Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | /* |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 2 | * PowerPC version |
| 3 | * Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org) |
| 4 | * |
| 5 | * Derived from "arch/i386/mm/fault.c" |
| 6 | * Copyright (C) 1991, 1992, 1993, 1994 Linus Torvalds |
| 7 | * |
| 8 | * Modified by Cort Dougan and Paul Mackerras. |
| 9 | * |
| 10 | * This program is free software; you can redistribute it and/or |
| 11 | * modify it under the terms of the GNU General Public License |
| 12 | * as published by the Free Software Foundation; either version |
| 13 | * 2 of the License, or (at your option) any later version. |
| 14 | */ |
| 15 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 16 | #include <linux/signal.h> |
| 17 | #include <linux/sched.h> |
| 18 | #include <linux/kernel.h> |
| 19 | #include <linux/errno.h> |
| 20 | #include <linux/string.h> |
| 21 | #include <linux/types.h> |
| 22 | #include <linux/ptrace.h> |
| 23 | #include <linux/mman.h> |
| 24 | #include <linux/mm.h> |
| 25 | #include <linux/interrupt.h> |
| 26 | #include <linux/highmem.h> |
| 27 | #include <linux/module.h> |
| 28 | |
| 29 | #include <asm/page.h> |
| 30 | #include <asm/pgtable.h> |
| 31 | #include <asm/mmu.h> |
| 32 | #include <asm/mmu_context.h> |
| 33 | #include <asm/system.h> |
| 34 | #include <asm/uaccess.h> |
| 35 | #include <asm/tlbflush.h> |
| 36 | |
| 37 | #if defined(CONFIG_XMON) || defined(CONFIG_KGDB) |
| 38 | extern void (*debugger)(struct pt_regs *); |
| 39 | extern void (*debugger_fault_handler)(struct pt_regs *); |
| 40 | extern int (*debugger_dabr_match)(struct pt_regs *); |
| 41 | int debugger_kernel_faults = 1; |
| 42 | #endif |
| 43 | |
| 44 | unsigned long htab_reloads; /* updated by hashtable.S:hash_page() */ |
| 45 | unsigned long htab_evicts; /* updated by hashtable.S:hash_page() */ |
| 46 | unsigned long htab_preloads; /* updated by hashtable.S:add_hash_page() */ |
| 47 | unsigned long pte_misses; /* updated by do_page_fault() */ |
| 48 | unsigned long pte_errors; /* updated by do_page_fault() */ |
| 49 | unsigned int probingmem; |
| 50 | |
| 51 | /* |
| 52 | * Check whether the instruction at regs->nip is a store using |
| 53 | * an update addressing form which will update r1. |
| 54 | */ |
| 55 | static int store_updates_sp(struct pt_regs *regs) |
| 56 | { |
| 57 | unsigned int inst; |
| 58 | |
| 59 | if (get_user(inst, (unsigned int __user *)regs->nip)) |
| 60 | return 0; |
| 61 | /* check for 1 in the rA field */ |
| 62 | if (((inst >> 16) & 0x1f) != 1) |
| 63 | return 0; |
| 64 | /* check major opcode */ |
| 65 | switch (inst >> 26) { |
| 66 | case 37: /* stwu */ |
| 67 | case 39: /* stbu */ |
| 68 | case 45: /* sthu */ |
| 69 | case 53: /* stfsu */ |
| 70 | case 55: /* stfdu */ |
| 71 | return 1; |
| 72 | case 31: |
| 73 | /* check minor opcode */ |
| 74 | switch ((inst >> 1) & 0x3ff) { |
| 75 | case 183: /* stwux */ |
| 76 | case 247: /* stbux */ |
| 77 | case 439: /* sthux */ |
| 78 | case 695: /* stfsux */ |
| 79 | case 759: /* stfdux */ |
| 80 | return 1; |
| 81 | } |
| 82 | } |
| 83 | return 0; |
| 84 | } |
| 85 | |
| 86 | /* |
| 87 | * For 600- and 800-family processors, the error_code parameter is DSISR |
| 88 | * for a data fault, SRR1 for an instruction fault. For 400-family processors |
| 89 | * the error_code parameter is ESR for a data fault, 0 for an instruction |
| 90 | * fault. |
| 91 | */ |
| 92 | int do_page_fault(struct pt_regs *regs, unsigned long address, |
| 93 | unsigned long error_code) |
| 94 | { |
| 95 | struct vm_area_struct * vma; |
| 96 | struct mm_struct *mm = current->mm; |
| 97 | siginfo_t info; |
| 98 | int code = SEGV_MAPERR; |
| 99 | #if defined(CONFIG_4xx) || defined (CONFIG_BOOKE) |
| 100 | int is_write = error_code & ESR_DST; |
| 101 | #else |
| 102 | int is_write = 0; |
| 103 | |
| 104 | /* |
| 105 | * Fortunately the bit assignments in SRR1 for an instruction |
| 106 | * fault and DSISR for a data fault are mostly the same for the |
| 107 | * bits we are interested in. But there are some bits which |
| 108 | * indicate errors in DSISR but can validly be set in SRR1. |
| 109 | */ |
| 110 | if (TRAP(regs) == 0x400) |
| 111 | error_code &= 0x48200000; |
| 112 | else |
| 113 | is_write = error_code & 0x02000000; |
| 114 | #endif /* CONFIG_4xx || CONFIG_BOOKE */ |
| 115 | |
| 116 | #if defined(CONFIG_XMON) || defined(CONFIG_KGDB) |
| 117 | if (debugger_fault_handler && TRAP(regs) == 0x300) { |
| 118 | debugger_fault_handler(regs); |
| 119 | return 0; |
| 120 | } |
| 121 | #if !(defined(CONFIG_4xx) || defined(CONFIG_BOOKE)) |
| 122 | if (error_code & 0x00400000) { |
| 123 | /* DABR match */ |
| 124 | if (debugger_dabr_match(regs)) |
| 125 | return 0; |
| 126 | } |
| 127 | #endif /* !(CONFIG_4xx || CONFIG_BOOKE)*/ |
| 128 | #endif /* CONFIG_XMON || CONFIG_KGDB */ |
| 129 | |
| 130 | if (in_atomic() || mm == NULL) |
| 131 | return SIGSEGV; |
| 132 | |
| 133 | down_read(&mm->mmap_sem); |
| 134 | vma = find_vma(mm, address); |
| 135 | if (!vma) |
| 136 | goto bad_area; |
| 137 | if (vma->vm_start <= address) |
| 138 | goto good_area; |
| 139 | if (!(vma->vm_flags & VM_GROWSDOWN)) |
| 140 | goto bad_area; |
| 141 | if (!is_write) |
| 142 | goto bad_area; |
| 143 | |
| 144 | /* |
| 145 | * N.B. The rs6000/xcoff ABI allows programs to access up to |
| 146 | * a few hundred bytes below the stack pointer. |
| 147 | * The kernel signal delivery code writes up to about 1.5kB |
| 148 | * below the stack pointer (r1) before decrementing it. |
| 149 | * The exec code can write slightly over 640kB to the stack |
| 150 | * before setting the user r1. Thus we allow the stack to |
| 151 | * expand to 1MB without further checks. |
| 152 | */ |
| 153 | if (address + 0x100000 < vma->vm_end) { |
| 154 | /* get user regs even if this fault is in kernel mode */ |
| 155 | struct pt_regs *uregs = current->thread.regs; |
| 156 | if (uregs == NULL) |
| 157 | goto bad_area; |
| 158 | |
| 159 | /* |
| 160 | * A user-mode access to an address a long way below |
| 161 | * the stack pointer is only valid if the instruction |
| 162 | * is one which would update the stack pointer to the |
| 163 | * address accessed if the instruction completed, |
| 164 | * i.e. either stwu rs,n(r1) or stwux rs,r1,rb |
| 165 | * (or the byte, halfword, float or double forms). |
| 166 | * |
| 167 | * If we don't check this then any write to the area |
| 168 | * between the last mapped region and the stack will |
| 169 | * expand the stack rather than segfaulting. |
| 170 | */ |
| 171 | if (address + 2048 < uregs->gpr[1] |
| 172 | && (!user_mode(regs) || !store_updates_sp(regs))) |
| 173 | goto bad_area; |
| 174 | } |
| 175 | if (expand_stack(vma, address)) |
| 176 | goto bad_area; |
| 177 | |
| 178 | good_area: |
| 179 | code = SEGV_ACCERR; |
| 180 | #if defined(CONFIG_6xx) |
| 181 | if (error_code & 0x95700000) |
| 182 | /* an error such as lwarx to I/O controller space, |
| 183 | address matching DABR, eciwx, etc. */ |
| 184 | goto bad_area; |
| 185 | #endif /* CONFIG_6xx */ |
| 186 | #if defined(CONFIG_8xx) |
| 187 | /* The MPC8xx seems to always set 0x80000000, which is |
| 188 | * "undefined". Of those that can be set, this is the only |
| 189 | * one which seems bad. |
| 190 | */ |
| 191 | if (error_code & 0x10000000) |
| 192 | /* Guarded storage error. */ |
| 193 | goto bad_area; |
| 194 | #endif /* CONFIG_8xx */ |
| 195 | |
| 196 | /* a write */ |
| 197 | if (is_write) { |
| 198 | if (!(vma->vm_flags & VM_WRITE)) |
| 199 | goto bad_area; |
| 200 | #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) |
| 201 | /* an exec - 4xx/Book-E allows for per-page execute permission */ |
| 202 | } else if (TRAP(regs) == 0x400) { |
| 203 | pte_t *ptep; |
Eugene Surovegin | bab70a4 | 2006-03-28 10:13:12 -0800 | [diff] [blame] | 204 | pmd_t *pmdp; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 205 | |
| 206 | #if 0 |
| 207 | /* It would be nice to actually enforce the VM execute |
| 208 | permission on CPUs which can do so, but far too |
| 209 | much stuff in userspace doesn't get the permissions |
| 210 | right, so we let any page be executed for now. */ |
| 211 | if (! (vma->vm_flags & VM_EXEC)) |
| 212 | goto bad_area; |
| 213 | #endif |
| 214 | |
| 215 | /* Since 4xx/Book-E supports per-page execute permission, |
| 216 | * we lazily flush dcache to icache. */ |
| 217 | ptep = NULL; |
Eugene Surovegin | bab70a4 | 2006-03-28 10:13:12 -0800 | [diff] [blame] | 218 | if (get_pteptr(mm, address, &ptep, &pmdp)) { |
| 219 | spinlock_t *ptl = pte_lockptr(mm, pmdp); |
| 220 | spin_lock(ptl); |
| 221 | if (pte_present(*ptep)) { |
| 222 | struct page *page = pte_page(*ptep); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 223 | |
Eugene Surovegin | bab70a4 | 2006-03-28 10:13:12 -0800 | [diff] [blame] | 224 | if (!test_bit(PG_arch_1, &page->flags)) { |
| 225 | flush_dcache_icache_page(page); |
| 226 | set_bit(PG_arch_1, &page->flags); |
| 227 | } |
| 228 | pte_update(ptep, 0, _PAGE_HWEXEC); |
| 229 | _tlbie(address); |
| 230 | pte_unmap_unlock(ptep, ptl); |
| 231 | up_read(&mm->mmap_sem); |
| 232 | return 0; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 233 | } |
Eugene Surovegin | bab70a4 | 2006-03-28 10:13:12 -0800 | [diff] [blame] | 234 | pte_unmap_unlock(ptep, ptl); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 235 | } |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 236 | #endif |
| 237 | /* a read */ |
| 238 | } else { |
| 239 | /* protection fault */ |
| 240 | if (error_code & 0x08000000) |
| 241 | goto bad_area; |
| 242 | if (!(vma->vm_flags & (VM_READ | VM_EXEC))) |
| 243 | goto bad_area; |
| 244 | } |
| 245 | |
| 246 | /* |
| 247 | * If for any reason at all we couldn't handle the fault, |
| 248 | * make sure we exit gracefully rather than endlessly redo |
| 249 | * the fault. |
| 250 | */ |
| 251 | survive: |
| 252 | switch (handle_mm_fault(mm, vma, address, is_write)) { |
| 253 | case VM_FAULT_MINOR: |
| 254 | current->min_flt++; |
| 255 | break; |
| 256 | case VM_FAULT_MAJOR: |
| 257 | current->maj_flt++; |
| 258 | break; |
| 259 | case VM_FAULT_SIGBUS: |
| 260 | goto do_sigbus; |
| 261 | case VM_FAULT_OOM: |
| 262 | goto out_of_memory; |
| 263 | default: |
| 264 | BUG(); |
| 265 | } |
| 266 | |
| 267 | up_read(&mm->mmap_sem); |
| 268 | /* |
| 269 | * keep track of tlb+htab misses that are good addrs but |
| 270 | * just need pte's created via handle_mm_fault() |
| 271 | * -- Cort |
| 272 | */ |
| 273 | pte_misses++; |
| 274 | return 0; |
| 275 | |
| 276 | bad_area: |
| 277 | up_read(&mm->mmap_sem); |
| 278 | pte_errors++; |
| 279 | |
| 280 | /* User mode accesses cause a SIGSEGV */ |
| 281 | if (user_mode(regs)) { |
Paul Mackerras | bb0bb3b | 2005-09-10 21:13:11 +1000 | [diff] [blame] | 282 | _exception(SIGSEGV, regs, code, address); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 283 | return 0; |
| 284 | } |
| 285 | |
| 286 | return SIGSEGV; |
| 287 | |
| 288 | /* |
| 289 | * We ran out of memory, or some other thing happened to us that made |
| 290 | * us unable to handle the page fault gracefully. |
| 291 | */ |
| 292 | out_of_memory: |
| 293 | up_read(&mm->mmap_sem); |
| 294 | if (current->pid == 1) { |
| 295 | yield(); |
| 296 | down_read(&mm->mmap_sem); |
| 297 | goto survive; |
| 298 | } |
| 299 | printk("VM: killing process %s\n", current->comm); |
| 300 | if (user_mode(regs)) |
| 301 | do_exit(SIGKILL); |
| 302 | return SIGKILL; |
| 303 | |
| 304 | do_sigbus: |
| 305 | up_read(&mm->mmap_sem); |
| 306 | info.si_signo = SIGBUS; |
| 307 | info.si_errno = 0; |
| 308 | info.si_code = BUS_ADRERR; |
| 309 | info.si_addr = (void __user *)address; |
| 310 | force_sig_info (SIGBUS, &info, current); |
| 311 | if (!user_mode(regs)) |
| 312 | return SIGBUS; |
| 313 | return 0; |
| 314 | } |
| 315 | |
| 316 | /* |
| 317 | * bad_page_fault is called when we have a bad access from the kernel. |
| 318 | * It is called from the DSI and ISI handlers in head.S and from some |
| 319 | * of the procedures in traps.c. |
| 320 | */ |
| 321 | void |
| 322 | bad_page_fault(struct pt_regs *regs, unsigned long address, int sig) |
| 323 | { |
| 324 | const struct exception_table_entry *entry; |
| 325 | |
| 326 | /* Are we prepared to handle this fault? */ |
| 327 | if ((entry = search_exception_tables(regs->nip)) != NULL) { |
| 328 | regs->nip = entry->fixup; |
| 329 | return; |
| 330 | } |
| 331 | |
| 332 | /* kernel has accessed a bad area */ |
| 333 | #if defined(CONFIG_XMON) || defined(CONFIG_KGDB) |
| 334 | if (debugger_kernel_faults) |
| 335 | debugger(regs); |
| 336 | #endif |
| 337 | die("kernel access of bad area", regs, sig); |
| 338 | } |
| 339 | |
| 340 | #ifdef CONFIG_8xx |
| 341 | |
| 342 | /* The pgtable.h claims some functions generically exist, but I |
| 343 | * can't find them...... |
| 344 | */ |
| 345 | pte_t *va_to_pte(unsigned long address) |
| 346 | { |
| 347 | pgd_t *dir; |
| 348 | pmd_t *pmd; |
| 349 | pte_t *pte; |
| 350 | |
| 351 | if (address < TASK_SIZE) |
| 352 | return NULL; |
| 353 | |
| 354 | dir = pgd_offset(&init_mm, address); |
| 355 | if (dir) { |
| 356 | pmd = pmd_offset(dir, address & PAGE_MASK); |
| 357 | if (pmd && pmd_present(*pmd)) { |
| 358 | pte = pte_offset_kernel(pmd, address & PAGE_MASK); |
| 359 | if (pte && pte_present(*pte)) |
| 360 | return(pte); |
| 361 | } |
| 362 | } |
| 363 | return NULL; |
| 364 | } |
| 365 | |
| 366 | unsigned long va_to_phys(unsigned long address) |
| 367 | { |
| 368 | pte_t *pte; |
| 369 | |
| 370 | pte = va_to_pte(address); |
| 371 | if (pte) |
| 372 | return(((unsigned long)(pte_val(*pte)) & PAGE_MASK) | (address & ~(PAGE_MASK))); |
| 373 | return (0); |
| 374 | } |
| 375 | |
| 376 | void |
| 377 | print_8xx_pte(struct mm_struct *mm, unsigned long addr) |
| 378 | { |
| 379 | pgd_t * pgd; |
| 380 | pmd_t * pmd; |
| 381 | pte_t * pte; |
| 382 | |
| 383 | printk(" pte @ 0x%8lx: ", addr); |
| 384 | pgd = pgd_offset(mm, addr & PAGE_MASK); |
| 385 | if (pgd) { |
| 386 | pmd = pmd_offset(pgd, addr & PAGE_MASK); |
| 387 | if (pmd && pmd_present(*pmd)) { |
| 388 | pte = pte_offset_kernel(pmd, addr & PAGE_MASK); |
| 389 | if (pte) { |
| 390 | printk(" (0x%08lx)->(0x%08lx)->0x%08lx\n", |
| 391 | (long)pgd, (long)pte, (long)pte_val(*pte)); |
| 392 | #define pp ((long)pte_val(*pte)) |
| 393 | printk(" RPN: %05lx PP: %lx SPS: %lx SH: %lx " |
| 394 | "CI: %lx v: %lx\n", |
| 395 | pp>>12, /* rpn */ |
| 396 | (pp>>10)&3, /* pp */ |
| 397 | (pp>>3)&1, /* small */ |
| 398 | (pp>>2)&1, /* shared */ |
| 399 | (pp>>1)&1, /* cache inhibit */ |
| 400 | pp&1 /* valid */ |
| 401 | ); |
| 402 | #undef pp |
| 403 | } |
| 404 | else { |
| 405 | printk("no pte\n"); |
| 406 | } |
| 407 | } |
| 408 | else { |
| 409 | printk("no pmd\n"); |
| 410 | } |
| 411 | } |
| 412 | else { |
| 413 | printk("no pgd\n"); |
| 414 | } |
| 415 | } |
| 416 | |
| 417 | int |
| 418 | get_8xx_pte(struct mm_struct *mm, unsigned long addr) |
| 419 | { |
| 420 | pgd_t * pgd; |
| 421 | pmd_t * pmd; |
| 422 | pte_t * pte; |
| 423 | int retval = 0; |
| 424 | |
| 425 | pgd = pgd_offset(mm, addr & PAGE_MASK); |
| 426 | if (pgd) { |
| 427 | pmd = pmd_offset(pgd, addr & PAGE_MASK); |
| 428 | if (pmd && pmd_present(*pmd)) { |
| 429 | pte = pte_offset_kernel(pmd, addr & PAGE_MASK); |
| 430 | if (pte) { |
| 431 | retval = (int)pte_val(*pte); |
| 432 | } |
| 433 | } |
| 434 | } |
| 435 | return(retval); |
| 436 | } |
| 437 | #endif /* CONFIG_8xx */ |