2 * Copyright (C) 1995 Linus Torvalds
3 * Copyright (C) 2001,2002 Andi Kleen, SuSE Labs.
6 #include <linux/signal.h>
7 #include <linux/sched.h>
8 #include <linux/kernel.h>
9 #include <linux/errno.h>
10 #include <linux/string.h>
11 #include <linux/types.h>
12 #include <linux/ptrace.h>
13 #include <linux/mman.h>
15 #include <linux/smp.h>
16 #include <linux/interrupt.h>
17 #include <linux/init.h>
18 #include <linux/tty.h>
19 #include <linux/vt_kern.h> /* For unblank_screen() */
20 #include <linux/compiler.h>
21 #include <linux/vmalloc.h>
22 #include <linux/module.h>
23 #include <linux/kprobes.h>
24 #include <linux/uaccess.h>
25 #include <linux/kdebug.h>
27 #include <asm/system.h>
28 #include <asm/pgalloc.h>
30 #include <asm/tlbflush.h>
31 #include <asm/proto.h>
32 #include <asm-generic/sections.h>
35 * Page fault error code bits
36 * bit 0 == 0 means no page found, 1 means protection fault
37 * bit 1 == 0 means read, 1 means write
38 * bit 2 == 0 means kernel, 1 means user-mode
39 * bit 3 == 1 means use of reserved bit detected
40 * bit 4 == 1 means fault was an instruction fetch
42 #define PF_PROT (1<<0)
43 #define PF_WRITE (1<<1)
44 #define PF_USER (1<<2)
45 #define PF_RSVD (1<<3)
46 #define PF_INSTR (1<<4)
48 static inline int notify_page_fault(struct pt_regs *regs)
53 /* kprobe_running() needs smp_processor_id() */
54 if (!user_mode(regs)) {
56 if (kprobe_running() && kprobe_fault_handler(regs, 14))
69 * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
70 * Check that here and ignore it.
73 * Sometimes the CPU reports invalid exceptions on prefetch.
74 * Check that here and ignore it.
76 * Opcode checker based on code by Richard Brunner
78 static int is_prefetch(struct pt_regs *regs, unsigned long addr,
79 unsigned long error_code)
84 unsigned char *max_instr;
87 if (unlikely(boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
88 boot_cpu_data.x86 >= 6)) {
89 /* Catch an obscure case of prefetch inside an NX page. */
90 if (nx_enabled && (error_code & PF_INSTR))
96 /* If it was a exec fault ignore */
97 if (error_code & PF_INSTR)
101 instr = (unsigned char *)convert_ip_to_linear(current, regs);
102 max_instr = instr + 15;
104 if (user_mode(regs) && instr >= (unsigned char *)TASK_SIZE)
107 while (scan_more && instr < max_instr) {
108 unsigned char opcode;
109 unsigned char instr_hi;
110 unsigned char instr_lo;
112 if (probe_kernel_address(instr, opcode))
115 instr_hi = opcode & 0xf0;
116 instr_lo = opcode & 0x0f;
123 * Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes.
124 * In X86_64 long mode, the CPU will signal invalid
125 * opcode if some of these prefixes are present so
126 * X86_64 will never get here anyway
128 scan_more = ((instr_lo & 7) == 0x6);
133 * In AMD64 long mode 0x40..0x4F are valid REX prefixes
134 * Need to figure out under what instruction mode the
135 * instruction was issued. Could check the LDT for lm,
136 * but for now it's good enough to assume that long
137 * mode only uses well known segments or kernel.
139 scan_more = (!user_mode(regs)) || (regs->cs == __USER_CS);
143 /* 0x64 thru 0x67 are valid prefixes in all modes. */
144 scan_more = (instr_lo & 0xC) == 0x4;
147 /* 0xF0, 0xF2, 0xF3 are valid prefixes in all modes. */
148 scan_more = !instr_lo || (instr_lo>>1) == 1;
151 /* Prefetch instruction is 0x0F0D or 0x0F18 */
154 if (probe_kernel_address(instr, opcode))
156 prefetch = (instr_lo == 0xF) &&
157 (opcode == 0x0D || opcode == 0x18);
167 static void force_sig_info_fault(int si_signo, int si_code,
168 unsigned long address, struct task_struct *tsk)
172 info.si_signo = si_signo;
174 info.si_code = si_code;
175 info.si_addr = (void __user *)address;
176 force_sig_info(si_signo, &info, tsk);
179 static int bad_address(void *p)
182 return probe_kernel_address((unsigned long *)p, dummy);
185 void dump_pagetable(unsigned long address)
192 pgd = (pgd_t *)read_cr3();
194 pgd = __va((unsigned long)pgd & PHYSICAL_PAGE_MASK);
195 pgd += pgd_index(address);
196 if (bad_address(pgd)) goto bad;
197 printk("PGD %lx ", pgd_val(*pgd));
198 if (!pgd_present(*pgd)) goto ret;
200 pud = pud_offset(pgd, address);
201 if (bad_address(pud)) goto bad;
202 printk("PUD %lx ", pud_val(*pud));
203 if (!pud_present(*pud)) goto ret;
205 pmd = pmd_offset(pud, address);
206 if (bad_address(pmd)) goto bad;
207 printk("PMD %lx ", pmd_val(*pmd));
208 if (!pmd_present(*pmd) || pmd_large(*pmd)) goto ret;
210 pte = pte_offset_kernel(pmd, address);
211 if (bad_address(pte)) goto bad;
212 printk("PTE %lx", pte_val(*pte));
221 static const char errata93_warning[] =
222 KERN_ERR "******* Your BIOS seems to not contain a fix for K8 errata #93\n"
223 KERN_ERR "******* Working around it, but it may cause SEGVs or burn power.\n"
224 KERN_ERR "******* Please consider a BIOS update.\n"
225 KERN_ERR "******* Disabling USB legacy in the BIOS may also help.\n";
228 /* Workaround for K8 erratum #93 & buggy BIOS.
229 BIOS SMM functions are required to use a specific workaround
230 to avoid corruption of the 64bit RIP register on C stepping K8.
231 A lot of BIOS that didn't get tested properly miss this.
232 The OS sees this as a page fault with the upper 32bits of RIP cleared.
233 Try to work around it here.
234 Note we only handle faults in kernel here.
235 Does nothing for X86_32
237 static int is_errata93(struct pt_regs *regs, unsigned long address)
241 if (address != regs->ip)
243 if ((address >> 32) != 0)
245 address |= 0xffffffffUL << 32;
246 if ((address >= (u64)_stext && address <= (u64)_etext) ||
247 (address >= MODULES_VADDR && address <= MODULES_END)) {
249 printk(errata93_warning);
260 * Work around K8 erratum #100 K8 in compat mode occasionally jumps to illegal
261 * addresses >4GB. We catch this in the page fault handler because these
262 * addresses are not reachable. Just detect this case and return. Any code
263 * segment in LDT is compatibility mode.
265 static int is_errata100(struct pt_regs *regs, unsigned long address)
268 if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) &&
275 void do_invalid_op(struct pt_regs *, unsigned long);
277 static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
279 #ifdef CONFIG_X86_F00F_BUG
282 * Pentium F0 0F C7 C8 bug workaround.
284 if (boot_cpu_data.f00f_bug) {
285 nr = (address - idt_descr.address) >> 3;
288 do_invalid_op(regs, 0);
296 static void show_fault_oops(struct pt_regs *regs, unsigned long error_code,
297 unsigned long address)
299 printk(KERN_ALERT "BUG: unable to handle kernel ");
300 if (address < PAGE_SIZE)
301 printk(KERN_CONT "NULL pointer dereference");
303 printk(KERN_CONT "paging request");
304 printk(KERN_CONT " at %016lx\n", address);
306 printk(KERN_ALERT "IP:");
307 printk_address(regs->ip, 1);
308 dump_pagetable(address);
311 static noinline void pgtable_bad(unsigned long address, struct pt_regs *regs,
312 unsigned long error_code)
314 unsigned long flags = oops_begin();
315 struct task_struct *tsk;
317 printk(KERN_ALERT "%s: Corrupted page table at address %lx\n",
318 current->comm, address);
319 dump_pagetable(address);
321 tsk->thread.cr2 = address;
322 tsk->thread.trap_no = 14;
323 tsk->thread.error_code = error_code;
324 if (__die("Bad pagetable", regs, error_code))
326 oops_end(flags, regs, SIGKILL);
330 * Handle a fault on the vmalloc area
332 * This assumes no large pages in there.
334 static int vmalloc_fault(unsigned long address)
337 unsigned long pgd_paddr;
341 * Synchronize this task's top level page-table
342 * with the 'reference' page table.
344 * Do _not_ use "current" here. We might be inside
345 * an interrupt in the middle of a task switch..
347 pgd_paddr = read_cr3();
348 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
351 pte_k = pte_offset_kernel(pmd_k, address);
352 if (!pte_present(*pte_k))
356 pgd_t *pgd, *pgd_ref;
357 pud_t *pud, *pud_ref;
358 pmd_t *pmd, *pmd_ref;
359 pte_t *pte, *pte_ref;
361 /* Copy kernel mappings over when needed. This can also
362 happen within a race in page table update. In the later
365 pgd = pgd_offset(current->mm ?: &init_mm, address);
366 pgd_ref = pgd_offset_k(address);
367 if (pgd_none(*pgd_ref))
370 set_pgd(pgd, *pgd_ref);
372 BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
374 /* Below here mismatches are bugs because these lower tables
377 pud = pud_offset(pgd, address);
378 pud_ref = pud_offset(pgd_ref, address);
379 if (pud_none(*pud_ref))
381 if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref))
383 pmd = pmd_offset(pud, address);
384 pmd_ref = pmd_offset(pud_ref, address);
385 if (pmd_none(*pmd_ref))
387 if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref))
389 pte_ref = pte_offset_kernel(pmd_ref, address);
390 if (!pte_present(*pte_ref))
392 pte = pte_offset_kernel(pmd, address);
393 /* Don't use pte_page here, because the mappings can point
394 outside mem_map, and the NUMA hash lookup cannot handle
396 if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
402 int show_unhandled_signals = 1;
405 * This routine handles page faults. It determines the address,
406 * and the problem, and then passes it off to one of the appropriate
409 asmlinkage void __kprobes do_page_fault(struct pt_regs *regs,
410 unsigned long error_code)
412 struct task_struct *tsk;
413 struct mm_struct *mm;
414 struct vm_area_struct *vma;
415 unsigned long address;
421 * We can fault from pretty much anywhere, with unknown IRQ state.
423 trace_hardirqs_fixup();
427 prefetchw(&mm->mmap_sem);
429 /* get the address */
430 address = read_cr2();
432 si_code = SEGV_MAPERR;
434 if (notify_page_fault(regs))
438 * We fault-in kernel-space virtual memory on-demand. The
439 * 'reference' page table is init_mm.pgd.
441 * NOTE! We MUST NOT take any locks for this case. We may
442 * be in an interrupt or a critical region, and should
443 * only copy the information from the master page table,
446 * This verifies that the fault happens in kernel space
447 * (error_code & 4) == 0, and that the fault was not a
448 * protection error (error_code & 9) == 0.
450 if (unlikely(address >= TASK_SIZE64)) {
452 * Don't check for the module range here: its PML4
453 * is always initialized because it's shared with the main
454 * kernel text. Only vmalloc may need PML4 syncups.
456 if (!(error_code & (PF_RSVD|PF_USER|PF_PROT)) &&
457 ((address >= VMALLOC_START && address < VMALLOC_END))) {
458 if (vmalloc_fault(address) >= 0)
462 * Don't take the mm semaphore here. If we fixup a prefetch
463 * fault we could otherwise deadlock.
465 goto bad_area_nosemaphore;
468 if (likely(regs->flags & X86_EFLAGS_IF))
471 if (unlikely(error_code & PF_RSVD))
472 pgtable_bad(address, regs, error_code);
475 * If we're in an interrupt, have no user context or are running in an
476 * atomic region then we must not take the fault.
478 if (unlikely(in_atomic() || !mm))
479 goto bad_area_nosemaphore;
482 * User-mode registers count as a user access even for any
483 * potential system fault or CPU buglet.
485 if (user_mode_vm(regs))
486 error_code |= PF_USER;
489 /* When running in the kernel we expect faults to occur only to
490 * addresses in user space. All other faults represent errors in the
491 * kernel and should generate an OOPS. Unfortunately, in the case of an
492 * erroneous fault occurring in a code path which already holds mmap_sem
493 * we will deadlock attempting to validate the fault against the
494 * address space. Luckily the kernel only validly references user
495 * space from well defined areas of code, which are listed in the
498 * As the vast majority of faults will be valid we will only perform
499 * the source reference check when there is a possibility of a deadlock.
500 * Attempt to lock the address space, if we cannot we then validate the
501 * source. If this is invalid we can skip the address space check,
502 * thus avoiding the deadlock.
504 if (!down_read_trylock(&mm->mmap_sem)) {
505 if ((error_code & PF_USER) == 0 &&
506 !search_exception_tables(regs->ip))
507 goto bad_area_nosemaphore;
508 down_read(&mm->mmap_sem);
511 vma = find_vma(mm, address);
514 if (likely(vma->vm_start <= address))
516 if (!(vma->vm_flags & VM_GROWSDOWN))
518 if (error_code & PF_USER) {
520 * Accessing the stack below %sp is always a bug.
521 * The large cushion allows instructions like enter
522 * and pusha to work. ("enter $65535,$31" pushes
523 * 32 pointers and then decrements %sp by 65535.)
525 if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
528 if (expand_stack(vma, address))
531 * Ok, we have a good vm_area for this memory access, so
535 si_code = SEGV_ACCERR;
537 switch (error_code & (PF_PROT|PF_WRITE)) {
538 default: /* 3: write, present */
540 case PF_WRITE: /* write, not present */
541 if (!(vma->vm_flags & VM_WRITE))
545 case PF_PROT: /* read, present */
547 case 0: /* read, not present */
548 if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE)))
553 * If for any reason at all we couldn't handle the fault,
554 * make sure we exit gracefully rather than endlessly redo
557 fault = handle_mm_fault(mm, vma, address, write);
558 if (unlikely(fault & VM_FAULT_ERROR)) {
559 if (fault & VM_FAULT_OOM)
561 else if (fault & VM_FAULT_SIGBUS)
565 if (fault & VM_FAULT_MAJOR)
572 * Did it hit the DOS screen memory VA from vm86 mode?
574 if (v8086_mode(regs)) {
575 unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT;
577 tsk->thread.screen_bitmap |= 1 << bit;
580 up_read(&mm->mmap_sem);
584 * Something tried to access memory that isn't in our memory map..
585 * Fix it, but check if it's kernel or user first..
588 up_read(&mm->mmap_sem);
590 bad_area_nosemaphore:
591 /* User mode accesses just cause a SIGSEGV */
592 if (error_code & PF_USER) {
595 * It's possible to have interrupts off here.
599 if (is_prefetch(regs, address, error_code))
602 if (is_errata100(regs, address))
605 if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
606 printk_ratelimit()) {
609 "%s%s[%d]: segfault at %lx ip %08lx sp %08lx error %lx",
611 "%s%s[%d]: segfault at %lx ip %lx sp %lx error %lx",
613 task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
614 tsk->comm, task_pid_nr(tsk), address, regs->ip,
615 regs->sp, error_code);
616 print_vma_addr(" in ", regs->ip);
620 tsk->thread.cr2 = address;
621 /* Kernel addresses are always protection faults */
622 tsk->thread.error_code = error_code | (address >= TASK_SIZE);
623 tsk->thread.trap_no = 14;
625 force_sig_info_fault(SIGSEGV, si_code, address, tsk);
629 if (is_f00f_bug(regs, address))
633 /* Are we prepared to handle this kernel fault? */
634 if (fixup_exception(regs))
638 * Hall of shame of CPU/BIOS bugs.
641 if (is_prefetch(regs, address, error_code))
644 if (is_errata93(regs, address))
648 * Oops. The kernel tried to access some bad page. We'll have to
649 * terminate things with extreme prejudice.
652 flags = oops_begin();
654 show_fault_oops(regs, error_code, address);
656 tsk->thread.cr2 = address;
657 tsk->thread.trap_no = 14;
658 tsk->thread.error_code = error_code;
659 if (__die("Oops", regs, error_code))
661 /* Executive summary in case the body of the oops scrolled away */
662 printk(KERN_EMERG "CR2: %016lx\n", address);
663 oops_end(flags, regs, SIGKILL);
666 * We ran out of memory, or some other thing happened to us that made
667 * us unable to handle the page fault gracefully.
670 up_read(&mm->mmap_sem);
671 if (is_global_init(current)) {
675 printk("VM: killing process %s\n", tsk->comm);
676 if (error_code & PF_USER)
677 do_group_exit(SIGKILL);
681 up_read(&mm->mmap_sem);
683 /* Kernel mode? Handle exceptions or die */
684 if (!(error_code & PF_USER))
687 tsk->thread.cr2 = address;
688 tsk->thread.error_code = error_code;
689 tsk->thread.trap_no = 14;
690 force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk);
694 DEFINE_SPINLOCK(pgd_lock);
697 void vmalloc_sync_all(void)
700 * Note that races in the updates of insync and start aren't
701 * problematic: insync can only get set bits added, and updates to
702 * start are only improving performance (without affecting correctness
705 static DECLARE_BITMAP(insync, PTRS_PER_PGD);
706 static unsigned long start = VMALLOC_START & PGDIR_MASK;
707 unsigned long address;
709 for (address = start; address <= VMALLOC_END; address += PGDIR_SIZE) {
710 if (!test_bit(pgd_index(address), insync)) {
711 const pgd_t *pgd_ref = pgd_offset_k(address);
714 if (pgd_none(*pgd_ref))
716 spin_lock(&pgd_lock);
717 list_for_each_entry(page, &pgd_list, lru) {
719 pgd = (pgd_t *)page_address(page) + pgd_index(address);
721 set_pgd(pgd, *pgd_ref);
723 BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
725 spin_unlock(&pgd_lock);
726 set_bit(pgd_index(address), insync);
728 if (address == start)
729 start = address + PGDIR_SIZE;
731 /* Check that there is no need to do the same for the modules area. */
732 BUILD_BUG_ON(!(MODULES_VADDR > __START_KERNEL));
733 BUILD_BUG_ON(!(((MODULES_END - 1) & PGDIR_MASK) ==
734 (__START_KERNEL & PGDIR_MASK)));