1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Based on arch/arm/kernel/traps.c 4 * 5 * Copyright (C) 1995-2009 Russell King 6 * Copyright (C) 2012 ARM Ltd. 7 */ 8 9 #include <linux/bug.h> 10 #include <linux/context_tracking.h> 11 #include <linux/signal.h> 12 #include <linux/kallsyms.h> 13 #include <linux/kprobes.h> 14 #include <linux/spinlock.h> 15 #include <linux/uaccess.h> 16 #include <linux/hardirq.h> 17 #include <linux/kdebug.h> 18 #include <linux/module.h> 19 #include <linux/kexec.h> 20 #include <linux/delay.h> 21 #include <linux/init.h> 22 #include <linux/sched/signal.h> 23 #include <linux/sched/debug.h> 24 #include <linux/sched/task_stack.h> 25 #include <linux/sizes.h> 26 #include <linux/syscalls.h> 27 #include <linux/mm_types.h> 28 #include <linux/kasan.h> 29 30 #include <asm/atomic.h> 31 #include <asm/bug.h> 32 #include <asm/cpufeature.h> 33 #include <asm/daifflags.h> 34 #include <asm/debug-monitors.h> 35 #include <asm/esr.h> 36 #include <asm/exception.h> 37 #include <asm/extable.h> 38 #include <asm/insn.h> 39 #include <asm/kprobes.h> 40 #include <asm/patching.h> 41 #include <asm/traps.h> 42 #include <asm/smp.h> 43 #include <asm/stack_pointer.h> 44 #include <asm/stacktrace.h> 45 #include <asm/system_misc.h> 46 #include <asm/sysreg.h> 47 48 static bool __kprobes __check_eq(unsigned long pstate) 49 { 50 return (pstate & PSR_Z_BIT) != 0; 51 } 52 53 static bool __kprobes __check_ne(unsigned long pstate) 54 { 55 return (pstate & PSR_Z_BIT) == 0; 56 } 57 58 static bool __kprobes __check_cs(unsigned long pstate) 59 { 60 return (pstate & PSR_C_BIT) != 0; 61 } 62 63 static bool __kprobes __check_cc(unsigned long pstate) 64 { 65 return (pstate & PSR_C_BIT) == 0; 66 } 67 68 static bool __kprobes __check_mi(unsigned long pstate) 69 { 70 return (pstate & PSR_N_BIT) != 0; 71 } 72 73 static bool __kprobes __check_pl(unsigned long pstate) 74 { 75 return (pstate & PSR_N_BIT) == 0; 76 } 77 78 static bool __kprobes __check_vs(unsigned long pstate) 79 { 80 return (pstate & PSR_V_BIT) != 0; 81 } 82 83 static bool __kprobes __check_vc(unsigned long pstate) 84 { 85 return (pstate & PSR_V_BIT) == 0; 86 } 87 88 static bool __kprobes __check_hi(unsigned long pstate) 89 { 90 pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */ 91 return (pstate & PSR_C_BIT) != 0; 92 } 93 94 static bool __kprobes __check_ls(unsigned long pstate) 95 { 96 pstate &= ~(pstate >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */ 97 return (pstate & PSR_C_BIT) == 0; 98 } 99 100 static bool __kprobes __check_ge(unsigned long pstate) 101 { 102 pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */ 103 return (pstate & PSR_N_BIT) == 0; 104 } 105 106 static bool __kprobes __check_lt(unsigned long pstate) 107 { 108 pstate ^= (pstate << 3); /* PSR_N_BIT ^= PSR_V_BIT */ 109 return (pstate & PSR_N_BIT) != 0; 110 } 111 112 static bool __kprobes __check_gt(unsigned long pstate) 113 { 114 /*PSR_N_BIT ^= PSR_V_BIT */ 115 unsigned long temp = pstate ^ (pstate << 3); 116 117 temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */ 118 return (temp & PSR_N_BIT) == 0; 119 } 120 121 static bool __kprobes __check_le(unsigned long pstate) 122 { 123 /*PSR_N_BIT ^= PSR_V_BIT */ 124 unsigned long temp = pstate ^ (pstate << 3); 125 126 temp |= (pstate << 1); /*PSR_N_BIT |= PSR_Z_BIT */ 127 return (temp & PSR_N_BIT) != 0; 128 } 129 130 static bool __kprobes __check_al(unsigned long pstate) 131 { 132 return true; 133 } 134 135 /* 136 * Note that the ARMv8 ARM calls condition code 0b1111 "nv", but states that 137 * it behaves identically to 0b1110 ("al"). 138 */ 139 pstate_check_t * const aarch32_opcode_cond_checks[16] = { 140 __check_eq, __check_ne, __check_cs, __check_cc, 141 __check_mi, __check_pl, __check_vs, __check_vc, 142 __check_hi, __check_ls, __check_ge, __check_lt, 143 __check_gt, __check_le, __check_al, __check_al 144 }; 145 146 int show_unhandled_signals = 0; 147 148 static void dump_kernel_instr(const char *lvl, struct pt_regs *regs) 149 { 150 unsigned long addr = instruction_pointer(regs); 151 char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; 152 int i; 153 154 if (user_mode(regs)) 155 return; 156 157 for (i = -4; i < 1; i++) { 158 unsigned int val, bad; 159 160 bad = aarch64_insn_read(&((u32 *)addr)[i], &val); 161 162 if (!bad) 163 p += sprintf(p, i == 0 ? "(%08x) " : "%08x ", val); 164 else { 165 p += sprintf(p, "bad PC value"); 166 break; 167 } 168 } 169 170 printk("%sCode: %s\n", lvl, str); 171 } 172 173 #ifdef CONFIG_PREEMPT 174 #define S_PREEMPT " PREEMPT" 175 #elif defined(CONFIG_PREEMPT_RT) 176 #define S_PREEMPT " PREEMPT_RT" 177 #else 178 #define S_PREEMPT "" 179 #endif 180 181 #define S_SMP " SMP" 182 183 static int __die(const char *str, int err, struct pt_regs *regs) 184 { 185 static int die_counter; 186 int ret; 187 188 pr_emerg("Internal error: %s: %x [#%d]" S_PREEMPT S_SMP "\n", 189 str, err, ++die_counter); 190 191 /* trap and error numbers are mostly meaningless on ARM */ 192 ret = notify_die(DIE_OOPS, str, regs, err, 0, SIGSEGV); 193 if (ret == NOTIFY_STOP) 194 return ret; 195 196 print_modules(); 197 show_regs(regs); 198 199 dump_kernel_instr(KERN_EMERG, regs); 200 201 return ret; 202 } 203 204 static DEFINE_RAW_SPINLOCK(die_lock); 205 206 /* 207 * This function is protected against re-entrancy. 208 */ 209 void die(const char *str, struct pt_regs *regs, int err) 210 { 211 int ret; 212 unsigned long flags; 213 214 raw_spin_lock_irqsave(&die_lock, flags); 215 216 oops_enter(); 217 218 console_verbose(); 219 bust_spinlocks(1); 220 ret = __die(str, err, regs); 221 222 if (regs && kexec_should_crash(current)) 223 crash_kexec(regs); 224 225 bust_spinlocks(0); 226 add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); 227 oops_exit(); 228 229 if (in_interrupt()) 230 panic("%s: Fatal exception in interrupt", str); 231 if (panic_on_oops) 232 panic("%s: Fatal exception", str); 233 234 raw_spin_unlock_irqrestore(&die_lock, flags); 235 236 if (ret != NOTIFY_STOP) 237 make_task_dead(SIGSEGV); 238 } 239 240 static void arm64_show_signal(int signo, const char *str) 241 { 242 static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, 243 DEFAULT_RATELIMIT_BURST); 244 struct task_struct *tsk = current; 245 unsigned long esr = tsk->thread.fault_code; 246 struct pt_regs *regs = task_pt_regs(tsk); 247 248 /* Leave if the signal won't be shown */ 249 if (!show_unhandled_signals || 250 !unhandled_signal(tsk, signo) || 251 !__ratelimit(&rs)) 252 return; 253 254 pr_info("%s[%d]: unhandled exception: ", tsk->comm, task_pid_nr(tsk)); 255 if (esr) 256 pr_cont("%s, ESR 0x%016lx, ", esr_get_class_string(esr), esr); 257 258 pr_cont("%s", str); 259 print_vma_addr(KERN_CONT " in ", regs->pc); 260 pr_cont("\n"); 261 __show_regs(regs); 262 } 263 264 void arm64_force_sig_fault(int signo, int code, unsigned long far, 265 const char *str) 266 { 267 arm64_show_signal(signo, str); 268 if (signo == SIGKILL) 269 force_sig(SIGKILL); 270 else 271 force_sig_fault(signo, code, (void __user *)far); 272 } 273 274 void arm64_force_sig_mceerr(int code, unsigned long far, short lsb, 275 const char *str) 276 { 277 arm64_show_signal(SIGBUS, str); 278 force_sig_mceerr(code, (void __user *)far, lsb); 279 } 280 281 void arm64_force_sig_ptrace_errno_trap(int errno, unsigned long far, 282 const char *str) 283 { 284 arm64_show_signal(SIGTRAP, str); 285 force_sig_ptrace_errno_trap(errno, (void __user *)far); 286 } 287 288 void arm64_notify_die(const char *str, struct pt_regs *regs, 289 int signo, int sicode, unsigned long far, 290 unsigned long err) 291 { 292 if (user_mode(regs)) { 293 WARN_ON(regs != current_pt_regs()); 294 current->thread.fault_address = 0; 295 current->thread.fault_code = err; 296 297 arm64_force_sig_fault(signo, sicode, far, str); 298 } else { 299 die(str, regs, err); 300 } 301 } 302 303 #ifdef CONFIG_COMPAT 304 #define PSTATE_IT_1_0_SHIFT 25 305 #define PSTATE_IT_1_0_MASK (0x3 << PSTATE_IT_1_0_SHIFT) 306 #define PSTATE_IT_7_2_SHIFT 10 307 #define PSTATE_IT_7_2_MASK (0x3f << PSTATE_IT_7_2_SHIFT) 308 309 static u32 compat_get_it_state(struct pt_regs *regs) 310 { 311 u32 it, pstate = regs->pstate; 312 313 it = (pstate & PSTATE_IT_1_0_MASK) >> PSTATE_IT_1_0_SHIFT; 314 it |= ((pstate & PSTATE_IT_7_2_MASK) >> PSTATE_IT_7_2_SHIFT) << 2; 315 316 return it; 317 } 318 319 static void compat_set_it_state(struct pt_regs *regs, u32 it) 320 { 321 u32 pstate_it; 322 323 pstate_it = (it << PSTATE_IT_1_0_SHIFT) & PSTATE_IT_1_0_MASK; 324 pstate_it |= ((it >> 2) << PSTATE_IT_7_2_SHIFT) & PSTATE_IT_7_2_MASK; 325 326 regs->pstate &= ~PSR_AA32_IT_MASK; 327 regs->pstate |= pstate_it; 328 } 329 330 static void advance_itstate(struct pt_regs *regs) 331 { 332 u32 it; 333 334 /* ARM mode */ 335 if (!(regs->pstate & PSR_AA32_T_BIT) || 336 !(regs->pstate & PSR_AA32_IT_MASK)) 337 return; 338 339 it = compat_get_it_state(regs); 340 341 /* 342 * If this is the last instruction of the block, wipe the IT 343 * state. Otherwise advance it. 344 */ 345 if (!(it & 7)) 346 it = 0; 347 else 348 it = (it & 0xe0) | ((it << 1) & 0x1f); 349 350 compat_set_it_state(regs, it); 351 } 352 #else 353 static void advance_itstate(struct pt_regs *regs) 354 { 355 } 356 #endif 357 358 void arm64_skip_faulting_instruction(struct pt_regs *regs, unsigned long size) 359 { 360 regs->pc += size; 361 362 /* 363 * If we were single stepping, we want to get the step exception after 364 * we return from the trap. 365 */ 366 if (user_mode(regs)) 367 user_fastforward_single_step(current); 368 369 if (compat_user_mode(regs)) 370 advance_itstate(regs); 371 else 372 regs->pstate &= ~PSR_BTYPE_MASK; 373 } 374 375 static LIST_HEAD(undef_hook); 376 static DEFINE_RAW_SPINLOCK(undef_lock); 377 378 void register_undef_hook(struct undef_hook *hook) 379 { 380 unsigned long flags; 381 382 raw_spin_lock_irqsave(&undef_lock, flags); 383 list_add(&hook->node, &undef_hook); 384 raw_spin_unlock_irqrestore(&undef_lock, flags); 385 } 386 387 void unregister_undef_hook(struct undef_hook *hook) 388 { 389 unsigned long flags; 390 391 raw_spin_lock_irqsave(&undef_lock, flags); 392 list_del(&hook->node); 393 raw_spin_unlock_irqrestore(&undef_lock, flags); 394 } 395 396 static int call_undef_hook(struct pt_regs *regs) 397 { 398 struct undef_hook *hook; 399 unsigned long flags; 400 u32 instr; 401 int (*fn)(struct pt_regs *regs, u32 instr) = NULL; 402 unsigned long pc = instruction_pointer(regs); 403 404 if (!user_mode(regs)) { 405 __le32 instr_le; 406 if (get_kernel_nofault(instr_le, (__le32 *)pc)) 407 goto exit; 408 instr = le32_to_cpu(instr_le); 409 } else if (compat_thumb_mode(regs)) { 410 /* 16-bit Thumb instruction */ 411 __le16 instr_le; 412 if (get_user(instr_le, (__le16 __user *)pc)) 413 goto exit; 414 instr = le16_to_cpu(instr_le); 415 if (aarch32_insn_is_wide(instr)) { 416 u32 instr2; 417 418 if (get_user(instr_le, (__le16 __user *)(pc + 2))) 419 goto exit; 420 instr2 = le16_to_cpu(instr_le); 421 instr = (instr << 16) | instr2; 422 } 423 } else { 424 /* 32-bit ARM instruction */ 425 __le32 instr_le; 426 if (get_user(instr_le, (__le32 __user *)pc)) 427 goto exit; 428 instr = le32_to_cpu(instr_le); 429 } 430 431 raw_spin_lock_irqsave(&undef_lock, flags); 432 list_for_each_entry(hook, &undef_hook, node) 433 if ((instr & hook->instr_mask) == hook->instr_val && 434 (regs->pstate & hook->pstate_mask) == hook->pstate_val) 435 fn = hook->fn; 436 437 raw_spin_unlock_irqrestore(&undef_lock, flags); 438 exit: 439 return fn ? fn(regs, instr) : 1; 440 } 441 442 void force_signal_inject(int signal, int code, unsigned long address, unsigned long err) 443 { 444 const char *desc; 445 struct pt_regs *regs = current_pt_regs(); 446 447 if (WARN_ON(!user_mode(regs))) 448 return; 449 450 switch (signal) { 451 case SIGILL: 452 desc = "undefined instruction"; 453 break; 454 case SIGSEGV: 455 desc = "illegal memory access"; 456 break; 457 default: 458 desc = "unknown or unrecoverable error"; 459 break; 460 } 461 462 /* Force signals we don't understand to SIGKILL */ 463 if (WARN_ON(signal != SIGKILL && 464 siginfo_layout(signal, code) != SIL_FAULT)) { 465 signal = SIGKILL; 466 } 467 468 arm64_notify_die(desc, regs, signal, code, address, err); 469 } 470 471 /* 472 * Set up process info to signal segmentation fault - called on access error. 473 */ 474 void arm64_notify_segfault(unsigned long addr) 475 { 476 int code; 477 478 mmap_read_lock(current->mm); 479 if (find_vma(current->mm, untagged_addr(addr)) == NULL) 480 code = SEGV_MAPERR; 481 else 482 code = SEGV_ACCERR; 483 mmap_read_unlock(current->mm); 484 485 force_signal_inject(SIGSEGV, code, addr, 0); 486 } 487 488 void do_undefinstr(struct pt_regs *regs) 489 { 490 /* check for AArch32 breakpoint instructions */ 491 if (!aarch32_break_handler(regs)) 492 return; 493 494 if (call_undef_hook(regs) == 0) 495 return; 496 497 BUG_ON(!user_mode(regs)); 498 force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0); 499 } 500 NOKPROBE_SYMBOL(do_undefinstr); 501 502 void do_bti(struct pt_regs *regs) 503 { 504 BUG_ON(!user_mode(regs)); 505 force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0); 506 } 507 NOKPROBE_SYMBOL(do_bti); 508 509 void do_ptrauth_fault(struct pt_regs *regs, unsigned long esr) 510 { 511 /* 512 * Unexpected FPAC exception or pointer authentication failure in 513 * the kernel: kill the task before it does any more harm. 514 */ 515 BUG_ON(!user_mode(regs)); 516 force_signal_inject(SIGILL, ILL_ILLOPN, regs->pc, esr); 517 } 518 NOKPROBE_SYMBOL(do_ptrauth_fault); 519 520 #define __user_cache_maint(insn, address, res) \ 521 if (address >= TASK_SIZE_MAX) { \ 522 res = -EFAULT; \ 523 } else { \ 524 uaccess_ttbr0_enable(); \ 525 asm volatile ( \ 526 "1: " insn ", %1\n" \ 527 " mov %w0, #0\n" \ 528 "2:\n" \ 529 _ASM_EXTABLE_UACCESS_ERR(1b, 2b, %w0) \ 530 : "=r" (res) \ 531 : "r" (address)); \ 532 uaccess_ttbr0_disable(); \ 533 } 534 535 static void user_cache_maint_handler(unsigned long esr, struct pt_regs *regs) 536 { 537 unsigned long tagged_address, address; 538 int rt = ESR_ELx_SYS64_ISS_RT(esr); 539 int crm = (esr & ESR_ELx_SYS64_ISS_CRM_MASK) >> ESR_ELx_SYS64_ISS_CRM_SHIFT; 540 int ret = 0; 541 542 tagged_address = pt_regs_read_reg(regs, rt); 543 address = untagged_addr(tagged_address); 544 545 switch (crm) { 546 case ESR_ELx_SYS64_ISS_CRM_DC_CVAU: /* DC CVAU, gets promoted */ 547 __user_cache_maint("dc civac", address, ret); 548 break; 549 case ESR_ELx_SYS64_ISS_CRM_DC_CVAC: /* DC CVAC, gets promoted */ 550 __user_cache_maint("dc civac", address, ret); 551 break; 552 case ESR_ELx_SYS64_ISS_CRM_DC_CVADP: /* DC CVADP */ 553 __user_cache_maint("sys 3, c7, c13, 1", address, ret); 554 break; 555 case ESR_ELx_SYS64_ISS_CRM_DC_CVAP: /* DC CVAP */ 556 __user_cache_maint("sys 3, c7, c12, 1", address, ret); 557 break; 558 case ESR_ELx_SYS64_ISS_CRM_DC_CIVAC: /* DC CIVAC */ 559 __user_cache_maint("dc civac", address, ret); 560 break; 561 case ESR_ELx_SYS64_ISS_CRM_IC_IVAU: /* IC IVAU */ 562 __user_cache_maint("ic ivau", address, ret); 563 break; 564 default: 565 force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0); 566 return; 567 } 568 569 if (ret) 570 arm64_notify_segfault(tagged_address); 571 else 572 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 573 } 574 575 static void ctr_read_handler(unsigned long esr, struct pt_regs *regs) 576 { 577 int rt = ESR_ELx_SYS64_ISS_RT(esr); 578 unsigned long val = arm64_ftr_reg_user_value(&arm64_ftr_reg_ctrel0); 579 580 if (cpus_have_const_cap(ARM64_WORKAROUND_1542419)) { 581 /* Hide DIC so that we can trap the unnecessary maintenance...*/ 582 val &= ~BIT(CTR_DIC_SHIFT); 583 584 /* ... and fake IminLine to reduce the number of traps. */ 585 val &= ~CTR_IMINLINE_MASK; 586 val |= (PAGE_SHIFT - 2) & CTR_IMINLINE_MASK; 587 } 588 589 pt_regs_write_reg(regs, rt, val); 590 591 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 592 } 593 594 static void cntvct_read_handler(unsigned long esr, struct pt_regs *regs) 595 { 596 int rt = ESR_ELx_SYS64_ISS_RT(esr); 597 598 pt_regs_write_reg(regs, rt, arch_timer_read_counter()); 599 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 600 } 601 602 static void cntfrq_read_handler(unsigned long esr, struct pt_regs *regs) 603 { 604 int rt = ESR_ELx_SYS64_ISS_RT(esr); 605 606 pt_regs_write_reg(regs, rt, arch_timer_get_rate()); 607 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 608 } 609 610 static void mrs_handler(unsigned long esr, struct pt_regs *regs) 611 { 612 u32 sysreg, rt; 613 614 rt = ESR_ELx_SYS64_ISS_RT(esr); 615 sysreg = esr_sys64_to_sysreg(esr); 616 617 if (do_emulate_mrs(regs, sysreg, rt) != 0) 618 force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0); 619 } 620 621 static void wfi_handler(unsigned long esr, struct pt_regs *regs) 622 { 623 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 624 } 625 626 struct sys64_hook { 627 unsigned long esr_mask; 628 unsigned long esr_val; 629 void (*handler)(unsigned long esr, struct pt_regs *regs); 630 }; 631 632 static const struct sys64_hook sys64_hooks[] = { 633 { 634 .esr_mask = ESR_ELx_SYS64_ISS_EL0_CACHE_OP_MASK, 635 .esr_val = ESR_ELx_SYS64_ISS_EL0_CACHE_OP_VAL, 636 .handler = user_cache_maint_handler, 637 }, 638 { 639 /* Trap read access to CTR_EL0 */ 640 .esr_mask = ESR_ELx_SYS64_ISS_SYS_OP_MASK, 641 .esr_val = ESR_ELx_SYS64_ISS_SYS_CTR_READ, 642 .handler = ctr_read_handler, 643 }, 644 { 645 /* Trap read access to CNTVCT_EL0 */ 646 .esr_mask = ESR_ELx_SYS64_ISS_SYS_OP_MASK, 647 .esr_val = ESR_ELx_SYS64_ISS_SYS_CNTVCT, 648 .handler = cntvct_read_handler, 649 }, 650 { 651 /* Trap read access to CNTVCTSS_EL0 */ 652 .esr_mask = ESR_ELx_SYS64_ISS_SYS_OP_MASK, 653 .esr_val = ESR_ELx_SYS64_ISS_SYS_CNTVCTSS, 654 .handler = cntvct_read_handler, 655 }, 656 { 657 /* Trap read access to CNTFRQ_EL0 */ 658 .esr_mask = ESR_ELx_SYS64_ISS_SYS_OP_MASK, 659 .esr_val = ESR_ELx_SYS64_ISS_SYS_CNTFRQ, 660 .handler = cntfrq_read_handler, 661 }, 662 { 663 /* Trap read access to CPUID registers */ 664 .esr_mask = ESR_ELx_SYS64_ISS_SYS_MRS_OP_MASK, 665 .esr_val = ESR_ELx_SYS64_ISS_SYS_MRS_OP_VAL, 666 .handler = mrs_handler, 667 }, 668 { 669 /* Trap WFI instructions executed in userspace */ 670 .esr_mask = ESR_ELx_WFx_MASK, 671 .esr_val = ESR_ELx_WFx_WFI_VAL, 672 .handler = wfi_handler, 673 }, 674 {}, 675 }; 676 677 #ifdef CONFIG_COMPAT 678 static bool cp15_cond_valid(unsigned long esr, struct pt_regs *regs) 679 { 680 int cond; 681 682 /* Only a T32 instruction can trap without CV being set */ 683 if (!(esr & ESR_ELx_CV)) { 684 u32 it; 685 686 it = compat_get_it_state(regs); 687 if (!it) 688 return true; 689 690 cond = it >> 4; 691 } else { 692 cond = (esr & ESR_ELx_COND_MASK) >> ESR_ELx_COND_SHIFT; 693 } 694 695 return aarch32_opcode_cond_checks[cond](regs->pstate); 696 } 697 698 static void compat_cntfrq_read_handler(unsigned long esr, struct pt_regs *regs) 699 { 700 int reg = (esr & ESR_ELx_CP15_32_ISS_RT_MASK) >> ESR_ELx_CP15_32_ISS_RT_SHIFT; 701 702 pt_regs_write_reg(regs, reg, arch_timer_get_rate()); 703 arm64_skip_faulting_instruction(regs, 4); 704 } 705 706 static const struct sys64_hook cp15_32_hooks[] = { 707 { 708 .esr_mask = ESR_ELx_CP15_32_ISS_SYS_MASK, 709 .esr_val = ESR_ELx_CP15_32_ISS_SYS_CNTFRQ, 710 .handler = compat_cntfrq_read_handler, 711 }, 712 {}, 713 }; 714 715 static void compat_cntvct_read_handler(unsigned long esr, struct pt_regs *regs) 716 { 717 int rt = (esr & ESR_ELx_CP15_64_ISS_RT_MASK) >> ESR_ELx_CP15_64_ISS_RT_SHIFT; 718 int rt2 = (esr & ESR_ELx_CP15_64_ISS_RT2_MASK) >> ESR_ELx_CP15_64_ISS_RT2_SHIFT; 719 u64 val = arch_timer_read_counter(); 720 721 pt_regs_write_reg(regs, rt, lower_32_bits(val)); 722 pt_regs_write_reg(regs, rt2, upper_32_bits(val)); 723 arm64_skip_faulting_instruction(regs, 4); 724 } 725 726 static const struct sys64_hook cp15_64_hooks[] = { 727 { 728 .esr_mask = ESR_ELx_CP15_64_ISS_SYS_MASK, 729 .esr_val = ESR_ELx_CP15_64_ISS_SYS_CNTVCT, 730 .handler = compat_cntvct_read_handler, 731 }, 732 { 733 .esr_mask = ESR_ELx_CP15_64_ISS_SYS_MASK, 734 .esr_val = ESR_ELx_CP15_64_ISS_SYS_CNTVCTSS, 735 .handler = compat_cntvct_read_handler, 736 }, 737 {}, 738 }; 739 740 void do_cp15instr(unsigned long esr, struct pt_regs *regs) 741 { 742 const struct sys64_hook *hook, *hook_base; 743 744 if (!cp15_cond_valid(esr, regs)) { 745 /* 746 * There is no T16 variant of a CP access, so we 747 * always advance PC by 4 bytes. 748 */ 749 arm64_skip_faulting_instruction(regs, 4); 750 return; 751 } 752 753 switch (ESR_ELx_EC(esr)) { 754 case ESR_ELx_EC_CP15_32: 755 hook_base = cp15_32_hooks; 756 break; 757 case ESR_ELx_EC_CP15_64: 758 hook_base = cp15_64_hooks; 759 break; 760 default: 761 do_undefinstr(regs); 762 return; 763 } 764 765 for (hook = hook_base; hook->handler; hook++) 766 if ((hook->esr_mask & esr) == hook->esr_val) { 767 hook->handler(esr, regs); 768 return; 769 } 770 771 /* 772 * New cp15 instructions may previously have been undefined at 773 * EL0. Fall back to our usual undefined instruction handler 774 * so that we handle these consistently. 775 */ 776 do_undefinstr(regs); 777 } 778 NOKPROBE_SYMBOL(do_cp15instr); 779 #endif 780 781 void do_sysinstr(unsigned long esr, struct pt_regs *regs) 782 { 783 const struct sys64_hook *hook; 784 785 for (hook = sys64_hooks; hook->handler; hook++) 786 if ((hook->esr_mask & esr) == hook->esr_val) { 787 hook->handler(esr, regs); 788 return; 789 } 790 791 /* 792 * New SYS instructions may previously have been undefined at EL0. Fall 793 * back to our usual undefined instruction handler so that we handle 794 * these consistently. 795 */ 796 do_undefinstr(regs); 797 } 798 NOKPROBE_SYMBOL(do_sysinstr); 799 800 static const char *esr_class_str[] = { 801 [0 ... ESR_ELx_EC_MAX] = "UNRECOGNIZED EC", 802 [ESR_ELx_EC_UNKNOWN] = "Unknown/Uncategorized", 803 [ESR_ELx_EC_WFx] = "WFI/WFE", 804 [ESR_ELx_EC_CP15_32] = "CP15 MCR/MRC", 805 [ESR_ELx_EC_CP15_64] = "CP15 MCRR/MRRC", 806 [ESR_ELx_EC_CP14_MR] = "CP14 MCR/MRC", 807 [ESR_ELx_EC_CP14_LS] = "CP14 LDC/STC", 808 [ESR_ELx_EC_FP_ASIMD] = "ASIMD", 809 [ESR_ELx_EC_CP10_ID] = "CP10 MRC/VMRS", 810 [ESR_ELx_EC_PAC] = "PAC", 811 [ESR_ELx_EC_CP14_64] = "CP14 MCRR/MRRC", 812 [ESR_ELx_EC_BTI] = "BTI", 813 [ESR_ELx_EC_ILL] = "PSTATE.IL", 814 [ESR_ELx_EC_SVC32] = "SVC (AArch32)", 815 [ESR_ELx_EC_HVC32] = "HVC (AArch32)", 816 [ESR_ELx_EC_SMC32] = "SMC (AArch32)", 817 [ESR_ELx_EC_SVC64] = "SVC (AArch64)", 818 [ESR_ELx_EC_HVC64] = "HVC (AArch64)", 819 [ESR_ELx_EC_SMC64] = "SMC (AArch64)", 820 [ESR_ELx_EC_SYS64] = "MSR/MRS (AArch64)", 821 [ESR_ELx_EC_SVE] = "SVE", 822 [ESR_ELx_EC_ERET] = "ERET/ERETAA/ERETAB", 823 [ESR_ELx_EC_FPAC] = "FPAC", 824 [ESR_ELx_EC_SME] = "SME", 825 [ESR_ELx_EC_IMP_DEF] = "EL3 IMP DEF", 826 [ESR_ELx_EC_IABT_LOW] = "IABT (lower EL)", 827 [ESR_ELx_EC_IABT_CUR] = "IABT (current EL)", 828 [ESR_ELx_EC_PC_ALIGN] = "PC Alignment", 829 [ESR_ELx_EC_DABT_LOW] = "DABT (lower EL)", 830 [ESR_ELx_EC_DABT_CUR] = "DABT (current EL)", 831 [ESR_ELx_EC_SP_ALIGN] = "SP Alignment", 832 [ESR_ELx_EC_FP_EXC32] = "FP (AArch32)", 833 [ESR_ELx_EC_FP_EXC64] = "FP (AArch64)", 834 [ESR_ELx_EC_SERROR] = "SError", 835 [ESR_ELx_EC_BREAKPT_LOW] = "Breakpoint (lower EL)", 836 [ESR_ELx_EC_BREAKPT_CUR] = "Breakpoint (current EL)", 837 [ESR_ELx_EC_SOFTSTP_LOW] = "Software Step (lower EL)", 838 [ESR_ELx_EC_SOFTSTP_CUR] = "Software Step (current EL)", 839 [ESR_ELx_EC_WATCHPT_LOW] = "Watchpoint (lower EL)", 840 [ESR_ELx_EC_WATCHPT_CUR] = "Watchpoint (current EL)", 841 [ESR_ELx_EC_BKPT32] = "BKPT (AArch32)", 842 [ESR_ELx_EC_VECTOR32] = "Vector catch (AArch32)", 843 [ESR_ELx_EC_BRK64] = "BRK (AArch64)", 844 }; 845 846 const char *esr_get_class_string(unsigned long esr) 847 { 848 return esr_class_str[ESR_ELx_EC(esr)]; 849 } 850 851 /* 852 * bad_el0_sync handles unexpected, but potentially recoverable synchronous 853 * exceptions taken from EL0. 854 */ 855 void bad_el0_sync(struct pt_regs *regs, int reason, unsigned long esr) 856 { 857 unsigned long pc = instruction_pointer(regs); 858 859 current->thread.fault_address = 0; 860 current->thread.fault_code = esr; 861 862 arm64_force_sig_fault(SIGILL, ILL_ILLOPC, pc, 863 "Bad EL0 synchronous exception"); 864 } 865 866 #ifdef CONFIG_VMAP_STACK 867 868 DEFINE_PER_CPU(unsigned long [OVERFLOW_STACK_SIZE/sizeof(long)], overflow_stack) 869 __aligned(16); 870 871 void panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far) 872 { 873 unsigned long tsk_stk = (unsigned long)current->stack; 874 unsigned long irq_stk = (unsigned long)this_cpu_read(irq_stack_ptr); 875 unsigned long ovf_stk = (unsigned long)this_cpu_ptr(overflow_stack); 876 877 console_verbose(); 878 pr_emerg("Insufficient stack space to handle exception!"); 879 880 pr_emerg("ESR: 0x%016lx -- %s\n", esr, esr_get_class_string(esr)); 881 pr_emerg("FAR: 0x%016lx\n", far); 882 883 pr_emerg("Task stack: [0x%016lx..0x%016lx]\n", 884 tsk_stk, tsk_stk + THREAD_SIZE); 885 pr_emerg("IRQ stack: [0x%016lx..0x%016lx]\n", 886 irq_stk, irq_stk + IRQ_STACK_SIZE); 887 pr_emerg("Overflow stack: [0x%016lx..0x%016lx]\n", 888 ovf_stk, ovf_stk + OVERFLOW_STACK_SIZE); 889 890 __show_regs(regs); 891 892 /* 893 * We use nmi_panic to limit the potential for recusive overflows, and 894 * to get a better stack trace. 895 */ 896 nmi_panic(NULL, "kernel stack overflow"); 897 cpu_park_loop(); 898 } 899 #endif 900 901 void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr) 902 { 903 console_verbose(); 904 905 pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n", 906 smp_processor_id(), esr, esr_get_class_string(esr)); 907 if (regs) 908 __show_regs(regs); 909 910 nmi_panic(regs, "Asynchronous SError Interrupt"); 911 912 cpu_park_loop(); 913 unreachable(); 914 } 915 916 bool arm64_is_fatal_ras_serror(struct pt_regs *regs, unsigned long esr) 917 { 918 unsigned long aet = arm64_ras_serror_get_severity(esr); 919 920 switch (aet) { 921 case ESR_ELx_AET_CE: /* corrected error */ 922 case ESR_ELx_AET_UEO: /* restartable, not yet consumed */ 923 /* 924 * The CPU can make progress. We may take UEO again as 925 * a more severe error. 926 */ 927 return false; 928 929 case ESR_ELx_AET_UEU: /* Uncorrected Unrecoverable */ 930 case ESR_ELx_AET_UER: /* Uncorrected Recoverable */ 931 /* 932 * The CPU can't make progress. The exception may have 933 * been imprecise. 934 * 935 * Neoverse-N1 #1349291 means a non-KVM SError reported as 936 * Unrecoverable should be treated as Uncontainable. We 937 * call arm64_serror_panic() in both cases. 938 */ 939 return true; 940 941 case ESR_ELx_AET_UC: /* Uncontainable or Uncategorized error */ 942 default: 943 /* Error has been silently propagated */ 944 arm64_serror_panic(regs, esr); 945 } 946 } 947 948 void do_serror(struct pt_regs *regs, unsigned long esr) 949 { 950 /* non-RAS errors are not containable */ 951 if (!arm64_is_ras_serror(esr) || arm64_is_fatal_ras_serror(regs, esr)) 952 arm64_serror_panic(regs, esr); 953 } 954 955 /* GENERIC_BUG traps */ 956 957 int is_valid_bugaddr(unsigned long addr) 958 { 959 /* 960 * bug_handler() only called for BRK #BUG_BRK_IMM. 961 * So the answer is trivial -- any spurious instances with no 962 * bug table entry will be rejected by report_bug() and passed 963 * back to the debug-monitors code and handled as a fatal 964 * unexpected debug exception. 965 */ 966 return 1; 967 } 968 969 static int bug_handler(struct pt_regs *regs, unsigned long esr) 970 { 971 switch (report_bug(regs->pc, regs)) { 972 case BUG_TRAP_TYPE_BUG: 973 die("Oops - BUG", regs, 0); 974 break; 975 976 case BUG_TRAP_TYPE_WARN: 977 break; 978 979 default: 980 /* unknown/unrecognised bug trap type */ 981 return DBG_HOOK_ERROR; 982 } 983 984 /* If thread survives, skip over the BUG instruction and continue: */ 985 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 986 return DBG_HOOK_HANDLED; 987 } 988 989 static struct break_hook bug_break_hook = { 990 .fn = bug_handler, 991 .imm = BUG_BRK_IMM, 992 }; 993 994 static int reserved_fault_handler(struct pt_regs *regs, unsigned long esr) 995 { 996 pr_err("%s generated an invalid instruction at %pS!\n", 997 "Kernel text patching", 998 (void *)instruction_pointer(regs)); 999 1000 /* We cannot handle this */ 1001 return DBG_HOOK_ERROR; 1002 } 1003 1004 static struct break_hook fault_break_hook = { 1005 .fn = reserved_fault_handler, 1006 .imm = FAULT_BRK_IMM, 1007 }; 1008 1009 #ifdef CONFIG_KASAN_SW_TAGS 1010 1011 #define KASAN_ESR_RECOVER 0x20 1012 #define KASAN_ESR_WRITE 0x10 1013 #define KASAN_ESR_SIZE_MASK 0x0f 1014 #define KASAN_ESR_SIZE(esr) (1 << ((esr) & KASAN_ESR_SIZE_MASK)) 1015 1016 static int kasan_handler(struct pt_regs *regs, unsigned long esr) 1017 { 1018 bool recover = esr & KASAN_ESR_RECOVER; 1019 bool write = esr & KASAN_ESR_WRITE; 1020 size_t size = KASAN_ESR_SIZE(esr); 1021 u64 addr = regs->regs[0]; 1022 u64 pc = regs->pc; 1023 1024 kasan_report(addr, size, write, pc); 1025 1026 /* 1027 * The instrumentation allows to control whether we can proceed after 1028 * a crash was detected. This is done by passing the -recover flag to 1029 * the compiler. Disabling recovery allows to generate more compact 1030 * code. 1031 * 1032 * Unfortunately disabling recovery doesn't work for the kernel right 1033 * now. KASAN reporting is disabled in some contexts (for example when 1034 * the allocator accesses slab object metadata; this is controlled by 1035 * current->kasan_depth). All these accesses are detected by the tool, 1036 * even though the reports for them are not printed. 1037 * 1038 * This is something that might be fixed at some point in the future. 1039 */ 1040 if (!recover) 1041 die("Oops - KASAN", regs, 0); 1042 1043 /* If thread survives, skip over the brk instruction and continue: */ 1044 arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); 1045 return DBG_HOOK_HANDLED; 1046 } 1047 1048 static struct break_hook kasan_break_hook = { 1049 .fn = kasan_handler, 1050 .imm = KASAN_BRK_IMM, 1051 .mask = KASAN_BRK_MASK, 1052 }; 1053 #endif 1054 1055 /* 1056 * Initial handler for AArch64 BRK exceptions 1057 * This handler only used until debug_traps_init(). 1058 */ 1059 int __init early_brk64(unsigned long addr, unsigned long esr, 1060 struct pt_regs *regs) 1061 { 1062 #ifdef CONFIG_KASAN_SW_TAGS 1063 unsigned long comment = esr & ESR_ELx_BRK64_ISS_COMMENT_MASK; 1064 1065 if ((comment & ~KASAN_BRK_MASK) == KASAN_BRK_IMM) 1066 return kasan_handler(regs, esr) != DBG_HOOK_HANDLED; 1067 #endif 1068 return bug_handler(regs, esr) != DBG_HOOK_HANDLED; 1069 } 1070 1071 void __init trap_init(void) 1072 { 1073 register_kernel_break_hook(&bug_break_hook); 1074 register_kernel_break_hook(&fault_break_hook); 1075 #ifdef CONFIG_KASAN_SW_TAGS 1076 register_kernel_break_hook(&kasan_break_hook); 1077 #endif 1078 debug_traps_init(); 1079 } 1080