9 files changed, 90 insertions, 89 deletions
diff --git a/arch/x86/include/asm/irq_vectors.h b/arch/x86/include/asm/irq_vectors.h
index a563c509edcb..2c224e183b52 100644
--- a/arch/x86/include/asm/irq_vectors.h
+++ b/arch/x86/include/asm/irq_vectors.h
@@ -17,7 +17,6 @@
 *  Vectors   0 ...  31 : system traps and exceptions - hardcoded events
 *  Vectors  32 ... 127 : device interrupts
 *  Vector  128         : legacy int80 syscall interface
- *  Vector  204         : legacy x86_64 vsyscall emulation
 *  Vectors 129 ... INVALIDATE_TLB_VECTOR_START-1 except 204 : device interrupts
 *  Vectors INVALIDATE_TLB_VECTOR_START ... 255 : special interrupts
 *
@@ -51,9 +50,6 @@
 #ifdef CONFIG_X86_32
 # define SYSCALL_VECTOR                 0x80
 #endif
-#ifdef CONFIG_X86_64
-# define VSYSCALL_EMU_VECTOR            0xcc
-#endif
 /*
 * Vectors 0x30-0x3f are used for ISA interrupts.
diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
index 2bae0a513b40..0012d0902c5f 100644
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -40,7 +40,6 @@ asmlinkage void alignment_check(void);
 asmlinkage void machine_check(void);
 #endif /* CONFIG_X86_MCE */
 asmlinkage void simd_coprocessor_error(void);
-asmlinkage void emulate_vsyscall(void);
 dotraplinkage void do_divide_error(struct pt_regs *, long);
 dotraplinkage void do_debug(struct pt_regs *, long);
@@ -67,7 +66,6 @@ dotraplinkage void do_alignment_check(struct pt_regs *, long);
 dotraplinkage void do_machine_check(struct pt_regs *, long);
 #endif
 dotraplinkage void do_simd_coprocessor_error(struct pt_regs *, long);
-dotraplinkage void do_emulate_vsyscall(struct pt_regs *, long);
 #ifdef CONFIG_X86_32
 dotraplinkage void do_iret_error(struct pt_regs *, long);
 #endif
diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h
index 60107072c28b..eaea1d31f753 100644
--- a/arch/x86/include/asm/vsyscall.h
+++ b/arch/x86/include/asm/vsyscall.h
@@ -27,6 +27,12 @@ extern struct timezone sys_tz;
 extern void map_vsyscall(void);
+/*
+ * Called on instruction fetch fault in vsyscall page.
+ * Returns true if handled.
+ */
+extern bool emulate_vsyscall(struct pt_regs *regs, unsigned long address);
 #endif /* __KERNEL__ */
 #endif /* _ASM_X86_VSYSCALL_H */
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index e949793d6b93..46792d900018 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1123,7 +1123,6 @@ zeroentry spurious_interrupt_bug do_spurious_interrupt_bug
 zeroentry coprocessor_error do_coprocessor_error
 errorentry alignment_check do_alignment_check
 zeroentry simd_coprocessor_error do_simd_coprocessor_error
-zeroentry emulate_vsyscall do_emulate_vsyscall
        /* Reload gs selector with exception handling */
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index fbc097a085ca..b9b67166f9de 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -872,12 +872,6 @@ void __init trap_init(void)
        set_bit(SYSCALL_VECTOR, used_vectors);
 #endif
-#ifdef CONFIG_X86_64
-        BUG_ON(test_bit(VSYSCALL_EMU_VECTOR, used_vectors));
-        set_system_intr_gate(VSYSCALL_EMU_VECTOR, &emulate_vsyscall);
-        set_bit(VSYSCALL_EMU_VECTOR, used_vectors);
-#endif
        /*
         * Should be a barrier for any external CPU state:
         */
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 8f3a265476d7..0f703f10901a 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -71,7 +71,6 @@ PHDRS {
        text PT_LOAD FLAGS(5);          /* R_E */
        data PT_LOAD FLAGS(6);          /* RW_ */
 #ifdef CONFIG_X86_64
-        user PT_LOAD FLAGS(5);          /* R_E */
 #ifdef CONFIG_SMP
        percpu PT_LOAD FLAGS(6);        /* RW_ */
 #endif
@@ -174,38 +173,6 @@ SECTIONS
       . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
-#define VSYSCALL_ADDR (-10*1024*1024)
-#define VLOAD_OFFSET (VSYSCALL_ADDR - __vsyscall_0 + LOAD_OFFSET)
-#define VLOAD(x) (ADDR(x) - VLOAD_OFFSET)
-#define VVIRT_OFFSET (VSYSCALL_ADDR - __vsyscall_0)
-#define VVIRT(x) (ADDR(x) - VVIRT_OFFSET)
-        __vsyscall_0 = .;
-        . = VSYSCALL_ADDR;
-        .vsyscall : AT(VLOAD(.vsyscall)) {
-                /* work around gold bug 13023 */
-                __vsyscall_beginning_hack = .;
-                *(.vsyscall_0)
-                . = __vsyscall_beginning_hack + 1024;
-                *(.vsyscall_1)
-                . = __vsyscall_beginning_hack + 2048;
-                *(.vsyscall_2)
-                . = __vsyscall_beginning_hack + 4096;  /* Pad the whole page. */
-        } :user =0xcc
-        . = ALIGN(__vsyscall_0 + PAGE_SIZE, PAGE_SIZE);
-#undef VSYSCALL_ADDR
-#undef VLOAD_OFFSET
-#undef VLOAD
-#undef VVIRT_OFFSET
-#undef VVIRT
 #endif /* CONFIG_X86_64 */
        /* Init code and data - will be freed after init */
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index bf8e9ffee6e9..18ae83dd1cd7 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -56,6 +56,27 @@ DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
        .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
 };
+static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
+static int __init vsyscall_setup(char *str)
+{
+        if (str) {
+                if (!strcmp("emulate", str))
+                        vsyscall_mode = EMULATE;
+                else if (!strcmp("native", str))
+                        vsyscall_mode = NATIVE;
+                else if (!strcmp("none", str))
+                        vsyscall_mode = NONE;
+                else
+                        return -EINVAL;
+                return 0;
+        }
+        return -EINVAL;
+}
+early_param("vsyscall", vsyscall_setup);
 void update_vsyscall_tz(void)
 {
        unsigned long flags;
@@ -100,7 +121,7 @@ static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
        printk("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
               level, tsk->comm, task_pid_nr(tsk),
-               message, regs->ip - 2, regs->cs,
+               message, regs->ip, regs->cs,
               regs->sp, regs->ax, regs->si, regs->di);
 }
@@ -118,45 +139,39 @@ static int addr_to_vsyscall_nr(unsigned long addr)
        return nr;
 }
-void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
+bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 {
        struct task_struct *tsk;
        unsigned long caller;
        int vsyscall_nr;
        long ret;
-        local_irq_enable();
+        /*
+         * No point in checking CS -- the only way to get here is a user mode
+         * trap to a high address, which means that we're in 64-bit user code.
+         */
-        if (!user_64bit_mode(regs)) {
+        WARN_ON_ONCE(address != regs->ip);
-                /*
-                 * If we trapped from kernel mode, we might as well OOPS now
-                 * instead of returning to some random address and OOPSing
-                 * then.
-                 */
-                BUG_ON(!user_mode(regs));
-                /* Compat mode and non-compat 32-bit CS should both segfault. */
+        if (vsyscall_mode == NONE) {
-                warn_bad_vsyscall(KERN_WARNING, regs,
+                warn_bad_vsyscall(KERN_INFO, regs,
-                                  "illegal int 0xcc from 32-bit mode");
+                                  "vsyscall attempted with vsyscall=none");
-                goto sigsegv;
+                return false;
        }
-        /*
+        vsyscall_nr = addr_to_vsyscall_nr(address);
-         * x86-ism here: regs->ip points to the instruction after the int 0xcc,
-         * and int 0xcc is two bytes long.
-         */
-        vsyscall_nr = addr_to_vsyscall_nr(regs->ip - 2);
        trace_emulate_vsyscall(vsyscall_nr);
        if (vsyscall_nr < 0) {
                warn_bad_vsyscall(KERN_WARNING, regs,
-                                  "illegal int 0xcc (exploit attempt?)");
+                                  "misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround");
                goto sigsegv;
        }
        if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
-                warn_bad_vsyscall(KERN_WARNING, regs, "int 0xcc with bad stack (exploit attempt?)");
+                warn_bad_vsyscall(KERN_WARNING, regs,
+                                  "vsyscall with bad stack (exploit attempt?)");
                goto sigsegv;
        }
@@ -201,13 +216,11 @@ void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
        regs->ip = caller;
        regs->sp += 8;
-        local_irq_disable();
+        return true;
-        return;
 sigsegv:
-        regs->ip -= 2;  /* The faulting instruction should be the int 0xcc. */
        force_sig(SIGSEGV, current);
-        local_irq_disable();
+        return true;
 }
 /*
@@ -255,15 +268,21 @@ cpu_vsyscall_notifier(struct notifier_block *n, unsigned long action, void *arg)
 void __init map_vsyscall(void)
 {
-        extern char __vsyscall_0;
+        extern char __vsyscall_page;
-        unsigned long physaddr_page0 = __pa_symbol(&__vsyscall_0);
+        unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
        extern char __vvar_page;
        unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
-        /* Note that VSYSCALL_MAPPED_PAGES must agree with the code below. */
+        __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
-        __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_page0, PAGE_KERNEL_VSYSCALL);
+                     vsyscall_mode == NATIVE
+                     ? PAGE_KERNEL_VSYSCALL
+                     : PAGE_KERNEL_VVAR);
+        BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) !=
+                     (unsigned long)VSYSCALL_START);
        __set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
-        BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) != (unsigned long)VVAR_ADDRESS);
+        BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) !=
+                     (unsigned long)VVAR_ADDRESS);
 }
 static int __init vsyscall_init(void)
diff --git a/arch/x86/kernel/vsyscall_emu_64.S b/arch/x86/kernel/vsyscall_emu_64.S
index ffa845eae5ca..c9596a9af159 100644
--- a/arch/x86/kernel/vsyscall_emu_64.S
+++ b/arch/x86/kernel/vsyscall_emu_64.S
@@ -7,21 +7,31 @@
 */
 #include <linux/linkage.h>
 #include <asm/irq_vectors.h>
+#include <asm/page_types.h>
+#include <asm/unistd_64.h>
+__PAGE_ALIGNED_DATA
+        .globl __vsyscall_page
+        .balign PAGE_SIZE, 0xcc
+        .type __vsyscall_page, @object
+__vsyscall_page:
+        mov $__NR_gettimeofday, %rax
+        syscall
+        ret
-/* The unused parts of the page are filled with 0xcc by the linker script. */
+        .balign 1024, 0xcc
+        mov $__NR_time, %rax
+        syscall
+        ret
-.section .vsyscall_0, "a"
+        .balign 1024, 0xcc
-ENTRY(vsyscall_0)
+        mov $__NR_getcpu, %rax
-        int $VSYSCALL_EMU_VECTOR
+        syscall
-END(vsyscall_0)
+        ret
-.section .vsyscall_1, "a"
+        .balign 4096, 0xcc
-ENTRY(vsyscall_1)
-        int $VSYSCALL_EMU_VECTOR
-END(vsyscall_1)
-.section .vsyscall_2, "a"
+        .size __vsyscall_page, 4096
-ENTRY(vsyscall_2)
-        int $VSYSCALL_EMU_VECTOR
-END(vsyscall_2)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index c1d018238f32..e58935c25b94 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -720,6 +720,18 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
                if (is_errata100(regs, address))
                        return;
+#ifdef CONFIG_X86_64
+                /*
+                 * Instruction fetch faults in the vsyscall page might need
+                 * emulation.
+                 */
+                if (unlikely((error_code & PF_INSTR) &&
+                             ((address & ~0xfff) == VSYSCALL_START))) {
+                        if (emulate_vsyscall(regs, address))
+                                return;
+                }
+#endif
                if (unlikely(show_unhandled_signals))
                        show_signal_msg(regs, error_code, address, tsk);