1 files changed, 189 insertions, 99 deletions
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 0d45f6debb3a..2b1519bc5381 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -851,6 +851,15 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
        show_opcodes(regs, loglvl);
 }
+/*
+ * The (legacy) vsyscall page is the long page in the kernel portion
+ * of the address space that has user-accessible permissions.
+ */
+static bool is_vsyscall_vaddr(unsigned long vaddr)
+{
+        return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);
+}
 static void
 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
                       unsigned long address, u32 *pkey, int si_code)
@@ -874,18 +883,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
                if (is_errata100(regs, address))
                        return;
-#ifdef CONFIG_X86_64
-                /*
-                 * Instruction fetch faults in the vsyscall page might need
-                 * emulation.
-                 */
-                if (unlikely((error_code & X86_PF_INSTR) &&
-                             ((address & ~0xfff) == VSYSCALL_ADDR))) {
-                        if (emulate_vsyscall(regs, address))
-                                return;
-                }
-#endif
                /*
                 * To avoid leaking information about the kernel page table
                 * layout, pretend that user-mode accesses to kernel addresses
@@ -1043,19 +1040,13 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
        }
 }
-static int spurious_fault_check(unsigned long error_code, pte_t *pte)
+static int spurious_kernel_fault_check(unsigned long error_code, pte_t *pte)
 {
        if ((error_code & X86_PF_WRITE) && !pte_write(*pte))
                return 0;
        if ((error_code & X86_PF_INSTR) && !pte_exec(*pte))
                return 0;
-        /*
-         * Note: We do not do lazy flushing on protection key
-         * changes, so no spurious fault will ever set X86_PF_PK.
-         */
-        if ((error_code & X86_PF_PK))
-                return 1;
        return 1;
 }
@@ -1082,7 +1073,7 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
 * (Optional Invalidation).
 */
 static noinline int
-spurious_fault(unsigned long error_code, unsigned long address)
+spurious_kernel_fault(unsigned long error_code, unsigned long address)
 {
        pgd_t *pgd;
        p4d_t *p4d;
@@ -1113,27 +1104,27 @@ spurious_fault(unsigned long error_code, unsigned long address)
                return 0;
        if (p4d_large(*p4d))
-                return spurious_fault_check(error_code, (pte_t *) p4d);
+                return spurious_kernel_fault_check(error_code, (pte_t *) p4d);
        pud = pud_offset(p4d, address);
        if (!pud_present(*pud))
                return 0;
        if (pud_large(*pud))
-                return spurious_fault_check(error_code, (pte_t *) pud);
+                return spurious_kernel_fault_check(error_code, (pte_t *) pud);
        pmd = pmd_offset(pud, address);
        if (!pmd_present(*pmd))
                return 0;
        if (pmd_large(*pmd))
-                return spurious_fault_check(error_code, (pte_t *) pmd);
+                return spurious_kernel_fault_check(error_code, (pte_t *) pmd);
        pte = pte_offset_kernel(pmd, address);
        if (!pte_present(*pte))
                return 0;
-        ret = spurious_fault_check(error_code, pte);
+        ret = spurious_kernel_fault_check(error_code, pte);
        if (!ret)
                return 0;
@@ -1141,12 +1132,12 @@ spurious_fault(unsigned long error_code, unsigned long address)
         * Make sure we have permissions in PMD.
         * If not, then there's a bug in the page tables:
         */
-        ret = spurious_fault_check(error_code, (pte_t *) pmd);
+        ret = spurious_kernel_fault_check(error_code, (pte_t *) pmd);
        WARN_ONCE(!ret, "PMD has incorrect permission bits\n");
        return ret;
 }
-NOKPROBE_SYMBOL(spurious_fault);
+NOKPROBE_SYMBOL(spurious_kernel_fault);
 int show_unhandled_signals = 1;
@@ -1193,6 +1184,14 @@ access_error(unsigned long error_code, struct vm_area_struct *vma)
 static int fault_in_kernel_space(unsigned long address)
 {
+        /*
+         * On 64-bit systems, the vsyscall page is at an address above
+         * TASK_SIZE_MAX, but is not considered part of the kernel
+         * address space.
+         */
+        if (IS_ENABLED(CONFIG_X86_64) && is_vsyscall_vaddr(address))
+                return false;
        return address >= TASK_SIZE_MAX;
 }
@@ -1214,31 +1213,23 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
 }
 /*
- * This routine handles page faults.  It determines the address,
+ * Called for all faults where 'address' is part of the kernel address
- * and the problem, and then passes it off to one of the appropriate
+ * space.  Might get called for faults that originate from *code* that
- * routines.
+ * ran in userspace or the kernel.
 */
-static noinline void
+static void
-__do_page_fault(struct pt_regs *regs, unsigned long error_code,
+do_kern_addr_fault(struct pt_regs *regs, unsigned long hw_error_code,
-                unsigned long address)
+                   unsigned long address)
 {
-        struct vm_area_struct *vma;
+        /*
-        struct task_struct *tsk;
+         * Protection keys exceptions only happen on user pages.  We
-        struct mm_struct *mm;
+         * have no user pages in the kernel portion of the address
-        vm_fault_t fault, major = 0;
+         * space, so do not expect them here.
-        unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+         */
-        u32 pkey;
+        WARN_ON_ONCE(hw_error_code & X86_PF_PK);
-        tsk = current;
-        mm = tsk->mm;
-        prefetchw(&mm->mmap_sem);
-        if (unlikely(kmmio_fault(regs, address)))
-                return;
        /*
-         * We fault-in kernel-space virtual memory on-demand. The
+         * We can fault-in kernel-space virtual memory on-demand. The
         * 'reference' page table is init_mm.pgd.
         *
         * NOTE! We MUST NOT take any locks for this case. We may
@@ -1246,41 +1237,74 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
         * only copy the information from the master page table,
         * nothing more.
         *
-         * This verifies that the fault happens in kernel space
+         * Before doing this on-demand faulting, ensure that the
-         * (error_code & 4) == 0, and that the fault was not a
+         * fault is not any of the following:
-         * protection error (error_code & 9) == 0.
+         * 1. A fault on a PTE with a reserved bit set.
+         * 2. A fault caused by a user-mode access.  (Do not demand-
+         *    fault kernel memory due to user-mode accesses).
+         * 3. A fault caused by a page-level protection violation.
+         *    (A demand fault would be on a non-present page which
+         *     would have X86_PF_PROT==0).
         */
-        if (unlikely(fault_in_kernel_space(address))) {
+        if (!(hw_error_code & (X86_PF_RSVD | X86_PF_USER | X86_PF_PROT))) {
-                if (!(error_code & (X86_PF_RSVD | X86_PF_USER | X86_PF_PROT))) {
+                if (vmalloc_fault(address) >= 0)
-                        if (vmalloc_fault(address) >= 0)
-                                return;
-                }
-                /* Can handle a stale RO->RW TLB: */
-                if (spurious_fault(error_code, address))
                        return;
+        }
-                /* kprobes don't want to hook the spurious faults: */
+        /* Was the fault spurious, caused by lazy TLB invalidation? */
-                if (kprobes_fault(regs))
+        if (spurious_kernel_fault(hw_error_code, address))
-                        return;
+                return;
-                /*
-                 * Don't take the mm semaphore here. If we fixup a prefetch
-                 * fault we could otherwise deadlock:
-                 */
-                bad_area_nosemaphore(regs, error_code, address, NULL);
+        /* kprobes don't want to hook the spurious faults: */
+        if (kprobes_fault(regs))
                return;
-        }
+        /*
+         * Note, despite being a "bad area", there are quite a few
+         * acceptable reasons to get here, such as erratum fixups
+         * and handling kernel code that can fault, like get_user().
+         *
+         * Don't take the mm semaphore here. If we fixup a prefetch
+         * fault we could otherwise deadlock:
+         */
+        bad_area_nosemaphore(regs, hw_error_code, address, NULL);
+}
+NOKPROBE_SYMBOL(do_kern_addr_fault);
+/* Handle faults in the user portion of the address space */
+static inline
+void do_user_addr_fault(struct pt_regs *regs,
+                        unsigned long hw_error_code,
+                        unsigned long address)
+{
+        unsigned long sw_error_code;
+        struct vm_area_struct *vma;
+        struct task_struct *tsk;
+        struct mm_struct *mm;
+        vm_fault_t fault, major = 0;
+        unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+        u32 pkey;
+        tsk = current;
+        mm = tsk->mm;
        /* kprobes don't want to hook the spurious faults: */
        if (unlikely(kprobes_fault(regs)))
                return;
-        if (unlikely(error_code & X86_PF_RSVD))
+        /*
-                pgtable_bad(regs, error_code, address);
+         * Reserved bits are never expected to be set on
+         * entries in the user portion of the page tables.
+         */
+        if (unlikely(hw_error_code & X86_PF_RSVD))
+                pgtable_bad(regs, hw_error_code, address);
-        if (unlikely(smap_violation(error_code, regs))) {
+        /*
-                bad_area_nosemaphore(regs, error_code, address, NULL);
+         * Check for invalid kernel (supervisor) access to user
+         * pages in the user address space.
+         */
+        if (unlikely(smap_violation(hw_error_code, regs))) {
+                bad_area_nosemaphore(regs, hw_error_code, address, NULL);
                return;
        }
@@ -1289,11 +1313,18 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
         * in a region with pagefaults disabled then we must not take the fault
         */
        if (unlikely(faulthandler_disabled() || !mm)) {
-                bad_area_nosemaphore(regs, error_code, address, NULL);
+                bad_area_nosemaphore(regs, hw_error_code, address, NULL);
                return;
        }
        /*
+         * hw_error_code is literally the "page fault error code" passed to
+         * the kernel directly from the hardware.  But, we will shortly be
+         * modifying it in software, so give it a new name.
+         */
+        sw_error_code = hw_error_code;
+        /*
         * It's safe to allow irq's after cr2 has been saved and the
         * vmalloc fault has been handled.
         *
@@ -1302,7 +1333,26 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
         */
        if (user_mode(regs)) {
                local_irq_enable();
-                error_code |= X86_PF_USER;
+                /*
+                 * Up to this point, X86_PF_USER set in hw_error_code
+                 * indicated a user-mode access.  But, after this,
+                 * X86_PF_USER in sw_error_code will indicate either
+                 * that, *or* an implicit kernel(supervisor)-mode access
+                 * which originated from user mode.
+                 */
+                if (!(hw_error_code & X86_PF_USER)) {
+                        /*
+                         * The CPU was in user mode, but the CPU says
+                         * the fault was not a user-mode access.
+                         * Must be an implicit kernel-mode access,
+                         * which we do not expect to happen in the
+                         * user address space.
+                         */
+                        pr_warn_once("kernel-mode error from user-mode: %lx\n",
+                                        hw_error_code);
+                        sw_error_code |= X86_PF_USER;
+                }
                flags |= FAULT_FLAG_USER;
        } else {
                if (regs->flags & X86_EFLAGS_IF)
@@ -1311,31 +1361,49 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
        perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
-        if (error_code & X86_PF_WRITE)
+        if (sw_error_code & X86_PF_WRITE)
                flags |= FAULT_FLAG_WRITE;
-        if (error_code & X86_PF_INSTR)
+        if (sw_error_code & X86_PF_INSTR)
                flags |= FAULT_FLAG_INSTRUCTION;
+#ifdef CONFIG_X86_64
        /*
-         * When running in the kernel we expect faults to occur only to
+         * Instruction fetch faults in the vsyscall page might need
-         * addresses in user space.  All other faults represent errors in
+         * emulation.  The vsyscall page is at a high address
-         * the kernel and should generate an OOPS.  Unfortunately, in the
+         * (>PAGE_OFFSET), but is considered to be part of the user
-         * case of an erroneous fault occurring in a code path which already
+         * address space.
-         * holds mmap_sem we will deadlock attempting to validate the fault
-         * against the address space.  Luckily the kernel only validly
-         * references user space from well defined areas of code, which are
-         * listed in the exceptions table.
         *
-         * As the vast majority of faults will be valid we will only perform
+         * The vsyscall page does not have a "real" VMA, so do this
-         * the source reference check when there is a possibility of a
+         * emulation before we go searching for VMAs.
-         * deadlock. Attempt to lock the address space, if we cannot we then
+         */
-         * validate the source. If this is invalid we can skip the address
+        if ((sw_error_code & X86_PF_INSTR) && is_vsyscall_vaddr(address)) {
-         * space check, thus avoiding the deadlock:
+                if (emulate_vsyscall(regs, address))
+                        return;
+        }
+#endif
+        /*
+         * Kernel-mode access to the user address space should only occur
+         * on well-defined single instructions listed in the exception
+         * tables.  But, an erroneous kernel fault occurring outside one of
+         * those areas which also holds mmap_sem might deadlock attempting
+         * to validate the fault against the address space.
+         *
+         * Only do the expensive exception table search when we might be at
+         * risk of a deadlock.  This happens if we
+         * 1. Failed to acquire mmap_sem, and
+         * 2. The access did not originate in userspace.  Note: either the
+         *    hardware or earlier page fault code may set X86_PF_USER
+         *    in sw_error_code.
         */
        if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
-                if (!(error_code & X86_PF_USER) &&
+                if (!(sw_error_code & X86_PF_USER) &&
                    !search_exception_tables(regs->ip)) {
-                        bad_area_nosemaphore(regs, error_code, address, NULL);
+                        /*
+                         * Fault from code in kernel from
+                         * which we do not expect faults.
+                         */
+                        bad_area_nosemaphore(regs, sw_error_code, address, NULL);
                        return;
                }
 retry:
@@ -1351,16 +1419,16 @@ retry:
        vma = find_vma(mm, address);
        if (unlikely(!vma)) {
-                bad_area(regs, error_code, address);
+                bad_area(regs, sw_error_code, address);
                return;
        }
        if (likely(vma->vm_start <= address))
                goto good_area;
        if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {
-                bad_area(regs, error_code, address);
+                bad_area(regs, sw_error_code, address);
                return;
        }
-        if (error_code & X86_PF_USER) {
+        if (sw_error_code & X86_PF_USER) {
                /*
                 * Accessing the stack below %sp is always a bug.
                 * The large cushion allows instructions like enter
@@ -1368,12 +1436,12 @@ retry:
                 * 32 pointers and then decrements %sp by 65535.)
                 */
                if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
-                        bad_area(regs, error_code, address);
+                        bad_area(regs, sw_error_code, address);
                        return;
                }
        }
        if (unlikely(expand_stack(vma, address))) {
-                bad_area(regs, error_code, address);
+                bad_area(regs, sw_error_code, address);
                return;
        }
@@ -1382,8 +1450,8 @@ retry:
         * we can handle it..
         */
 good_area:
-        if (unlikely(access_error(error_code, vma))) {
+        if (unlikely(access_error(sw_error_code, vma))) {
-                bad_area_access_error(regs, error_code, address, vma);
+                bad_area_access_error(regs, sw_error_code, address, vma);
                return;
        }
@@ -1425,13 +1493,13 @@ good_area:
                        return;
                /* Not returning to user mode? Handle exceptions or die: */
-                no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
+                no_context(regs, sw_error_code, address, SIGBUS, BUS_ADRERR);
                return;
        }
        up_read(&mm->mmap_sem);
        if (unlikely(fault & VM_FAULT_ERROR)) {
-                mm_fault_error(regs, error_code, address, &pkey, fault);
+                mm_fault_error(regs, sw_error_code, address, &pkey, fault);
                return;
        }
@@ -1449,6 +1517,28 @@ good_area:
        check_v8086_mode(regs, address, tsk);
 }
+NOKPROBE_SYMBOL(do_user_addr_fault);
+/*
+ * This routine handles page faults.  It determines the address,
+ * and the problem, and then passes it off to one of the appropriate
+ * routines.
+ */
+static noinline void
+__do_page_fault(struct pt_regs *regs, unsigned long hw_error_code,
+                unsigned long address)
+{
+        prefetchw(&current->mm->mmap_sem);
+        if (unlikely(kmmio_fault(regs, address)))
+                return;
+        /* Was the fault on kernel-controlled part of the address space? */
+        if (unlikely(fault_in_kernel_space(address)))
+                do_kern_addr_fault(regs, hw_error_code, address);
+        else
+                do_user_addr_fault(regs, hw_error_code, address);
+}
 NOKPROBE_SYMBOL(__do_page_fault);
 static nokprobe_inline void

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 0d45f6debb3a..2b1519bc5381 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c
@@ -851,6 +851,15 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
851	show_opcodes(regs, loglvl);	851	show_opcodes(regs, loglvl);
852	}	852	}
853		853
		854	/*
		855	* The (legacy) vsyscall page is the long page in the kernel portion
		856	* of the address space that has user-accessible permissions.
		857	*/
		858	static bool is_vsyscall_vaddr(unsigned long vaddr)
		859	{
		860	return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);
		861	}
		862
854	static void	863	static void
855	__bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,	864	__bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
856	unsigned long address, u32 *pkey, int si_code)	865	unsigned long address, u32 *pkey, int si_code)
@@ -874,18 +883,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
874	if (is_errata100(regs, address))	883	if (is_errata100(regs, address))
875	return;	884	return;
876		885
877	#ifdef CONFIG_X86_64
878	/*
879	* Instruction fetch faults in the vsyscall page might need
880	* emulation.
881	*/
882	if (unlikely((error_code & X86_PF_INSTR) &&
883	((address & ~0xfff) == VSYSCALL_ADDR))) {
884	if (emulate_vsyscall(regs, address))
885	return;
886	}
887	#endif
888
889	/*	886	/*
890	* To avoid leaking information about the kernel page table	887	* To avoid leaking information about the kernel page table
891	* layout, pretend that user-mode accesses to kernel addresses	888	* layout, pretend that user-mode accesses to kernel addresses
@@ -1043,19 +1040,13 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
1043	}	1040	}
1044	}	1041	}
1045		1042
1046	static int spurious_fault_check(unsigned long error_code, pte_t *pte)	1043	static int spurious_kernel_fault_check(unsigned long error_code, pte_t *pte)
1047	{	1044	{
1048	if ((error_code & X86_PF_WRITE) && !pte_write(*pte))	1045	if ((error_code & X86_PF_WRITE) && !pte_write(*pte))
1049	return 0;	1046	return 0;
1050		1047
1051	if ((error_code & X86_PF_INSTR) && !pte_exec(*pte))	1048	if ((error_code & X86_PF_INSTR) && !pte_exec(*pte))
1052	return 0;	1049	return 0;
1053	/*
1054	* Note: We do not do lazy flushing on protection key
1055	* changes, so no spurious fault will ever set X86_PF_PK.
1056	*/
1057	if ((error_code & X86_PF_PK))
1058	return 1;
1059		1050
1060	return 1;	1051	return 1;
1061	}	1052	}
@@ -1082,7 +1073,7 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
1082	* (Optional Invalidation).	1073	* (Optional Invalidation).
1083	*/	1074	*/
1084	static noinline int	1075	static noinline int
1085	spurious_fault(unsigned long error_code, unsigned long address)	1076	spurious_kernel_fault(unsigned long error_code, unsigned long address)
1086	{	1077	{
1087	pgd_t *pgd;	1078	pgd_t *pgd;
1088	p4d_t *p4d;	1079	p4d_t *p4d;
@@ -1113,27 +1104,27 @@ spurious_fault(unsigned long error_code, unsigned long address)
1113	return 0;	1104	return 0;
1114		1105
1115	if (p4d_large(*p4d))	1106	if (p4d_large(*p4d))
1116	return spurious_fault_check(error_code, (pte_t *) p4d);	1107	return spurious_kernel_fault_check(error_code, (pte_t *) p4d);
1117		1108
1118	pud = pud_offset(p4d, address);	1109	pud = pud_offset(p4d, address);
1119	if (!pud_present(*pud))	1110	if (!pud_present(*pud))
1120	return 0;	1111	return 0;
1121		1112
1122	if (pud_large(*pud))	1113	if (pud_large(*pud))
1123	return spurious_fault_check(error_code, (pte_t *) pud);	1114	return spurious_kernel_fault_check(error_code, (pte_t *) pud);
1124		1115
1125	pmd = pmd_offset(pud, address);	1116	pmd = pmd_offset(pud, address);
1126	if (!pmd_present(*pmd))	1117	if (!pmd_present(*pmd))
1127	return 0;	1118	return 0;
1128		1119
1129	if (pmd_large(*pmd))	1120	if (pmd_large(*pmd))
1130	return spurious_fault_check(error_code, (pte_t *) pmd);	1121	return spurious_kernel_fault_check(error_code, (pte_t *) pmd);
1131		1122
1132	pte = pte_offset_kernel(pmd, address);	1123	pte = pte_offset_kernel(pmd, address);
1133	if (!pte_present(*pte))	1124	if (!pte_present(*pte))
1134	return 0;	1125	return 0;
1135		1126
1136	ret = spurious_fault_check(error_code, pte);	1127	ret = spurious_kernel_fault_check(error_code, pte);
1137	if (!ret)	1128	if (!ret)
1138	return 0;	1129	return 0;
1139		1130
@@ -1141,12 +1132,12 @@ spurious_fault(unsigned long error_code, unsigned long address)
1141	* Make sure we have permissions in PMD.	1132	* Make sure we have permissions in PMD.
1142	* If not, then there's a bug in the page tables:	1133	* If not, then there's a bug in the page tables:
1143	*/	1134	*/
1144	ret = spurious_fault_check(error_code, (pte_t *) pmd);	1135	ret = spurious_kernel_fault_check(error_code, (pte_t *) pmd);
1145	WARN_ONCE(!ret, "PMD has incorrect permission bits\n");	1136	WARN_ONCE(!ret, "PMD has incorrect permission bits\n");
1146		1137
1147	return ret;	1138	return ret;
1148	}	1139	}
1149	NOKPROBE_SYMBOL(spurious_fault);	1140	NOKPROBE_SYMBOL(spurious_kernel_fault);
1150		1141
1151	int show_unhandled_signals = 1;	1142	int show_unhandled_signals = 1;
1152		1143
@@ -1193,6 +1184,14 @@ access_error(unsigned long error_code, struct vm_area_struct *vma)
1193		1184
1194	static int fault_in_kernel_space(unsigned long address)	1185	static int fault_in_kernel_space(unsigned long address)
1195	{	1186	{
		1187	/*
		1188	* On 64-bit systems, the vsyscall page is at an address above
		1189	* TASK_SIZE_MAX, but is not considered part of the kernel
		1190	* address space.
		1191	*/
		1192	if (IS_ENABLED(CONFIG_X86_64) && is_vsyscall_vaddr(address))
		1193	return false;
		1194
1196	return address >= TASK_SIZE_MAX;	1195	return address >= TASK_SIZE_MAX;
1197	}	1196	}
1198		1197
@@ -1214,31 +1213,23 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
1214	}	1213	}
1215		1214
1216	/*	1215	/*
1217	* This routine handles page faults. It determines the address,	1216	* Called for all faults where 'address' is part of the kernel address
1218	* and the problem, and then passes it off to one of the appropriate	1217	* space. Might get called for faults that originate from code that
1219	* routines.	1218	* ran in userspace or the kernel.
1220	*/	1219	*/
1221	static noinline void	1220	static void
1222	__do_page_fault(struct pt_regs *regs, unsigned long error_code,	1221	do_kern_addr_fault(struct pt_regs *regs, unsigned long hw_error_code,
1223	unsigned long address)	1222	unsigned long address)
1224	{	1223	{
1225	struct vm_area_struct *vma;	1224	/*
1226	struct task_struct *tsk;	1225	* Protection keys exceptions only happen on user pages. We
1227	struct mm_struct *mm;	1226	* have no user pages in the kernel portion of the address
1228	vm_fault_t fault, major = 0;	1227	* space, so do not expect them here.
1229	unsigned int flags = FAULT_FLAG_ALLOW_RETRY \| FAULT_FLAG_KILLABLE;	1228	*/
1230	u32 pkey;	1229	WARN_ON_ONCE(hw_error_code & X86_PF_PK);
1231
1232	tsk = current;
1233	mm = tsk->mm;
1234
1235	prefetchw(&mm->mmap_sem);
1236
1237	if (unlikely(kmmio_fault(regs, address)))
1238	return;
1239		1230
1240	/*	1231	/*
1241	* We fault-in kernel-space virtual memory on-demand. The	1232	* We can fault-in kernel-space virtual memory on-demand. The
1242	* 'reference' page table is init_mm.pgd.	1233	* 'reference' page table is init_mm.pgd.
1243	*	1234	*
1244	* NOTE! We MUST NOT take any locks for this case. We may	1235	* NOTE! We MUST NOT take any locks for this case. We may
@@ -1246,41 +1237,74 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
1246	* only copy the information from the master page table,	1237	* only copy the information from the master page table,
1247	* nothing more.	1238	* nothing more.
1248	*	1239	*
1249	* This verifies that the fault happens in kernel space	1240	* Before doing this on-demand faulting, ensure that the
1250	* (error_code & 4) == 0, and that the fault was not a	1241	* fault is not any of the following:
1251	* protection error (error_code & 9) == 0.	1242	* 1. A fault on a PTE with a reserved bit set.
		1243	* 2. A fault caused by a user-mode access. (Do not demand-
		1244	* fault kernel memory due to user-mode accesses).
		1245	* 3. A fault caused by a page-level protection violation.
		1246	* (A demand fault would be on a non-present page which
		1247	* would have X86_PF_PROT==0).
1252	*/	1248	*/
1253	if (unlikely(fault_in_kernel_space(address))) {	1249	if (!(hw_error_code & (X86_PF_RSVD \| X86_PF_USER \| X86_PF_PROT))) {
1254	if (!(error_code & (X86_PF_RSVD \| X86_PF_USER \| X86_PF_PROT))) {	1250	if (vmalloc_fault(address) >= 0)
1255	if (vmalloc_fault(address) >= 0)
1256	return;
1257	}
1258
1259	/* Can handle a stale RO->RW TLB: */
1260	if (spurious_fault(error_code, address))
1261	return;	1251	return;
		1252	}
1262		1253
1263	/* kprobes don't want to hook the spurious faults: */	1254	/* Was the fault spurious, caused by lazy TLB invalidation? */
1264	if (kprobes_fault(regs))	1255	if (spurious_kernel_fault(hw_error_code, address))
1265	return;	1256	return;
1266	/*
1267	* Don't take the mm semaphore here. If we fixup a prefetch
1268	* fault we could otherwise deadlock:
1269	*/
1270	bad_area_nosemaphore(regs, error_code, address, NULL);
1271		1257
		1258	/* kprobes don't want to hook the spurious faults: */
		1259	if (kprobes_fault(regs))
1272	return;	1260	return;
1273	}	1261
		1262	/*
		1263	* Note, despite being a "bad area", there are quite a few
		1264	* acceptable reasons to get here, such as erratum fixups
		1265	* and handling kernel code that can fault, like get_user().
		1266	*
		1267	* Don't take the mm semaphore here. If we fixup a prefetch
		1268	* fault we could otherwise deadlock:
		1269	*/
		1270	bad_area_nosemaphore(regs, hw_error_code, address, NULL);
		1271	}
		1272	NOKPROBE_SYMBOL(do_kern_addr_fault);
		1273
		1274	/* Handle faults in the user portion of the address space */
		1275	static inline
		1276	void do_user_addr_fault(struct pt_regs *regs,
		1277	unsigned long hw_error_code,
		1278	unsigned long address)
		1279	{
		1280	unsigned long sw_error_code;
		1281	struct vm_area_struct *vma;
		1282	struct task_struct *tsk;
		1283	struct mm_struct *mm;
		1284	vm_fault_t fault, major = 0;
		1285	unsigned int flags = FAULT_FLAG_ALLOW_RETRY \| FAULT_FLAG_KILLABLE;
		1286	u32 pkey;
		1287
		1288	tsk = current;
		1289	mm = tsk->mm;
1274		1290
1275	/* kprobes don't want to hook the spurious faults: */	1291	/* kprobes don't want to hook the spurious faults: */
1276	if (unlikely(kprobes_fault(regs)))	1292	if (unlikely(kprobes_fault(regs)))
1277	return;	1293	return;
1278		1294
1279	if (unlikely(error_code & X86_PF_RSVD))	1295	/*
1280	pgtable_bad(regs, error_code, address);	1296	* Reserved bits are never expected to be set on
		1297	* entries in the user portion of the page tables.
		1298	*/
		1299	if (unlikely(hw_error_code & X86_PF_RSVD))
		1300	pgtable_bad(regs, hw_error_code, address);
1281		1301
1282	if (unlikely(smap_violation(error_code, regs))) {	1302	/*
1283	bad_area_nosemaphore(regs, error_code, address, NULL);	1303	* Check for invalid kernel (supervisor) access to user
		1304	* pages in the user address space.
		1305	*/
		1306	if (unlikely(smap_violation(hw_error_code, regs))) {
		1307	bad_area_nosemaphore(regs, hw_error_code, address, NULL);
1284	return;	1308	return;
1285	}	1309	}
1286		1310
@@ -1289,11 +1313,18 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
1289	* in a region with pagefaults disabled then we must not take the fault	1313	* in a region with pagefaults disabled then we must not take the fault
1290	*/	1314	*/
1291	if (unlikely(faulthandler_disabled() \|\| !mm)) {	1315	if (unlikely(faulthandler_disabled() \|\| !mm)) {
1292	bad_area_nosemaphore(regs, error_code, address, NULL);	1316	bad_area_nosemaphore(regs, hw_error_code, address, NULL);
1293	return;	1317	return;
1294	}	1318	}
1295		1319
1296	/*	1320	/*
		1321	* hw_error_code is literally the "page fault error code" passed to
		1322	* the kernel directly from the hardware. But, we will shortly be
		1323	* modifying it in software, so give it a new name.
		1324	*/
		1325	sw_error_code = hw_error_code;
		1326
		1327	/*
1297	* It's safe to allow irq's after cr2 has been saved and the	1328	* It's safe to allow irq's after cr2 has been saved and the
1298	* vmalloc fault has been handled.	1329	* vmalloc fault has been handled.
1299	*	1330	*
@@ -1302,7 +1333,26 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
1302	*/	1333	*/
1303	if (user_mode(regs)) {	1334	if (user_mode(regs)) {
1304	local_irq_enable();	1335	local_irq_enable();
1305	error_code \|= X86_PF_USER;	1336	/*
		1337	* Up to this point, X86_PF_USER set in hw_error_code
		1338	* indicated a user-mode access. But, after this,
		1339	* X86_PF_USER in sw_error_code will indicate either
		1340	* that, or an implicit kernel(supervisor)-mode access
		1341	* which originated from user mode.
		1342	*/
		1343	if (!(hw_error_code & X86_PF_USER)) {
		1344	/*
		1345	* The CPU was in user mode, but the CPU says
		1346	* the fault was not a user-mode access.
		1347	* Must be an implicit kernel-mode access,
		1348	* which we do not expect to happen in the
		1349	* user address space.
		1350	*/
		1351	pr_warn_once("kernel-mode error from user-mode: %lx\n",
		1352	hw_error_code);
		1353
		1354	sw_error_code \|= X86_PF_USER;
		1355	}
1306	flags \|= FAULT_FLAG_USER;	1356	flags \|= FAULT_FLAG_USER;
1307	} else {	1357	} else {
1308	if (regs->flags & X86_EFLAGS_IF)	1358	if (regs->flags & X86_EFLAGS_IF)
@@ -1311,31 +1361,49 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
1311		1361
1312	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);	1362	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
1313		1363
1314	if (error_code & X86_PF_WRITE)	1364	if (sw_error_code & X86_PF_WRITE)
1315	flags \|= FAULT_FLAG_WRITE;	1365	flags \|= FAULT_FLAG_WRITE;
1316	if (error_code & X86_PF_INSTR)	1366	if (sw_error_code & X86_PF_INSTR)
1317	flags \|= FAULT_FLAG_INSTRUCTION;	1367	flags \|= FAULT_FLAG_INSTRUCTION;
1318		1368
		1369	#ifdef CONFIG_X86_64
1319	/*	1370	/*
1320	* When running in the kernel we expect faults to occur only to	1371	* Instruction fetch faults in the vsyscall page might need
1321	* addresses in user space. All other faults represent errors in	1372	* emulation. The vsyscall page is at a high address
1322	* the kernel and should generate an OOPS. Unfortunately, in the	1373	* (>PAGE_OFFSET), but is considered to be part of the user
1323	* case of an erroneous fault occurring in a code path which already	1374	* address space.
1324	* holds mmap_sem we will deadlock attempting to validate the fault
1325	* against the address space. Luckily the kernel only validly
1326	* references user space from well defined areas of code, which are
1327	* listed in the exceptions table.
1328	*	1375	*
1329	* As the vast majority of faults will be valid we will only perform	1376	* The vsyscall page does not have a "real" VMA, so do this
1330	* the source reference check when there is a possibility of a	1377	* emulation before we go searching for VMAs.
1331	* deadlock. Attempt to lock the address space, if we cannot we then	1378	*/
1332	* validate the source. If this is invalid we can skip the address	1379	if ((sw_error_code & X86_PF_INSTR) && is_vsyscall_vaddr(address)) {
1333	* space check, thus avoiding the deadlock:	1380	if (emulate_vsyscall(regs, address))
		1381	return;
		1382	}
		1383	#endif
		1384
		1385	/*
		1386	* Kernel-mode access to the user address space should only occur
		1387	* on well-defined single instructions listed in the exception
		1388	* tables. But, an erroneous kernel fault occurring outside one of
		1389	* those areas which also holds mmap_sem might deadlock attempting
		1390	* to validate the fault against the address space.
		1391	*
		1392	* Only do the expensive exception table search when we might be at
		1393	* risk of a deadlock. This happens if we
		1394	* 1. Failed to acquire mmap_sem, and
		1395	* 2. The access did not originate in userspace. Note: either the
		1396	* hardware or earlier page fault code may set X86_PF_USER
		1397	* in sw_error_code.
1334	*/	1398	*/
1335	if (unlikely(!down_read_trylock(&mm->mmap_sem))) {	1399	if (unlikely(!down_read_trylock(&mm->mmap_sem))) {
1336	if (!(error_code & X86_PF_USER) &&	1400	if (!(sw_error_code & X86_PF_USER) &&
1337	!search_exception_tables(regs->ip)) {	1401	!search_exception_tables(regs->ip)) {
1338	bad_area_nosemaphore(regs, error_code, address, NULL);	1402	/*
		1403	* Fault from code in kernel from
		1404	* which we do not expect faults.
		1405	*/
		1406	bad_area_nosemaphore(regs, sw_error_code, address, NULL);
1339	return;	1407	return;
1340	}	1408	}
1341	retry:	1409	retry:
@@ -1351,16 +1419,16 @@ retry:
1351		1419
1352	vma = find_vma(mm, address);	1420	vma = find_vma(mm, address);
1353	if (unlikely(!vma)) {	1421	if (unlikely(!vma)) {
1354	bad_area(regs, error_code, address);	1422	bad_area(regs, sw_error_code, address);
1355	return;	1423	return;
1356	}	1424	}
1357	if (likely(vma->vm_start <= address))	1425	if (likely(vma->vm_start <= address))
1358	goto good_area;	1426	goto good_area;
1359	if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {	1427	if (unlikely(!(vma->vm_flags & VM_GROWSDOWN))) {
1360	bad_area(regs, error_code, address);	1428	bad_area(regs, sw_error_code, address);
1361	return;	1429	return;
1362	}	1430	}
1363	if (error_code & X86_PF_USER) {	1431	if (sw_error_code & X86_PF_USER) {
1364	/*	1432	/*
1365	* Accessing the stack below %sp is always a bug.	1433	* Accessing the stack below %sp is always a bug.
1366	* The large cushion allows instructions like enter	1434	* The large cushion allows instructions like enter
@@ -1368,12 +1436,12 @@ retry:
1368	* 32 pointers and then decrements %sp by 65535.)	1436	* 32 pointers and then decrements %sp by 65535.)
1369	*/	1437	*/
1370	if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {	1438	if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
1371	bad_area(regs, error_code, address);	1439	bad_area(regs, sw_error_code, address);
1372	return;	1440	return;
1373	}	1441	}
1374	}	1442	}
1375	if (unlikely(expand_stack(vma, address))) {	1443	if (unlikely(expand_stack(vma, address))) {
1376	bad_area(regs, error_code, address);	1444	bad_area(regs, sw_error_code, address);
1377	return;	1445	return;
1378	}	1446	}
1379		1447
@@ -1382,8 +1450,8 @@ retry:
1382	* we can handle it..	1450	* we can handle it..
1383	*/	1451	*/
1384	good_area:	1452	good_area:
1385	if (unlikely(access_error(error_code, vma))) {	1453	if (unlikely(access_error(sw_error_code, vma))) {
1386	bad_area_access_error(regs, error_code, address, vma);	1454	bad_area_access_error(regs, sw_error_code, address, vma);
1387	return;	1455	return;
1388	}	1456	}
1389		1457
@@ -1425,13 +1493,13 @@ good_area:
1425	return;	1493	return;
1426		1494
1427	/* Not returning to user mode? Handle exceptions or die: */	1495	/* Not returning to user mode? Handle exceptions or die: */
1428	no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);	1496	no_context(regs, sw_error_code, address, SIGBUS, BUS_ADRERR);
1429	return;	1497	return;
1430	}	1498	}
1431		1499
1432	up_read(&mm->mmap_sem);	1500	up_read(&mm->mmap_sem);
1433	if (unlikely(fault & VM_FAULT_ERROR)) {	1501	if (unlikely(fault & VM_FAULT_ERROR)) {
1434	mm_fault_error(regs, error_code, address, &pkey, fault);	1502	mm_fault_error(regs, sw_error_code, address, &pkey, fault);
1435	return;	1503	return;
1436	}	1504	}
1437		1505
@@ -1449,6 +1517,28 @@ good_area:
1449		1517
1450	check_v8086_mode(regs, address, tsk);	1518	check_v8086_mode(regs, address, tsk);
1451	}	1519	}
		1520	NOKPROBE_SYMBOL(do_user_addr_fault);
		1521
		1522	/*
		1523	* This routine handles page faults. It determines the address,
		1524	* and the problem, and then passes it off to one of the appropriate
		1525	* routines.
		1526	*/
		1527	static noinline void
		1528	__do_page_fault(struct pt_regs *regs, unsigned long hw_error_code,
		1529	unsigned long address)
		1530	{
		1531	prefetchw(&current->mm->mmap_sem);
		1532
		1533	if (unlikely(kmmio_fault(regs, address)))
		1534	return;
		1535
		1536	/* Was the fault on kernel-controlled part of the address space? */
		1537	if (unlikely(fault_in_kernel_space(address)))
		1538	do_kern_addr_fault(regs, hw_error_code, address);
		1539	else
		1540	do_user_addr_fault(regs, hw_error_code, address);
		1541	}
1452	NOKPROBE_SYMBOL(__do_page_fault);	1542	NOKPROBE_SYMBOL(__do_page_fault);
1453		1543
1454	static nokprobe_inline void	1544	static nokprobe_inline void