Commit | Line | Data |
---|---|---|
1da177e4 | 1 | /* |
1da177e4 LT |
2 | * Copyright (C) 1995 Linus Torvalds |
3 | */ | |
4 | ||
5 | #include <linux/signal.h> | |
6 | #include <linux/sched.h> | |
7 | #include <linux/kernel.h> | |
8 | #include <linux/errno.h> | |
9 | #include <linux/string.h> | |
10 | #include <linux/types.h> | |
11 | #include <linux/ptrace.h> | |
12 | #include <linux/mman.h> | |
13 | #include <linux/mm.h> | |
14 | #include <linux/smp.h> | |
1da177e4 LT |
15 | #include <linux/interrupt.h> |
16 | #include <linux/init.h> | |
17 | #include <linux/tty.h> | |
18 | #include <linux/vt_kern.h> /* For unblank_screen() */ | |
19 | #include <linux/highmem.h> | |
28609f6e | 20 | #include <linux/bootmem.h> /* for max_low_pfn */ |
1eeb66a1 | 21 | #include <linux/vmalloc.h> |
1da177e4 | 22 | #include <linux/module.h> |
3d97ae5b | 23 | #include <linux/kprobes.h> |
11a4180c | 24 | #include <linux/uaccess.h> |
1eeb66a1 | 25 | #include <linux/kdebug.h> |
1da177e4 LT |
26 | |
27 | #include <asm/system.h> | |
1da177e4 | 28 | #include <asm/desc.h> |
78be3706 | 29 | #include <asm/segment.h> |
1da177e4 | 30 | |
33cb5243 HH |
31 | /* |
32 | * Page fault error code bits | |
33 | * bit 0 == 0 means no page found, 1 means protection fault | |
34 | * bit 1 == 0 means read, 1 means write | |
35 | * bit 2 == 0 means kernel, 1 means user-mode | |
36 | * bit 3 == 1 means use of reserved bit detected | |
37 | * bit 4 == 1 means fault was an instruction fetch | |
38 | */ | |
6f4d368e | 39 | #define PF_PROT (1<<0) |
33cb5243 | 40 | #define PF_WRITE (1<<1) |
6f4d368e HH |
41 | #define PF_USER (1<<2) |
42 | #define PF_RSVD (1<<3) | |
33cb5243 HH |
43 | #define PF_INSTR (1<<4) |
44 | ||
74a0b576 | 45 | static inline int notify_page_fault(struct pt_regs *regs) |
b71b5b65 | 46 | { |
33cb5243 | 47 | #ifdef CONFIG_KPROBES |
74a0b576 CH |
48 | int ret = 0; |
49 | ||
50 | /* kprobe_running() needs smp_processor_id() */ | |
51 | if (!user_mode_vm(regs)) { | |
52 | preempt_disable(); | |
53 | if (kprobe_running() && kprobe_fault_handler(regs, 14)) | |
54 | ret = 1; | |
55 | preempt_enable(); | |
56 | } | |
b71b5b65 | 57 | |
74a0b576 | 58 | return ret; |
74a0b576 | 59 | #else |
74a0b576 | 60 | return 0; |
74a0b576 | 61 | #endif |
33cb5243 | 62 | } |
b71b5b65 | 63 | |
33cb5243 | 64 | /* |
1dc85be0 | 65 | * X86_32 |
1da177e4 LT |
66 | * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch. |
67 | * Check that here and ignore it. | |
1dc85be0 HH |
68 | * |
69 | * X86_64 | |
70 | * Sometimes the CPU reports invalid exceptions on prefetch. | |
71 | * Check that here and ignore it. | |
72 | * | |
73 | * Opcode checker based on code by Richard Brunner | |
1da177e4 | 74 | */ |
1dc85be0 HH |
75 | static int is_prefetch(struct pt_regs *regs, unsigned long addr, |
76 | unsigned long error_code) | |
33cb5243 | 77 | { |
1dc85be0 | 78 | unsigned char *instr; |
1da177e4 | 79 | int scan_more = 1; |
33cb5243 | 80 | int prefetch = 0; |
1dc85be0 HH |
81 | unsigned char *max_instr; |
82 | ||
83 | #ifdef CONFIG_X86_32 | |
1dc85be0 HH |
84 | if (unlikely(boot_cpu_data.x86_vendor == X86_VENDOR_AMD && |
85 | boot_cpu_data.x86 >= 6)) { | |
86 | /* Catch an obscure case of prefetch inside an NX page. */ | |
87 | if (nx_enabled && (error_code & PF_INSTR)) | |
88 | return 0; | |
89 | } else { | |
90 | return 0; | |
91 | } | |
1dc85be0 HH |
92 | #else |
93 | /* If it was a exec fault ignore */ | |
94 | if (error_code & PF_INSTR) | |
95 | return 0; | |
1dc85be0 | 96 | #endif |
1da177e4 | 97 | |
f2857ce9 | 98 | instr = (unsigned char *)convert_ip_to_linear(current, regs); |
1dc85be0 HH |
99 | max_instr = instr + 15; |
100 | ||
1dc85be0 HH |
101 | if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE) |
102 | return 0; | |
1dc85be0 HH |
103 | |
104 | while (scan_more && instr < max_instr) { | |
1da177e4 LT |
105 | unsigned char opcode; |
106 | unsigned char instr_hi; | |
107 | unsigned char instr_lo; | |
108 | ||
11a4180c | 109 | if (probe_kernel_address(instr, opcode)) |
33cb5243 | 110 | break; |
1da177e4 | 111 | |
33cb5243 HH |
112 | instr_hi = opcode & 0xf0; |
113 | instr_lo = opcode & 0x0f; | |
1da177e4 LT |
114 | instr++; |
115 | ||
33cb5243 | 116 | switch (instr_hi) { |
1da177e4 LT |
117 | case 0x20: |
118 | case 0x30: | |
33cb5243 HH |
119 | /* |
120 | * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. | |
121 | * In X86_64 long mode, the CPU will signal invalid | |
122 | * opcode if some of these prefixes are present so | |
123 | * X86_64 will never get here anyway | |
124 | */ | |
1da177e4 LT |
125 | scan_more = ((instr_lo & 7) == 0x6); |
126 | break; | |
33cb5243 HH |
127 | #ifdef CONFIG_X86_64 |
128 | case 0x40: | |
129 | /* | |
130 | * In AMD64 long mode 0x40..0x4F are valid REX prefixes | |
131 | * Need to figure out under what instruction mode the | |
132 | * instruction was issued. Could check the LDT for lm, | |
133 | * but for now it's good enough to assume that long | |
134 | * mode only uses well known segments or kernel. | |
135 | */ | |
136 | scan_more = (!user_mode(regs)) || (regs->cs == __USER_CS); | |
137 | break; | |
138 | #endif | |
1da177e4 LT |
139 | case 0x60: |
140 | /* 0x64 thru 0x67 are valid prefixes in all modes. */ | |
141 | scan_more = (instr_lo & 0xC) == 0x4; | |
33cb5243 | 142 | break; |
1da177e4 | 143 | case 0xF0: |
33cb5243 | 144 | /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */ |
1da177e4 | 145 | scan_more = !instr_lo || (instr_lo>>1) == 1; |
33cb5243 | 146 | break; |
1da177e4 LT |
147 | case 0x00: |
148 | /* Prefetch instruction is 0x0F0D or 0x0F18 */ | |
149 | scan_more = 0; | |
f2857ce9 | 150 | |
11a4180c | 151 | if (probe_kernel_address(instr, opcode)) |
1da177e4 LT |
152 | break; |
153 | prefetch = (instr_lo == 0xF) && | |
154 | (opcode == 0x0D || opcode == 0x18); | |
33cb5243 | 155 | break; |
1da177e4 LT |
156 | default: |
157 | scan_more = 0; | |
158 | break; | |
33cb5243 | 159 | } |
1da177e4 LT |
160 | } |
161 | return prefetch; | |
162 | } | |
163 | ||
c4aba4a8 | 164 | static void force_sig_info_fault(int si_signo, int si_code, |
869f96a0 IM |
165 | unsigned long address, struct task_struct *tsk) |
166 | { | |
167 | siginfo_t info; | |
168 | ||
169 | info.si_signo = si_signo; | |
170 | info.si_errno = 0; | |
171 | info.si_code = si_code; | |
172 | info.si_addr = (void __user *)address; | |
173 | force_sig_info(si_signo, &info, tsk); | |
174 | } | |
175 | ||
e66a9512 HH |
176 | void dump_pagetable(unsigned long address) |
177 | { | |
178 | __typeof__(pte_val(__pte(0))) page; | |
179 | ||
180 | page = read_cr3(); | |
181 | page = ((__typeof__(page) *) __va(page))[address >> PGDIR_SHIFT]; | |
182 | #ifdef CONFIG_X86_PAE | |
183 | printk("*pdpt = %016Lx ", page); | |
184 | if ((page >> PAGE_SHIFT) < max_low_pfn | |
185 | && page & _PAGE_PRESENT) { | |
186 | page &= PAGE_MASK; | |
187 | page = ((__typeof__(page) *) __va(page))[(address >> PMD_SHIFT) | |
188 | & (PTRS_PER_PMD - 1)]; | |
189 | printk(KERN_CONT "*pde = %016Lx ", page); | |
190 | page &= ~_PAGE_NX; | |
191 | } | |
192 | #else | |
193 | printk("*pde = %08lx ", page); | |
194 | #endif | |
195 | ||
196 | /* | |
197 | * We must not directly access the pte in the highpte | |
198 | * case if the page table is located in highmem. | |
199 | * And let's rather not kmap-atomic the pte, just in case | |
200 | * it's allocated already. | |
201 | */ | |
202 | if ((page >> PAGE_SHIFT) < max_low_pfn | |
203 | && (page & _PAGE_PRESENT) | |
204 | && !(page & _PAGE_PSE)) { | |
205 | page &= PAGE_MASK; | |
206 | page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT) | |
207 | & (PTRS_PER_PTE - 1)]; | |
208 | printk("*pte = %0*Lx ", sizeof(page)*2, (u64)page); | |
209 | } | |
210 | ||
211 | printk("\n"); | |
212 | } | |
213 | ||
101f12af JB |
214 | static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address) |
215 | { | |
216 | unsigned index = pgd_index(address); | |
217 | pgd_t *pgd_k; | |
218 | pud_t *pud, *pud_k; | |
219 | pmd_t *pmd, *pmd_k; | |
220 | ||
221 | pgd += index; | |
222 | pgd_k = init_mm.pgd + index; | |
223 | ||
224 | if (!pgd_present(*pgd_k)) | |
225 | return NULL; | |
226 | ||
227 | /* | |
228 | * set_pgd(pgd, *pgd_k); here would be useless on PAE | |
229 | * and redundant with the set_pmd() on non-PAE. As would | |
230 | * set_pud. | |
231 | */ | |
232 | ||
233 | pud = pud_offset(pgd, address); | |
234 | pud_k = pud_offset(pgd_k, address); | |
235 | if (!pud_present(*pud_k)) | |
236 | return NULL; | |
237 | ||
238 | pmd = pmd_offset(pud, address); | |
239 | pmd_k = pmd_offset(pud_k, address); | |
240 | if (!pmd_present(*pmd_k)) | |
241 | return NULL; | |
8b14cb99 | 242 | if (!pmd_present(*pmd)) { |
101f12af | 243 | set_pmd(pmd, *pmd_k); |
8b14cb99 ZA |
244 | arch_flush_lazy_mmu_mode(); |
245 | } else | |
101f12af JB |
246 | BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k)); |
247 | return pmd_k; | |
248 | } | |
249 | ||
1dc85be0 HH |
250 | #ifdef CONFIG_X86_64 |
251 | static const char errata93_warning[] = | |
252 | KERN_ERR "******* Your BIOS seems to not contain a fix for K8 errata #93\n" | |
253 | KERN_ERR "******* Working around it, but it may cause SEGVs or burn power.\n" | |
254 | KERN_ERR "******* Please consider a BIOS update.\n" | |
255 | KERN_ERR "******* Disabling USB legacy in the BIOS may also help.\n"; | |
fdfe8aa8 | 256 | #endif |
1dc85be0 HH |
257 | |
258 | /* Workaround for K8 erratum #93 & buggy BIOS. | |
259 | BIOS SMM functions are required to use a specific workaround | |
260 | to avoid corruption of the 64bit RIP register on C stepping K8. | |
261 | A lot of BIOS that didn't get tested properly miss this. | |
262 | The OS sees this as a page fault with the upper 32bits of RIP cleared. | |
263 | Try to work around it here. | |
fdfe8aa8 HH |
264 | Note we only handle faults in kernel here. |
265 | Does nothing for X86_32 | |
266 | */ | |
1dc85be0 HH |
267 | static int is_errata93(struct pt_regs *regs, unsigned long address) |
268 | { | |
fdfe8aa8 | 269 | #ifdef CONFIG_X86_64 |
1dc85be0 HH |
270 | static int warned; |
271 | if (address != regs->ip) | |
272 | return 0; | |
273 | if ((address >> 32) != 0) | |
274 | return 0; | |
275 | address |= 0xffffffffUL << 32; | |
276 | if ((address >= (u64)_stext && address <= (u64)_etext) || | |
277 | (address >= MODULES_VADDR && address <= MODULES_END)) { | |
278 | if (!warned) { | |
279 | printk(errata93_warning); | |
280 | warned = 1; | |
281 | } | |
282 | regs->ip = address; | |
283 | return 1; | |
284 | } | |
fdfe8aa8 | 285 | #endif |
1dc85be0 HH |
286 | return 0; |
287 | } | |
fdfe8aa8 | 288 | |
29caf2f9 HH |
289 | void do_invalid_op(struct pt_regs *, unsigned long); |
290 | ||
291 | static int is_f00f_bug(struct pt_regs *regs, unsigned long address) | |
292 | { | |
293 | #ifdef CONFIG_X86_F00F_BUG | |
294 | unsigned long nr; | |
295 | /* | |
296 | * Pentium F0 0F C7 C8 bug workaround. | |
297 | */ | |
298 | if (boot_cpu_data.f00f_bug) { | |
299 | nr = (address - idt_descr.address) >> 3; | |
300 | ||
301 | if (nr == 6) { | |
302 | do_invalid_op(regs, 0); | |
303 | return 1; | |
304 | } | |
305 | } | |
306 | #endif | |
307 | return 0; | |
308 | } | |
1dc85be0 | 309 | |
101f12af JB |
310 | /* |
311 | * Handle a fault on the vmalloc or module mapping area | |
312 | * | |
313 | * This assumes no large pages in there. | |
314 | */ | |
315 | static inline int vmalloc_fault(unsigned long address) | |
316 | { | |
fdfe8aa8 | 317 | #ifdef CONFIG_X86_32 |
101f12af JB |
318 | unsigned long pgd_paddr; |
319 | pmd_t *pmd_k; | |
320 | pte_t *pte_k; | |
321 | /* | |
322 | * Synchronize this task's top level page-table | |
323 | * with the 'reference' page table. | |
324 | * | |
325 | * Do _not_ use "current" here. We might be inside | |
326 | * an interrupt in the middle of a task switch.. | |
327 | */ | |
328 | pgd_paddr = read_cr3(); | |
329 | pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); | |
330 | if (!pmd_k) | |
331 | return -1; | |
332 | pte_k = pte_offset_kernel(pmd_k, address); | |
333 | if (!pte_present(*pte_k)) | |
334 | return -1; | |
335 | return 0; | |
fdfe8aa8 HH |
336 | #else |
337 | pgd_t *pgd, *pgd_ref; | |
338 | pud_t *pud, *pud_ref; | |
339 | pmd_t *pmd, *pmd_ref; | |
340 | pte_t *pte, *pte_ref; | |
341 | ||
342 | /* Copy kernel mappings over when needed. This can also | |
343 | happen within a race in page table update. In the later | |
344 | case just flush. */ | |
345 | ||
346 | pgd = pgd_offset(current->mm ?: &init_mm, address); | |
347 | pgd_ref = pgd_offset_k(address); | |
348 | if (pgd_none(*pgd_ref)) | |
349 | return -1; | |
350 | if (pgd_none(*pgd)) | |
351 | set_pgd(pgd, *pgd_ref); | |
352 | else | |
353 | BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); | |
354 | ||
355 | /* Below here mismatches are bugs because these lower tables | |
356 | are shared */ | |
357 | ||
358 | pud = pud_offset(pgd, address); | |
359 | pud_ref = pud_offset(pgd_ref, address); | |
360 | if (pud_none(*pud_ref)) | |
361 | return -1; | |
362 | if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref)) | |
363 | BUG(); | |
364 | pmd = pmd_offset(pud, address); | |
365 | pmd_ref = pmd_offset(pud_ref, address); | |
366 | if (pmd_none(*pmd_ref)) | |
367 | return -1; | |
368 | if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref)) | |
369 | BUG(); | |
370 | pte_ref = pte_offset_kernel(pmd_ref, address); | |
371 | if (!pte_present(*pte_ref)) | |
372 | return -1; | |
373 | pte = pte_offset_kernel(pmd, address); | |
374 | /* Don't use pte_page here, because the mappings can point | |
375 | outside mem_map, and the NUMA hash lookup cannot handle | |
376 | that. */ | |
377 | if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref)) | |
378 | BUG(); | |
379 | return 0; | |
380 | #endif | |
101f12af JB |
381 | } |
382 | ||
abd4f750 MAS |
383 | int show_unhandled_signals = 1; |
384 | ||
1da177e4 LT |
385 | /* |
386 | * This routine handles page faults. It determines the address, | |
387 | * and the problem, and then passes it off to one of the appropriate | |
388 | * routines. | |
1da177e4 | 389 | */ |
75604d7f | 390 | void __kprobes do_page_fault(struct pt_regs *regs, unsigned long error_code) |
1da177e4 LT |
391 | { |
392 | struct task_struct *tsk; | |
393 | struct mm_struct *mm; | |
33cb5243 | 394 | struct vm_area_struct *vma; |
1da177e4 | 395 | unsigned long address; |
869f96a0 | 396 | int write, si_code; |
83c54070 | 397 | int fault; |
1da177e4 | 398 | |
143a5d32 PZ |
399 | /* |
400 | * We can fault from pretty much anywhere, with unknown IRQ state. | |
401 | */ | |
402 | trace_hardirqs_fixup(); | |
403 | ||
608566b4 HH |
404 | tsk = current; |
405 | mm = tsk->mm; | |
406 | prefetchw(&mm->mmap_sem); | |
407 | ||
1da177e4 | 408 | /* get the address */ |
33cb5243 | 409 | address = read_cr2(); |
1da177e4 | 410 | |
869f96a0 | 411 | si_code = SEGV_MAPERR; |
1da177e4 | 412 | |
608566b4 HH |
413 | if (notify_page_fault(regs)) |
414 | return; | |
415 | ||
1da177e4 LT |
416 | /* |
417 | * We fault-in kernel-space virtual memory on-demand. The | |
418 | * 'reference' page table is init_mm.pgd. | |
419 | * | |
420 | * NOTE! We MUST NOT take any locks for this case. We may | |
421 | * be in an interrupt or a critical region, and should | |
422 | * only copy the information from the master page table, | |
423 | * nothing more. | |
424 | * | |
425 | * This verifies that the fault happens in kernel space | |
426 | * (error_code & 4) == 0, and that the fault was not a | |
101f12af | 427 | * protection error (error_code & 9) == 0. |
1da177e4 | 428 | */ |
101f12af | 429 | if (unlikely(address >= TASK_SIZE)) { |
318aa296 HH |
430 | if (!(error_code & (PF_RSVD|PF_USER|PF_PROT)) && |
431 | vmalloc_fault(address) >= 0) | |
101f12af | 432 | return; |
101f12af | 433 | /* |
1da177e4 LT |
434 | * Don't take the mm semaphore here. If we fixup a prefetch |
435 | * fault we could otherwise deadlock. | |
436 | */ | |
437 | goto bad_area_nosemaphore; | |
101f12af JB |
438 | } |
439 | ||
101f12af JB |
440 | /* It's safe to allow irq's after cr2 has been saved and the vmalloc |
441 | fault has been handled. */ | |
65ea5b03 | 442 | if (regs->flags & (X86_EFLAGS_IF|VM_MASK)) |
101f12af | 443 | local_irq_enable(); |
1da177e4 | 444 | |
1da177e4 LT |
445 | /* |
446 | * If we're in an interrupt, have no user context or are running in an | |
33cb5243 | 447 | * atomic region then we must not take the fault. |
1da177e4 LT |
448 | */ |
449 | if (in_atomic() || !mm) | |
450 | goto bad_area_nosemaphore; | |
451 | ||
452 | /* When running in the kernel we expect faults to occur only to | |
453 | * addresses in user space. All other faults represent errors in the | |
27b46d76 | 454 | * kernel and should generate an OOPS. Unfortunately, in the case of an |
80f7228b | 455 | * erroneous fault occurring in a code path which already holds mmap_sem |
1da177e4 LT |
456 | * we will deadlock attempting to validate the fault against the |
457 | * address space. Luckily the kernel only validly references user | |
458 | * space from well defined areas of code, which are listed in the | |
459 | * exceptions table. | |
460 | * | |
461 | * As the vast majority of faults will be valid we will only perform | |
27b46d76 | 462 | * the source reference check when there is a possibility of a deadlock. |
1da177e4 LT |
463 | * Attempt to lock the address space, if we cannot we then validate the |
464 | * source. If this is invalid we can skip the address space check, | |
465 | * thus avoiding the deadlock. | |
466 | */ | |
467 | if (!down_read_trylock(&mm->mmap_sem)) { | |
33cb5243 | 468 | if ((error_code & PF_USER) == 0 && |
65ea5b03 | 469 | !search_exception_tables(regs->ip)) |
1da177e4 LT |
470 | goto bad_area_nosemaphore; |
471 | down_read(&mm->mmap_sem); | |
472 | } | |
473 | ||
474 | vma = find_vma(mm, address); | |
475 | if (!vma) | |
476 | goto bad_area; | |
477 | if (vma->vm_start <= address) | |
478 | goto good_area; | |
479 | if (!(vma->vm_flags & VM_GROWSDOWN)) | |
480 | goto bad_area; | |
33cb5243 | 481 | if (error_code & PF_USER) { |
1da177e4 | 482 | /* |
65ea5b03 | 483 | * Accessing the stack below %sp is always a bug. |
21528454 CE |
484 | * The large cushion allows instructions like enter |
485 | * and pusha to work. ("enter $65535,$31" pushes | |
65ea5b03 | 486 | * 32 pointers and then decrements %sp by 65535.) |
1da177e4 | 487 | */ |
65ea5b03 | 488 | if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp) |
1da177e4 LT |
489 | goto bad_area; |
490 | } | |
491 | if (expand_stack(vma, address)) | |
492 | goto bad_area; | |
493 | /* | |
494 | * Ok, we have a good vm_area for this memory access, so | |
495 | * we can handle it.. | |
496 | */ | |
497 | good_area: | |
869f96a0 | 498 | si_code = SEGV_ACCERR; |
1da177e4 | 499 | write = 0; |
33cb5243 HH |
500 | switch (error_code & (PF_PROT|PF_WRITE)) { |
501 | default: /* 3: write, present */ | |
502 | /* fall through */ | |
503 | case PF_WRITE: /* write, not present */ | |
504 | if (!(vma->vm_flags & VM_WRITE)) | |
505 | goto bad_area; | |
506 | write++; | |
507 | break; | |
508 | case PF_PROT: /* read, present */ | |
509 | goto bad_area; | |
510 | case 0: /* read, not present */ | |
511 | if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) | |
1da177e4 | 512 | goto bad_area; |
1da177e4 LT |
513 | } |
514 | ||
515 | survive: | |
516 | /* | |
517 | * If for any reason at all we couldn't handle the fault, | |
518 | * make sure we exit gracefully rather than endlessly redo | |
519 | * the fault. | |
520 | */ | |
83c54070 NP |
521 | fault = handle_mm_fault(mm, vma, address, write); |
522 | if (unlikely(fault & VM_FAULT_ERROR)) { | |
523 | if (fault & VM_FAULT_OOM) | |
1da177e4 | 524 | goto out_of_memory; |
83c54070 NP |
525 | else if (fault & VM_FAULT_SIGBUS) |
526 | goto do_sigbus; | |
527 | BUG(); | |
1da177e4 | 528 | } |
83c54070 NP |
529 | if (fault & VM_FAULT_MAJOR) |
530 | tsk->maj_flt++; | |
531 | else | |
532 | tsk->min_flt++; | |
1da177e4 | 533 | |
d729ab35 | 534 | #ifdef CONFIG_X86_32 |
1da177e4 LT |
535 | /* |
536 | * Did it hit the DOS screen memory VA from vm86 mode? | |
537 | */ | |
d729ab35 | 538 | if (v8086_mode(regs)) { |
1da177e4 LT |
539 | unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT; |
540 | if (bit < 32) | |
541 | tsk->thread.screen_bitmap |= 1 << bit; | |
542 | } | |
d729ab35 | 543 | #endif |
1da177e4 LT |
544 | up_read(&mm->mmap_sem); |
545 | return; | |
546 | ||
547 | /* | |
548 | * Something tried to access memory that isn't in our memory map.. | |
549 | * Fix it, but check if it's kernel or user first.. | |
550 | */ | |
551 | bad_area: | |
552 | up_read(&mm->mmap_sem); | |
553 | ||
554 | bad_area_nosemaphore: | |
555 | /* User mode accesses just cause a SIGSEGV */ | |
33cb5243 | 556 | if (error_code & PF_USER) { |
e5e3c84b SR |
557 | /* |
558 | * It's possible to have interrupts off here. | |
559 | */ | |
560 | local_irq_enable(); | |
561 | ||
33cb5243 HH |
562 | /* |
563 | * Valid to do another page fault here because this one came | |
1da177e4 LT |
564 | * from user space. |
565 | */ | |
566 | if (is_prefetch(regs, address, error_code)) | |
567 | return; | |
568 | ||
abd4f750 MAS |
569 | if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) && |
570 | printk_ratelimit()) { | |
6f4d368e HH |
571 | printk( |
572 | #ifdef CONFIG_X86_32 | |
edcd8119 | 573 | "%s%s[%d]: segfault at %lx ip %08lx sp %08lx error %lx", |
6f4d368e | 574 | #else |
03252919 | 575 | "%s%s[%d]: segfault at %lx ip %lx sp %lx error %lx", |
6f4d368e HH |
576 | #endif |
577 | task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG, | |
578 | tsk->comm, task_pid_nr(tsk), address, regs->ip, | |
579 | regs->sp, error_code); | |
03252919 AK |
580 | print_vma_addr(" in ", regs->ip); |
581 | printk("\n"); | |
abd4f750 | 582 | } |
1da177e4 LT |
583 | tsk->thread.cr2 = address; |
584 | /* Kernel addresses are always protection faults */ | |
585 | tsk->thread.error_code = error_code | (address >= TASK_SIZE); | |
586 | tsk->thread.trap_no = 14; | |
869f96a0 | 587 | force_sig_info_fault(SIGSEGV, si_code, address, tsk); |
1da177e4 LT |
588 | return; |
589 | } | |
590 | ||
29caf2f9 HH |
591 | if (is_f00f_bug(regs, address)) |
592 | return; | |
1da177e4 LT |
593 | |
594 | no_context: | |
595 | /* Are we prepared to handle this kernel fault? */ | |
596 | if (fixup_exception(regs)) | |
597 | return; | |
598 | ||
33cb5243 | 599 | /* |
1da177e4 | 600 | * Valid to do another page fault here, because if this fault |
33cb5243 | 601 | * had been triggered by is_prefetch fixup_exception would have |
1da177e4 LT |
602 | * handled it. |
603 | */ | |
33cb5243 HH |
604 | if (is_prefetch(regs, address, error_code)) |
605 | return; | |
1da177e4 | 606 | |
fdfe8aa8 HH |
607 | if (is_errata93(regs, address)) |
608 | return; | |
609 | ||
1da177e4 LT |
610 | /* |
611 | * Oops. The kernel tried to access some bad page. We'll have to | |
612 | * terminate things with extreme prejudice. | |
613 | */ | |
614 | ||
615 | bust_spinlocks(1); | |
616 | ||
dd287796 | 617 | if (oops_may_print()) { |
28609f6e JB |
618 | |
619 | #ifdef CONFIG_X86_PAE | |
318aa296 | 620 | if (error_code & PF_INSTR) { |
f0646e43 IM |
621 | int level; |
622 | pte_t *pte = lookup_address(address, &level); | |
dd287796 | 623 | |
4c3c4b45 | 624 | if (pte && pte_present(*pte) && !pte_exec(*pte)) |
dd287796 AM |
625 | printk(KERN_CRIT "kernel tried to execute " |
626 | "NX-protected page - exploit attempt? " | |
627 | "(uid: %d)\n", current->uid); | |
628 | } | |
28609f6e | 629 | #endif |
dd287796 AM |
630 | if (address < PAGE_SIZE) |
631 | printk(KERN_ALERT "BUG: unable to handle kernel NULL " | |
632 | "pointer dereference"); | |
633 | else | |
634 | printk(KERN_ALERT "BUG: unable to handle kernel paging" | |
635 | " request"); | |
33cb5243 | 636 | printk(" at virtual address %08lx\n", address); |
65ea5b03 | 637 | printk(KERN_ALERT "printing ip: %08lx ", regs->ip); |
28609f6e | 638 | |
e66a9512 | 639 | dump_pagetable(address); |
28609f6e JB |
640 | } |
641 | ||
4f339ecb AN |
642 | tsk->thread.cr2 = address; |
643 | tsk->thread.trap_no = 14; | |
644 | tsk->thread.error_code = error_code; | |
1da177e4 LT |
645 | die("Oops", regs, error_code); |
646 | bust_spinlocks(0); | |
647 | do_exit(SIGKILL); | |
648 | ||
649 | /* | |
650 | * We ran out of memory, or some other thing happened to us that made | |
651 | * us unable to handle the page fault gracefully. | |
652 | */ | |
653 | out_of_memory: | |
654 | up_read(&mm->mmap_sem); | |
b460cbc5 | 655 | if (is_global_init(tsk)) { |
1da177e4 LT |
656 | yield(); |
657 | down_read(&mm->mmap_sem); | |
658 | goto survive; | |
659 | } | |
660 | printk("VM: killing process %s\n", tsk->comm); | |
318aa296 | 661 | if (error_code & PF_USER) |
dcca2bde | 662 | do_group_exit(SIGKILL); |
1da177e4 LT |
663 | goto no_context; |
664 | ||
665 | do_sigbus: | |
666 | up_read(&mm->mmap_sem); | |
667 | ||
668 | /* Kernel mode? Handle exceptions or die */ | |
33cb5243 | 669 | if (!(error_code & PF_USER)) |
1da177e4 LT |
670 | goto no_context; |
671 | ||
672 | /* User space => ok to do another page fault */ | |
673 | if (is_prefetch(regs, address, error_code)) | |
674 | return; | |
675 | ||
676 | tsk->thread.cr2 = address; | |
677 | tsk->thread.error_code = error_code; | |
678 | tsk->thread.trap_no = 14; | |
869f96a0 | 679 | force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk); |
101f12af | 680 | } |
1da177e4 | 681 | |
101f12af JB |
682 | void vmalloc_sync_all(void) |
683 | { | |
684 | /* | |
685 | * Note that races in the updates of insync and start aren't | |
686 | * problematic: insync can only get set bits added, and updates to | |
687 | * start are only improving performance (without affecting correctness | |
688 | * if undone). | |
689 | */ | |
690 | static DECLARE_BITMAP(insync, PTRS_PER_PGD); | |
691 | static unsigned long start = TASK_SIZE; | |
692 | unsigned long address; | |
1da177e4 | 693 | |
5311ab62 JF |
694 | if (SHARED_KERNEL_PMD) |
695 | return; | |
696 | ||
101f12af JB |
697 | BUILD_BUG_ON(TASK_SIZE & ~PGDIR_MASK); |
698 | for (address = start; address >= TASK_SIZE; address += PGDIR_SIZE) { | |
699 | if (!test_bit(pgd_index(address), insync)) { | |
700 | unsigned long flags; | |
701 | struct page *page; | |
702 | ||
703 | spin_lock_irqsave(&pgd_lock, flags); | |
704 | for (page = pgd_list; page; page = | |
705 | (struct page *)page->index) | |
706 | if (!vmalloc_sync_one(page_address(page), | |
707 | address)) { | |
708 | BUG_ON(page != pgd_list); | |
709 | break; | |
710 | } | |
711 | spin_unlock_irqrestore(&pgd_lock, flags); | |
712 | if (!page) | |
713 | set_bit(pgd_index(address), insync); | |
714 | } | |
715 | if (address == start && test_bit(pgd_index(address), insync)) | |
716 | start = address + PGDIR_SIZE; | |
1da177e4 LT |
717 | } |
718 | } |