Commit | Line | Data |
---|---|---|
1da177e4 | 1 | /* |
1da177e4 LT |
2 | * Copyright (C) 1995 Linus Torvalds |
3 | * Copyright (C) 2001,2002 Andi Kleen, SuSE Labs. | |
4 | */ | |
5 | ||
1da177e4 LT |
6 | #include <linux/signal.h> |
7 | #include <linux/sched.h> | |
8 | #include <linux/kernel.h> | |
9 | #include <linux/errno.h> | |
10 | #include <linux/string.h> | |
11 | #include <linux/types.h> | |
12 | #include <linux/ptrace.h> | |
13 | #include <linux/mman.h> | |
14 | #include <linux/mm.h> | |
15 | #include <linux/smp.h> | |
1da177e4 LT |
16 | #include <linux/interrupt.h> |
17 | #include <linux/init.h> | |
18 | #include <linux/tty.h> | |
19 | #include <linux/vt_kern.h> /* For unblank_screen() */ | |
20 | #include <linux/compiler.h> | |
c61e211d HH |
21 | #include <linux/highmem.h> |
22 | #include <linux/bootmem.h> /* for max_low_pfn */ | |
1eeb66a1 | 23 | #include <linux/vmalloc.h> |
1da177e4 | 24 | #include <linux/module.h> |
0f2fbdcb | 25 | #include <linux/kprobes.h> |
ab2bf0c1 | 26 | #include <linux/uaccess.h> |
1eeb66a1 | 27 | #include <linux/kdebug.h> |
1da177e4 LT |
28 | |
29 | #include <asm/system.h> | |
c61e211d HH |
30 | #include <asm/desc.h> |
31 | #include <asm/segment.h> | |
1da177e4 LT |
32 | #include <asm/pgalloc.h> |
33 | #include <asm/smp.h> | |
34 | #include <asm/tlbflush.h> | |
35 | #include <asm/proto.h> | |
1da177e4 | 36 | #include <asm-generic/sections.h> |
1da177e4 | 37 | |
33cb5243 HH |
38 | /* |
39 | * Page fault error code bits | |
40 | * bit 0 == 0 means no page found, 1 means protection fault | |
41 | * bit 1 == 0 means read, 1 means write | |
42 | * bit 2 == 0 means kernel, 1 means user-mode | |
43 | * bit 3 == 1 means use of reserved bit detected | |
44 | * bit 4 == 1 means fault was an instruction fetch | |
45 | */ | |
8a19da7b | 46 | #define PF_PROT (1<<0) |
66c58156 | 47 | #define PF_WRITE (1<<1) |
8a19da7b IM |
48 | #define PF_USER (1<<2) |
49 | #define PF_RSVD (1<<3) | |
66c58156 AK |
50 | #define PF_INSTR (1<<4) |
51 | ||
10c43d2e PP |
52 | #ifdef CONFIG_MMIOTRACE_HOOKS |
53 | static pf_handler_func mmiotrace_pf_handler; /* protected by RCU */ | |
54 | static DEFINE_SPINLOCK(mmiotrace_handler_lock); | |
86069782 | 55 | |
10c43d2e | 56 | int mmiotrace_register_pf(pf_handler_func new_pfh) |
86069782 | 57 | { |
10c43d2e | 58 | int ret = 0; |
86069782 | 59 | unsigned long flags; |
10c43d2e PP |
60 | spin_lock_irqsave(&mmiotrace_handler_lock, flags); |
61 | if (mmiotrace_pf_handler) | |
62 | ret = -EBUSY; | |
63 | else | |
64 | mmiotrace_pf_handler = new_pfh; | |
65 | spin_unlock_irqrestore(&mmiotrace_handler_lock, flags); | |
66 | return ret; | |
86069782 | 67 | } |
10c43d2e | 68 | EXPORT_SYMBOL_GPL(mmiotrace_register_pf); |
86069782 PP |
69 | |
70 | /** | |
10c43d2e | 71 | * mmiotrace_unregister_pf: |
86069782 | 72 | * The caller must ensure @old_pfh is not in use anymore before freeing it. |
10c43d2e PP |
73 | * This function does not guarantee it. The handler function pointer is |
74 | * protected by RCU, so you can do this by e.g. calling synchronize_rcu(). | |
86069782 | 75 | */ |
10c43d2e | 76 | int mmiotrace_unregister_pf(pf_handler_func old_pfh) |
86069782 | 77 | { |
10c43d2e | 78 | int ret = 0; |
86069782 | 79 | unsigned long flags; |
10c43d2e PP |
80 | spin_lock_irqsave(&mmiotrace_handler_lock, flags); |
81 | if (mmiotrace_pf_handler != old_pfh) | |
82 | ret = -EPERM; | |
83 | else | |
84 | mmiotrace_pf_handler = NULL; | |
85 | spin_unlock_irqrestore(&mmiotrace_handler_lock, flags); | |
86 | return ret; | |
86069782 | 87 | } |
10c43d2e PP |
88 | EXPORT_SYMBOL_GPL(mmiotrace_unregister_pf); |
89 | #endif /* CONFIG_MMIOTRACE_HOOKS */ | |
86069782 PP |
90 | |
91 | /* returns non-zero if do_page_fault() should return */ | |
10c43d2e PP |
92 | static inline int call_mmiotrace(struct pt_regs *regs, |
93 | unsigned long error_code, | |
94 | unsigned long address) | |
86069782 | 95 | { |
10c43d2e | 96 | #ifdef CONFIG_MMIOTRACE_HOOKS |
86069782 | 97 | int ret = 0; |
86069782 | 98 | rcu_read_lock(); |
10c43d2e PP |
99 | if (mmiotrace_pf_handler) |
100 | ret = mmiotrace_pf_handler(regs, error_code, address); | |
86069782 PP |
101 | rcu_read_unlock(); |
102 | return ret; | |
103 | #else | |
104 | return 0; | |
105 | #endif | |
106 | } | |
107 | ||
74a0b576 | 108 | static inline int notify_page_fault(struct pt_regs *regs) |
1bd858a5 | 109 | { |
33cb5243 | 110 | #ifdef CONFIG_KPROBES |
74a0b576 CH |
111 | int ret = 0; |
112 | ||
113 | /* kprobe_running() needs smp_processor_id() */ | |
f8c2ee22 HH |
114 | #ifdef CONFIG_X86_32 |
115 | if (!user_mode_vm(regs)) { | |
116 | #else | |
74a0b576 | 117 | if (!user_mode(regs)) { |
f8c2ee22 | 118 | #endif |
74a0b576 CH |
119 | preempt_disable(); |
120 | if (kprobe_running() && kprobe_fault_handler(regs, 14)) | |
121 | ret = 1; | |
122 | preempt_enable(); | |
123 | } | |
1bd858a5 | 124 | |
74a0b576 | 125 | return ret; |
74a0b576 | 126 | #else |
74a0b576 | 127 | return 0; |
74a0b576 | 128 | #endif |
33cb5243 | 129 | } |
1bd858a5 | 130 | |
1dc85be0 HH |
131 | /* |
132 | * X86_32 | |
133 | * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch. | |
134 | * Check that here and ignore it. | |
135 | * | |
136 | * X86_64 | |
137 | * Sometimes the CPU reports invalid exceptions on prefetch. | |
138 | * Check that here and ignore it. | |
139 | * | |
140 | * Opcode checker based on code by Richard Brunner | |
141 | */ | |
142 | static int is_prefetch(struct pt_regs *regs, unsigned long addr, | |
143 | unsigned long error_code) | |
33cb5243 | 144 | { |
ab2bf0c1 | 145 | unsigned char *instr; |
1da177e4 | 146 | int scan_more = 1; |
33cb5243 | 147 | int prefetch = 0; |
f1290ec9 | 148 | unsigned char *max_instr; |
1da177e4 | 149 | |
3085354d IM |
150 | /* |
151 | * If it was a exec (instruction fetch) fault on NX page, then | |
152 | * do not ignore the fault: | |
153 | */ | |
66c58156 | 154 | if (error_code & PF_INSTR) |
1da177e4 | 155 | return 0; |
1dc85be0 | 156 | |
f2857ce9 | 157 | instr = (unsigned char *)convert_ip_to_linear(current, regs); |
f1290ec9 | 158 | max_instr = instr + 15; |
1da177e4 | 159 | |
76381fee | 160 | if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE) |
1da177e4 LT |
161 | return 0; |
162 | ||
33cb5243 | 163 | while (scan_more && instr < max_instr) { |
1da177e4 LT |
164 | unsigned char opcode; |
165 | unsigned char instr_hi; | |
166 | unsigned char instr_lo; | |
167 | ||
ab2bf0c1 | 168 | if (probe_kernel_address(instr, opcode)) |
33cb5243 | 169 | break; |
1da177e4 | 170 | |
33cb5243 HH |
171 | instr_hi = opcode & 0xf0; |
172 | instr_lo = opcode & 0x0f; | |
1da177e4 LT |
173 | instr++; |
174 | ||
33cb5243 | 175 | switch (instr_hi) { |
1da177e4 LT |
176 | case 0x20: |
177 | case 0x30: | |
33cb5243 HH |
178 | /* |
179 | * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. | |
180 | * In X86_64 long mode, the CPU will signal invalid | |
181 | * opcode if some of these prefixes are present so | |
182 | * X86_64 will never get here anyway | |
183 | */ | |
1da177e4 LT |
184 | scan_more = ((instr_lo & 7) == 0x6); |
185 | break; | |
33cb5243 | 186 | #ifdef CONFIG_X86_64 |
1da177e4 | 187 | case 0x40: |
33cb5243 HH |
188 | /* |
189 | * In AMD64 long mode 0x40..0x4F are valid REX prefixes | |
190 | * Need to figure out under what instruction mode the | |
191 | * instruction was issued. Could check the LDT for lm, | |
192 | * but for now it's good enough to assume that long | |
193 | * mode only uses well known segments or kernel. | |
194 | */ | |
76381fee | 195 | scan_more = (!user_mode(regs)) || (regs->cs == __USER_CS); |
1da177e4 | 196 | break; |
33cb5243 | 197 | #endif |
1da177e4 LT |
198 | case 0x60: |
199 | /* 0x64 thru 0x67 are valid prefixes in all modes. */ | |
200 | scan_more = (instr_lo & 0xC) == 0x4; | |
33cb5243 | 201 | break; |
1da177e4 | 202 | case 0xF0: |
1dc85be0 | 203 | /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */ |
1da177e4 | 204 | scan_more = !instr_lo || (instr_lo>>1) == 1; |
33cb5243 | 205 | break; |
1da177e4 LT |
206 | case 0x00: |
207 | /* Prefetch instruction is 0x0F0D or 0x0F18 */ | |
208 | scan_more = 0; | |
f2857ce9 | 209 | |
ab2bf0c1 | 210 | if (probe_kernel_address(instr, opcode)) |
1da177e4 LT |
211 | break; |
212 | prefetch = (instr_lo == 0xF) && | |
213 | (opcode == 0x0D || opcode == 0x18); | |
33cb5243 | 214 | break; |
1da177e4 LT |
215 | default: |
216 | scan_more = 0; | |
217 | break; | |
33cb5243 | 218 | } |
1da177e4 LT |
219 | } |
220 | return prefetch; | |
221 | } | |
222 | ||
c4aba4a8 HH |
223 | static void force_sig_info_fault(int si_signo, int si_code, |
224 | unsigned long address, struct task_struct *tsk) | |
225 | { | |
226 | siginfo_t info; | |
227 | ||
228 | info.si_signo = si_signo; | |
229 | info.si_errno = 0; | |
230 | info.si_code = si_code; | |
231 | info.si_addr = (void __user *)address; | |
232 | force_sig_info(si_signo, &info, tsk); | |
233 | } | |
234 | ||
1156e098 | 235 | #ifdef CONFIG_X86_64 |
33cb5243 HH |
236 | static int bad_address(void *p) |
237 | { | |
1da177e4 | 238 | unsigned long dummy; |
ab2bf0c1 | 239 | return probe_kernel_address((unsigned long *)p, dummy); |
33cb5243 | 240 | } |
1156e098 | 241 | #endif |
1da177e4 | 242 | |
cae30f82 | 243 | static void dump_pagetable(unsigned long address) |
1da177e4 | 244 | { |
1156e098 HH |
245 | #ifdef CONFIG_X86_32 |
246 | __typeof__(pte_val(__pte(0))) page; | |
247 | ||
248 | page = read_cr3(); | |
249 | page = ((__typeof__(page) *) __va(page))[address >> PGDIR_SHIFT]; | |
250 | #ifdef CONFIG_X86_PAE | |
251 | printk("*pdpt = %016Lx ", page); | |
252 | if ((page >> PAGE_SHIFT) < max_low_pfn | |
253 | && page & _PAGE_PRESENT) { | |
254 | page &= PAGE_MASK; | |
255 | page = ((__typeof__(page) *) __va(page))[(address >> PMD_SHIFT) | |
256 | & (PTRS_PER_PMD - 1)]; | |
257 | printk(KERN_CONT "*pde = %016Lx ", page); | |
258 | page &= ~_PAGE_NX; | |
259 | } | |
260 | #else | |
261 | printk("*pde = %08lx ", page); | |
262 | #endif | |
263 | ||
264 | /* | |
265 | * We must not directly access the pte in the highpte | |
266 | * case if the page table is located in highmem. | |
267 | * And let's rather not kmap-atomic the pte, just in case | |
268 | * it's allocated already. | |
269 | */ | |
270 | if ((page >> PAGE_SHIFT) < max_low_pfn | |
271 | && (page & _PAGE_PRESENT) | |
272 | && !(page & _PAGE_PSE)) { | |
273 | page &= PAGE_MASK; | |
274 | page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT) | |
275 | & (PTRS_PER_PTE - 1)]; | |
276 | printk("*pte = %0*Lx ", sizeof(page)*2, (u64)page); | |
277 | } | |
278 | ||
279 | printk("\n"); | |
280 | #else /* CONFIG_X86_64 */ | |
1da177e4 LT |
281 | pgd_t *pgd; |
282 | pud_t *pud; | |
283 | pmd_t *pmd; | |
284 | pte_t *pte; | |
285 | ||
f51c9452 | 286 | pgd = (pgd_t *)read_cr3(); |
1da177e4 | 287 | |
33cb5243 | 288 | pgd = __va((unsigned long)pgd & PHYSICAL_PAGE_MASK); |
1da177e4 | 289 | pgd += pgd_index(address); |
1da177e4 | 290 | if (bad_address(pgd)) goto bad; |
d646bce4 | 291 | printk("PGD %lx ", pgd_val(*pgd)); |
33cb5243 | 292 | if (!pgd_present(*pgd)) goto ret; |
1da177e4 | 293 | |
d2ae5b5f | 294 | pud = pud_offset(pgd, address); |
1da177e4 LT |
295 | if (bad_address(pud)) goto bad; |
296 | printk("PUD %lx ", pud_val(*pud)); | |
b5360222 AK |
297 | if (!pud_present(*pud) || pud_large(*pud)) |
298 | goto ret; | |
1da177e4 LT |
299 | |
300 | pmd = pmd_offset(pud, address); | |
301 | if (bad_address(pmd)) goto bad; | |
302 | printk("PMD %lx ", pmd_val(*pmd)); | |
b1992df3 | 303 | if (!pmd_present(*pmd) || pmd_large(*pmd)) goto ret; |
1da177e4 LT |
304 | |
305 | pte = pte_offset_kernel(pmd, address); | |
306 | if (bad_address(pte)) goto bad; | |
33cb5243 | 307 | printk("PTE %lx", pte_val(*pte)); |
1da177e4 LT |
308 | ret: |
309 | printk("\n"); | |
310 | return; | |
311 | bad: | |
312 | printk("BAD\n"); | |
1156e098 HH |
313 | #endif |
314 | } | |
315 | ||
316 | #ifdef CONFIG_X86_32 | |
317 | static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address) | |
318 | { | |
319 | unsigned index = pgd_index(address); | |
320 | pgd_t *pgd_k; | |
321 | pud_t *pud, *pud_k; | |
322 | pmd_t *pmd, *pmd_k; | |
323 | ||
324 | pgd += index; | |
325 | pgd_k = init_mm.pgd + index; | |
326 | ||
327 | if (!pgd_present(*pgd_k)) | |
328 | return NULL; | |
329 | ||
330 | /* | |
331 | * set_pgd(pgd, *pgd_k); here would be useless on PAE | |
332 | * and redundant with the set_pmd() on non-PAE. As would | |
333 | * set_pud. | |
334 | */ | |
335 | ||
336 | pud = pud_offset(pgd, address); | |
337 | pud_k = pud_offset(pgd_k, address); | |
338 | if (!pud_present(*pud_k)) | |
339 | return NULL; | |
340 | ||
341 | pmd = pmd_offset(pud, address); | |
342 | pmd_k = pmd_offset(pud_k, address); | |
343 | if (!pmd_present(*pmd_k)) | |
344 | return NULL; | |
345 | if (!pmd_present(*pmd)) { | |
346 | set_pmd(pmd, *pmd_k); | |
347 | arch_flush_lazy_mmu_mode(); | |
348 | } else | |
349 | BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k)); | |
350 | return pmd_k; | |
1da177e4 | 351 | } |
1156e098 | 352 | #endif |
1da177e4 | 353 | |
1dc85be0 | 354 | #ifdef CONFIG_X86_64 |
33cb5243 | 355 | static const char errata93_warning[] = |
1da177e4 LT |
356 | KERN_ERR "******* Your BIOS seems to not contain a fix for K8 errata #93\n" |
357 | KERN_ERR "******* Working around it, but it may cause SEGVs or burn power.\n" | |
358 | KERN_ERR "******* Please consider a BIOS update.\n" | |
359 | KERN_ERR "******* Disabling USB legacy in the BIOS may also help.\n"; | |
fdfe8aa8 | 360 | #endif |
1da177e4 LT |
361 | |
362 | /* Workaround for K8 erratum #93 & buggy BIOS. | |
363 | BIOS SMM functions are required to use a specific workaround | |
33cb5243 HH |
364 | to avoid corruption of the 64bit RIP register on C stepping K8. |
365 | A lot of BIOS that didn't get tested properly miss this. | |
1da177e4 LT |
366 | The OS sees this as a page fault with the upper 32bits of RIP cleared. |
367 | Try to work around it here. | |
fdfe8aa8 HH |
368 | Note we only handle faults in kernel here. |
369 | Does nothing for X86_32 | |
370 | */ | |
33cb5243 | 371 | static int is_errata93(struct pt_regs *regs, unsigned long address) |
1da177e4 | 372 | { |
fdfe8aa8 | 373 | #ifdef CONFIG_X86_64 |
1da177e4 | 374 | static int warned; |
65ea5b03 | 375 | if (address != regs->ip) |
1da177e4 | 376 | return 0; |
33cb5243 | 377 | if ((address >> 32) != 0) |
1da177e4 LT |
378 | return 0; |
379 | address |= 0xffffffffUL << 32; | |
33cb5243 HH |
380 | if ((address >= (u64)_stext && address <= (u64)_etext) || |
381 | (address >= MODULES_VADDR && address <= MODULES_END)) { | |
1da177e4 | 382 | if (!warned) { |
33cb5243 | 383 | printk(errata93_warning); |
1da177e4 LT |
384 | warned = 1; |
385 | } | |
65ea5b03 | 386 | regs->ip = address; |
1da177e4 LT |
387 | return 1; |
388 | } | |
fdfe8aa8 | 389 | #endif |
1da177e4 | 390 | return 0; |
33cb5243 | 391 | } |
1da177e4 | 392 | |
35f3266f HH |
393 | /* |
394 | * Work around K8 erratum #100 K8 in compat mode occasionally jumps to illegal | |
395 | * addresses >4GB. We catch this in the page fault handler because these | |
396 | * addresses are not reachable. Just detect this case and return. Any code | |
397 | * segment in LDT is compatibility mode. | |
398 | */ | |
399 | static int is_errata100(struct pt_regs *regs, unsigned long address) | |
400 | { | |
401 | #ifdef CONFIG_X86_64 | |
402 | if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && | |
403 | (address >> 32)) | |
404 | return 1; | |
405 | #endif | |
406 | return 0; | |
407 | } | |
408 | ||
29caf2f9 HH |
409 | void do_invalid_op(struct pt_regs *, unsigned long); |
410 | ||
411 | static int is_f00f_bug(struct pt_regs *regs, unsigned long address) | |
412 | { | |
413 | #ifdef CONFIG_X86_F00F_BUG | |
414 | unsigned long nr; | |
415 | /* | |
416 | * Pentium F0 0F C7 C8 bug workaround. | |
417 | */ | |
418 | if (boot_cpu_data.f00f_bug) { | |
419 | nr = (address - idt_descr.address) >> 3; | |
420 | ||
421 | if (nr == 6) { | |
422 | do_invalid_op(regs, 0); | |
423 | return 1; | |
424 | } | |
425 | } | |
426 | #endif | |
427 | return 0; | |
428 | } | |
429 | ||
b3279c7f HH |
430 | static void show_fault_oops(struct pt_regs *regs, unsigned long error_code, |
431 | unsigned long address) | |
432 | { | |
1156e098 HH |
433 | #ifdef CONFIG_X86_32 |
434 | if (!oops_may_print()) | |
435 | return; | |
fd40d6e3 | 436 | #endif |
1156e098 HH |
437 | |
438 | #ifdef CONFIG_X86_PAE | |
439 | if (error_code & PF_INSTR) { | |
93809be8 | 440 | unsigned int level; |
1156e098 HH |
441 | pte_t *pte = lookup_address(address, &level); |
442 | ||
443 | if (pte && pte_present(*pte) && !pte_exec(*pte)) | |
444 | printk(KERN_CRIT "kernel tried to execute " | |
445 | "NX-protected page - exploit attempt? " | |
446 | "(uid: %d)\n", current->uid); | |
447 | } | |
448 | #endif | |
1156e098 | 449 | |
19f0dda9 | 450 | printk(KERN_ALERT "BUG: unable to handle kernel "); |
b3279c7f | 451 | if (address < PAGE_SIZE) |
19f0dda9 | 452 | printk(KERN_CONT "NULL pointer dereference"); |
b3279c7f | 453 | else |
19f0dda9 | 454 | printk(KERN_CONT "paging request"); |
fd40d6e3 HH |
455 | #ifdef CONFIG_X86_32 |
456 | printk(KERN_CONT " at %08lx\n", address); | |
457 | #else | |
19f0dda9 | 458 | printk(KERN_CONT " at %016lx\n", address); |
fd40d6e3 | 459 | #endif |
19f0dda9 | 460 | printk(KERN_ALERT "IP:"); |
b3279c7f HH |
461 | printk_address(regs->ip, 1); |
462 | dump_pagetable(address); | |
463 | } | |
464 | ||
1156e098 | 465 | #ifdef CONFIG_X86_64 |
1da177e4 LT |
466 | static noinline void pgtable_bad(unsigned long address, struct pt_regs *regs, |
467 | unsigned long error_code) | |
468 | { | |
1209140c | 469 | unsigned long flags = oops_begin(); |
6e3f3617 | 470 | struct task_struct *tsk; |
1209140c | 471 | |
1da177e4 LT |
472 | printk(KERN_ALERT "%s: Corrupted page table at address %lx\n", |
473 | current->comm, address); | |
474 | dump_pagetable(address); | |
6e3f3617 JB |
475 | tsk = current; |
476 | tsk->thread.cr2 = address; | |
477 | tsk->thread.trap_no = 14; | |
478 | tsk->thread.error_code = error_code; | |
22f5991c JB |
479 | if (__die("Bad pagetable", regs, error_code)) |
480 | regs = NULL; | |
481 | oops_end(flags, regs, SIGKILL); | |
1da177e4 | 482 | } |
1156e098 | 483 | #endif |
1da177e4 | 484 | |
d8b57bb7 TG |
485 | static int spurious_fault_check(unsigned long error_code, pte_t *pte) |
486 | { | |
487 | if ((error_code & PF_WRITE) && !pte_write(*pte)) | |
488 | return 0; | |
489 | if ((error_code & PF_INSTR) && !pte_exec(*pte)) | |
490 | return 0; | |
491 | ||
492 | return 1; | |
493 | } | |
494 | ||
5b727a3b JF |
495 | /* |
496 | * Handle a spurious fault caused by a stale TLB entry. This allows | |
497 | * us to lazily refresh the TLB when increasing the permissions of a | |
498 | * kernel page (RO -> RW or NX -> X). Doing it eagerly is very | |
499 | * expensive since that implies doing a full cross-processor TLB | |
500 | * flush, even if no stale TLB entries exist on other processors. | |
501 | * There are no security implications to leaving a stale TLB when | |
502 | * increasing the permissions on a page. | |
503 | */ | |
504 | static int spurious_fault(unsigned long address, | |
505 | unsigned long error_code) | |
506 | { | |
507 | pgd_t *pgd; | |
508 | pud_t *pud; | |
509 | pmd_t *pmd; | |
510 | pte_t *pte; | |
511 | ||
512 | /* Reserved-bit violation or user access to kernel space? */ | |
513 | if (error_code & (PF_USER | PF_RSVD)) | |
514 | return 0; | |
515 | ||
516 | pgd = init_mm.pgd + pgd_index(address); | |
517 | if (!pgd_present(*pgd)) | |
518 | return 0; | |
519 | ||
520 | pud = pud_offset(pgd, address); | |
521 | if (!pud_present(*pud)) | |
522 | return 0; | |
523 | ||
d8b57bb7 TG |
524 | if (pud_large(*pud)) |
525 | return spurious_fault_check(error_code, (pte_t *) pud); | |
526 | ||
5b727a3b JF |
527 | pmd = pmd_offset(pud, address); |
528 | if (!pmd_present(*pmd)) | |
529 | return 0; | |
530 | ||
d8b57bb7 TG |
531 | if (pmd_large(*pmd)) |
532 | return spurious_fault_check(error_code, (pte_t *) pmd); | |
533 | ||
5b727a3b JF |
534 | pte = pte_offset_kernel(pmd, address); |
535 | if (!pte_present(*pte)) | |
536 | return 0; | |
537 | ||
d8b57bb7 | 538 | return spurious_fault_check(error_code, pte); |
5b727a3b JF |
539 | } |
540 | ||
1da177e4 | 541 | /* |
f8c2ee22 HH |
542 | * X86_32 |
543 | * Handle a fault on the vmalloc or module mapping area | |
544 | * | |
545 | * X86_64 | |
f95190b2 | 546 | * Handle a fault on the vmalloc area |
3b9ba4d5 AK |
547 | * |
548 | * This assumes no large pages in there. | |
1da177e4 LT |
549 | */ |
550 | static int vmalloc_fault(unsigned long address) | |
551 | { | |
fdfe8aa8 HH |
552 | #ifdef CONFIG_X86_32 |
553 | unsigned long pgd_paddr; | |
554 | pmd_t *pmd_k; | |
555 | pte_t *pte_k; | |
556 | /* | |
557 | * Synchronize this task's top level page-table | |
558 | * with the 'reference' page table. | |
559 | * | |
560 | * Do _not_ use "current" here. We might be inside | |
561 | * an interrupt in the middle of a task switch.. | |
562 | */ | |
563 | pgd_paddr = read_cr3(); | |
564 | pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); | |
565 | if (!pmd_k) | |
566 | return -1; | |
567 | pte_k = pte_offset_kernel(pmd_k, address); | |
568 | if (!pte_present(*pte_k)) | |
569 | return -1; | |
570 | return 0; | |
571 | #else | |
1da177e4 LT |
572 | pgd_t *pgd, *pgd_ref; |
573 | pud_t *pud, *pud_ref; | |
574 | pmd_t *pmd, *pmd_ref; | |
575 | pte_t *pte, *pte_ref; | |
576 | ||
cf89ec92 HH |
577 | /* Make sure we are in vmalloc area */ |
578 | if (!(address >= VMALLOC_START && address < VMALLOC_END)) | |
579 | return -1; | |
580 | ||
1da177e4 LT |
581 | /* Copy kernel mappings over when needed. This can also |
582 | happen within a race in page table update. In the later | |
583 | case just flush. */ | |
584 | ||
585 | pgd = pgd_offset(current->mm ?: &init_mm, address); | |
586 | pgd_ref = pgd_offset_k(address); | |
587 | if (pgd_none(*pgd_ref)) | |
588 | return -1; | |
589 | if (pgd_none(*pgd)) | |
590 | set_pgd(pgd, *pgd_ref); | |
8c914cb7 | 591 | else |
46a82b2d | 592 | BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); |
1da177e4 LT |
593 | |
594 | /* Below here mismatches are bugs because these lower tables | |
595 | are shared */ | |
596 | ||
597 | pud = pud_offset(pgd, address); | |
598 | pud_ref = pud_offset(pgd_ref, address); | |
599 | if (pud_none(*pud_ref)) | |
600 | return -1; | |
46a82b2d | 601 | if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref)) |
1da177e4 LT |
602 | BUG(); |
603 | pmd = pmd_offset(pud, address); | |
604 | pmd_ref = pmd_offset(pud_ref, address); | |
605 | if (pmd_none(*pmd_ref)) | |
606 | return -1; | |
607 | if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref)) | |
608 | BUG(); | |
609 | pte_ref = pte_offset_kernel(pmd_ref, address); | |
610 | if (!pte_present(*pte_ref)) | |
611 | return -1; | |
612 | pte = pte_offset_kernel(pmd, address); | |
3b9ba4d5 AK |
613 | /* Don't use pte_page here, because the mappings can point |
614 | outside mem_map, and the NUMA hash lookup cannot handle | |
615 | that. */ | |
616 | if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref)) | |
1da177e4 | 617 | BUG(); |
1da177e4 | 618 | return 0; |
fdfe8aa8 | 619 | #endif |
1da177e4 LT |
620 | } |
621 | ||
abd4f750 | 622 | int show_unhandled_signals = 1; |
1da177e4 LT |
623 | |
624 | /* | |
625 | * This routine handles page faults. It determines the address, | |
626 | * and the problem, and then passes it off to one of the appropriate | |
627 | * routines. | |
1da177e4 | 628 | */ |
f8c2ee22 HH |
629 | #ifdef CONFIG_X86_64 |
630 | asmlinkage | |
631 | #endif | |
632 | void __kprobes do_page_fault(struct pt_regs *regs, unsigned long error_code) | |
1da177e4 LT |
633 | { |
634 | struct task_struct *tsk; | |
635 | struct mm_struct *mm; | |
33cb5243 | 636 | struct vm_area_struct *vma; |
1da177e4 | 637 | unsigned long address; |
f8c2ee22 HH |
638 | int write, si_code; |
639 | int fault; | |
640 | #ifdef CONFIG_X86_64 | |
1209140c | 641 | unsigned long flags; |
f8c2ee22 | 642 | #endif |
1da177e4 | 643 | |
143a5d32 PZ |
644 | /* |
645 | * We can fault from pretty much anywhere, with unknown IRQ state. | |
646 | */ | |
647 | trace_hardirqs_fixup(); | |
648 | ||
a9ba9a3b AV |
649 | tsk = current; |
650 | mm = tsk->mm; | |
651 | prefetchw(&mm->mmap_sem); | |
652 | ||
1da177e4 | 653 | /* get the address */ |
f51c9452 | 654 | address = read_cr2(); |
1da177e4 | 655 | |
c4aba4a8 | 656 | si_code = SEGV_MAPERR; |
1da177e4 | 657 | |
608566b4 HH |
658 | if (notify_page_fault(regs)) |
659 | return; | |
10c43d2e | 660 | if (call_mmiotrace(regs, error_code, address)) |
86069782 | 661 | return; |
1da177e4 LT |
662 | |
663 | /* | |
664 | * We fault-in kernel-space virtual memory on-demand. The | |
665 | * 'reference' page table is init_mm.pgd. | |
666 | * | |
667 | * NOTE! We MUST NOT take any locks for this case. We may | |
668 | * be in an interrupt or a critical region, and should | |
669 | * only copy the information from the master page table, | |
670 | * nothing more. | |
671 | * | |
672 | * This verifies that the fault happens in kernel space | |
673 | * (error_code & 4) == 0, and that the fault was not a | |
8b1bde93 | 674 | * protection error (error_code & 9) == 0. |
1da177e4 | 675 | */ |
f8c2ee22 HH |
676 | #ifdef CONFIG_X86_32 |
677 | if (unlikely(address >= TASK_SIZE)) { | |
cf89ec92 HH |
678 | #else |
679 | if (unlikely(address >= TASK_SIZE64)) { | |
680 | #endif | |
f8c2ee22 HH |
681 | if (!(error_code & (PF_RSVD|PF_USER|PF_PROT)) && |
682 | vmalloc_fault(address) >= 0) | |
683 | return; | |
5b727a3b JF |
684 | |
685 | /* Can handle a stale RO->RW TLB */ | |
686 | if (spurious_fault(address, error_code)) | |
687 | return; | |
688 | ||
f8c2ee22 HH |
689 | /* |
690 | * Don't take the mm semaphore here. If we fixup a prefetch | |
691 | * fault we could otherwise deadlock. | |
692 | */ | |
693 | goto bad_area_nosemaphore; | |
694 | } | |
695 | ||
cf89ec92 HH |
696 | |
697 | #ifdef CONFIG_X86_32 | |
f8c2ee22 HH |
698 | /* It's safe to allow irq's after cr2 has been saved and the vmalloc |
699 | fault has been handled. */ | |
6b6891f9 | 700 | if (regs->flags & (X86_EFLAGS_IF | X86_VM_MASK)) |
f8c2ee22 HH |
701 | local_irq_enable(); |
702 | ||
703 | /* | |
704 | * If we're in an interrupt, have no user context or are running in an | |
705 | * atomic region then we must not take the fault. | |
706 | */ | |
707 | if (in_atomic() || !mm) | |
708 | goto bad_area_nosemaphore; | |
709 | #else /* CONFIG_X86_64 */ | |
65ea5b03 | 710 | if (likely(regs->flags & X86_EFLAGS_IF)) |
8c914cb7 JB |
711 | local_irq_enable(); |
712 | ||
66c58156 | 713 | if (unlikely(error_code & PF_RSVD)) |
1da177e4 LT |
714 | pgtable_bad(address, regs, error_code); |
715 | ||
716 | /* | |
33cb5243 HH |
717 | * If we're in an interrupt, have no user context or are running in an |
718 | * atomic region then we must not take the fault. | |
1da177e4 LT |
719 | */ |
720 | if (unlikely(in_atomic() || !mm)) | |
721 | goto bad_area_nosemaphore; | |
722 | ||
dbe3ed1c LT |
723 | /* |
724 | * User-mode registers count as a user access even for any | |
725 | * potential system fault or CPU buglet. | |
726 | */ | |
727 | if (user_mode_vm(regs)) | |
728 | error_code |= PF_USER; | |
f8c2ee22 HH |
729 | again: |
730 | #endif | |
1da177e4 LT |
731 | /* When running in the kernel we expect faults to occur only to |
732 | * addresses in user space. All other faults represent errors in the | |
676b1855 | 733 | * kernel and should generate an OOPS. Unfortunately, in the case of an |
80f7228b | 734 | * erroneous fault occurring in a code path which already holds mmap_sem |
1da177e4 LT |
735 | * we will deadlock attempting to validate the fault against the |
736 | * address space. Luckily the kernel only validly references user | |
737 | * space from well defined areas of code, which are listed in the | |
738 | * exceptions table. | |
739 | * | |
740 | * As the vast majority of faults will be valid we will only perform | |
676b1855 | 741 | * the source reference check when there is a possibility of a deadlock. |
1da177e4 LT |
742 | * Attempt to lock the address space, if we cannot we then validate the |
743 | * source. If this is invalid we can skip the address space check, | |
744 | * thus avoiding the deadlock. | |
745 | */ | |
746 | if (!down_read_trylock(&mm->mmap_sem)) { | |
66c58156 | 747 | if ((error_code & PF_USER) == 0 && |
65ea5b03 | 748 | !search_exception_tables(regs->ip)) |
1da177e4 LT |
749 | goto bad_area_nosemaphore; |
750 | down_read(&mm->mmap_sem); | |
751 | } | |
752 | ||
753 | vma = find_vma(mm, address); | |
754 | if (!vma) | |
755 | goto bad_area; | |
f8c2ee22 | 756 | if (vma->vm_start <= address) |
1da177e4 LT |
757 | goto good_area; |
758 | if (!(vma->vm_flags & VM_GROWSDOWN)) | |
759 | goto bad_area; | |
33cb5243 | 760 | if (error_code & PF_USER) { |
6f4d368e HH |
761 | /* |
762 | * Accessing the stack below %sp is always a bug. | |
763 | * The large cushion allows instructions like enter | |
764 | * and pusha to work. ("enter $65535,$31" pushes | |
765 | * 32 pointers and then decrements %sp by 65535.) | |
03fdc2c2 | 766 | */ |
65ea5b03 | 767 | if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp) |
1da177e4 LT |
768 | goto bad_area; |
769 | } | |
770 | if (expand_stack(vma, address)) | |
771 | goto bad_area; | |
772 | /* | |
773 | * Ok, we have a good vm_area for this memory access, so | |
774 | * we can handle it.. | |
775 | */ | |
776 | good_area: | |
c4aba4a8 | 777 | si_code = SEGV_ACCERR; |
1da177e4 | 778 | write = 0; |
66c58156 | 779 | switch (error_code & (PF_PROT|PF_WRITE)) { |
33cb5243 HH |
780 | default: /* 3: write, present */ |
781 | /* fall through */ | |
782 | case PF_WRITE: /* write, not present */ | |
783 | if (!(vma->vm_flags & VM_WRITE)) | |
784 | goto bad_area; | |
785 | write++; | |
786 | break; | |
787 | case PF_PROT: /* read, present */ | |
788 | goto bad_area; | |
789 | case 0: /* read, not present */ | |
790 | if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) | |
1da177e4 | 791 | goto bad_area; |
1da177e4 LT |
792 | } |
793 | ||
f8c2ee22 HH |
794 | #ifdef CONFIG_X86_32 |
795 | survive: | |
796 | #endif | |
1da177e4 LT |
797 | /* |
798 | * If for any reason at all we couldn't handle the fault, | |
799 | * make sure we exit gracefully rather than endlessly redo | |
800 | * the fault. | |
801 | */ | |
83c54070 NP |
802 | fault = handle_mm_fault(mm, vma, address, write); |
803 | if (unlikely(fault & VM_FAULT_ERROR)) { | |
804 | if (fault & VM_FAULT_OOM) | |
805 | goto out_of_memory; | |
806 | else if (fault & VM_FAULT_SIGBUS) | |
807 | goto do_sigbus; | |
808 | BUG(); | |
1da177e4 | 809 | } |
83c54070 NP |
810 | if (fault & VM_FAULT_MAJOR) |
811 | tsk->maj_flt++; | |
812 | else | |
813 | tsk->min_flt++; | |
d729ab35 HH |
814 | |
815 | #ifdef CONFIG_X86_32 | |
816 | /* | |
817 | * Did it hit the DOS screen memory VA from vm86 mode? | |
818 | */ | |
819 | if (v8086_mode(regs)) { | |
820 | unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT; | |
821 | if (bit < 32) | |
822 | tsk->thread.screen_bitmap |= 1 << bit; | |
823 | } | |
824 | #endif | |
1da177e4 LT |
825 | up_read(&mm->mmap_sem); |
826 | return; | |
827 | ||
828 | /* | |
829 | * Something tried to access memory that isn't in our memory map.. | |
830 | * Fix it, but check if it's kernel or user first.. | |
831 | */ | |
832 | bad_area: | |
833 | up_read(&mm->mmap_sem); | |
834 | ||
835 | bad_area_nosemaphore: | |
1da177e4 | 836 | /* User mode accesses just cause a SIGSEGV */ |
66c58156 | 837 | if (error_code & PF_USER) { |
e5e3c84b SR |
838 | /* |
839 | * It's possible to have interrupts off here. | |
840 | */ | |
841 | local_irq_enable(); | |
842 | ||
1156e098 HH |
843 | /* |
844 | * Valid to do another page fault here because this one came | |
845 | * from user space. | |
846 | */ | |
1da177e4 LT |
847 | if (is_prefetch(regs, address, error_code)) |
848 | return; | |
849 | ||
35f3266f | 850 | if (is_errata100(regs, address)) |
1da177e4 LT |
851 | return; |
852 | ||
abd4f750 MAS |
853 | if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) && |
854 | printk_ratelimit()) { | |
1da177e4 | 855 | printk( |
6f4d368e | 856 | #ifdef CONFIG_X86_32 |
edcd8119 | 857 | "%s%s[%d]: segfault at %lx ip %08lx sp %08lx error %lx", |
6f4d368e | 858 | #else |
03252919 | 859 | "%s%s[%d]: segfault at %lx ip %lx sp %lx error %lx", |
6f4d368e HH |
860 | #endif |
861 | task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG, | |
862 | tsk->comm, task_pid_nr(tsk), address, regs->ip, | |
863 | regs->sp, error_code); | |
03252919 AK |
864 | print_vma_addr(" in ", regs->ip); |
865 | printk("\n"); | |
1da177e4 | 866 | } |
33cb5243 | 867 | |
1da177e4 LT |
868 | tsk->thread.cr2 = address; |
869 | /* Kernel addresses are always protection faults */ | |
870 | tsk->thread.error_code = error_code | (address >= TASK_SIZE); | |
871 | tsk->thread.trap_no = 14; | |
c4aba4a8 | 872 | force_sig_info_fault(SIGSEGV, si_code, address, tsk); |
1da177e4 LT |
873 | return; |
874 | } | |
875 | ||
29caf2f9 HH |
876 | if (is_f00f_bug(regs, address)) |
877 | return; | |
878 | ||
1da177e4 | 879 | no_context: |
1da177e4 | 880 | /* Are we prepared to handle this kernel fault? */ |
33cb5243 | 881 | if (fixup_exception(regs)) |
1da177e4 | 882 | return; |
1da177e4 | 883 | |
33cb5243 | 884 | /* |
f8c2ee22 HH |
885 | * X86_32 |
886 | * Valid to do another page fault here, because if this fault | |
887 | * had been triggered by is_prefetch fixup_exception would have | |
888 | * handled it. | |
889 | * | |
890 | * X86_64 | |
1da177e4 LT |
891 | * Hall of shame of CPU/BIOS bugs. |
892 | */ | |
33cb5243 HH |
893 | if (is_prefetch(regs, address, error_code)) |
894 | return; | |
1da177e4 LT |
895 | |
896 | if (is_errata93(regs, address)) | |
33cb5243 | 897 | return; |
1da177e4 LT |
898 | |
899 | /* | |
900 | * Oops. The kernel tried to access some bad page. We'll have to | |
901 | * terminate things with extreme prejudice. | |
902 | */ | |
f8c2ee22 HH |
903 | #ifdef CONFIG_X86_32 |
904 | bust_spinlocks(1); | |
fd40d6e3 HH |
905 | #else |
906 | flags = oops_begin(); | |
907 | #endif | |
f8c2ee22 HH |
908 | |
909 | show_fault_oops(regs, error_code, address); | |
1da177e4 | 910 | |
f8c2ee22 HH |
911 | tsk->thread.cr2 = address; |
912 | tsk->thread.trap_no = 14; | |
913 | tsk->thread.error_code = error_code; | |
fd40d6e3 HH |
914 | |
915 | #ifdef CONFIG_X86_32 | |
f8c2ee22 HH |
916 | die("Oops", regs, error_code); |
917 | bust_spinlocks(0); | |
918 | do_exit(SIGKILL); | |
fd40d6e3 | 919 | #else |
22f5991c JB |
920 | if (__die("Oops", regs, error_code)) |
921 | regs = NULL; | |
1da177e4 LT |
922 | /* Executive summary in case the body of the oops scrolled away */ |
923 | printk(KERN_EMERG "CR2: %016lx\n", address); | |
22f5991c | 924 | oops_end(flags, regs, SIGKILL); |
f8c2ee22 | 925 | #endif |
1da177e4 LT |
926 | |
927 | /* | |
928 | * We ran out of memory, or some other thing happened to us that made | |
929 | * us unable to handle the page fault gracefully. | |
930 | */ | |
931 | out_of_memory: | |
932 | up_read(&mm->mmap_sem); | |
f8c2ee22 HH |
933 | if (is_global_init(tsk)) { |
934 | yield(); | |
fd40d6e3 | 935 | #ifdef CONFIG_X86_32 |
f8c2ee22 HH |
936 | down_read(&mm->mmap_sem); |
937 | goto survive; | |
f8c2ee22 | 938 | #else |
1da177e4 | 939 | goto again; |
f8c2ee22 | 940 | #endif |
fd40d6e3 HH |
941 | } |
942 | ||
1da177e4 | 943 | printk("VM: killing process %s\n", tsk->comm); |
318aa296 | 944 | if (error_code & PF_USER) |
021daae2 | 945 | do_group_exit(SIGKILL); |
1da177e4 LT |
946 | goto no_context; |
947 | ||
948 | do_sigbus: | |
949 | up_read(&mm->mmap_sem); | |
950 | ||
951 | /* Kernel mode? Handle exceptions or die */ | |
66c58156 | 952 | if (!(error_code & PF_USER)) |
1da177e4 | 953 | goto no_context; |
f8c2ee22 HH |
954 | #ifdef CONFIG_X86_32 |
955 | /* User space => ok to do another page fault */ | |
956 | if (is_prefetch(regs, address, error_code)) | |
957 | return; | |
958 | #endif | |
1da177e4 LT |
959 | tsk->thread.cr2 = address; |
960 | tsk->thread.error_code = error_code; | |
961 | tsk->thread.trap_no = 14; | |
c4aba4a8 | 962 | force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk); |
1da177e4 | 963 | } |
9e43e1b7 | 964 | |
8c914cb7 | 965 | DEFINE_SPINLOCK(pgd_lock); |
2bff7383 | 966 | LIST_HEAD(pgd_list); |
8c914cb7 JB |
967 | |
968 | void vmalloc_sync_all(void) | |
969 | { | |
1156e098 HH |
970 | #ifdef CONFIG_X86_32 |
971 | /* | |
972 | * Note that races in the updates of insync and start aren't | |
973 | * problematic: insync can only get set bits added, and updates to | |
974 | * start are only improving performance (without affecting correctness | |
975 | * if undone). | |
976 | */ | |
977 | static DECLARE_BITMAP(insync, PTRS_PER_PGD); | |
978 | static unsigned long start = TASK_SIZE; | |
979 | unsigned long address; | |
980 | ||
981 | if (SHARED_KERNEL_PMD) | |
982 | return; | |
983 | ||
984 | BUILD_BUG_ON(TASK_SIZE & ~PGDIR_MASK); | |
985 | for (address = start; address >= TASK_SIZE; address += PGDIR_SIZE) { | |
986 | if (!test_bit(pgd_index(address), insync)) { | |
987 | unsigned long flags; | |
988 | struct page *page; | |
989 | ||
990 | spin_lock_irqsave(&pgd_lock, flags); | |
e3ed910d | 991 | list_for_each_entry(page, &pgd_list, lru) { |
1156e098 | 992 | if (!vmalloc_sync_one(page_address(page), |
e3ed910d | 993 | address)) |
1156e098 | 994 | break; |
e3ed910d | 995 | } |
1156e098 HH |
996 | spin_unlock_irqrestore(&pgd_lock, flags); |
997 | if (!page) | |
998 | set_bit(pgd_index(address), insync); | |
999 | } | |
1000 | if (address == start && test_bit(pgd_index(address), insync)) | |
1001 | start = address + PGDIR_SIZE; | |
1002 | } | |
1003 | #else /* CONFIG_X86_64 */ | |
6f4d368e HH |
1004 | /* |
1005 | * Note that races in the updates of insync and start aren't | |
1006 | * problematic: insync can only get set bits added, and updates to | |
1007 | * start are only improving performance (without affecting correctness | |
1008 | * if undone). | |
1009 | */ | |
8c914cb7 JB |
1010 | static DECLARE_BITMAP(insync, PTRS_PER_PGD); |
1011 | static unsigned long start = VMALLOC_START & PGDIR_MASK; | |
1012 | unsigned long address; | |
1013 | ||
1014 | for (address = start; address <= VMALLOC_END; address += PGDIR_SIZE) { | |
1015 | if (!test_bit(pgd_index(address), insync)) { | |
1016 | const pgd_t *pgd_ref = pgd_offset_k(address); | |
58d5d0d8 | 1017 | unsigned long flags; |
8c914cb7 JB |
1018 | struct page *page; |
1019 | ||
1020 | if (pgd_none(*pgd_ref)) | |
1021 | continue; | |
58d5d0d8 | 1022 | spin_lock_irqsave(&pgd_lock, flags); |
2bff7383 | 1023 | list_for_each_entry(page, &pgd_list, lru) { |
8c914cb7 JB |
1024 | pgd_t *pgd; |
1025 | pgd = (pgd_t *)page_address(page) + pgd_index(address); | |
1026 | if (pgd_none(*pgd)) | |
1027 | set_pgd(pgd, *pgd_ref); | |
1028 | else | |
46a82b2d | 1029 | BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); |
8c914cb7 | 1030 | } |
58d5d0d8 | 1031 | spin_unlock_irqrestore(&pgd_lock, flags); |
8c914cb7 JB |
1032 | set_bit(pgd_index(address), insync); |
1033 | } | |
1034 | if (address == start) | |
1035 | start = address + PGDIR_SIZE; | |
1036 | } | |
1156e098 | 1037 | #endif |
8c914cb7 | 1038 | } |