root/arch/powerpc/mm/fault.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. store_updates_sp
  2. __bad_area_nosemaphore
  3. bad_area_nosemaphore
  4. __bad_area
  5. bad_area
  6. bad_key_fault_exception
  7. bad_access
  8. do_sigbus
  9. mm_fault_error
  10. bad_kernel_fault
  11. bad_stack_expansion
  12. access_error
  13. cmo_account_page_fault
  14. cmo_account_page_fault
  15. sanity_check_fault
  16. sanity_check_fault
  17. __do_page_fault
  18. do_page_fault
  19. bad_page_fault

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /*
   3  *  PowerPC version
   4  *    Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
   5  *
   6  *  Derived from "arch/i386/mm/fault.c"
   7  *    Copyright (C) 1991, 1992, 1993, 1994  Linus Torvalds
   8  *
   9  *  Modified by Cort Dougan and Paul Mackerras.
  10  *
  11  *  Modified for PPC64 by Dave Engebretsen (engebret@ibm.com)
  12  */
  13 
  14 #include <linux/signal.h>
  15 #include <linux/sched.h>
  16 #include <linux/sched/task_stack.h>
  17 #include <linux/kernel.h>
  18 #include <linux/errno.h>
  19 #include <linux/string.h>
  20 #include <linux/types.h>
  21 #include <linux/pagemap.h>
  22 #include <linux/ptrace.h>
  23 #include <linux/mman.h>
  24 #include <linux/mm.h>
  25 #include <linux/interrupt.h>
  26 #include <linux/highmem.h>
  27 #include <linux/extable.h>
  28 #include <linux/kprobes.h>
  29 #include <linux/kdebug.h>
  30 #include <linux/perf_event.h>
  31 #include <linux/ratelimit.h>
  32 #include <linux/context_tracking.h>
  33 #include <linux/hugetlb.h>
  34 #include <linux/uaccess.h>
  35 
  36 #include <asm/firmware.h>
  37 #include <asm/page.h>
  38 #include <asm/pgtable.h>
  39 #include <asm/mmu.h>
  40 #include <asm/mmu_context.h>
  41 #include <asm/siginfo.h>
  42 #include <asm/debug.h>
  43 #include <asm/kup.h>
  44 
  45 /*
  46  * Check whether the instruction inst is a store using
  47  * an update addressing form which will update r1.
  48  */
  49 static bool store_updates_sp(unsigned int inst)
  50 {
  51         /* check for 1 in the rA field */
  52         if (((inst >> 16) & 0x1f) != 1)
  53                 return false;
  54         /* check major opcode */
  55         switch (inst >> 26) {
  56         case OP_STWU:
  57         case OP_STBU:
  58         case OP_STHU:
  59         case OP_STFSU:
  60         case OP_STFDU:
  61                 return true;
  62         case OP_STD:    /* std or stdu */
  63                 return (inst & 3) == 1;
  64         case OP_31:
  65                 /* check minor opcode */
  66                 switch ((inst >> 1) & 0x3ff) {
  67                 case OP_31_XOP_STDUX:
  68                 case OP_31_XOP_STWUX:
  69                 case OP_31_XOP_STBUX:
  70                 case OP_31_XOP_STHUX:
  71                 case OP_31_XOP_STFSUX:
  72                 case OP_31_XOP_STFDUX:
  73                         return true;
  74                 }
  75         }
  76         return false;
  77 }
  78 /*
  79  * do_page_fault error handling helpers
  80  */
  81 
  82 static int
  83 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long address, int si_code)
  84 {
  85         /*
  86          * If we are in kernel mode, bail out with a SEGV, this will
  87          * be caught by the assembly which will restore the non-volatile
  88          * registers before calling bad_page_fault()
  89          */
  90         if (!user_mode(regs))
  91                 return SIGSEGV;
  92 
  93         _exception(SIGSEGV, regs, si_code, address);
  94 
  95         return 0;
  96 }
  97 
  98 static noinline int bad_area_nosemaphore(struct pt_regs *regs, unsigned long address)
  99 {
 100         return __bad_area_nosemaphore(regs, address, SEGV_MAPERR);
 101 }
 102 
 103 static int __bad_area(struct pt_regs *regs, unsigned long address, int si_code)
 104 {
 105         struct mm_struct *mm = current->mm;
 106 
 107         /*
 108          * Something tried to access memory that isn't in our memory map..
 109          * Fix it, but check if it's kernel or user first..
 110          */
 111         up_read(&mm->mmap_sem);
 112 
 113         return __bad_area_nosemaphore(regs, address, si_code);
 114 }
 115 
 116 static noinline int bad_area(struct pt_regs *regs, unsigned long address)
 117 {
 118         return __bad_area(regs, address, SEGV_MAPERR);
 119 }
 120 
 121 static int bad_key_fault_exception(struct pt_regs *regs, unsigned long address,
 122                                     int pkey)
 123 {
 124         /*
 125          * If we are in kernel mode, bail out with a SEGV, this will
 126          * be caught by the assembly which will restore the non-volatile
 127          * registers before calling bad_page_fault()
 128          */
 129         if (!user_mode(regs))
 130                 return SIGSEGV;
 131 
 132         _exception_pkey(regs, address, pkey);
 133 
 134         return 0;
 135 }
 136 
 137 static noinline int bad_access(struct pt_regs *regs, unsigned long address)
 138 {
 139         return __bad_area(regs, address, SEGV_ACCERR);
 140 }
 141 
 142 static int do_sigbus(struct pt_regs *regs, unsigned long address,
 143                      vm_fault_t fault)
 144 {
 145         if (!user_mode(regs))
 146                 return SIGBUS;
 147 
 148         current->thread.trap_nr = BUS_ADRERR;
 149 #ifdef CONFIG_MEMORY_FAILURE
 150         if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
 151                 unsigned int lsb = 0; /* shutup gcc */
 152 
 153                 pr_err("MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
 154                         current->comm, current->pid, address);
 155 
 156                 if (fault & VM_FAULT_HWPOISON_LARGE)
 157                         lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
 158                 if (fault & VM_FAULT_HWPOISON)
 159                         lsb = PAGE_SHIFT;
 160 
 161                 force_sig_mceerr(BUS_MCEERR_AR, (void __user *)address, lsb);
 162                 return 0;
 163         }
 164 
 165 #endif
 166         force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)address);
 167         return 0;
 168 }
 169 
 170 static int mm_fault_error(struct pt_regs *regs, unsigned long addr,
 171                                 vm_fault_t fault)
 172 {
 173         /*
 174          * Kernel page fault interrupted by SIGKILL. We have no reason to
 175          * continue processing.
 176          */
 177         if (fatal_signal_pending(current) && !user_mode(regs))
 178                 return SIGKILL;
 179 
 180         /* Out of memory */
 181         if (fault & VM_FAULT_OOM) {
 182                 /*
 183                  * We ran out of memory, or some other thing happened to us that
 184                  * made us unable to handle the page fault gracefully.
 185                  */
 186                 if (!user_mode(regs))
 187                         return SIGSEGV;
 188                 pagefault_out_of_memory();
 189         } else {
 190                 if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
 191                              VM_FAULT_HWPOISON_LARGE))
 192                         return do_sigbus(regs, addr, fault);
 193                 else if (fault & VM_FAULT_SIGSEGV)
 194                         return bad_area_nosemaphore(regs, addr);
 195                 else
 196                         BUG();
 197         }
 198         return 0;
 199 }
 200 
 201 /* Is this a bad kernel fault ? */
 202 static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code,
 203                              unsigned long address, bool is_write)
 204 {
 205         int is_exec = TRAP(regs) == 0x400;
 206 
 207         /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */
 208         if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT |
 209                                       DSISR_PROTFAULT))) {
 210                 pr_crit_ratelimited("kernel tried to execute %s page (%lx) - exploit attempt? (uid: %d)\n",
 211                                     address >= TASK_SIZE ? "exec-protected" : "user",
 212                                     address,
 213                                     from_kuid(&init_user_ns, current_uid()));
 214 
 215                 // Kernel exec fault is always bad
 216                 return true;
 217         }
 218 
 219         if (!is_exec && address < TASK_SIZE && (error_code & DSISR_PROTFAULT) &&
 220             !search_exception_tables(regs->nip)) {
 221                 pr_crit_ratelimited("Kernel attempted to access user page (%lx) - exploit attempt? (uid: %d)\n",
 222                                     address,
 223                                     from_kuid(&init_user_ns, current_uid()));
 224         }
 225 
 226         // Kernel fault on kernel address is bad
 227         if (address >= TASK_SIZE)
 228                 return true;
 229 
 230         // Fault on user outside of certain regions (eg. copy_tofrom_user()) is bad
 231         if (!search_exception_tables(regs->nip))
 232                 return true;
 233 
 234         // Read/write fault in a valid region (the exception table search passed
 235         // above), but blocked by KUAP is bad, it can never succeed.
 236         if (bad_kuap_fault(regs, address, is_write))
 237                 return true;
 238 
 239         // What's left? Kernel fault on user in well defined regions (extable
 240         // matched), and allowed by KUAP in the faulting context.
 241         return false;
 242 }
 243 
 244 static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
 245                                 struct vm_area_struct *vma, unsigned int flags,
 246                                 bool *must_retry)
 247 {
 248         /*
 249          * N.B. The POWER/Open ABI allows programs to access up to
 250          * 288 bytes below the stack pointer.
 251          * The kernel signal delivery code writes up to about 1.5kB
 252          * below the stack pointer (r1) before decrementing it.
 253          * The exec code can write slightly over 640kB to the stack
 254          * before setting the user r1.  Thus we allow the stack to
 255          * expand to 1MB without further checks.
 256          */
 257         if (address + 0x100000 < vma->vm_end) {
 258                 unsigned int __user *nip = (unsigned int __user *)regs->nip;
 259                 /* get user regs even if this fault is in kernel mode */
 260                 struct pt_regs *uregs = current->thread.regs;
 261                 if (uregs == NULL)
 262                         return true;
 263 
 264                 /*
 265                  * A user-mode access to an address a long way below
 266                  * the stack pointer is only valid if the instruction
 267                  * is one which would update the stack pointer to the
 268                  * address accessed if the instruction completed,
 269                  * i.e. either stwu rs,n(r1) or stwux rs,r1,rb
 270                  * (or the byte, halfword, float or double forms).
 271                  *
 272                  * If we don't check this then any write to the area
 273                  * between the last mapped region and the stack will
 274                  * expand the stack rather than segfaulting.
 275                  */
 276                 if (address + 2048 >= uregs->gpr[1])
 277                         return false;
 278 
 279                 if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
 280                     access_ok(nip, sizeof(*nip))) {
 281                         unsigned int inst;
 282                         int res;
 283 
 284                         pagefault_disable();
 285                         res = __get_user_inatomic(inst, nip);
 286                         pagefault_enable();
 287                         if (!res)
 288                                 return !store_updates_sp(inst);
 289                         *must_retry = true;
 290                 }
 291                 return true;
 292         }
 293         return false;
 294 }
 295 
 296 static bool access_error(bool is_write, bool is_exec,
 297                          struct vm_area_struct *vma)
 298 {
 299         /*
 300          * Allow execution from readable areas if the MMU does not
 301          * provide separate controls over reading and executing.
 302          *
 303          * Note: That code used to not be enabled for 4xx/BookE.
 304          * It is now as I/D cache coherency for these is done at
 305          * set_pte_at() time and I see no reason why the test
 306          * below wouldn't be valid on those processors. This -may-
 307          * break programs compiled with a really old ABI though.
 308          */
 309         if (is_exec) {
 310                 return !(vma->vm_flags & VM_EXEC) &&
 311                         (cpu_has_feature(CPU_FTR_NOEXECUTE) ||
 312                          !(vma->vm_flags & (VM_READ | VM_WRITE)));
 313         }
 314 
 315         if (is_write) {
 316                 if (unlikely(!(vma->vm_flags & VM_WRITE)))
 317                         return true;
 318                 return false;
 319         }
 320 
 321         if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
 322                 return true;
 323         /*
 324          * We should ideally do the vma pkey access check here. But in the
 325          * fault path, handle_mm_fault() also does the same check. To avoid
 326          * these multiple checks, we skip it here and handle access error due
 327          * to pkeys later.
 328          */
 329         return false;
 330 }
 331 
 332 #ifdef CONFIG_PPC_SMLPAR
 333 static inline void cmo_account_page_fault(void)
 334 {
 335         if (firmware_has_feature(FW_FEATURE_CMO)) {
 336                 u32 page_ins;
 337 
 338                 preempt_disable();
 339                 page_ins = be32_to_cpu(get_lppaca()->page_ins);
 340                 page_ins += 1 << PAGE_FACTOR;
 341                 get_lppaca()->page_ins = cpu_to_be32(page_ins);
 342                 preempt_enable();
 343         }
 344 }
 345 #else
 346 static inline void cmo_account_page_fault(void) { }
 347 #endif /* CONFIG_PPC_SMLPAR */
 348 
 349 #ifdef CONFIG_PPC_BOOK3S
 350 static void sanity_check_fault(bool is_write, bool is_user,
 351                                unsigned long error_code, unsigned long address)
 352 {
 353         /*
 354          * Userspace trying to access kernel address, we get PROTFAULT for that.
 355          */
 356         if (is_user && address >= TASK_SIZE) {
 357                 if ((long)address == -1)
 358                         return;
 359 
 360                 pr_crit_ratelimited("%s[%d]: User access of kernel address (%lx) - exploit attempt? (uid: %d)\n",
 361                                    current->comm, current->pid, address,
 362                                    from_kuid(&init_user_ns, current_uid()));
 363                 return;
 364         }
 365 
 366         /*
 367          * For hash translation mode, we should never get a
 368          * PROTFAULT. Any update to pte to reduce access will result in us
 369          * removing the hash page table entry, thus resulting in a DSISR_NOHPTE
 370          * fault instead of DSISR_PROTFAULT.
 371          *
 372          * A pte update to relax the access will not result in a hash page table
 373          * entry invalidate and hence can result in DSISR_PROTFAULT.
 374          * ptep_set_access_flags() doesn't do a hpte flush. This is why we have
 375          * the special !is_write in the below conditional.
 376          *
 377          * For platforms that doesn't supports coherent icache and do support
 378          * per page noexec bit, we do setup things such that we do the
 379          * sync between D/I cache via fault. But that is handled via low level
 380          * hash fault code (hash_page_do_lazy_icache()) and we should not reach
 381          * here in such case.
 382          *
 383          * For wrong access that can result in PROTFAULT, the above vma->vm_flags
 384          * check should handle those and hence we should fall to the bad_area
 385          * handling correctly.
 386          *
 387          * For embedded with per page exec support that doesn't support coherent
 388          * icache we do get PROTFAULT and we handle that D/I cache sync in
 389          * set_pte_at while taking the noexec/prot fault. Hence this is WARN_ON
 390          * is conditional for server MMU.
 391          *
 392          * For radix, we can get prot fault for autonuma case, because radix
 393          * page table will have them marked noaccess for user.
 394          */
 395         if (radix_enabled() || is_write)
 396                 return;
 397 
 398         WARN_ON_ONCE(error_code & DSISR_PROTFAULT);
 399 }
 400 #else
 401 static void sanity_check_fault(bool is_write, bool is_user,
 402                                unsigned long error_code, unsigned long address) { }
 403 #endif /* CONFIG_PPC_BOOK3S */
 404 
 405 /*
 406  * Define the correct "is_write" bit in error_code based
 407  * on the processor family
 408  */
 409 #if (defined(CONFIG_4xx) || defined(CONFIG_BOOKE))
 410 #define page_fault_is_write(__err)      ((__err) & ESR_DST)
 411 #define page_fault_is_bad(__err)        (0)
 412 #else
 413 #define page_fault_is_write(__err)      ((__err) & DSISR_ISSTORE)
 414 #if defined(CONFIG_PPC_8xx)
 415 #define page_fault_is_bad(__err)        ((__err) & DSISR_NOEXEC_OR_G)
 416 #elif defined(CONFIG_PPC64)
 417 #define page_fault_is_bad(__err)        ((__err) & DSISR_BAD_FAULT_64S)
 418 #else
 419 #define page_fault_is_bad(__err)        ((__err) & DSISR_BAD_FAULT_32S)
 420 #endif
 421 #endif
 422 
 423 /*
 424  * For 600- and 800-family processors, the error_code parameter is DSISR
 425  * for a data fault, SRR1 for an instruction fault. For 400-family processors
 426  * the error_code parameter is ESR for a data fault, 0 for an instruction
 427  * fault.
 428  * For 64-bit processors, the error_code parameter is
 429  *  - DSISR for a non-SLB data access fault,
 430  *  - SRR1 & 0x08000000 for a non-SLB instruction access fault
 431  *  - 0 any SLB fault.
 432  *
 433  * The return value is 0 if the fault was handled, or the signal
 434  * number if this is a kernel fault that can't be handled here.
 435  */
 436 static int __do_page_fault(struct pt_regs *regs, unsigned long address,
 437                            unsigned long error_code)
 438 {
 439         struct vm_area_struct * vma;
 440         struct mm_struct *mm = current->mm;
 441         unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
 442         int is_exec = TRAP(regs) == 0x400;
 443         int is_user = user_mode(regs);
 444         int is_write = page_fault_is_write(error_code);
 445         vm_fault_t fault, major = 0;
 446         bool must_retry = false;
 447         bool kprobe_fault = kprobe_page_fault(regs, 11);
 448 
 449         if (unlikely(debugger_fault_handler(regs) || kprobe_fault))
 450                 return 0;
 451 
 452         if (unlikely(page_fault_is_bad(error_code))) {
 453                 if (is_user) {
 454                         _exception(SIGBUS, regs, BUS_OBJERR, address);
 455                         return 0;
 456                 }
 457                 return SIGBUS;
 458         }
 459 
 460         /* Additional sanity check(s) */
 461         sanity_check_fault(is_write, is_user, error_code, address);
 462 
 463         /*
 464          * The kernel should never take an execute fault nor should it
 465          * take a page fault to a kernel address or a page fault to a user
 466          * address outside of dedicated places
 467          */
 468         if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write)))
 469                 return SIGSEGV;
 470 
 471         /*
 472          * If we're in an interrupt, have no user context or are running
 473          * in a region with pagefaults disabled then we must not take the fault
 474          */
 475         if (unlikely(faulthandler_disabled() || !mm)) {
 476                 if (is_user)
 477                         printk_ratelimited(KERN_ERR "Page fault in user mode"
 478                                            " with faulthandler_disabled()=%d"
 479                                            " mm=%p\n",
 480                                            faulthandler_disabled(), mm);
 481                 return bad_area_nosemaphore(regs, address);
 482         }
 483 
 484         /* We restore the interrupt state now */
 485         if (!arch_irq_disabled_regs(regs))
 486                 local_irq_enable();
 487 
 488         perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
 489 
 490         if (error_code & DSISR_KEYFAULT)
 491                 return bad_key_fault_exception(regs, address,
 492                                                get_mm_addr_key(mm, address));
 493 
 494         /*
 495          * We want to do this outside mmap_sem, because reading code around nip
 496          * can result in fault, which will cause a deadlock when called with
 497          * mmap_sem held
 498          */
 499         if (is_user)
 500                 flags |= FAULT_FLAG_USER;
 501         if (is_write)
 502                 flags |= FAULT_FLAG_WRITE;
 503         if (is_exec)
 504                 flags |= FAULT_FLAG_INSTRUCTION;
 505 
 506         /* When running in the kernel we expect faults to occur only to
 507          * addresses in user space.  All other faults represent errors in the
 508          * kernel and should generate an OOPS.  Unfortunately, in the case of an
 509          * erroneous fault occurring in a code path which already holds mmap_sem
 510          * we will deadlock attempting to validate the fault against the
 511          * address space.  Luckily the kernel only validly references user
 512          * space from well defined areas of code, which are listed in the
 513          * exceptions table.
 514          *
 515          * As the vast majority of faults will be valid we will only perform
 516          * the source reference check when there is a possibility of a deadlock.
 517          * Attempt to lock the address space, if we cannot we then validate the
 518          * source.  If this is invalid we can skip the address space check,
 519          * thus avoiding the deadlock.
 520          */
 521         if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
 522                 if (!is_user && !search_exception_tables(regs->nip))
 523                         return bad_area_nosemaphore(regs, address);
 524 
 525 retry:
 526                 down_read(&mm->mmap_sem);
 527         } else {
 528                 /*
 529                  * The above down_read_trylock() might have succeeded in
 530                  * which case we'll have missed the might_sleep() from
 531                  * down_read():
 532                  */
 533                 might_sleep();
 534         }
 535 
 536         vma = find_vma(mm, address);
 537         if (unlikely(!vma))
 538                 return bad_area(regs, address);
 539         if (likely(vma->vm_start <= address))
 540                 goto good_area;
 541         if (unlikely(!(vma->vm_flags & VM_GROWSDOWN)))
 542                 return bad_area(regs, address);
 543 
 544         /* The stack is being expanded, check if it's valid */
 545         if (unlikely(bad_stack_expansion(regs, address, vma, flags,
 546                                          &must_retry))) {
 547                 if (!must_retry)
 548                         return bad_area(regs, address);
 549 
 550                 up_read(&mm->mmap_sem);
 551                 if (fault_in_pages_readable((const char __user *)regs->nip,
 552                                             sizeof(unsigned int)))
 553                         return bad_area_nosemaphore(regs, address);
 554                 goto retry;
 555         }
 556 
 557         /* Try to expand it */
 558         if (unlikely(expand_stack(vma, address)))
 559                 return bad_area(regs, address);
 560 
 561 good_area:
 562         if (unlikely(access_error(is_write, is_exec, vma)))
 563                 return bad_access(regs, address);
 564 
 565         /*
 566          * If for any reason at all we couldn't handle the fault,
 567          * make sure we exit gracefully rather than endlessly redo
 568          * the fault.
 569          */
 570         fault = handle_mm_fault(vma, address, flags);
 571 
 572 #ifdef CONFIG_PPC_MEM_KEYS
 573         /*
 574          * we skipped checking for access error due to key earlier.
 575          * Check that using handle_mm_fault error return.
 576          */
 577         if (unlikely(fault & VM_FAULT_SIGSEGV) &&
 578                 !arch_vma_access_permitted(vma, is_write, is_exec, 0)) {
 579 
 580                 int pkey = vma_pkey(vma);
 581 
 582                 up_read(&mm->mmap_sem);
 583                 return bad_key_fault_exception(regs, address, pkey);
 584         }
 585 #endif /* CONFIG_PPC_MEM_KEYS */
 586 
 587         major |= fault & VM_FAULT_MAJOR;
 588 
 589         /*
 590          * Handle the retry right now, the mmap_sem has been released in that
 591          * case.
 592          */
 593         if (unlikely(fault & VM_FAULT_RETRY)) {
 594                 /* We retry only once */
 595                 if (flags & FAULT_FLAG_ALLOW_RETRY) {
 596                         /*
 597                          * Clear FAULT_FLAG_ALLOW_RETRY to avoid any risk
 598                          * of starvation.
 599                          */
 600                         flags &= ~FAULT_FLAG_ALLOW_RETRY;
 601                         flags |= FAULT_FLAG_TRIED;
 602                         if (!fatal_signal_pending(current))
 603                                 goto retry;
 604                 }
 605 
 606                 /*
 607                  * User mode? Just return to handle the fatal exception otherwise
 608                  * return to bad_page_fault
 609                  */
 610                 return is_user ? 0 : SIGBUS;
 611         }
 612 
 613         up_read(&current->mm->mmap_sem);
 614 
 615         if (unlikely(fault & VM_FAULT_ERROR))
 616                 return mm_fault_error(regs, address, fault);
 617 
 618         /*
 619          * Major/minor page fault accounting.
 620          */
 621         if (major) {
 622                 current->maj_flt++;
 623                 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address);
 624                 cmo_account_page_fault();
 625         } else {
 626                 current->min_flt++;
 627                 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address);
 628         }
 629         return 0;
 630 }
 631 NOKPROBE_SYMBOL(__do_page_fault);
 632 
 633 int do_page_fault(struct pt_regs *regs, unsigned long address,
 634                   unsigned long error_code)
 635 {
 636         enum ctx_state prev_state = exception_enter();
 637         int rc = __do_page_fault(regs, address, error_code);
 638         exception_exit(prev_state);
 639         return rc;
 640 }
 641 NOKPROBE_SYMBOL(do_page_fault);
 642 
 643 /*
 644  * bad_page_fault is called when we have a bad access from the kernel.
 645  * It is called from the DSI and ISI handlers in head.S and from some
 646  * of the procedures in traps.c.
 647  */
 648 void bad_page_fault(struct pt_regs *regs, unsigned long address, int sig)
 649 {
 650         const struct exception_table_entry *entry;
 651 
 652         /* Are we prepared to handle this fault?  */
 653         if ((entry = search_exception_tables(regs->nip)) != NULL) {
 654                 regs->nip = extable_fixup(entry);
 655                 return;
 656         }
 657 
 658         /* kernel has accessed a bad area */
 659 
 660         switch (TRAP(regs)) {
 661         case 0x300:
 662         case 0x380:
 663         case 0xe00:
 664                 pr_alert("BUG: %s at 0x%08lx\n",
 665                          regs->dar < PAGE_SIZE ? "Kernel NULL pointer dereference" :
 666                          "Unable to handle kernel data access", regs->dar);
 667                 break;
 668         case 0x400:
 669         case 0x480:
 670                 pr_alert("BUG: Unable to handle kernel instruction fetch%s",
 671                          regs->nip < PAGE_SIZE ? " (NULL pointer?)\n" : "\n");
 672                 break;
 673         case 0x600:
 674                 pr_alert("BUG: Unable to handle kernel unaligned access at 0x%08lx\n",
 675                          regs->dar);
 676                 break;
 677         default:
 678                 pr_alert("BUG: Unable to handle unknown paging fault at 0x%08lx\n",
 679                          regs->dar);
 680                 break;
 681         }
 682         printk(KERN_ALERT "Faulting instruction address: 0x%08lx\n",
 683                 regs->nip);
 684 
 685         if (task_stack_end_corrupted(current))
 686                 printk(KERN_ALERT "Thread overran stack, or stack corrupted\n");
 687 
 688         die("Kernel access of bad area", regs, sig);
 689 }

/* [<][>][^][v][top][bottom][index][help] */