1 /* $NetBSD: fault.c,v 1.25 2002/10/13 12:24:57 bjh21 Exp $ */ 2 3 /* 4 * Copyright (c) 1994-1997 Mark Brinicombe. 5 * Copyright (c) 1994 Brini. 6 * All rights reserved. 7 * 8 * This code is derived from software written for Brini by Mark Brinicombe 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by Brini. 21 * 4. The name of the company nor the name of the author may be used to 22 * endorse or promote products derived from this software without specific 23 * prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY BRINI ``AS IS'' AND ANY EXPRESS OR IMPLIED 26 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 27 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL BRINI OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 29 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 30 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 31 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * RiscBSD kernel project 38 * 39 * fault.c 40 * 41 * Fault handlers 42 * 43 * Created : 28/11/94 44 */ 45 46 #include "opt_ddb.h" 47 #include "opt_pmap_debug.h" 48 49 #include <sys/types.h> 50 __KERNEL_RCSID(0, "$NetBSD: fault.c,v 1.25 2002/10/13 12:24:57 bjh21 Exp $"); 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/proc.h> 55 #include <sys/user.h> 56 #include <sys/kernel.h> 57 58 #include <uvm/uvm_extern.h> 59 60 #include <arm/cpuconf.h> 61 62 #include <machine/frame.h> 63 #include <arm/arm32/katelib.h> 64 #include <machine/cpu.h> 65 #include <machine/intr.h> 66 #ifdef DDB 67 #include <machine/db_machdep.h> 68 #endif 69 70 #include <arch/arm/arm/disassem.h> 71 #include <arm/arm32/machdep.h> 72 73 extern char fusubailout[]; 74 75 static void report_abort __P((const char *, u_int, u_int, u_int)); 76 77 /* Abort code */ 78 79 /* Define text descriptions of the different aborts */ 80 81 static const char *aborts[16] = { 82 "Write buffer fault", 83 "Alignment fault", 84 "Write buffer fault", 85 "Alignment fault", 86 "Bus error (LF section)", 87 "Translation fault (section)", 88 "Bus error (page)", 89 "Translation fault (page)", 90 "Bus error (section)", 91 "Domain error (section)", 92 "Bus error (page)", 93 "Domain error (page)", 94 "Bus error trans (L1)", 95 "Permission error (section)", 96 "Bus error trans (L2)", 97 "Permission error (page)" 98 }; 99 100 static void 101 report_abort(prefix, fault_status, fault_address, fault_pc) 102 const char *prefix; 103 u_int fault_status; 104 u_int fault_address; 105 u_int fault_pc; 106 { 107 #ifndef DEBUG 108 if (prefix == NULL) { 109 #endif 110 if (prefix) 111 printf("%s ", prefix); 112 printf("Data abort: '%s' status=%03x address=%08x PC=%08x\n", 113 aborts[fault_status & FAULT_TYPE_MASK], 114 fault_status & 0xfff, fault_address, fault_pc); 115 #ifndef DEBUG 116 } 117 #endif 118 } 119 120 static __volatile int data_abort_expected; 121 static __volatile int data_abort_received; 122 123 int 124 badaddr_read(void *addr, size_t size, void *rptr) 125 { 126 u_long rcpt; 127 int rv; 128 129 /* Tell the Data Abort handler that we're expecting one. */ 130 data_abort_received = 0; 131 data_abort_expected = 1; 132 133 cpu_drain_writebuf(); 134 135 /* Read from the test address. */ 136 switch (size) { 137 case sizeof(uint8_t): 138 __asm __volatile("ldrb %0, [%1]" 139 : "=r" (rcpt) 140 : "r" (addr)); 141 break; 142 143 case sizeof(uint16_t): 144 __asm __volatile("ldrh %0, [%1]" 145 : "=r" (rcpt) 146 : "r" (addr)); 147 break; 148 149 case sizeof(uint32_t): 150 __asm __volatile("ldr %0, [%1]" 151 : "=r" (rcpt) 152 : "r" (addr)); 153 break; 154 155 default: 156 data_abort_expected = 0; 157 panic("badaddr: invalid size (%lu)", (u_long) size); 158 } 159 160 /* Disallow further Data Aborts. */ 161 data_abort_expected = 0; 162 163 rv = data_abort_received; 164 data_abort_received = 0; 165 166 /* Copy the data back if no fault occurred. */ 167 if (rptr != NULL && rv == 0) { 168 switch (size) { 169 case sizeof(uint8_t): 170 *(uint8_t *) rptr = rcpt; 171 break; 172 173 case sizeof(uint16_t): 174 *(uint16_t *) rptr = rcpt; 175 break; 176 177 case sizeof(uint32_t): 178 *(uint32_t *) rptr = rcpt; 179 break; 180 } 181 } 182 183 /* Return true if the address was invalid. */ 184 return (rv); 185 } 186 187 /* 188 * void data_abort_handler(trapframe_t *frame) 189 * 190 * Abort handler called when read/write occurs at an address of 191 * a non existent or restricted (access permissions) memory page. 192 * We first need to identify the type of page fault. 193 */ 194 195 #define TRAP_CODE ((fault_status & 0x0f) | (fault_address & 0xfffffff0)) 196 197 void 198 data_abort_handler(frame) 199 trapframe_t *frame; 200 { 201 struct proc *p; 202 struct pcb *pcb; 203 u_int fault_address; 204 u_int fault_status; 205 u_int fault_pc; 206 u_int fault_instruction; 207 int fault_code; 208 int user; 209 int error; 210 void *onfault; 211 212 /* 213 * If we were expecting a Data Abort, signal that we got 214 * one, adjust the PC to skip the faulting insn, and 215 * return. 216 */ 217 if (data_abort_expected) { 218 data_abort_received = 1; 219 frame->tf_pc += INSN_SIZE; 220 return; 221 } 222 223 /* 224 * Must get fault address and status from the CPU before 225 * re-enabling interrupts. (Interrupt handlers may take 226 * R/M emulation faults.) 227 */ 228 fault_address = cpu_faultaddress(); 229 fault_status = cpu_faultstatus(); 230 fault_pc = frame->tf_pc; 231 232 /* 233 * Enable IRQ's (disabled by CPU on abort) if trapframe 234 * shows they were enabled. 235 */ 236 if (!(frame->tf_spsr & I32_bit)) 237 enable_interrupts(I32_bit); 238 239 #ifdef DEBUG 240 if ((GetCPSR() & PSR_MODE) != PSR_SVC32_MODE) 241 panic("data_abort_handler: not in SVC32 mode"); 242 #endif 243 244 /* Update vmmeter statistics */ 245 uvmexp.traps++; 246 247 /* Extract the fault code from the fault status */ 248 fault_code = fault_status & FAULT_TYPE_MASK; 249 250 /* Get the current proc structure or proc0 if there is none */ 251 if ((p = curproc) == NULL) 252 p = &proc0; 253 254 /* 255 * can't use curpcb, as it might be NULL; and we have p in 256 * a register anyway 257 */ 258 pcb = &p->p_addr->u_pcb; 259 260 /* fusubailout is used by [fs]uswintr to avoid page faulting */ 261 if (pcb->pcb_onfault 262 && ((fault_code != FAULT_TRANS_S && fault_code != FAULT_TRANS_P && 263 fault_code != FAULT_PERM_S && fault_code != FAULT_PERM_P) 264 || pcb->pcb_onfault == fusubailout)) { 265 266 frame->tf_r0 = EFAULT; 267 copyfault: 268 #ifdef DEBUG 269 printf("Using pcb_onfault=%p addr=%08x st=%08x p=%p\n", 270 pcb->pcb_onfault, fault_address, fault_status, p); 271 #endif 272 frame->tf_pc = (u_int)pcb->pcb_onfault; 273 if ((frame->tf_spsr & PSR_MODE) == PSR_USR32_MODE) 274 panic("Yikes pcb_onfault=%p during USR mode fault", 275 pcb->pcb_onfault); 276 return; 277 } 278 279 /* More debug stuff */ 280 281 fault_instruction = ReadWord(fault_pc); 282 283 #ifdef PMAP_DEBUG 284 if (pmap_debug_level >= 0) { 285 report_abort(NULL, fault_status, fault_address, fault_pc); 286 printf("Instruction @V%08x = %08x\n", 287 fault_pc, fault_instruction); 288 } 289 #endif 290 291 /* Call the cpu specific abort fixup routine */ 292 error = cpu_dataabt_fixup(frame); 293 if (error == ABORT_FIXUP_RETURN) 294 return; 295 if (error == ABORT_FIXUP_FAILED) { 296 printf("pc = 0x%08x, opcode 0x%08x, insn = ", fault_pc, *((u_int *)fault_pc)); 297 disassemble(fault_pc); 298 printf("data abort handler: fixup failed for this instruction\n"); 299 } 300 301 #ifdef PMAP_DEBUG 302 if (pmap_debug_level >= 0) 303 printf("fault in process %p\n", p); 304 #endif 305 306 #ifdef DEBUG 307 /* Is this needed ? */ 308 if (pcb != curpcb) { 309 printf("data_abort: Alert ! pcb(%p) != curpcb(%p)\n", 310 pcb, curpcb); 311 printf("data_abort: Alert ! proc(%p), curproc(%p)\n", 312 p, curproc); 313 } 314 #endif /* DEBUG */ 315 316 /* Were we in user mode when the abort occurred ? */ 317 if ((frame->tf_spsr & PSR_MODE) == PSR_USR32_MODE) { 318 /* 319 * Note that the fault was from USR mode. 320 */ 321 user = 1; 322 p->p_addr->u_pcb.pcb_tf = frame; 323 } else 324 user = 0; 325 326 /* check if this was a failed fixup */ 327 if (error == ABORT_FIXUP_FAILED) { 328 if (user) { 329 trapsignal(p, SIGSEGV, TRAP_CODE); 330 userret(p); 331 return; 332 }; 333 panic("Data abort fixup failed in kernel - we're dead"); 334 }; 335 336 /* Now act on the fault type */ 337 switch (fault_code) { 338 case FAULT_WRTBUF_0: /* Write Buffer Fault */ 339 case FAULT_WRTBUF_1: /* Write Buffer Fault */ 340 /* If this happens forget it no point in continuing */ 341 342 /* FALLTHROUGH */ 343 344 case FAULT_ALIGN_0: /* Alignment Fault */ 345 case FAULT_ALIGN_1: /* Alignment Fault */ 346 /* 347 * Really this should just kill the process. 348 * Alignment faults are turned off in the kernel 349 * in order to get better performance from shorts with 350 * GCC so an alignment fault means somebody has played 351 * with the control register in the CPU. Might as well 352 * panic as the kernel was not compiled for aligned accesses. 353 */ 354 355 /* FALLTHROUGH */ 356 357 case FAULT_BUSERR_0: /* Bus Error LF Section */ 358 case FAULT_BUSERR_1: /* Bus Error Page */ 359 case FAULT_BUSERR_2: /* Bus Error Section */ 360 case FAULT_BUSERR_3: /* Bus Error Page */ 361 /* What will accutally cause a bus error ? */ 362 /* Real bus errors are not a process problem but hardware */ 363 364 /* FALLTHROUGH */ 365 366 case FAULT_DOMAIN_S: /* Section Domain Error Fault */ 367 case FAULT_DOMAIN_P: /* Page Domain Error Fault*/ 368 /* 369 * Right well we dont use domains, everything is 370 * always a client and thus subject to access permissions. 371 * If we get a domain error then we have corrupts PTE's 372 * so we might as well die ! 373 * I suppose eventually this should just kill the process 374 * who owns the PTE's but if this happens it implies a 375 * kernel problem. 376 */ 377 378 /* FALLTHROUGH */ 379 380 case FAULT_BUSTRNL1: /* Bus Error Trans L1 Fault */ 381 case FAULT_BUSTRNL2: /* Bus Error Trans L2 Fault */ 382 /* 383 * These faults imply that the PTE is corrupt. 384 * Likely to be a kernel fault so we had better stop. 385 */ 386 387 /* FALLTHROUGH */ 388 389 default : 390 /* Are there any combinations I have missed ? */ 391 report_abort(NULL, fault_status, fault_address, fault_pc); 392 393 we_re_toast: 394 /* 395 * Were are dead, try and provide some debug 396 * information before dying. 397 */ 398 #ifdef DDB 399 printf("Unhandled trap (frame = %p)\n", frame); 400 report_abort(NULL, fault_status, fault_address, fault_pc); 401 kdb_trap(-1, frame); 402 return; 403 #else 404 panic("Unhandled trap (frame = %p)", frame); 405 #endif /* DDB */ 406 407 case FAULT_TRANS_P: /* Page Translation Fault */ 408 case FAULT_PERM_P: /* Page Permission Fault */ 409 case FAULT_TRANS_S: /* Section Translation Fault */ 410 case FAULT_PERM_S: /* Section Permission Fault */ 411 /* 412 * Page/section translation/permission fault -- need to fault in 413 * the page and possibly the page table page. 414 */ 415 { 416 register vaddr_t va; 417 register struct vmspace *vm = p->p_vmspace; 418 register struct vm_map *map; 419 int rv; 420 vm_prot_t ftype; 421 extern struct vm_map *kernel_map; 422 423 va = trunc_page((vaddr_t)fault_address); 424 425 #ifdef PMAP_DEBUG 426 if (pmap_debug_level >= 0) 427 printf("page fault: addr=V%08lx ", va); 428 #endif 429 430 /* 431 * It is only a kernel address space fault iff: 432 * 1. user == 0 and 433 * 2. pcb_onfault not set or 434 * 3. pcb_onfault set but supervisor space fault 435 * The last can occur during an exec() copyin where the 436 * argument space is lazy-allocated. 437 */ 438 if (!user && 439 (va >= VM_MIN_KERNEL_ADDRESS || va < VM_MIN_ADDRESS)) { 440 /* Was the fault due to the FPE/IPKDB ? */ 441 if ((frame->tf_spsr & PSR_MODE) == PSR_UND32_MODE) { 442 report_abort("UND32", fault_status, 443 fault_address, fault_pc); 444 trapsignal(p, SIGSEGV, TRAP_CODE); 445 446 /* 447 * Force exit via userret() 448 * This is necessary as the FPE is an extension 449 * to userland that actually runs in a 450 * priveledged mode but uses USR mode 451 * permissions for its accesses. 452 */ 453 userret(p); 454 return; 455 } 456 map = kernel_map; 457 } else 458 map = &vm->vm_map; 459 460 #ifdef PMAP_DEBUG 461 if (pmap_debug_level >= 0) 462 printf("vmmap=%p ", map); 463 #endif 464 465 if (map == NULL) 466 panic("No map for fault address va = 0x%08lx", va); 467 468 /* 469 * We need to know whether the page should be mapped 470 * as R or R/W. The MMU does not give us the info as 471 * to whether the fault was caused by a read or a write. 472 * This means we need to disassemble the instruction 473 * responsible and determine if it was a read or write 474 * instruction. 475 */ 476 /* STR instruction ? */ 477 if ((fault_instruction & 0x0c100000) == 0x04000000) 478 ftype = VM_PROT_WRITE; 479 /* STM or CDT instruction ? */ 480 else if ((fault_instruction & 0x0a100000) == 0x08000000) 481 ftype = VM_PROT_WRITE; 482 /* STRH, STRSH or STRSB instruction ? */ 483 else if ((fault_instruction & 0x0e100090) == 0x00000090) 484 ftype = VM_PROT_WRITE; 485 /* SWP instruction ? */ 486 else if ((fault_instruction & 0x0fb00ff0) == 0x01000090) 487 ftype = VM_PROT_READ | VM_PROT_WRITE; 488 else 489 ftype = VM_PROT_READ; 490 491 #ifdef PMAP_DEBUG 492 if (pmap_debug_level >= 0) 493 printf("fault protection = %d\n", ftype); 494 #endif 495 496 if ((ftype & VM_PROT_WRITE) ? 497 pmap_modified_emulation(map->pmap, va) : 498 pmap_handled_emulation(map->pmap, va)) 499 goto out; 500 501 if (current_intr_depth > 0) { 502 #ifdef DDB 503 printf("Non-emulated page fault with intr_depth > 0\n"); 504 report_abort(NULL, fault_status, fault_address, fault_pc); 505 kdb_trap(-1, frame); 506 return; 507 #else 508 panic("Fault with intr_depth > 0"); 509 #endif /* DDB */ 510 } 511 512 onfault = pcb->pcb_onfault; 513 pcb->pcb_onfault = NULL; 514 rv = uvm_fault(map, va, 0, ftype); 515 pcb->pcb_onfault = onfault; 516 if (rv == 0) { 517 if (user != 0) /* Record any stack growth... */ 518 uvm_grow(p, trunc_page(va)); 519 goto out; 520 } 521 if (user == 0) { 522 if (pcb->pcb_onfault) { 523 frame->tf_r0 = rv; 524 goto copyfault; 525 } 526 printf("[u]vm_fault(%p, %lx, %x, 0) -> %x\n", 527 map, va, ftype, rv); 528 goto we_re_toast; 529 } 530 531 report_abort("", fault_status, fault_address, fault_pc); 532 if (rv == ENOMEM) { 533 printf("UVM: pid %d (%s), uid %d killed: " 534 "out of swap\n", p->p_pid, p->p_comm, 535 p->p_cred && p->p_ucred ? 536 p->p_ucred->cr_uid : -1); 537 trapsignal(p, SIGKILL, TRAP_CODE); 538 } else 539 trapsignal(p, SIGSEGV, TRAP_CODE); 540 break; 541 } 542 } 543 544 out: 545 /* Call userret() if it was a USR mode fault */ 546 if (user) 547 userret(p); 548 } 549 550 551 /* 552 * void prefetch_abort_handler(trapframe_t *frame) 553 * 554 * Abort handler called when instruction execution occurs at 555 * a non existent or restricted (access permissions) memory page. 556 * If the address is invalid and we were in SVC mode then panic as 557 * the kernel should never prefetch abort. 558 * If the address is invalid and the page is mapped then the user process 559 * does no have read permission so send it a signal. 560 * Otherwise fault the page in and try again. 561 */ 562 563 extern int kernel_debug; 564 565 void 566 prefetch_abort_handler(frame) 567 trapframe_t *frame; 568 { 569 struct proc *p; 570 struct vm_map *map; 571 vaddr_t fault_pc, va; 572 int error; 573 574 /* 575 * Enable IRQ's (disabled by the abort) This always comes 576 * from user mode so we know interrupts were not disabled. 577 * But we check anyway. 578 */ 579 if (!(frame->tf_spsr & I32_bit)) 580 enable_interrupts(I32_bit); 581 582 #ifdef DEBUG 583 if ((GetCPSR() & PSR_MODE) != PSR_SVC32_MODE) 584 panic("prefetch_abort_handler: not in SVC32 mode"); 585 #endif 586 587 /* Update vmmeter statistics */ 588 uvmexp.traps++; 589 590 /* Call the cpu specific abort fixup routine */ 591 error = cpu_prefetchabt_fixup(frame); 592 if (error == ABORT_FIXUP_RETURN) 593 return; 594 if (error == ABORT_FIXUP_FAILED) 595 panic("prefetch abort fixup failed"); 596 597 /* Get the current proc structure or proc0 if there is none */ 598 if ((p = curproc) == 0) { 599 p = &proc0; 600 #ifdef DEBUG 601 printf("Prefetch abort with curproc == 0\n"); 602 #endif 603 } 604 605 #ifdef PMAP_DEBUG 606 if (pmap_debug_level >= 0) 607 printf("prefetch fault in process %p %s\n", p, p->p_comm); 608 #endif 609 610 /* Get fault address */ 611 fault_pc = frame->tf_pc; 612 va = trunc_page(fault_pc); 613 614 /* Was the prefectch abort from USR32 mode ? */ 615 if ((frame->tf_spsr & PSR_MODE) == PSR_USR32_MODE) { 616 p->p_addr->u_pcb.pcb_tf = frame; 617 } else { 618 /* 619 * All the kernel code pages are loaded at boot time 620 * and do not get paged 621 */ 622 panic("Prefetch abort in non-USR mode (frame=%p PC=0x%08lx)", 623 frame, fault_pc); 624 } 625 626 map = &p->p_vmspace->vm_map; 627 628 #ifdef PMAP_DEBUG 629 if (pmap_debug_level >= 0) 630 printf("prefetch_abort: PC = %08lx\n", fault_pc); 631 #endif 632 /* Ok validate the address, can only execute in USER space */ 633 if (fault_pc < VM_MIN_ADDRESS || fault_pc >= VM_MAXUSER_ADDRESS) { 634 #ifdef DEBUG 635 printf("prefetch: pc (%08lx) not in user process space\n", 636 fault_pc); 637 #endif 638 trapsignal(p, SIGSEGV, fault_pc); 639 userret(p); 640 return; 641 } 642 643 #ifdef CPU_SA110 644 /* 645 * There are bugs in the rev K SA110. This is a check for one 646 * of them. 647 */ 648 if (curcpu()->ci_arm_cputype == CPU_ID_SA110 && 649 curcpu()->ci_arm_cpurev < 3) { 650 /* Always current pmap */ 651 pt_entry_t *pte = vtopte((vaddr_t) fault_pc); 652 struct pmap *pmap = p->p_vmspace->vm_map.pmap; 653 654 if (pmap_pde_v(pmap_pde(pmap, (vaddr_t) fault_pc)) && 655 pmap_pte_v(pte)) { 656 if (kernel_debug & 1) { 657 printf("prefetch_abort: page is already " 658 "mapped - pte=%p *pte=%08x\n", pte, *pte); 659 printf("prefetch_abort: pc=%08lx proc=%p " 660 "process=%s\n", fault_pc, p, p->p_comm); 661 printf("prefetch_abort: far=%08x fs=%x\n", 662 cpu_faultaddress(), cpu_faultstatus()); 663 printf("prefetch_abort: trapframe=%08x\n", 664 (u_int)frame); 665 } 666 #ifdef DDB 667 if (kernel_debug & 2) 668 Debugger(); 669 #endif 670 } 671 } 672 #endif /* CPU_SA110 */ 673 674 if (pmap_handled_emulation(map->pmap, va)) 675 goto out; 676 677 if (current_intr_depth > 0) { 678 #ifdef DDB 679 printf("Non-emulated prefetch abort with intr_depth > 0\n"); 680 kdb_trap(-1, frame); 681 return; 682 #else 683 panic("Prefetch Abort with intr_depth > 0"); 684 #endif 685 } 686 687 error = uvm_fault(map, va, 0, VM_PROT_READ); 688 if (error == 0) 689 goto out; 690 691 if (error == ENOMEM) { 692 printf("UVM: pid %d (%s), uid %d killed: " 693 "out of swap\n", p->p_pid, p->p_comm, 694 p->p_cred && p->p_ucred ? 695 p->p_ucred->cr_uid : -1); 696 trapsignal(p, SIGKILL, fault_pc); 697 } else 698 trapsignal(p, SIGSEGV, fault_pc); 699 out: 700 userret(p); 701 } 702