1 // SPDX-License-Identifier: GPL-2.0-only
3 * linux/arch/arm/mm/fault.c
5 * Copyright (C) 1995 Linus Torvalds
6 * Modifications for ARM processor (c) 1995-2004 Russell King
8 #include <linux/extable.h>
9 #include <linux/signal.h>
11 #include <linux/hardirq.h>
12 #include <linux/init.h>
13 #include <linux/kprobes.h>
14 #include <linux/uaccess.h>
15 #include <linux/page-flags.h>
16 #include <linux/sched/signal.h>
17 #include <linux/sched/debug.h>
18 #include <linux/highmem.h>
19 #include <linux/perf_event.h>
21 #include <asm/system_misc.h>
22 #include <asm/system_info.h>
23 #include <asm/tlbflush.h>
30 * This is useful to dump out the page tables associated with
33 void show_pte(const char *lvl, struct mm_struct *mm, unsigned long addr)
40 pgd = pgd_offset(mm, addr);
41 printk("%s[%08lx] *pgd=%08llx", lvl, addr, (long long)pgd_val(*pgd));
49 p4d = p4d_offset(pgd, addr);
58 pud = pud_offset(p4d, addr);
59 if (PTRS_PER_PUD != 1)
60 pr_cont(", *pud=%08llx", (long long)pud_val(*pud));
70 pmd = pmd_offset(pud, addr);
71 if (PTRS_PER_PMD != 1)
72 pr_cont(", *pmd=%08llx", (long long)pmd_val(*pmd));
82 /* We must not map this if we have highmem enabled */
83 if (PageHighMem(pfn_to_page(pmd_val(*pmd) >> PAGE_SHIFT)))
86 pte = pte_offset_map(pmd, addr);
87 pr_cont(", *pte=%08llx", (long long)pte_val(*pte));
88 #ifndef CONFIG_ARM_LPAE
89 pr_cont(", *ppte=%08llx",
90 (long long)pte_val(pte[PTE_HWTABLE_PTRS]));
97 #else /* CONFIG_MMU */
98 void show_pte(const char *lvl, struct mm_struct *mm, unsigned long addr)
100 #endif /* CONFIG_MMU */
102 static inline bool is_write_fault(unsigned int fsr)
104 return (fsr & FSR_WRITE) && !(fsr & FSR_CM);
107 static void die_kernel_fault(const char *msg, struct mm_struct *mm,
108 unsigned long addr, unsigned int fsr,
109 struct pt_regs *regs)
112 pr_alert("8<--- cut here ---\n");
113 pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
116 show_pte(KERN_ALERT, mm, addr);
117 die("Oops", regs, fsr);
123 * Oops. The kernel tried to access some page that wasn't present.
126 __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
127 struct pt_regs *regs)
131 * Are we prepared to handle this kernel fault?
133 if (fixup_exception(regs))
137 * No handler, we'll have to terminate things with extreme prejudice.
139 if (addr < PAGE_SIZE)
140 msg = "NULL pointer dereference";
142 msg = "paging request";
144 die_kernel_fault(msg, mm, addr, fsr, regs);
148 * Something tried to access memory that isn't in our memory map..
149 * User mode accesses just cause a SIGSEGV
152 __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
153 int code, struct pt_regs *regs)
155 struct task_struct *tsk = current;
157 if (addr > TASK_SIZE)
158 harden_branch_predictor();
160 #ifdef CONFIG_DEBUG_USER
161 if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
162 ((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
163 pr_err("8<--- cut here ---\n");
164 pr_err("%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n",
165 tsk->comm, sig, addr, fsr);
166 show_pte(KERN_ERR, tsk->mm, addr);
170 #ifndef CONFIG_KUSER_HELPERS
171 if ((sig == SIGSEGV) && ((addr & PAGE_MASK) == 0xffff0000))
172 printk_ratelimited(KERN_DEBUG
173 "%s: CONFIG_KUSER_HELPERS disabled at 0x%08lx\n",
177 tsk->thread.address = addr;
178 tsk->thread.error_code = fsr;
179 tsk->thread.trap_no = 14;
180 force_sig_fault(sig, code, (void __user *)addr);
183 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
185 struct task_struct *tsk = current;
186 struct mm_struct *mm = tsk->active_mm;
189 * If we are in kernel mode at this point, we
190 * have no context to handle this fault with.
193 __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
195 __do_kernel_fault(mm, addr, fsr, regs);
199 #define VM_FAULT_BADMAP ((__force vm_fault_t)0x010000)
200 #define VM_FAULT_BADACCESS ((__force vm_fault_t)0x020000)
202 static inline bool is_permission_fault(unsigned int fsr)
204 int fs = fsr_fs(fsr);
205 #ifdef CONFIG_ARM_LPAE
206 if ((fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL)
209 if (fs == FS_L1_PERM || fs == FS_L2_PERM)
215 static vm_fault_t __kprobes
216 __do_page_fault(struct mm_struct *mm, unsigned long addr, unsigned int flags,
217 unsigned long vma_flags, struct pt_regs *regs)
219 struct vm_area_struct *vma = find_vma(mm, addr);
221 return VM_FAULT_BADMAP;
223 if (unlikely(vma->vm_start > addr)) {
224 if (!(vma->vm_flags & VM_GROWSDOWN))
225 return VM_FAULT_BADMAP;
226 if (addr < FIRST_USER_ADDRESS)
227 return VM_FAULT_BADMAP;
228 if (expand_stack(vma, addr))
229 return VM_FAULT_BADMAP;
233 * ok, we have a good vm_area for this memory access, check the
234 * permissions on the VMA allow for the fault which occurred.
236 if (!(vma->vm_flags & vma_flags))
237 return VM_FAULT_BADACCESS;
239 return handle_mm_fault(vma, addr & PAGE_MASK, flags, regs);
243 do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
245 struct mm_struct *mm = current->mm;
248 unsigned int flags = FAULT_FLAG_DEFAULT;
249 unsigned long vm_flags = VM_ACCESS_FLAGS;
251 if (kprobe_page_fault(regs, fsr))
255 /* Enable interrupts if they were enabled in the parent context. */
256 if (interrupts_enabled(regs))
260 * If we're in an interrupt or have no user
261 * context, we must not take the fault..
263 if (faulthandler_disabled() || !mm)
267 flags |= FAULT_FLAG_USER;
269 if (is_write_fault(fsr)) {
270 flags |= FAULT_FLAG_WRITE;
274 if (fsr & FSR_LNX_PF) {
277 if (is_permission_fault(fsr) && !user_mode(regs))
278 die_kernel_fault("execution of memory",
279 mm, addr, fsr, regs);
282 perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
285 * As per x86, we may deadlock here. However, since the kernel only
286 * validly references user space from well defined areas of the code,
287 * we can bug out early if this is from code which shouldn't.
289 if (!mmap_read_trylock(mm)) {
290 if (!user_mode(regs) && !search_exception_tables(regs->ARM_pc))
296 * The above down_read_trylock() might have succeeded in
297 * which case, we'll have missed the might_sleep() from
301 #ifdef CONFIG_DEBUG_VM
302 if (!user_mode(regs) &&
303 !search_exception_tables(regs->ARM_pc))
308 fault = __do_page_fault(mm, addr, flags, vm_flags, regs);
310 /* If we need to retry but a fatal signal is pending, handle the
311 * signal first. We do not need to release the mmap_lock because
312 * it would already be released in __lock_page_or_retry in
314 if (fault_signal_pending(fault, regs)) {
315 if (!user_mode(regs))
320 if (!(fault & VM_FAULT_ERROR) && flags & FAULT_FLAG_ALLOW_RETRY) {
321 if (fault & VM_FAULT_RETRY) {
322 flags |= FAULT_FLAG_TRIED;
327 mmap_read_unlock(mm);
330 * Handle the "normal" case first - VM_FAULT_MAJOR
332 if (likely(!(fault & (VM_FAULT_ERROR | VM_FAULT_BADMAP | VM_FAULT_BADACCESS))))
336 * If we are in kernel mode at this point, we
337 * have no context to handle this fault with.
339 if (!user_mode(regs))
342 if (fault & VM_FAULT_OOM) {
344 * We ran out of memory, call the OOM killer, and return to
345 * userspace (which will retry the fault, or kill us if we
348 pagefault_out_of_memory();
352 if (fault & VM_FAULT_SIGBUS) {
354 * We had some memory, but were unable to
355 * successfully fix up this page fault.
361 * Something tried to access memory that
362 * isn't in our memory map..
365 code = fault == VM_FAULT_BADACCESS ?
366 SEGV_ACCERR : SEGV_MAPERR;
369 __do_user_fault(addr, fsr, sig, code, regs);
373 __do_kernel_fault(mm, addr, fsr, regs);
376 #else /* CONFIG_MMU */
378 do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
382 #endif /* CONFIG_MMU */
385 * First Level Translation Fault Handler
387 * We enter here because the first level page table doesn't contain
388 * a valid entry for the address.
390 * If the address is in kernel space (>= TASK_SIZE), then we are
391 * probably faulting in the vmalloc() area.
393 * If the init_task's first level page tables contains the relevant
394 * entry, we copy the it to this task. If not, we send the process
395 * a signal, fixup the exception, or oops the kernel.
397 * NOTE! We MUST NOT take any locks for this case. We may be in an
398 * interrupt or a critical region, and should only copy the information
399 * from the master page table, nothing more.
403 do_translation_fault(unsigned long addr, unsigned int fsr,
404 struct pt_regs *regs)
412 if (addr < TASK_SIZE)
413 return do_page_fault(addr, fsr, regs);
418 index = pgd_index(addr);
420 pgd = cpu_get_pgd() + index;
421 pgd_k = init_mm.pgd + index;
423 p4d = p4d_offset(pgd, addr);
424 p4d_k = p4d_offset(pgd_k, addr);
426 if (p4d_none(*p4d_k))
428 if (!p4d_present(*p4d))
429 set_p4d(p4d, *p4d_k);
431 pud = pud_offset(p4d, addr);
432 pud_k = pud_offset(p4d_k, addr);
434 if (pud_none(*pud_k))
436 if (!pud_present(*pud))
437 set_pud(pud, *pud_k);
439 pmd = pmd_offset(pud, addr);
440 pmd_k = pmd_offset(pud_k, addr);
442 #ifdef CONFIG_ARM_LPAE
444 * Only one hardware entry per PMD with LPAE.
449 * On ARM one Linux PGD entry contains two hardware entries (see page
450 * tables layout in pgtable.h). We normally guarantee that we always
451 * fill both L1 entries. But create_mapping() doesn't follow the rule.
452 * It can create inidividual L1 entries, so here we have to call
453 * pmd_none() check for the entry really corresponded to address, not
454 * for the first of pair.
456 index = (addr >> SECTION_SHIFT) & 1;
458 if (pmd_none(pmd_k[index]))
461 copy_pmd(pmd, pmd_k);
465 do_bad_area(addr, fsr, regs);
468 #else /* CONFIG_MMU */
470 do_translation_fault(unsigned long addr, unsigned int fsr,
471 struct pt_regs *regs)
475 #endif /* CONFIG_MMU */
478 * Some section permission faults need to be handled gracefully.
479 * They can happen due to a __{get,put}_user during an oops.
481 #ifndef CONFIG_ARM_LPAE
483 do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
485 do_bad_area(addr, fsr, regs);
488 #endif /* CONFIG_ARM_LPAE */
491 * This abort handler always returns "fault".
494 do_bad(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
500 int (*fn)(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
507 #ifdef CONFIG_ARM_LPAE
508 #include "fsr-3level.c"
510 #include "fsr-2level.c"
514 hook_fault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *),
515 int sig, int code, const char *name)
517 if (nr < 0 || nr >= ARRAY_SIZE(fsr_info))
520 fsr_info[nr].fn = fn;
521 fsr_info[nr].sig = sig;
522 fsr_info[nr].code = code;
523 fsr_info[nr].name = name;
527 * Dispatch a data abort to the relevant handler.
530 do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
532 const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
534 if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
537 pr_alert("8<--- cut here ---\n");
538 pr_alert("Unhandled fault: %s (0x%03x) at 0x%08lx\n",
539 inf->name, fsr, addr);
540 show_pte(KERN_ALERT, current->mm, addr);
542 arm_notify_die("", regs, inf->sig, inf->code, (void __user *)addr,
547 hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *),
548 int sig, int code, const char *name)
550 if (nr < 0 || nr >= ARRAY_SIZE(ifsr_info))
553 ifsr_info[nr].fn = fn;
554 ifsr_info[nr].sig = sig;
555 ifsr_info[nr].code = code;
556 ifsr_info[nr].name = name;
560 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
562 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
564 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
567 pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
568 inf->name, ifsr, addr);
570 arm_notify_die("", regs, inf->sig, inf->code, (void __user *)addr,
575 * Abort handler to be used only during first unmasking of asynchronous aborts
576 * on the boot CPU. This makes sure that the machine will not die if the
577 * firmware/bootloader left an imprecise abort pending for us to trip over.
579 static int __init early_abort_handler(unsigned long addr, unsigned int fsr,
580 struct pt_regs *regs)
582 pr_warn("Hit pending asynchronous external abort (FSR=0x%08x) during "
583 "first unmask, this is most likely caused by a "
584 "firmware/bootloader bug.\n", fsr);
589 void __init early_abt_enable(void)
591 fsr_info[FSR_FS_AEA].fn = early_abort_handler;
593 fsr_info[FSR_FS_AEA].fn = do_bad;
596 #ifndef CONFIG_ARM_LPAE
597 static int __init exceptions_init(void)
599 if (cpu_architecture() >= CPU_ARCH_ARMv6) {
600 hook_fault_code(4, do_translation_fault, SIGSEGV, SEGV_MAPERR,
601 "I-cache maintenance fault");
604 if (cpu_architecture() >= CPU_ARCH_ARMv7) {
606 * TODO: Access flag faults introduced in ARMv6K.
607 * Runtime check for 'K' extension is needed
609 hook_fault_code(3, do_bad, SIGSEGV, SEGV_MAPERR,
610 "section access flag fault");
611 hook_fault_code(6, do_bad, SIGSEGV, SEGV_MAPERR,
612 "section access flag fault");
618 arch_initcall(exceptions_init);