xref: /linux/arch/arm64/mm/fault.c (revision f69f5aab1fad379bbef9339f66bc8323daffe56e)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Based on arch/arm/mm/fault.c
4  *
5  * Copyright (C) 1995  Linus Torvalds
6  * Copyright (C) 1995-2004 Russell King
7  * Copyright (C) 2012 ARM Ltd.
8  */
9 
10 #include <linux/acpi.h>
11 #include <linux/bitfield.h>
12 #include <linux/extable.h>
13 #include <linux/kfence.h>
14 #include <linux/signal.h>
15 #include <linux/mm.h>
16 #include <linux/hardirq.h>
17 #include <linux/init.h>
18 #include <linux/kasan.h>
19 #include <linux/kprobes.h>
20 #include <linux/uaccess.h>
21 #include <linux/page-flags.h>
22 #include <linux/sched/signal.h>
23 #include <linux/sched/debug.h>
24 #include <linux/highmem.h>
25 #include <linux/perf_event.h>
26 #include <linux/pkeys.h>
27 #include <linux/preempt.h>
28 #include <linux/hugetlb.h>
29 
30 #include <asm/acpi.h>
31 #include <asm/bug.h>
32 #include <asm/cmpxchg.h>
33 #include <asm/cpufeature.h>
34 #include <asm/efi.h>
35 #include <asm/exception.h>
36 #include <asm/daifflags.h>
37 #include <asm/debug-monitors.h>
38 #include <asm/esr.h>
39 #include <asm/kprobes.h>
40 #include <asm/mte.h>
41 #include <asm/processor.h>
42 #include <asm/sysreg.h>
43 #include <asm/system_misc.h>
44 #include <asm/tlbflush.h>
45 #include <asm/traps.h>
46 
47 struct fault_info {
48 	int	(*fn)(unsigned long far, unsigned long esr,
49 		      struct pt_regs *regs);
50 	int	sig;
51 	int	code;
52 	const char *name;
53 };
54 
55 static const struct fault_info fault_info[];
56 static struct fault_info debug_fault_info[];
57 
esr_to_fault_info(unsigned long esr)58 static inline const struct fault_info *esr_to_fault_info(unsigned long esr)
59 {
60 	return fault_info + (esr & ESR_ELx_FSC);
61 }
62 
esr_to_debug_fault_info(unsigned long esr)63 static inline const struct fault_info *esr_to_debug_fault_info(unsigned long esr)
64 {
65 	return debug_fault_info + DBG_ESR_EVT(esr);
66 }
67 
data_abort_decode(unsigned long esr)68 static void data_abort_decode(unsigned long esr)
69 {
70 	unsigned long iss2 = ESR_ELx_ISS2(esr);
71 
72 	pr_alert("Data abort info:\n");
73 
74 	if (esr & ESR_ELx_ISV) {
75 		pr_alert("  Access size = %u byte(s)\n",
76 			 1U << ((esr & ESR_ELx_SAS) >> ESR_ELx_SAS_SHIFT));
77 		pr_alert("  SSE = %lu, SRT = %lu\n",
78 			 (esr & ESR_ELx_SSE) >> ESR_ELx_SSE_SHIFT,
79 			 (esr & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT);
80 		pr_alert("  SF = %lu, AR = %lu\n",
81 			 (esr & ESR_ELx_SF) >> ESR_ELx_SF_SHIFT,
82 			 (esr & ESR_ELx_AR) >> ESR_ELx_AR_SHIFT);
83 	} else {
84 		pr_alert("  ISV = 0, ISS = 0x%08lx, ISS2 = 0x%08lx\n",
85 			 esr & ESR_ELx_ISS_MASK, iss2);
86 	}
87 
88 	pr_alert("  CM = %lu, WnR = %lu, TnD = %lu, TagAccess = %lu\n",
89 		 (esr & ESR_ELx_CM) >> ESR_ELx_CM_SHIFT,
90 		 (esr & ESR_ELx_WNR) >> ESR_ELx_WNR_SHIFT,
91 		 (iss2 & ESR_ELx_TnD) >> ESR_ELx_TnD_SHIFT,
92 		 (iss2 & ESR_ELx_TagAccess) >> ESR_ELx_TagAccess_SHIFT);
93 
94 	pr_alert("  GCS = %ld, Overlay = %lu, DirtyBit = %lu, Xs = %llu\n",
95 		 (iss2 & ESR_ELx_GCS) >> ESR_ELx_GCS_SHIFT,
96 		 (iss2 & ESR_ELx_Overlay) >> ESR_ELx_Overlay_SHIFT,
97 		 (iss2 & ESR_ELx_DirtyBit) >> ESR_ELx_DirtyBit_SHIFT,
98 		 (iss2 & ESR_ELx_Xs_MASK) >> ESR_ELx_Xs_SHIFT);
99 }
100 
mem_abort_decode(unsigned long esr)101 static void mem_abort_decode(unsigned long esr)
102 {
103 	pr_alert("Mem abort info:\n");
104 
105 	pr_alert("  ESR = 0x%016lx\n", esr);
106 	pr_alert("  EC = 0x%02lx: %s, IL = %u bits\n",
107 		 ESR_ELx_EC(esr), esr_get_class_string(esr),
108 		 (esr & ESR_ELx_IL) ? 32 : 16);
109 	pr_alert("  SET = %lu, FnV = %lu\n",
110 		 (esr & ESR_ELx_SET_MASK) >> ESR_ELx_SET_SHIFT,
111 		 (esr & ESR_ELx_FnV) >> ESR_ELx_FnV_SHIFT);
112 	pr_alert("  EA = %lu, S1PTW = %lu\n",
113 		 (esr & ESR_ELx_EA) >> ESR_ELx_EA_SHIFT,
114 		 (esr & ESR_ELx_S1PTW) >> ESR_ELx_S1PTW_SHIFT);
115 	pr_alert("  FSC = 0x%02lx: %s\n", (esr & ESR_ELx_FSC),
116 		 esr_to_fault_info(esr)->name);
117 
118 	if (esr_is_data_abort(esr))
119 		data_abort_decode(esr);
120 }
121 
mm_to_pgd_phys(struct mm_struct * mm)122 static inline unsigned long mm_to_pgd_phys(struct mm_struct *mm)
123 {
124 	/* Either init_pg_dir or swapper_pg_dir */
125 	if (mm == &init_mm)
126 		return __pa_symbol(mm->pgd);
127 
128 	return (unsigned long)virt_to_phys(mm->pgd);
129 }
130 
131 /*
132  * Dump out the page tables associated with 'addr' in the currently active mm.
133  */
show_pte(unsigned long addr)134 static void show_pte(unsigned long addr)
135 {
136 	struct mm_struct *mm;
137 	pgd_t *pgdp;
138 	pgd_t pgd;
139 
140 	if (is_ttbr0_addr(addr)) {
141 		/* TTBR0 */
142 		mm = current->active_mm;
143 		if (mm == &init_mm) {
144 			pr_alert("[%016lx] user address but active_mm is swapper\n",
145 				 addr);
146 			return;
147 		}
148 	} else if (is_ttbr1_addr(addr)) {
149 		/* TTBR1 */
150 		mm = &init_mm;
151 	} else {
152 		pr_alert("[%016lx] address between user and kernel address ranges\n",
153 			 addr);
154 		return;
155 	}
156 
157 	pr_alert("%s pgtable: %luk pages, %llu-bit VAs, pgdp=%016lx\n",
158 		 mm == &init_mm ? "swapper" : "user", PAGE_SIZE / SZ_1K,
159 		 vabits_actual, mm_to_pgd_phys(mm));
160 	pgdp = pgd_offset(mm, addr);
161 	pgd = READ_ONCE(*pgdp);
162 	pr_alert("[%016lx] pgd=%016llx", addr, pgd_val(pgd));
163 
164 	do {
165 		p4d_t *p4dp, p4d;
166 		pud_t *pudp, pud;
167 		pmd_t *pmdp, pmd;
168 		pte_t *ptep, pte;
169 
170 		if (pgd_none(pgd) || pgd_bad(pgd))
171 			break;
172 
173 		p4dp = p4d_offset(pgdp, addr);
174 		p4d = READ_ONCE(*p4dp);
175 		pr_cont(", p4d=%016llx", p4d_val(p4d));
176 		if (p4d_none(p4d) || p4d_bad(p4d))
177 			break;
178 
179 		pudp = pud_offset(p4dp, addr);
180 		pud = READ_ONCE(*pudp);
181 		pr_cont(", pud=%016llx", pud_val(pud));
182 		if (pud_none(pud) || pud_bad(pud))
183 			break;
184 
185 		pmdp = pmd_offset(pudp, addr);
186 		pmd = READ_ONCE(*pmdp);
187 		pr_cont(", pmd=%016llx", pmd_val(pmd));
188 		if (pmd_none(pmd) || pmd_bad(pmd))
189 			break;
190 
191 		ptep = pte_offset_map(pmdp, addr);
192 		if (!ptep)
193 			break;
194 
195 		pte = __ptep_get(ptep);
196 		pr_cont(", pte=%016llx", pte_val(pte));
197 		pte_unmap(ptep);
198 	} while(0);
199 
200 	pr_cont("\n");
201 }
202 
203 /*
204  * This function sets the access flags (dirty, accessed), as well as write
205  * permission, and only to a more permissive setting.
206  *
207  * It needs to cope with hardware update of the accessed/dirty state by other
208  * agents in the system and can safely skip the __sync_icache_dcache() call as,
209  * like __set_ptes(), the PTE is never changed from no-exec to exec here.
210  *
211  * Returns whether or not the PTE actually changed.
212  */
__ptep_set_access_flags(struct vm_area_struct * vma,unsigned long address,pte_t * ptep,pte_t entry,int dirty)213 int __ptep_set_access_flags(struct vm_area_struct *vma,
214 			    unsigned long address, pte_t *ptep,
215 			    pte_t entry, int dirty)
216 {
217 	pteval_t old_pteval, pteval;
218 	pte_t pte = __ptep_get(ptep);
219 
220 	if (pte_same(pte, entry))
221 		return 0;
222 
223 	/* only preserve the access flags and write permission */
224 	pte_val(entry) &= PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY;
225 
226 	/*
227 	 * Setting the flags must be done atomically to avoid racing with the
228 	 * hardware update of the access/dirty state. The PTE_RDONLY bit must
229 	 * be set to the most permissive (lowest value) of *ptep and entry
230 	 * (calculated as: a & b == ~(~a | ~b)).
231 	 */
232 	pte_val(entry) ^= PTE_RDONLY;
233 	pteval = pte_val(pte);
234 	do {
235 		old_pteval = pteval;
236 		pteval ^= PTE_RDONLY;
237 		pteval |= pte_val(entry);
238 		pteval ^= PTE_RDONLY;
239 		pteval = cmpxchg_relaxed(&pte_val(*ptep), old_pteval, pteval);
240 	} while (pteval != old_pteval);
241 
242 	/* Invalidate a stale read-only entry */
243 	if (dirty)
244 		flush_tlb_page(vma, address);
245 	return 1;
246 }
247 
is_el1_instruction_abort(unsigned long esr)248 static bool is_el1_instruction_abort(unsigned long esr)
249 {
250 	return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_CUR;
251 }
252 
is_el1_data_abort(unsigned long esr)253 static bool is_el1_data_abort(unsigned long esr)
254 {
255 	return ESR_ELx_EC(esr) == ESR_ELx_EC_DABT_CUR;
256 }
257 
is_el1_permission_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)258 static inline bool is_el1_permission_fault(unsigned long addr, unsigned long esr,
259 					   struct pt_regs *regs)
260 {
261 	if (!is_el1_data_abort(esr) && !is_el1_instruction_abort(esr))
262 		return false;
263 
264 	if (esr_fsc_is_permission_fault(esr))
265 		return true;
266 
267 	if (is_ttbr0_addr(addr) && system_uses_ttbr0_pan())
268 		return esr_fsc_is_translation_fault(esr) &&
269 			(regs->pstate & PSR_PAN_BIT);
270 
271 	return false;
272 }
273 
is_spurious_el1_translation_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)274 static bool __kprobes is_spurious_el1_translation_fault(unsigned long addr,
275 							unsigned long esr,
276 							struct pt_regs *regs)
277 {
278 	unsigned long flags;
279 	u64 par, dfsc;
280 
281 	if (!is_el1_data_abort(esr) || !esr_fsc_is_translation_fault(esr))
282 		return false;
283 
284 	local_irq_save(flags);
285 	asm volatile("at s1e1r, %0" :: "r" (addr));
286 	isb();
287 	par = read_sysreg_par();
288 	local_irq_restore(flags);
289 
290 	/*
291 	 * If we now have a valid translation, treat the translation fault as
292 	 * spurious.
293 	 */
294 	if (!(par & SYS_PAR_EL1_F))
295 		return true;
296 
297 	/*
298 	 * If we got a different type of fault from the AT instruction,
299 	 * treat the translation fault as spurious.
300 	 */
301 	dfsc = FIELD_GET(SYS_PAR_EL1_FST, par);
302 	return !esr_fsc_is_translation_fault(dfsc);
303 }
304 
die_kernel_fault(const char * msg,unsigned long addr,unsigned long esr,struct pt_regs * regs)305 static void die_kernel_fault(const char *msg, unsigned long addr,
306 			     unsigned long esr, struct pt_regs *regs)
307 {
308 	bust_spinlocks(1);
309 
310 	pr_alert("Unable to handle kernel %s at virtual address %016lx\n", msg,
311 		 addr);
312 
313 	kasan_non_canonical_hook(addr);
314 
315 	mem_abort_decode(esr);
316 
317 	show_pte(addr);
318 	die("Oops", regs, esr);
319 	bust_spinlocks(0);
320 	make_task_dead(SIGKILL);
321 }
322 
323 #ifdef CONFIG_KASAN_HW_TAGS
report_tag_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)324 static void report_tag_fault(unsigned long addr, unsigned long esr,
325 			     struct pt_regs *regs)
326 {
327 	/*
328 	 * SAS bits aren't set for all faults reported in EL1, so we can't
329 	 * find out access size.
330 	 */
331 	bool is_write = !!(esr & ESR_ELx_WNR);
332 	kasan_report((void *)addr, 0, is_write, regs->pc);
333 }
334 #else
335 /* Tag faults aren't enabled without CONFIG_KASAN_HW_TAGS. */
report_tag_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)336 static inline void report_tag_fault(unsigned long addr, unsigned long esr,
337 				    struct pt_regs *regs) { }
338 #endif
339 
do_tag_recovery(unsigned long addr,unsigned long esr,struct pt_regs * regs)340 static void do_tag_recovery(unsigned long addr, unsigned long esr,
341 			   struct pt_regs *regs)
342 {
343 
344 	report_tag_fault(addr, esr, regs);
345 
346 	/*
347 	 * Disable MTE Tag Checking on the local CPU for the current EL.
348 	 * It will be done lazily on the other CPUs when they will hit a
349 	 * tag fault.
350 	 */
351 	sysreg_clear_set(sctlr_el1, SCTLR_EL1_TCF_MASK,
352 			 SYS_FIELD_PREP_ENUM(SCTLR_EL1, TCF, NONE));
353 	isb();
354 }
355 
is_el1_mte_sync_tag_check_fault(unsigned long esr)356 static bool is_el1_mte_sync_tag_check_fault(unsigned long esr)
357 {
358 	unsigned long fsc = esr & ESR_ELx_FSC;
359 
360 	if (!is_el1_data_abort(esr))
361 		return false;
362 
363 	if (fsc == ESR_ELx_FSC_MTE)
364 		return true;
365 
366 	return false;
367 }
368 
__do_kernel_fault(unsigned long addr,unsigned long esr,struct pt_regs * regs)369 static void __do_kernel_fault(unsigned long addr, unsigned long esr,
370 			      struct pt_regs *regs)
371 {
372 	const char *msg;
373 
374 	/*
375 	 * Are we prepared to handle this kernel fault?
376 	 * We are almost certainly not prepared to handle instruction faults.
377 	 */
378 	if (!is_el1_instruction_abort(esr) && fixup_exception(regs, esr))
379 		return;
380 
381 	if (WARN_RATELIMIT(is_spurious_el1_translation_fault(addr, esr, regs),
382 	    "Ignoring spurious kernel translation fault at virtual address %016lx\n", addr))
383 		return;
384 
385 	if (is_el1_mte_sync_tag_check_fault(esr)) {
386 		do_tag_recovery(addr, esr, regs);
387 
388 		return;
389 	}
390 
391 	if (is_el1_permission_fault(addr, esr, regs)) {
392 		if (esr & ESR_ELx_WNR)
393 			msg = "write to read-only memory";
394 		else if (is_el1_instruction_abort(esr))
395 			msg = "execute from non-executable memory";
396 		else
397 			msg = "read from unreadable memory";
398 	} else if (addr < PAGE_SIZE) {
399 		msg = "NULL pointer dereference";
400 	} else {
401 		if (esr_fsc_is_translation_fault(esr) &&
402 		    kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, regs))
403 			return;
404 
405 		msg = "paging request";
406 	}
407 
408 	if (efi_runtime_fixup_exception(regs, msg))
409 		return;
410 
411 	die_kernel_fault(msg, addr, esr, regs);
412 }
413 
set_thread_esr(unsigned long address,unsigned long esr)414 static void set_thread_esr(unsigned long address, unsigned long esr)
415 {
416 	current->thread.fault_address = address;
417 
418 	/*
419 	 * If the faulting address is in the kernel, we must sanitize the ESR.
420 	 * From userspace's point of view, kernel-only mappings don't exist
421 	 * at all, so we report them as level 0 translation faults.
422 	 * (This is not quite the way that "no mapping there at all" behaves:
423 	 * an alignment fault not caused by the memory type would take
424 	 * precedence over translation fault for a real access to empty
425 	 * space. Unfortunately we can't easily distinguish "alignment fault
426 	 * not caused by memory type" from "alignment fault caused by memory
427 	 * type", so we ignore this wrinkle and just return the translation
428 	 * fault.)
429 	 */
430 	if (!is_ttbr0_addr(current->thread.fault_address)) {
431 		switch (ESR_ELx_EC(esr)) {
432 		case ESR_ELx_EC_DABT_LOW:
433 			/*
434 			 * These bits provide only information about the
435 			 * faulting instruction, which userspace knows already.
436 			 * We explicitly clear bits which are architecturally
437 			 * RES0 in case they are given meanings in future.
438 			 * We always report the ESR as if the fault was taken
439 			 * to EL1 and so ISV and the bits in ISS[23:14] are
440 			 * clear. (In fact it always will be a fault to EL1.)
441 			 */
442 			esr &= ESR_ELx_EC_MASK | ESR_ELx_IL |
443 				ESR_ELx_CM | ESR_ELx_WNR;
444 			esr |= ESR_ELx_FSC_FAULT;
445 			break;
446 		case ESR_ELx_EC_IABT_LOW:
447 			/*
448 			 * Claim a level 0 translation fault.
449 			 * All other bits are architecturally RES0 for faults
450 			 * reported with that DFSC value, so we clear them.
451 			 */
452 			esr &= ESR_ELx_EC_MASK | ESR_ELx_IL;
453 			esr |= ESR_ELx_FSC_FAULT;
454 			break;
455 		default:
456 			/*
457 			 * This should never happen (entry.S only brings us
458 			 * into this code for insn and data aborts from a lower
459 			 * exception level). Fail safe by not providing an ESR
460 			 * context record at all.
461 			 */
462 			WARN(1, "ESR 0x%lx is not DABT or IABT from EL0\n", esr);
463 			esr = 0;
464 			break;
465 		}
466 	}
467 
468 	current->thread.fault_code = esr;
469 }
470 
do_bad_area(unsigned long far,unsigned long esr,struct pt_regs * regs)471 static void do_bad_area(unsigned long far, unsigned long esr,
472 			struct pt_regs *regs)
473 {
474 	unsigned long addr = untagged_addr(far);
475 
476 	/*
477 	 * If we are in kernel mode at this point, we have no context to
478 	 * handle this fault with.
479 	 */
480 	if (user_mode(regs)) {
481 		const struct fault_info *inf = esr_to_fault_info(esr);
482 
483 		set_thread_esr(addr, esr);
484 		arm64_force_sig_fault(inf->sig, inf->code, far, inf->name);
485 	} else {
486 		__do_kernel_fault(addr, esr, regs);
487 	}
488 }
489 
fault_from_pkey(struct vm_area_struct * vma,unsigned int mm_flags)490 static bool fault_from_pkey(struct vm_area_struct *vma, unsigned int mm_flags)
491 {
492 	if (!system_supports_poe())
493 		return false;
494 
495 	/*
496 	 * We do not check whether an Overlay fault has occurred because we
497 	 * cannot make a decision based solely on its value:
498 	 *
499 	 * - If Overlay is set, a fault did occur due to POE, but it may be
500 	 *   spurious in those cases where we update POR_EL0 without ISB (e.g.
501 	 *   on context-switch). We would then need to manually check POR_EL0
502 	 *   against vma_pkey(vma), which is exactly what
503 	 *   arch_vma_access_permitted() does.
504 	 *
505 	 * - If Overlay is not set, we may still need to report a pkey fault.
506 	 *   This is the case if an access was made within a mapping but with no
507 	 *   page mapped, and POR_EL0 forbids the access (according to
508 	 *   vma_pkey()). Such access will result in a SIGSEGV regardless
509 	 *   because core code checks arch_vma_access_permitted(), but in order
510 	 *   to report the correct error code - SEGV_PKUERR - we must handle
511 	 *   that case here.
512 	 */
513 	return !arch_vma_access_permitted(vma,
514 			mm_flags & FAULT_FLAG_WRITE,
515 			mm_flags & FAULT_FLAG_INSTRUCTION,
516 			false);
517 }
518 
is_gcs_fault(unsigned long esr)519 static bool is_gcs_fault(unsigned long esr)
520 {
521 	if (!esr_is_data_abort(esr))
522 		return false;
523 
524 	return ESR_ELx_ISS2(esr) & ESR_ELx_GCS;
525 }
526 
is_el0_instruction_abort(unsigned long esr)527 static bool is_el0_instruction_abort(unsigned long esr)
528 {
529 	return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
530 }
531 
532 /*
533  * Note: not valid for EL1 DC IVAC, but we never use that such that it
534  * should fault. EL0 cannot issue DC IVAC (undef).
535  */
is_write_abort(unsigned long esr)536 static bool is_write_abort(unsigned long esr)
537 {
538 	return (esr & ESR_ELx_WNR) && !(esr & ESR_ELx_CM);
539 }
540 
is_invalid_gcs_access(struct vm_area_struct * vma,u64 esr)541 static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
542 {
543 	if (!system_supports_gcs())
544 		return false;
545 
546 	if (unlikely(is_gcs_fault(esr))) {
547 		/* GCS accesses must be performed on a GCS page */
548 		if (!(vma->vm_flags & VM_SHADOW_STACK))
549 			return true;
550 	} else if (unlikely(vma->vm_flags & VM_SHADOW_STACK)) {
551 		/* Only GCS operations can write to a GCS page */
552 		return esr_is_data_abort(esr) && is_write_abort(esr);
553 	}
554 
555 	return false;
556 }
557 
do_page_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)558 static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
559 				   struct pt_regs *regs)
560 {
561 	const struct fault_info *inf;
562 	struct mm_struct *mm = current->mm;
563 	vm_fault_t fault;
564 	unsigned long vm_flags;
565 	unsigned int mm_flags = FAULT_FLAG_DEFAULT;
566 	unsigned long addr = untagged_addr(far);
567 	struct vm_area_struct *vma;
568 	int si_code;
569 	int pkey = -1;
570 
571 	if (kprobe_page_fault(regs, esr))
572 		return 0;
573 
574 	/*
575 	 * If we're in an interrupt or have no user context, we must not take
576 	 * the fault.
577 	 */
578 	if (faulthandler_disabled() || !mm)
579 		goto no_context;
580 
581 	if (user_mode(regs))
582 		mm_flags |= FAULT_FLAG_USER;
583 
584 	/*
585 	 * vm_flags tells us what bits we must have in vma->vm_flags
586 	 * for the fault to be benign, __do_page_fault() would check
587 	 * vma->vm_flags & vm_flags and returns an error if the
588 	 * intersection is empty
589 	 */
590 	if (is_el0_instruction_abort(esr)) {
591 		/* It was exec fault */
592 		vm_flags = VM_EXEC;
593 		mm_flags |= FAULT_FLAG_INSTRUCTION;
594 	} else if (is_gcs_fault(esr)) {
595 		/*
596 		 * The GCS permission on a page implies both read and
597 		 * write so always handle any GCS fault as a write fault,
598 		 * we need to trigger CoW even for GCS reads.
599 		 */
600 		vm_flags = VM_WRITE;
601 		mm_flags |= FAULT_FLAG_WRITE;
602 	} else if (is_write_abort(esr)) {
603 		/* It was write fault */
604 		vm_flags = VM_WRITE;
605 		mm_flags |= FAULT_FLAG_WRITE;
606 	} else {
607 		/* It was read fault */
608 		vm_flags = VM_READ;
609 		/* Write implies read */
610 		vm_flags |= VM_WRITE;
611 		/* If EPAN is absent then exec implies read */
612 		if (!alternative_has_cap_unlikely(ARM64_HAS_EPAN))
613 			vm_flags |= VM_EXEC;
614 	}
615 
616 	if (is_ttbr0_addr(addr) && is_el1_permission_fault(addr, esr, regs)) {
617 		if (is_el1_instruction_abort(esr))
618 			die_kernel_fault("execution of user memory",
619 					 addr, esr, regs);
620 
621 		if (!insn_may_access_user(regs->pc, esr))
622 			die_kernel_fault("access to user memory outside uaccess routines",
623 					 addr, esr, regs);
624 	}
625 
626 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
627 
628 	if (!(mm_flags & FAULT_FLAG_USER))
629 		goto lock_mmap;
630 
631 	vma = lock_vma_under_rcu(mm, addr);
632 	if (!vma)
633 		goto lock_mmap;
634 
635 	if (is_invalid_gcs_access(vma, esr)) {
636 		vma_end_read(vma);
637 		fault = 0;
638 		si_code = SEGV_ACCERR;
639 		goto bad_area;
640 	}
641 
642 	if (!(vma->vm_flags & vm_flags)) {
643 		vma_end_read(vma);
644 		fault = 0;
645 		si_code = SEGV_ACCERR;
646 		count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
647 		goto bad_area;
648 	}
649 
650 	if (fault_from_pkey(vma, mm_flags)) {
651 		pkey = vma_pkey(vma);
652 		vma_end_read(vma);
653 		fault = 0;
654 		si_code = SEGV_PKUERR;
655 		count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
656 		goto bad_area;
657 	}
658 
659 	fault = handle_mm_fault(vma, addr, mm_flags | FAULT_FLAG_VMA_LOCK, regs);
660 	if (!(fault & (VM_FAULT_RETRY | VM_FAULT_COMPLETED)))
661 		vma_end_read(vma);
662 
663 	if (!(fault & VM_FAULT_RETRY)) {
664 		count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
665 		goto done;
666 	}
667 	count_vm_vma_lock_event(VMA_LOCK_RETRY);
668 	if (fault & VM_FAULT_MAJOR)
669 		mm_flags |= FAULT_FLAG_TRIED;
670 
671 	/* Quick path to respond to signals */
672 	if (fault_signal_pending(fault, regs)) {
673 		if (!user_mode(regs))
674 			goto no_context;
675 		return 0;
676 	}
677 lock_mmap:
678 
679 retry:
680 	vma = lock_mm_and_find_vma(mm, addr, regs);
681 	if (unlikely(!vma)) {
682 		fault = 0;
683 		si_code = SEGV_MAPERR;
684 		goto bad_area;
685 	}
686 
687 	if (!(vma->vm_flags & vm_flags)) {
688 		mmap_read_unlock(mm);
689 		fault = 0;
690 		si_code = SEGV_ACCERR;
691 		goto bad_area;
692 	}
693 
694 	if (fault_from_pkey(vma, mm_flags)) {
695 		pkey = vma_pkey(vma);
696 		mmap_read_unlock(mm);
697 		fault = 0;
698 		si_code = SEGV_PKUERR;
699 		goto bad_area;
700 	}
701 
702 	fault = handle_mm_fault(vma, addr, mm_flags, regs);
703 
704 	/* Quick path to respond to signals */
705 	if (fault_signal_pending(fault, regs)) {
706 		if (!user_mode(regs))
707 			goto no_context;
708 		return 0;
709 	}
710 
711 	/* The fault is fully completed (including releasing mmap lock) */
712 	if (fault & VM_FAULT_COMPLETED)
713 		return 0;
714 
715 	if (fault & VM_FAULT_RETRY) {
716 		mm_flags |= FAULT_FLAG_TRIED;
717 		goto retry;
718 	}
719 	mmap_read_unlock(mm);
720 
721 done:
722 	/* Handle the "normal" (no error) case first. */
723 	if (likely(!(fault & VM_FAULT_ERROR)))
724 		return 0;
725 
726 	si_code = SEGV_MAPERR;
727 bad_area:
728 	/*
729 	 * If we are in kernel mode at this point, we have no context to
730 	 * handle this fault with.
731 	 */
732 	if (!user_mode(regs))
733 		goto no_context;
734 
735 	if (fault & VM_FAULT_OOM) {
736 		/*
737 		 * We ran out of memory, call the OOM killer, and return to
738 		 * userspace (which will retry the fault, or kill us if we got
739 		 * oom-killed).
740 		 */
741 		pagefault_out_of_memory();
742 		return 0;
743 	}
744 
745 	inf = esr_to_fault_info(esr);
746 	set_thread_esr(addr, esr);
747 	if (fault & VM_FAULT_SIGBUS) {
748 		/*
749 		 * We had some memory, but were unable to successfully fix up
750 		 * this page fault.
751 		 */
752 		arm64_force_sig_fault(SIGBUS, BUS_ADRERR, far, inf->name);
753 	} else if (fault & (VM_FAULT_HWPOISON_LARGE | VM_FAULT_HWPOISON)) {
754 		unsigned int lsb;
755 
756 		lsb = PAGE_SHIFT;
757 		if (fault & VM_FAULT_HWPOISON_LARGE)
758 			lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
759 
760 		arm64_force_sig_mceerr(BUS_MCEERR_AR, far, lsb, inf->name);
761 	} else {
762 		/*
763 		 * The pkey value that we return to userspace can be different
764 		 * from the pkey that caused the fault.
765 		 *
766 		 * 1. T1   : mprotect_key(foo, PAGE_SIZE, pkey=4);
767 		 * 2. T1   : set POR_EL0 to deny access to pkey=4, touches, page
768 		 * 3. T1   : faults...
769 		 * 4.    T2: mprotect_key(foo, PAGE_SIZE, pkey=5);
770 		 * 5. T1   : enters fault handler, takes mmap_lock, etc...
771 		 * 6. T1   : reaches here, sees vma_pkey(vma)=5, when we really
772 		 *	     faulted on a pte with its pkey=4.
773 		 */
774 		/* Something tried to access memory that out of memory map */
775 		if (si_code == SEGV_PKUERR)
776 			arm64_force_sig_fault_pkey(far, inf->name, pkey);
777 		else
778 			arm64_force_sig_fault(SIGSEGV, si_code, far, inf->name);
779 	}
780 
781 	return 0;
782 
783 no_context:
784 	__do_kernel_fault(addr, esr, regs);
785 	return 0;
786 }
787 
do_translation_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)788 static int __kprobes do_translation_fault(unsigned long far,
789 					  unsigned long esr,
790 					  struct pt_regs *regs)
791 {
792 	unsigned long addr = untagged_addr(far);
793 
794 	if (is_ttbr0_addr(addr))
795 		return do_page_fault(far, esr, regs);
796 
797 	do_bad_area(far, esr, regs);
798 	return 0;
799 }
800 
do_alignment_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)801 static int do_alignment_fault(unsigned long far, unsigned long esr,
802 			      struct pt_regs *regs)
803 {
804 	if (IS_ENABLED(CONFIG_COMPAT_ALIGNMENT_FIXUPS) &&
805 	    compat_user_mode(regs))
806 		return do_compat_alignment_fixup(far, regs);
807 	do_bad_area(far, esr, regs);
808 	return 0;
809 }
810 
do_bad(unsigned long far,unsigned long esr,struct pt_regs * regs)811 static int do_bad(unsigned long far, unsigned long esr, struct pt_regs *regs)
812 {
813 	return 1; /* "fault" */
814 }
815 
do_sea(unsigned long far,unsigned long esr,struct pt_regs * regs)816 static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
817 {
818 	const struct fault_info *inf;
819 	unsigned long siaddr;
820 
821 	inf = esr_to_fault_info(esr);
822 
823 	if (user_mode(regs) && apei_claim_sea(regs) == 0) {
824 		/*
825 		 * APEI claimed this as a firmware-first notification.
826 		 * Some processing deferred to task_work before ret_to_user().
827 		 */
828 		return 0;
829 	}
830 
831 	if (esr & ESR_ELx_FnV) {
832 		siaddr = 0;
833 	} else {
834 		/*
835 		 * The architecture specifies that the tag bits of FAR_EL1 are
836 		 * UNKNOWN for synchronous external aborts. Mask them out now
837 		 * so that userspace doesn't see them.
838 		 */
839 		siaddr  = untagged_addr(far);
840 	}
841 	arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
842 
843 	return 0;
844 }
845 
do_tag_check_fault(unsigned long far,unsigned long esr,struct pt_regs * regs)846 static int do_tag_check_fault(unsigned long far, unsigned long esr,
847 			      struct pt_regs *regs)
848 {
849 	/*
850 	 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN
851 	 * for tag check faults. Set them to corresponding bits in the untagged
852 	 * address.
853 	 */
854 	far = (__untagged_addr(far) & ~MTE_TAG_MASK) | (far & MTE_TAG_MASK);
855 	do_bad_area(far, esr, regs);
856 	return 0;
857 }
858 
859 static const struct fault_info fault_info[] = {
860 	{ do_bad,		SIGKILL, SI_KERNEL,	"ttbr address size fault"	},
861 	{ do_bad,		SIGKILL, SI_KERNEL,	"level 1 address size fault"	},
862 	{ do_bad,		SIGKILL, SI_KERNEL,	"level 2 address size fault"	},
863 	{ do_bad,		SIGKILL, SI_KERNEL,	"level 3 address size fault"	},
864 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 0 translation fault"	},
865 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 1 translation fault"	},
866 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 2 translation fault"	},
867 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 3 translation fault"	},
868 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 0 access flag fault"	},
869 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 1 access flag fault"	},
870 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 2 access flag fault"	},
871 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 3 access flag fault"	},
872 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 0 permission fault"	},
873 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 1 permission fault"	},
874 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 2 permission fault"	},
875 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 3 permission fault"	},
876 	{ do_sea,		SIGBUS,  BUS_OBJERR,	"synchronous external abort"	},
877 	{ do_tag_check_fault,	SIGSEGV, SEGV_MTESERR,	"synchronous tag check fault"	},
878 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 18"			},
879 	{ do_sea,		SIGKILL, SI_KERNEL,	"level -1 (translation table walk)"	},
880 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 0 (translation table walk)"	},
881 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 1 (translation table walk)"	},
882 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 2 (translation table walk)"	},
883 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 3 (translation table walk)"	},
884 	{ do_sea,		SIGBUS,  BUS_OBJERR,	"synchronous parity or ECC error" },	// Reserved when RAS is implemented
885 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 25"			},
886 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 26"			},
887 	{ do_sea,		SIGKILL, SI_KERNEL,	"level -1 synchronous parity error (translation table walk)"	},	// Reserved when RAS is implemented
888 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 0 synchronous parity error (translation table walk)"	},	// Reserved when RAS is implemented
889 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 1 synchronous parity error (translation table walk)"	},	// Reserved when RAS is implemented
890 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 2 synchronous parity error (translation table walk)"	},	// Reserved when RAS is implemented
891 	{ do_sea,		SIGKILL, SI_KERNEL,	"level 3 synchronous parity error (translation table walk)"	},	// Reserved when RAS is implemented
892 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 32"			},
893 	{ do_alignment_fault,	SIGBUS,  BUS_ADRALN,	"alignment fault"		},
894 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 34"			},
895 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 35"			},
896 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 36"			},
897 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 37"			},
898 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 38"			},
899 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 39"			},
900 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 40"			},
901 	{ do_bad,		SIGKILL, SI_KERNEL,	"level -1 address size fault"	},
902 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 42"			},
903 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level -1 translation fault"	},
904 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 44"			},
905 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 45"			},
906 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 46"			},
907 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 47"			},
908 	{ do_bad,		SIGKILL, SI_KERNEL,	"TLB conflict abort"		},
909 	{ do_bad,		SIGKILL, SI_KERNEL,	"Unsupported atomic hardware update fault"	},
910 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 50"			},
911 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 51"			},
912 	{ do_bad,		SIGKILL, SI_KERNEL,	"implementation fault (lockdown abort)" },
913 	{ do_bad,		SIGBUS,  BUS_OBJERR,	"implementation fault (unsupported exclusive)" },
914 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 54"			},
915 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 55"			},
916 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 56"			},
917 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 57"			},
918 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 58" 			},
919 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 59"			},
920 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 60"			},
921 	{ do_bad,		SIGKILL, SI_KERNEL,	"section domain fault"		},
922 	{ do_bad,		SIGKILL, SI_KERNEL,	"page domain fault"		},
923 	{ do_bad,		SIGKILL, SI_KERNEL,	"unknown 63"			},
924 };
925 
do_mem_abort(unsigned long far,unsigned long esr,struct pt_regs * regs)926 void do_mem_abort(unsigned long far, unsigned long esr, struct pt_regs *regs)
927 {
928 	const struct fault_info *inf = esr_to_fault_info(esr);
929 	unsigned long addr = untagged_addr(far);
930 
931 	if (!inf->fn(far, esr, regs))
932 		return;
933 
934 	if (!user_mode(regs))
935 		die_kernel_fault(inf->name, addr, esr, regs);
936 
937 	/*
938 	 * At this point we have an unrecognized fault type whose tag bits may
939 	 * have been defined as UNKNOWN. Therefore we only expose the untagged
940 	 * address to the signal handler.
941 	 */
942 	arm64_notify_die(inf->name, regs, inf->sig, inf->code, addr, esr);
943 }
944 NOKPROBE_SYMBOL(do_mem_abort);
945 
do_sp_pc_abort(unsigned long addr,unsigned long esr,struct pt_regs * regs)946 void do_sp_pc_abort(unsigned long addr, unsigned long esr, struct pt_regs *regs)
947 {
948 	arm64_notify_die("SP/PC alignment exception", regs, SIGBUS, BUS_ADRALN,
949 			 addr, esr);
950 }
951 NOKPROBE_SYMBOL(do_sp_pc_abort);
952 
953 /*
954  * __refdata because early_brk64 is __init, but the reference to it is
955  * clobbered at arch_initcall time.
956  * See traps.c and debug-monitors.c:debug_traps_init().
957  */
958 static struct fault_info __refdata debug_fault_info[] = {
959 	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware breakpoint"	},
960 	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware single-step"	},
961 	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware watchpoint"	},
962 	{ do_bad,	SIGKILL,	SI_KERNEL,	"unknown 3"		},
963 	{ do_bad,	SIGTRAP,	TRAP_BRKPT,	"aarch32 BKPT"		},
964 	{ do_bad,	SIGKILL,	SI_KERNEL,	"aarch32 vector catch"	},
965 	{ early_brk64,	SIGTRAP,	TRAP_BRKPT,	"aarch64 BRK"		},
966 	{ do_bad,	SIGKILL,	SI_KERNEL,	"unknown 7"		},
967 };
968 
hook_debug_fault_code(int nr,int (* fn)(unsigned long,unsigned long,struct pt_regs *),int sig,int code,const char * name)969 void __init hook_debug_fault_code(int nr,
970 				  int (*fn)(unsigned long, unsigned long, struct pt_regs *),
971 				  int sig, int code, const char *name)
972 {
973 	BUG_ON(nr < 0 || nr >= ARRAY_SIZE(debug_fault_info));
974 
975 	debug_fault_info[nr].fn		= fn;
976 	debug_fault_info[nr].sig	= sig;
977 	debug_fault_info[nr].code	= code;
978 	debug_fault_info[nr].name	= name;
979 }
980 
981 /*
982  * In debug exception context, we explicitly disable preemption despite
983  * having interrupts disabled.
984  * This serves two purposes: it makes it much less likely that we would
985  * accidentally schedule in exception context and it will force a warning
986  * if we somehow manage to schedule by accident.
987  */
debug_exception_enter(struct pt_regs * regs)988 static void debug_exception_enter(struct pt_regs *regs)
989 {
990 	preempt_disable();
991 
992 	/* This code is a bit fragile.  Test it. */
993 	RCU_LOCKDEP_WARN(!rcu_is_watching(), "exception_enter didn't work");
994 }
995 NOKPROBE_SYMBOL(debug_exception_enter);
996 
debug_exception_exit(struct pt_regs * regs)997 static void debug_exception_exit(struct pt_regs *regs)
998 {
999 	preempt_enable_no_resched();
1000 }
1001 NOKPROBE_SYMBOL(debug_exception_exit);
1002 
do_debug_exception(unsigned long addr_if_watchpoint,unsigned long esr,struct pt_regs * regs)1003 void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
1004 			struct pt_regs *regs)
1005 {
1006 	const struct fault_info *inf = esr_to_debug_fault_info(esr);
1007 	unsigned long pc = instruction_pointer(regs);
1008 
1009 	debug_exception_enter(regs);
1010 
1011 	if (user_mode(regs) && !is_ttbr0_addr(pc))
1012 		arm64_apply_bp_hardening();
1013 
1014 	if (inf->fn(addr_if_watchpoint, esr, regs)) {
1015 		arm64_notify_die(inf->name, regs, inf->sig, inf->code, pc, esr);
1016 	}
1017 
1018 	debug_exception_exit(regs);
1019 }
1020 NOKPROBE_SYMBOL(do_debug_exception);
1021 
1022 /*
1023  * Used during anonymous page fault handling.
1024  */
vma_alloc_zeroed_movable_folio(struct vm_area_struct * vma,unsigned long vaddr)1025 struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma,
1026 						unsigned long vaddr)
1027 {
1028 	gfp_t flags = GFP_HIGHUSER_MOVABLE | __GFP_ZERO;
1029 
1030 	/*
1031 	 * If the page is mapped with PROT_MTE, initialise the tags at the
1032 	 * point of allocation and page zeroing as this is usually faster than
1033 	 * separate DC ZVA and STGM.
1034 	 */
1035 	if (vma->vm_flags & VM_MTE)
1036 		flags |= __GFP_ZEROTAGS;
1037 
1038 	return vma_alloc_folio(flags, 0, vma, vaddr);
1039 }
1040 
tag_clear_highpage(struct page * page)1041 void tag_clear_highpage(struct page *page)
1042 {
1043 	/* Newly allocated page, shouldn't have been tagged yet */
1044 	WARN_ON_ONCE(!try_page_mte_tagging(page));
1045 	mte_zero_clear_page_tags(page_address(page));
1046 	set_page_mte_tagged(page);
1047 }
1048