| blob | 51986e8a9d353528cbee8186019a3ed8bc7823f2 |
1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/extable.h>
3 #include <linux/uaccess.h>
4 #include <linux/sched/debug.h>
5 #include <linux/bitfield.h>
6 #include <xen/xen.h>
8 #include <asm/fpu/api.h>
9 #include <asm/fred.h>
10 #include <asm/sev.h>
11 #include <asm/traps.h>
12 #include <asm/kdebug.h>
13 #include <asm/insn-eval.h>
14 #include <asm/sgx.h>
17 {
25 }
29 {
31 }
35 {
43 }
45 /*
46 * This is the *very* rare case where we do a "load_unaligned_zeropad()"
47 * and it's a page crosser into a non-existent page.
48 *
49 * This happens when we optimistically load a pathname a word-at-a-time
50 * and the name is less than the full word and the next page is not
51 * mapped. Typically that only happens for CONFIG_DEBUG_PAGEALLOC.
52 *
53 * NOTE! The faulting address is always a 'mov mem,reg' type instruction
54 * of size 'long', and the exception fixup must always point to right
55 * after the instruction.
56 */
60 {
96 }
100 {
103 }
107 {
110 }
112 /*
113 * Handler for when we fail to restore a task's FPU state. We should never get
114 * here because the FPU state of a task using the FPU (task->thread.fpu.state)
115 * should always be valid. However, past bugs have allowed userspace to set
116 * reserved bits in the XSAVE area using PTRACE_SETREGSET or sys_rt_sigreturn().
117 * These caused XRSTOR to fail when switching to the task, leaking the FPU
118 * registers of the task previously executing on the CPU. Mitigate this class
119 * of vulnerability by restoring from the initial state (essentially, zeroing
120 * out all the FPU registers) if we can't restore from the task's FPU state.
121 */
124 {
132 }
134 /*
135 * On x86-64, we end up being imprecise with 'access_ok()', and allow
136 * non-canonical user addresses to make the range comparisons simpler,
137 * and to not have to worry about LAM being enabled.
138 *
139 * In fact, we allow up to one page of "slop" at the sign boundary,
140 * which means that we can do access_ok() by just checking the sign
141 * of the pointer for the common case of having a small access size.
142 */
144 {
145 #ifdef CONFIG_X86_64
146 /* Is it in the "user space" part of the non-canonical space? */
150 /* .. or just above it? */
154 #endif
156 }
161 {
165 }
169 {
171 pr_warn("unchecked MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
175 }
181 }
184 /* Pretend that the read succeeded and returned 0. */
187 }
193 }
197 {
202 }
206 {
209 }
215 {
218 }
220 #ifdef CONFIG_X86_FRED
223 {
228 /*
229 * Move the NMI bit from the invalid stack frame, which caused ERETU
230 * to fault, to the fault handler's stack frame, thus to unblock NMI
231 * with the fault handler's ERETS instruction ASAP if NMI is blocked.
232 */
235 /*
236 * Sync event information to uregs, i.e., the ERETU return frame, but
237 * is it safe to write to the ERETU return frame which is just above
238 * current event stack frame?
239 *
240 * The RSP used by FRED to push a stack frame is not the value in %rsp,
241 * it is calculated from %rsp with the following 2 steps:
242 * 1) RSP = %rsp - (IA32_FRED_CONFIG & 0x1c0) // Reserve N*64 bytes
243 * 2) RSP = RSP & ~0x3f // Align to a 64-byte cache line
244 * when an event delivery doesn't trigger a stack level change.
245 *
246 * Here is an example with N*64 (N=1) bytes reserved:
247 *
248 * 64-byte cache line ==> ______________
249 * |___Reserved___|
250 * |__Event_data__|
251 * |_____SS_______|
252 * |_____RSP______|
253 * |_____FLAGS____|
254 * |_____CS_______|
255 * |_____IP_______|
256 * 64-byte cache line ==> |__Error_code__| <== ERETU return frame
257 * |______________|
258 * |______________|
259 * |______________|
260 * |______________|
261 * |______________|
262 * |______________|
263 * |______________|
264 * 64-byte cache line ==> |______________| <== RSP after step 1) and 2)
265 * |___Reserved___|
266 * |__Event_data__|
267 * |_____SS_______|
268 * |_____RSP______|
269 * |_____FLAGS____|
270 * |_____CS_______|
271 * |_____IP_______|
272 * 64-byte cache line ==> |__Error_code__| <== ERETS return frame
273 *
274 * Thus a new FRED stack frame will always be pushed below a previous
275 * FRED stack frame ((N*64) bytes may be reserved between), and it is
276 * safe to write to a previous FRED stack frame as they never overlap.
277 */
281 /* The NMI bit was moved away above */
290 }
291 #endif
294 {
298 }
302 {
306 #ifdef CONFIG_PNPBIOS
317 }
318 #endif
359 fallthrough;
368 #ifdef CONFIG_X86_FRED
371 #endif
372 }
374 }
378 /* Restricted version used during very early boot */
380 {
381 /* Ignore early NMIs. */
388 /*
389 * Old CPUs leave the high bits of CS on the stack
390 * undefined. I'm not sure which CPUs do this, but at least
391 * the 486 DX works this way.
392 * Xen pv domains are not using the default __KERNEL_CS.
393 */
397 /*
398 * The full exception fixup machinery is available as soon as
399 * the early IDT is loaded. This means that it is the
400 * responsibility of extable users to either function correctly
401 * when handlers are invoked early or to simply avoid causing
402 * exceptions before they're ready to handle them.
403 *
404 * This is better than filtering which handlers can be used,
405 * because refusing to call a handler here is guaranteed to
406 * result in a hard-to-debug panic.
407 *
408 * Keep in mind that not all vectors actually get here. Early
409 * page faults, for example, are special.
410 */
416 /* Skip the ud2. */
419 }
421 /*
422 * If this was a BUG and report_bug returns or if this
423 * was just a normal #UD, we want to continue onward and
424 * crash.
425 */
426 }
428 fail:
435 halt_loop:
438 }