[GitHub/mt8127/android_kernel_alcatel_ttab.git] / arch / x86 / mm / fault_32.c

/*
 *  linux/arch/i386/mm/fault.c
 *
 *  Copyright (C) 1995  Linus Torvalds
 */

#include <linux/signal.h>
#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/ptrace.h>
#include <linux/mman.h>
#include <linux/mm.h>
#include <linux/smp.h>
#include <linux/interrupt.h>
#include <linux/init.h>
#include <linux/tty.h>
#include <linux/vt_kern.h>		/* For unblank_screen() */
#include <linux/highmem.h>
#include <linux/bootmem.h>		/* for max_low_pfn */
#include <linux/vmalloc.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/uaccess.h>
#include <linux/kdebug.h>

#include <asm/system.h>
#include <asm/desc.h>
#include <asm/segment.h>

extern void die(const char *,struct pt_regs *,long);

#ifdef CONFIG_KPROBES
static inline int notify_page_fault(struct pt_regs *regs)
{
	int ret = 0;

	/* kprobe_running() needs smp_processor_id() */
	if (!user_mode_vm(regs)) {
		preempt_disable();
		if (kprobe_running() && kprobe_fault_handler(regs, 14))
			ret = 1;
		preempt_enable();
	}

	return ret;
}
#else
static inline int notify_page_fault(struct pt_regs *regs)
{
	return 0;
}
#endif

/*
 * Return EIP plus the CS segment base.  The segment limit is also
 * adjusted, clamped to the kernel/user address space (whichever is
 * appropriate), and returned in *eip_limit.
 *
 * The segment is checked, because it might have been changed by another
 * task between the original faulting instruction and here.
 *
 * If CS is no longer a valid code segment, or if EIP is beyond the
 * limit, or if it is a kernel address when CS is not a kernel segment,
 * then the returned value will be greater than *eip_limit.
 * 
 * This is slow, but is very rarely executed.
 */
static inline unsigned long get_segment_eip(struct pt_regs *regs,
					    unsigned long *eip_limit)
{
	unsigned long ip = regs->ip;
	unsigned seg = regs->cs & 0xffff;
	u32 seg_ar, seg_limit, base, *desc;

	/* Unlikely, but must come before segment checks. */
	if (unlikely(regs->flags & VM_MASK)) {
		base = seg << 4;
		*eip_limit = base + 0xffff;
		return base + (ip & 0xffff);
	}

	/* The standard kernel/user address space limit. */
	*eip_limit = user_mode(regs) ? USER_DS.seg : KERNEL_DS.seg;
	
	/* By far the most common cases. */
	if (likely(SEGMENT_IS_FLAT_CODE(seg)))
		return ip;

	/* Check the segment exists, is within the current LDT/GDT size,
	   that kernel/user (ring 0..3) has the appropriate privilege,
	   that it's a code segment, and get the limit. */
	__asm__ ("larl %3,%0; lsll %3,%1"
		 : "=&r" (seg_ar), "=r" (seg_limit) : "0" (0), "rm" (seg));
	if ((~seg_ar & 0x9800) || ip > seg_limit) {
		*eip_limit = 0;
		return 1;	 /* So that returned ip > *eip_limit. */
	}

	/* Get the GDT/LDT descriptor base. 
	   When you look for races in this code remember that
	   LDT and other horrors are only used in user space. */
	if (seg & (1<<2)) {
		/* Must lock the LDT while reading it. */
		mutex_lock(&current->mm->context.lock);
		desc = current->mm->context.ldt;
		desc = (void *)desc + (seg & ~7);
	} else {
		/* Must disable preemption while reading the GDT. */
 		desc = (u32 *)get_cpu_gdt_table(get_cpu());
		desc = (void *)desc + (seg & ~7);
	}

	/* Decode the code segment base from the descriptor */
	base = get_desc_base((struct desc_struct *)desc);

	if (seg & (1<<2)) { 
		mutex_unlock(&current->mm->context.lock);
	} else
		put_cpu();

	/* Adjust EIP and segment limit, and clamp at the kernel limit.
	   It's legitimate for segments to wrap at 0xffffffff. */
	seg_limit += base;
	if (seg_limit < *eip_limit && seg_limit >= base)
		*eip_limit = seg_limit;
	return ip + base;
}

/* 
 * Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
 * Check that here and ignore it.
 */
static int __is_prefetch(struct pt_regs *regs, unsigned long addr)
{ 
	unsigned long limit;
	unsigned char *instr = (unsigned char *)get_segment_eip (regs, &limit);
	int scan_more = 1;
	int prefetch = 0; 
	int i;

	for (i = 0; scan_more && i < 15; i++) { 
		unsigned char opcode;
		unsigned char instr_hi;
		unsigned char instr_lo;

		if (instr > (unsigned char *)limit)
			break;
		if (probe_kernel_address(instr, opcode))
			break; 

		instr_hi = opcode & 0xf0; 
		instr_lo = opcode & 0x0f; 
		instr++;

		switch (instr_hi) { 
		case 0x20:
		case 0x30:
			/* Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. */
			scan_more = ((instr_lo & 7) == 0x6);
			break;
			
		case 0x60:
			/* 0x64 thru 0x67 are valid prefixes in all modes. */
			scan_more = (instr_lo & 0xC) == 0x4;
			break;		
		case 0xF0:
			/* 0xF0, 0xF2, and 0xF3 are valid prefixes */
			scan_more = !instr_lo || (instr_lo>>1) == 1;
			break;			
		case 0x00:
			/* Prefetch instruction is 0x0F0D or 0x0F18 */
			scan_more = 0;
			if (instr > (unsigned char *)limit)
				break;
			if (probe_kernel_address(instr, opcode))
				break;
			prefetch = (instr_lo == 0xF) &&
				(opcode == 0x0D || opcode == 0x18);
			break;			
		default:
			scan_more = 0;
			break;
		} 
	}
	return prefetch;
}

static inline int is_prefetch(struct pt_regs *regs, unsigned long addr,
			      unsigned long error_code)
{
	if (unlikely(boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
		     boot_cpu_data.x86 >= 6)) {
		/* Catch an obscure case of prefetch inside an NX page. */
		if (nx_enabled && (error_code & 16))
			return 0;
		return __is_prefetch(regs, addr);
	}
	return 0;
} 

static noinline void force_sig_info_fault(int si_signo, int si_code,
	unsigned long address, struct task_struct *tsk)
{
	siginfo_t info;

	info.si_signo = si_signo;
	info.si_errno = 0;
	info.si_code = si_code;
	info.si_addr = (void __user *)address;
	force_sig_info(si_signo, &info, tsk);
}

void do_invalid_op(struct pt_regs *, unsigned long);

static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
{
	unsigned index = pgd_index(address);
	pgd_t *pgd_k;
	pud_t *pud, *pud_k;
	pmd_t *pmd, *pmd_k;

	pgd += index;
	pgd_k = init_mm.pgd + index;

	if (!pgd_present(*pgd_k))
		return NULL;

	/*
	 * set_pgd(pgd, *pgd_k); here would be useless on PAE
	 * and redundant with the set_pmd() on non-PAE. As would
	 * set_pud.
	 */

	pud = pud_offset(pgd, address);
	pud_k = pud_offset(pgd_k, address);
	if (!pud_present(*pud_k))
		return NULL;

	pmd = pmd_offset(pud, address);
	pmd_k = pmd_offset(pud_k, address);
	if (!pmd_present(*pmd_k))
		return NULL;
	if (!pmd_present(*pmd)) {
		set_pmd(pmd, *pmd_k);
		arch_flush_lazy_mmu_mode();
	} else
		BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
	return pmd_k;
}

/*
 * Handle a fault on the vmalloc or module mapping area
 *
 * This assumes no large pages in there.
 */
static inline int vmalloc_fault(unsigned long address)
{
	unsigned long pgd_paddr;
	pmd_t *pmd_k;
	pte_t *pte_k;
	/*
	 * Synchronize this task's top level page-table
	 * with the 'reference' page table.
	 *
	 * Do _not_ use "current" here. We might be inside
	 * an interrupt in the middle of a task switch..
	 */
	pgd_paddr = read_cr3();
	pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
	if (!pmd_k)
		return -1;
	pte_k = pte_offset_kernel(pmd_k, address);
	if (!pte_present(*pte_k))
		return -1;
	return 0;
}

int show_unhandled_signals = 1;

/*
 * This routine handles page faults.  It determines the address,
 * and the problem, and then passes it off to one of the appropriate
 * routines.
 *
 * error_code:
 *	bit 0 == 0 means no page found, 1 means protection fault
 *	bit 1 == 0 means read, 1 means write
 *	bit 2 == 0 means kernel, 1 means user-mode
 *	bit 3 == 1 means use of reserved bit detected
 *	bit 4 == 1 means fault was an instruction fetch
 */
void __kprobes do_page_fault(struct pt_regs *regs, unsigned long error_code)
{
	struct task_struct *tsk;
	struct mm_struct *mm;
	struct vm_area_struct * vma;
	unsigned long address;
	int write, si_code;
	int fault;

	/*
	 * We can fault from pretty much anywhere, with unknown IRQ state.
	 */
	trace_hardirqs_fixup();

	/* get the address */
        address = read_cr2();

	tsk = current;

	si_code = SEGV_MAPERR;

	/*
	 * We fault-in kernel-space virtual memory on-demand. The
	 * 'reference' page table is init_mm.pgd.
	 *
	 * NOTE! We MUST NOT take any locks for this case. We may
	 * be in an interrupt or a critical region, and should
	 * only copy the information from the master page table,
	 * nothing more.
	 *
	 * This verifies that the fault happens in kernel space
	 * (error_code & 4) == 0, and that the fault was not a
	 * protection error (error_code & 9) == 0.
	 */
	if (unlikely(address >= TASK_SIZE)) {
		if (!(error_code & 0x0000000d) && vmalloc_fault(address) >= 0)
			return;
		if (notify_page_fault(regs))
			return;
		/*
		 * Don't take the mm semaphore here. If we fixup a prefetch
		 * fault we could otherwise deadlock.
		 */
		goto bad_area_nosemaphore;
	}

	if (notify_page_fault(regs))
		return;

	/* It's safe to allow irq's after cr2 has been saved and the vmalloc
	   fault has been handled. */
	if (regs->flags & (X86_EFLAGS_IF|VM_MASK))
		local_irq_enable();

	mm = tsk->mm;

	/*
	 * If we're in an interrupt, have no user context or are running in an
	 * atomic region then we must not take the fault..
	 */
	if (in_atomic() || !mm)
		goto bad_area_nosemaphore;

	/* When running in the kernel we expect faults to occur only to
	 * addresses in user space.  All other faults represent errors in the
	 * kernel and should generate an OOPS.  Unfortunately, in the case of an
	 * erroneous fault occurring in a code path which already holds mmap_sem
	 * we will deadlock attempting to validate the fault against the
	 * address space.  Luckily the kernel only validly references user
	 * space from well defined areas of code, which are listed in the
	 * exceptions table.
	 *
	 * As the vast majority of faults will be valid we will only perform
	 * the source reference check when there is a possibility of a deadlock.
	 * Attempt to lock the address space, if we cannot we then validate the
	 * source.  If this is invalid we can skip the address space check,
	 * thus avoiding the deadlock.
	 */
	if (!down_read_trylock(&mm->mmap_sem)) {
		if ((error_code & 4) == 0 &&
		    !search_exception_tables(regs->ip))
			goto bad_area_nosemaphore;
		down_read(&mm->mmap_sem);
	}

	vma = find_vma(mm, address);
	if (!vma)
		goto bad_area;
	if (vma->vm_start <= address)
		goto good_area;
	if (!(vma->vm_flags & VM_GROWSDOWN))
		goto bad_area;
	if (error_code & 4) {
		/*
		 * Accessing the stack below %sp is always a bug.
		 * The large cushion allows instructions like enter
		 * and pusha to work.  ("enter $65535,$31" pushes
		 * 32 pointers and then decrements %sp by 65535.)
		 */
		if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
			goto bad_area;
	}
	if (expand_stack(vma, address))
		goto bad_area;
/*
 * Ok, we have a good vm_area for this memory access, so
 * we can handle it..
 */
good_area:
	si_code = SEGV_ACCERR;
	write = 0;
	switch (error_code & 3) {
		default:	/* 3: write, present */
				/* fall through */
		case 2:		/* write, not present */
			if (!(vma->vm_flags & VM_WRITE))
				goto bad_area;
			write++;
			break;
		case 1:		/* read, present */
			goto bad_area;
		case 0:		/* read, not present */
			if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE)))
				goto bad_area;
	}

 survive:
	/*
	 * If for any reason at all we couldn't handle the fault,
	 * make sure we exit gracefully rather than endlessly redo
	 * the fault.
	 */
	fault = handle_mm_fault(mm, vma, address, write);
	if (unlikely(fault & VM_FAULT_ERROR)) {
		if (fault & VM_FAULT_OOM)
			goto out_of_memory;
		else if (fault & VM_FAULT_SIGBUS)
			goto do_sigbus;
		BUG();
	}
	if (fault & VM_FAULT_MAJOR)
		tsk->maj_flt++;
	else
		tsk->min_flt++;

	/*
	 * Did it hit the DOS screen memory VA from vm86 mode?
	 */
	if (regs->flags & VM_MASK) {
		unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT;
		if (bit < 32)
			tsk->thread.screen_bitmap |= 1 << bit;
	}
	up_read(&mm->mmap_sem);
	return;

/*
 * Something tried to access memory that isn't in our memory map..
 * Fix it, but check if it's kernel or user first..
 */
bad_area:
	up_read(&mm->mmap_sem);

bad_area_nosemaphore:
	/* User mode accesses just cause a SIGSEGV */
	if (error_code & 4) {
		/*
		 * It's possible to have interrupts off here.
		 */
		local_irq_enable();

		/* 
		 * Valid to do another page fault here because this one came 
		 * from user space.
		 */
		if (is_prefetch(regs, address, error_code))
			return;

		if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
		    printk_ratelimit()) {
			printk("%s%s[%d]: segfault at %08lx ip %08lx "
			    "sp %08lx error %lx\n",
			    task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
			    tsk->comm, task_pid_nr(tsk), address, regs->ip,
			    regs->sp, error_code);
		}
		tsk->thread.cr2 = address;
		/* Kernel addresses are always protection faults */
		tsk->thread.error_code = error_code | (address >= TASK_SIZE);
		tsk->thread.trap_no = 14;
		force_sig_info_fault(SIGSEGV, si_code, address, tsk);
		return;
	}

#ifdef CONFIG_X86_F00F_BUG
	/*
	 * Pentium F0 0F C7 C8 bug workaround.
	 */
	if (boot_cpu_data.f00f_bug) {
		unsigned long nr;
		
		nr = (address - idt_descr.address) >> 3;

		if (nr == 6) {
			do_invalid_op(regs, 0);
			return;
		}
	}
#endif

no_context:
	/* Are we prepared to handle this kernel fault?  */
	if (fixup_exception(regs))
		return;

	/* 
	 * Valid to do another page fault here, because if this fault
	 * had been triggered by is_prefetch fixup_exception would have 
	 * handled it.
	 */
 	if (is_prefetch(regs, address, error_code))
 		return;

/*
 * Oops. The kernel tried to access some bad page. We'll have to
 * terminate things with extreme prejudice.
 */

	bust_spinlocks(1);

	if (oops_may_print()) {
		__typeof__(pte_val(__pte(0))) page;

#ifdef CONFIG_X86_PAE
		if (error_code & 16) {
			pte_t *pte = lookup_address(address);

			if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
				printk(KERN_CRIT "kernel tried to execute "
					"NX-protected page - exploit attempt? "
					"(uid: %d)\n", current->uid);
		}
#endif
		if (address < PAGE_SIZE)
			printk(KERN_ALERT "BUG: unable to handle kernel NULL "
					"pointer dereference");
		else
			printk(KERN_ALERT "BUG: unable to handle kernel paging"
					" request");
		printk(" at virtual address %08lx\n",address);
		printk(KERN_ALERT "printing ip: %08lx ", regs->ip);

		page = read_cr3();
		page = ((__typeof__(page) *) __va(page))[address >> PGDIR_SHIFT];
#ifdef CONFIG_X86_PAE
		printk("*pdpt = %016Lx ", page);
		if ((page >> PAGE_SHIFT) < max_low_pfn
		    && page & _PAGE_PRESENT) {
			page &= PAGE_MASK;
			page = ((__typeof__(page) *) __va(page))[(address >> PMD_SHIFT)
			                                         & (PTRS_PER_PMD - 1)];
			printk(KERN_CONT "*pde = %016Lx ", page);
			page &= ~_PAGE_NX;
		}
#else
		printk("*pde = %08lx ", page);
#endif

		/*
		 * We must not directly access the pte in the highpte
		 * case if the page table is located in highmem.
		 * And let's rather not kmap-atomic the pte, just in case
		 * it's allocated already.
		 */
		if ((page >> PAGE_SHIFT) < max_low_pfn
		    && (page & _PAGE_PRESENT)
		    && !(page & _PAGE_PSE)) {
			page &= PAGE_MASK;
			page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
			                                         & (PTRS_PER_PTE - 1)];
			printk("*pte = %0*Lx ", sizeof(page)*2, (u64)page);
		}

		printk("\n");
	}

	tsk->thread.cr2 = address;
	tsk->thread.trap_no = 14;
	tsk->thread.error_code = error_code;
	die("Oops", regs, error_code);
	bust_spinlocks(0);
	do_exit(SIGKILL);

/*
 * We ran out of memory, or some other thing happened to us that made
 * us unable to handle the page fault gracefully.
 */
out_of_memory:
	up_read(&mm->mmap_sem);
	if (is_global_init(tsk)) {
		yield();
		down_read(&mm->mmap_sem);
		goto survive;
	}
	printk("VM: killing process %s\n", tsk->comm);
	if (error_code & 4)
		do_group_exit(SIGKILL);
	goto no_context;

do_sigbus:
	up_read(&mm->mmap_sem);

	/* Kernel mode? Handle exceptions or die */
	if (!(error_code & 4))
		goto no_context;

	/* User space => ok to do another page fault */
	if (is_prefetch(regs, address, error_code))
		return;

	tsk->thread.cr2 = address;
	tsk->thread.error_code = error_code;
	tsk->thread.trap_no = 14;
	force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk);
}

void vmalloc_sync_all(void)
{
	/*
	 * Note that races in the updates of insync and start aren't
	 * problematic: insync can only get set bits added, and updates to
	 * start are only improving performance (without affecting correctness
	 * if undone).
	 */
	static DECLARE_BITMAP(insync, PTRS_PER_PGD);
	static unsigned long start = TASK_SIZE;
	unsigned long address;

	if (SHARED_KERNEL_PMD)
		return;

	BUILD_BUG_ON(TASK_SIZE & ~PGDIR_MASK);
	for (address = start; address >= TASK_SIZE; address += PGDIR_SIZE) {
		if (!test_bit(pgd_index(address), insync)) {
			unsigned long flags;
			struct page *page;

			spin_lock_irqsave(&pgd_lock, flags);
			for (page = pgd_list; page; page =
					(struct page *)page->index)
				if (!vmalloc_sync_one(page_address(page),
								address)) {
					BUG_ON(page != pgd_list);
					break;
				}
			spin_unlock_irqrestore(&pgd_lock, flags);
			if (!page)
				set_bit(pgd_index(address), insync);
		}
		if (address == start && test_bit(pgd_index(address), insync))
			start = address + PGDIR_SIZE;
	}
}
Commit	Line	Data
1da177e4 LT	1	/*
	2	* linux/arch/i386/mm/fault.c
	3	*
	4	* Copyright (C) 1995 Linus Torvalds
	5	*/
	6
	7	#include <linux/signal.h>
	8	#include <linux/sched.h>
	9	#include <linux/kernel.h>
	10	#include <linux/errno.h>
	11	#include <linux/string.h>
	12	#include <linux/types.h>
	13	#include <linux/ptrace.h>
	14	#include <linux/mman.h>
	15	#include <linux/mm.h>
	16	#include <linux/smp.h>
1da177e4 LT	17	#include <linux/interrupt.h>
	18	#include <linux/init.h>
	19	#include <linux/tty.h>
	20	#include <linux/vt_kern.h> /* For unblank_screen() */
	21	#include <linux/highmem.h>
28609f6e	22	#include <linux/bootmem.h> /* for max_low_pfn */
1eeb66a1	23	#include <linux/vmalloc.h>
1da177e4	24	#include <linux/module.h>
3d97ae5b	25	#include <linux/kprobes.h>
11a4180c	26	#include <linux/uaccess.h>
1eeb66a1	27	#include <linux/kdebug.h>
1da177e4 LT	28
1da177e4 LT	29	#include <asm/system.h>
1da177e4	30	#include <asm/desc.h>
78be3706	31	#include <asm/segment.h>
1da177e4 LT	32
	33	extern void die(const char ,struct pt_regs ,long);
	34
74a0b576 CH	35	#ifdef CONFIG_KPROBES
74a0b576 CH	36	static inline int notify_page_fault(struct pt_regs *regs)
b71b5b65	37	{
74a0b576 CH	38	int ret = 0;
	39
	40	/* kprobe_running() needs smp_processor_id() */
	41	if (!user_mode_vm(regs)) {
	42	preempt_disable();
	43	if (kprobe_running() && kprobe_fault_handler(regs, 14))
	44	ret = 1;
	45	preempt_enable();
	46	}
b71b5b65	47
74a0b576	48	return ret;
b71b5b65	49	}
74a0b576 CH	50	#else
74a0b576 CH	51	static inline int notify_page_fault(struct pt_regs *regs)
b71b5b65	52	{
74a0b576	53	return 0;
b71b5b65	54	}
74a0b576	55	#endif
b71b5b65	56
1da177e4 LT	57	/*
	58	* Return EIP plus the CS segment base. The segment limit is also
	59	* adjusted, clamped to the kernel/user address space (whichever is
	60	* appropriate), and returned in *eip_limit.
	61	*
	62	* The segment is checked, because it might have been changed by another
	63	* task between the original faulting instruction and here.
	64	*
	65	* If CS is no longer a valid code segment, or if EIP is beyond the
	66	* limit, or if it is a kernel address when CS is not a kernel segment,
	67	* then the returned value will be greater than *eip_limit.
	68	*
	69	* This is slow, but is very rarely executed.
	70	*/
	71	static inline unsigned long get_segment_eip(struct pt_regs *regs,
	72	unsigned long *eip_limit)
	73	{
65ea5b03 PA	74	unsigned long ip = regs->ip;
65ea5b03 PA	75	unsigned seg = regs->cs & 0xffff;
1da177e4 LT	76	u32 seg_ar, seg_limit, base, *desc;
1da177e4 LT	77
19964fec	78	/* Unlikely, but must come before segment checks. */
65ea5b03	79	if (unlikely(regs->flags & VM_MASK)) {
19964fec CE	80	base = seg << 4;
19964fec CE	81	*eip_limit = base + 0xffff;
65ea5b03	82	return base + (ip & 0xffff);
19964fec CE	83	}
19964fec CE	84
1da177e4	85	/* The standard kernel/user address space limit. */
78be3706	86	*eip_limit = user_mode(regs) ? USER_DS.seg : KERNEL_DS.seg;
1da177e4 LT	87
1da177e4 LT	88	/* By far the most common cases. */
78be3706	89	if (likely(SEGMENT_IS_FLAT_CODE(seg)))
65ea5b03	90	return ip;
1da177e4 LT	91
	92	/* Check the segment exists, is within the current LDT/GDT size,
	93	that kernel/user (ring 0..3) has the appropriate privilege,
	94	that it's a code segment, and get the limit. */
	95	__asm__ ("larl %3,%0; lsll %3,%1"
	96	: "=&r" (seg_ar), "=r" (seg_limit) : "0" (0), "rm" (seg));
65ea5b03	97	if ((~seg_ar & 0x9800) \|\| ip > seg_limit) {
1da177e4	98	*eip_limit = 0;
65ea5b03	99	return 1; /* So that returned ip > eip_limit. /
1da177e4 LT	100	}
	101
	102	/* Get the GDT/LDT descriptor base.
	103	When you look for races in this code remember that
	104	LDT and other horrors are only used in user space. */
	105	if (seg & (1<<2)) {
	106	/* Must lock the LDT while reading it. */
de8aacbe	107	mutex_lock(&current->mm->context.lock);
1da177e4 LT	108	desc = current->mm->context.ldt;
	109	desc = (void *)desc + (seg & ~7);
	110	} else {
	111	/* Must disable preemption while reading the GDT. */
251e6912	112	desc = (u32 *)get_cpu_gdt_table(get_cpu());
1da177e4 LT	113	desc = (void *)desc + (seg & ~7);
	114	}
	115
	116	/* Decode the code segment base from the descriptor */
cc697852	117	base = get_desc_base((struct desc_struct *)desc);
1da177e4 LT	118
1da177e4 LT	119	if (seg & (1<<2)) {
de8aacbe	120	mutex_unlock(&current->mm->context.lock);
1da177e4 LT	121	} else
	122	put_cpu();
	123
	124	/* Adjust EIP and segment limit, and clamp at the kernel limit.
	125	It's legitimate for segments to wrap at 0xffffffff. */
	126	seg_limit += base;
	127	if (seg_limit < *eip_limit && seg_limit >= base)
	128	*eip_limit = seg_limit;
65ea5b03	129	return ip + base;
1da177e4 LT	130	}
	131
	132	/*
	133	* Sometimes AMD Athlon/Opteron CPUs report invalid exceptions on prefetch.
	134	* Check that here and ignore it.
	135	*/
	136	static int __is_prefetch(struct pt_regs *regs, unsigned long addr)
	137	{
	138	unsigned long limit;
11a4180c	139	unsigned char instr = (unsigned char )get_segment_eip (regs, &limit);
1da177e4 LT	140	int scan_more = 1;
	141	int prefetch = 0;
	142	int i;
	143
	144	for (i = 0; scan_more && i < 15; i++) {
	145	unsigned char opcode;
	146	unsigned char instr_hi;
	147	unsigned char instr_lo;
	148
11a4180c	149	if (instr > (unsigned char *)limit)
1da177e4	150	break;
11a4180c	151	if (probe_kernel_address(instr, opcode))
1da177e4 LT	152	break;
	153
	154	instr_hi = opcode & 0xf0;
	155	instr_lo = opcode & 0x0f;
	156	instr++;
	157
	158	switch (instr_hi) {
	159	case 0x20:
	160	case 0x30:
	161	/* Values 0x26,0x2E,0x36,0x3E are valid x86 prefixes. */
	162	scan_more = ((instr_lo & 7) == 0x6);
	163	break;
	164
	165	case 0x60:
	166	/* 0x64 thru 0x67 are valid prefixes in all modes. */
	167	scan_more = (instr_lo & 0xC) == 0x4;
	168	break;
	169	case 0xF0:
	170	/* 0xF0, 0xF2, and 0xF3 are valid prefixes */
	171	scan_more = !instr_lo \|\| (instr_lo>>1) == 1;
	172	break;
	173	case 0x00:
	174	/* Prefetch instruction is 0x0F0D or 0x0F18 */
	175	scan_more = 0;
11a4180c	176	if (instr > (unsigned char *)limit)
1da177e4	177	break;
11a4180c	178	if (probe_kernel_address(instr, opcode))
1da177e4 LT	179	break;
	180	prefetch = (instr_lo == 0xF) &&
	181	(opcode == 0x0D \|\| opcode == 0x18);
	182	break;
	183	default:
	184	scan_more = 0;
	185	break;
	186	}
	187	}
	188	return prefetch;
	189	}
	190
	191	static inline int is_prefetch(struct pt_regs *regs, unsigned long addr,
	192	unsigned long error_code)
	193	{
	194	if (unlikely(boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
	195	boot_cpu_data.x86 >= 6)) {
	196	/* Catch an obscure case of prefetch inside an NX page. */
	197	if (nx_enabled && (error_code & 16))
	198	return 0;
	199	return __is_prefetch(regs, addr);
	200	}
	201	return 0;
	202	}
	203
869f96a0 IM	204	static noinline void force_sig_info_fault(int si_signo, int si_code,
	205	unsigned long address, struct task_struct *tsk)
	206	{
	207	siginfo_t info;
	208
	209	info.si_signo = si_signo;
	210	info.si_errno = 0;
	211	info.si_code = si_code;
	212	info.si_addr = (void __user *)address;
	213	force_sig_info(si_signo, &info, tsk);
	214	}
	215
75604d7f	216	void do_invalid_op(struct pt_regs *, unsigned long);
1da177e4	217
101f12af JB	218	static inline pmd_t vmalloc_sync_one(pgd_t pgd, unsigned long address)
	219	{
	220	unsigned index = pgd_index(address);
	221	pgd_t *pgd_k;
	222	pud_t pud, pud_k;
	223	pmd_t pmd, pmd_k;
	224
	225	pgd += index;
	226	pgd_k = init_mm.pgd + index;
	227
	228	if (!pgd_present(*pgd_k))
	229	return NULL;
	230
	231	/*
	232	* set_pgd(pgd, *pgd_k); here would be useless on PAE
	233	* and redundant with the set_pmd() on non-PAE. As would
	234	* set_pud.
	235	*/
	236
	237	pud = pud_offset(pgd, address);
	238	pud_k = pud_offset(pgd_k, address);
	239	if (!pud_present(*pud_k))
	240	return NULL;
	241
	242	pmd = pmd_offset(pud, address);
	243	pmd_k = pmd_offset(pud_k, address);
	244	if (!pmd_present(*pmd_k))
	245	return NULL;
8b14cb99	246	if (!pmd_present(*pmd)) {
101f12af	247	set_pmd(pmd, *pmd_k);
8b14cb99 ZA	248	arch_flush_lazy_mmu_mode();
8b14cb99 ZA	249	} else
101f12af JB	250	BUG_ON(pmd_page(pmd) != pmd_page(pmd_k));
	251	return pmd_k;
	252	}
	253
	254	/*
	255	* Handle a fault on the vmalloc or module mapping area
	256	*
	257	* This assumes no large pages in there.
	258	*/
	259	static inline int vmalloc_fault(unsigned long address)
	260	{
	261	unsigned long pgd_paddr;
	262	pmd_t *pmd_k;
	263	pte_t *pte_k;
	264	/*
	265	* Synchronize this task's top level page-table
	266	* with the 'reference' page table.
	267	*
	268	* Do _not_ use "current" here. We might be inside
	269	* an interrupt in the middle of a task switch..
	270	*/
	271	pgd_paddr = read_cr3();
	272	pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
	273	if (!pmd_k)
	274	return -1;
	275	pte_k = pte_offset_kernel(pmd_k, address);
	276	if (!pte_present(*pte_k))
	277	return -1;
	278	return 0;
	279	}
	280
abd4f750 MAS	281	int show_unhandled_signals = 1;
abd4f750 MAS	282
1da177e4 LT	283	/*
	284	* This routine handles page faults. It determines the address,
	285	* and the problem, and then passes it off to one of the appropriate
	286	* routines.
	287	*
	288	* error_code:
	289	* bit 0 == 0 means no page found, 1 means protection fault
	290	* bit 1 == 0 means read, 1 means write
	291	* bit 2 == 0 means kernel, 1 means user-mode
101f12af JB	292	* bit 3 == 1 means use of reserved bit detected
101f12af JB	293	* bit 4 == 1 means fault was an instruction fetch
1da177e4	294	*/
75604d7f	295	void __kprobes do_page_fault(struct pt_regs *regs, unsigned long error_code)
1da177e4 LT	296	{
	297	struct task_struct *tsk;
	298	struct mm_struct *mm;
	299	struct vm_area_struct * vma;
	300	unsigned long address;
869f96a0	301	int write, si_code;
83c54070	302	int fault;
1da177e4	303
143a5d32 PZ	304	/*
	305	* We can fault from pretty much anywhere, with unknown IRQ state.
	306	*/
	307	trace_hardirqs_fixup();
	308
1da177e4	309	/* get the address */
4bb0d3ec	310	address = read_cr2();
1da177e4	311
1da177e4 LT	312	tsk = current;
1da177e4 LT	313
869f96a0	314	si_code = SEGV_MAPERR;
1da177e4 LT	315
	316	/*
	317	* We fault-in kernel-space virtual memory on-demand. The
	318	* 'reference' page table is init_mm.pgd.
	319	*
	320	* NOTE! We MUST NOT take any locks for this case. We may
	321	* be in an interrupt or a critical region, and should
	322	* only copy the information from the master page table,
	323	* nothing more.
	324	*
	325	* This verifies that the fault happens in kernel space
	326	* (error_code & 4) == 0, and that the fault was not a
101f12af	327	* protection error (error_code & 9) == 0.
1da177e4	328	*/
101f12af JB	329	if (unlikely(address >= TASK_SIZE)) {
	330	if (!(error_code & 0x0000000d) && vmalloc_fault(address) >= 0)
	331	return;
74a0b576	332	if (notify_page_fault(regs))
101f12af JB	333	return;
101f12af JB	334	/*
1da177e4 LT	335	* Don't take the mm semaphore here. If we fixup a prefetch
	336	* fault we could otherwise deadlock.
	337	*/
	338	goto bad_area_nosemaphore;
101f12af JB	339	}
101f12af JB	340
74a0b576	341	if (notify_page_fault(regs))
101f12af JB	342	return;
	343
	344	/* It's safe to allow irq's after cr2 has been saved and the vmalloc
	345	fault has been handled. */
65ea5b03	346	if (regs->flags & (X86_EFLAGS_IF\|VM_MASK))
101f12af	347	local_irq_enable();
1da177e4 LT	348
	349	mm = tsk->mm;
	350
	351	/*
	352	* If we're in an interrupt, have no user context or are running in an
	353	* atomic region then we must not take the fault..
	354	*/
	355	if (in_atomic() \|\| !mm)
	356	goto bad_area_nosemaphore;
	357
	358	/* When running in the kernel we expect faults to occur only to
	359	* addresses in user space. All other faults represent errors in the
27b46d76	360	* kernel and should generate an OOPS. Unfortunately, in the case of an
80f7228b	361	* erroneous fault occurring in a code path which already holds mmap_sem
1da177e4 LT	362	* we will deadlock attempting to validate the fault against the
	363	* address space. Luckily the kernel only validly references user
	364	* space from well defined areas of code, which are listed in the
	365	* exceptions table.
	366	*
	367	* As the vast majority of faults will be valid we will only perform
27b46d76	368	* the source reference check when there is a possibility of a deadlock.
1da177e4 LT	369	* Attempt to lock the address space, if we cannot we then validate the
	370	* source. If this is invalid we can skip the address space check,
	371	* thus avoiding the deadlock.
	372	*/
	373	if (!down_read_trylock(&mm->mmap_sem)) {
	374	if ((error_code & 4) == 0 &&
65ea5b03	375	!search_exception_tables(regs->ip))
1da177e4 LT	376	goto bad_area_nosemaphore;
	377	down_read(&mm->mmap_sem);
	378	}
	379
	380	vma = find_vma(mm, address);
	381	if (!vma)
	382	goto bad_area;
	383	if (vma->vm_start <= address)
	384	goto good_area;
	385	if (!(vma->vm_flags & VM_GROWSDOWN))
	386	goto bad_area;
	387	if (error_code & 4) {
	388	/*
65ea5b03	389	* Accessing the stack below %sp is always a bug.
21528454 CE	390	* The large cushion allows instructions like enter
21528454 CE	391	* and pusha to work. ("enter $65535,$31" pushes
65ea5b03	392	* 32 pointers and then decrements %sp by 65535.)
1da177e4	393	*/
65ea5b03	394	if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
1da177e4 LT	395	goto bad_area;
	396	}
	397	if (expand_stack(vma, address))
	398	goto bad_area;
	399	/*
	400	* Ok, we have a good vm_area for this memory access, so
	401	* we can handle it..
	402	*/
	403	good_area:
869f96a0	404	si_code = SEGV_ACCERR;
1da177e4 LT	405	write = 0;
	406	switch (error_code & 3) {
	407	default: /* 3: write, present */
78be3706	408	/* fall through */
1da177e4 LT	409	case 2: /* write, not present */
	410	if (!(vma->vm_flags & VM_WRITE))
	411	goto bad_area;
	412	write++;
	413	break;
	414	case 1: /* read, present */
	415	goto bad_area;
	416	case 0: /* read, not present */
df67b3da	417	if (!(vma->vm_flags & (VM_READ \| VM_EXEC \| VM_WRITE)))
1da177e4 LT	418	goto bad_area;
	419	}
	420
	421	survive:
	422	/*
	423	* If for any reason at all we couldn't handle the fault,
	424	* make sure we exit gracefully rather than endlessly redo
	425	* the fault.
	426	*/
83c54070 NP	427	fault = handle_mm_fault(mm, vma, address, write);
	428	if (unlikely(fault & VM_FAULT_ERROR)) {
	429	if (fault & VM_FAULT_OOM)
1da177e4	430	goto out_of_memory;
83c54070 NP	431	else if (fault & VM_FAULT_SIGBUS)
	432	goto do_sigbus;
	433	BUG();
1da177e4	434	}
83c54070 NP	435	if (fault & VM_FAULT_MAJOR)
	436	tsk->maj_flt++;
	437	else
	438	tsk->min_flt++;
1da177e4 LT	439
	440	/*
	441	* Did it hit the DOS screen memory VA from vm86 mode?
	442	*/
65ea5b03	443	if (regs->flags & VM_MASK) {
1da177e4 LT	444	unsigned long bit = (address - 0xA0000) >> PAGE_SHIFT;
	445	if (bit < 32)
	446	tsk->thread.screen_bitmap \|= 1 << bit;
	447	}
	448	up_read(&mm->mmap_sem);
	449	return;
	450
	451	/*
	452	* Something tried to access memory that isn't in our memory map..
	453	* Fix it, but check if it's kernel or user first..
	454	*/
	455	bad_area:
	456	up_read(&mm->mmap_sem);
	457
	458	bad_area_nosemaphore:
	459	/* User mode accesses just cause a SIGSEGV */
	460	if (error_code & 4) {
e5e3c84b SR	461	/*
	462	* It's possible to have interrupts off here.
	463	*/
	464	local_irq_enable();
	465
1da177e4 LT	466	/*
	467	* Valid to do another page fault here because this one came
	468	* from user space.
	469	*/
	470	if (is_prefetch(regs, address, error_code))
	471	return;
	472
abd4f750 MAS	473	if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
abd4f750 MAS	474	printk_ratelimit()) {
65ea5b03 PA	475	printk("%s%s[%d]: segfault at %08lx ip %08lx "
65ea5b03 PA	476	"sp %08lx error %lx\n",
19c5870c	477	task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
65ea5b03 PA	478	tsk->comm, task_pid_nr(tsk), address, regs->ip,
65ea5b03 PA	479	regs->sp, error_code);
abd4f750	480	}
1da177e4 LT	481	tsk->thread.cr2 = address;
	482	/* Kernel addresses are always protection faults */
	483	tsk->thread.error_code = error_code \| (address >= TASK_SIZE);
	484	tsk->thread.trap_no = 14;
869f96a0	485	force_sig_info_fault(SIGSEGV, si_code, address, tsk);
1da177e4 LT	486	return;
	487	}
	488
	489	#ifdef CONFIG_X86_F00F_BUG
	490	/*
	491	* Pentium F0 0F C7 C8 bug workaround.
	492	*/
	493	if (boot_cpu_data.f00f_bug) {
	494	unsigned long nr;
	495
	496	nr = (address - idt_descr.address) >> 3;
	497
	498	if (nr == 6) {
	499	do_invalid_op(regs, 0);
	500	return;
	501	}
	502	}
	503	#endif
	504
	505	no_context:
	506	/* Are we prepared to handle this kernel fault? */
	507	if (fixup_exception(regs))
	508	return;
	509
	510	/*
	511	* Valid to do another page fault here, because if this fault
	512	* had been triggered by is_prefetch fixup_exception would have
	513	* handled it.
	514	*/
	515	if (is_prefetch(regs, address, error_code))
	516	return;
	517
	518	/*
	519	* Oops. The kernel tried to access some bad page. We'll have to
	520	* terminate things with extreme prejudice.
	521	*/
	522
	523	bust_spinlocks(1);
	524
dd287796	525	if (oops_may_print()) {
28609f6e JB	526	__typeof__(pte_val(__pte(0))) page;
	527
	528	#ifdef CONFIG_X86_PAE
dd287796 AM	529	if (error_code & 16) {
	530	pte_t *pte = lookup_address(address);
	531
	532	if (pte && pte_present(pte) && !pte_exec_kernel(pte))
	533	printk(KERN_CRIT "kernel tried to execute "
	534	"NX-protected page - exploit attempt? "
	535	"(uid: %d)\n", current->uid);
	536	}
28609f6e	537	#endif
dd287796 AM	538	if (address < PAGE_SIZE)
	539	printk(KERN_ALERT "BUG: unable to handle kernel NULL "
	540	"pointer dereference");
	541	else
	542	printk(KERN_ALERT "BUG: unable to handle kernel paging"
	543	" request");
	544	printk(" at virtual address %08lx\n",address);
65ea5b03	545	printk(KERN_ALERT "printing ip: %08lx ", regs->ip);
28609f6e JB	546
	547	page = read_cr3();
	548	page = ((__typeof__(page) *) __va(page))[address >> PGDIR_SHIFT];
	549	#ifdef CONFIG_X86_PAE
9aa8d719	550	printk("*pdpt = %016Lx ", page);
28609f6e JB	551	if ((page >> PAGE_SHIFT) < max_low_pfn
	552	&& page & _PAGE_PRESENT) {
	553	page &= PAGE_MASK;
	554	page = ((__typeof__(page) *) __va(page))[(address >> PMD_SHIFT)
	555	& (PTRS_PER_PMD - 1)];
eec407c9	556	printk(KERN_CONT "*pde = %016Lx ", page);
28609f6e JB	557	page &= ~_PAGE_NX;
	558	}
	559	#else
9aa8d719	560	printk("*pde = %08lx ", page);
1da177e4	561	#endif
28609f6e JB	562
	563	/*
	564	* We must not directly access the pte in the highpte
	565	* case if the page table is located in highmem.
	566	* And let's rather not kmap-atomic the pte, just in case
	567	* it's allocated already.
	568	*/
	569	if ((page >> PAGE_SHIFT) < max_low_pfn
b1992df3 JB	570	&& (page & _PAGE_PRESENT)
b1992df3 JB	571	&& !(page & _PAGE_PSE)) {
28609f6e JB	572	page &= PAGE_MASK;
	573	page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
	574	& (PTRS_PER_PTE - 1)];
9aa8d719	575	printk("pte = %0Lx ", sizeof(page)*2, (u64)page);
28609f6e	576	}
9aa8d719 PE	577
9aa8d719 PE	578	printk("\n");
28609f6e JB	579	}
28609f6e JB	580
4f339ecb AN	581	tsk->thread.cr2 = address;
	582	tsk->thread.trap_no = 14;
	583	tsk->thread.error_code = error_code;
1da177e4 LT	584	die("Oops", regs, error_code);
	585	bust_spinlocks(0);
	586	do_exit(SIGKILL);
	587
	588	/*
	589	* We ran out of memory, or some other thing happened to us that made
	590	* us unable to handle the page fault gracefully.
	591	*/
	592	out_of_memory:
	593	up_read(&mm->mmap_sem);
b460cbc5	594	if (is_global_init(tsk)) {
1da177e4 LT	595	yield();
	596	down_read(&mm->mmap_sem);
	597	goto survive;
	598	}
	599	printk("VM: killing process %s\n", tsk->comm);
	600	if (error_code & 4)
dcca2bde	601	do_group_exit(SIGKILL);
1da177e4 LT	602	goto no_context;
	603
	604	do_sigbus:
	605	up_read(&mm->mmap_sem);
	606
	607	/* Kernel mode? Handle exceptions or die */
	608	if (!(error_code & 4))
	609	goto no_context;
	610
	611	/* User space => ok to do another page fault */
	612	if (is_prefetch(regs, address, error_code))
	613	return;
	614
	615	tsk->thread.cr2 = address;
	616	tsk->thread.error_code = error_code;
	617	tsk->thread.trap_no = 14;
869f96a0	618	force_sig_info_fault(SIGBUS, BUS_ADRERR, address, tsk);
101f12af	619	}
1da177e4	620
101f12af JB	621	void vmalloc_sync_all(void)
	622	{
	623	/*
	624	* Note that races in the updates of insync and start aren't
	625	* problematic: insync can only get set bits added, and updates to
	626	* start are only improving performance (without affecting correctness
	627	* if undone).
	628	*/
	629	static DECLARE_BITMAP(insync, PTRS_PER_PGD);
	630	static unsigned long start = TASK_SIZE;
	631	unsigned long address;
1da177e4	632
5311ab62 JF	633	if (SHARED_KERNEL_PMD)
	634	return;
	635
101f12af JB	636	BUILD_BUG_ON(TASK_SIZE & ~PGDIR_MASK);
	637	for (address = start; address >= TASK_SIZE; address += PGDIR_SIZE) {
	638	if (!test_bit(pgd_index(address), insync)) {
	639	unsigned long flags;
	640	struct page *page;
	641
	642	spin_lock_irqsave(&pgd_lock, flags);
	643	for (page = pgd_list; page; page =
	644	(struct page *)page->index)
	645	if (!vmalloc_sync_one(page_address(page),
	646	address)) {
	647	BUG_ON(page != pgd_list);
	648	break;
	649	}
	650	spin_unlock_irqrestore(&pgd_lock, flags);
	651	if (!page)
	652	set_bit(pgd_index(address), insync);
	653	}
	654	if (address == start && test_bit(pgd_index(address), insync))
	655	start = address + PGDIR_SIZE;
1da177e4 LT	656	}
1da177e4 LT	657	}