This source file includes the following definitions:
- store_updates_sp
- __bad_area_nosemaphore
- bad_area_nosemaphore
- __bad_area
- bad_area
- bad_key_fault_exception
- bad_access
- do_sigbus
- mm_fault_error
- bad_kernel_fault
- bad_stack_expansion
- access_error
- cmo_account_page_fault
- cmo_account_page_fault
- sanity_check_fault
- sanity_check_fault
- __do_page_fault
- do_page_fault
- bad_page_fault
#include <linux/signal.h>
#include <linux/sched.h>
#include <linux/sched/task_stack.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/pagemap.h>
#include <linux/ptrace.h>
#include <linux/mman.h>
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <linux/highmem.h>
#include <linux/extable.h>
#include <linux/kprobes.h>
#include <linux/kdebug.h>
#include <linux/perf_event.h>
#include <linux/ratelimit.h>
#include <linux/context_tracking.h>
#include <linux/hugetlb.h>
#include <linux/uaccess.h>

#include <asm/firmware.h>
#include <asm/page.h>
#include <asm/pgtable.h>
#include <asm/mmu.h>
#include <asm/mmu_context.h>
#include <asm/siginfo.h>
#include <asm/debug.h>
#include <asm/kup.h>

/*
 * Check whether the instruction inst is a store using
 * an update addressing form which will update r1 (the stack pointer).
 */
static bool store_updates_sp(unsigned int inst)
{
	/* check for 1 in the rA field */
	if (((inst >> 16) & 0x1f) != 1)
		return false;
	/* check major opcode */
	switch (inst >> 26) {
	case OP_STWU:
	case OP_STBU:
	case OP_STHU:
	case OP_STFSU:
	case OP_STFDU:
		return true;
	case OP_STD:	/* std or stdu */
		return (inst & 3) == 1;
	case OP_31:
		/* check minor opcode */
		switch ((inst >> 1) & 0x3ff) {
		case OP_31_XOP_STDUX:
		case OP_31_XOP_STWUX:
		case OP_31_XOP_STBUX:
		case OP_31_XOP_STHUX:
		case OP_31_XOP_STFSUX:
		case OP_31_XOP_STFDUX:
			return true;
		}
	}
	return false;
}
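
/*
 * Worked example (informational, not part of the original source): the
 * common function-prologue instruction "stwu r1,-16(r1)" encodes as
 * 0x9421fff0. Its primary opcode is 0x9421fff0 >> 26 = 37 (OP_STWU) and
 * its rA field is (0x9421fff0 >> 16) & 0x1f = 1, so store_updates_sp()
 * returns true for it.
 */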

/*
 * do_page_fault error handling helpers
 */

static int
__bad_area_nosemaphore(struct pt_regs *regs, unsigned long address, int si_code)
{
	/*
	 * If we are in kernel mode, bail out with a SEGV, this will
	 * be caught by the assembly which will restore the non-volatile
	 * registers before calling bad_page_fault()
	 */
	if (!user_mode(regs))
		return SIGSEGV;

	_exception(SIGSEGV, regs, si_code, address);

	return 0;
}

static noinline int bad_area_nosemaphore(struct pt_regs *regs, unsigned long address)
{
	return __bad_area_nosemaphore(regs, address, SEGV_MAPERR);
}

static int __bad_area(struct pt_regs *regs, unsigned long address, int si_code)
{
	struct mm_struct *mm = current->mm;

	/*
	 * Something tried to access memory that isn't in our memory map.
	 * Release the mmap_sem before reporting, then let
	 * __bad_area_nosemaphore() sort out kernel vs. user mode.
	 */
	up_read(&mm->mmap_sem);

	return __bad_area_nosemaphore(regs, address, si_code);
}

static noinline int bad_area(struct pt_regs *regs, unsigned long address)
{
	return __bad_area(regs, address, SEGV_MAPERR);
}

static int bad_key_fault_exception(struct pt_regs *regs, unsigned long address,
				   int pkey)
{
	/*
	 * If we are in kernel mode, bail out with a SEGV, this will
	 * be caught by the assembly which will restore the non-volatile
	 * registers before calling bad_page_fault()
	 */
	if (!user_mode(regs))
		return SIGSEGV;

	_exception_pkey(regs, address, pkey);

	return 0;
}

static noinline int bad_access(struct pt_regs *regs, unsigned long address)
{
	return __bad_area(regs, address, SEGV_ACCERR);
}

static int do_sigbus(struct pt_regs *regs, unsigned long address,
		     vm_fault_t fault)
{
	if (!user_mode(regs))
		return SIGBUS;

	current->thread.trap_nr = BUS_ADRERR;
#ifdef CONFIG_MEMORY_FAILURE
	if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
		unsigned int lsb = 0; /* shift of the poisoned granule */

		pr_err("MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
			current->comm, current->pid, address);

		if (fault & VM_FAULT_HWPOISON_LARGE)
			lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
		if (fault & VM_FAULT_HWPOISON)
			lsb = PAGE_SHIFT;

		force_sig_mceerr(BUS_MCEERR_AR, (void __user *)address, lsb);
		return 0;
	}

#endif
	force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)address);
	return 0;
}

static int mm_fault_error(struct pt_regs *regs, unsigned long addr,
			  vm_fault_t fault)
{
	/*
	 * Kernel page fault interrupted by SIGKILL. We have no reason to
	 * continue processing.
	 */
	if (fatal_signal_pending(current) && !user_mode(regs))
		return SIGKILL;

	/* Out of memory */
	if (fault & VM_FAULT_OOM) {
		/*
		 * We ran out of memory, or some other thing happened to us
		 * that made us unable to handle the page fault gracefully.
		 */
		if (!user_mode(regs))
			return SIGSEGV;
		pagefault_out_of_memory();
	} else {
		if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
			     VM_FAULT_HWPOISON_LARGE))
			return do_sigbus(regs, addr, fault);
		else if (fault & VM_FAULT_SIGSEGV)
			return bad_area_nosemaphore(regs, addr);
		else
			BUG();
	}
	return 0;
}
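
/*
 * Note (informational): the caller only routes VM_FAULT_ERROR results
 * here; VM_FAULT_RETRY and VM_FAULT_MAJOR are handled in
 * __do_page_fault() itself, which is why any unrecognized fault bit
 * reaching the else-branch above is a BUG().
 */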

/* Is this a bad kernel fault ? */
static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code,
			     unsigned long address, bool is_write)
{
	int is_exec = TRAP(regs) == 0x400;

	/* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */
	if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT |
				      DSISR_PROTFAULT))) {
		pr_crit_ratelimited("kernel tried to execute %s page (%lx) - exploit attempt? (uid: %d)\n",
				    address >= TASK_SIZE ? "exec-protected" : "user",
				    address,
				    from_kuid(&init_user_ns, current_uid()));

		// Kernel exec fault is always bad
		return true;
	}

	if (!is_exec && address < TASK_SIZE && (error_code & DSISR_PROTFAULT) &&
	    !search_exception_tables(regs->nip)) {
		pr_crit_ratelimited("Kernel attempted to access user page (%lx) - exploit attempt? (uid: %d)\n",
				    address,
				    from_kuid(&init_user_ns, current_uid()));
	}

	// Kernel fault on kernel address is bad
	if (address >= TASK_SIZE)
		return true;

	// Fault on user outside of certain regions (eg. copy_tofrom_user()) is bad
	if (!search_exception_tables(regs->nip))
		return true;

	// Read/write fault in a valid region (the exception table search passed
	// above), but blocked by KUAP is bad, it can never succeed.
	if (bad_kuap_fault(regs, address, is_write))
		return true;

	// What's left? Kernel fault on user in well defined regions (extable
	// matched), and allowed by KUAP in the faulting context.
	return false;
}

static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
				struct vm_area_struct *vma, unsigned int flags,
				bool *must_retry)
{
	/*
	 * N.B. The POWER/Open ABI allows programs to access up to
	 * 288 bytes below the stack pointer.
	 * The kernel signal delivery code writes up to about 1.5kB
	 * below the stack pointer (r1) before decrementing it.
	 * The exec code can write slightly over 640kB to the stack
	 * before setting the user r1.  Thus we allow the stack to
	 * expand to 1MB without further checks.
	 */
	if (address + 0x100000 < vma->vm_end) {
		unsigned int __user *nip = (unsigned int __user *)regs->nip;
		/* get user regs even if this fault is in kernel mode */
		struct pt_regs *uregs = current->thread.regs;
		if (uregs == NULL)
			return true;

		/*
		 * A user-mode access to an address a long way below
		 * the stack pointer is only valid if the instruction
		 * is one which would update the stack pointer to the
		 * address accessed if the instruction completed,
		 * i.e. either stwu rs,n(r1) or stwux rs,r1,rb
		 * (or the byte, halfword, float or double forms).
		 *
		 * If we don't check this then any write to the area
		 * between the last mapped region and the stack will
		 * expand the stack rather than segfaulting.
		 */
		if (address + 2048 >= uregs->gpr[1])
			return false;

		if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
		    access_ok(nip, sizeof(*nip))) {
			unsigned int inst;
			int res;

			pagefault_disable();
			res = __get_user_inatomic(inst, nip);
			pagefault_enable();
			if (!res)
				return !store_updates_sp(inst);
			*must_retry = true;
		}
		return true;
	}
	return false;
}
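
/*
 * In short (informational summary): an access more than 1MB below the
 * end of the stack VMA is allowed only if it lands within 2kB of the
 * current stack pointer, or if the faulting instruction is a
 * store-with-update to r1 (i.e. a prologue pushing a new frame).
 * Anything else is rejected as a bad stack expansion, and a failed
 * read of the instruction sets *must_retry so the caller can retry
 * after faulting the text page in.
 */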

static bool access_error(bool is_write, bool is_exec,
			 struct vm_area_struct *vma)
{
	/*
	 * Allow execution from readable areas if the MMU does not
	 * provide separate controls over reading and executing.
	 *
	 * Note: That code used to not be enabled for 4xx/BookE.
	 * It is now as I/D cache coherency for these is done at
	 * set_pte_at() time and I see no reason why the test
	 * below wouldn't be valid on those processors. This -may-
	 * break programs compiled with a really old ABI though.
	 */
	if (is_exec) {
		return !(vma->vm_flags & VM_EXEC) &&
			(cpu_has_feature(CPU_FTR_NOEXECUTE) ||
			 !(vma->vm_flags & (VM_READ | VM_WRITE)));
	}

	if (is_write) {
		if (unlikely(!(vma->vm_flags & VM_WRITE)))
			return true;
		return false;
	}

	if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
		return true;
	/*
	 * We should ideally do the vma pkey access check here. But in the
	 * fault path, handle_mm_fault() also does the same check. To avoid
	 * these multiple checks, we skip it here and handle access error due
	 * to pkeys later.
	 */
	return false;
}

#ifdef CONFIG_PPC_SMLPAR
/*
 * Account a page-in for the hypervisor's Cooperative Memory Overcommit
 * (CMO) accounting, kept in the lppaca shared with platform firmware.
 */
static inline void cmo_account_page_fault(void)
{
	if (firmware_has_feature(FW_FEATURE_CMO)) {
		u32 page_ins;

		preempt_disable();
		page_ins = be32_to_cpu(get_lppaca()->page_ins);
		page_ins += 1 << PAGE_FACTOR;
		get_lppaca()->page_ins = cpu_to_be32(page_ins);
		preempt_enable();
	}
}
#else
static inline void cmo_account_page_fault(void) { }
#endif /* CONFIG_PPC_SMLPAR */

#ifdef CONFIG_PPC_BOOK3S
static void sanity_check_fault(bool is_write, bool is_user,
			       unsigned long error_code, unsigned long address)
{
	/*
	 * Userspace trying to access kernel address, we get PROTFAULT for that.
	 */
	if (is_user && address >= TASK_SIZE) {
		if ((long)address == -1)
			return;

		pr_crit_ratelimited("%s[%d]: User access of kernel address (%lx) - exploit attempt? (uid: %d)\n",
				    current->comm, current->pid, address,
				    from_kuid(&init_user_ns, current_uid()));
		return;
	}

	/*
	 * Under the hash MMU, reducing the access rights of a PTE removes
	 * its hash page table entry, so a subsequent read access should
	 * fault with DSISR_NOHPTE rather than DSISR_PROTFAULT. Seeing a
	 * PROTFAULT on a hash-mode read fault is therefore unexpected and
	 * worth a one-time warning.
	 *
	 * Write faults and radix mode can raise legitimate or spurious
	 * protection faults (e.g. for dirty tracking, or translations
	 * still visible via the nest MMU), so the check is skipped for
	 * those cases.
	 */
	if (radix_enabled() || is_write)
		return;

	WARN_ON_ONCE(error_code & DSISR_PROTFAULT);
}
#else
static void sanity_check_fault(bool is_write, bool is_user,
			       unsigned long error_code, unsigned long address) { }
#endif /* CONFIG_PPC_BOOK3S */

/*
 * Define the correct "is write" bit in the error code for each
 * processor family, and which error-code bits flag a bad (unexpected)
 * page fault on that family.
 */
#if (defined(CONFIG_4xx) || defined(CONFIG_BOOKE))
#define page_fault_is_write(__err)	((__err) & ESR_DST)
#define page_fault_is_bad(__err)	(0)
#else
#define page_fault_is_write(__err)	((__err) & DSISR_ISSTORE)
#if defined(CONFIG_PPC_8xx)
#define page_fault_is_bad(__err)	((__err) & DSISR_NOEXEC_OR_G)
#elif defined(CONFIG_PPC64)
#define page_fault_is_bad(__err)	((__err) & DSISR_BAD_FAULT_64S)
#else
#define page_fault_is_bad(__err)	((__err) & DSISR_BAD_FAULT_32S)
#endif
#endif
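
/*
 * For example (informational): on 4xx/BookE the ESR_DST bit of the ESR
 * distinguishes stores from loads, and no fault is considered
 * inherently "bad" via this mechanism, while on 64-bit Book3S any bit
 * in the DSISR_BAD_FAULT_64S mask marks a DSISR value that a normal
 * page fault should never carry.
 */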

/*
 * The error_code parameter is
 *  - DSISR for a non-SLB data access fault,
 *  - SRR1 & 0x08000000 for a non-SLB instruction access fault
 *  - 0 any SLB fault.
 *
 * The return value is 0 if the fault was handled, or the signal
 * number if this is a kernel fault that can't be handled here.
 */
static int __do_page_fault(struct pt_regs *regs, unsigned long address,
			   unsigned long error_code)
{
	struct vm_area_struct * vma;
	struct mm_struct *mm = current->mm;
	unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
	int is_exec = TRAP(regs) == 0x400;
	int is_user = user_mode(regs);
	int is_write = page_fault_is_write(error_code);
	vm_fault_t fault, major = 0;
	bool must_retry = false;
	bool kprobe_fault = kprobe_page_fault(regs, 11);

	if (unlikely(debugger_fault_handler(regs) || kprobe_fault))
		return 0;

	if (unlikely(page_fault_is_bad(error_code))) {
		if (is_user) {
			_exception(SIGBUS, regs, BUS_OBJERR, address);
			return 0;
		}
		return SIGBUS;
	}

	/* Additional sanity check(s) */
	sanity_check_fault(is_write, is_user, error_code, address);

	/*
	 * The kernel should never take an execute fault nor should it
	 * take a page fault to a kernel address or a page fault to a user
	 * address outside of dedicated places
	 */
	if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write)))
		return SIGSEGV;

	/*
	 * If we're in an interrupt, have no user context or are running
	 * in a region with pagefaults disabled then we must not take the fault
	 */
	if (unlikely(faulthandler_disabled() || !mm)) {
		if (is_user)
			printk_ratelimited(KERN_ERR "Page fault in user mode"
					   " with faulthandler_disabled()=%d"
					   " mm=%p\n",
					   faulthandler_disabled(), mm);
		return bad_area_nosemaphore(regs, address);
	}

	/* Re-enable interrupts if they were on before the fault */
	if (!arch_irq_disabled_regs(regs))
		local_irq_enable();

	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);

	if (error_code & DSISR_KEYFAULT)
		return bad_key_fault_exception(regs, address,
					       get_mm_addr_key(mm, address));
493
494
495
496
497
498
499 if (is_user)
500 flags |= FAULT_FLAG_USER;
501 if (is_write)
502 flags |= FAULT_FLAG_WRITE;
503 if (is_exec)
504 flags |= FAULT_FLAG_INSTRUCTION;
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521 if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
522 if (!is_user && !search_exception_tables(regs->nip))
523 return bad_area_nosemaphore(regs, address);
524
525 retry:
526 down_read(&mm->mmap_sem);
527 } else {
528
529
530
531
532
533 might_sleep();
534 }

	vma = find_vma(mm, address);
	if (unlikely(!vma))
		return bad_area(regs, address);
	if (likely(vma->vm_start <= address))
		goto good_area;
	if (unlikely(!(vma->vm_flags & VM_GROWSDOWN)))
		return bad_area(regs, address);

	/* The stack is being expanded, check if it's valid */
	if (unlikely(bad_stack_expansion(regs, address, vma, flags,
					 &must_retry))) {
		if (!must_retry)
			return bad_area(regs, address);

		up_read(&mm->mmap_sem);
		if (fault_in_pages_readable((const char __user *)regs->nip,
					    sizeof(unsigned int)))
			return bad_area_nosemaphore(regs, address);
		goto retry;
	}

	/* Try to expand it */
	if (unlikely(expand_stack(vma, address)))
		return bad_area(regs, address);

good_area:
	if (unlikely(access_error(is_write, is_exec, vma)))
		return bad_access(regs, address);

	/*
	 * If for any reason at all we couldn't handle the fault,
	 * make sure we exit gracefully rather than endlessly redo
	 * the fault.
	 */
	fault = handle_mm_fault(vma, address, flags);

#ifdef CONFIG_PPC_MEM_KEYS
	/*
	 * we skipped checking for access error due to key earlier.
	 * Check that using handle_mm_fault error return.
	 */
	if (unlikely(fault & VM_FAULT_SIGSEGV) &&
		!arch_vma_access_permitted(vma, is_write, is_exec, 0)) {

		int pkey = vma_pkey(vma);

		up_read(&mm->mmap_sem);
		return bad_key_fault_exception(regs, address, pkey);
	}
#endif /* CONFIG_PPC_MEM_KEYS */

	major |= fault & VM_FAULT_MAJOR;

	/*
	 * Handle the retry right now, the mmap_sem has been released in that
	 * case.
	 */
	if (unlikely(fault & VM_FAULT_RETRY)) {
		/* We retry only once */
		if (flags & FAULT_FLAG_ALLOW_RETRY) {
			/*
			 * Clear FAULT_FLAG_ALLOW_RETRY to avoid any risk
			 * of starvation.
			 */
			flags &= ~FAULT_FLAG_ALLOW_RETRY;
			flags |= FAULT_FLAG_TRIED;
			if (!fatal_signal_pending(current))
				goto retry;
		}

		/*
		 * User mode? Just return to handle the fatal exception otherwise
		 * return to bad_page_fault
		 */
		return is_user ? 0 : SIGBUS;
	}

	up_read(&current->mm->mmap_sem);

	if (unlikely(fault & VM_FAULT_ERROR))
		return mm_fault_error(regs, address, fault);

	/*
	 * Major/minor page fault accounting.
	 */
	if (major) {
		current->maj_flt++;
		perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address);
		cmo_account_page_fault();
	} else {
		current->min_flt++;
		perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address);
	}
	return 0;
}
NOKPROBE_SYMBOL(__do_page_fault);
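
/*
 * Note (informational, assuming the usual powerpc exception return
 * path): a non-zero return from __do_page_fault() propagates back to
 * the low-level exception code, which treats it as an unhandled kernel
 * fault and ends up in bad_page_fault() below; a return of 0 means the
 * fault was resolved or a signal was already queued for the task.
 */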

int do_page_fault(struct pt_regs *regs, unsigned long address,
		  unsigned long error_code)
{
	enum ctx_state prev_state = exception_enter();
	int rc = __do_page_fault(regs, address, error_code);
	exception_exit(prev_state);
	return rc;
}
NOKPROBE_SYMBOL(do_page_fault);

/*
 * bad_page_fault is called when we have a bad kernel page fault. It
 * is called from the DSI and ISI handlers in head.S and from some
 * of the procedures in traps.c.
 */
void bad_page_fault(struct pt_regs *regs, unsigned long address, int sig)
{
	const struct exception_table_entry *entry;

	/* Are we prepared to handle this fault?  */
	if ((entry = search_exception_tables(regs->nip)) != NULL) {
		regs->nip = extable_fixup(entry);
		return;
	}

	/* kernel has accessed a bad area */

	switch (TRAP(regs)) {
	case 0x300:
	case 0x380:
	case 0xe00:
		pr_alert("BUG: %s at 0x%08lx\n",
			 regs->dar < PAGE_SIZE ? "Kernel NULL pointer dereference" :
			 "Unable to handle kernel data access", regs->dar);
		break;
	case 0x400:
	case 0x480:
		pr_alert("BUG: Unable to handle kernel instruction fetch%s",
			 regs->nip < PAGE_SIZE ? " (NULL pointer?)\n" : "\n");
		break;
	case 0x600:
		pr_alert("BUG: Unable to handle kernel unaligned access at 0x%08lx\n",
			 regs->dar);
		break;
	default:
		pr_alert("BUG: Unable to handle unknown paging fault at 0x%08lx\n",
			 regs->dar);
		break;
	}
	printk(KERN_ALERT "Faulting instruction address: 0x%08lx\n",
		regs->nip);

	if (task_stack_end_corrupted(current))
		printk(KERN_ALERT "Thread overran stack, or stack corrupted\n");

	die("Kernel access of bad area", regs, sig);
}