2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2001 Andrea Arcangeli <andrea@suse.de> SuSE
|
|
|
|
* Copyright 2003 Andi Kleen, SuSE Labs.
|
|
|
|
*
|
2011-06-06 01:50:24 +08:00
|
|
|
* [ NOTE: this mechanism is now deprecated in favor of the vDSO. ]
|
|
|
|
*
|
2005-04-17 06:20:36 +08:00
|
|
|
* Thanks to hpa@transmeta.com for some useful hint.
|
|
|
|
* Special thanks to Ingo Molnar for his early experience with
|
|
|
|
* a different vsyscall implementation for Linux/IA32 and for the name.
|
|
|
|
*
|
|
|
|
* vsyscall 1 is located at -10Mbyte, vsyscall 2 is located
|
|
|
|
* at virtual address -10Mbyte+1024bytes etc... There are at max 4
|
|
|
|
* vsyscalls. One vsyscall can reserve more than 1 slot to avoid
|
|
|
|
* jumping out of line if necessary. We cannot add more with this
|
|
|
|
* mechanism because older kernels won't return -ENOSYS.
|
|
|
|
*
|
2011-06-06 01:50:24 +08:00
|
|
|
* Note: the concept clashes with user mode linux. UML users should
|
|
|
|
* use the vDSO.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/time.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/timer.h>
|
|
|
|
#include <linux/seqlock.h>
|
|
|
|
#include <linux/jiffies.h>
|
|
|
|
#include <linux/sysctl.h>
|
2007-02-16 17:28:21 +08:00
|
|
|
#include <linux/clocksource.h>
|
2006-09-26 16:52:28 +08:00
|
|
|
#include <linux/getcpu.h>
|
2006-11-14 23:57:46 +08:00
|
|
|
#include <linux/cpu.h>
|
|
|
|
#include <linux/smp.h>
|
|
|
|
#include <linux/notifier.h>
|
2011-06-06 01:50:24 +08:00
|
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <linux/ratelimit.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#include <asm/vsyscall.h>
|
|
|
|
#include <asm/pgtable.h>
|
2011-07-13 21:24:09 +08:00
|
|
|
#include <asm/compat.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/page.h>
|
2007-02-16 17:28:21 +08:00
|
|
|
#include <asm/unistd.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/fixmap.h>
|
|
|
|
#include <asm/errno.h>
|
|
|
|
#include <asm/io.h>
|
2006-09-26 16:52:28 +08:00
|
|
|
#include <asm/segment.h>
|
|
|
|
#include <asm/desc.h>
|
|
|
|
#include <asm/topology.h>
|
2007-07-21 23:10:01 +08:00
|
|
|
#include <asm/vgtod.h>
|
2011-06-06 01:50:24 +08:00
|
|
|
#include <asm/traps.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-08-03 21:31:54 +08:00
|
|
|
#define CREATE_TRACE_POINTS
|
|
|
|
#include "vsyscall_trace.h"
|
|
|
|
|
2011-05-23 21:31:24 +08:00
|
|
|
DEFINE_VVAR(int, vgetcpu_mode);
|
|
|
|
DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-05-24 20:08:08 +08:00
|
|
|
.lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
|
2007-02-16 17:28:21 +08:00
|
|
|
};
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-10-18 18:04:57 +08:00
|
|
|
void update_vsyscall_tz(void)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
|
|
|
|
/* sys_tz has changed */
|
|
|
|
vsyscall_gtod_data.sys_tz = sys_tz;
|
|
|
|
write_sequnlock_irqrestore(&vsyscall_gtod_data.lock, flags);
|
|
|
|
}
|
|
|
|
|
2010-07-14 08:56:23 +08:00
|
|
|
void update_vsyscall(struct timespec *wall_time, struct timespec *wtm,
|
|
|
|
struct clocksource *clock, u32 mult)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2007-02-16 17:28:21 +08:00
|
|
|
unsigned long flags;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-02-16 17:28:21 +08:00
|
|
|
write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
|
2011-06-06 01:50:24 +08:00
|
|
|
|
2007-02-16 17:28:21 +08:00
|
|
|
/* copy vsyscall data */
|
2011-07-14 18:47:22 +08:00
|
|
|
vsyscall_gtod_data.clock.vclock_mode = clock->archdata.vclock_mode;
|
2011-06-06 01:50:24 +08:00
|
|
|
vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
|
|
|
|
vsyscall_gtod_data.clock.mask = clock->mask;
|
|
|
|
vsyscall_gtod_data.clock.mult = mult;
|
|
|
|
vsyscall_gtod_data.clock.shift = clock->shift;
|
|
|
|
vsyscall_gtod_data.wall_time_sec = wall_time->tv_sec;
|
|
|
|
vsyscall_gtod_data.wall_time_nsec = wall_time->tv_nsec;
|
|
|
|
vsyscall_gtod_data.wall_to_monotonic = *wtm;
|
|
|
|
vsyscall_gtod_data.wall_time_coarse = __current_kernel_time();
|
|
|
|
|
2007-02-16 17:28:21 +08:00
|
|
|
write_sequnlock_irqrestore(&vsyscall_gtod_data.lock, flags);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
|
|
|
|
const char *message)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-06-06 01:50:24 +08:00
|
|
|
static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST);
|
|
|
|
struct task_struct *tsk;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
if (!show_unhandled_signals || !__ratelimit(&rs))
|
|
|
|
return;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
tsk = current;
|
2007-02-16 17:28:21 +08:00
|
|
|
|
2011-07-13 21:24:09 +08:00
|
|
|
printk("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
|
2011-06-06 01:50:24 +08:00
|
|
|
level, tsk->comm, task_pid_nr(tsk),
|
2011-07-13 21:24:09 +08:00
|
|
|
message, regs->ip - 2, regs->cs,
|
|
|
|
regs->sp, regs->ax, regs->si, regs->di);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int addr_to_vsyscall_nr(unsigned long addr)
|
|
|
|
{
|
|
|
|
int nr;
|
|
|
|
|
|
|
|
if ((addr & ~0xC00UL) != VSYSCALL_START)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
nr = (addr & 0xC00UL) >> 10;
|
|
|
|
if (nr >= 3)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return nr;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-06-06 01:50:24 +08:00
|
|
|
struct task_struct *tsk;
|
|
|
|
unsigned long caller;
|
|
|
|
int vsyscall_nr;
|
|
|
|
long ret;
|
|
|
|
|
|
|
|
local_irq_enable();
|
|
|
|
|
2011-08-03 21:31:53 +08:00
|
|
|
if (!user_64bit_mode(regs)) {
|
2011-07-13 21:24:09 +08:00
|
|
|
/*
|
|
|
|
* If we trapped from kernel mode, we might as well OOPS now
|
|
|
|
* instead of returning to some random address and OOPSing
|
|
|
|
* then.
|
|
|
|
*/
|
|
|
|
BUG_ON(!user_mode(regs));
|
|
|
|
|
|
|
|
/* Compat mode and non-compat 32-bit CS should both segfault. */
|
|
|
|
warn_bad_vsyscall(KERN_WARNING, regs,
|
|
|
|
"illegal int 0xcc from 32-bit mode");
|
|
|
|
goto sigsegv;
|
|
|
|
}
|
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
/*
|
|
|
|
* x86-ism here: regs->ip points to the instruction after the int 0xcc,
|
|
|
|
* and int 0xcc is two bytes long.
|
|
|
|
*/
|
2011-07-13 21:24:09 +08:00
|
|
|
vsyscall_nr = addr_to_vsyscall_nr(regs->ip - 2);
|
2011-08-03 21:31:54 +08:00
|
|
|
|
|
|
|
trace_emulate_vsyscall(vsyscall_nr);
|
|
|
|
|
2011-07-13 21:24:09 +08:00
|
|
|
if (vsyscall_nr < 0) {
|
|
|
|
warn_bad_vsyscall(KERN_WARNING, regs,
|
|
|
|
"illegal int 0xcc (exploit attempt?)");
|
2011-06-06 01:50:24 +08:00
|
|
|
goto sigsegv;
|
|
|
|
}
|
2007-05-21 20:31:52 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
|
|
|
|
warn_bad_vsyscall(KERN_WARNING, regs, "int 0xcc with bad stack (exploit attempt?)");
|
|
|
|
goto sigsegv;
|
|
|
|
}
|
2010-07-14 08:56:18 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
tsk = current;
|
|
|
|
if (seccomp_mode(&tsk->seccomp))
|
|
|
|
do_exit(SIGKILL);
|
|
|
|
|
|
|
|
switch (vsyscall_nr) {
|
|
|
|
case 0:
|
|
|
|
ret = sys_gettimeofday(
|
|
|
|
(struct timeval __user *)regs->di,
|
|
|
|
(struct timezone __user *)regs->si);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 1:
|
|
|
|
ret = sys_time((time_t __user *)regs->di);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
|
|
|
ret = sys_getcpu((unsigned __user *)regs->di,
|
|
|
|
(unsigned __user *)regs->si,
|
|
|
|
0);
|
|
|
|
break;
|
|
|
|
}
|
2010-07-14 08:56:18 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
if (ret == -EFAULT) {
|
|
|
|
/*
|
|
|
|
* Bad news -- userspace fed a bad pointer to a vsyscall.
|
|
|
|
*
|
|
|
|
* With a real vsyscall, that would have caused SIGSEGV.
|
|
|
|
* To make writing reliable exploits using the emulated
|
|
|
|
* vsyscalls harder, generate SIGSEGV here as well.
|
|
|
|
*/
|
|
|
|
warn_bad_vsyscall(KERN_INFO, regs,
|
|
|
|
"vsyscall fault (exploit attempt?)");
|
|
|
|
goto sigsegv;
|
|
|
|
}
|
2010-07-14 08:56:18 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
regs->ax = ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
/* Emulate a ret instruction. */
|
|
|
|
regs->ip = caller;
|
|
|
|
regs->sp += 8;
|
2006-09-26 16:52:28 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
local_irq_disable();
|
|
|
|
return;
|
|
|
|
|
|
|
|
sigsegv:
|
|
|
|
regs->ip -= 2; /* The faulting instruction should be the int 0xcc. */
|
|
|
|
force_sig(SIGSEGV, current);
|
2011-07-13 21:24:09 +08:00
|
|
|
local_irq_disable();
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
/*
|
|
|
|
* Assume __initcall executes before all user space. Hopefully kmod
|
|
|
|
* doesn't violate that. We'll find out if it does.
|
|
|
|
*/
|
2006-11-14 23:57:46 +08:00
|
|
|
static void __cpuinit vsyscall_set_cpu(int cpu)
|
2006-09-26 16:52:28 +08:00
|
|
|
{
|
2008-06-25 12:19:01 +08:00
|
|
|
unsigned long d;
|
2006-09-26 16:52:28 +08:00
|
|
|
unsigned long node = 0;
|
|
|
|
#ifdef CONFIG_NUMA
|
x86: fix cpu_to_node references
In x86_64 and i386 architectures most arrays that are sized using
NR_CPUS lay in local memory on node 0. Not only will most (99%?) of the
systems not use all the slots in these arrays, particularly when NR_CPUS
is increased to accommodate future very high cpu count systems, but a
number of cache lines are passed unnecessarily on the system bus when
these arrays are referenced by cpus on other nodes.
Typically, the values in these arrays are referenced by the cpu
accessing it's own values, though when passing IPI interrupts, the cpu
does access the data relevant to the targeted cpu/node. Of course, if
the referencing cpu is not on node 0, then the reference will still
require cross node exchanges of cache lines. A common use of this is
for an interrupt service routine to pass the interrupt to other cpus
local to that node.
Ideally, all the elements in these arrays should be moved to the per_cpu
data area. In some cases (such as x86_cpu_to_apicid) the array is
referenced before the per_cpu data areas are setup. In this case, a
static array is declared in the __initdata area and initialized by the
booting cpu (BSP). The values are then moved to the per_cpu area after
it is initialized and the original static array is freed with the rest
of the __initdata.
This patch:
Fix four instances where cpu_to_node is referenced by array instead of
via the cpu_to_node macro. This is preparation to moving it to the
per_cpu data area.
Signed-off-by: Mike Travis <travis@sgi.com>
Cc: Andi Kleen <ak@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: "Siddha, Suresh B" <suresh.b.siddha@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2007-10-18 00:04:39 +08:00
|
|
|
node = cpu_to_node(cpu);
|
2006-09-26 16:52:28 +08:00
|
|
|
#endif
|
2007-10-20 02:35:04 +08:00
|
|
|
if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
|
2006-11-14 23:57:46 +08:00
|
|
|
write_rdtscp_aux((node << 12) | cpu);
|
2006-09-26 16:52:28 +08:00
|
|
|
|
2011-06-06 01:50:24 +08:00
|
|
|
/*
|
|
|
|
* Store cpu number in limit so that it can be loaded quickly
|
|
|
|
* in user space in vgetcpu. (12 bits for the CPU and 8 bits for the node)
|
|
|
|
*/
|
2008-06-25 12:19:01 +08:00
|
|
|
d = 0x0f40000000000ULL;
|
|
|
|
d |= cpu;
|
|
|
|
d |= (node & 0xf) << 12;
|
|
|
|
d |= (node >> 4) << 48;
|
2011-06-06 01:50:24 +08:00
|
|
|
|
2008-06-25 12:19:01 +08:00
|
|
|
write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PER_CPU, &d, DESCTYPE_S);
|
2006-09-26 16:52:28 +08:00
|
|
|
}
|
|
|
|
|
2006-11-14 23:57:46 +08:00
|
|
|
static void __cpuinit cpu_vsyscall_init(void *arg)
|
|
|
|
{
|
|
|
|
/* preemption should be already off */
|
|
|
|
vsyscall_set_cpu(raw_smp_processor_id());
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __cpuinit
|
|
|
|
cpu_vsyscall_notifier(struct notifier_block *n, unsigned long action, void *arg)
|
|
|
|
{
|
|
|
|
long cpu = (long)arg;
|
2011-06-06 01:50:24 +08:00
|
|
|
|
2007-05-09 17:35:10 +08:00
|
|
|
if (action == CPU_ONLINE || action == CPU_ONLINE_FROZEN)
|
2008-06-06 17:18:06 +08:00
|
|
|
smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 1);
|
2011-06-06 01:50:24 +08:00
|
|
|
|
2006-11-14 23:57:46 +08:00
|
|
|
return NOTIFY_DONE;
|
|
|
|
}
|
|
|
|
|
2008-01-30 20:32:39 +08:00
|
|
|
void __init map_vsyscall(void)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
extern char __vsyscall_0;
|
|
|
|
unsigned long physaddr_page0 = __pa_symbol(&__vsyscall_0);
|
2011-06-06 01:50:19 +08:00
|
|
|
extern char __vvar_page;
|
|
|
|
unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-12-07 09:14:09 +08:00
|
|
|
/* Note that VSYSCALL_MAPPED_PAGES must agree with the code below. */
|
2005-04-17 06:20:36 +08:00
|
|
|
__set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_page0, PAGE_KERNEL_VSYSCALL);
|
2011-06-06 01:50:19 +08:00
|
|
|
__set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
|
2011-06-06 01:50:24 +08:00
|
|
|
BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) != (unsigned long)VVAR_ADDRESS);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int __init vsyscall_init(void)
|
|
|
|
{
|
2011-06-06 01:50:24 +08:00
|
|
|
BUG_ON(VSYSCALL_ADDR(0) != __fix_to_virt(VSYSCALL_FIRST_PAGE));
|
|
|
|
|
2008-05-09 15:39:44 +08:00
|
|
|
on_each_cpu(cpu_vsyscall_init, NULL, 1);
|
2009-12-18 16:48:45 +08:00
|
|
|
/* notifier priority > KVM */
|
|
|
|
hotcpu_notifier(cpu_vsyscall_notifier, 30);
|
2011-06-06 01:50:24 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
__initcall(vsyscall_init);
|