1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Based on arch/arm/mm/fault.c
4 *
5 * Copyright (C) 1995 Linus Torvalds
6 * Copyright (C) 1995-2004 Russell King
7 * Copyright (C) 2012 ARM Ltd.
8 */
9
10 #include <linux/acpi.h>
11 #include <linux/bitfield.h>
12 #include <linux/extable.h>
13 #include <linux/kfence.h>
14 #include <linux/signal.h>
15 #include <linux/mm.h>
16 #include <linux/hardirq.h>
17 #include <linux/init.h>
18 #include <linux/kasan.h>
19 #include <linux/kprobes.h>
20 #include <linux/uaccess.h>
21 #include <linux/page-flags.h>
22 #include <linux/sched/signal.h>
23 #include <linux/sched/debug.h>
24 #include <linux/highmem.h>
25 #include <linux/perf_event.h>
26 #include <linux/pkeys.h>
27 #include <linux/preempt.h>
28 #include <linux/hugetlb.h>
29
30 #include <asm/acpi.h>
31 #include <asm/bug.h>
32 #include <asm/cmpxchg.h>
33 #include <asm/cpufeature.h>
34 #include <asm/efi.h>
35 #include <asm/exception.h>
36 #include <asm/daifflags.h>
37 #include <asm/debug-monitors.h>
38 #include <asm/esr.h>
39 #include <asm/kprobes.h>
40 #include <asm/mte.h>
41 #include <asm/processor.h>
42 #include <asm/sysreg.h>
43 #include <asm/system_misc.h>
44 #include <asm/tlbflush.h>
45 #include <asm/traps.h>
46
47 struct fault_info {
48 int (*fn)(unsigned long far, unsigned long esr,
49 struct pt_regs *regs);
50 int sig;
51 int code;
52 const char *name;
53 };
54
55 static const struct fault_info fault_info[];
56 static struct fault_info debug_fault_info[];
57
esr_to_fault_info(unsigned long esr)58 static inline const struct fault_info *esr_to_fault_info(unsigned long esr)
59 {
60 return fault_info + (esr & ESR_ELx_FSC);
61 }
62
esr_to_debug_fault_info(unsigned long esr)63 static inline const struct fault_info *esr_to_debug_fault_info(unsigned long esr)
64 {
65 return debug_fault_info + DBG_ESR_EVT(esr);
66 }
67
data_abort_decode(unsigned long esr)68 static void data_abort_decode(unsigned long esr)
69 {
70 unsigned long iss2 = ESR_ELx_ISS2(esr);
71
72 pr_alert("Data abort info:\n");
73
74 if (esr & ESR_ELx_ISV) {
75 pr_alert(" Access size = %u byte(s)\n",
76 1U << ((esr & ESR_ELx_SAS) >> ESR_ELx_SAS_SHIFT));
77 pr_alert(" SSE = %lu, SRT = %lu\n",
78 (esr & ESR_ELx_SSE) >> ESR_ELx_SSE_SHIFT,
79 (esr & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT);
80 pr_alert(" SF = %lu, AR = %lu\n",
81 (esr & ESR_ELx_SF) >> ESR_ELx_SF_SHIFT,
82 (esr & ESR_ELx_AR) >> ESR_ELx_AR_SHIFT);
83 } else {
84 pr_alert(" ISV = 0, ISS = 0x%08lx, ISS2 = 0x%08lx\n",
85 esr & ESR_ELx_ISS_MASK, iss2);
86 }
87
88 pr_alert(" CM = %lu, WnR = %lu, TnD = %lu, TagAccess = %lu\n",
89 (esr & ESR_ELx_CM) >> ESR_ELx_CM_SHIFT,
90 (esr & ESR_ELx_WNR) >> ESR_ELx_WNR_SHIFT,
91 (iss2 & ESR_ELx_TnD) >> ESR_ELx_TnD_SHIFT,
92 (iss2 & ESR_ELx_TagAccess) >> ESR_ELx_TagAccess_SHIFT);
93
94 pr_alert(" GCS = %ld, Overlay = %lu, DirtyBit = %lu, Xs = %llu\n",
95 (iss2 & ESR_ELx_GCS) >> ESR_ELx_GCS_SHIFT,
96 (iss2 & ESR_ELx_Overlay) >> ESR_ELx_Overlay_SHIFT,
97 (iss2 & ESR_ELx_DirtyBit) >> ESR_ELx_DirtyBit_SHIFT,
98 (iss2 & ESR_ELx_Xs_MASK) >> ESR_ELx_Xs_SHIFT);
99 }
100
mem_abort_decode(unsigned long esr)101 static void mem_abort_decode(unsigned long esr)
102 {
103 pr_alert("Mem abort info:\n");
104
105 pr_alert(" ESR = 0x%016lx\n", esr);
106 pr_alert(" EC = 0x%02lx: %s, IL = %u bits\n",
107 ESR_ELx_EC(esr), esr_get_class_string(esr),
108 (esr & ESR_ELx_IL) ? 32 : 16);
109 pr_alert(" SET = %lu, FnV = %lu\n",
110 (esr & ESR_ELx_SET_MASK) >> ESR_ELx_SET_SHIFT,
111 (esr & ESR_ELx_FnV) >> ESR_ELx_FnV_SHIFT);
112 pr_alert(" EA = %lu, S1PTW = %lu\n",
113 (esr & ESR_ELx_EA) >> ESR_ELx_EA_SHIFT,
114 (esr & ESR_ELx_S1PTW) >> ESR_ELx_S1PTW_SHIFT);
115 pr_alert(" FSC = 0x%02lx: %s\n", (esr & ESR_ELx_FSC),
116 esr_to_fault_info(esr)->name);
117
118 if (esr_is_data_abort(esr))
119 data_abort_decode(esr);
120 }
121
mm_to_pgd_phys(struct mm_struct * mm)122 static inline unsigned long mm_to_pgd_phys(struct mm_struct *mm)
123 {
124 /* Either init_pg_dir or swapper_pg_dir */
125 if (mm == &init_mm)
126 return __pa_symbol(mm->pgd);
127
128 return (unsigned long)virt_to_phys(mm->pgd);
129 }
130
131 /*
132 * Dump out the page tables associated with 'addr' in the currently active mm.
133 */
show_pte(unsigned long addr)134 static void show_pte(unsigned long addr)
135 {
136 struct mm_struct *mm;
137 pgd_t *pgdp;
138 pgd_t pgd;
139
140 if (is_ttbr0_addr(addr)) {
141 /* TTBR0 */
142 mm = current->active_mm;
143 if (mm == &init_mm) {
144 pr_alert("[%016lx] user address but active_mm is swapper\n",
145 addr);
146 return;
147 }
148 } else if (is_ttbr1_addr(addr)) {
149 /* TTBR1 */
150 mm = &init_mm;
151 } else {
152 pr_alert("[%016lx] address between user and kernel address ranges\n",
153 addr);
154 return;
155 }
156
157 pr_alert("%s pgtable: %luk pages, %llu-bit VAs, pgdp=%016lx\n",
158 mm == &init_mm ? "swapper" : "user", PAGE_SIZE / SZ_1K,
159 vabits_actual, mm_to_pgd_phys(mm));
160 pgdp = pgd_offset(mm, addr);
161 pgd = READ_ONCE(*pgdp);
162 pr_alert("[%016lx] pgd=%016llx", addr, pgd_val(pgd));
163
164 do {
165 p4d_t *p4dp, p4d;
166 pud_t *pudp, pud;
167 pmd_t *pmdp, pmd;
168 pte_t *ptep, pte;
169
170 if (pgd_none(pgd) || pgd_bad(pgd))
171 break;
172
173 p4dp = p4d_offset(pgdp, addr);
174 p4d = READ_ONCE(*p4dp);
175 pr_cont(", p4d=%016llx", p4d_val(p4d));
176 if (p4d_none(p4d) || p4d_bad(p4d))
177 break;
178
179 pudp = pud_offset(p4dp, addr);
180 pud = READ_ONCE(*pudp);
181 pr_cont(", pud=%016llx", pud_val(pud));
182 if (pud_none(pud) || pud_bad(pud))
183 break;
184
185 pmdp = pmd_offset(pudp, addr);
186 pmd = READ_ONCE(*pmdp);
187 pr_cont(", pmd=%016llx", pmd_val(pmd));
188 if (pmd_none(pmd) || pmd_bad(pmd))
189 break;
190
191 ptep = pte_offset_map(pmdp, addr);
192 if (!ptep)
193 break;
194
195 pte = __ptep_get(ptep);
196 pr_cont(", pte=%016llx", pte_val(pte));
197 pte_unmap(ptep);
198 } while(0);
199
200 pr_cont("\n");
201 }
202
203 /*
204 * This function sets the access flags (dirty, accessed), as well as write
205 * permission, and only to a more permissive setting.
206 *
207 * It needs to cope with hardware update of the accessed/dirty state by other
208 * agents in the system and can safely skip the __sync_icache_dcache() call as,
209 * like __set_ptes(), the PTE is never changed from no-exec to exec here.
210 *
211 * Returns whether or not the PTE actually changed.
212 */
__ptep_set_access_flags(struct vm_area_struct * vma,unsigned long address,pte_t * ptep,pte_t entry,int dirty)213 int __ptep_set_access_flags(struct vm_area_struct *vma,
214 unsigned long address, pte_t *ptep,
215 pte_t entry, int dirty)
216 {
217 pteval_t old_pteval, pteval;
218 pte_t pte = __ptep_get(ptep);
219
220 if (pte_same(pte, entry))
221 return 0;
222
223 /* only preserve the access flags and write permission */
224 pte_val(entry) &= PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY;
225
226 /*
227 * Setting the flags must be done atomically to avoid racing with the
228 * hardware update of the access/dirty state. The PTE_RDONLY bit must
229 * be set to the most permissive (lowest value) of *ptep and entry
230 * (calculated as: a & b == ~(~a | ~b)).
231 */
232 pte_val(entry) ^= PTE_RDONLY;
233 pteval = pte_val(pte);
234 do {
235 old_pteval = pteval;
236 pteval ^= PTE_RDONLY;
237 pteval |= pte_val(entry);
238 pteval ^= PTE_RDONLY;
239 pteval = cmpxchg_relaxed(&pte_val(*ptep), old_pteval, pteval);
240 } while (pteval != old_pteval);
241
242 /* Invalidate a stale read-only entry */
243 if (dirty)
244 flush_tlb_page(vma, address);
245 return 1;
246 }
247
is_el1_instruction_abort(unsigned long esr)248 static bool is_el1_instruction_abort(unsigned long esr)
249 {
250 return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_CUR;
251 }
252
is_el1_data_abort(unsigned long esr)253 static bool is_el1_data_abort(unsigned long esr)
254 {
255 return ESR_ELx_EC(esr) == ESR_ELx_EC_DABT_CUR;
256 }
257
is_el1_permission_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)258 static inline bool is_el1_permission_fault(unsigned long addr, unsigned long esr,
259 struct pt_regs *regs)
260 {
261 if (!is_el1_data_abort(esr) && !is_el1_instruction_abort(esr))
262 return false;
263
264 if (esr_fsc_is_permission_fault(esr))
265 return true;
266
267 if (is_ttbr0_addr(addr) && system_uses_ttbr0_pan())
268 return esr_fsc_is_translation_fault(esr) &&
269 (regs->pstate & PSR_PAN_BIT);
270
271 return false;
272 }
273
is_spurious_el1_translation_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)274 static bool __kprobes is_spurious_el1_translation_fault(unsigned long addr,
275 unsigned long esr,
276 struct pt_regs *regs)
277 {
278 unsigned long flags;
279 u64 par, dfsc;
280
281 if (!is_el1_data_abort(esr) || !esr_fsc_is_translation_fault(esr))
282 return false;
283
284 local_irq_save(flags);
285 asm volatile("at s1e1r, %0" :: "r" (addr));
286 isb();
287 par = read_sysreg_par();
288 local_irq_restore(flags);
289
290 /*
291 * If we now have a valid translation, treat the translation fault as
292 * spurious.
293 */
294 if (!(par & SYS_PAR_EL1_F))
295 return true;
296
297 /*
298 * If we got a different type of fault from the AT instruction,
299 * treat the translation fault as spurious.
300 */
301 dfsc = FIELD_GET(SYS_PAR_EL1_FST, par);
302 return !esr_fsc_is_translation_fault(dfsc);
303 }
304
die_kernel_fault(const char * msg,unsigned long addr,unsigned long esr,struct pt_regs * regs)305 static void die_kernel_fault(const char *msg, unsigned long addr,
306 unsigned long esr, struct pt_regs *regs)
307 {
308 bust_spinlocks(1);
309
310 pr_alert("Unable to handle kernel %s at virtual address %016lx\n", msg,
311 addr);
312
313 kasan_non_canonical_hook(addr);
314
315 mem_abort_decode(esr);
316
317 show_pte(addr);
318 die("Oops", regs, esr);
319 bust_spinlocks(0);
320 make_task_dead(SIGKILL);
321 }
322
323 #ifdef CONFIG_KASAN_HW_TAGS
report_tag_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)324 static void report_tag_fault(unsigned long addr, unsigned long esr,
325 struct pt_regs *regs)
326 {
327 /*
328 * SAS bits aren't set for all faults reported in EL1, so we can't
329 * find out access size.
330 */
331 bool is_write = !!(esr & ESR_ELx_WNR);
332 kasan_report((void *)addr, 0, is_write, regs->pc);
333 }
334 #else
335 /* Tag faults aren't enabled without CONFIG_KASAN_HW_TAGS. */
report_tag_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)336 static inline void report_tag_fault(unsigned long addr, unsigned long esr,
337 struct pt_regs *regs) { }
338 #endif
339
do_tag_recovery(unsigned long addr,unsigned long esr,struct pt_regs * regs)340 static void do_tag_recovery(unsigned long addr, unsigned long esr,
341 struct pt_regs *regs)
342 {
343
344 report_tag_fault(addr, esr, regs);
345
346 /*
347 * Disable MTE Tag Checking on the local CPU for the current EL.
348 * It will be done lazily on the other CPUs when they will hit a
349 * tag fault.
350 */
351 sysreg_clear_set(sctlr_el1, SCTLR_EL1_TCF_MASK,
352 SYS_FIELD_PREP_ENUM(SCTLR_EL1, TCF, NONE));
353 isb();
354 }
355
is_el1_mte_sync_tag_check_fault(unsigned long esr)356 static bool is_el1_mte_sync_tag_check_fault(unsigned long esr)
357 {
358 unsigned long fsc = esr & ESR_ELx_FSC;
359
360 if (!is_el1_data_abort(esr))
361 return false;
362
363 if (fsc == ESR_ELx_FSC_MTE)
364 return true;
365
366 return false;
367 }
368
__do_kernel_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)369 static void __do_kernel_fault(unsigned long addr, unsigned long esr,
370 struct pt_regs *regs)
371 {
372 const char *msg;
373
374 /*
375 * Are we prepared to handle this kernel fault?
376 * We are almost certainly not prepared to handle instruction faults.
377 */
378 if (!is_el1_instruction_abort(esr) && fixup_exception(regs, esr))
379 return;
380
381 if (WARN_RATELIMIT(is_spurious_el1_translation_fault(addr, esr, regs),
382 "Ignoring spurious kernel translation fault at virtual address %016lx\n", addr))
383 return;
384
385 if (is_el1_mte_sync_tag_check_fault(esr)) {
386 do_tag_recovery(addr, esr, regs);
387
388 return;
389 }
390
391 if (is_el1_permission_fault(addr, esr, regs)) {
392 if (esr & ESR_ELx_WNR)
393 msg = "write to read-only memory";
394 else if (is_el1_instruction_abort(esr))
395 msg = "execute from non-executable memory";
396 else
397 msg = "read from unreadable memory";
398 } else if (addr < PAGE_SIZE) {
399 msg = "NULL pointer dereference";
400 } else {
401 if (esr_fsc_is_translation_fault(esr) &&
402 kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, regs))
403 return;
404
405 msg = "paging request";
406 }
407
408 if (efi_runtime_fixup_exception(regs, msg))
409 return;
410
411 die_kernel_fault(msg, addr, esr, regs);
412 }
413
set_thread_esr(unsigned long address,unsigned long esr)414 static void set_thread_esr(unsigned long address, unsigned long esr)
415 {
416 current->thread.fault_address = address;
417
418 /*
419 * If the faulting address is in the kernel, we must sanitize the ESR.
420 * From userspace's point of view, kernel-only mappings don't exist
421 * at all, so we report them as level 0 translation faults.
422 * (This is not quite the way that "no mapping there at all" behaves:
423 * an alignment fault not caused by the memory type would take
424 * precedence over translation fault for a real access to empty
425 * space. Unfortunately we can't easily distinguish "alignment fault
426 * not caused by memory type" from "alignment fault caused by memory
427 * type", so we ignore this wrinkle and just return the translation
428 * fault.)
429 */
430 if (!is_ttbr0_addr(current->thread.fault_address)) {
431 switch (ESR_ELx_EC(esr)) {
432 case ESR_ELx_EC_DABT_LOW:
433 /*
434 * These bits provide only information about the
435 * faulting instruction, which userspace knows already.
436 * We explicitly clear bits which are architecturally
437 * RES0 in case they are given meanings in future.
438 * We always report the ESR as if the fault was taken
439 * to EL1 and so ISV and the bits in ISS[23:14] are
440 * clear. (In fact it always will be a fault to EL1.)
441 */
442 esr &= ESR_ELx_EC_MASK | ESR_ELx_IL |
443 ESR_ELx_CM | ESR_ELx_WNR;
444 esr |= ESR_ELx_FSC_FAULT;
445 break;
446 case ESR_ELx_EC_IABT_LOW:
447 /*
448 * Claim a level 0 translation fault.
449 * All other bits are architecturally RES0 for faults
450 * reported with that DFSC value, so we clear them.
451 */
452 esr &= ESR_ELx_EC_MASK | ESR_ELx_IL;
453 esr |= ESR_ELx_FSC_FAULT;
454 break;
455 default:
456 /*
457 * This should never happen (entry.S only brings us
458 * into this code for insn and data aborts from a lower
459 * exception level). Fail safe by not providing an ESR
460 * context record at all.
461 */
462 WARN(1, "ESR 0x%lx is not DABT or IABT from EL0\n", esr);
463 esr = 0;
464 break;
465 }
466 }
467
468 current->thread.fault_code = esr;
469 }
470
do_bad_area(unsigned long far,unsigned long esr,struct pt_regs * regs)471 static void do_bad_area(unsigned long far, unsigned long esr,
472 struct pt_regs *regs)
473 {
474 unsigned long addr = untagged_addr(far);
475
476 /*
477 * If we are in kernel mode at this point, we have no context to
478 * handle this fault with.
479 */
480 if (user_mode(regs)) {
481 const struct fault_info *inf = esr_to_fault_info(esr);
482
483 set_thread_esr(addr, esr);
484 arm64_force_sig_fault(inf->sig, inf->code, far, inf->name);
485 } else {
486 __do_kernel_fault(addr, esr, regs);
487 }
488 }
489
fault_from_pkey(struct vm_area_struct * vma,unsigned int mm_flags)490 static bool fault_from_pkey(struct vm_area_struct *vma, unsigned int mm_flags)
491 {
492 if (!system_supports_poe())
493 return false;
494
495 /*
496 * We do not check whether an Overlay fault has occurred because we
497 * cannot make a decision based solely on its value:
498 *
499 * - If Overlay is set, a fault did occur due to POE, but it may be
500 * spurious in those cases where we update POR_EL0 without ISB (e.g.
501 * on context-switch). We would then need to manually check POR_EL0
502 * against vma_pkey(vma), which is exactly what
503 * arch_vma_access_permitted() does.
504 *
505 * - If Overlay is not set, we may still need to report a pkey fault.
506 * This is the case if an access was made within a mapping but with no
507 * page mapped, and POR_EL0 forbids the access (according to
508 * vma_pkey()). Such access will result in a SIGSEGV regardless
509 * because core code checks arch_vma_access_permitted(), but in order
510 * to report the correct error code - SEGV_PKUERR - we must handle
511 * that case here.
512 */
513 return !arch_vma_access_permitted(vma,
514 mm_flags & FAULT_FLAG_WRITE,
515 mm_flags & FAULT_FLAG_INSTRUCTION,
516 false);
517 }
518
is_gcs_fault(unsigned long esr)519 static bool is_gcs_fault(unsigned long esr)
520 {
521 if (!esr_is_data_abort(esr))
522 return false;
523
524 return ESR_ELx_ISS2(esr) & ESR_ELx_GCS;
525 }
526
is_el0_instruction_abort(unsigned long esr)527 static bool is_el0_instruction_abort(unsigned long esr)
528 {
529 return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
530 }
531
532 /*
533 * Note: not valid for EL1 DC IVAC, but we never use that such that it
534 * should fault. EL0 cannot issue DC IVAC (undef).
535 */
is_write_abort(unsigned long esr)536 static bool is_write_abort(unsigned long esr)
537 {
538 return (esr & ESR_ELx_WNR) && !(esr & ESR_ELx_CM);
539 }
540
is_invalid_gcs_access(struct vm_area_struct * vma,u64 esr)541 static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
542 {
543 if (!system_supports_gcs())
544 return false;
545
546 if (unlikely(is_gcs_fault(esr))) {
547 /* GCS accesses must be performed on a GCS page */
548 if (!(vma->vm_flags & VM_SHADOW_STACK))
549 return true;
550 } else if (unlikely(vma->vm_flags & VM_SHADOW_STACK)) {
551 /* Only GCS operations can write to a GCS page */
552 return esr_is_data_abort(esr) && is_write_abort(esr);
553 }
554
555 return false;
556 }
557
do_page_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)558 static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
559 struct pt_regs *regs)
560 {
561 const struct fault_info *inf;
562 struct mm_struct *mm = current->mm;
563 vm_fault_t fault;
564 unsigned long vm_flags;
565 unsigned int mm_flags = FAULT_FLAG_DEFAULT;
566 unsigned long addr = untagged_addr(far);
567 struct vm_area_struct *vma;
568 int si_code;
569 int pkey = -1;
570
571 if (kprobe_page_fault(regs, esr))
572 return 0;
573
574 /*
575 * If we're in an interrupt or have no user context, we must not take
576 * the fault.
577 */
578 if (faulthandler_disabled() || !mm)
579 goto no_context;
580
581 if (user_mode(regs))
582 mm_flags |= FAULT_FLAG_USER;
583
584 /*
585 * vm_flags tells us what bits we must have in vma->vm_flags
586 * for the fault to be benign, __do_page_fault() would check
587 * vma->vm_flags & vm_flags and returns an error if the
588 * intersection is empty
589 */
590 if (is_el0_instruction_abort(esr)) {
591 /* It was exec fault */
592 vm_flags = VM_EXEC;
593 mm_flags |= FAULT_FLAG_INSTRUCTION;
594 } else if (is_gcs_fault(esr)) {
595 /*
596 * The GCS permission on a page implies both read and
597 * write so always handle any GCS fault as a write fault,
598 * we need to trigger CoW even for GCS reads.
599 */
600 vm_flags = VM_WRITE;
601 mm_flags |= FAULT_FLAG_WRITE;
602 } else if (is_write_abort(esr)) {
603 /* It was write fault */
604 vm_flags = VM_WRITE;
605 mm_flags |= FAULT_FLAG_WRITE;
606 } else {
607 /* It was read fault */
608 vm_flags = VM_READ;
609 /* Write implies read */
610 vm_flags |= VM_WRITE;
611 /* If EPAN is absent then exec implies read */
612 if (!alternative_has_cap_unlikely(ARM64_HAS_EPAN))
613 vm_flags |= VM_EXEC;
614 }
615
616 if (is_ttbr0_addr(addr) && is_el1_permission_fault(addr, esr, regs)) {
617 if (is_el1_instruction_abort(esr))
618 die_kernel_fault("execution of user memory",
619 addr, esr, regs);
620
621 if (!insn_may_access_user(regs->pc, esr))
622 die_kernel_fault("access to user memory outside uaccess routines",
623 addr, esr, regs);
624 }
625
626 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
627
628 if (!(mm_flags & FAULT_FLAG_USER))
629 goto lock_mmap;
630
631 vma = lock_vma_under_rcu(mm, addr);
632 if (!vma)
633 goto lock_mmap;
634
635 if (is_invalid_gcs_access(vma, esr)) {
636 vma_end_read(vma);
637 fault = 0;
638 si_code = SEGV_ACCERR;
639 goto bad_area;
640 }
641
642 if (!(vma->vm_flags & vm_flags)) {
643 vma_end_read(vma);
644 fault = 0;
645 si_code = SEGV_ACCERR;
646 count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
647 goto bad_area;
648 }
649
650 if (fault_from_pkey(vma, mm_flags)) {
651 pkey = vma_pkey(vma);
652 vma_end_read(vma);
653 fault = 0;
654 si_code = SEGV_PKUERR;
655 count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
656 goto bad_area;
657 }
658
659 fault = handle_mm_fault(vma, addr, mm_flags | FAULT_FLAG_VMA_LOCK, regs);
660 if (!(fault & (VM_FAULT_RETRY | VM_FAULT_COMPLETED)))
661 vma_end_read(vma);
662
663 if (!(fault & VM_FAULT_RETRY)) {
664 count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
665 goto done;
666 }
667 count_vm_vma_lock_event(VMA_LOCK_RETRY);
668 if (fault & VM_FAULT_MAJOR)
669 mm_flags |= FAULT_FLAG_TRIED;
670
671 /* Quick path to respond to signals */
672 if (fault_signal_pending(fault, regs)) {
673 if (!user_mode(regs))
674 goto no_context;
675 return 0;
676 }
677 lock_mmap:
678
679 retry:
680 vma = lock_mm_and_find_vma(mm, addr, regs);
681 if (unlikely(!vma)) {
682 fault = 0;
683 si_code = SEGV_MAPERR;
684 goto bad_area;
685 }
686
687 if (!(vma->vm_flags & vm_flags)) {
688 mmap_read_unlock(mm);
689 fault = 0;
690 si_code = SEGV_ACCERR;
691 goto bad_area;
692 }
693
694 if (fault_from_pkey(vma, mm_flags)) {
695 pkey = vma_pkey(vma);
696 mmap_read_unlock(mm);
697 fault = 0;
698 si_code = SEGV_PKUERR;
699 goto bad_area;
700 }
701
702 fault = handle_mm_fault(vma, addr, mm_flags, regs);
703
704 /* Quick path to respond to signals */
705 if (fault_signal_pending(fault, regs)) {
706 if (!user_mode(regs))
707 goto no_context;
708 return 0;
709 }
710
711 /* The fault is fully completed (including releasing mmap lock) */
712 if (fault & VM_FAULT_COMPLETED)
713 return 0;
714
715 if (fault & VM_FAULT_RETRY) {
716 mm_flags |= FAULT_FLAG_TRIED;
717 goto retry;
718 }
719 mmap_read_unlock(mm);
720
721 done:
722 /* Handle the "normal" (no error) case first. */
723 if (likely(!(fault & VM_FAULT_ERROR)))
724 return 0;
725
726 si_code = SEGV_MAPERR;
727 bad_area:
728 /*
729 * If we are in kernel mode at this point, we have no context to
730 * handle this fault with.
731 */
732 if (!user_mode(regs))
733 goto no_context;
734
735 if (fault & VM_FAULT_OOM) {
736 /*
737 * We ran out of memory, call the OOM killer, and return to
738 * userspace (which will retry the fault, or kill us if we got
739 * oom-killed).
740 */
741 pagefault_out_of_memory();
742 return 0;
743 }
744
745 inf = esr_to_fault_info(esr);
746 set_thread_esr(addr, esr);
747 if (fault & VM_FAULT_SIGBUS) {
748 /*
749 * We had some memory, but were unable to successfully fix up
750 * this page fault.
751 */
752 arm64_force_sig_fault(SIGBUS, BUS_ADRERR, far, inf->name);
753 } else if (fault & (VM_FAULT_HWPOISON_LARGE | VM_FAULT_HWPOISON)) {
754 unsigned int lsb;
755
756 lsb = PAGE_SHIFT;
757 if (fault & VM_FAULT_HWPOISON_LARGE)
758 lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
759
760 arm64_force_sig_mceerr(BUS_MCEERR_AR, far, lsb, inf->name);
761 } else {
762 /*
763 * The pkey value that we return to userspace can be different
764 * from the pkey that caused the fault.
765 *
766 * 1. T1 : mprotect_key(foo, PAGE_SIZE, pkey=4);
767 * 2. T1 : set POR_EL0 to deny access to pkey=4, touches, page
768 * 3. T1 : faults...
769 * 4. T2: mprotect_key(foo, PAGE_SIZE, pkey=5);
770 * 5. T1 : enters fault handler, takes mmap_lock, etc...
771 * 6. T1 : reaches here, sees vma_pkey(vma)=5, when we really
772 * faulted on a pte with its pkey=4.
773 */
774 /* Something tried to access memory that out of memory map */
775 if (si_code == SEGV_PKUERR)
776 arm64_force_sig_fault_pkey(far, inf->name, pkey);
777 else
778 arm64_force_sig_fault(SIGSEGV, si_code, far, inf->name);
779 }
780
781 return 0;
782
783 no_context:
784 __do_kernel_fault(addr, esr, regs);
785 return 0;
786 }
787
do_translation_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)788 static int __kprobes do_translation_fault(unsigned long far,
789 unsigned long esr,
790 struct pt_regs *regs)
791 {
792 unsigned long addr = untagged_addr(far);
793
794 if (is_ttbr0_addr(addr))
795 return do_page_fault(far, esr, regs);
796
797 do_bad_area(far, esr, regs);
798 return 0;
799 }
800
do_alignment_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)801 static int do_alignment_fault(unsigned long far, unsigned long esr,
802 struct pt_regs *regs)
803 {
804 if (IS_ENABLED(CONFIG_COMPAT_ALIGNMENT_FIXUPS) &&
805 compat_user_mode(regs))
806 return do_compat_alignment_fixup(far, regs);
807 do_bad_area(far, esr, regs);
808 return 0;
809 }
810
do_bad(unsigned long far,unsigned long esr,struct pt_regs * regs)811 static int do_bad(unsigned long far, unsigned long esr, struct pt_regs *regs)
812 {
813 return 1; /* "fault" */
814 }
815
do_sea(unsigned long far,unsigned long esr,struct pt_regs * regs)816 static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
817 {
818 const struct fault_info *inf;
819 unsigned long siaddr;
820
821 inf = esr_to_fault_info(esr);
822
823 if (user_mode(regs) && apei_claim_sea(regs) == 0) {
824 /*
825 * APEI claimed this as a firmware-first notification.
826 * Some processing deferred to task_work before ret_to_user().
827 */
828 return 0;
829 }
830
831 if (esr & ESR_ELx_FnV) {
832 siaddr = 0;
833 } else {
834 /*
835 * The architecture specifies that the tag bits of FAR_EL1 are
836 * UNKNOWN for synchronous external aborts. Mask them out now
837 * so that userspace doesn't see them.
838 */
839 siaddr = untagged_addr(far);
840 }
841 arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
842
843 return 0;
844 }
845
do_tag_check_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)846 static int do_tag_check_fault(unsigned long far, unsigned long esr,
847 struct pt_regs *regs)
848 {
849 /*
850 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN
851 * for tag check faults. Set them to corresponding bits in the untagged
852 * address.
853 */
854 far = (__untagged_addr(far) & ~MTE_TAG_MASK) | (far & MTE_TAG_MASK);
855 do_bad_area(far, esr, regs);
856 return 0;
857 }
858
859 static const struct fault_info fault_info[] = {
860 { do_bad, SIGKILL, SI_KERNEL, "ttbr address size fault" },
861 { do_bad, SIGKILL, SI_KERNEL, "level 1 address size fault" },
862 { do_bad, SIGKILL, SI_KERNEL, "level 2 address size fault" },
863 { do_bad, SIGKILL, SI_KERNEL, "level 3 address size fault" },
864 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" },
865 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
866 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
867 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
868 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 0 access flag fault" },
869 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
870 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
871 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 3 access flag fault" },
872 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 0 permission fault" },
873 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 permission fault" },
874 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 permission fault" },
875 { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 3 permission fault" },
876 { do_sea, SIGBUS, BUS_OBJERR, "synchronous external abort" },
877 { do_tag_check_fault, SIGSEGV, SEGV_MTESERR, "synchronous tag check fault" },
878 { do_bad, SIGKILL, SI_KERNEL, "unknown 18" },
879 { do_sea, SIGKILL, SI_KERNEL, "level -1 (translation table walk)" },
880 { do_sea, SIGKILL, SI_KERNEL, "level 0 (translation table walk)" },
881 { do_sea, SIGKILL, SI_KERNEL, "level 1 (translation table walk)" },
882 { do_sea, SIGKILL, SI_KERNEL, "level 2 (translation table walk)" },
883 { do_sea, SIGKILL, SI_KERNEL, "level 3 (translation table walk)" },
884 { do_sea, SIGBUS, BUS_OBJERR, "synchronous parity or ECC error" }, // Reserved when RAS is implemented
885 { do_bad, SIGKILL, SI_KERNEL, "unknown 25" },
886 { do_bad, SIGKILL, SI_KERNEL, "unknown 26" },
887 { do_sea, SIGKILL, SI_KERNEL, "level -1 synchronous parity error (translation table walk)" }, // Reserved when RAS is implemented
888 { do_sea, SIGKILL, SI_KERNEL, "level 0 synchronous parity error (translation table walk)" }, // Reserved when RAS is implemented
889 { do_sea, SIGKILL, SI_KERNEL, "level 1 synchronous parity error (translation table walk)" }, // Reserved when RAS is implemented
890 { do_sea, SIGKILL, SI_KERNEL, "level 2 synchronous parity error (translation table walk)" }, // Reserved when RAS is implemented
891 { do_sea, SIGKILL, SI_KERNEL, "level 3 synchronous parity error (translation table walk)" }, // Reserved when RAS is implemented
892 { do_bad, SIGKILL, SI_KERNEL, "unknown 32" },
893 { do_alignment_fault, SIGBUS, BUS_ADRALN, "alignment fault" },
894 { do_bad, SIGKILL, SI_KERNEL, "unknown 34" },
895 { do_bad, SIGKILL, SI_KERNEL, "unknown 35" },
896 { do_bad, SIGKILL, SI_KERNEL, "unknown 36" },
897 { do_bad, SIGKILL, SI_KERNEL, "unknown 37" },
898 { do_bad, SIGKILL, SI_KERNEL, "unknown 38" },
899 { do_bad, SIGKILL, SI_KERNEL, "unknown 39" },
900 { do_bad, SIGKILL, SI_KERNEL, "unknown 40" },
901 { do_bad, SIGKILL, SI_KERNEL, "level -1 address size fault" },
902 { do_bad, SIGKILL, SI_KERNEL, "unknown 42" },
903 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level -1 translation fault" },
904 { do_bad, SIGKILL, SI_KERNEL, "unknown 44" },
905 { do_bad, SIGKILL, SI_KERNEL, "unknown 45" },
906 { do_bad, SIGKILL, SI_KERNEL, "unknown 46" },
907 { do_bad, SIGKILL, SI_KERNEL, "unknown 47" },
908 { do_bad, SIGKILL, SI_KERNEL, "TLB conflict abort" },
909 { do_bad, SIGKILL, SI_KERNEL, "Unsupported atomic hardware update fault" },
910 { do_bad, SIGKILL, SI_KERNEL, "unknown 50" },
911 { do_bad, SIGKILL, SI_KERNEL, "unknown 51" },
912 { do_bad, SIGKILL, SI_KERNEL, "implementation fault (lockdown abort)" },
913 { do_bad, SIGBUS, BUS_OBJERR, "implementation fault (unsupported exclusive)" },
914 { do_bad, SIGKILL, SI_KERNEL, "unknown 54" },
915 { do_bad, SIGKILL, SI_KERNEL, "unknown 55" },
916 { do_bad, SIGKILL, SI_KERNEL, "unknown 56" },
917 { do_bad, SIGKILL, SI_KERNEL, "unknown 57" },
918 { do_bad, SIGKILL, SI_KERNEL, "unknown 58" },
919 { do_bad, SIGKILL, SI_KERNEL, "unknown 59" },
920 { do_bad, SIGKILL, SI_KERNEL, "unknown 60" },
921 { do_bad, SIGKILL, SI_KERNEL, "section domain fault" },
922 { do_bad, SIGKILL, SI_KERNEL, "page domain fault" },
923 { do_bad, SIGKILL, SI_KERNEL, "unknown 63" },
924 };
925
do_mem_abort(unsigned long far,unsigned long esr,struct pt_regs * regs)926 void do_mem_abort(unsigned long far, unsigned long esr, struct pt_regs *regs)
927 {
928 const struct fault_info *inf = esr_to_fault_info(esr);
929 unsigned long addr = untagged_addr(far);
930
931 if (!inf->fn(far, esr, regs))
932 return;
933
934 if (!user_mode(regs))
935 die_kernel_fault(inf->name, addr, esr, regs);
936
937 /*
938 * At this point we have an unrecognized fault type whose tag bits may
939 * have been defined as UNKNOWN. Therefore we only expose the untagged
940 * address to the signal handler.
941 */
942 arm64_notify_die(inf->name, regs, inf->sig, inf->code, addr, esr);
943 }
944 NOKPROBE_SYMBOL(do_mem_abort);
945
do_sp_pc_abort(unsigned long addr,unsigned long esr,struct pt_regs * regs)946 void do_sp_pc_abort(unsigned long addr, unsigned long esr, struct pt_regs *regs)
947 {
948 arm64_notify_die("SP/PC alignment exception", regs, SIGBUS, BUS_ADRALN,
949 addr, esr);
950 }
951 NOKPROBE_SYMBOL(do_sp_pc_abort);
952
953 /*
954 * __refdata because early_brk64 is __init, but the reference to it is
955 * clobbered at arch_initcall time.
956 * See traps.c and debug-monitors.c:debug_traps_init().
957 */
958 static struct fault_info __refdata debug_fault_info[] = {
959 { do_bad, SIGTRAP, TRAP_HWBKPT, "hardware breakpoint" },
960 { do_bad, SIGTRAP, TRAP_HWBKPT, "hardware single-step" },
961 { do_bad, SIGTRAP, TRAP_HWBKPT, "hardware watchpoint" },
962 { do_bad, SIGKILL, SI_KERNEL, "unknown 3" },
963 { do_bad, SIGTRAP, TRAP_BRKPT, "aarch32 BKPT" },
964 { do_bad, SIGKILL, SI_KERNEL, "aarch32 vector catch" },
965 { early_brk64, SIGTRAP, TRAP_BRKPT, "aarch64 BRK" },
966 { do_bad, SIGKILL, SI_KERNEL, "unknown 7" },
967 };
968
hook_debug_fault_code(int nr,int (* fn)(unsigned long,unsigned long,struct pt_regs *),int sig,int code,const char * name)969 void __init hook_debug_fault_code(int nr,
970 int (*fn)(unsigned long, unsigned long, struct pt_regs *),
971 int sig, int code, const char *name)
972 {
973 BUG_ON(nr < 0 || nr >= ARRAY_SIZE(debug_fault_info));
974
975 debug_fault_info[nr].fn = fn;
976 debug_fault_info[nr].sig = sig;
977 debug_fault_info[nr].code = code;
978 debug_fault_info[nr].name = name;
979 }
980
981 /*
982 * In debug exception context, we explicitly disable preemption despite
983 * having interrupts disabled.
984 * This serves two purposes: it makes it much less likely that we would
985 * accidentally schedule in exception context and it will force a warning
986 * if we somehow manage to schedule by accident.
987 */
debug_exception_enter(struct pt_regs * regs)988 static void debug_exception_enter(struct pt_regs *regs)
989 {
990 preempt_disable();
991
992 /* This code is a bit fragile. Test it. */
993 RCU_LOCKDEP_WARN(!rcu_is_watching(), "exception_enter didn't work");
994 }
995 NOKPROBE_SYMBOL(debug_exception_enter);
996
debug_exception_exit(struct pt_regs * regs)997 static void debug_exception_exit(struct pt_regs *regs)
998 {
999 preempt_enable_no_resched();
1000 }
1001 NOKPROBE_SYMBOL(debug_exception_exit);
1002
do_debug_exception(unsigned long addr_if_watchpoint,unsigned long esr,struct pt_regs * regs)1003 void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
1004 struct pt_regs *regs)
1005 {
1006 const struct fault_info *inf = esr_to_debug_fault_info(esr);
1007 unsigned long pc = instruction_pointer(regs);
1008
1009 debug_exception_enter(regs);
1010
1011 if (user_mode(regs) && !is_ttbr0_addr(pc))
1012 arm64_apply_bp_hardening();
1013
1014 if (inf->fn(addr_if_watchpoint, esr, regs)) {
1015 arm64_notify_die(inf->name, regs, inf->sig, inf->code, pc, esr);
1016 }
1017
1018 debug_exception_exit(regs);
1019 }
1020 NOKPROBE_SYMBOL(do_debug_exception);
1021
1022 /*
1023 * Used during anonymous page fault handling.
1024 */
vma_alloc_zeroed_movable_folio(struct vm_area_struct * vma,unsigned long vaddr)1025 struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma,
1026 unsigned long vaddr)
1027 {
1028 gfp_t flags = GFP_HIGHUSER_MOVABLE | __GFP_ZERO;
1029
1030 /*
1031 * If the page is mapped with PROT_MTE, initialise the tags at the
1032 * point of allocation and page zeroing as this is usually faster than
1033 * separate DC ZVA and STGM.
1034 */
1035 if (vma->vm_flags & VM_MTE)
1036 flags |= __GFP_ZEROTAGS;
1037
1038 return vma_alloc_folio(flags, 0, vma, vaddr);
1039 }
1040
tag_clear_highpage(struct page * page)1041 void tag_clear_highpage(struct page *page)
1042 {
1043 /* Newly allocated page, shouldn't have been tagged yet */
1044 WARN_ON_ONCE(!try_page_mte_tagging(page));
1045 mte_zero_clear_page_tags(page_address(page));
1046 set_page_mte_tagged(page);
1047 }
1048