1 /* 2 * linux/arch/arm/mm/fault.c 3 * 4 * Copyright (C) 1995 Linus Torvalds 5 * Modifications for ARM processor (c) 1995-2004 Russell King 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 #include <linux/module.h> 12 #include <linux/signal.h> 13 #include <linux/mm.h> 14 #include <linux/hardirq.h> 15 #include <linux/init.h> 16 #include <linux/kprobes.h> 17 #include <linux/uaccess.h> 18 #include <linux/page-flags.h> 19 20 #include <asm/system.h> 21 #include <asm/pgtable.h> 22 #include <asm/tlbflush.h> 23 24 #include "fault.h" 25 26 27 #ifdef CONFIG_KPROBES 28 static inline int notify_page_fault(struct pt_regs *regs, unsigned int fsr) 29 { 30 int ret = 0; 31 32 if (!user_mode(regs)) { 33 /* kprobe_running() needs smp_processor_id() */ 34 preempt_disable(); 35 if (kprobe_running() && kprobe_fault_handler(regs, fsr)) 36 ret = 1; 37 preempt_enable(); 38 } 39 40 return ret; 41 } 42 #else 43 static inline int notify_page_fault(struct pt_regs *regs, unsigned int fsr) 44 { 45 return 0; 46 } 47 #endif 48 49 /* 50 * This is useful to dump out the page tables associated with 51 * 'addr' in mm 'mm'. 52 */ 53 void show_pte(struct mm_struct *mm, unsigned long addr) 54 { 55 pgd_t *pgd; 56 57 if (!mm) 58 mm = &init_mm; 59 60 printk(KERN_ALERT "pgd = %p\n", mm->pgd); 61 pgd = pgd_offset(mm, addr); 62 printk(KERN_ALERT "[%08lx] *pgd=%08lx", addr, pgd_val(*pgd)); 63 64 do { 65 pmd_t *pmd; 66 pte_t *pte; 67 68 if (pgd_none(*pgd)) 69 break; 70 71 if (pgd_bad(*pgd)) { 72 printk("(bad)"); 73 break; 74 } 75 76 pmd = pmd_offset(pgd, addr); 77 if (PTRS_PER_PMD != 1) 78 printk(", *pmd=%08lx", pmd_val(*pmd)); 79 80 if (pmd_none(*pmd)) 81 break; 82 83 if (pmd_bad(*pmd)) { 84 printk("(bad)"); 85 break; 86 } 87 88 /* We must not map this if we have highmem enabled */ 89 if (PageHighMem(pfn_to_page(pmd_val(*pmd) >> PAGE_SHIFT))) 90 break; 91 92 pte = pte_offset_map(pmd, addr); 93 printk(", *pte=%08lx", pte_val(*pte)); 94 printk(", *ppte=%08lx", pte_val(pte[-PTRS_PER_PTE])); 95 pte_unmap(pte); 96 } while(0); 97 98 printk("\n"); 99 } 100 101 /* 102 * Oops. The kernel tried to access some page that wasn't present. 103 */ 104 static void 105 __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr, 106 struct pt_regs *regs) 107 { 108 /* 109 * Are we prepared to handle this kernel fault? 110 */ 111 if (fixup_exception(regs)) 112 return; 113 114 /* 115 * No handler, we'll have to terminate things with extreme prejudice. 116 */ 117 bust_spinlocks(1); 118 printk(KERN_ALERT 119 "Unable to handle kernel %s at virtual address %08lx\n", 120 (addr < PAGE_SIZE) ? "NULL pointer dereference" : 121 "paging request", addr); 122 123 show_pte(mm, addr); 124 die("Oops", regs, fsr); 125 bust_spinlocks(0); 126 do_exit(SIGKILL); 127 } 128 129 /* 130 * Something tried to access memory that isn't in our memory map.. 131 * User mode accesses just cause a SIGSEGV 132 */ 133 static void 134 __do_user_fault(struct task_struct *tsk, unsigned long addr, 135 unsigned int fsr, unsigned int sig, int code, 136 struct pt_regs *regs) 137 { 138 struct siginfo si; 139 140 #ifdef CONFIG_DEBUG_USER 141 if (user_debug & UDBG_SEGV) { 142 printk(KERN_DEBUG "%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n", 143 tsk->comm, sig, addr, fsr); 144 show_pte(tsk->mm, addr); 145 show_regs(regs); 146 } 147 #endif 148 149 tsk->thread.address = addr; 150 tsk->thread.error_code = fsr; 151 tsk->thread.trap_no = 14; 152 si.si_signo = sig; 153 si.si_errno = 0; 154 si.si_code = code; 155 si.si_addr = (void __user *)addr; 156 force_sig_info(sig, &si, tsk); 157 } 158 159 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) 160 { 161 struct task_struct *tsk = current; 162 struct mm_struct *mm = tsk->active_mm; 163 164 /* 165 * If we are in kernel mode at this point, we 166 * have no context to handle this fault with. 167 */ 168 if (user_mode(regs)) 169 __do_user_fault(tsk, addr, fsr, SIGSEGV, SEGV_MAPERR, regs); 170 else 171 __do_kernel_fault(mm, addr, fsr, regs); 172 } 173 174 #define VM_FAULT_BADMAP 0x010000 175 #define VM_FAULT_BADACCESS 0x020000 176 177 static int 178 __do_page_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr, 179 struct task_struct *tsk) 180 { 181 struct vm_area_struct *vma; 182 int fault, mask; 183 184 vma = find_vma(mm, addr); 185 fault = VM_FAULT_BADMAP; 186 if (!vma) 187 goto out; 188 if (vma->vm_start > addr) 189 goto check_stack; 190 191 /* 192 * Ok, we have a good vm_area for this 193 * memory access, so we can handle it. 194 */ 195 good_area: 196 if (fsr & (1 << 11)) /* write? */ 197 mask = VM_WRITE; 198 else 199 mask = VM_READ|VM_EXEC|VM_WRITE; 200 201 fault = VM_FAULT_BADACCESS; 202 if (!(vma->vm_flags & mask)) 203 goto out; 204 205 /* 206 * If for any reason at all we couldn't handle 207 * the fault, make sure we exit gracefully rather 208 * than endlessly redo the fault. 209 */ 210 survive: 211 fault = handle_mm_fault(mm, vma, addr & PAGE_MASK, fsr & (1 << 11)); 212 if (unlikely(fault & VM_FAULT_ERROR)) { 213 if (fault & VM_FAULT_OOM) 214 goto out_of_memory; 215 else if (fault & VM_FAULT_SIGBUS) 216 return fault; 217 BUG(); 218 } 219 if (fault & VM_FAULT_MAJOR) 220 tsk->maj_flt++; 221 else 222 tsk->min_flt++; 223 return fault; 224 225 out_of_memory: 226 if (!is_global_init(tsk)) 227 goto out; 228 229 /* 230 * If we are out of memory for pid1, sleep for a while and retry 231 */ 232 up_read(&mm->mmap_sem); 233 yield(); 234 down_read(&mm->mmap_sem); 235 goto survive; 236 237 check_stack: 238 if (vma->vm_flags & VM_GROWSDOWN && !expand_stack(vma, addr)) 239 goto good_area; 240 out: 241 return fault; 242 } 243 244 static int __kprobes 245 do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) 246 { 247 struct task_struct *tsk; 248 struct mm_struct *mm; 249 int fault, sig, code; 250 251 if (notify_page_fault(regs, fsr)) 252 return 0; 253 254 tsk = current; 255 mm = tsk->mm; 256 257 /* 258 * If we're in an interrupt or have no user 259 * context, we must not take the fault.. 260 */ 261 if (in_atomic() || !mm) 262 goto no_context; 263 264 /* 265 * As per x86, we may deadlock here. However, since the kernel only 266 * validly references user space from well defined areas of the code, 267 * we can bug out early if this is from code which shouldn't. 268 */ 269 if (!down_read_trylock(&mm->mmap_sem)) { 270 if (!user_mode(regs) && !search_exception_tables(regs->ARM_pc)) 271 goto no_context; 272 down_read(&mm->mmap_sem); 273 } 274 275 fault = __do_page_fault(mm, addr, fsr, tsk); 276 up_read(&mm->mmap_sem); 277 278 /* 279 * Handle the "normal" case first - VM_FAULT_MAJOR / VM_FAULT_MINOR 280 */ 281 if (likely(!(fault & (VM_FAULT_ERROR | VM_FAULT_BADMAP | VM_FAULT_BADACCESS)))) 282 return 0; 283 284 /* 285 * If we are in kernel mode at this point, we 286 * have no context to handle this fault with. 287 */ 288 if (!user_mode(regs)) 289 goto no_context; 290 291 if (fault & VM_FAULT_OOM) { 292 /* 293 * We ran out of memory, or some other thing 294 * happened to us that made us unable to handle 295 * the page fault gracefully. 296 */ 297 printk("VM: killing process %s\n", tsk->comm); 298 do_group_exit(SIGKILL); 299 return 0; 300 } 301 if (fault & VM_FAULT_SIGBUS) { 302 /* 303 * We had some memory, but were unable to 304 * successfully fix up this page fault. 305 */ 306 sig = SIGBUS; 307 code = BUS_ADRERR; 308 } else { 309 /* 310 * Something tried to access memory that 311 * isn't in our memory map.. 312 */ 313 sig = SIGSEGV; 314 code = fault == VM_FAULT_BADACCESS ? 315 SEGV_ACCERR : SEGV_MAPERR; 316 } 317 318 __do_user_fault(tsk, addr, fsr, sig, code, regs); 319 return 0; 320 321 no_context: 322 __do_kernel_fault(mm, addr, fsr, regs); 323 return 0; 324 } 325 326 /* 327 * First Level Translation Fault Handler 328 * 329 * We enter here because the first level page table doesn't contain 330 * a valid entry for the address. 331 * 332 * If the address is in kernel space (>= TASK_SIZE), then we are 333 * probably faulting in the vmalloc() area. 334 * 335 * If the init_task's first level page tables contains the relevant 336 * entry, we copy the it to this task. If not, we send the process 337 * a signal, fixup the exception, or oops the kernel. 338 * 339 * NOTE! We MUST NOT take any locks for this case. We may be in an 340 * interrupt or a critical region, and should only copy the information 341 * from the master page table, nothing more. 342 */ 343 static int __kprobes 344 do_translation_fault(unsigned long addr, unsigned int fsr, 345 struct pt_regs *regs) 346 { 347 unsigned int index; 348 pgd_t *pgd, *pgd_k; 349 pmd_t *pmd, *pmd_k; 350 351 if (addr < TASK_SIZE) 352 return do_page_fault(addr, fsr, regs); 353 354 index = pgd_index(addr); 355 356 /* 357 * FIXME: CP15 C1 is write only on ARMv3 architectures. 358 */ 359 pgd = cpu_get_pgd() + index; 360 pgd_k = init_mm.pgd + index; 361 362 if (pgd_none(*pgd_k)) 363 goto bad_area; 364 365 if (!pgd_present(*pgd)) 366 set_pgd(pgd, *pgd_k); 367 368 pmd_k = pmd_offset(pgd_k, addr); 369 pmd = pmd_offset(pgd, addr); 370 371 if (pmd_none(*pmd_k)) 372 goto bad_area; 373 374 copy_pmd(pmd, pmd_k); 375 return 0; 376 377 bad_area: 378 do_bad_area(addr, fsr, regs); 379 return 0; 380 } 381 382 /* 383 * Some section permission faults need to be handled gracefully. 384 * They can happen due to a __{get,put}_user during an oops. 385 */ 386 static int 387 do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) 388 { 389 do_bad_area(addr, fsr, regs); 390 return 0; 391 } 392 393 /* 394 * This abort handler always returns "fault". 395 */ 396 static int 397 do_bad(unsigned long addr, unsigned int fsr, struct pt_regs *regs) 398 { 399 return 1; 400 } 401 402 static struct fsr_info { 403 int (*fn)(unsigned long addr, unsigned int fsr, struct pt_regs *regs); 404 int sig; 405 int code; 406 const char *name; 407 } fsr_info[] = { 408 /* 409 * The following are the standard ARMv3 and ARMv4 aborts. ARMv5 410 * defines these to be "precise" aborts. 411 */ 412 { do_bad, SIGSEGV, 0, "vector exception" }, 413 { do_bad, SIGILL, BUS_ADRALN, "alignment exception" }, 414 { do_bad, SIGKILL, 0, "terminal exception" }, 415 { do_bad, SIGILL, BUS_ADRALN, "alignment exception" }, 416 { do_bad, SIGBUS, 0, "external abort on linefetch" }, 417 { do_translation_fault, SIGSEGV, SEGV_MAPERR, "section translation fault" }, 418 { do_bad, SIGBUS, 0, "external abort on linefetch" }, 419 { do_page_fault, SIGSEGV, SEGV_MAPERR, "page translation fault" }, 420 { do_bad, SIGBUS, 0, "external abort on non-linefetch" }, 421 { do_bad, SIGSEGV, SEGV_ACCERR, "section domain fault" }, 422 { do_bad, SIGBUS, 0, "external abort on non-linefetch" }, 423 { do_bad, SIGSEGV, SEGV_ACCERR, "page domain fault" }, 424 { do_bad, SIGBUS, 0, "external abort on translation" }, 425 { do_sect_fault, SIGSEGV, SEGV_ACCERR, "section permission fault" }, 426 { do_bad, SIGBUS, 0, "external abort on translation" }, 427 { do_page_fault, SIGSEGV, SEGV_ACCERR, "page permission fault" }, 428 /* 429 * The following are "imprecise" aborts, which are signalled by bit 430 * 10 of the FSR, and may not be recoverable. These are only 431 * supported if the CPU abort handler supports bit 10. 432 */ 433 { do_bad, SIGBUS, 0, "unknown 16" }, 434 { do_bad, SIGBUS, 0, "unknown 17" }, 435 { do_bad, SIGBUS, 0, "unknown 18" }, 436 { do_bad, SIGBUS, 0, "unknown 19" }, 437 { do_bad, SIGBUS, 0, "lock abort" }, /* xscale */ 438 { do_bad, SIGBUS, 0, "unknown 21" }, 439 { do_bad, SIGBUS, BUS_OBJERR, "imprecise external abort" }, /* xscale */ 440 { do_bad, SIGBUS, 0, "unknown 23" }, 441 { do_bad, SIGBUS, 0, "dcache parity error" }, /* xscale */ 442 { do_bad, SIGBUS, 0, "unknown 25" }, 443 { do_bad, SIGBUS, 0, "unknown 26" }, 444 { do_bad, SIGBUS, 0, "unknown 27" }, 445 { do_bad, SIGBUS, 0, "unknown 28" }, 446 { do_bad, SIGBUS, 0, "unknown 29" }, 447 { do_bad, SIGBUS, 0, "unknown 30" }, 448 { do_bad, SIGBUS, 0, "unknown 31" } 449 }; 450 451 void __init 452 hook_fault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *), 453 int sig, const char *name) 454 { 455 if (nr >= 0 && nr < ARRAY_SIZE(fsr_info)) { 456 fsr_info[nr].fn = fn; 457 fsr_info[nr].sig = sig; 458 fsr_info[nr].name = name; 459 } 460 } 461 462 /* 463 * Dispatch a data abort to the relevant handler. 464 */ 465 asmlinkage void __exception 466 do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs) 467 { 468 const struct fsr_info *inf = fsr_info + (fsr & 15) + ((fsr & (1 << 10)) >> 6); 469 struct siginfo info; 470 471 if (!inf->fn(addr, fsr, regs)) 472 return; 473 474 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n", 475 inf->name, fsr, addr); 476 477 info.si_signo = inf->sig; 478 info.si_errno = 0; 479 info.si_code = inf->code; 480 info.si_addr = (void __user *)addr; 481 arm_notify_die("", regs, &info, fsr, 0); 482 } 483 484 asmlinkage void __exception 485 do_PrefetchAbort(unsigned long addr, struct pt_regs *regs) 486 { 487 do_translation_fault(addr, 0, regs); 488 } 489 490