x86, trace: Fix CR2 corruption when tracing page faults

The trace_do_page_fault function trigger tracepoint and then handles the actual page fault. This could lead to error if the tracepoint caused page fault. The original cr2 value gets lost and the original page fault handler kills current process with SIGSEGV. This happens if you record page faults with callchain data, the user part of it will cause tracepoint handler to page fault: # perf record -g -e exceptions:page_fault_user ls Fixing this by saving the original cr2 value and using it after tracepoint handler is done. v2: Moving the cr2 read before exception_enter, because it could trigger tracepoint as well. Reported-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Reported-by: Vince Weaver <vincent.weaver@maine.edu> Tested-by: Vince Weaver <vincent.weaver@maine.edu> Acked-by: Steven Rostedt <rostedt@goodmis.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Paul Mackerras <paulus@samba.org> Cc: Seiji Aguchi <seiji.aguchi@hds.com> Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1402211701380.6395@vincent-weaver-1.um.maine.edu Link: http://lkml.kernel.org/r/20140228160526.GD1133@krava.brq.redhat.com
author: Jiri Olsa <jolsa@redhat.com> 2014-02-28 11:05:26 -0500
committer: H. Peter Anvin <hpa@linux.intel.com> 2014-03-04 19:00:14 -0500
commit: 0ac09f9f8cd1fb028a48330edba6023d347d3cea (patch)
tree: 6c0552e39b416d90334dd488fe7ce82e3318bb46 /arch/x86
parent: 3c0b566334c9942c89927bd1b5ad2f32baab81fa (diff)
1 files changed, 13 insertions, 7 deletions
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 6dea040cc3a1..e7fa28bf3262 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1022,11 +1022,11 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
 * routines.
 */
 static void __kprobes
-__do_page_fault(struct pt_regs *regs, unsigned long error_code)
+__do_page_fault(struct pt_regs *regs, unsigned long error_code,
+                unsigned long address)
 {
        struct vm_area_struct *vma;
        struct task_struct *tsk;
-        unsigned long address;
        struct mm_struct *mm;
        int fault;
        unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
@@ -1034,9 +1034,6 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
        tsk = current;
        mm = tsk->mm;
-        /* Get the faulting address: */
-        address = read_cr2();
        /*
         * Detect and handle instructions that would cause a page fault for
         * both a tracked kernel page and a userspace page.
@@ -1252,9 +1249,11 @@ dotraplinkage void __kprobes
 do_page_fault(struct pt_regs *regs, unsigned long error_code)
 {
        enum ctx_state prev_state;
+        /* Get the faulting address: */
+        unsigned long address = read_cr2();
        prev_state = exception_enter();
-        __do_page_fault(regs, error_code);
+        __do_page_fault(regs, error_code, address);
        exception_exit(prev_state);
 }
@@ -1271,9 +1270,16 @@ dotraplinkage void __kprobes
 trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
 {
        enum ctx_state prev_state;
+        /*
+         * The exception_enter and tracepoint processing could
+         * trigger another page faults (user space callchain
+         * reading) and destroy the original cr2 value, so read
+         * the faulting address now.
+         */
+        unsigned long address = read_cr2();
        prev_state = exception_enter();
        trace_page_fault_entries(regs, error_code);
-        __do_page_fault(regs, error_code);
+        __do_page_fault(regs, error_code, address);
        exception_exit(prev_state);
 }
author	Jiri Olsa <jolsa@redhat.com>	2014-02-28 11:05:26 -0500
committer	H. Peter Anvin <hpa@linux.intel.com>	2014-03-04 19:00:14 -0500
commit	0ac09f9f8cd1fb028a48330edba6023d347d3cea (patch)
tree	6c0552e39b416d90334dd488fe7ce82e3318bb46 /arch/x86
parent	3c0b566334c9942c89927bd1b5ad2f32baab81fa (diff)