2019-05-27 00:55:01 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-09-26 00:04:21 -06:00
|
|
|
/*
|
|
|
|
|
* PowerPC version
|
|
|
|
|
* Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
|
|
|
|
|
*
|
|
|
|
|
* Derived from "arch/i386/mm/fault.c"
|
|
|
|
|
* Copyright (C) 1991, 1992, 1993, 1994 Linus Torvalds
|
|
|
|
|
*
|
|
|
|
|
* Modified by Cort Dougan and Paul Mackerras.
|
|
|
|
|
*
|
|
|
|
|
* Modified for PPC64 by Dave Engebretsen (engebret@ibm.com)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/signal.h>
|
|
|
|
|
#include <linux/sched.h>
|
2017-02-08 10:51:37 -07:00
|
|
|
#include <linux/sched/task_stack.h>
|
2005-09-26 00:04:21 -06:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/types.h>
|
2018-05-23 02:53:22 -06:00
|
|
|
#include <linux/pagemap.h>
|
2005-09-26 00:04:21 -06:00
|
|
|
#include <linux/ptrace.h>
|
|
|
|
|
#include <linux/mman.h>
|
|
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/interrupt.h>
|
|
|
|
|
#include <linux/highmem.h>
|
2016-08-16 08:57:34 -06:00
|
|
|
#include <linux/extable.h>
|
2005-09-26 00:04:21 -06:00
|
|
|
#include <linux/kprobes.h>
|
2007-05-08 01:27:03 -06:00
|
|
|
#include <linux/kdebug.h>
|
perf: Do the big rename: Performance Counters -> Performance Events
Bye-bye Performance Counters, welcome Performance Events!
In the past few months the perfcounters subsystem has grown out its
initial role of counting hardware events, and has become (and is
becoming) a much broader generic event enumeration, reporting, logging,
monitoring, analysis facility.
Naming its core object 'perf_counter' and naming the subsystem
'perfcounters' has become more and more of a misnomer. With pending
code like hw-breakpoints support the 'counter' name is less and
less appropriate.
All in one, we've decided to rename the subsystem to 'performance
events' and to propagate this rename through all fields, variables
and API names. (in an ABI compatible fashion)
The word 'event' is also a bit shorter than 'counter' - which makes
it slightly more convenient to write/handle as well.
Thanks goes to Stephane Eranian who first observed this misnomer and
suggested a rename.
User-space tooling and ABI compatibility is not affected - this patch
should be function-invariant. (Also, defconfigs were not touched to
keep the size down.)
This patch has been generated via the following script:
FILES=$(find * -type f | grep -vE 'oprofile|[^K]config')
sed -i \
-e 's/PERF_EVENT_/PERF_RECORD_/g' \
-e 's/PERF_COUNTER/PERF_EVENT/g' \
-e 's/perf_counter/perf_event/g' \
-e 's/nb_counters/nb_events/g' \
-e 's/swcounter/swevent/g' \
-e 's/tpcounter_event/tp_event/g' \
$FILES
for N in $(find . -name perf_counter.[ch]); do
M=$(echo $N | sed 's/perf_counter/perf_event/g')
mv $N $M
done
FILES=$(find . -name perf_event.*)
sed -i \
-e 's/COUNTER_MASK/REG_MASK/g' \
-e 's/COUNTER/EVENT/g' \
-e 's/\<event\>/event_id/g' \
-e 's/counter/event/g' \
-e 's/Counter/Event/g' \
$FILES
... to keep it as correct as possible. This script can also be
used by anyone who has pending perfcounters patches - it converts
a Linux kernel tree over to the new naming. We tried to time this
change to the point in time where the amount of pending patches
is the smallest: the end of the merge window.
Namespace clashes were fixed up in a preparatory patch - and some
stylistic fallout will be fixed up in a subsequent patch.
( NOTE: 'counters' are still the proper terminology when we deal
with hardware registers - and these sed scripts are a bit
over-eager in renaming them. I've undone some of that, but
in case there's something left where 'counter' would be
better than 'event' we can undo that on an individual basis
instead of touching an otherwise nicely automated patch. )
Suggested-by: Stephane Eranian <eranian@google.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Paul Mackerras <paulus@samba.org>
Reviewed-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <linux-arch@vger.kernel.org>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-09-21 04:02:48 -06:00
|
|
|
#include <linux/perf_event.h>
|
2011-06-03 23:36:54 -06:00
|
|
|
#include <linux/ratelimit.h>
|
powerpc: Exception hooks for context tracking subsystem
This is the exception hooks for context tracking subsystem, including
data access, program check, single step, instruction breakpoint, machine check,
alignment, fp unavailable, altivec assist, unknown exception, whose handlers
might use RCU.
This patch corresponds to
[PATCH] x86: Exception hooks for userspace RCU extended QS
commit 6ba3c97a38803883c2eee489505796cb0a727122
But after the exception handling moved to generic code, and some changes in
following two commits:
56dd9470d7c8734f055da2a6bac553caf4a468eb
context_tracking: Move exception handling to generic code
6c1e0256fad84a843d915414e4b5973b7443d48d
context_tracking: Restore correct previous context state on exception exit
it is able for exception hooks to use the generic code above instead of a
redundant arch implementation.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2013-05-13 10:16:41 -06:00
|
|
|
#include <linux/context_tracking.h>
|
2014-09-24 00:59:58 -06:00
|
|
|
#include <linux/hugetlb.h>
|
2015-05-11 09:52:11 -06:00
|
|
|
#include <linux/uaccess.h>
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2008-10-21 23:53:45 -06:00
|
|
|
#include <asm/firmware.h>
|
2005-09-26 00:04:21 -06:00
|
|
|
#include <asm/page.h>
|
|
|
|
|
#include <asm/pgtable.h>
|
|
|
|
|
#include <asm/mmu.h>
|
|
|
|
|
#include <asm/mmu_context.h>
|
|
|
|
|
#include <asm/siginfo.h>
|
2012-03-28 11:30:02 -06:00
|
|
|
#include <asm/debug.h>
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
#include <asm/kup.h>
|
2006-06-26 01:25:27 -06:00
|
|
|
|
2005-09-26 00:04:21 -06:00
|
|
|
/*
|
2018-05-23 02:53:22 -06:00
|
|
|
* Check whether the instruction inst is a store using
|
2005-09-26 00:04:21 -06:00
|
|
|
* an update addressing form which will update r1.
|
|
|
|
|
*/
|
2018-05-23 02:53:22 -06:00
|
|
|
static bool store_updates_sp(unsigned int inst)
|
2005-09-26 00:04:21 -06:00
|
|
|
{
|
|
|
|
|
/* check for 1 in the rA field */
|
|
|
|
|
if (((inst >> 16) & 0x1f) != 1)
|
2017-07-18 22:49:45 -06:00
|
|
|
return false;
|
2005-09-26 00:04:21 -06:00
|
|
|
/* check major opcode */
|
|
|
|
|
switch (inst >> 26) {
|
2018-05-23 01:04:04 -06:00
|
|
|
case OP_STWU:
|
|
|
|
|
case OP_STBU:
|
|
|
|
|
case OP_STHU:
|
|
|
|
|
case OP_STFSU:
|
|
|
|
|
case OP_STFDU:
|
2017-07-18 22:49:45 -06:00
|
|
|
return true;
|
2018-05-23 01:04:04 -06:00
|
|
|
case OP_STD: /* std or stdu */
|
2005-09-26 00:04:21 -06:00
|
|
|
return (inst & 3) == 1;
|
2018-05-23 01:04:04 -06:00
|
|
|
case OP_31:
|
2005-09-26 00:04:21 -06:00
|
|
|
/* check minor opcode */
|
|
|
|
|
switch ((inst >> 1) & 0x3ff) {
|
2018-05-23 01:04:04 -06:00
|
|
|
case OP_31_XOP_STDUX:
|
|
|
|
|
case OP_31_XOP_STWUX:
|
|
|
|
|
case OP_31_XOP_STBUX:
|
|
|
|
|
case OP_31_XOP_STHUX:
|
|
|
|
|
case OP_31_XOP_STFSUX:
|
|
|
|
|
case OP_31_XOP_STFDUX:
|
2017-07-18 22:49:45 -06:00
|
|
|
return true;
|
2005-09-26 00:04:21 -06:00
|
|
|
}
|
|
|
|
|
}
|
2017-07-18 22:49:45 -06:00
|
|
|
return false;
|
2005-09-26 00:04:21 -06:00
|
|
|
}
|
2012-03-01 00:14:45 -07:00
|
|
|
/*
|
|
|
|
|
* do_page_fault error handling helpers
|
|
|
|
|
*/
|
|
|
|
|
|
2017-07-18 22:49:35 -06:00
|
|
|
static int
|
2018-09-18 02:42:33 -06:00
|
|
|
__bad_area_nosemaphore(struct pt_regs *regs, unsigned long address, int si_code)
|
2017-07-18 22:49:35 -06:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* If we are in kernel mode, bail out with a SEGV, this will
|
|
|
|
|
* be caught by the assembly which will restore the non-volatile
|
|
|
|
|
* registers before calling bad_page_fault()
|
|
|
|
|
*/
|
|
|
|
|
if (!user_mode(regs))
|
|
|
|
|
return SIGSEGV;
|
|
|
|
|
|
2018-09-18 02:42:33 -06:00
|
|
|
_exception(SIGSEGV, regs, si_code, address);
|
2017-07-18 22:49:35 -06:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static noinline int bad_area_nosemaphore(struct pt_regs *regs, unsigned long address)
|
|
|
|
|
{
|
2018-09-18 02:42:33 -06:00
|
|
|
return __bad_area_nosemaphore(regs, address, SEGV_MAPERR);
|
2017-07-18 22:49:35 -06:00
|
|
|
}
|
|
|
|
|
|
2018-09-18 01:19:24 -06:00
|
|
|
static int __bad_area(struct pt_regs *regs, unsigned long address, int si_code)
|
2017-07-18 22:49:35 -06:00
|
|
|
{
|
|
|
|
|
struct mm_struct *mm = current->mm;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Something tried to access memory that isn't in our memory map..
|
|
|
|
|
* Fix it, but check if it's kernel or user first..
|
|
|
|
|
*/
|
|
|
|
|
up_read(&mm->mmap_sem);
|
|
|
|
|
|
2018-09-18 02:42:33 -06:00
|
|
|
return __bad_area_nosemaphore(regs, address, si_code);
|
2017-07-18 22:49:35 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static noinline int bad_area(struct pt_regs *regs, unsigned long address)
|
|
|
|
|
{
|
2018-09-18 01:19:24 -06:00
|
|
|
return __bad_area(regs, address, SEGV_MAPERR);
|
2018-01-18 18:50:42 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int bad_key_fault_exception(struct pt_regs *regs, unsigned long address,
|
|
|
|
|
int pkey)
|
|
|
|
|
{
|
2018-09-18 01:14:49 -06:00
|
|
|
/*
|
|
|
|
|
* If we are in kernel mode, bail out with a SEGV, this will
|
|
|
|
|
* be caught by the assembly which will restore the non-volatile
|
|
|
|
|
* registers before calling bad_page_fault()
|
|
|
|
|
*/
|
|
|
|
|
if (!user_mode(regs))
|
|
|
|
|
return SIGSEGV;
|
|
|
|
|
|
2018-09-18 02:56:25 -06:00
|
|
|
_exception_pkey(regs, address, pkey);
|
2018-09-18 01:14:49 -06:00
|
|
|
|
|
|
|
|
return 0;
|
2017-07-18 22:49:35 -06:00
|
|
|
}
|
|
|
|
|
|
powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
The recent refactoring of the powerpc page fault handler in commit
c3350602e876 ("powerpc/mm: Make bad_area* helper functions") caused
access to protected memory regions to indicate SEGV_MAPERR instead of
the traditional SEGV_ACCERR in the si_code field of a user-space
signal handler. This can confuse debug libraries that temporarily
change the protection of memory regions, and expect to use SEGV_ACCERR
as an indication to restore access to a region.
This commit restores the previous behavior. The following program
exhibits the issue:
$ ./repro read || echo "FAILED"
$ ./repro write || echo "FAILED"
$ ./repro exec || echo "FAILED"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include <assert.h>
static void segv_handler(int n, siginfo_t *info, void *arg) {
_exit(info->si_code == SEGV_ACCERR ? 0 : 1);
}
int main(int argc, char **argv)
{
void *p = NULL;
struct sigaction act = {
.sa_sigaction = segv_handler,
.sa_flags = SA_SIGINFO,
};
assert(argc == 2);
p = mmap(NULL, getpagesize(),
(strcmp(argv[1], "write") == 0) ? PROT_READ : 0,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
assert(p != MAP_FAILED);
assert(sigaction(SIGSEGV, &act, NULL) == 0);
if (strcmp(argv[1], "read") == 0)
printf("%c", *(unsigned char *)p);
else if (strcmp(argv[1], "write") == 0)
*(unsigned char *)p = 0;
else if (strcmp(argv[1], "exec") == 0)
((void (*)(void))p)();
return 1; /* failed to generate SEGV */
}
Fixes: c3350602e876 ("powerpc/mm: Make bad_area* helper functions")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: John Sperbeck <jsperbeck@google.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[mpe: Add commit references in change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-12-31 22:24:58 -07:00
|
|
|
static noinline int bad_access(struct pt_regs *regs, unsigned long address)
|
|
|
|
|
{
|
2018-09-18 01:19:24 -06:00
|
|
|
return __bad_area(regs, address, SEGV_ACCERR);
|
powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
The recent refactoring of the powerpc page fault handler in commit
c3350602e876 ("powerpc/mm: Make bad_area* helper functions") caused
access to protected memory regions to indicate SEGV_MAPERR instead of
the traditional SEGV_ACCERR in the si_code field of a user-space
signal handler. This can confuse debug libraries that temporarily
change the protection of memory regions, and expect to use SEGV_ACCERR
as an indication to restore access to a region.
This commit restores the previous behavior. The following program
exhibits the issue:
$ ./repro read || echo "FAILED"
$ ./repro write || echo "FAILED"
$ ./repro exec || echo "FAILED"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include <assert.h>
static void segv_handler(int n, siginfo_t *info, void *arg) {
_exit(info->si_code == SEGV_ACCERR ? 0 : 1);
}
int main(int argc, char **argv)
{
void *p = NULL;
struct sigaction act = {
.sa_sigaction = segv_handler,
.sa_flags = SA_SIGINFO,
};
assert(argc == 2);
p = mmap(NULL, getpagesize(),
(strcmp(argv[1], "write") == 0) ? PROT_READ : 0,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
assert(p != MAP_FAILED);
assert(sigaction(SIGSEGV, &act, NULL) == 0);
if (strcmp(argv[1], "read") == 0)
printf("%c", *(unsigned char *)p);
else if (strcmp(argv[1], "write") == 0)
*(unsigned char *)p = 0;
else if (strcmp(argv[1], "exec") == 0)
((void (*)(void))p)();
return 1; /* failed to generate SEGV */
}
Fixes: c3350602e876 ("powerpc/mm: Make bad_area* helper functions")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: John Sperbeck <jsperbeck@google.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[mpe: Add commit references in change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-12-31 22:24:58 -07:00
|
|
|
}
|
|
|
|
|
|
2014-09-24 00:59:57 -06:00
|
|
|
static int do_sigbus(struct pt_regs *regs, unsigned long address,
|
2018-08-17 16:44:47 -06:00
|
|
|
vm_fault_t fault)
|
2012-03-01 00:14:45 -07:00
|
|
|
{
|
2014-09-24 00:59:56 -06:00
|
|
|
if (!user_mode(regs))
|
2017-07-18 22:49:36 -06:00
|
|
|
return SIGBUS;
|
2014-09-24 00:59:56 -06:00
|
|
|
|
|
|
|
|
current->thread.trap_nr = BUS_ADRERR;
|
2014-09-24 00:59:57 -06:00
|
|
|
#ifdef CONFIG_MEMORY_FAILURE
|
|
|
|
|
if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
|
2018-04-19 16:36:43 -06:00
|
|
|
unsigned int lsb = 0; /* shutup gcc */
|
|
|
|
|
|
2014-09-24 00:59:57 -06:00
|
|
|
pr_err("MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
|
|
|
|
|
current->comm, current->pid, address);
|
2018-04-19 16:36:43 -06:00
|
|
|
|
|
|
|
|
if (fault & VM_FAULT_HWPOISON_LARGE)
|
|
|
|
|
lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
|
|
|
|
|
if (fault & VM_FAULT_HWPOISON)
|
|
|
|
|
lsb = PAGE_SHIFT;
|
|
|
|
|
|
2019-02-05 17:14:19 -07:00
|
|
|
force_sig_mceerr(BUS_MCEERR_AR, (void __user *)address, lsb);
|
2018-04-19 16:36:43 -06:00
|
|
|
return 0;
|
2014-09-24 00:59:57 -06:00
|
|
|
}
|
2014-09-24 00:59:58 -06:00
|
|
|
|
2014-09-24 00:59:57 -06:00
|
|
|
#endif
|
2019-05-23 10:04:24 -06:00
|
|
|
force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)address);
|
2017-07-18 22:49:36 -06:00
|
|
|
return 0;
|
2012-03-01 00:14:45 -07:00
|
|
|
}
|
|
|
|
|
|
2018-08-17 16:44:47 -06:00
|
|
|
static int mm_fault_error(struct pt_regs *regs, unsigned long addr,
|
|
|
|
|
vm_fault_t fault)
|
2012-03-01 00:14:45 -07:00
|
|
|
{
|
|
|
|
|
/*
|
2017-07-18 22:49:36 -06:00
|
|
|
* Kernel page fault interrupted by SIGKILL. We have no reason to
|
|
|
|
|
* continue processing.
|
2012-03-01 00:14:45 -07:00
|
|
|
*/
|
2017-07-18 22:49:36 -06:00
|
|
|
if (fatal_signal_pending(current) && !user_mode(regs))
|
|
|
|
|
return SIGKILL;
|
2012-03-01 00:14:45 -07:00
|
|
|
|
|
|
|
|
/* Out of memory */
|
2012-12-12 14:52:10 -07:00
|
|
|
if (fault & VM_FAULT_OOM) {
|
|
|
|
|
/*
|
|
|
|
|
* We ran out of memory, or some other thing happened to us that
|
|
|
|
|
* made us unable to handle the page fault gracefully.
|
|
|
|
|
*/
|
|
|
|
|
if (!user_mode(regs))
|
2017-07-18 22:49:36 -06:00
|
|
|
return SIGSEGV;
|
2012-12-12 14:52:10 -07:00
|
|
|
pagefault_out_of_memory();
|
2017-07-18 22:49:36 -06:00
|
|
|
} else {
|
|
|
|
|
if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
|
|
|
|
|
VM_FAULT_HWPOISON_LARGE))
|
|
|
|
|
return do_sigbus(regs, addr, fault);
|
|
|
|
|
else if (fault & VM_FAULT_SIGSEGV)
|
|
|
|
|
return bad_area_nosemaphore(regs, addr);
|
|
|
|
|
else
|
|
|
|
|
BUG();
|
2012-12-12 14:52:10 -07:00
|
|
|
}
|
2017-07-18 22:49:36 -06:00
|
|
|
return 0;
|
2012-03-01 00:14:45 -07:00
|
|
|
}
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2017-07-18 22:49:34 -06:00
|
|
|
/* Is this a bad kernel fault ? */
|
2019-04-18 00:51:20 -06:00
|
|
|
static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code,
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
unsigned long address, bool is_write)
|
2017-07-18 22:49:34 -06:00
|
|
|
{
|
2019-04-18 00:51:20 -06:00
|
|
|
int is_exec = TRAP(regs) == 0x400;
|
|
|
|
|
|
2018-11-28 02:27:04 -07:00
|
|
|
/* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */
|
|
|
|
|
if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT |
|
|
|
|
|
DSISR_PROTFAULT))) {
|
2019-04-18 00:51:19 -06:00
|
|
|
pr_crit_ratelimited("kernel tried to execute %s page (%lx) - exploit attempt? (uid: %d)\n",
|
|
|
|
|
address >= TASK_SIZE ? "exec-protected" : "user",
|
|
|
|
|
address,
|
|
|
|
|
from_kuid(&init_user_ns, current_uid()));
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
|
|
|
|
|
// Kernel exec fault is always bad
|
|
|
|
|
return true;
|
2017-07-18 22:49:34 -06:00
|
|
|
}
|
2019-04-18 00:51:20 -06:00
|
|
|
|
|
|
|
|
if (!is_exec && address < TASK_SIZE && (error_code & DSISR_PROTFAULT) &&
|
|
|
|
|
!search_exception_tables(regs->nip)) {
|
|
|
|
|
pr_crit_ratelimited("Kernel attempted to access user page (%lx) - exploit attempt? (uid: %d)\n",
|
|
|
|
|
address,
|
|
|
|
|
from_kuid(&init_user_ns, current_uid()));
|
|
|
|
|
}
|
|
|
|
|
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
// Kernel fault on kernel address is bad
|
|
|
|
|
if (address >= TASK_SIZE)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// Fault on user outside of certain regions (eg. copy_tofrom_user()) is bad
|
|
|
|
|
if (!search_exception_tables(regs->nip))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// Read/write fault in a valid region (the exception table search passed
|
|
|
|
|
// above), but blocked by KUAP is bad, it can never succeed.
|
2020-01-24 04:54:40 -07:00
|
|
|
if (bad_kuap_fault(regs, address, is_write))
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// What's left? Kernel fault on user in well defined regions (extable
|
|
|
|
|
// matched), and allowed by KUAP in the faulting context.
|
|
|
|
|
return false;
|
2017-07-18 22:49:34 -06:00
|
|
|
}
|
|
|
|
|
|
powerpc: Allow 4224 bytes of stack expansion for the signal frame
commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream.
We have powerpc specific logic in our page fault handling to decide if
an access to an unmapped address below the stack pointer should expand
the stack VMA.
The code was originally added in 2004 "ported from 2.4". The rough
logic is that the stack is allowed to grow to 1MB with no extra
checking. Over 1MB the access must be within 2048 bytes of the stack
pointer, or be from a user instruction that updates the stack pointer.
The 2048 byte allowance below the stack pointer is there to cover the
288 byte "red zone" as well as the "about 1.5kB" needed by the signal
delivery code.
Unfortunately since then the signal frame has expanded, and is now
4224 bytes on 64-bit kernels with transactional memory enabled. This
means if a process has consumed more than 1MB of stack, and its stack
pointer lies less than 4224 bytes from the next page boundary, signal
delivery will fault when trying to expand the stack and the process
will see a SEGV.
The total size of the signal frame is the size of struct rt_sigframe
(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
64-bit).
The 2048 byte allowance was correct until 2008 as the signal frame
was:
struct rt_sigframe {
struct ucontext uc; /* 0 1440 */
/* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1440 16 */
unsigned int tramp[6]; /* 1456 24 */
struct siginfo * pinfo; /* 1480 8 */
void * puc; /* 1488 8 */
struct siginfo info; /* 1496 128 */
/* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1624 288 */
/* size: 1920, cachelines: 15, members: 7 */
/* padding: 8 */
};
1920 + 128 = 2048
Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
ptrace and signal support") (Jul 2008) the signal frame expanded to
2304 bytes:
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */ <--
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1696 16 */
unsigned int tramp[6]; /* 1712 24 */
struct siginfo * pinfo; /* 1736 8 */
void * puc; /* 1744 8 */
struct siginfo info; /* 1752 128 */
/* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1880 288 */
/* size: 2176, cachelines: 17, members: 7 */
/* padding: 8 */
};
2176 + 128 = 2304
At this point we should have been exposed to the bug, though as far as
I know it was never reported. I no longer have a system old enough to
easily test on.
Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
grow-down stack segment") caused our stack expansion code to never
trigger, as there was always a VMA found for a write up to PAGE_SIZE
below r1.
That meant the bug was hidden as we continued to expand the signal
frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
state to the signal context") (Feb 2013):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */ <--
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[288]; /* 3576 288 */
/* size: 3872, cachelines: 31, members: 8 */
/* padding: 8 */
/* last cacheline: 32 bytes */
};
3872 + 128 = 4000
And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
userspace to 512 bytes") (Feb 2014):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[512]; /* 3576 512 */ <--
/* size: 4096, cachelines: 32, members: 8 */
/* padding: 8 */
};
4096 + 128 = 4224
Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
gap, between vmas") exposed us to the existing bug, because it changed
the stack VMA to be the correct/real size, meaning our stack expansion
code is now triggered.
Fix it by increasing the allowance to 4224 bytes.
Hard-coding 4224 is obviously unsafe against future expansions of the
signal frame in the same way as the existing code. We can't easily use
sizeof() because the signal frame structure is not in a header. We
will either fix that, or rip out all the custom stack expansion
checking logic entirely.
Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
Cc: stable@vger.kernel.org # v2.6.27+
Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
Tested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-24 03:25:25 -06:00
|
|
|
// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE
|
|
|
|
|
#define SIGFRAME_MAX_SIZE (4096 + 128)
|
|
|
|
|
|
2017-07-18 22:49:45 -06:00
|
|
|
static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
|
2018-05-23 02:53:22 -06:00
|
|
|
struct vm_area_struct *vma, unsigned int flags,
|
|
|
|
|
bool *must_retry)
|
2017-07-18 22:49:45 -06:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* N.B. The POWER/Open ABI allows programs to access up to
|
|
|
|
|
* 288 bytes below the stack pointer.
|
powerpc: Allow 4224 bytes of stack expansion for the signal frame
commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream.
We have powerpc specific logic in our page fault handling to decide if
an access to an unmapped address below the stack pointer should expand
the stack VMA.
The code was originally added in 2004 "ported from 2.4". The rough
logic is that the stack is allowed to grow to 1MB with no extra
checking. Over 1MB the access must be within 2048 bytes of the stack
pointer, or be from a user instruction that updates the stack pointer.
The 2048 byte allowance below the stack pointer is there to cover the
288 byte "red zone" as well as the "about 1.5kB" needed by the signal
delivery code.
Unfortunately since then the signal frame has expanded, and is now
4224 bytes on 64-bit kernels with transactional memory enabled. This
means if a process has consumed more than 1MB of stack, and its stack
pointer lies less than 4224 bytes from the next page boundary, signal
delivery will fault when trying to expand the stack and the process
will see a SEGV.
The total size of the signal frame is the size of struct rt_sigframe
(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
64-bit).
The 2048 byte allowance was correct until 2008 as the signal frame
was:
struct rt_sigframe {
struct ucontext uc; /* 0 1440 */
/* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1440 16 */
unsigned int tramp[6]; /* 1456 24 */
struct siginfo * pinfo; /* 1480 8 */
void * puc; /* 1488 8 */
struct siginfo info; /* 1496 128 */
/* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1624 288 */
/* size: 1920, cachelines: 15, members: 7 */
/* padding: 8 */
};
1920 + 128 = 2048
Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
ptrace and signal support") (Jul 2008) the signal frame expanded to
2304 bytes:
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */ <--
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1696 16 */
unsigned int tramp[6]; /* 1712 24 */
struct siginfo * pinfo; /* 1736 8 */
void * puc; /* 1744 8 */
struct siginfo info; /* 1752 128 */
/* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1880 288 */
/* size: 2176, cachelines: 17, members: 7 */
/* padding: 8 */
};
2176 + 128 = 2304
At this point we should have been exposed to the bug, though as far as
I know it was never reported. I no longer have a system old enough to
easily test on.
Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
grow-down stack segment") caused our stack expansion code to never
trigger, as there was always a VMA found for a write up to PAGE_SIZE
below r1.
That meant the bug was hidden as we continued to expand the signal
frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
state to the signal context") (Feb 2013):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */ <--
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[288]; /* 3576 288 */
/* size: 3872, cachelines: 31, members: 8 */
/* padding: 8 */
/* last cacheline: 32 bytes */
};
3872 + 128 = 4000
And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
userspace to 512 bytes") (Feb 2014):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[512]; /* 3576 512 */ <--
/* size: 4096, cachelines: 32, members: 8 */
/* padding: 8 */
};
4096 + 128 = 4224
Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
gap, between vmas") exposed us to the existing bug, because it changed
the stack VMA to be the correct/real size, meaning our stack expansion
code is now triggered.
Fix it by increasing the allowance to 4224 bytes.
Hard-coding 4224 is obviously unsafe against future expansions of the
signal frame in the same way as the existing code. We can't easily use
sizeof() because the signal frame structure is not in a header. We
will either fix that, or rip out all the custom stack expansion
checking logic entirely.
Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
Cc: stable@vger.kernel.org # v2.6.27+
Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
Tested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-24 03:25:25 -06:00
|
|
|
* The kernel signal delivery code writes a bit over 4KB
|
2017-07-18 22:49:45 -06:00
|
|
|
* below the stack pointer (r1) before decrementing it.
|
|
|
|
|
* The exec code can write slightly over 640kB to the stack
|
|
|
|
|
* before setting the user r1. Thus we allow the stack to
|
|
|
|
|
* expand to 1MB without further checks.
|
|
|
|
|
*/
|
|
|
|
|
if (address + 0x100000 < vma->vm_end) {
|
2018-05-23 02:53:22 -06:00
|
|
|
unsigned int __user *nip = (unsigned int __user *)regs->nip;
|
2017-07-18 22:49:45 -06:00
|
|
|
/* get user regs even if this fault is in kernel mode */
|
|
|
|
|
struct pt_regs *uregs = current->thread.regs;
|
|
|
|
|
if (uregs == NULL)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* A user-mode access to an address a long way below
|
|
|
|
|
* the stack pointer is only valid if the instruction
|
|
|
|
|
* is one which would update the stack pointer to the
|
|
|
|
|
* address accessed if the instruction completed,
|
|
|
|
|
* i.e. either stwu rs,n(r1) or stwux rs,r1,rb
|
|
|
|
|
* (or the byte, halfword, float or double forms).
|
|
|
|
|
*
|
|
|
|
|
* If we don't check this then any write to the area
|
|
|
|
|
* between the last mapped region and the stack will
|
|
|
|
|
* expand the stack rather than segfaulting.
|
|
|
|
|
*/
|
powerpc: Allow 4224 bytes of stack expansion for the signal frame
commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream.
We have powerpc specific logic in our page fault handling to decide if
an access to an unmapped address below the stack pointer should expand
the stack VMA.
The code was originally added in 2004 "ported from 2.4". The rough
logic is that the stack is allowed to grow to 1MB with no extra
checking. Over 1MB the access must be within 2048 bytes of the stack
pointer, or be from a user instruction that updates the stack pointer.
The 2048 byte allowance below the stack pointer is there to cover the
288 byte "red zone" as well as the "about 1.5kB" needed by the signal
delivery code.
Unfortunately since then the signal frame has expanded, and is now
4224 bytes on 64-bit kernels with transactional memory enabled. This
means if a process has consumed more than 1MB of stack, and its stack
pointer lies less than 4224 bytes from the next page boundary, signal
delivery will fault when trying to expand the stack and the process
will see a SEGV.
The total size of the signal frame is the size of struct rt_sigframe
(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
64-bit).
The 2048 byte allowance was correct until 2008 as the signal frame
was:
struct rt_sigframe {
struct ucontext uc; /* 0 1440 */
/* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1440 16 */
unsigned int tramp[6]; /* 1456 24 */
struct siginfo * pinfo; /* 1480 8 */
void * puc; /* 1488 8 */
struct siginfo info; /* 1496 128 */
/* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1624 288 */
/* size: 1920, cachelines: 15, members: 7 */
/* padding: 8 */
};
1920 + 128 = 2048
Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
ptrace and signal support") (Jul 2008) the signal frame expanded to
2304 bytes:
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */ <--
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
long unsigned int _unused[2]; /* 1696 16 */
unsigned int tramp[6]; /* 1712 24 */
struct siginfo * pinfo; /* 1736 8 */
void * puc; /* 1744 8 */
struct siginfo info; /* 1752 128 */
/* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
char abigap[288]; /* 1880 288 */
/* size: 2176, cachelines: 17, members: 7 */
/* padding: 8 */
};
2176 + 128 = 2304
At this point we should have been exposed to the bug, though as far as
I know it was never reported. I no longer have a system old enough to
easily test on.
Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
grow-down stack segment") caused our stack expansion code to never
trigger, as there was always a VMA found for a write up to PAGE_SIZE
below r1.
That meant the bug was hidden as we continued to expand the signal
frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
state to the signal context") (Feb 2013):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */ <--
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[288]; /* 3576 288 */
/* size: 3872, cachelines: 31, members: 8 */
/* padding: 8 */
/* last cacheline: 32 bytes */
};
3872 + 128 = 4000
And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
userspace to 512 bytes") (Feb 2014):
struct rt_sigframe {
struct ucontext uc; /* 0 1696 */
/* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
struct ucontext uc_transact; /* 1696 1696 */
/* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
long unsigned int _unused[2]; /* 3392 16 */
unsigned int tramp[6]; /* 3408 24 */
struct siginfo * pinfo; /* 3432 8 */
void * puc; /* 3440 8 */
struct siginfo info; /* 3448 128 */
/* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
char abigap[512]; /* 3576 512 */ <--
/* size: 4096, cachelines: 32, members: 8 */
/* padding: 8 */
};
4096 + 128 = 4224
Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
gap, between vmas") exposed us to the existing bug, because it changed
the stack VMA to be the correct/real size, meaning our stack expansion
code is now triggered.
Fix it by increasing the allowance to 4224 bytes.
Hard-coding 4224 is obviously unsafe against future expansions of the
signal frame in the same way as the existing code. We can't easily use
sizeof() because the signal frame structure is not in a header. We
will either fix that, or rip out all the custom stack expansion
checking logic entirely.
Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
Cc: stable@vger.kernel.org # v2.6.27+
Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
Tested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-24 03:25:25 -06:00
|
|
|
if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1])
|
2018-05-23 02:53:22 -06:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03 19:57:57 -07:00
|
|
|
access_ok(nip, sizeof(*nip))) {
|
2018-05-23 02:53:22 -06:00
|
|
|
unsigned int inst;
|
|
|
|
|
int res;
|
|
|
|
|
|
|
|
|
|
pagefault_disable();
|
|
|
|
|
res = __get_user_inatomic(inst, nip);
|
|
|
|
|
pagefault_enable();
|
|
|
|
|
if (!res)
|
|
|
|
|
return !store_updates_sp(inst);
|
|
|
|
|
*must_retry = true;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
2017-07-18 22:49:45 -06:00
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-18 22:49:43 -06:00
|
|
|
static bool access_error(bool is_write, bool is_exec,
|
|
|
|
|
struct vm_area_struct *vma)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Allow execution from readable areas if the MMU does not
|
|
|
|
|
* provide separate controls over reading and executing.
|
|
|
|
|
*
|
|
|
|
|
* Note: That code used to not be enabled for 4xx/BookE.
|
|
|
|
|
* It is now as I/D cache coherency for these is done at
|
|
|
|
|
* set_pte_at() time and I see no reason why the test
|
|
|
|
|
* below wouldn't be valid on those processors. This -may-
|
|
|
|
|
* break programs compiled with a really old ABI though.
|
|
|
|
|
*/
|
|
|
|
|
if (is_exec) {
|
|
|
|
|
return !(vma->vm_flags & VM_EXEC) &&
|
|
|
|
|
(cpu_has_feature(CPU_FTR_NOEXECUTE) ||
|
|
|
|
|
!(vma->vm_flags & (VM_READ | VM_WRITE)));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (is_write) {
|
|
|
|
|
if (unlikely(!(vma->vm_flags & VM_WRITE)))
|
|
|
|
|
return true;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (unlikely(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))))
|
|
|
|
|
return true;
|
2018-03-07 06:36:45 -07:00
|
|
|
/*
|
|
|
|
|
* We should ideally do the vma pkey access check here. But in the
|
|
|
|
|
* fault path, handle_mm_fault() also does the same check. To avoid
|
|
|
|
|
* these multiple checks, we skip it here and handle access error due
|
|
|
|
|
* to pkeys later.
|
|
|
|
|
*/
|
2017-07-18 22:49:43 -06:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-18 22:49:37 -06:00
|
|
|
#ifdef CONFIG_PPC_SMLPAR
|
|
|
|
|
static inline void cmo_account_page_fault(void)
|
|
|
|
|
{
|
|
|
|
|
if (firmware_has_feature(FW_FEATURE_CMO)) {
|
|
|
|
|
u32 page_ins;
|
|
|
|
|
|
|
|
|
|
preempt_disable();
|
|
|
|
|
page_ins = be32_to_cpu(get_lppaca()->page_ins);
|
|
|
|
|
page_ins += 1 << PAGE_FACTOR;
|
|
|
|
|
get_lppaca()->page_ins = cpu_to_be32(page_ins);
|
|
|
|
|
preempt_enable();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
static inline void cmo_account_page_fault(void) { }
|
|
|
|
|
#endif /* CONFIG_PPC_SMLPAR */
|
|
|
|
|
|
2018-11-26 07:35:04 -07:00
|
|
|
static void sanity_check_fault(bool is_write, bool is_user,
|
|
|
|
|
unsigned long error_code, unsigned long address)
|
2017-07-18 22:49:39 -06:00
|
|
|
{
|
2018-11-26 07:35:04 -07:00
|
|
|
/*
|
|
|
|
|
* Userspace trying to access kernel address, we get PROTFAULT for that.
|
|
|
|
|
*/
|
|
|
|
|
if (is_user && address >= TASK_SIZE) {
|
2019-12-23 00:54:22 -07:00
|
|
|
if ((long)address == -1)
|
|
|
|
|
return;
|
|
|
|
|
|
2018-11-26 07:35:04 -07:00
|
|
|
pr_crit_ratelimited("%s[%d]: User access of kernel address (%lx) - exploit attempt? (uid: %d)\n",
|
|
|
|
|
current->comm, current->pid, address,
|
|
|
|
|
from_kuid(&init_user_ns, current_uid()));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-08 22:29:21 -07:00
|
|
|
if (!IS_ENABLED(CONFIG_PPC_BOOK3S))
|
|
|
|
|
return;
|
|
|
|
|
|
2017-07-18 22:49:39 -06:00
|
|
|
/*
|
|
|
|
|
* For hash translation mode, we should never get a
|
|
|
|
|
* PROTFAULT. Any update to pte to reduce access will result in us
|
|
|
|
|
* removing the hash page table entry, thus resulting in a DSISR_NOHPTE
|
|
|
|
|
* fault instead of DSISR_PROTFAULT.
|
|
|
|
|
*
|
|
|
|
|
* A pte update to relax the access will not result in a hash page table
|
|
|
|
|
* entry invalidate and hence can result in DSISR_PROTFAULT.
|
|
|
|
|
* ptep_set_access_flags() doesn't do a hpte flush. This is why we have
|
|
|
|
|
* the special !is_write in the below conditional.
|
|
|
|
|
*
|
|
|
|
|
* For platforms that doesn't supports coherent icache and do support
|
|
|
|
|
* per page noexec bit, we do setup things such that we do the
|
|
|
|
|
* sync between D/I cache via fault. But that is handled via low level
|
|
|
|
|
* hash fault code (hash_page_do_lazy_icache()) and we should not reach
|
|
|
|
|
* here in such case.
|
|
|
|
|
*
|
|
|
|
|
* For wrong access that can result in PROTFAULT, the above vma->vm_flags
|
|
|
|
|
* check should handle those and hence we should fall to the bad_area
|
|
|
|
|
* handling correctly.
|
|
|
|
|
*
|
|
|
|
|
* For embedded with per page exec support that doesn't support coherent
|
|
|
|
|
* icache we do get PROTFAULT and we handle that D/I cache sync in
|
|
|
|
|
* set_pte_at while taking the noexec/prot fault. Hence this is WARN_ON
|
|
|
|
|
* is conditional for server MMU.
|
|
|
|
|
*
|
|
|
|
|
* For radix, we can get prot fault for autonuma case, because radix
|
|
|
|
|
* page table will have them marked noaccess for user.
|
|
|
|
|
*/
|
2018-11-26 07:35:04 -07:00
|
|
|
if (radix_enabled() || is_write)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
WARN_ON_ONCE(error_code & DSISR_PROTFAULT);
|
2017-07-18 22:49:39 -06:00
|
|
|
}
|
|
|
|
|
|
2017-07-18 22:49:29 -06:00
|
|
|
/*
|
|
|
|
|
* Define the correct "is_write" bit in error_code based
|
|
|
|
|
* on the processor family
|
|
|
|
|
*/
|
|
|
|
|
#if (defined(CONFIG_4xx) || defined(CONFIG_BOOKE))
|
|
|
|
|
#define page_fault_is_write(__err) ((__err) & ESR_DST)
|
2017-07-18 22:49:31 -06:00
|
|
|
#define page_fault_is_bad(__err) (0)
|
2017-07-18 22:49:29 -06:00
|
|
|
#else
|
|
|
|
|
#define page_fault_is_write(__err) ((__err) & DSISR_ISSTORE)
|
2017-08-08 05:58:54 -06:00
|
|
|
#if defined(CONFIG_PPC_8xx)
|
2017-08-08 05:59:00 -06:00
|
|
|
#define page_fault_is_bad(__err) ((__err) & DSISR_NOEXEC_OR_G)
|
2017-07-18 22:49:31 -06:00
|
|
|
#elif defined(CONFIG_PPC64)
|
|
|
|
|
#define page_fault_is_bad(__err) ((__err) & DSISR_BAD_FAULT_64S)
|
|
|
|
|
#else
|
|
|
|
|
#define page_fault_is_bad(__err) ((__err) & DSISR_BAD_FAULT_32S)
|
|
|
|
|
#endif
|
2017-07-18 22:49:29 -06:00
|
|
|
#endif
|
|
|
|
|
|
2005-09-26 00:04:21 -06:00
|
|
|
/*
|
|
|
|
|
* For 600- and 800-family processors, the error_code parameter is DSISR
|
|
|
|
|
* for a data fault, SRR1 for an instruction fault. For 400-family processors
|
|
|
|
|
* the error_code parameter is ESR for a data fault, 0 for an instruction
|
|
|
|
|
* fault.
|
|
|
|
|
* For 64-bit processors, the error_code parameter is
|
|
|
|
|
* - DSISR for a non-SLB data access fault,
|
|
|
|
|
* - SRR1 & 0x08000000 for a non-SLB instruction access fault
|
|
|
|
|
* - 0 any SLB fault.
|
|
|
|
|
*
|
|
|
|
|
* The return value is 0 if the fault was handled, or the signal
|
|
|
|
|
* number if this is a kernel fault that can't be handled here.
|
|
|
|
|
*/
|
2017-07-18 22:49:23 -06:00
|
|
|
static int __do_page_fault(struct pt_regs *regs, unsigned long address,
|
|
|
|
|
unsigned long error_code)
|
2005-09-26 00:04:21 -06:00
|
|
|
{
|
|
|
|
|
struct vm_area_struct * vma;
|
|
|
|
|
struct mm_struct *mm = current->mm;
|
2012-03-01 00:14:45 -07:00
|
|
|
unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
|
2017-07-18 22:49:24 -06:00
|
|
|
int is_exec = TRAP(regs) == 0x400;
|
powerpc/mm: Evaluate user_mode(regs) only once in do_page_fault()
Analysis of the assembly code shows that when using user_mode(regs),
at least the 'andi.' is redone all the time, and also
the 'lwz ,132(r31)' most of the time. With the new form, the 'is_user'
is mapped to cr4, then all further use of is_user results in just
things like 'beq cr4,218 <do_page_fault+0x218>'
Without the patch:
50: 81 1e 00 84 lwz r8,132(r30)
54: 71 09 40 00 andi. r9,r8,16384
58: 40 82 00 0c bne 64 <do_page_fault+0x64>
84: 81 3e 00 84 lwz r9,132(r30)
8c: 71 2a 40 00 andi. r10,r9,16384
90: 41 a2 01 64 beq 1f4 <do_page_fault+0x1f4>
d4: 81 3e 00 84 lwz r9,132(r30)
dc: 71 28 40 00 andi. r8,r9,16384
e0: 41 82 02 08 beq 2e8 <do_page_fault+0x2e8>
108: 81 3e 00 84 lwz r9,132(r30)
110: 71 28 40 00 andi. r8,r9,16384
118: 41 82 02 28 beq 340 <do_page_fault+0x340>
1e4: 81 3e 00 84 lwz r9,132(r30)
1e8: 71 2a 40 00 andi. r10,r9,16384
1ec: 40 82 01 68 bne 354 <do_page_fault+0x354>
228: 81 3e 00 84 lwz r9,132(r30)
22c: 71 28 40 00 andi. r8,r9,16384
230: 41 82 ff c4 beq 1f4 <do_page_fault+0x1f4>
288: 71 2a 40 00 andi. r10,r9,16384
294: 41 a2 fe 60 beq f4 <do_page_fault+0xf4>
50c: 81 3e 00 84 lwz r9,132(r30)
514: 71 2a 40 00 andi. r10,r9,16384
518: 40 a2 fc e0 bne 1f8 <do_page_fault+0x1f8>
534: 81 3e 00 84 lwz r9,132(r30)
53c: 71 2a 40 00 andi. r10,r9,16384
540: 41 82 fc b8 beq 1f8 <do_page_fault+0x1f8>
This patch creates a local var called 'is_user' which contains the
result of user_mode(regs)
With the patch:
20: 81 03 00 84 lwz r8,132(r3)
48: 55 09 97 fe rlwinm r9,r8,18,31,31
58: 2e 09 00 00 cmpwi cr4,r9,0
5c: 40 92 00 0c bne cr4,68 <do_page_fault+0x68>
88: 41 b2 01 90 beq cr4,218 <do_page_fault+0x218>
d4: 40 92 01 d0 bne cr4,2a4 <do_page_fault+0x2a4>
120: 41 b2 00 f8 beq cr4,218 <do_page_fault+0x218>
138: 41 b2 ff a0 beq cr4,d8 <do_page_fault+0xd8>
1d4: 40 92 00 e0 bne cr4,2b4 <do_page_fault+0x2b4>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-04-19 06:56:30 -06:00
|
|
|
int is_user = user_mode(regs);
|
2017-07-18 22:49:29 -06:00
|
|
|
int is_write = page_fault_is_write(error_code);
|
2018-08-17 16:44:47 -06:00
|
|
|
vm_fault_t fault, major = 0;
|
2018-05-23 02:53:22 -06:00
|
|
|
bool must_retry = false;
|
2019-07-16 17:28:00 -06:00
|
|
|
bool kprobe_fault = kprobe_page_fault(regs, 11);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2019-07-16 17:28:00 -06:00
|
|
|
if (unlikely(debugger_fault_handler(regs) || kprobe_fault))
|
2017-07-18 22:49:33 -06:00
|
|
|
return 0;
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2017-07-18 22:49:31 -06:00
|
|
|
if (unlikely(page_fault_is_bad(error_code))) {
|
2017-07-18 22:49:33 -06:00
|
|
|
if (is_user) {
|
2017-07-18 22:49:31 -06:00
|
|
|
_exception(SIGBUS, regs, BUS_OBJERR, address);
|
2017-07-18 22:49:33 -06:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return SIGBUS;
|
2017-07-18 22:49:30 -06:00
|
|
|
}
|
|
|
|
|
|
2017-07-18 22:49:39 -06:00
|
|
|
/* Additional sanity check(s) */
|
2018-11-26 07:35:04 -07:00
|
|
|
sanity_check_fault(is_write, is_user, error_code, address);
|
2017-07-18 22:49:39 -06:00
|
|
|
|
2017-02-02 23:10:28 -07:00
|
|
|
/*
|
|
|
|
|
* The kernel should never take an execute fault nor should it
|
2019-04-18 00:51:20 -06:00
|
|
|
* take a page fault to a kernel address or a page fault to a user
|
|
|
|
|
* address outside of dedicated places
|
2017-02-02 23:10:28 -07:00
|
|
|
*/
|
powerpc/mm: Detect bad KUAP faults
When KUAP is enabled we have logic to detect page faults that occur
outside of a valid user access region and are blocked by the AMR.
What we don't have at the moment is logic to detect a fault *within* a
valid user access region, that has been incorrectly blocked by AMR.
This is not meant to ever happen, but it can if we incorrectly
save/restore the AMR, or if the AMR was overwritten for some other
reason.
Currently if that happens we assume it's just a regular fault that
will be corrected by handling the fault normally, so we just return.
But there is nothing the fault handling code can do to fix it, so the
fault just happens again and we spin forever, leading to soft lockups.
So add some logic to detect that case and WARN() if we ever see it.
Arguably it should be a BUG(), but it's more polite to fail the access
and let the kernel continue, rather than taking down the box. There
should be no data integrity issue with failing the fault rather than
BUG'ing, as we're just going to disallow an access that should have
been allowed.
To make the code a little easier to follow, unroll the condition at
the end of bad_kernel_fault() and comment each case, before adding the
call to bad_kuap_fault().
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-04-18 00:51:25 -06:00
|
|
|
if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write)))
|
2017-07-18 22:49:33 -06:00
|
|
|
return SIGSEGV;
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2017-07-18 22:49:40 -06:00
|
|
|
/*
|
|
|
|
|
* If we're in an interrupt, have no user context or are running
|
|
|
|
|
* in a region with pagefaults disabled then we must not take the fault
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(faulthandler_disabled() || !mm)) {
|
|
|
|
|
if (is_user)
|
|
|
|
|
printk_ratelimited(KERN_ERR "Page fault in user mode"
|
|
|
|
|
" with faulthandler_disabled()=%d"
|
|
|
|
|
" mm=%p\n",
|
|
|
|
|
faulthandler_disabled(), mm);
|
|
|
|
|
return bad_area_nosemaphore(regs, address);
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-06 22:48:45 -07:00
|
|
|
/* We restore the interrupt state now */
|
|
|
|
|
if (!arch_irq_disabled_regs(regs))
|
|
|
|
|
local_irq_enable();
|
|
|
|
|
|
2011-06-27 06:41:57 -06:00
|
|
|
perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
|
2009-03-13 05:21:33 -06:00
|
|
|
|
2018-01-18 18:50:42 -07:00
|
|
|
if (error_code & DSISR_KEYFAULT)
|
|
|
|
|
return bad_key_fault_exception(regs, address,
|
|
|
|
|
get_mm_addr_key(mm, address));
|
2018-01-18 18:50:40 -07:00
|
|
|
|
2013-09-10 07:14:42 -06:00
|
|
|
/*
|
|
|
|
|
* We want to do this outside mmap_sem, because reading code around nip
|
|
|
|
|
* can result in fault, which will cause a deadlock when called with
|
|
|
|
|
* mmap_sem held
|
|
|
|
|
*/
|
powerpc/mm: Evaluate user_mode(regs) only once in do_page_fault()
Analysis of the assembly code shows that when using user_mode(regs),
at least the 'andi.' is redone all the time, and also
the 'lwz ,132(r31)' most of the time. With the new form, the 'is_user'
is mapped to cr4, then all further use of is_user results in just
things like 'beq cr4,218 <do_page_fault+0x218>'
Without the patch:
50: 81 1e 00 84 lwz r8,132(r30)
54: 71 09 40 00 andi. r9,r8,16384
58: 40 82 00 0c bne 64 <do_page_fault+0x64>
84: 81 3e 00 84 lwz r9,132(r30)
8c: 71 2a 40 00 andi. r10,r9,16384
90: 41 a2 01 64 beq 1f4 <do_page_fault+0x1f4>
d4: 81 3e 00 84 lwz r9,132(r30)
dc: 71 28 40 00 andi. r8,r9,16384
e0: 41 82 02 08 beq 2e8 <do_page_fault+0x2e8>
108: 81 3e 00 84 lwz r9,132(r30)
110: 71 28 40 00 andi. r8,r9,16384
118: 41 82 02 28 beq 340 <do_page_fault+0x340>
1e4: 81 3e 00 84 lwz r9,132(r30)
1e8: 71 2a 40 00 andi. r10,r9,16384
1ec: 40 82 01 68 bne 354 <do_page_fault+0x354>
228: 81 3e 00 84 lwz r9,132(r30)
22c: 71 28 40 00 andi. r8,r9,16384
230: 41 82 ff c4 beq 1f4 <do_page_fault+0x1f4>
288: 71 2a 40 00 andi. r10,r9,16384
294: 41 a2 fe 60 beq f4 <do_page_fault+0xf4>
50c: 81 3e 00 84 lwz r9,132(r30)
514: 71 2a 40 00 andi. r10,r9,16384
518: 40 a2 fc e0 bne 1f8 <do_page_fault+0x1f8>
534: 81 3e 00 84 lwz r9,132(r30)
53c: 71 2a 40 00 andi. r10,r9,16384
540: 41 82 fc b8 beq 1f8 <do_page_fault+0x1f8>
This patch creates a local var called 'is_user' which contains the
result of user_mode(regs)
With the patch:
20: 81 03 00 84 lwz r8,132(r3)
48: 55 09 97 fe rlwinm r9,r8,18,31,31
58: 2e 09 00 00 cmpwi cr4,r9,0
5c: 40 92 00 0c bne cr4,68 <do_page_fault+0x68>
88: 41 b2 01 90 beq cr4,218 <do_page_fault+0x218>
d4: 40 92 01 d0 bne cr4,2a4 <do_page_fault+0x2a4>
120: 41 b2 00 f8 beq cr4,218 <do_page_fault+0x218>
138: 41 b2 ff a0 beq cr4,d8 <do_page_fault+0xd8>
1d4: 40 92 00 e0 bne cr4,2b4 <do_page_fault+0x2b4>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-04-19 06:56:30 -06:00
|
|
|
if (is_user)
|
2013-09-12 16:13:39 -06:00
|
|
|
flags |= FAULT_FLAG_USER;
|
2017-07-18 22:49:42 -06:00
|
|
|
if (is_write)
|
|
|
|
|
flags |= FAULT_FLAG_WRITE;
|
|
|
|
|
if (is_exec)
|
|
|
|
|
flags |= FAULT_FLAG_INSTRUCTION;
|
2013-09-12 16:13:39 -06:00
|
|
|
|
2005-09-26 00:04:21 -06:00
|
|
|
/* When running in the kernel we expect faults to occur only to
|
|
|
|
|
* addresses in user space. All other faults represent errors in the
|
2006-03-31 17:33:12 -07:00
|
|
|
* kernel and should generate an OOPS. Unfortunately, in the case of an
|
|
|
|
|
* erroneous fault occurring in a code path which already holds mmap_sem
|
2005-09-26 00:04:21 -06:00
|
|
|
* we will deadlock attempting to validate the fault against the
|
|
|
|
|
* address space. Luckily the kernel only validly references user
|
|
|
|
|
* space from well defined areas of code, which are listed in the
|
|
|
|
|
* exceptions table.
|
|
|
|
|
*
|
|
|
|
|
* As the vast majority of faults will be valid we will only perform
|
2006-03-31 17:33:12 -07:00
|
|
|
* the source reference check when there is a possibility of a deadlock.
|
2005-09-26 00:04:21 -06:00
|
|
|
* Attempt to lock the address space, if we cannot we then validate the
|
|
|
|
|
* source. If this is invalid we can skip the address space check,
|
|
|
|
|
* thus avoiding the deadlock.
|
|
|
|
|
*/
|
2017-07-18 22:49:41 -06:00
|
|
|
if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
|
powerpc/mm: Evaluate user_mode(regs) only once in do_page_fault()
Analysis of the assembly code shows that when using user_mode(regs),
at least the 'andi.' is redone all the time, and also
the 'lwz ,132(r31)' most of the time. With the new form, the 'is_user'
is mapped to cr4, then all further use of is_user results in just
things like 'beq cr4,218 <do_page_fault+0x218>'
Without the patch:
50: 81 1e 00 84 lwz r8,132(r30)
54: 71 09 40 00 andi. r9,r8,16384
58: 40 82 00 0c bne 64 <do_page_fault+0x64>
84: 81 3e 00 84 lwz r9,132(r30)
8c: 71 2a 40 00 andi. r10,r9,16384
90: 41 a2 01 64 beq 1f4 <do_page_fault+0x1f4>
d4: 81 3e 00 84 lwz r9,132(r30)
dc: 71 28 40 00 andi. r8,r9,16384
e0: 41 82 02 08 beq 2e8 <do_page_fault+0x2e8>
108: 81 3e 00 84 lwz r9,132(r30)
110: 71 28 40 00 andi. r8,r9,16384
118: 41 82 02 28 beq 340 <do_page_fault+0x340>
1e4: 81 3e 00 84 lwz r9,132(r30)
1e8: 71 2a 40 00 andi. r10,r9,16384
1ec: 40 82 01 68 bne 354 <do_page_fault+0x354>
228: 81 3e 00 84 lwz r9,132(r30)
22c: 71 28 40 00 andi. r8,r9,16384
230: 41 82 ff c4 beq 1f4 <do_page_fault+0x1f4>
288: 71 2a 40 00 andi. r10,r9,16384
294: 41 a2 fe 60 beq f4 <do_page_fault+0xf4>
50c: 81 3e 00 84 lwz r9,132(r30)
514: 71 2a 40 00 andi. r10,r9,16384
518: 40 a2 fc e0 bne 1f8 <do_page_fault+0x1f8>
534: 81 3e 00 84 lwz r9,132(r30)
53c: 71 2a 40 00 andi. r10,r9,16384
540: 41 82 fc b8 beq 1f8 <do_page_fault+0x1f8>
This patch creates a local var called 'is_user' which contains the
result of user_mode(regs)
With the patch:
20: 81 03 00 84 lwz r8,132(r3)
48: 55 09 97 fe rlwinm r9,r8,18,31,31
58: 2e 09 00 00 cmpwi cr4,r9,0
5c: 40 92 00 0c bne cr4,68 <do_page_fault+0x68>
88: 41 b2 01 90 beq cr4,218 <do_page_fault+0x218>
d4: 40 92 01 d0 bne cr4,2a4 <do_page_fault+0x2a4>
120: 41 b2 00 f8 beq cr4,218 <do_page_fault+0x218>
138: 41 b2 ff a0 beq cr4,d8 <do_page_fault+0xd8>
1d4: 40 92 00 e0 bne cr4,2b4 <do_page_fault+0x2b4>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-04-19 06:56:30 -06:00
|
|
|
if (!is_user && !search_exception_tables(regs->nip))
|
2017-07-18 22:49:35 -06:00
|
|
|
return bad_area_nosemaphore(regs, address);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2012-03-01 00:14:45 -07:00
|
|
|
retry:
|
2005-09-26 00:04:21 -06:00
|
|
|
down_read(&mm->mmap_sem);
|
2012-03-06 22:48:45 -07:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* The above down_read_trylock() might have succeeded in
|
|
|
|
|
* which case we'll have missed the might_sleep() from
|
|
|
|
|
* down_read():
|
|
|
|
|
*/
|
|
|
|
|
might_sleep();
|
2005-09-26 00:04:21 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vma = find_vma(mm, address);
|
2017-07-18 22:49:41 -06:00
|
|
|
if (unlikely(!vma))
|
2017-07-18 22:49:35 -06:00
|
|
|
return bad_area(regs, address);
|
2017-07-18 22:49:41 -06:00
|
|
|
if (likely(vma->vm_start <= address))
|
2005-09-26 00:04:21 -06:00
|
|
|
goto good_area;
|
2017-07-18 22:49:41 -06:00
|
|
|
if (unlikely(!(vma->vm_flags & VM_GROWSDOWN)))
|
2017-07-18 22:49:35 -06:00
|
|
|
return bad_area(regs, address);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2017-07-18 22:49:45 -06:00
|
|
|
/* The stack is being expanded, check if it's valid */
|
2018-05-23 02:53:22 -06:00
|
|
|
if (unlikely(bad_stack_expansion(regs, address, vma, flags,
|
|
|
|
|
&must_retry))) {
|
|
|
|
|
if (!must_retry)
|
|
|
|
|
return bad_area(regs, address);
|
|
|
|
|
|
|
|
|
|
up_read(&mm->mmap_sem);
|
|
|
|
|
if (fault_in_pages_readable((const char __user *)regs->nip,
|
|
|
|
|
sizeof(unsigned int)))
|
|
|
|
|
return bad_area_nosemaphore(regs, address);
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-09-26 00:04:21 -06:00
|
|
|
|
2017-07-18 22:49:45 -06:00
|
|
|
/* Try to expand it */
|
2017-07-18 22:49:41 -06:00
|
|
|
if (unlikely(expand_stack(vma, address)))
|
2017-07-18 22:49:35 -06:00
|
|
|
return bad_area(regs, address);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
|
|
|
|
good_area:
|
2017-07-18 22:49:43 -06:00
|
|
|
if (unlikely(access_error(is_write, is_exec, vma)))
|
powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
The recent refactoring of the powerpc page fault handler in commit
c3350602e876 ("powerpc/mm: Make bad_area* helper functions") caused
access to protected memory regions to indicate SEGV_MAPERR instead of
the traditional SEGV_ACCERR in the si_code field of a user-space
signal handler. This can confuse debug libraries that temporarily
change the protection of memory regions, and expect to use SEGV_ACCERR
as an indication to restore access to a region.
This commit restores the previous behavior. The following program
exhibits the issue:
$ ./repro read || echo "FAILED"
$ ./repro write || echo "FAILED"
$ ./repro exec || echo "FAILED"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include <assert.h>
static void segv_handler(int n, siginfo_t *info, void *arg) {
_exit(info->si_code == SEGV_ACCERR ? 0 : 1);
}
int main(int argc, char **argv)
{
void *p = NULL;
struct sigaction act = {
.sa_sigaction = segv_handler,
.sa_flags = SA_SIGINFO,
};
assert(argc == 2);
p = mmap(NULL, getpagesize(),
(strcmp(argv[1], "write") == 0) ? PROT_READ : 0,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
assert(p != MAP_FAILED);
assert(sigaction(SIGSEGV, &act, NULL) == 0);
if (strcmp(argv[1], "read") == 0)
printf("%c", *(unsigned char *)p);
else if (strcmp(argv[1], "write") == 0)
*(unsigned char *)p = 0;
else if (strcmp(argv[1], "exec") == 0)
((void (*)(void))p)();
return 1; /* failed to generate SEGV */
}
Fixes: c3350602e876 ("powerpc/mm: Make bad_area* helper functions")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: John Sperbeck <jsperbeck@google.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[mpe: Add commit references in change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-12-31 22:24:58 -07:00
|
|
|
return bad_access(regs, address);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If for any reason at all we couldn't handle the fault,
|
|
|
|
|
* make sure we exit gracefully rather than endlessly redo
|
|
|
|
|
* the fault.
|
|
|
|
|
*/
|
2016-07-26 16:25:18 -06:00
|
|
|
fault = handle_mm_fault(vma, address, flags);
|
2018-01-18 18:50:40 -07:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_PPC_MEM_KEYS
|
|
|
|
|
/*
|
2018-03-07 06:36:45 -07:00
|
|
|
* we skipped checking for access error due to key earlier.
|
|
|
|
|
* Check that using handle_mm_fault error return.
|
2018-01-18 18:50:40 -07:00
|
|
|
*/
|
|
|
|
|
if (unlikely(fault & VM_FAULT_SIGSEGV) &&
|
2018-03-07 06:36:45 -07:00
|
|
|
!arch_vma_access_permitted(vma, is_write, is_exec, 0)) {
|
|
|
|
|
|
2018-01-18 18:50:40 -07:00
|
|
|
int pkey = vma_pkey(vma);
|
|
|
|
|
|
2018-03-07 06:36:45 -07:00
|
|
|
up_read(&mm->mmap_sem);
|
|
|
|
|
return bad_key_fault_exception(regs, address, pkey);
|
2018-01-18 18:50:40 -07:00
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_PPC_MEM_KEYS */
|
|
|
|
|
|
2017-07-18 22:49:44 -06:00
|
|
|
major |= fault & VM_FAULT_MAJOR;
|
2017-02-14 09:45:11 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Handle the retry right now, the mmap_sem has been released in that
|
|
|
|
|
* case.
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(fault & VM_FAULT_RETRY)) {
|
|
|
|
|
/* We retry only once */
|
|
|
|
|
if (flags & FAULT_FLAG_ALLOW_RETRY) {
|
|
|
|
|
/*
|
|
|
|
|
* Clear FAULT_FLAG_ALLOW_RETRY to avoid any risk
|
|
|
|
|
* of starvation.
|
|
|
|
|
*/
|
|
|
|
|
flags &= ~FAULT_FLAG_ALLOW_RETRY;
|
|
|
|
|
flags |= FAULT_FLAG_TRIED;
|
|
|
|
|
if (!fatal_signal_pending(current))
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-18 22:49:36 -06:00
|
|
|
/*
|
|
|
|
|
* User mode? Just return to handle the fatal exception otherwise
|
|
|
|
|
* return to bad_page_fault
|
|
|
|
|
*/
|
|
|
|
|
return is_user ? 0 : SIGBUS;
|
2005-09-26 00:04:21 -06:00
|
|
|
}
|
2012-03-01 00:14:45 -07:00
|
|
|
|
2017-07-18 22:49:36 -06:00
|
|
|
up_read(¤t->mm->mmap_sem);
|
|
|
|
|
|
|
|
|
|
if (unlikely(fault & VM_FAULT_ERROR))
|
|
|
|
|
return mm_fault_error(regs, address, fault);
|
|
|
|
|
|
2012-03-01 00:14:45 -07:00
|
|
|
/*
|
2017-02-14 09:45:11 -07:00
|
|
|
* Major/minor page fault accounting.
|
2012-03-01 00:14:45 -07:00
|
|
|
*/
|
2017-07-18 22:49:44 -06:00
|
|
|
if (major) {
|
2017-02-14 09:45:11 -07:00
|
|
|
current->maj_flt++;
|
2017-07-18 22:49:38 -06:00
|
|
|
perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, regs, address);
|
2017-07-18 22:49:37 -06:00
|
|
|
cmo_account_page_fault();
|
2017-02-14 09:45:11 -07:00
|
|
|
} else {
|
|
|
|
|
current->min_flt++;
|
2017-07-18 22:49:38 -06:00
|
|
|
perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, regs, address);
|
2009-03-13 05:21:34 -06:00
|
|
|
}
|
2017-07-18 22:49:35 -06:00
|
|
|
return 0;
|
2017-07-18 22:49:23 -06:00
|
|
|
}
|
|
|
|
|
NOKPROBE_SYMBOL(__do_page_fault);
|
|
|
|
|
|
|
|
|
|
int do_page_fault(struct pt_regs *regs, unsigned long address,
|
|
|
|
|
unsigned long error_code)
|
|
|
|
|
{
|
|
|
|
|
enum ctx_state prev_state = exception_enter();
|
|
|
|
|
int rc = __do_page_fault(regs, address, error_code);
|
powerpc: Exception hooks for context tracking subsystem
This is the exception hooks for context tracking subsystem, including
data access, program check, single step, instruction breakpoint, machine check,
alignment, fp unavailable, altivec assist, unknown exception, whose handlers
might use RCU.
This patch corresponds to
[PATCH] x86: Exception hooks for userspace RCU extended QS
commit 6ba3c97a38803883c2eee489505796cb0a727122
But after the exception handling moved to generic code, and some changes in
following two commits:
56dd9470d7c8734f055da2a6bac553caf4a468eb
context_tracking: Move exception handling to generic code
6c1e0256fad84a843d915414e4b5973b7443d48d
context_tracking: Restore correct previous context state on exception exit
it is able for exception hooks to use the generic code above instead of a
redundant arch implementation.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2013-05-13 10:16:41 -06:00
|
|
|
exception_exit(prev_state);
|
|
|
|
|
return rc;
|
2005-09-26 00:04:21 -06:00
|
|
|
}
|
2016-09-16 04:48:08 -06:00
|
|
|
NOKPROBE_SYMBOL(do_page_fault);
|
2005-09-26 00:04:21 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* bad_page_fault is called when we have a bad access from the kernel.
|
|
|
|
|
* It is called from the DSI and ISI handlers in head.S and from some
|
|
|
|
|
* of the procedures in traps.c.
|
|
|
|
|
*/
|
|
|
|
|
void bad_page_fault(struct pt_regs *regs, unsigned long address, int sig)
|
|
|
|
|
{
|
|
|
|
|
const struct exception_table_entry *entry;
|
|
|
|
|
|
|
|
|
|
/* Are we prepared to handle this fault? */
|
|
|
|
|
if ((entry = search_exception_tables(regs->nip)) != NULL) {
|
2016-10-13 23:47:31 -06:00
|
|
|
regs->nip = extable_fixup(entry);
|
2005-09-26 00:04:21 -06:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* kernel has accessed a bad area */
|
2005-11-06 15:54:36 -07:00
|
|
|
|
2018-01-11 19:28:49 -07:00
|
|
|
switch (TRAP(regs)) {
|
2006-11-07 16:22:59 -07:00
|
|
|
case 0x300:
|
|
|
|
|
case 0x380:
|
2018-12-13 22:29:05 -07:00
|
|
|
case 0xe00:
|
2018-12-14 08:23:33 -07:00
|
|
|
pr_alert("BUG: %s at 0x%08lx\n",
|
|
|
|
|
regs->dar < PAGE_SIZE ? "Kernel NULL pointer dereference" :
|
|
|
|
|
"Unable to handle kernel data access", regs->dar);
|
2006-11-07 16:22:59 -07:00
|
|
|
break;
|
|
|
|
|
case 0x400:
|
|
|
|
|
case 0x480:
|
2018-12-14 08:23:33 -07:00
|
|
|
pr_alert("BUG: Unable to handle kernel instruction fetch%s",
|
|
|
|
|
regs->nip < PAGE_SIZE ? " (NULL pointer?)\n" : "\n");
|
2006-11-07 16:22:59 -07:00
|
|
|
break;
|
2015-07-01 22:56:20 -06:00
|
|
|
case 0x600:
|
2018-12-14 08:23:33 -07:00
|
|
|
pr_alert("BUG: Unable to handle kernel unaligned access at 0x%08lx\n",
|
|
|
|
|
regs->dar);
|
2015-07-01 22:56:20 -06:00
|
|
|
break;
|
2006-11-07 16:22:59 -07:00
|
|
|
default:
|
2018-12-14 08:23:33 -07:00
|
|
|
pr_alert("BUG: Unable to handle unknown paging fault at 0x%08lx\n",
|
|
|
|
|
regs->dar);
|
2006-11-07 16:22:59 -07:00
|
|
|
break;
|
2005-11-06 15:54:36 -07:00
|
|
|
}
|
|
|
|
|
printk(KERN_ALERT "Faulting instruction address: 0x%08lx\n",
|
|
|
|
|
regs->nip);
|
|
|
|
|
|
2014-09-12 07:16:18 -06:00
|
|
|
if (task_stack_end_corrupted(current))
|
2010-08-24 07:15:28 -06:00
|
|
|
printk(KERN_ALERT "Thread overran stack, or stack corrupted\n");
|
|
|
|
|
|
2005-09-26 00:04:21 -06:00
|
|
|
die("Kernel access of bad area", regs, sig);
|
|
|
|
|
}
|