work. ("enter $65535, $31" pushes |
6f4d368e | 1359 | * 32 pointers and then decrements %sp by 65535.) |
03fdc2c2 | 1360 | */ |
92181f19 NP |
1361 | if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) { |
1362 | bad_area(regs, error_code, address); | |
1363 | return; | |
1364 | } | |
1da177e4 | 1365 | } |
92181f19 NP |
1366 | if (unlikely(expand_stack(vma, address))) { |
1367 | bad_area(regs, error_code, address); | |
1368 | return; | |
1369 | } | |
1370 | ||
1371 | /* | |
1372 | * Ok, we have a good vm_area for this memory access, so | |
1373 | * we can handle it.. | |
1374 | */ | |
1da177e4 | 1375 | good_area: |
68da336a | 1376 | if (unlikely(access_error(error_code, vma))) { |
7b2d0dba | 1377 | bad_area_access_error(regs, error_code, address, vma); |
92181f19 | 1378 | return; |
1da177e4 LT |
1379 | } |
1380 | ||
1381 | /* | |
1382 | * If for any reason at all we couldn't handle the fault, | |
1383 | * make sure we exit gracefully rather than endlessly redo | |
9a95f3cf PC |
1384 | * the fault. Since we never set FAULT_FLAG_RETRY_NOWAIT, if |
1385 | * we get VM_FAULT_RETRY back, the mmap_sem has been unlocked. | |
cb0631fd VB |
1386 | * |
1387 | * Note that handle_userfault() may also release and reacquire mmap_sem | |
1388 | * (and not return with VM_FAULT_RETRY), when returning to userland to | |
1389 | * repeat the page fault later with a VM_FAULT_NOPAGE retval | |
1390 | * (potentially after handling any pending signal during the return to | |
1391 | * userland). The return to userland is identified whenever | |
1392 | * FAULT_FLAG_USER|FAULT_FLAG_KILLABLE are both set in flags. | |
1393 | * Thus we have to be careful about not touching vma after handling the | |
1394 | * fault, so we read the pkey beforehand. | |
1da177e4 | 1395 | */ |
cb0631fd | 1396 | pkey = vma_pkey(vma); |
dcddffd4 | 1397 | fault = handle_mm_fault(vma, address, flags); |
26178ec1 | 1398 | major |= fault & VM_FAULT_MAJOR; |
2d4a7167 | 1399 | |
3a13c4d7 | 1400 | /* |
26178ec1 LT |
1401 | * If we need to retry the mmap_sem has already been released, |
1402 | * and if there is a fatal signal pending there is no guarantee | |
1403 | * that we made any progress. Handle this case first. | |
3a13c4d7 | 1404 | */ |
26178ec1 LT |
1405 | if (unlikely(fault & VM_FAULT_RETRY)) { |
1406 | /* Retry at most once */ | |
1407 | if (flags & FAULT_FLAG_ALLOW_RETRY) { | |
1408 | flags &= ~FAULT_FLAG_ALLOW_RETRY; | |
1409 | flags |= FAULT_FLAG_TRIED; | |
1410 | if (!fatal_signal_pending(tsk)) | |
1411 | goto retry; | |
1412 | } | |
1413 | ||
1414 | /* User mode? Just return to handle the fatal exception */ | |
cf3c0a15 | 1415 | if (flags & FAULT_FLAG_USER) |
26178ec1 LT |
1416 | return; |
1417 | ||
1418 | /* Not returning to user mode? Handle exceptions or die: */ | |
1419 | no_context(regs, error_code, address, SIGBUS, BUS_ADRERR); | |
3a13c4d7 | 1420 | return; |
26178ec1 | 1421 | } |
3a13c4d7 | 1422 | |
26178ec1 | 1423 | up_read(&mm->mmap_sem); |
3a13c4d7 | 1424 | if (unlikely(fault & VM_FAULT_ERROR)) { |
a3c4fb7c | 1425 | mm_fault_error(regs, error_code, address, &pkey, fault); |
3a13c4d7 | 1426 | return; |
37b23e05 KM |
1427 | } |
1428 | ||
d065bd81 | 1429 | /* |
26178ec1 LT |
1430 | * Major/minor page fault accounting. If any of the events |
1431 | * returned VM_FAULT_MAJOR, we account it as a major fault. | |
d065bd81 | 1432 | */ |
26178ec1 LT |
1433 | if (major) { |
1434 | tsk->maj_flt++; | |
1435 | perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address); | |
1436 | } else { | |
1437 | tsk->min_flt++; | |
1438 | perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address); | |
ac17dc8e | 1439 | } |
d729ab35 | 1440 | |
8c938f9f | 1441 | check_v8086_mode(regs, address, tsk); |
1da177e4 | 1442 | } |
9326638c | 1443 | NOKPROBE_SYMBOL(__do_page_fault); |
6ba3c97a | 1444 | |
9326638c MH |
1445 | static nokprobe_inline void |
1446 | trace_page_fault_entries(unsigned long address, struct pt_regs *regs, | |
1447 | unsigned long error_code) | |
d34603b0 SA |
1448 | { |
1449 | if (user_mode(regs)) | |
d4078e23 | 1450 | trace_page_fault_user(address, regs, error_code); |
d34603b0 | 1451 | else |
d4078e23 | 1452 | trace_page_fault_kernel(address, regs, error_code); |
d34603b0 SA |
1453 | } |
1454 | ||
11a7ffb0 TG |
1455 | /* |
1456 | * We must have this function blacklisted from kprobes, tagged with notrace | |
1457 | * and call read_cr2() before calling anything else. To avoid calling any | |
1458 | * kind of tracing machinery before we've observed the CR2 value. | |
1459 | * | |
1460 | * exception_{enter,exit}() contains all sorts of tracepoints. | |
1461 | */ | |
9326638c | 1462 | dotraplinkage void notrace |
11a7ffb0 | 1463 | do_page_fault(struct pt_regs *regs, unsigned long error_code) |
25c74b10 | 1464 | { |
11a7ffb0 | 1465 | unsigned long address = read_cr2(); /* Get the faulting address */ |
d4078e23 | 1466 | enum ctx_state prev_state; |
25c74b10 SA |
1467 | |
1468 | prev_state = exception_enter(); | |
80954747 | 1469 | if (trace_pagefault_enabled()) |
11a7ffb0 TG |
1470 | trace_page_fault_entries(address, regs, error_code); |
1471 | ||
0ac09f9f | 1472 | __do_page_fault(regs, error_code, address); |
25c74b10 SA |
1473 | exception_exit(prev_state); |
1474 | } | |
11a7ffb0 | 1475 | NOKPROBE_SYMBOL(do_page_fault); |