2 * linux/arch/i386/mm/fault.c
4 * Copyright (C) 1995 Linus Torvalds
7 #include <linux/signal.h>
8 #include <linux/sched.h>
9 #include <linux/kernel.h>
10 #include <linux/errno.h>
11 #include <linux/string.h>
12 #include <linux/types.h>
13 #include <linux/ptrace.h>
14 #include <linux/mman.h>
16 #include <linux/smp.h>
17 #include <linux/smp_lock.h>
18 #include <linux/interrupt.h>
19 #include <linux/init.h>
20 #include <linux/tty.h>
21 #include <linux/vt_kern.h> /* For unblank_screen() */
22 #include <linux/highmem.h>
23 #include <linux/module.h>
24 #include <linux/kprobes.h>
26 #include <asm/system.h>
27 #include <asm/uaccess.h>
29 #include <asm/kdebug.h>
31 extern void die(const char *,struct pt_regs *,long);
34 ATOMIC_NOTIFIER_HEAD(notify_page_fault_chain);
35 int register_page_fault_notifier(struct notifier_block *nb)
38 return atomic_notifier_chain_register(¬ify_page_fault_chain, nb);
41 int unregister_page_fault_notifier(struct notifier_block *nb)
43 return atomic_notifier_chain_unregister(¬ify_page_fault_chain, nb);
46 static inline int notify_page_fault(enum die_val val, const char *str,
47 struct pt_regs *regs, long err, int trap, int sig)
49 struct die_args args = {
56 return atomic_notifier_call_chain(¬ify_page_fault_chain, val, &args);
59 static inline int notify_page_fault(enum die_val val, const char *str,
60 struct pt_regs *regs, long err, int trap, int sig)
67 * Unlock any spinlocks which will prevent us from getting the
70 void bust_spinlocks(int yes)
72 int loglevel_save = console_loglevel;
83 * OK, the message is on the console. Now we call printk()
84 * without oops_in_progress set so that printk will give klogd
85 * a poke. Hold onto your hats...
87 console_loglevel = 15; /* NMI oopser may have shut the console up */
89 console_loglevel = loglevel_save;
93 * Return EIP plus the CS segment base. The segment limit is also
94 * adjusted, clamped to the kernel/user address space (whichever is
95 * appropriate), and returned in *eip_limit.
97 * The segment is checked, because it might have been changed by another
98 * task between the original faulting instruction and here.
100 * If CS is no longer a valid code segment, or if EIP is beyond the
101 * limit, or if it is a kernel address when CS is not a kernel segment,
102 * then the returned value will be greater than *eip_limit.
104 * This is slow, but is very rarely executed.
106 static inline unsigned long get_segment_eip(struct pt_regs *regs,
107 unsigned long *eip_limit)
109 unsigned long eip = regs->eip;
110 unsigned seg = regs->xcs & 0xffff;
111 u32 seg_ar, seg_limit, base, *desc;
113 /* Unlikely, but must come before segment checks. */
114 if (unlikely(regs->eflags & VM_MASK)) {
116 *eip_limit = base + 0xffff;
117 return base + (eip & 0xffff);
120 /* The standard kernel/user address space limit. */
121 *eip_limit = (seg & 2) ? USER_DS.seg : KERNEL_DS.seg;
123 /* By far the most common cases. */
124 if (likely(seg == __USER_CS || seg == GET_KERNEL_CS()))
127 /* Check the segment exists, is within the current LDT/GDT size,
128 that kernel/user (ring 0..3) has the appropriate privilege,
129 that it's a code segment, and get the limit. */
130 __asm__ ("larl %3,%0; lsll %3,%1"
131 : "=&r" (seg_ar), "=r" (seg_limit) : "0" (0), "rm" (seg));
132 if ((~seg_ar & 0x9800) || eip > seg_limit) {
134 return 1; /* So that returned eip > *eip_limit. */
137 /* Get the GDT/LDT descriptor base.
138 When you look for races in this code remember that
139 LDT and other horrors are only used in user space. */
141 /* Must lock the LDT while reading it. */
142 down(¤t->mm->context.sem);
143 desc = current->mm->context.ldt;
144 desc = (void *)desc + (seg & ~7);
146 /* Must disable preemption while reading the GDT. */
147 desc = (u32 *)get_cpu_gdt_table(get_cpu());
148 desc = (void *)desc + (seg & ~7);
151 /* Decode the code segment base from the descriptor */
152 base = get_desc_base((unsigned long *)desc);
155 up(¤t->mm->context.sem);
159 /* Adjust EIP and segment limit, and clamp at the kernel limit.
160 It's legitimate for segments to wrap at 0xffffffff. */
162 if (seg_limit < *eip_limit && seg_limit >= base)
163 *eip_limit = seg_limit;
168 * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
169 * Check that here and ignore it.
171 static int __is_prefetch(struct pt_regs *regs, unsigned long addr)
174 unsigned long instr = get_segment_eip (regs, &limit);
179 for (i = 0; scan_more && i < 15; i++) {
180 unsigned char opcode;
181 unsigned char instr_hi;
182 unsigned char instr_lo;
186 if (__get_user(opcode, (unsigned char __user *) instr))
189 instr_hi = opcode & 0xf0;
190 instr_lo = opcode & 0x0f;
196 /* Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. */
197 scan_more = ((instr_lo & 7) == 0x6);
201 /* 0x64 thru 0x67 are valid prefixes in all modes. */
202 scan_more = (instr_lo & 0xC) == 0x4;
205 /* 0xF0, 0xF2, and 0xF3 are valid prefixes */
206 scan_more = !instr_lo || (instr_lo>>1) == 1;
209 /* Prefetch instruction is 0x0F0D or 0x0F18 */
213 if (__get_user(opcode, (unsigned char __user *) instr))
215 prefetch = (instr_lo == 0xF) &&
216 (opcode == 0x0D || opcode == 0x18);
226 static inline int is_prefetch(struct pt_regs *regs, unsigned long addr,
227 unsigned long error_code)
229 if (unlikely(boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
230 boot_cpu_data.x86 >= 6)) {
231 /* Catch an obscure case of prefetch inside an NX page. */
232 if (nx_enabled && (error_code & 16))
234 return __is_prefetch(regs, addr);
239 static noinline void force_sig_info_fault(int si_signo, int si_code,
240 unsigned long address, struct task_struct *tsk)
244 info.si_signo = si_signo;
246 info.si_code = si_code;
247 info.si_addr = (void __user *)address;
248 force_sig_info(si_signo, &info, tsk);
251 fastcall void do_invalid_op(struct pt_regs *, unsigned long);
253 #ifdef CONFIG_X86_PAE
254 static void dump_fault_path(unsigned long address)
256 unsigned long *p, page;
260 p = (unsigned long *)__va(page);
261 p += (address >> 30) * 2;
262 printk(KERN_ALERT "%08lx -> *pde = %08lx:%08lx\n", page, p[1], p[0]);
264 mfn = (p[0] >> PAGE_SHIFT) | ((p[1] & 0x7) << 20);
265 page = mfn_to_pfn(mfn) << PAGE_SHIFT;
266 p = (unsigned long *)__va(page);
267 address &= 0x3fffffff;
268 p += (address >> 21) * 2;
269 printk(KERN_ALERT "%08lx -> *pme = %08lx:%08lx\n",
271 #ifndef CONFIG_HIGHPTE
273 mfn = (p[0] >> PAGE_SHIFT) | ((p[1] & 0x7) << 20);
274 page = mfn_to_pfn(mfn) << PAGE_SHIFT;
275 p = (unsigned long *) __va(page);
276 address &= 0x001fffff;
277 p += (address >> 12) * 2;
278 printk(KERN_ALERT "%08lx -> *pte = %08lx:%08lx\n",
285 static void dump_fault_path(unsigned long address)
290 page = ((unsigned long *) __va(page))[address >> 22];
291 if (oops_may_print())
292 printk(KERN_ALERT "*pde = ma %08lx pa %08lx\n", page,
293 machine_to_phys(page));
295 * We must not directly access the pte in the highpte
296 * case, the page table might be allocated in highmem.
297 * And lets rather not kmap-atomic the pte, just in case
298 * it's allocated already.
300 #ifndef CONFIG_HIGHPTE
301 if ((page & 1) && oops_may_print()) {
303 address &= 0x003ff000;
304 page = machine_to_phys(page);
305 page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];
306 printk(KERN_ALERT "*pte = ma %08lx pa %08lx\n", page,
307 machine_to_phys(page));
313 static int spurious_fault(struct pt_regs *regs,
314 unsigned long address,
315 unsigned long error_code)
323 /* Faults in hypervisor area are never spurious. */
324 if (address >= HYPERVISOR_VIRT_START)
328 /* Reserved-bit violation or user access to kernel space? */
329 if (error_code & 0x0c)
332 pgd = init_mm.pgd + pgd_index(address);
333 if (!pgd_present(*pgd))
336 pud = pud_offset(pgd, address);
337 if (!pud_present(*pud))
340 pmd = pmd_offset(pud, address);
341 if (!pmd_present(*pmd))
344 pte = pte_offset_kernel(pmd, address);
345 if (!pte_present(*pte))
347 if ((error_code & 0x02) && !pte_write(*pte))
349 #ifdef CONFIG_X86_PAE
350 if ((error_code & 0x10) && (pte_val(*pte) & _PAGE_NX))
357 static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
359 unsigned index = pgd_index(address);
365 pgd_k = init_mm.pgd + index;
367 if (!pgd_present(*pgd_k))
371 * set_pgd(pgd, *pgd_k); here would be useless on PAE
372 * and redundant with the set_pmd() on non-PAE. As would
376 pud = pud_offset(pgd, address);
377 pud_k = pud_offset(pgd_k, address);
378 if (!pud_present(*pud_k))
381 pmd = pmd_offset(pud, address);
382 pmd_k = pmd_offset(pud_k, address);
383 if (!pmd_present(*pmd_k))
385 if (!pmd_present(*pmd))
387 set_pmd(pmd, *pmd_k);
390 * When running on Xen we must launder *pmd_k through
391 * pmd_val() to ensure that _PAGE_PRESENT is correctly set.
393 set_pmd(pmd, __pmd(pmd_val(*pmd_k)));
396 BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
401 * Handle a fault on the vmalloc or module mapping area
403 * This assumes no large pages in there.
405 static inline int vmalloc_fault(unsigned long address)
407 unsigned long pgd_paddr;
411 * Synchronize this task's top level page-table
412 * with the 'reference' page table.
414 * Do _not_ use "current" here. We might be inside
415 * an interrupt in the middle of a task switch..
417 pgd_paddr = read_cr3();
418 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
421 pte_k = pte_offset_kernel(pmd_k, address);
422 if (!pte_present(*pte_k))
428 * This routine handles page faults. It determines the address,
429 * and the problem, and then passes it off to one of the appropriate
433 * bit 0 == 0 means no page found, 1 means protection fault
434 * bit 1 == 0 means read, 1 means write
435 * bit 2 == 0 means kernel, 1 means user-mode
436 * bit 3 == 1 means use of reserved bit detected
437 * bit 4 == 1 means fault was an instruction fetch
439 fastcall void __kprobes do_page_fault(struct pt_regs *regs,
440 unsigned long error_code)
442 struct task_struct *tsk;
443 struct mm_struct *mm;
444 struct vm_area_struct * vma;
445 unsigned long address;
448 /* get the address */
449 address = read_cr2();
451 /* Set the "privileged fault" bit to something sane. */
453 error_code |= (regs->xcs & 2) << 1;
454 if (regs->eflags & X86_EFLAGS_VM)
459 si_code = SEGV_MAPERR;
462 * We fault-in kernel-space virtual memory on-demand. The
463 * 'reference' page table is init_mm.pgd.
465 * NOTE! We MUST NOT take any locks for this case. We may
466 * be in an interrupt or a critical region, and should
467 * only copy the information from the master page table,
470 * This verifies that the fault happens in kernel space
471 * (error_code & 4) == 0, and that the fault was not a
472 * protection error (error_code & 9) == 0.
474 if (unlikely(address >= TASK_SIZE)) {
476 /* Faults in hypervisor area can never be patched up. */
477 if (address >= HYPERVISOR_VIRT_START)
478 goto bad_area_nosemaphore;
480 if (!(error_code & 0x0000000d) && vmalloc_fault(address) >= 0)
482 /* Can take a spurious fault if mapping changes R/O -> R/W. */
483 if (spurious_fault(regs, address, error_code))
485 if (notify_page_fault(DIE_PAGE_FAULT, "page fault", regs, error_code, 14,
486 SIGSEGV) == NOTIFY_STOP)
489 * Don't take the mm semaphore here. If we fixup a prefetch
490 * fault we could otherwise deadlock.
492 goto bad_area_nosemaphore;
495 if (notify_page_fault(DIE_PAGE_FAULT, "page fault", regs, error_code, 14,
496 SIGSEGV) == NOTIFY_STOP)
499 /* It's safe to allow irq's after cr2 has been saved and the vmalloc
500 fault has been handled. */
501 if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
507 * If we're in an interrupt, have no user context or are running in an
508 * atomic region then we must not take the fault..
510 if (in_atomic() || !mm)
511 goto bad_area_nosemaphore;
513 /* When running in the kernel we expect faults to occur only to
514 * addresses in user space. All other faults represent errors in the
515 * kernel and should generate an OOPS. Unfortunatly, in the case of an
516 * erroneous fault occurring in a code path which already holds mmap_sem
517 * we will deadlock attempting to validate the fault against the
518 * address space. Luckily the kernel only validly references user
519 * space from well defined areas of code, which are listed in the
522 * As the vast majority of faults will be valid we will only perform
523 * the source reference check when there is a possibilty of a deadlock.
524 * Attempt to lock the address space, if we cannot we then validate the
525 * source. If this is invalid we can skip the address space check,
526 * thus avoiding the deadlock.
528 if (!down_read_trylock(&mm->mmap_sem)) {
529 if ((error_code & 4) == 0 &&
530 !search_exception_tables(regs->eip))
531 goto bad_area_nosemaphore;
532 down_read(&mm->mmap_sem);
535 vma = find_vma(mm, address);
538 if (vma->vm_start <= address)
540 if (!(vma->vm_flags & VM_GROWSDOWN))
542 if (error_code & 4) {
544 * Accessing the stack below %esp is always a bug.
545 * The large cushion allows instructions like enter
546 * and pusha to work. ("enter $65535,$31" pushes
547 * 32 pointers and then decrements %esp by 65535.)
549 if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
552 if (expand_stack(vma, address))
555 * Ok, we have a good vm_area for this memory access, so
559 si_code = SEGV_ACCERR;
561 switch (error_code & 3) {
562 default: /* 3: write, present */
563 #ifdef TEST_VERIFY_AREA
564 if (regs->cs == GET_KERNEL_CS())
565 printk("WP fault at %08lx\n", regs->eip);
568 case 2: /* write, not present */
569 if (!(vma->vm_flags & VM_WRITE))
573 case 1: /* read, present */
575 case 0: /* read, not present */
576 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
582 * If for any reason at all we couldn't handle the fault,
583 * make sure we exit gracefully rather than endlessly redo
586 switch (handle_mm_fault(mm, vma, address, write)) {
593 case VM_FAULT_SIGBUS:
602 * Did it hit the DOS screen memory VA from vm86 mode?
604 if (regs->eflags & VM_MASK) {
605 unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT;
607 tsk->thread.screen_bitmap |= 1 << bit;
609 up_read(&mm->mmap_sem);
613 * Something tried to access memory that isn't in our memory map..
614 * Fix it, but check if it's kernel or user first..
617 up_read(&mm->mmap_sem);
619 bad_area_nosemaphore:
620 /* User mode accesses just cause a SIGSEGV */
621 if (error_code & 4) {
623 * Valid to do another page fault here because this one came
626 if (is_prefetch(regs, address, error_code))
629 tsk->thread.cr2 = address;
630 /* Kernel addresses are always protection faults */
631 tsk->thread.error_code = error_code | (address >= TASK_SIZE);
632 tsk->thread.trap_no = 14;
633 force_sig_info_fault(SIGSEGV, si_code, address, tsk);
637 #ifdef CONFIG_X86_F00F_BUG
639 * Pentium F0 0F C7 C8 bug workaround.
641 if (boot_cpu_data.f00f_bug) {
644 nr = (address - idt_descr.address) >> 3;
647 do_invalid_op(regs, 0);
654 /* Are we prepared to handle this kernel fault? */
655 if (fixup_exception(regs))
659 * Valid to do another page fault here, because if this fault
660 * had been triggered by is_prefetch fixup_exception would have
663 if (is_prefetch(regs, address, error_code))
667 * Oops. The kernel tried to access some bad page. We'll have to
668 * terminate things with extreme prejudice.
673 if (oops_may_print()) {
674 #ifdef CONFIG_X86_PAE
675 if (error_code & 16) {
676 pte_t *pte = lookup_address(address);
678 if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
679 printk(KERN_CRIT "kernel tried to execute "
680 "NX-protected page - exploit attempt? "
681 "(uid: %d)\n", current->uid);
684 if (address < PAGE_SIZE)
685 printk(KERN_ALERT "BUG: unable to handle kernel NULL "
686 "pointer dereference");
688 printk(KERN_ALERT "BUG: unable to handle kernel paging"
690 printk(" at virtual address %08lx\n",address);
691 printk(KERN_ALERT " printing eip:\n");
692 printk("%08lx\n", regs->eip);
693 dump_fault_path(address);
695 tsk->thread.cr2 = address;
696 tsk->thread.trap_no = 14;
697 tsk->thread.error_code = error_code;
698 die("Oops", regs, error_code);
703 * We ran out of memory, or some other thing happened to us that made
704 * us unable to handle the page fault gracefully.
707 up_read(&mm->mmap_sem);
710 down_read(&mm->mmap_sem);
713 printk("VM: killing process %s\n", tsk->comm);
719 up_read(&mm->mmap_sem);
721 /* Kernel mode? Handle exceptions or die */
722 if (!(error_code & 4))
725 /* User space => ok to do another page fault */
726 if (is_prefetch(regs, address, error_code))
729 tsk->thread.cr2 = address;
730 tsk->thread.error_code = error_code;
731 tsk->thread.trap_no = 14;
732 force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk);
735 #ifndef CONFIG_X86_PAE
736 void vmalloc_sync_all(void)
739 * Note that races in the updates of insync and start aren't
740 * problematic: insync can only get set bits added, and updates to
741 * start are only improving performance (without affecting correctness
744 static DECLARE_BITMAP(insync, PTRS_PER_PGD);
745 static unsigned long start = TASK_SIZE;
746 unsigned long address;
748 BUILD_BUG_ON(TASK_SIZE & ~PGDIR_MASK);
749 for (address = start; address >= TASK_SIZE; address += PGDIR_SIZE) {
750 if (!test_bit(pgd_index(address), insync)) {
754 spin_lock_irqsave(&pgd_lock, flags);
755 for (page = pgd_list; page; page =
756 (struct page *)page->index)
757 if (!vmalloc_sync_one(page_address(page),
759 BUG_ON(page != pgd_list);
762 spin_unlock_irqrestore(&pgd_lock, flags);
764 set_bit(pgd_index(address), insync);
766 if (address == start && test_bit(pgd_index(address), insync))
767 start = address + PGDIR_SIZE;