1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2014, The Linux Foundation. All rights reserved.
4 * Debug helper to dump the current kernel pagetables of the system
5 * so that we can see what the various memory ranges are set to.
6 *
7 * Derived from x86 and arm implementation:
8 * (C) Copyright 2008 Intel Corporation
9 *
10 * Author: Arjan van de Ven <arjan@linux.intel.com>
11 */
12 #include <linux/debugfs.h>
13 #include <linux/errno.h>
14 #include <linux/fs.h>
15 #include <linux/io.h>
16 #include <linux/init.h>
17 #include <linux/mm.h>
18 #include <linux/ptdump.h>
19 #include <linux/sched.h>
20 #include <linux/seq_file.h>
21
22 #include <asm/fixmap.h>
23 #include <asm/kasan.h>
24 #include <asm/memory.h>
25 #include <asm/pgtable-hwdef.h>
26 #include <asm/ptdump.h>
27
28
29 enum address_markers_idx {
30 PAGE_OFFSET_NR = 0,
31 PAGE_END_NR,
32 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
33 KASAN_START_NR,
34 #endif
35 };
36
37 static struct addr_marker address_markers[] = {
38 { PAGE_OFFSET, "Linear Mapping start" },
39 { 0 /* PAGE_END */, "Linear Mapping end" },
40 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
41 { 0 /* KASAN_SHADOW_START */, "Kasan shadow start" },
42 { KASAN_SHADOW_END, "Kasan shadow end" },
43 #endif
44 { MODULES_VADDR, "Modules start" },
45 { MODULES_END, "Modules end" },
46 { VMALLOC_START, "vmalloc() area" },
47 { VMALLOC_END, "vmalloc() end" },
48 { FIXADDR_START, "Fixmap start" },
49 { FIXADDR_TOP, "Fixmap end" },
50 { PCI_IO_START, "PCI I/O start" },
51 { PCI_IO_END, "PCI I/O end" },
52 { VMEMMAP_START, "vmemmap start" },
53 { VMEMMAP_START + VMEMMAP_SIZE, "vmemmap end" },
54 { -1, NULL },
55 };
56
57 #define pt_dump_seq_printf(m, fmt, args...) \
58 ({ \
59 if (m) \
60 seq_printf(m, fmt, ##args); \
61 })
62
63 #define pt_dump_seq_puts(m, fmt) \
64 ({ \
65 if (m) \
66 seq_printf(m, fmt); \
67 })
68
69 /*
70 * The page dumper groups page table entries of the same type into a single
71 * description. It uses pg_state to track the range information while
72 * iterating over the pte entries. When the continuity is broken it then
73 * dumps out a description of the range.
74 */
75 struct pg_state {
76 struct ptdump_state ptdump;
77 struct seq_file *seq;
78 const struct addr_marker *marker;
79 unsigned long start_address;
80 int level;
81 u64 current_prot;
82 bool check_wx;
83 unsigned long wx_pages;
84 unsigned long uxn_pages;
85 };
86
87 struct prot_bits {
88 u64 mask;
89 u64 val;
90 const char *set;
91 const char *clear;
92 };
93
94 static const struct prot_bits pte_bits[] = {
95 {
96 .mask = PTE_VALID,
97 .val = PTE_VALID,
98 .set = " ",
99 .clear = "F",
100 }, {
101 .mask = PTE_USER,
102 .val = PTE_USER,
103 .set = "USR",
104 .clear = " ",
105 }, {
106 .mask = PTE_RDONLY,
107 .val = PTE_RDONLY,
108 .set = "ro",
109 .clear = "RW",
110 }, {
111 .mask = PTE_PXN,
112 .val = PTE_PXN,
113 .set = "NX",
114 .clear = "x ",
115 }, {
116 .mask = PTE_SHARED,
117 .val = PTE_SHARED,
118 .set = "SHD",
119 .clear = " ",
120 }, {
121 .mask = PTE_AF,
122 .val = PTE_AF,
123 .set = "AF",
124 .clear = " ",
125 }, {
126 .mask = PTE_NG,
127 .val = PTE_NG,
128 .set = "NG",
129 .clear = " ",
130 }, {
131 .mask = PTE_CONT,
132 .val = PTE_CONT,
133 .set = "CON",
134 .clear = " ",
135 }, {
136 .mask = PTE_TABLE_BIT,
137 .val = PTE_TABLE_BIT,
138 .set = " ",
139 .clear = "BLK",
140 }, {
141 .mask = PTE_UXN,
142 .val = PTE_UXN,
143 .set = "UXN",
144 .clear = " ",
145 }, {
146 .mask = PTE_GP,
147 .val = PTE_GP,
148 .set = "GP",
149 .clear = " ",
150 }, {
151 .mask = PTE_ATTRINDX_MASK,
152 .val = PTE_ATTRINDX(MT_DEVICE_nGnRnE),
153 .set = "DEVICE/nGnRnE",
154 }, {
155 .mask = PTE_ATTRINDX_MASK,
156 .val = PTE_ATTRINDX(MT_DEVICE_nGnRE),
157 .set = "DEVICE/nGnRE",
158 }, {
159 .mask = PTE_ATTRINDX_MASK,
160 .val = PTE_ATTRINDX(MT_NORMAL_NC),
161 .set = "MEM/NORMAL-NC",
162 }, {
163 .mask = PTE_ATTRINDX_MASK,
164 .val = PTE_ATTRINDX(MT_NORMAL),
165 .set = "MEM/NORMAL",
166 }, {
167 .mask = PTE_ATTRINDX_MASK,
168 .val = PTE_ATTRINDX(MT_NORMAL_TAGGED),
169 .set = "MEM/NORMAL-TAGGED",
170 }
171 };
172
173 struct pg_level {
174 const struct prot_bits *bits;
175 const char *name;
176 size_t num;
177 u64 mask;
178 };
179
180 static struct pg_level pg_level[] = {
181 { /* pgd */
182 .name = "PGD",
183 .bits = pte_bits,
184 .num = ARRAY_SIZE(pte_bits),
185 }, { /* p4d */
186 .name = "P4D",
187 .bits = pte_bits,
188 .num = ARRAY_SIZE(pte_bits),
189 }, { /* pud */
190 .name = (CONFIG_PGTABLE_LEVELS > 3) ? "PUD" : "PGD",
191 .bits = pte_bits,
192 .num = ARRAY_SIZE(pte_bits),
193 }, { /* pmd */
194 .name = (CONFIG_PGTABLE_LEVELS > 2) ? "PMD" : "PGD",
195 .bits = pte_bits,
196 .num = ARRAY_SIZE(pte_bits),
197 }, { /* pte */
198 .name = "PTE",
199 .bits = pte_bits,
200 .num = ARRAY_SIZE(pte_bits),
201 },
202 };
203
dump_prot(struct pg_state * st,const struct prot_bits * bits,size_t num)204 static void dump_prot(struct pg_state *st, const struct prot_bits *bits,
205 size_t num)
206 {
207 unsigned i;
208
209 for (i = 0; i < num; i++, bits++) {
210 const char *s;
211
212 if ((st->current_prot & bits->mask) == bits->val)
213 s = bits->set;
214 else
215 s = bits->clear;
216
217 if (s)
218 pt_dump_seq_printf(st->seq, " %s", s);
219 }
220 }
221
note_prot_uxn(struct pg_state * st,unsigned long addr)222 static void note_prot_uxn(struct pg_state *st, unsigned long addr)
223 {
224 if (!st->check_wx)
225 return;
226
227 if ((st->current_prot & PTE_UXN) == PTE_UXN)
228 return;
229
230 WARN_ONCE(1, "arm64/mm: Found non-UXN mapping at address %p/%pS\n",
231 (void *)st->start_address, (void *)st->start_address);
232
233 st->uxn_pages += (addr - st->start_address) / PAGE_SIZE;
234 }
235
note_prot_wx(struct pg_state * st,unsigned long addr)236 static void note_prot_wx(struct pg_state *st, unsigned long addr)
237 {
238 if (!st->check_wx)
239 return;
240 if ((st->current_prot & PTE_RDONLY) == PTE_RDONLY)
241 return;
242 if ((st->current_prot & PTE_PXN) == PTE_PXN)
243 return;
244
245 WARN_ONCE(1, "arm64/mm: Found insecure W+X mapping at address %p/%pS\n",
246 (void *)st->start_address, (void *)st->start_address);
247
248 st->wx_pages += (addr - st->start_address) / PAGE_SIZE;
249 }
250
note_page(struct ptdump_state * pt_st,unsigned long addr,int level,u64 val)251 static void note_page(struct ptdump_state *pt_st, unsigned long addr, int level,
252 u64 val)
253 {
254 struct pg_state *st = container_of(pt_st, struct pg_state, ptdump);
255 static const char units[] = "KMGTPE";
256 u64 prot = 0;
257
258 if (level >= 0)
259 prot = val & pg_level[level].mask;
260
261 if (st->level == -1) {
262 st->level = level;
263 st->current_prot = prot;
264 st->start_address = addr;
265 pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
266 } else if (prot != st->current_prot || level != st->level ||
267 addr >= st->marker[1].start_address) {
268 const char *unit = units;
269 unsigned long delta;
270
271 if (st->current_prot) {
272 note_prot_uxn(st, addr);
273 note_prot_wx(st, addr);
274 }
275
276 pt_dump_seq_printf(st->seq, "0x%016lx-0x%016lx ",
277 st->start_address, addr);
278
279 delta = (addr - st->start_address) >> 10;
280 while (!(delta & 1023) && unit[1]) {
281 delta >>= 10;
282 unit++;
283 }
284 pt_dump_seq_printf(st->seq, "%9lu%c %s", delta, *unit,
285 pg_level[st->level].name);
286 if (st->current_prot && pg_level[st->level].bits)
287 dump_prot(st, pg_level[st->level].bits,
288 pg_level[st->level].num);
289 pt_dump_seq_puts(st->seq, "\n");
290
291 if (addr >= st->marker[1].start_address) {
292 st->marker++;
293 pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
294 }
295
296 st->start_address = addr;
297 st->current_prot = prot;
298 st->level = level;
299 }
300
301 if (addr >= st->marker[1].start_address) {
302 st->marker++;
303 pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
304 }
305
306 }
307
ptdump_walk(struct seq_file * s,struct ptdump_info * info)308 void ptdump_walk(struct seq_file *s, struct ptdump_info *info)
309 {
310 unsigned long end = ~0UL;
311 struct pg_state st;
312
313 if (info->base_addr < TASK_SIZE_64)
314 end = TASK_SIZE_64;
315
316 st = (struct pg_state){
317 .seq = s,
318 .marker = info->markers,
319 .level = -1,
320 .ptdump = {
321 .note_page = note_page,
322 .range = (struct ptdump_range[]){
323 {info->base_addr, end},
324 {0, 0}
325 }
326 }
327 };
328
329 ptdump_walk_pgd(&st.ptdump, info->mm, NULL);
330 }
331
ptdump_initialize(void)332 static void __init ptdump_initialize(void)
333 {
334 unsigned i, j;
335
336 for (i = 0; i < ARRAY_SIZE(pg_level); i++)
337 if (pg_level[i].bits)
338 for (j = 0; j < pg_level[i].num; j++)
339 pg_level[i].mask |= pg_level[i].bits[j].mask;
340 }
341
342 static struct ptdump_info kernel_ptdump_info = {
343 .mm = &init_mm,
344 .markers = address_markers,
345 .base_addr = PAGE_OFFSET,
346 };
347
ptdump_check_wx(void)348 void ptdump_check_wx(void)
349 {
350 struct pg_state st = {
351 .seq = NULL,
352 .marker = (struct addr_marker[]) {
353 { 0, NULL},
354 { -1, NULL},
355 },
356 .level = -1,
357 .check_wx = true,
358 .ptdump = {
359 .note_page = note_page,
360 .range = (struct ptdump_range[]) {
361 {PAGE_OFFSET, ~0UL},
362 {0, 0}
363 }
364 }
365 };
366
367 ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
368
369 if (st.wx_pages || st.uxn_pages)
370 pr_warn("Checked W+X mappings: FAILED, %lu W+X pages found, %lu non-UXN pages found\n",
371 st.wx_pages, st.uxn_pages);
372 else
373 pr_info("Checked W+X mappings: passed, no W+X pages found\n");
374 }
375
ptdump_init(void)376 static int __init ptdump_init(void)
377 {
378 address_markers[PAGE_END_NR].start_address = PAGE_END;
379 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
380 address_markers[KASAN_START_NR].start_address = KASAN_SHADOW_START;
381 #endif
382 ptdump_initialize();
383 ptdump_debugfs_register(&kernel_ptdump_info, "kernel_page_tables");
384 return 0;
385 }
386 device_initcall(ptdump_init);
387