[S390] Fixed handling of access register mode faults.

Replaced check_user_space() + __check_access_register with the new check_space(). The old functions made wrong assumptions about kernel and user space when the kernel and user address spaces are switched (kernel in home space, user in primary/secondary space). Secondly the user process can switch to the accress register mode if it is running in primary or secondary mode. In addition it can load an arbitrary value to the access registers. If any other value than 0 for primary space or 1 for secondary space is loaded and memory is accessed using the base register related to the access register, the program should be terminated with a SIGSEGV. To achieve that the DUALD pointer in the DUCT and the PSALD pointer in the PASTE need to point to an array of 8 invalid access-list entries to get a ALEN-translation exception if an invalid alet is used. Signed-off-by: Gerald Schaefer <geraldsc@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Gerald Schaefer <geraldsc@de.ibm.com> 2007-03-05 17:35:54 -0500
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2007-03-05 17:35:54 -0500
commit: 482b05dd533da162fa8d04c61712fae297bea3e0 (patch)
tree: d8c93f1557927b7a00ca07c2e07b7de8b0fa7772 /arch/s390/mm/fault.c
parent: 046f3e821f146d6c473edb033af15a0604957af8 (diff)
1 files changed, 47 insertions, 58 deletions
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index 641aef36ccc4..7462aebd3eb6 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -108,53 +108,40 @@ void bust_spinlocks(int yes)
 }
 /*
- * Check which address space is addressed by the access
+ * Returns the address space associated with the fault.
- * register in S390_lowcore.exc_access_id.
+ * Returns 0 for kernel space, 1 for user space and
- * Returns 1 for user space and 0 for kernel space.
+ * 2 for code execution in user space with noexec=on.
 */
-static int __check_access_register(struct pt_regs *regs, int error_code)
+static inline int check_space(struct task_struct *tsk)
-{
-        int areg = S390_lowcore.exc_access_id;
-        if (areg == 0)
-                /* Access via access register 0 -> kernel address */
-                return 0;
-        save_access_regs(current->thread.acrs);
-        if (regs && areg < NUM_ACRS && current->thread.acrs[areg] <= 1)
-                /*
-                 * access register contains 0 -> kernel address,
-                 * access register contains 1 -> user space address
-                 */
-                return current->thread.acrs[areg];
-        /* Something unhealthy was done with the access registers... */
-        die("page fault via unknown access register", regs, error_code);
-        do_exit(SIGKILL);
-        return 0;
-}
-/*
- * Check which address space the address belongs to.
- * May return 1 or 2 for user space and 0 for kernel space.
- * Returns 2 for user space in primary addressing mode with
- * CONFIG_S390_EXEC_PROTECT on and kernel parameter noexec=on.
- */
-static inline int check_user_space(struct pt_regs *regs, int error_code)
 {
        /*
-         * The lowest two bits of S390_lowcore.trans_exc_code indicate
+         * The lowest two bits of S390_lowcore.trans_exc_code
-         * which paging table was used:
+         * indicate which paging table was used.
-         *   0: Primary Segment Table Descriptor
-         *   1: STD determined via access register
-         *   2: Secondary Segment Table Descriptor
-         *   3: Home Segment Table Descriptor
         */
-        int descriptor = S390_lowcore.trans_exc_code & 3;
+        int desc = S390_lowcore.trans_exc_code & 3;
-        if (unlikely(descriptor == 1))
-                return __check_access_register(regs, error_code);
+        if (desc == 3)  /* Home Segment Table Descriptor */
-        if (descriptor == 2)
+                return switch_amode == 0;
-                return current->thread.mm_segment.ar4;
+        if (desc == 2)  /* Secondary Segment Table Descriptor */
-        return ((descriptor != 0) ^ (switch_amode)) << s390_noexec;
+                return tsk->thread.mm_segment.ar4;
+#ifdef CONFIG_S390_SWITCH_AMODE
+        if (unlikely(desc == 1)) { /* STD determined via access register */
+                /* %a0 always indicates primary space. */
+                if (S390_lowcore.exc_access_id != 0) {
+                        save_access_regs(tsk->thread.acrs);
+                        /*
+                         * An alet of 0 indicates primary space.
+                         * An alet of 1 indicates secondary space.
+                         * Any other alet values generate an
+                         * alen-translation exception.
+                         */
+                        if (tsk->thread.acrs[S390_lowcore.exc_access_id])
+                                return tsk->thread.mm_segment.ar4;
+                }
+        }
+#endif
+        /* Primary Segment Table Descriptor */
+        return switch_amode << s390_noexec;
 }
 /*
@@ -265,16 +252,16 @@ out_fault:
 *   11       Page translation     ->  Not present       (nullification)
 *   3b       Region third trans.  ->  Not present       (nullification)
 */
-static inline void __kprobes
+static inline void
 do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
 {
        struct task_struct *tsk;
        struct mm_struct *mm;
        struct vm_area_struct * vma;
        unsigned long address;
-        int user_address;
        const struct exception_table_entry *fixup;
-        int si_code = SEGV_MAPERR;
+        int si_code;
+        int space;
        tsk = current;
        mm = tsk->mm;
@@ -294,7 +281,7 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
                   NULL pointer write access in kernel mode.  */
                if (!(regs->psw.mask & PSW_MASK_PSTATE)) {
                        address = 0;
-                        user_address = 0;
+                        space = 0;
                        goto no_context;
                }
@@ -309,15 +296,15 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
         * the address 
         */
        address = S390_lowcore.trans_exc_code & __FAIL_ADDR_MASK;
-        user_address = check_user_space(regs, error_code);
+        space = check_space(tsk);
        /*
         * Verify that the fault happened in user space, that
         * we are not in an interrupt and that there is a 
         * user context.
         */
-        if (user_address == 0 || in_atomic() || !mm)
+        if (unlikely(space == 0 || in_atomic() || !mm))
-                goto no_context;
+                goto no_context;
        /*
         * When we get here, the fault happened in the current
@@ -328,12 +315,13 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
        down_read(&mm->mmap_sem);
-        vma = find_vma(mm, address);
+        si_code = SEGV_MAPERR;
-        if (!vma)
+        vma = find_vma(mm, address);
-                goto bad_area;
+        if (!vma)
+                goto bad_area;
 #ifdef CONFIG_S390_EXEC_PROTECT
-        if (unlikely((user_address == 2) && !(vma->vm_flags & VM_EXEC)))
+        if (unlikely((space == 2) && !(vma->vm_flags & VM_EXEC)))
                if (!signal_return(mm, regs, address, error_code))
                        /*
                         * signal_return() has done an up_read(&mm->mmap_sem)
@@ -389,7 +377,7 @@ survive:
         * The instruction that caused the program check will
         * be repeated. Don't signal single step via SIGTRAP.
         */
-        clear_tsk_thread_flag(current, TIF_SINGLE_STEP);
+        clear_tsk_thread_flag(tsk, TIF_SINGLE_STEP);
        return;
 /*
@@ -419,7 +407,7 @@ no_context:
 * Oops. The kernel tried to access some bad page. We'll have to
 * terminate things with extreme prejudice.
 */
-        if (user_address == 0)
+        if (space == 0)
                printk(KERN_ALERT "Unable to handle kernel pointer dereference"
                       " at virtual kernel address %p\n", (void *)address);
        else
@@ -462,13 +450,14 @@ do_sigbus:
                goto no_context;
 }
-void do_protection_exception(struct pt_regs *regs, unsigned long error_code)
+void __kprobes do_protection_exception(struct pt_regs *regs,
+                                       unsigned long error_code)
 {
        regs->psw.addr -= (error_code >> 16);
        do_exception(regs, 4, 1);
 }
-void do_dat_exception(struct pt_regs *regs, unsigned long error_code)
+void __kprobes do_dat_exception(struct pt_regs *regs, unsigned long error_code)
 {
        do_exception(regs, error_code & 0xff, 0);
 }
author	Gerald Schaefer <geraldsc@de.ibm.com>	2007-03-05 17:35:54 -0500
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2007-03-05 17:35:54 -0500
commit	482b05dd533da162fa8d04c61712fae297bea3e0 (patch)
tree	d8c93f1557927b7a00ca07c2e07b7de8b0fa7772 /arch/s390/mm/fault.c
parent	046f3e821f146d6c473edb033af15a0604957af8 (diff)

diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c index 641aef36ccc4..7462aebd3eb6 100644 --- a/arch/s390/mm/fault.c +++ b/arch/s390/mm/fault.c
@@ -108,53 +108,40 @@ void bust_spinlocks(int yes)
108	}	108	}
109		109
110	/*	110	/*
111	* Check which address space is addressed by the access	111	* Returns the address space associated with the fault.
112	* register in S390_lowcore.exc_access_id.	112	* Returns 0 for kernel space, 1 for user space and
113	* Returns 1 for user space and 0 for kernel space.	113	* 2 for code execution in user space with noexec=on.
114	*/	114	*/
115	static int __check_access_register(struct pt_regs *regs, int error_code)	115	static inline int check_space(struct task_struct *tsk)
116	{
117	int areg = S390_lowcore.exc_access_id;
118
119	if (areg == 0)
120	/* Access via access register 0 -> kernel address */
121	return 0;
122	save_access_regs(current->thread.acrs);
123	if (regs && areg < NUM_ACRS && current->thread.acrs[areg] <= 1)
124	/*
125	* access register contains 0 -> kernel address,
126	* access register contains 1 -> user space address
127	*/
128	return current->thread.acrs[areg];
129
130	/* Something unhealthy was done with the access registers... */
131	die("page fault via unknown access register", regs, error_code);
132	do_exit(SIGKILL);
133	return 0;
134	}
135
136	/*
137	* Check which address space the address belongs to.
138	* May return 1 or 2 for user space and 0 for kernel space.
139	* Returns 2 for user space in primary addressing mode with
140	* CONFIG_S390_EXEC_PROTECT on and kernel parameter noexec=on.
141	*/
142	static inline int check_user_space(struct pt_regs *regs, int error_code)
143	{	116	{
144	/*	117	/*
145	* The lowest two bits of S390_lowcore.trans_exc_code indicate	118	* The lowest two bits of S390_lowcore.trans_exc_code
146	* which paging table was used:	119	* indicate which paging table was used.
147	* 0: Primary Segment Table Descriptor
148	* 1: STD determined via access register
149	* 2: Secondary Segment Table Descriptor
150	* 3: Home Segment Table Descriptor
151	*/	120	*/
152	int descriptor = S390_lowcore.trans_exc_code & 3;	121	int desc = S390_lowcore.trans_exc_code & 3;
153	if (unlikely(descriptor == 1))	122
154	return __check_access_register(regs, error_code);	123	if (desc == 3) /* Home Segment Table Descriptor */
155	if (descriptor == 2)	124	return switch_amode == 0;
156	return current->thread.mm_segment.ar4;	125	if (desc == 2) /* Secondary Segment Table Descriptor */
157	return ((descriptor != 0) ^ (switch_amode)) << s390_noexec;	126	return tsk->thread.mm_segment.ar4;
		127	#ifdef CONFIG_S390_SWITCH_AMODE
		128	if (unlikely(desc == 1)) { /* STD determined via access register */
		129	/* %a0 always indicates primary space. */
		130	if (S390_lowcore.exc_access_id != 0) {
		131	save_access_regs(tsk->thread.acrs);
		132	/*
		133	* An alet of 0 indicates primary space.
		134	* An alet of 1 indicates secondary space.
		135	* Any other alet values generate an
		136	* alen-translation exception.
		137	*/
		138	if (tsk->thread.acrs[S390_lowcore.exc_access_id])
		139	return tsk->thread.mm_segment.ar4;
		140	}
		141	}
		142	#endif
		143	/* Primary Segment Table Descriptor */
		144	return switch_amode << s390_noexec;
158	}	145	}
159		146
160	/*	147	/*
@@ -265,16 +252,16 @@ out_fault:
265	* 11 Page translation -> Not present (nullification)	252	* 11 Page translation -> Not present (nullification)
266	* 3b Region third trans. -> Not present (nullification)	253	* 3b Region third trans. -> Not present (nullification)
267	*/	254	*/
268	static inline void __kprobes	255	static inline void
269	do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)	256	do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
270	{	257	{
271	struct task_struct *tsk;	258	struct task_struct *tsk;
272	struct mm_struct *mm;	259	struct mm_struct *mm;
273	struct vm_area_struct * vma;	260	struct vm_area_struct * vma;
274	unsigned long address;	261	unsigned long address;
275	int user_address;
276	const struct exception_table_entry *fixup;	262	const struct exception_table_entry *fixup;
277	int si_code = SEGV_MAPERR;	263	int si_code;
		264	int space;
278		265
279	tsk = current;	266	tsk = current;
280	mm = tsk->mm;	267	mm = tsk->mm;
@@ -294,7 +281,7 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
294	NULL pointer write access in kernel mode. */	281	NULL pointer write access in kernel mode. */
295	if (!(regs->psw.mask & PSW_MASK_PSTATE)) {	282	if (!(regs->psw.mask & PSW_MASK_PSTATE)) {
296	address = 0;	283	address = 0;
297	user_address = 0;	284	space = 0;
298	goto no_context;	285	goto no_context;
299	}	286	}
300		287
@@ -309,15 +296,15 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
309	* the address	296	* the address
310	*/	297	*/
311	address = S390_lowcore.trans_exc_code & __FAIL_ADDR_MASK;	298	address = S390_lowcore.trans_exc_code & __FAIL_ADDR_MASK;
312	user_address = check_user_space(regs, error_code);	299	space = check_space(tsk);
313		300
314	/*	301	/*
315	* Verify that the fault happened in user space, that	302	* Verify that the fault happened in user space, that
316	* we are not in an interrupt and that there is a	303	* we are not in an interrupt and that there is a
317	* user context.	304	* user context.
318	*/	305	*/
319	if (user_address == 0 \|\| in_atomic() \|\| !mm)	306	if (unlikely(space == 0 \|\| in_atomic() \|\| !mm))
320	goto no_context;	307	goto no_context;
321		308
322	/*	309	/*
323	* When we get here, the fault happened in the current	310	* When we get here, the fault happened in the current
@@ -328,12 +315,13 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int is_protection)
328		315
329	down_read(&mm->mmap_sem);	316	down_read(&mm->mmap_sem);
330		317
331	vma = find_vma(mm, address);	318	si_code = SEGV_MAPERR;
332	if (!vma)	319	vma = find_vma(mm, address);
333	goto bad_area;	320	if (!vma)
		321	goto bad_area;
334		322
335	#ifdef CONFIG_S390_EXEC_PROTECT	323	#ifdef CONFIG_S390_EXEC_PROTECT
336	if (unlikely((user_address == 2) && !(vma->vm_flags & VM_EXEC)))	324	if (unlikely((space == 2) && !(vma->vm_flags & VM_EXEC)))
337	if (!signal_return(mm, regs, address, error_code))	325	if (!signal_return(mm, regs, address, error_code))
338	/*	326	/*
339	* signal_return() has done an up_read(&mm->mmap_sem)	327	* signal_return() has done an up_read(&mm->mmap_sem)
@@ -389,7 +377,7 @@ survive:
389	* The instruction that caused the program check will	377	* The instruction that caused the program check will
390	* be repeated. Don't signal single step via SIGTRAP.	378	* be repeated. Don't signal single step via SIGTRAP.
391	*/	379	*/
392	clear_tsk_thread_flag(current, TIF_SINGLE_STEP);	380	clear_tsk_thread_flag(tsk, TIF_SINGLE_STEP);
393	return;	381	return;
394		382
395	/*	383	/*
@@ -419,7 +407,7 @@ no_context:
419	* Oops. The kernel tried to access some bad page. We'll have to	407	* Oops. The kernel tried to access some bad page. We'll have to
420	* terminate things with extreme prejudice.	408	* terminate things with extreme prejudice.
421	*/	409	*/
422	if (user_address == 0)	410	if (space == 0)
423	printk(KERN_ALERT "Unable to handle kernel pointer dereference"	411	printk(KERN_ALERT "Unable to handle kernel pointer dereference"
424	" at virtual kernel address %p\n", (void *)address);	412	" at virtual kernel address %p\n", (void *)address);
425	else	413	else
@@ -462,13 +450,14 @@ do_sigbus:
462	goto no_context;	450	goto no_context;
463	}	451	}
464		452
465	void do_protection_exception(struct pt_regs *regs, unsigned long error_code)	453	void __kprobes do_protection_exception(struct pt_regs *regs,
		454	unsigned long error_code)
466	{	455	{
467	regs->psw.addr -= (error_code >> 16);	456	regs->psw.addr -= (error_code >> 16);
468	do_exception(regs, 4, 1);	457	do_exception(regs, 4, 1);
469	}	458	}
470		459
471	void do_dat_exception(struct pt_regs *regs, unsigned long error_code)	460	void __kprobes do_dat_exception(struct pt_regs *regs, unsigned long error_code)
472	{	461	{
473	do_exception(regs, error_code & 0xff, 0);	462	do_exception(regs, error_code & 0xff, 0);
474	}	463	}